CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #43 from TOoSmOotH/master

Browse Source 
1.0.8
This commit is contained in:
Mike Reeves
2019-05-07 09:49:15 -04:00
committed by GitHub
parent 49b526ceca 561df7e57b
commit a62c910203
29 changed files with 785 additions and 227 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
README.md
View File

@@ -1,6 +1,17 @@
# Security Onion Hybrid Hunter Tech Preview 1.0.7
## Hybrid Hunter 1.0.8
### Changes:
- Suricata 4.1.4
- Eval and Master installs now ask which components you would like to install
- Fleet (osquery) now has it's own additional setup script. [See the docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Configuring-Osquery-with-Security-Onion)
- Fleet setup script now generates auto install packages for Windows, CentOS, and Ubuntu
- When Fleet setup is completed, all SO nodes will auto install the appropriate auto install package
- We now have a progress bar during install!
- The setup script will now tell you if it was successful
- Added Grafana plugin Pie Chart
- The Hive Docker moved to Centos 7 based container
=======
- Suricata 4.1.3
- Updated Influxdb to 1.7.5
- Updated Telegraf to 1.10.1
@@ -18,6 +29,7 @@
- Attempting to send a Bro event to The Hive that does not contain a source and destination IP (ex. Bro files, or X509) will result in an exception - a fix for this will be implemented in the next release.
- If attempting to pivot from Kibana, ensure that you can resolve the master via DNS -- otherwise, populate your local hosts file with an entry to point to the master.
### Warnings and Disclaimers
- This technology PREVIEW is PRE-ALPHA, BLEEDING EDGE, and TOTALLY UNSUPPORTED!

6
pillar/data/addtotab.sh
View File

@@ -11,6 +11,8 @@ MANINT=$6
ROOTFS=$7
NSM=$8
MONINT=$9
#NODETYPE=$10
#HOTNAME=$11
echo "Seeing if this host is already in here. If so delete it"
if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then
@@ -49,3 +51,7 @@ if [ $TYPE == 'evaltab' ]; then
salt-call state.apply common queue=True
salt-call state.apply utility queue=True
fi
#if [ $TYPE == 'nodestab' ]; then
# echo " nodetype: $NODETYPE" >> /opt/so/saltstack/pillar/data/$TYPE.sls
# echo " hotname: $HOTNAME" >> /opt/so/saltstack/pillar/data/$TYPE.sls
#fi

12
salt/bro/init.sls
View File

@@ -90,8 +90,14 @@ localbrosync:
- group: 939
- template: jinja
so-communitybroimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-communitybro:HH1.0.3
so-bro:
docker_container.running:
- require:
- so-communitybroimage
- image: soshybridhunter/so-communitybro:HH1.0.3
- privileged: True
- binds:
@@ -117,8 +123,14 @@ localbrosync:
- group: 939
- template: jinja
so-broimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-bro:HH1.0.6
so-bro:
docker_container.running:
- require:
- so-broimage
- image: soshybridhunter/so-bro:HH1.0.6
- privileged: True
- binds:

14
salt/common/grafana/grafana_dashboards/eval/eval.json
View File

@@ -3110,7 +3110,7 @@
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "{{ SERVERNAME }} - Monitor Traffic",
"title": "{{ SERVERNAME }} - Management Traffic",
"tooltip": {
"msResolution": true,
"shared": true,
@@ -3862,7 +3862,7 @@
"condition": "AND",
"key": "interface",
"operator": "=",
"value": " {{ MANINT }}"
"value": "{{ MONINT }}"
}
]
},
@@ -3926,7 +3926,7 @@
"condition": "AND",
"key": "interface",
"operator": "=",
"value": "{{ MANINT }}"
"value": "{{ MONINT }}"
}
]
}
@@ -3935,7 +3935,7 @@
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "{{ SERVERNAME }} - Management Traffic",
"title": "{{ SERVERNAME }} - Monitor Traffic",
"tooltip": {
"msResolution": true,
"shared": true,
@@ -3984,10 +3984,10 @@
"fill": 1,
"grid": {},
"gridPos": {
"h": 7,
"h": 6,
"w": 8,
"x": 0,
"y": 29
"x": 16,
"y": 15
},
"id": 15,
"legend": {

28
salt/common/init.sls
View File

@@ -101,9 +101,15 @@ nginxtmp:
- makedirs: True
# Start the core docker
so-coreimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-core:HH1.0.7
so-core:
docker_container.running:
- image: soshybridhunter/so-core:HH1.0.7
- require:
- so-coreimage
- image: soshybridhunter/so-core:HH1.0.8
- hostname: so-core
- user: socore
- binds:
@@ -114,7 +120,7 @@ so-core:
- /opt/so/tmp/nginx/:/run:rw
- /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
- /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
- /opt/so/conf/fleet/packages:/opt/so/html/packages
- /opt/so/conf/fleet/packages:/opt/socore/html/packages
- cap_add: NET_BIND_SERVICE
- port_bindings:
- 80:80
@@ -155,8 +161,14 @@ tgrafconf:
- template: jinja
- source: salt://common/telegraf/etc/telegraf.conf
so-telegrafimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-telegraf:HH1.0.7
so-telegraf:
docker_container.running:
- require:
- so-telegrafimage
- image: soshybridhunter/so-telegraf:HH1.0.7
- environment:
- HOST_PROC=/host/proc
@@ -210,8 +222,14 @@ influxdbconf:
- template: jinja
- source: salt://common/influxdb/etc/influxdb.conf
so-influximage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-influxdb:HH1.0.7
so-influxdb:
docker_container.running:
- require:
- so-influximage
- image: soshybridhunter/so-influxdb:HH1.0.7
- hostname: influxdb
- environment:
@@ -336,7 +354,7 @@ dashboard-{{ SN }}:
- defaults:
SERVERNAME: {{ SN }}
MANINT: {{ SNDATA.manint }}
MONINT: {{ SNDATA.manint }}
MONINT: {{ SNDATA.monint }}
CPUS: {{ SNDATA.totalcpus }}
UID: {{ SNDATA.guid }}
ROOTFS: {{ SNDATA.rootfs }}
@@ -357,7 +375,7 @@ dashboard-{{ SN }}:
- defaults:
SERVERNAME: {{ SN }}
MANINT: {{ SNDATA.manint }}
MONINT: {{ SNDATA.manint }}
MONINT: {{ SNDATA.monint }}
CPUS: {{ SNDATA.totalcpus }}
UID: {{ SNDATA.guid }}
ROOTFS: {{ SNDATA.rootfs }}
@@ -369,7 +387,7 @@ dashboard-{{ SN }}:
# Install the docker. This needs to be behind nginx at some point
so-grafana:
docker_container.running:
- image: soshybridhunter/so-grafana:HH1.0.7
- image: soshybridhunter/so-grafana:HH1.0.8
- hostname: grafana
- user: socore
- binds:

5
salt/curator/init.sls
View File

@@ -112,9 +112,14 @@ curdel:
- month: '*'
- dayweek: '*'
so-curatorimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-curator:HH1.0.3
so-curator:
docker_container.running:
- require:
- so-curatorimage
- image: soshybridhunter/so-curator:HH1.0.3
- hostname: curator
- name: so-curator

6
salt/elastalert/init.sls
View File

@@ -79,8 +79,14 @@ elastarules:
# - group: 939
# - template: jinja
so-elastalertimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-elastalert:HH1.0.3
so-elastalert:
docker_container.running:
- require:
- so-elastalertimage
- image: soshybridhunter/so-elastalert:HH1.0.3
- hostname: elastalert
- name: so-elastalert

18
salt/elasticsearch/init.sls
View File

@@ -90,8 +90,14 @@ eslogdir:
- group: 939
- makedirs: True
so-elasticsearchimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-elasticsearch:HH1.0.6
so-elasticsearch:
docker_container.running:
- require:
- so-elasticsearchimage
- image: soshybridhunter/so-elasticsearch:HH1.0.6
- hostname: elasticsearch
- name: so-elasticsearch
@@ -143,8 +149,14 @@ freqlogdir:
- group: 935
- makedirs: True
so-freqimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-freqserver:HH1.0.3
so-freq:
docker_container.running:
- require:
- so-freqimage
- image: soshybridhunter/so-freqserver:HH1.0.3
- hostname: freqserver
- name: so-freqserver
@@ -179,8 +191,14 @@ dstatslogdir:
- group: 939
- makedirs: True
so-domainstatsimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-domainstats:HH1.0.3
so-domainstats:
docker_container.running:
- require:
- so-domainstatsimage
- image: soshybridhunter/so-domainstats:HH1.0.3
- hostname: domainstats
- name: so-domainstats

5
salt/filebeat/init.sls
View File

@@ -49,9 +49,14 @@ filebeatconfsync:
# - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
# - source: salt://filebeat/files/filebeat.key
so-filebeatimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-filebeat:HH1.0.6
so-filebeat:
docker_container.running:
- require:
- so-filebeatimage
- image: soshybridhunter/so-filebeat:HH1.0.6
- hostname: so-filebeat
- user: root

22
salt/firewall/init.sls
View File

@@ -217,6 +217,17 @@ enable_masternode_mysql_3306_{{ip}}:
- position: 1
- save: True
enable_master_osquery_8080_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 8080
- position: 1
- save: True
{% endfor %}
# Make it so all the minions can talk to salt and update etc.
@@ -277,6 +288,17 @@ enable_minions_influxdb_8086_{{ip}}:
- position: 1
- save: True
enable_minion_osquery_8080_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 8080
- position: 1
- save: True
{% endfor %}
# Allow Forward Nodes to send their beats traffic

16
salt/fleet/init.sls
View File

@@ -31,6 +31,16 @@ fleetlogdir:
- group: 939
- makedirs: True
fleetsetupscript:
file.managed:
- name: /opt/so/conf/fleet/so-fleet-setup.sh
- source: salt://fleet/so-fleet-setup.sh
osquerypackageswebpage:
file.managed:
- name: /opt/so/conf/fleet/packages/index.html
- source: salt://fleet/osquery-packages.html
fleetdb:
mysql_database.present:
- name: fleet
@@ -49,8 +59,14 @@ fleetdbpriv:
- user: fleetdbuser
- host: 172.17.0.0/255.255.0.0
so-fleetimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-fleet:HH1.0.6
so-fleet:
docker_container.running:
- require:
- so-fleetimage
- image: soshybridhunter/so-fleet:HH1.0.6
- hostname: so-fleet
- port_bindings:

113
salt/fleet/osquery-packages.html Normal file
View File

@@ -0,0 +1,113 @@
<!DOCTYPE html>
<html lang="en">
<head>
<title>Security Onion - Hybrid Hunter</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
<style>
* {
box-sizing: border-box;
font-family: Arial, Helvetica, sans-serif;
padding-left: 30px;
padding right: 30px;
}
body {
font-family: Arial, Helvetica, sans-serif;
background-color: #2a2a2a;
}
a {
color: #f2f2f2;
text-align: left;
padding: 0px;
}
/* Style the top navigation bar */
.topnav {
overflow: hidden;
background-color: #333;
width: 1080px;
}
/* Style the topnav links */
.topnav a {
float: left;
display: block;
color: #f2f2f2;
text-align: center;
padding: 14px 16px;
text-decoration: none;
}
/* Change color on hover */
.topnav a:hover {
background-color: #ddd;
color: black;
}
/* Style the content */
.content {
background-color: #2a2a2a;
padding: 10px;
padding-top: 20px;
padding-left: 60px;
color: #E3DBCC;
width: 1080px;
}
/* Style the footer */
.footer {
background-color: #2a2a2a;
padding: 60px;
color: #E3DBCC;
width: 1080px;
}
</style>
</head>
<body>
<div class="topnav">
<a href="/kibana/" target="_blank">Kibana</a>
<a href="/grafana/" target="_blank">Grafana</a>
<a href="/fleet/" target="_blank">Fleet</a>
<a href="/thehive/" target="_blank">TheHive</a>
<a href="/packages/" target="_blank">Osquery Binaries</a>
<a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ" target="_blank">FAQ</a>
<a href="https://www.securityonionsolutions.com" target="_blank">Security Onion Solutions</a>
<a href="https://blog.securityonion.net" target="_blank">Blog</a>
</div>
<div class="content">
<p><center><h1>Osquery Packages</h1></center><br>
<h2>Notes</h2>
<ul>
<li>These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from <a href="https://osquery.io/downloads">osquery.io</a></li>
<li>Packages are not signed.</li>
</ul>
<BR> <h2>Downloads</h2>
<ul>
Generated: N/A
<BR><BR>Packages:
<li><a href="/packages/launcher.msi" download="msi-launcher.msi">MSI (Windows)</a></li>
<li><a href="/packages/launcher.deb" download="deb-launcher.deb">DEB (Debian)</a></li>
<li><a href="/packages/launcher.rpm" download="rpm-launcher.rpm">RPM (RPM)</a></li>
<BR><BR>Config Files:
<li><a href="/packages/launcher.flags" download="launcher.flags.txt">RPM & DEB Flag File</a></li>
<li><a href="/packages/launcher-msi.flags" download="launcher-msi.flags.txt">MSI Flag File</a></li>
</ul>
<BR><h2>Known Issues</h2>
<ul>
<li>None</li>
</ul>
</p>
</div>
</body>
</html>

49
salt/fleet/so-fleet-setup.sh Normal file
View File

@@ -0,0 +1,49 @@
#so-fleet-setup.sh $MasterIP $FleetEmail
if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
echo "so-fleet container not running... Exiting..."
exit 1
fi
initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify
docker exec so-fleet fleetctl setup --email $2 --password $initpw
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml
docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret)
#Concat fleet.crt & ca.crt - this is required for launcher connectivity
cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/launcher.crt
#Create the output directory
mkdir /opt/so/conf/fleet/packages
docker run \
--mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \
--mount type=bind,source=/etc/pki/launcher.crt,target=/var/launcher/launcher.crt \
soshybridhunter/so-fleet-launcher:HH1.0.8 "$esecret" "$1":8080
cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packages/
#Update timestamp on packages webpage
sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/saltstack/salt/fleet/osquery-packages.html
# Enable Fleet on all the other parts of the infrastructure
sed -i 's/fleetsetup: 0/fleetsetup: 1/g' /opt/so/saltstack/pillar/static.sls
# Install osquery locally
#if cat /etc/os-release | grep -q 'debian'; then
# dpkg -i /opt/so/conf/fleet/packages/launcher.deb
#else
# rpm -i /opt/so/conf/fleet/packages/launcher.rpm
#fi
echo "Installing launcher via salt"
salt-call state.apply launcher queue=True > /root/launcher.log
echo "Fleet Setup Complete - Login here: https://$1"
echo "Your username is $2 and your password is $initpw"

30
salt/hive/init.sls
View File

@@ -30,8 +30,14 @@ hiveesdata:
- user: 939
- group: 939
so-thehive-esimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-thehive-es:HH1.0.7
so-thehive-es:
docker_container.running:
- require:
- so-thehive-esimage
- image: soshybridhunter/so-thehive-es:HH1.0.7
- hostname: so-thehive-es
- name: so-thehive-es
@@ -60,16 +66,26 @@ so-thehive-es:
# Install Cortex
so-cortex:
docker_container.running:
- image: thehiveproject/cortex:latest
- hostname: so-cortex
- name: so-cortex
- port_bindings:
- 0.0.0.0:9001:9001
#so-corteximage:
# cmd.run:
# - name: docker pull --disable-content-trust=false soshybridhunter/so-cortex:HH1.0.3
#so-cortex:
# docker_container.running:
# - image: thehiveproject/cortex:latest
# - hostname: so-cortex
# - name: so-cortex
# - port_bindings:
# - 0.0.0.0:9001:9001
so-thehiveimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-thehive:HH1.0.7
so-thehive:
docker_container.running:
- require:
- so-thehiveimage
- image: soshybridhunter/so-thehive:HH1.0.7
- hostname: so-thehive
- name: so-thehive

7
salt/idstools/init.sls
View File

@@ -48,11 +48,14 @@ ruleslink:
- name: /opt/so/saltstack/salt/suricata/rules
- target: /opt/so/rules/nids
toosmooth/so-idstools:test2:
docker_image.present
so-idstoolsimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-idstools:HH1.0.3
so-idstools:
docker_container.running:
- require:
- so-idstoolsimage
- image: soshybridhunter/so-idstools:HH1.0.3
- hostname: so-idstools
- user: socore

6
salt/kibana/init.sls
View File

@@ -54,9 +54,15 @@ synckibanacustom:
# File.Recurse for custom saved dashboards
so-kibanaimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-kibana:HH1.0.7
# Start the kibana docker
so-kibana:
docker_container.running:
- require:
- so-kibanaimage
- image: soshybridhunter/so-kibana:HH1.0.7
- hostname: kibana
- user: kibana

12
salt/launcher/init.sls Normal file
View File

@@ -0,0 +1,12 @@
{%- set FLEETSETUP = salt['pillar.get']('static:fleetsetup', '0') -%}
{%- if FLEETSETUP != 0 %}
launcherpkg:
pkg.installed:
- sources:
{% if grains['os'] == 'CentOS' %}
- launcher-final: salt://launcher/packages/launcher.rpm
{% elif grains['os'] == 'Ubuntu' %}
- launcher-final: salt://launcher/packages/launcher.deb
{% endif %}
{%- endif %}

1
salt/launcher/packages/info.txt Normal file
View File

@@ -0,0 +1 @@
Fleet Packages will be copied to this folder

5
salt/logstash/init.sls
View File

@@ -146,9 +146,14 @@ lslogdir:
- makedirs: True
# Add the container
so-logstashimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-logstash:HH1.0.6
so-logstash:
docker_container.running:
- require:
- so-logstashimage
- image: soshybridhunter/so-logstash:HH1.0.6
- hostname: so-logstash
- name: so-logstash

6
salt/master/init.sls
View File

@@ -46,9 +46,15 @@ acngcopyconf:
- name: /opt/so/conf/aptcacher-ng/etc/acng.conf
- source: salt://master/files/acng/acng.conf
so-acngimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-acng:HH1.0.7
# Install the apt-cacher-ng container
so-aptcacherng:
docker_container.running:
- require:
- so-acngimage
- image: soshybridhunter/so-acng:HH1.0.7
- hostname: so-acng
- port_bindings:

6
salt/mysql/init.sls
View File

@@ -48,8 +48,14 @@ mysqldatadir:
- group: 939
- makedirs: True
so-mysqlimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-mysql:HH1.0.7
so-mysql:
docker_container.running:
- require:
- so-mysqlimage
- image: soshybridhunter/so-mysql:HH1.0.7
- hostname: so-mysql
- user: socore

6
salt/pcap/init.sls
View File

@@ -85,8 +85,14 @@ stenolog:
- group: 941
- makedirs: True
so-stenoimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-steno:HH1.0.3
so-steno:
docker_container.running:
- require:
- so-stenoimage
- image: soshybridhunter/so-steno:HH1.0.3
- network_mode: host
- privileged: True

6
salt/redis/init.sls
View File

@@ -47,8 +47,14 @@ redisconfsync:
toosmooth/so-redis:test2:
docker_image.present
so-redisimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-redis:HH1.0.7
so-redis:
docker_container.running:
- require:
- so-redisimage
- image: soshybridhunter/so-redis:HH1.0.7
- hostname: so-redis
- user: socore

8
salt/soctopus/init.sls
View File

@@ -13,9 +13,15 @@ soctopussync:
- group: 939
- template: jinja
so-soctopusimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.0.8
so-soctopus:
docker_container.running:
- image: soshybridhunter/so-soctopus:HH1.0.7
- require:
- so-soctopusimage
- image: soshybridhunter/so-soctopus:HH1.0.8
- hostname: soctopus
- name: so-soctopus
- binds:

2
salt/ssl/init.sls
View File

@@ -1,4 +1,5 @@
{% set master = salt['grains.get']('master') %}
{%- set masterip = salt['pillar.get']('static:masterip', '') -%}
# Trust the CA
@@ -109,6 +110,7 @@ fbcrtlink:
x509.certificate_managed:
- signing_private_key: /etc/pki/fleet.key
- CN: {{ master }}
- subjectAltName: DNS:{{ master }},IP:{{ masterip }}
- days_remaining: 0
- days_valid: 3650
- backup: True

8
salt/suricata/init.sls
View File

@@ -70,9 +70,15 @@ suriconfigsync:
- group: 940
- template: jinja
so-suricataimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-suricata:HH1.0.8
so-suricata:
docker_container.running:
- image: soshybridhunter/so-suricata:HH1.0.7
- require:
- so-suricataimage
- image: soshybridhunter/so-suricata:HH1.0.8
- privileged: True
- environment:
- INTERFACE={{ interface }}

43
salt/top.sls
View File

@@ -1,6 +1,8 @@
{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
{%- set OSQUERY = salt['pillar.get']('master:osquery', '0') %}
{%- set WAZUH = salt['pillar.get']('master:wazuh', '0') %}
{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') -%}
{%- set OSQUERY = salt['pillar.get']('master:osquery', '0') -%}
{%- set WAZUH = salt['pillar.get']('master:wazuh', '0') -%}
{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') -%}
{%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%}
base:
'G@role:so-sensor':
- ca
@@ -14,6 +16,9 @@ base:
{%- endif %}
- wazuh
- filebeat
{%- if OSQUERY != 0 %}
- launcher
{%- endif %}
- schedule
'G@role:so-eval':
@@ -37,6 +42,7 @@ base:
{%- if OSQUERY != 0 %}
- fleet
- redis
- launcher
{%- endif %}
{%- if WAZUH != 0 %}
- wazuh
@@ -45,6 +51,9 @@ base:
- utility
- schedule
- soctopus
{%- if THEHIVE != 0 %}
- hive
{%- endif %}
'G@role:so-master':
@@ -55,17 +64,28 @@ base:
- master
- idstools
- redis
{%- if OSQUERY != 0 %}
- mysql
{%- endif %}
- elasticsearch
- logstash
- kibana
- elastalert
{%- if WAZUH != 0 %}
- wazuh
{%- endif %}
- filebeat
- utility
- schedule
{%- if OSQUERY != 0 %}
- fleet
- launcher
{%- endif %}
- soctopus
{%- if THEHIVE != 0 %}
- hive
{%- endif %}
# Storage node logic
@@ -74,6 +94,9 @@ base:
- common
- firewall
- logstash
{%- if OSQUERY != 0 %}
- launcher
{%- endif %}
- schedule
'G@role:so-node and I@node:node_type:hot':
@@ -83,6 +106,9 @@ base:
- logstash
- elasticsearch
- curator
{%- if OSQUERY != 0 %}
- launcher
{%- endif %}
- schedule
'G@role:so-node and I@node:node_type:warm':
@@ -90,6 +116,9 @@ base:
- common
- firewall
- elasticsearch
{%- if OSQUERY != 0 %}
- launcher
{%- endif %}
- schedule
'G@role:so-node and I@node:node_type:storage':
@@ -101,8 +130,13 @@ base:
- logstash
- elasticsearch
- curator
{%- if WAZUH != 0 %}
- wazuh
{%- endif %}
- filebeat
{%- if OSQUERY != 0 %}
- launcher
{%- endif %}
- schedule
'G@role:mastersensor':
@@ -110,4 +144,7 @@ base:
- firewall
- sensor
- master
{%- if OSQUERY != 0 %}
- launcher
{%- endif %}
- schedule

6
salt/wazuh/init.sls
View File

@@ -56,8 +56,14 @@ wazuhagentregister:
- mode: 755
- template: jinja
so-wazuhimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-wazuh:HH1.0.7
so-wazuh:
docker_container.running:
- require:
- so-wazuhimage
- image: soshybridhunter/so-wazuh:HH1.0.7
- hostname: {{HOSTNAME}}-wazuh-manager
- name: so-wazuh

522
so-setup-network.sh
View File

@@ -24,19 +24,22 @@ LISTCORES=$(cat /proc/cpuinfo | grep processor | awk '{print $3 " \"" "core" "\"
RANDOMUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
NODE_ES_PORT="9200"
# Reset the Install Log
date -u >~/sosetup.log 2>&1
# End Global Variable Section
# Functions
accept_salt_key_local() {
echo "Accept the key locally on the master" >>~/sosetup.log 2>&1
# Accept the key locally on the master
salt-key -ya $HOSTNAME
}
accept_salt_key_remote() {
echo "Accept the key remotely on the master" >>~/sosetup.log 2>&1
# Delete the key just in case.
ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y
salt-call state.apply ca
@@ -45,6 +48,7 @@ accept_salt_key_remote() {
}
add_master_hostfile() {
echo "Checking if I can resolve master. If not add to hosts file" >>~/sosetup.log 2>&1
# Pop up an input to get the IP address
local MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
@@ -56,6 +60,7 @@ add_master_hostfile() {
}
add_socore_user_master() {
echo "Add socore on the master" >>~/sosetup.log 2>&1
if [ $OS == 'centos' ]; then
local ADDUSER=adduser
else
@@ -70,7 +75,7 @@ add_socore_user_master() {
}
add_socore_user_notmaster() {
echo "Add socore user on non master" >>~/sosetup.log 2>&1
# Add socore user to the non master system. Probably not a bad idea to make system user
groupadd --gid 939 socore
$ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore
@@ -81,7 +86,7 @@ add_socore_user_notmaster() {
auth_pillar(){
if [ ! -f /opt/so/saltstack/pillar/auth.sls ]; then
echo "Creating Auth Pillar"
echo "Creating Auth Pillar" >>~/sosetup.log 2>&1
mkdir -p /opt/so/saltstack/pillar
echo "auth:" >> /opt/so/saltstack/pillar/auth.sls
echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/auth.sls
@@ -92,6 +97,7 @@ auth_pillar(){
# Enable Bro Logs
bro_logs_enabled() {
echo "Enabling Bro Logs" >>~/sosetup.log 2>&1
echo "brologs:" > pillar/brologs.sls
echo " enabled:" >> pillar/brologs.sls
@@ -157,12 +163,13 @@ calculate_useable_cores() {
}
checkin_at_boot() {
echo "Enabling checkin at boot" >>~/sosetup.log 2>&1
echo "startup_states: highstate" >> /etc/salt/minion
}
chown_salt_master() {
# Chown the salt dirs on the master for socore
echo "Chown the salt dirs on the master for socore" >>~/sosetup.log 2>&1
chown -R socore:socore /opt/so
}
@@ -171,6 +178,7 @@ clear_master() {
# Clear out the old master public key in case this is a re-install.
# This only happens if you re-install the master.
if [ -f /etc/salt/pki/minion/minion_master.pub ]; then
echo "Clearing old master key" >>~/sosetup.log 2>&1
rm /etc/salt/pki/minion/minion_master.pub
service salt-minion restart
fi
@@ -181,7 +189,7 @@ configure_minion() {
# You have to pass the TYPE to this function so it knows if its a master or not
local TYPE=$1
echo "Configuring minion type as $TYPE"
echo "Configuring minion type as $TYPE" >>~/sosetup.log 2>&1
touch /etc/salt/grains
echo "role: so-$TYPE" > /etc/salt/grains
if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ]; then
@@ -221,7 +229,7 @@ copy_minion_pillar() {
local TYPE=$1
# Copy over the pillar
echo "Copying the pillar over"
echo "Copying the pillar over" >>~/sosetup.log 2>&1
scp -v -i /root/.ssh/so.key $TMP/$HOSTNAME.sls socore@$MSRV:/opt/so/saltstack/pillar/$TYPE/$HOSTNAME.sls
}
@@ -240,7 +248,7 @@ copy_ssh_key() {
create_bond() {
# Create the bond interface
echo "Setting up Bond"
echo "Setting up Bond" >>~/sosetup.log 2>&1
# Set the MTU
if [ $NSMSETUP != 'ADVANCED' ]; then
@@ -269,17 +277,17 @@ create_bond() {
echo "SLAVE=yes" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
done
nmcli con reload
systemctl restart network
nmcli con reload >>~/sosetup.log 2>&1
systemctl restart network >>~/sosetup.log 2>&1
else
# Need to add 17.04 support still
apt-get -y install ifenslave
apt-get -y install ifenslave >>~/sosetup.log 2>&1
if ! grep -q bonding /etc/modules; then
echo "bonding" >> /etc/modules
fi
modprobe bonding
modprobe bonding >>~/sosetup.log 2>&1
local LBACK=$(awk '/auto lo/,/^$/' /etc/network/interfaces)
local MINT=$(awk "/auto $MNIC/,/^$/" /etc/network/interfaces)
@@ -311,7 +319,7 @@ create_bond() {
echo "iface $BNIC inet manual" >> /etc/network/interfaces.d/$BNIC
echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/$BNIC
echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/$BNIC
echo " post-up ethtool -G \$IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/$BNIC
echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/$BNIC
echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/$BNIC
echo " bond-master bond0" >> /etc/network/interfaces.d/$BNIC
echo " mtu $MTU" >> /etc/network/interfaces.d/$BNIC
@@ -327,7 +335,7 @@ create_bond() {
echo " mtu $MTU" >> /etc/network/interfaces.d/bond0
echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/bond0
echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/bond0
echo " post-up ethtool -G \$IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/bond0
echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/bond0
echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/bond0
fi
@@ -336,14 +344,14 @@ create_bond() {
detect_os() {
# Detect Base OS
echo "Detecting Base OS"
echo "Detecting Base OS" >>~/sosetup.log 2>&1
if [ -f /etc/redhat-release ]; then
OS=centos
yum -y install bind-utils
elif [ -f /etc/os-release ]; then
OS=ubuntu
else
echo "We were unable to determine if you are using a supported OS."
echo "We were unable to determine if you are using a supported OS." >>~/sosetup.log 2>&1
exit
fi
@@ -358,7 +366,7 @@ docker_install() {
yum -y update
yum -y install docker-ce docker-python python-docker
docker_registry
echo "Restarting Docker"
echo "Restarting Docker" >>~/sosetup.log 2>&1
systemctl restart docker
systemctl enable docker
@@ -366,17 +374,17 @@ docker_install() {
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
apt-get update >>~/sosetup.log 2>&1
apt-get -y install docker-ce >>~/sosetup.log 2>&1
docker_registry
echo "Restarting Docker"
systemctl restart docker
docker_registry >>~/sosetup.log 2>&1
echo "Restarting Docker" >>~/sosetup.log 2>&1
systemctl restart docker >>~/sosetup.log 2>&1
else
apt-key add $TMP/gpg/docker.pub
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
apt-key add $TMP/gpg/docker.pub >>~/sosetup.log 2>&1
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >>~/sosetup.log 2>&1
apt-get update >>~/sosetup.log 2>&1
apt-get -y install docker-ce >>~/sosetup.log 2>&1
docker_registry
echo "Restarting Docker"
systemctl restart docker
docker_registry >>~/sosetup.log 2>&1
echo "Restarting Docker" >>~/sosetup.log 2>&1
systemctl restart docker >>~/sosetup.log 2>&1
fi
fi
@@ -384,13 +392,13 @@ docker_install() {
docker_registry() {
echo "Setting up Docker Registry"
mkdir -p /etc/docker
echo "Setting up Docker Registry" >>~/sosetup.log 2>&1
mkdir -p /etc/docker >>~/sosetup.log 2>&1
# Make the host use the master docker registry
echo "{" > /etc/docker/daemon.json
echo " \"registry-mirrors\": [\"https://$MSRV:5000\"]" >> /etc/docker/daemon.json
echo "}" >> /etc/docker/daemon.json
echo "Docker Registry Setup - Complete"
echo "Docker Registry Setup - Complete" >>~/sosetup.log 2>&1
}
@@ -489,7 +497,7 @@ install_master() {
# Install the salt master package
if [ $OS == 'centos' ]; then
yum -y install wget salt-common salt-master
yum -y install wget salt-common salt-master >>~/sosetup.log 2>&1
# Create a place for the keys for Ubuntu minions
mkdir -p /opt/so/gpg
@@ -535,27 +543,6 @@ master_pillar() {
echo " ls_input_threads: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " ls_batch_count: 125" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " mtu: 1500" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
if [ $EVALADVANCED == 'ADVANCED' ]; then
if [ $EVALGRAFANA == '0' ]; then
echo " grafana: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
else
echo " grafana: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
fi
if [ $EVALOSQUERY == '0' ]; then
echo " osquery: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
else
echo " osquery: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
fi
if [ $EVALWAZUH == '0' ]; then
echo " wazuh: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
else
echo " wazuh: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
fi
else
echo " grafana: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " osquery: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " wazuh: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
fi
else
echo " freq: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
@@ -574,7 +561,10 @@ master_pillar() {
echo " cur_close_days: $CURCLOSEDAYS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
#echo " mysqlpass: $MYSQLPASS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
#echo " fleetpass: $FLEETPASS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " grafana: $GRAFANA" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " osquery: $OSQUERY" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " wazuh: $WAZUH" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " thehive: $THEHIVE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
}
master_static() {
@@ -592,6 +582,7 @@ master_static() {
echo " hiveuser: hiveadmin" >> /opt/so/saltstack/pillar/static.sls
echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls
echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls
echo " fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls
if [[ $MASTERUPDATES == 'MASTER' ]]; then
echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
else
@@ -630,6 +621,20 @@ node_pillar() {
}
process_components() {
CLEAN=${COMPONENTS//\"}
GRAFANA=0
OSQUERY=0
WAZUH=0
THEHIVE=0
IFS=$' '
for item in $(echo "$CLEAN"); do
let $item=1
done
unset IFS
}
saltify() {
# Install updates and Salt
@@ -863,25 +868,25 @@ salt_checkin() {
# Master State to Fix Mine Usage
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
echo "Building Certificate Authority"
salt-call state.apply ca
salt-call state.apply ca >>~/sosetup.log 2>&1
echo " *** Restarting Salt to fix any SSL errors. ***"
service salt-master restart
service salt-master restart >>~/sosetup.log 2>&1
sleep 5
service salt-minion restart
service salt-minion restart >>~/sosetup.log 2>&1
sleep 15
echo " Applyng a mine hack "
sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt
sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >>~/sosetup.log 2>&1
echo " Applying SSL state "
salt-call state.apply ssl
salt-call state.apply ssl >>~/sosetup.log 2>&1
echo "Still Working... Hang in there"
salt-call state.highstate
#salt-call state.highstate
else
# Run Checkin
salt-call state.apply ca
salt-call state.apply ssl
salt-call state.highstate
salt-call state.apply ca >>~/sosetup.log 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1
#salt-call state.highstate >>~/sosetup.log 2>&1
fi
@@ -1145,6 +1150,14 @@ whiptail_cur_close_days() {
whiptail_check_exitstatus $exitstatus
}
whiptail_enable_components() {
COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
"Select Components to install" 20 78 8 \
"GRAFANA" "Enable Grafana for system monitoring" ON \
"OSQUERY" "Enable Fleet with osquery" ON \
"WAZUH" "Enable Wazuh" ON \
"THEHIVE" "Enable TheHive" ON 3>&1 1>&2 2>&3 )
}
whiptail_eval_adv() {
EVALADVANCED=$(whiptail --title "Security Onion Setup" --radiolist \
@@ -1153,24 +1166,6 @@ whiptail_eval_adv() {
"ADVANCED" "Choose additional components to be installed" OFF 3>&1 1>&2 2>&3 )
}
whiptail_eval_adv_service_grafana() {
whiptail --title "Eval Advanced Setup" --yesno "Would you like to enable Grafana for detailed monitoring?" 8 78
local exitstatus=$?
EVALGRAFANA=$exitstatus
}
whiptail_eval_adv_service_osquery() {
whiptail --title "Eval Advanced Setup" --yesno "Would you like to enable OSquery for client monitoring?" 8 78
local exitstatus=$?
EVALOSQUERY=$exitstatus
}
whiptail_eval_adv_service_wazuh() {
whiptail --title "Eval Advanced Setup" --yesno "Would you like to enable Wazuh for client monitoring?" 8 78
local exitstatus=$?
EVALWAZUH=$exitstatus
}
whiptail_eval_adv_warning() {
whiptail --title "Security Onion Setup" --msgbox "Please keep in mind the more services that you enable the more RAM that is required." 8 78
}
@@ -1349,23 +1344,6 @@ whiptail_master_adv_service_brologs() {
"x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
}
whiptail_master_adv_service_grafana() {
echo "blah"
}
whiptail_master_adv_service_osquery() {
#MOSQ=$()
echo "blah"
}
whiptail_master_adv_service_wazuh() {
echo "blah"
}
whiptail_network_notice() {
whiptail --title "Security Onion Setup" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Hit YES to continue." 8 78
@@ -1484,6 +1462,14 @@ whiptail_setup_complete() {
}
whiptail_setup_failed() {
whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see /root/sosetup.log for details" 8 78
install_cleanup
exit
}
whiptail_shard_count() {
SHARDCOUNT=$(whiptail --title "Security Onion Setup" --inputbox \
@@ -1602,6 +1588,8 @@ if (whiptail_you_sure); then
# Find out how to handle updates
whiptail_master_updates
whiptail_enable_components
process_components
# Do Advacned Setup if they chose it
if [ $MASTERADV == 'ADVANCED' ]; then
@@ -1609,9 +1597,6 @@ if (whiptail_you_sure); then
if [ $BROVERSION != 'SURICATA' ]; then
whiptail_master_adv_service_brologs
fi
whiptail_master_adv_service_osquery
whiptail_master_adv_service_grafana
whiptail_master_adv_service_wazuh
fi
# Last Chance to back out
@@ -1635,60 +1620,91 @@ if (whiptail_you_sure); then
add_socore_user_master
# Install salt and dependencies
echo " ** Installing Salt and Dependencies **"
{
sleep 0.5
echo -e "XXX\n0\nInstalling and configuring Salt... \nXXX"
echo " ** Installing Salt and Dependencies **" >>~/sosetup.log
saltify >>~/sosetup.log 2>&1
docker_install
# Configure the Minion
echo " ** Configuring Minion **"
echo -e "XXX\n5\nInstalling Docker... \nXXX"
docker_install >>~/sosetup.log 2>&1
echo -e "XXX\n10\nConfiguring Salt Master... \nXXX"
echo " ** Configuring Minion **" >>~/sosetup.log
configure_minion master >>~/sosetup.log 2>&1
# Install the salt master
echo " ** Installing Salt Master **"
echo " ** Installing Salt Master **" >>~/sosetup.log
install_master >>~/sosetup.log 2>&1
# Copy the data over
salt_master_directories >>~/sosetup.log 2>&1
# Update sudoers file to allow keys and firewalls to be changed
update_sudoers
# Change perms on the master dir
chown_salt_master
# Determine the ES Heap Size
es_heapsize
# Determine the Logstash Heap Size
ls_heapsize
# Set the static values
master_static
echo "** Generating the master pillar **"
master_pillar
update_sudoers >>~/sosetup.log 2>&1
chown_salt_master >>~/sosetup.log 2>&1
es_heapsize >>~/sosetup.log 2>&1
ls_heapsize >>~/sosetup.log 2>&1
echo -e "XXX\n25\nConfiguring Default Pillars... \nXXX"
master_static >>~/sosetup.log 2>&1
echo "** Generating the master pillar **" >>~/sosetup.log
master_pillar >>~/sosetup.log 2>&1
echo -e "XXX\n30\nAccepting Salt Keys... \nXXX"
# Do a checkin to push the key up
echo "** Pushing the key up to Master **"
echo "** Pushing the key up to Master **" >>~/sosetup.log
salt_firstcheckin >>~/sosetup.log 2>&1
# Accept the Master Key
echo "** Accepting the key on the master **"
accept_salt_key_local
echo "** Accepting the key on the master **" >>~/sosetup.log
accept_salt_key_local >>~/sosetup.log 2>&1
echo -e "XXX\n35\nConfiguring Firewall... \nXXX"
# Open the firewall
echo "** Setting the initial firewall policy **"
set_initial_firewall_policy
echo "** Setting the initial firewall policy **" >>~/sosetup.log
set_initial_firewall_policy >>~/sosetup.log 2>&1
# Do the big checkin but first let them know it will take a bit.
salt_checkin_message
salt_checkin
echo -e "XXX\n40\nGenerating CA... \nXXX"
salt_checkin >>~/sosetup.log 2>&1
salt-call state.apply ca >>~/sosetup.log 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1
echo -e "XXX\n43\nInstalling Common Components... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1
echo -e "XXX\n45\nApplying firewall rules... \nXXX"
salt-call state.apply firewall >>~/sosetup.log 2>&1
salt-call state.apply master >>~/sosetup.log 2>&1
salt-call state.apply idstools >>~/sosetup.log 2>&1
echo -e "XXX\n40\nInstalling Redis... \nXXX"
salt-call state.apply redis >>~/sosetup.log 2>&1
if [[ $OSQUERY == '1' ]]; then
echo -e "XXX\n41\nInstalling MySQL... \nXXX"
salt-call state.apply mysql >>~/sosetup.log 2>&1
fi
echo -e "XXX\n45\nInstalling Elastic Components... \nXXX"
salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
salt-call state.apply logstash >>~/sosetup.log 2>&1
salt-call state.apply kibana >>~/sosetup.log 2>&1
salt-call state.apply elastalert >>~/sosetup.log 2>&1
if [[ $WAZUH == '1' ]]; then
echo -e "XXX\n68\nInstalling Wazuh... \nXXX"
salt-call state.apply wazuh >>~/sosetup.log 2>&1
fi
echo -e "XXX\n75\nInstalling Filebeat... \nXXX"
salt-call state.apply filebeat >>~/sosetup.log 2>&1
salt-call state.apply utility >>~/sosetup.log 2>&1
salt-call state.apply schedule >>~/sosetup.log 2>&1
if [[ $OSQUERY == '1' ]]; then
echo -e "XXX\n79\nInstalling Fleet... \nXXX"
salt-call state.apply fleet >>~/sosetup.log 2>&1
salt-call state.apply launcher >>~/sosetup.log 2>&1
fi
echo -e "XXX\n85\nConfiguring SOctopus... \nXXX"
salt-call state.apply soctopus >>~/sosetup.log 2>&1
if [[ $THEHIVE == '1' ]]; then
echo -e "XXX\n87\nInstalling TheHive... \nXXX"
salt-call state.apply hive >>~/sosetup.log 2>&1
fi
echo -e "XXX\n75\nEnabling Checking at Boot... \nXXX"
checkin_at_boot >>~/sosetup.log 2>&1
echo -e "XXX\n95\nVerifying Install... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1
# Enable salt to run a checking when the service starts
checkin_at_boot
# We are done!
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then
whiptail_setup_complete
else
whiptail_setup_failed
fi
fi
@@ -1721,23 +1737,47 @@ if (whiptail_you_sure); then
get_filesystem_root
get_filesystem_nsm
copy_ssh_key
set_initial_firewall_policy
create_bond
sensor_pillar
saltify
docker_install
configure_minion sensor
copy_minion_pillar sensors
salt_firstcheckin
{
sleep 0.5
echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
set_initial_firewall_policy >>~/sosetup.log 2>&1
echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
create_bond >>~/sosetup.log 2>&1
echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
sensor_pillar >>~/sosetup.log 2>&1
echo -e "XXX\n5\nInstalling Salt Components... \nXXX"
saltify >>~/sosetup.log 2>&1
echo -e "XXX\n20\nInstalling Docker... \nXXX"
docker_install >>~/sosetup.log 2>&1
echo -e "XXX\n22\nConfiguring Salt Minion... \nXXX"
configure_minion sensor >>~/sosetup.log 2>&1
echo -e "XXX\n24\nCopying Sensor Pillar to Master... \nXXX"
copy_minion_pillar sensors >>~/sosetup.log 2>&1
echo -e "XXX\n25\nSending Salt Key to Master... \nXXX"
salt_firstcheckin >>~/sosetup.log 2>&1
echo -e "XXX\n26\nTelling the Master to Accept Key... \nXXX"
# Accept the Salt Key
accept_salt_key_remote
# Do the big checkin but first let them know it will take a bit.
salt_checkin_message
salt_checkin
checkin_at_boot
accept_salt_key_remote >>~/sosetup.log 2>&1
echo -e "XXX\n27\nApplying SSL Certificates... \nXXX"
salt-call state.apply ca >>~/sosetup.log 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1
echo -e "XXX\n35\nInstalling Core Components... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1
salt-call state.apply firewall >>~/sosetup.log 2>&1
echo -e "XXX\n50\nInstalling PCAP... \nXXX"
salt-call state.apply pcap >>~/sosetup.log 2>&1
echo -e "XXX\n60\nInstalling IDS components... \nXXX"
salt-call state.apply suricata >>~/sosetup.log 2>&1
echo -e "XXX\n80\nVerifying Install... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1
checkin_at_boot >>~/sosetup.log 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then
whiptail_setup_complete
else
whiptail_setup_failed
fi
fi
#######################
@@ -1756,15 +1796,8 @@ if (whiptail_you_sure); then
# Snag the HOME_NET
whiptail_homenet_master
# Ask about advanced mode
whiptail_eval_adv
if [ $EVALADVANCED == 'ADVANCED' ]; then
whiptail_eval_adv_warning
whiptail_eval_adv_service_grafana
whiptail_eval_adv_service_osquery
whiptail_eval_adv_service_wazuh
fi
whiptail_enable_components
# Set a bunch of stuff since this is eval
es_heapsize
@@ -1780,6 +1813,7 @@ if (whiptail_you_sure); then
NIDS=Suricata
BROVERSION=ZEEK
CURCLOSEDAYS=30
process_components
whiptail_make_changes
#eval_mode_hostsfile
generate_passwords
@@ -1795,29 +1829,107 @@ if (whiptail_you_sure); then
echo "**** Please set a password for socore. You will use this password when setting up other Nodes/Sensors"
echo ""
add_socore_user_master
create_bond
saltify
docker_install
install_master
# Copy the data over
salt_master_directories
update_sudoers
# Change perms on the master dir
chown_salt_master
{
sleep 0.5
echo -e "XXX\n0\nCreating Bond Interface... \nXXX"
create_bond >>~/sosetup.log 2>&1
echo -e "XXX\n1\nInstalling saltstack... \nXXX"
saltify >>~/sosetup.log 2>&1
echo -e "XXX\n3\nInstalling docker... \nXXX"
docker_install >>~/sosetup.log 2>&1
echo -e "XXX\n5\nInstalling master code... \nXXX"
install_master >>~/sosetup.log 2>&1
echo -e "XXX\n6\nCopying salt code... \nXXX"
salt_master_directories >>~/sosetup.log 2>&1
echo -e "XXX\n6\nupdating suduers... \nXXX"
update_sudoers >>~/sosetup.log 2>&1
echo -e "XXX\n7\nFixing some permissions... \nXXX"
chown_salt_master >>~/sosetup.log 2>&1
echo -e "XXX\n7\nCreating the static pillar... \nXXX"
# Set the static values
master_static
echo "** Generating the master pillar **"
master_pillar
configure_minion eval
set_node_type
node_pillar
set_initial_firewall_policy
salt_firstcheckin
accept_salt_key_local
salt_checkin_message
salt_checkin
checkin_at_boot
master_static >>~/sosetup.log 2>&1
echo -e "XXX\n7\nCreating the master pillar... \nXXX"
master_pillar >>~/sosetup.log 2>&1
echo -e "XXX\n7\nConfiguring minion... \nXXX"
configure_minion eval >>~/sosetup.log 2>&1
echo -e "XXX\n7\nSetting the node type to eval... \nXXX"
set_node_type >>~/sosetup.log 2>&1
echo -e "XXX\n7\nStorage node pillar... \nXXX"
node_pillar >>~/sosetup.log 2>&1
echo -e "XXX\n8\nCreating firewall policies... \nXXX"
set_initial_firewall_policy >>~/sosetup.log 2>&1
echo -e "XXX\n10\nRegistering agent... \nXXX"
salt_firstcheckin >>~/sosetup.log 2>&1
echo -e "XXX\n11\nAccepting Agent... \nXXX"
accept_salt_key_local >>~/sosetup.log 2>&1
echo -e "XXX\n12\nRunning the SSL states... \nXXX"
salt_checkin >>~/sosetup.log 2>&1
salt-call state.apply ca >>~/sosetup.log 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1
echo -e "XXX\n15\nInstalling core components... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1
echo -e "XXX\n18\nInitializing firewall rules... \nXXX"
salt-call state.apply firewall >>~/sosetup.log 2>&1
echo -e "XXX\n25\nInstalling master components... \nXXX"
salt-call state.apply master >>~/sosetup.log 2>&1
salt-call state.apply idstools >>~/sosetup.log 2>&1
if [[ $OSQUERY == '1' ]]; then
salt-call state.apply mysql >>~/sosetup.log 2>&1
fi
echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX"
salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
echo -e "XXX\n40\nInstalling Logstash... \nXXX"
salt-call state.apply logstash >>~/sosetup.log 2>&1
echo -e "XXX\n45\nInstalling ElasticSearch... \nXXX"
salt-call state.apply kibana >>~/sosetup.log 2>&1
echo -e "XXX\n50\nInstalling pcap... \nXXX"
salt-call state.apply pcap >>~/sosetup.log 2>&1
echo -e "XXX\n52\nInstalling Suricata... \nXXX"
salt-call state.apply suricata >>~/sosetup.log 2>&1
echo -e "XXX\n54\nInstalling Zeek... \nXXX"
salt-call state.apply bro >>~/sosetup.log 2>&1
echo -e "XXX\n56\nInstalling curator... \nXXX"
salt-call state.apply curator >>~/sosetup.log 2>&1
echo -e "XXX\n58\nInstalling elastalert... \nXXX"
salt-call state.apply elastalert >>~/sosetup.log 2>&1
if [[ $OSQUERY == '1' ]]; then
echo -e "XXX\n60\nInstalling fleet... \nXXX"
salt-call state.apply fleet >>~/sosetup.log 2>&1
salt-call state.apply redis >>~/sosetup.log 2>&1
fi
if [[ $WAZUH == '1' ]]; then
echo -e "XXX\n65\nInstalling Wazuh components... \nXXX"
salt-call state.apply wazuh >>~/sosetup.log 2>&1
fi
echo -e "XXX\n85\nInstalling filebeat... \nXXX"
salt-call state.apply filebeat >>~/sosetup.log 2>&1
salt-call state.apply utility >>~/sosetup.log 2>&1
echo -e "XXX\n95\nInstalling misc components... \nXXX"
salt-call state.apply schedule >>~/sosetup.log 2>&1
salt-call state.apply soctopus >>~/sosetup.log 2>&1
if [[ $THEHIVE == '1' ]]; then
salt-call state.apply hive >>~/sosetup.log 2>&1
fi
echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX"
checkin_at_boot >>~/sosetup.log 2>&1
echo -e "XXX\n99\nVerifying Setup... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
if [ $OS == 'centos' ]; then
if [[ $GOODSETUP == '1' ]]; then
whiptail_setup_complete
else
whiptail_setup_failed
fi
else
if [[ $GOODSETUP == '0' ]]; then
whiptail_setup_complete
else
whiptail_setup_failed
fi
fi
fi
###################
@@ -1857,6 +1969,46 @@ if (whiptail_you_sure); then
get_filesystem_root
get_filesystem_nsm
copy_ssh_key
{
sleep 0.5
echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
set_initial_firewall_policy >>~/sosetup.log 2>&1
echo -e "XXX\n5\nInstalling Salt Packages... \nXXX"
saltify >>~/sosetup.log 2>&1
echo -e "XXX\n20\nInstalling Docker... \nXXX"
docker_install >>~/sosetup.log 2>&1
echo -e "XXX\n30\nInitializing Minion... \nXXX"
configure_minion node >>~/sosetup.log 2>&1
set_node_type >>~/sosetup.log 2>&1
node_pillar >>~/sosetup.log 2>&1
copy_minion_pillar nodes >>~/sosetup.log 2>&1
echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX"
salt_firstcheckin >>~/sosetup.log 2>&1
# Accept the Salt Key
accept_salt_key_remote >>~/sosetup.log 2>&1
echo -e "XXX\n40\nApplying SSL Certificates... \nXXX"
salt-call state.apply ca >>~/sosetup.log 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1
echo -e "XXX\n50\nConfiguring Firewall... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1
salt-call state.apply firewall >>~/sosetup.log 2>&1
echo -e "XXX\n70\nInstalling Elastic Components... \nXXX"
salt-call state.apply logstash >>~/sosetup.log 2>&1
salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
salt-call state.apply curator >>~/sosetup.log 2>&1
salt-call state.apply filebeat >>~/sosetup.log 2>&1
echo -e "XXX\n90\nVerifying Install... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1
checkin_at_boot >>~/sosetup.log 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then
whiptail_setup_complete
else
whiptail_setup_failed
fi
set_initial_firewall_policy
saltify
docker_install