diff --git a/README.md b/README.md index 2d0602b3a..944c1f91f 100644 --- a/README.md +++ b/README.md 
@@ -1,21 +1,19 @@ -## Hybrid Hunter 1.0.8 +## Hybrid Hunter Alpha 1.1.0 ### Changes: -- Suricata 4.1.4 -- Eval and Master installs now ask which components you would like to install -- Fleet (osquery) now has it's own additional setup script. [See the docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Configuring-Osquery-with-Security-Onion) -- Fleet setup script now generates auto install packages for Windows, CentOS, and Ubuntu -- When Fleet setup is completed, all SO nodes will auto install the appropriate auto install package -- We now have a progress bar during install! -- The setup script will now tell you if it was successful -- Added Grafana plugin Pie Chart -- The Hive Docker moved to Centos 7 based container. [See the docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/The-Hive) - -### Notes: -- Attempting to send a Bro event to The Hive that does not contain a source and destination IP (ex. Bro files, or X509) will result in an exception - a fix for this will be implemented in the next release. -- If attempting to pivot from Kibana, ensure that you can resolve the master via DNS -- otherwise, populate your local hosts file with an entry to point to the master. - +- Alpha is here!! Check out the [[Hybrid Hunter Quick Start Guide|Hybrid-Hunter-Quick-Start-Guide]]. +- There is a new PCAP interface called [Sensoroni](https://github.com/sensoroni/sensoroni). Pivoting is done via Kibana. See details [[here|Pulling-PCAP]]. +- Bond interface setup now uses `nmcli` for better compatibility in the network based setup script. +- Filebeat traffic for HH components now use a separate port (5644). This will allow you to send Beats to the default port (5044) and choose how you want to secure it. It is still recommended to use full SSL via Filebeat and if you already have this set up you will need to change to port 5044. We will continue to refine this in future versions. 
+- Authentication is now enabled by default for all the web based components. There will be some major changes before we get to beta with how authentication in general is handled due to Elastic "Features" and other components. +- Add users to the web interface via `so-user-add` and follow the prompts. +- `so-allow` now exists to make your life easier. +- Bro 2.6.2. +- All Docker images were updated to reflect Alpha status. +- Disabled DEBUG logging on a lot of components to reduce space usage. +- Added a rule update cron job so the master pulls new rules down every day at 7AM UTC. +- You can now manually run a rule update using the `so-rule-update` command. ### Warnings and Disclaimers diff --git a/pillar/firewall/wazuh_endpoint.sls b/pillar/firewall/wazuh_endpoint.sls new file mode 100644 index 000000000..d5d1a52f8 --- /dev/null +++ b/pillar/firewall/wazuh_endpoint.sls @@ -0,0 +1,2 @@ +wazuh_endpoint: + - 127.0.0.1 diff --git a/salt/bro/files/local.bro b/salt/bro/files/local.bro index 236f855bf..42112f7ee 100644 --- a/salt/bro/files/local.bro +++ b/salt/bro/files/local.bro @@ -100,7 +100,7 @@ # Uncomment the following line to enable the SMB analyzer. The analyzer # is currently considered a preview and therefore not loaded by default. -@load policy/protocols/smb +@load base/protocols/smb # Add the interface to the log event #@load securityonion/add-interface-to-logs.bro diff --git a/salt/bro/init.sls b/salt/bro/init.sls index eada1103c..734255536 100644 --- a/salt/bro/init.sls +++ b/salt/bro/init.sls @@ -125,13 +125,13 @@ localbrosync: so-broimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-bro:HH1.0.6 + - name: docker pull --disable-content-trust=false soshybridhunter/so-bro:HH1.1.0 so-bro: docker_container.running: - require: - so-broimage - - image: soshybridhunter/so-bro:HH1.0.6 + - image: soshybridhunter/so-bro:HH1.1.0 - privileged: True - binds: - /nsm/bro/logs:/nsm/bro/logs:rw 
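Review bot: The comment immediately above `@load base/protocols/smb` still reads "Uncomment the following line to enable the SMB analyzer ... not loaded by default", but the line is not commented, so after this change the SMB analyzer is loaded unconditionally. Suggest replacing those two comment lines with `# The SMB analyzer is loaded by default; comment out the next line to disable it.` so the file documents what it actually does.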
diff --git a/salt/common/init.sls b/salt/common/init.sls index b582deda2..b61a0b7e9 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -41,9 +41,11 @@ sensorpkgs: {% if grains['os'] != 'CentOS' %} - python-docker - python-m2crypto + - apache2-utils {% else %} - net-tools - tcpdump + - httpd-tools {% endif %} # Always keep these packages up to date @@ -61,6 +63,16 @@ alwaysupdated: Etc/UTC: timezone.system +# Sync some Utilities +utilsyncscripts: + file.recurse: + - name: /usr/sbin + - user: 0 + - group: 0 + - file_mode: 755 + - template: jinja + - source: salt://common/tools/sbin + # Make sure Docker is running! docker: service.running: @@ -104,13 +116,13 @@ nginxtmp: # Start the core docker so-coreimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-core:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-core:HH1.1.0 so-core: docker_container.running: - require: - so-coreimage - - image: soshybridhunter/so-core:HH1.0.8 + - image: soshybridhunter/so-core:HH1.1.0 - hostname: so-core - user: socore - binds: @@ -164,13 +176,13 @@ tgrafconf: so-telegrafimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-telegraf:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-telegraf:HH1.1.0 so-telegraf: docker_container.running: - require: - so-telegrafimage - - image: soshybridhunter/so-telegraf:HH1.0.7 + - image: soshybridhunter/so-telegraf:HH1.1.0 - environment: - HOST_PROC=/host/proc - HOST_ETC=/host/etc 
@@ -225,13 +237,13 @@ influxdbconf: so-influximage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-influxdb:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-influxdb:HH1.1.0 so-influxdb: docker_container.running: - require: - so-influximage - - image: soshybridhunter/so-influxdb:HH1.0.7 + - image: soshybridhunter/so-influxdb:HH1.1.0 - hostname: influxdb - environment: - INFLUXDB_HTTP_LOG_ENABLED=false @@ -242,6 +254,8 @@ so-influxdb: - /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro - port_bindings: - 0.0.0.0:8086:8086 + - watch: + - file: /opt/so/conf/influxdb/etc/influxdb.conf # Grafana all the things grafanadir: @@ -355,7 +369,7 @@ dashboard-{{ SN }}: - defaults: SERVERNAME: {{ SN }} MANINT: {{ SNDATA.manint }} - MONINT: {{ SNDATA.monint }} + MONINT: {{ SNDATA.manint }} CPUS: {{ SNDATA.totalcpus }} UID: {{ SNDATA.guid }} ROOTFS: {{ SNDATA.rootfs }} @@ -386,9 +400,13 @@ dashboard-{{ SN }}: {% endif %} # Install the docker. This needs to be behind nginx at some point +so-grafanaimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-grafana:HH1.1.0 + so-grafana: docker_container.running: - - image: soshybridhunter/so-grafana:HH1.0.8 + - image: soshybridhunter/so-grafana:HH1.1.0 - hostname: grafana - user: socore - binds: diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/common/nginx/nginx.conf.so-eval index 3b0a0d4a1..3230e8edd 100644 --- a/salt/common/nginx/nginx.conf.so-eval +++ b/salt/common/nginx/nginx.conf.so-eval @@ -100,6 +100,8 @@ http { } location /kibana/ { + auth_basic "Security Onion"; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; rewrite /kibana/(.*) /$1 break; proxy_pass http://{{ masterip }}:5601/; proxy_read_timeout 90; 
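Review bot: `MONINT: {{ SNDATA.manint }}` hands the management interface to the dashboard's monitor-interface slot, so MANINT and MONINT now render identically and any panel keyed on the monitor interface will show management traffic instead. If this is a workaround for sensors whose pillar has no `monint`, `MONINT: {{ SNDATA.monint | default(SNDATA.manint) }}` keeps the distinction where it exists; if it is a typo, the original `SNDATA.monint` should be restored. The enclosing `dashboard-{{ SN }}` state starts outside the hunk.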
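Review bot: The new `so-grafanaimage` pull state is not referenced by `so-grafana`, so unlike every other container in this commit (`so-core` has `- require: - so-coreimage`, `so-influxdb` has `- so-influximage`) there is no ordering guarantee that the pull has run before `docker_container.running` starts the `HH1.1.0` image. Add `- require:` / `  - so-grafanaimage` under `docker_container.running:` to match the other states. The `so-grafana` state's binds continue outside the hunk.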
@@ -125,6 +127,8 @@ http { } location /fleet/ { + auth_basic "Security Onion"; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; rewrite /fleet/(.*) /$1 break; proxy_pass https://{{ masterip }}:8080/; proxy_read_timeout 90; @@ -157,6 +161,42 @@ http { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; + } + + location /sensoroni/ { + auth_basic "Security Onion"; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + + } + + location /kibana/app/sensoroni/ { + rewrite ^/kibana/app/sensoroni/(.*) /sensoroni/$1 permanent; + } + + location /kibana/app/fleet/ { + rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; + } + + location /kibana/app/soctopus/ { + rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; + } + + location /sensoroniagents/ { + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + } error_page 404 /404.html; location = /40x.html { diff --git a/salt/common/nginx/nginx.conf.so-master b/salt/common/nginx/nginx.conf.so-master index c0eada231..7999a7027 100644 --- a/salt/common/nginx/nginx.conf.so-master +++ b/salt/common/nginx/nginx.conf.so-master @@ -100,6 +100,8 @@ http { } location /kibana/ { + auth_basic "Security Onion"; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; rewrite /kibana/(.*) /$1 break; proxy_pass http://{{ masterip }}:5601/; proxy_read_timeout 90; 
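Review bot: `location /sensoroniagents/` proxies to the same upstream root `http://{{ masterip }}:9822/` as `location /sensoroni/` but has no `auth_basic`/`auth_basic_user_file`, so the basic-auth gate this commit adds to `/sensoroni/` covers only one of two nginx paths into the same backend; the so-master file below repeats the pattern. Whether this matters depends on the backend's own checks: the server config in this commit sets `anonymousCidr` to `172.17.0.0/24`, and if requests proxied by the so-core container originate from that range the static-key module would not apply to them either, which is worth confirming on a test install. If the agent API lives under a distinct prefix, limiting the `proxy_pass` for `/sensoroniagents/` to that prefix, or applying the same `auth_basic` to it and giving agents a separate port, closes the gap.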
@@ -126,6 +128,8 @@ http { location /fleet/ { rewrite /fleet/(.*) /$1 break; + auth_basic "Security Onion"; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass https://{{ masterip }}:8080/; proxy_read_timeout 90; proxy_connect_timeout 90; @@ -159,6 +163,43 @@ http { } + location /sensoroni/ { + auth_basic "Security Onion"; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + + } + + location /kibana/app/sensoroni/ { + rewrite ^/kibana/app/sensoroni/(.*) /sensoroni/$1 permanent; + } + + location /kibana/app/fleet/ { + rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; + } + + location /kibana/app/soctopus/ { + rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; + } + + + location /sensoroniagents/ { + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + + } + error_page 404 /404.html; location = /40x.html { } diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow new file mode 100644 index 000000000..1685e386a --- /dev/null +++ b/salt/common/tools/sbin/so-allow 
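Review bot: In `location /fleet/` the two `auth_basic` lines are inserted after `rewrite /fleet/(.*) /$1 break;`, while the so-eval variant of this block puts them before the rewrite. nginx runs `auth_basic` in the access phase regardless of where the directive sits, so the result should be identical, but keeping both files in the same order makes them diffable; suggest moving the two lines above the `rewrite`.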
@@ -0,0 +1,42 @@
+#!/bin/bash
+got_root() {
+
+ # Make sure you are root
+ if [ "$(id -u)" -ne 0 ]; then
+ echo "This script must be run using sudo!"
+ exit 1
+ fi
+
+}
+
+got_root
+
+echo "This program allows you to add a firewall rule to allow connections from a new IP address."
+echo ""
+echo "Choose the role for the IP or Range you would like to add"
+echo ""
+echo "[a] - Analyst - ports 80/tcp and 443/tcp"
+echo "[b] - Logstash Beat - port 5044/tcp"
+echo "[o] - Osquery endpoint - port 8080/tcp"
+echo "[w] - Wazuh endpoint - port 1514"
+echo ""
+echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
+read ROLE
+echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
+read IP
+
+if [ "$ROLE" == "a" ]; then
+ FULLROLE=analyst
+elif [ "$ROLE" == "b" ]; then
+ FULLROLE=beats_endpoint
+elif [ "$ROLE" == "o" ]; then
+ FULLROLE=osquery_endpoint
+elif [ "$ROLE" == "w" ]; then
+ FULLROLE=wazuh_endpoint
+else
+ echo "I don't recognize that role"
+ exit 1
+fi
+
+echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
+/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
diff --git a/salt/common/tools/sbin/so-rule-update b/salt/common/tools/sbin/so-rule-update
new file mode 100644
index 000000000..f50d49322
--- /dev/null
+++ b/salt/common/tools/sbin/so-rule-update
@@ -0,0 +1,13 @@
+#!/bin/bash
+got_root() {
+
+ # Make sure you are root
+ if [ "$(id -u)" -ne 0 ]; then
+ echo "This script must be run using sudo!"
+ exit 1
+ fi
+
+}
+
+got_root
+docker exec -it so-idstools /bin/bash -c 'cd /opt/so/idstools/etc && idstools-rulecat'
diff --git a/salt/common/tools/sbin/so-user-add b/salt/common/tools/sbin/so-user-add
new file mode 100644
index 000000000..930e02d7d
--- /dev/null
+++ b/salt/common/tools/sbin/so-user-add
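Review bot: `read IP` accepts arbitrary text and the last line passes it and `$FULLROLE` unquoted to `/opt/so/saltstack/pillar/firewall/addfirewall.sh`, so a value containing spaces or shell metacharacters is word-split into extra arguments for a script that writes firewall pillar data, and a mistyped value such as a hostname is only detected, if at all, downstream. Both `read` calls also lack `-r`, so backslashes in the input are interpreted. Validate that the input looks like an IPv4 address with an optional prefix length before calling the helper, and quote both arguments; the role selection in between is unchanged.
```shell
read -r ROLE
echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
read -r IP

# Only a dotted-quad address with an optional /prefix may reach the firewall helper
if ! [[ "$IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$ ]]; then
  echo "Invalid IP address or range: $IP"
  exit 1
fi

# … unchanged: role selection …

echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
/opt/so/saltstack/pillar/firewall/addfirewall.sh "$FULLROLE" "$IP"
```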
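Review bot: `docker exec -it so-idstools ...` requests a pseudo-TTY with `-t`, and docker refuses that when stdin is not a terminal, which is exactly how the new cron entry in salt/idstools/init.sls will invoke this script; the scheduled update would then fail on every run. Neither flag is needed for a non-interactive rule download, so change the line to `docker exec so-idstools /bin/bash -c 'cd /opt/so/idstools/etc && idstools-rulecat'`.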
@@ -0,0 +1,17 @@ +#!/bin/bash +USERNAME=$1 + +# Make sure a username is provided +[ $# -eq 0 ] && { echo "Usage: $0 username"; exit 1; } + +# If the file is there already lets create it otherwise add the user +if [ ! -f /opt/so/conf/nginx/.htpasswd ]; then + + # Create the password file + htpasswd -c /opt/so/conf/nginx/.htpasswd $USERNAME + +else + + htpasswd /opt/so/conf/nginx/.htpasswd $USERNAME + +fi diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 7e6f01544..5c788b891 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -114,13 +114,13 @@ curdel: so-curatorimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-curator:HH1.0.3 + - name: docker pull --disable-content-trust=false soshybridhunter/so-curator:HH1.1.0 so-curator: docker_container.running: - require: - so-curatorimage - - image: soshybridhunter/so-curator:HH1.0.3 + - image: soshybridhunter/so-curator:HH1.1.0 - hostname: curator - name: so-curator - user: curator diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 298a56523..301aa9459 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -81,13 +81,13 @@ elastarules: so-elastalertimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-elastalert:HH1.0.3 + - name: docker pull --disable-content-trust=false soshybridhunter/so-elastalert:HH1.1.0 so-elastalert: docker_container.running: - require: - so-elastalertimage - - image: soshybridhunter/so-elastalert:HH1.0.3 + - image: soshybridhunter/so-elastalert:HH1.1.0 - hostname: elastalert - name: so-elastalert - user: elastalert diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 3c6337afc..c05cb83e4 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
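Review bot: `$USERNAME` is unquoted in both `htpasswd` invocations, so a name with whitespace is split into extra arguments and an empty string (`so-user-add ""` passes the `$#` check) disappears entirely, leaving htpasswd to misparse the command. Quote it as `htpasswd -c /opt/so/conf/nginx/.htpasswd "$USERNAME"` and `htpasswd /opt/so/conf/nginx/.htpasswd "$USERNAME"`, and add `command -v htpasswd >/dev/null || { echo "htpasswd not installed"; exit 1; }` since the tool only arrives via the apache2-utils/httpd-tools package this commit adds. The file is created with htpasswd's default mode; confirm it is readable by the user nginx runs as in the so-core container (`socore` per salt/common/init.sls) and by nothing wider than that.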
@@ -92,13 +92,13 @@ eslogdir: so-elasticsearchimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-elasticsearch:HH1.0.6 + - name: docker pull --disable-content-trust=false soshybridhunter/so-elasticsearch:HH1.1.0 so-elasticsearch: docker_container.running: - require: - so-elasticsearchimage - - image: soshybridhunter/so-elasticsearch:HH1.0.6 + - image: soshybridhunter/so-elasticsearch:HH1.1.0 - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 31a5b3503..67fd596c5 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -80,7 +80,7 @@ output.logstash: enabled: true # The Logstash hosts - hosts: ["{{ MASTER }}:5044"] + hosts: ["{{ MASTER }}:5644"] # Number of workers per Logstash host. worker: 1 diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index d8abb6470..f14e71772 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -51,13 +51,13 @@ filebeatconfsync: so-filebeatimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-filebeat:HH1.0.6 + - name: docker pull --disable-content-trust=false soshybridhunter/so-filebeat:HH1.1.0 so-filebeat: docker_container.running: - require: - so-filebeatimage - - image: soshybridhunter/so-filebeat:HH1.0.6 + - image: soshybridhunter/so-filebeat:HH1.1.0 - hostname: so-filebeat - user: root - extra_hosts: {{ MASTER }}:{{ MASTERIP }} diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index cfde43365..7044699f0 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls 
@@ -315,6 +315,39 @@ enable_forwardnode_beats_5044_{{ip}}: - position: 1 - save: True +enable_forwardnode_beats_5644_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 5644 + - position: 1 + - save: True + +enable_forwardnode_sensoroni_443_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 443 + - position: 1 + - save: True + +enable_forwardnode_sensoroni_9822_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 9822 + - position: 1 + - save: True + {% endfor %} {% for ip in pillar.get('storage_nodes') %} @@ -375,6 +408,33 @@ enable_standard_osquery_8080_{{ip}}: {% endfor %} +# Allow Wazuh Endpoints to send their traffic +{% for ip in pillar.get('wazuh_endpoint') %} + +enable_wazuh_endpoint_tcp_1514_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 1514 + - position: 1 + - save: True + +enable_wazuh_endpoint_udp_1514_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: udp + - source: {{ ip }} + - dport: 1514 + - position: 1 + - save: True + +{% endfor %} + # Allow Analysts {% for ip in pillar.get('analyst') %} 
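Review bot: `{% for ip in pillar.get('wazuh_endpoint') %}` has no default, so on a minion whose pillar top does not include the new `pillar/firewall/wazuh_endpoint.sls` the loop iterates over `None` and the whole firewall state fails to render, taking every other rule with it. `{% for ip in pillar.get('wazuh_endpoint', []) %}` degrades to "no Wazuh endpoints allowed" instead; the pre-existing loops in this file (`storage_nodes`, `analyst`) have the same exposure and could be changed the same way.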
@@ -400,49 +460,61 @@ enable_standard_analyst_443_{{ip}}: - position: 1 - save: True -enable_standard_analyst_3000_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 3000 - - position: 1 - - save: True +#enable_standard_analyst_3000_{{ip}}: +# iptables.insert: +# - table: filter +# - chain: DOCKER-USER +# - jump: ACCEPT +# - proto: tcp +# - source: {{ ip }} +# - dport: 3000 +# - position: 1 +# - save: True -enable_standard_analyst_7000_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 7000 - - position: 1 - - save: True +#enable_standard_analyst_7000_{{ip}}: +# iptables.insert: +# - table: filter +# - chain: DOCKER-USER +# - jump: ACCEPT +# - proto: tcp +# - source: {{ ip }} +# - dport: 7000 +# - position: 1 +# - save: True -enable_standard_analyst_9000_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9000 - - position: 1 - - save: True +#enable_standard_analyst_9000_{{ip}}: +# iptables.insert: +# - table: filter +# - chain: DOCKER-USER +# - jump: ACCEPT +# - proto: tcp +# - source: {{ ip }} +# - dport: 9000 +# - position: 1 +# - save: True -enable_standard_analyst_9001_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9001 - - position: 1 - - save: True +#enable_standard_analyst_9001_{{ip}}: +# iptables.insert: +# - table: filter +# - chain: DOCKER-USER +# - jump: ACCEPT +# - proto: tcp +# - source: {{ ip }} +# - dport: 9001 +# - position: 1 +# - save: True + +# This is temporary for sensoroni testing +#enable_standard_analyst_9822_{{ip}}: +# iptables.insert: +# - table: filter +# - chain: DOCKER-USER +# - jump: ACCEPT +# - proto: tcp +# - source: {{ ip }} +# - dport: 9822 +# - position: 1 +# - save: True {% endfor %} 
diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index 2ec83502b..83c019880 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -61,13 +61,13 @@ fleetdbpriv: so-fleetimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-fleet:HH1.0.6 + - name: docker pull --disable-content-trust=false soshybridhunter/so-fleet:HH1.1.0 so-fleet: docker_container.running: - require: - so-fleetimage - - image: soshybridhunter/so-fleet:HH1.0.6 + - image: soshybridhunter/so-fleet:HH1.1.0 - hostname: so-fleet - port_bindings: - 0.0.0.0:8080:8080 diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh index 85f8716e1..817ffaf99 100644 --- a/salt/fleet/so-fleet-setup.sh +++ b/salt/fleet/so-fleet-setup.sh @@ -27,7 +27,7 @@ mkdir /opt/so/conf/fleet/packages docker run \ --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \ --mount type=bind,source=/etc/pki/launcher.crt,target=/var/launcher/launcher.crt \ - soshybridhunter/so-fleet-launcher:HH1.0.8 "$esecret" "$1":8080 + soshybridhunter/so-fleet-launcher:HH1.1.0 "$esecret" "$1":8080 cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packages/ #Update timestamp on packages webpage diff --git a/salt/hive/init.sls b/salt/hive/init.sls index 9bdb2c35d..3fc364e4e 100644 --- a/salt/hive/init.sls +++ b/salt/hive/init.sls @@ -33,13 +33,13 @@ hiveesdata: so-thehive-esimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-thehive-es:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-thehive-es:HH1.1.0 so-thehive-es: docker_container.running: - require: - so-thehive-esimage - - image: soshybridhunter/so-thehive-es:HH1.0.7 + - image: soshybridhunter/so-thehive-es:HH1.1.0 - hostname: so-thehive-es - name: so-thehive-es - user: 939 
@@ -81,13 +81,13 @@ so-thehive-es: so-thehiveimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-thehive:HH1.0.8 + - name: docker pull --disable-content-trust=false soshybridhunter/so-thehive:HH1.1.0 so-thehive: docker_container.running: - require: - so-thehiveimage - - image: soshybridhunter/so-thehive:HH1.0.8 + - image: soshybridhunter/so-thehive:HH1.1.0 - environment: - ELASTICSEARCH_HOST={{ MASTERIP }} - hostname: so-thehive @@ -97,7 +97,7 @@ so-thehive: - /opt/so/conf/hive/etc/application.conf:/opt/thehive/conf/application.conf:ro - port_bindings: - 0.0.0.0:9000:9000 - + hivescript: cmd.script: - source: salt://hive/thehive/scripts/hive_init.sh diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 17de745fb..cabd0ee73 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -21,6 +21,13 @@ idstoolsdir: - group: 939 - makedirs: True +idstoolslogdir: + file.directory: + - name: /opt/so/log/idstools + - user: 939 + - group: 939 + - makedirs: True + idstoolsetcsync: file.recurse: - name: /opt/so/conf/idstools/etc @@ -29,6 +36,12 @@ idstoolsetcsync: - group: 939 - template: jinja +/usr/sbin/so-rule-update.sh > /opt/so/log/idstools/download.log: + cron.present: + - user: root + - minute: '1' + - hour: '7' + rulesdir: file.directory: - name: /opt/so/rules/nids @@ -50,13 +63,13 @@ ruleslink: so-idstoolsimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-idstools:HH1.0.3 + - name: docker pull --disable-content-trust=false soshybridhunter/so-idstools:HH1.1.0 so-idstools: docker_container.running: - require: - so-idstoolsimage - - image: soshybridhunter/so-idstools:HH1.0.3 + - image: soshybridhunter/so-idstools:HH1.1.0 - hostname: so-idstools - user: socore - binds: diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index f1015410e..7a403fd11 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls 
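Review bot: The cron state's name is `/usr/sbin/so-rule-update.sh > /opt/so/log/idstools/download.log`, but the script this commit syncs into /usr/sbin from salt/common/tools/sbin is named `so-rule-update` with no `.sh` suffix, so the scheduled job would run a path that does not exist. The redirect also truncates the log each run and drops stderr, which is where a failed pull would be reported; `/usr/sbin/so-rule-update >> /opt/so/log/idstools/download.log 2>&1` keeps a history and captures errors.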
@@ -56,14 +56,14 @@ synckibanacustom: so-kibanaimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-kibana:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-kibana:HH1.1.0 # Start the kibana docker so-kibana: docker_container.running: - require: - so-kibanaimage - - image: soshybridhunter/so-kibana:HH1.0.7 + - image: soshybridhunter/so-kibana:HH1.1.0 - hostname: kibana - user: kibana - environment: diff --git a/salt/logstash/conf/conf.enabled.txt.so-eval b/salt/logstash/conf/conf.enabled.txt.so-eval index d8eae00e6..e7680b3be 100644 --- a/salt/logstash/conf/conf.enabled.txt.so-eval +++ b/salt/logstash/conf/conf.enabled.txt.so-eval @@ -12,8 +12,9 @@ #/usr/share/logstash/pipeline.so/0002_input_windows_json.conf #/usr/share/logstash/pipeline.so/0003_input_syslog.conf #/usr/share/logstash/pipeline.so/0005_input_suricata.conf -/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf +#/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf /usr/share/logstash/pipeline.so/0007_input_import.conf +/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf #/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf #/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf #/usr/share/logstash/pipeline.so/1002_preprocess_json.conf diff --git a/salt/logstash/conf/conf.enabled.txt.so-master b/salt/logstash/conf/conf.enabled.txt.so-master index c33e46abe..6464496fa 100644 --- a/salt/logstash/conf/conf.enabled.txt.so-master +++ b/salt/logstash/conf/conf.enabled.txt.so-master 
@@ -12,6 +12,7 @@ /usr/share/logstash/pipeline.so/0002_input_windows_json.conf /usr/share/logstash/pipeline.so/0003_input_syslog.conf /usr/share/logstash/pipeline.so/0005_input_suricata.conf -/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf +#/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf +/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf /usr/share/logstash/pipeline.so/0007_input_import.conf /usr/share/logstash/pipeline.dynamic/9999_output_redis.conf diff --git a/salt/logstash/files/dynamic/0010_input_hhbeats.conf b/salt/logstash/files/dynamic/0010_input_hhbeats.conf new file mode 100644 index 000000000..6b7667f5c --- /dev/null +++ b/salt/logstash/files/dynamic/0010_input_hhbeats.conf @@ -0,0 +1,40 @@ +input { + beats { + port => "5644" + ssl => true + ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"] + ssl_certificate => "/usr/share/logstash/filebeat.crt" + ssl_key => "/usr/share/logstash/filebeat.key" + tags => [ "beat" ] + } +} +filter { + if [type] == "ids" or [type] =~ "bro" { + mutate { + rename => { "host" => "beat_host" } + remove_tag => ["beat"] + add_field => { "sensor_name" => "%{[beat][name]}" } + add_field => { "syslog-host_from" => "%{[beat][name]}" } + remove_field => [ "beat", "prospector", "input", "offset" ] + } + } + if [type] =~ "ossec" { + mutate { + rename => { "host" => "beat_host" } + remove_tag => ["beat"] + add_field => { "syslog-host_from" => "%{[beat][name]}" } + remove_field => [ "beat", "prospector", "input", "offset" ] + } + } + if [type] == "osquery" { + mutate { + rename => { "host" => "beat_host" } + remove_tag => ["beat"] + add_tag => ["osquery"] + } + json { + source => "message" + target => "osquery" + } + } +} diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index eff920150..302598a45 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
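Review bot: The new beats input sets `ssl_certificate_authorities` but not `ssl_verify_mode`, and the beats input defaults that option to `none`, so the CA list is never consulted and any client that can reach 5644 (the firewall admits forward-node IPs) can ship events without presenting a certificate. Once every Filebeat is configured with a certificate issued by `/usr/share/filebeat/ca.crt`, add `ssl_verify_mode => "force_peer"` to the `beats { }` block so the internal port actually authenticates its senders; `"peer"` is the intermediate setting while clients are being migrated.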
@@ -148,13 +148,13 @@ lslogdir: # Add the container so-logstashimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-logstash:HH1.0.6 + - name: docker pull --disable-content-trust=false soshybridhunter/so-logstash:HH1.1.0 so-logstash: docker_container.running: - require: - so-logstashimage - - image: soshybridhunter/so-logstash:HH1.0.6 + - image: soshybridhunter/so-logstash:HH1.1.0 - hostname: so-logstash - name: so-logstash - user: logstash @@ -163,6 +163,7 @@ so-logstash: - port_bindings: - 0.0.0.0:514:514 - 0.0.0.0:5044:5044 + - 0.0.0.0:5644:5644 - 0.0.0.0:6050:6050 - 0.0.0.0:6051:6051 - 0.0.0.0:6052:6052 diff --git a/salt/master/init.sls b/salt/master/init.sls index b6d240863..8b68a3cf1 100644 --- a/salt/master/init.sls +++ b/salt/master/init.sls @@ -48,14 +48,14 @@ acngcopyconf: so-acngimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-acng:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-acng:HH1.1.0 # Install the apt-cacher-ng container so-aptcacherng: docker_container.running: - require: - so-acngimage - - image: soshybridhunter/so-acng:HH1.0.7 + - image: soshybridhunter/so-acng:HH1.1.0 - hostname: so-acng - port_bindings: - 0.0.0.0:3142:3142 diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index f956a37bc..4ade15f33 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -50,13 +50,13 @@ mysqldatadir: so-mysqlimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-mysql:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-mysql:HH1.1.0 so-mysql: docker_container.running: - require: - so-mysqlimage - - image: soshybridhunter/so-mysql:HH1.0.7 + - image: soshybridhunter/so-mysql:HH1.1.0 - hostname: so-mysql - user: socore - port_bindings: diff --git a/salt/pcap/files/sensoroni.json b/salt/pcap/files/sensoroni.json new file mode 100644 index 000000000..be2577c0a --- /dev/null 
+++ b/salt/pcap/files/sensoroni.json @@ -0,0 +1,20 @@ +{%- set MASTER = grains['master'] -%} +{%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%} +{ + "logFilename": "/opt/sensoroni/log/sensoroni.log", + "logLevel":"debug", + "agent": { + "pollIntervalMs": 10000, + "serverUrl": "https://{{ MASTER }}/sensoroniagents", + "verifyCert": false, + "modules": { + "statickeyauth": { + "apiKey": "{{ SENSORONIKEY }}" + }, + "stenoquery": { + "pcapInputPath": "/nsm/pcap", + "pcapOutputPath": "/nsm/pcapout" + } + } + } +} diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index bb381cb10..5a67a6ec6 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -44,6 +44,15 @@ stenoconf: - mode: 644 - template: jinja +sensoroniagentconf: + file.managed: + - name: /opt/so/conf/steno/sensoroni.json + - source: salt://pcap/files/sensoroni.json + - user: root + - group: root + - mode: 644 + - template: jinja + stenoca: file.directory: - name: /opt/so/conf/steno/certs @@ -87,13 +96,13 @@ stenolog: so-stenoimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-steno:HH1.0.3 + - name: docker pull --disable-content-trust=false soshybridhunter/so-steno:HH1.1.0 so-steno: docker_container.running: - require: - so-stenoimage - - image: soshybridhunter/so-steno:HH1.0.3 + - image: soshybridhunter/so-steno:HH1.1.0 - network_mode: host - privileged: True - port_bindings: @@ -106,3 +115,7 @@ so-steno: - /nsm/pcaptmp:/tmp:rw - /nsm/pcapout:/nsm/pcapout:rw - /opt/so/log/stenographer:/var/log/stenographer:rw + - /opt/so/conf/steno/sensoroni.json:/opt/sensoroni/sensoroni.json:ro + - /opt/so/log/stenographer:/opt/sensoroni/log:rw + - watch: + - /opt/so/conf/steno/sensoroni.json diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 369f39966..174c1725b 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls 
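Review bot: `"verifyCert": false` makes the agent accept any certificate for `https://{{ MASTER }}/sensoroniagents`, so the `apiKey` it sends is disclosed to whoever terminates TLS on that connection. Since the platform already distributes an internal CA (the `ca` and `ssl` states in top.sls, the `stenoca` directory in this SLS), trusting that CA and setting the flag to `true` would keep the static key bound to the real master. `"logLevel":"debug"` also contradicts the README line about disabling DEBUG logging on components; consider whether a released agent needs it.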
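Review bot: The `watch` requisite appended to `so-steno` is written as `- /opt/so/conf/steno/sensoroni.json` without a state-module key, whereas the other watches added in this commit use the `- file: <id>` form (so-redis, so-influxdb, so-sensoroni); Salt expects requisites as `module: id` and rejects a bare string. Change it to `- file: /opt/so/conf/steno/sensoroni.json`, which matches the `name` of the new `sensoroniagentconf` state.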
@@ -44,18 +44,15 @@ redisconfsync: - group: 939 - template: jinja -toosmooth/so-redis:test2: - docker_image.present - so-redisimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-redis:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-redis:HH1.1.0 so-redis: docker_container.running: - require: - so-redisimage - - image: soshybridhunter/so-redis:HH1.0.7 + - image: soshybridhunter/so-redis:HH1.1.0 - hostname: so-redis - user: socore - port_bindings: @@ -65,3 +62,5 @@ so-redis: - /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro - /opt/so/conf/redis/working:/redis:rw - entrypoint: "redis-server /usr/local/etc/redis/redis.conf" + - watch: + - file: /opt/so/conf/redis/etc diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json new file mode 100644 index 000000000..d53fe0a66 --- /dev/null +++ b/salt/sensoroni/files/sensoroni.json @@ -0,0 +1,25 @@ +{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} +{%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%} +{ + "logFilename": "/opt/sensoroni/logs/sensoroni-server.log", + "server": { + "bindAddress": "0.0.0.0:9822", + "maxPacketCount": 5000, + "htmlDir": "html", + "modules": { + "filedatastore": { + "jobDir": "jobs" + }, + "securityonion": { + "elasticsearchHost": "http://{{ MASTERIP }}:9200", + "elasticsearchUsername": "", + "elasticsearchPassword": "", + "elasticsearchVerifyCert": false + }, + "statickeyauth": { + "anonymousCidr": "172.17.0.0/24", + "apiKey": "{{ SENSORONIKEY }}" + } + } + } +} diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls new file mode 100644 index 000000000..9c6cf1906 --- /dev/null +++ b/salt/sensoroni/init.sls 
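Review bot: `"logFilename": "/opt/sensoroni/logs/sensoroni-server.log"` points at `/opt/sensoroni/logs`, while the container state in salt/sensoroni/init.sls bind-mounts the host log directory at `/opt/sensoroni/log/`, so unless the binary normalises the path the server log stays inside the container and is lost when it is recreated; one of the two should be corrected to the other. `"elasticsearchVerifyCert": false` with empty credentials also means the server trusts any endpoint answering as `http://{{ MASTERIP }}:9200`, which is consistent with the plain-http URL but worth revisiting once the Elastic authentication changes mentioned in the README land. `"anonymousCidr": "172.17.0.0/24"` grants key-less access to the Docker bridge range, which includes the so-core nginx container that fronts this service; confirm that is the intended trust boundary.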
@@ -0,0 +1,48 @@
+sensoronidir:
+ file.directory:
+ - name: /opt/so/conf/sensoroni
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+sensoronidatadir:
+ file.directory:
+ - name: /nsm/sensoroni/jobs
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+sensoronilogdir:
+ file.directory:
+ - name: /opt/so/log/sensoroni
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+sensoronisync:
+ file.recurse:
+ - name: /opt/so/conf/sensoroni
+ - source: salt://sensoroni/files
+ - user: 939
+ - group: 939
+ - template: jinja
+
+so-sensoroniimage:
+ cmd.run:
+ - name: docker pull --disable-content-trust=false soshybridhunter/so-sensoroni:HH1.1.0
+
+so-sensoroni:
+ docker_container.running:
+ - require:
+ - so-sensoroniimage
+ - image: soshybridhunter/so-sensoroni:HH1.1.0
+ - hostname: sensoroni
+ - name: so-sensoroni
+ - binds:
+ - /nsm/sensoroni/jobs:/opt/sensoroni/jobs:rw
+ - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
+ - /opt/so/log/sensoroni/:/opt/sensoroni/log/:rw
+ - port_bindings:
+ - 0.0.0.0:9822:9822
+ - watch:
+ - file: /opt/so/conf/sensoroni
diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls
index ed2ce8900..22b21eb8f 100644
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -15,13 +15,13 @@ soctopussync:
 so-soctopusimage:
 cmd.run:
- - name: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.0.8
+ - name: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.1.0
 so-soctopus:
 docker_container.running:
 - require:
 - so-soctopusimage
- - image: soshybridhunter/so-soctopus:HH1.0.8
+ - image: soshybridhunter/so-soctopus:HH1.1.0
 - hostname: soctopus
 - name: so-soctopus
 - binds:
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 0453988f0..2739f4318 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
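Review bot: The log bind `- /opt/so/log/sensoroni/:/opt/sensoroni/log/:rw` does not match the server config added in the previous hunk, which writes to `/opt/sensoroni/logs/sensoroni-server.log` (`logs`, not `log`), so the server log lands in the container's writable layer, is lost when the container is recreated, and never reaches host-side log shipping or an incident reviewer. Fix one side, e.g. `"logFilename": "/opt/sensoroni/log/sensoroni-server.log"` in sensoroni/files/sensoroni.json. `sensoronisync` also sets owner 939 but no `file_mode`, and the rendered `sensoroni.json` carries the API key and Elasticsearch credentials, so `- file_mode: 640` together with `- dir_mode: 750` would keep the secret from other local users on the master.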
@@ -72,13 +72,13 @@ suriconfigsync:
 so-suricataimage:
 cmd.run:
- - name: docker pull --disable-content-trust=false soshybridhunter/so-suricata:HH1.0.8
+ - name: docker pull --disable-content-trust=false soshybridhunter/so-suricata:HH1.1.0
 so-suricata:
 docker_container.running:
 - require:
 - so-suricataimage
- - image: soshybridhunter/so-suricata:HH1.0.8
+ - image: soshybridhunter/so-suricata:HH1.1.0
 - privileged: True
 - environment:
 - INTERFACE={{ interface }}
diff --git a/salt/top.sls b/salt/top.sls
index 0b22afa03..f3f8c0a73 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -25,6 +25,7 @@ base:
 - ca
 - ssl
 - common
+ - sensoroni
 - firewall
 - master
 - idstools
@@ -60,6 +61,7 @@ base:
 - ca
 - ssl
 - common
+ - sensoroni
 - firewall
 - master
 - idstools
diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index eb0fa5cb9..4ff937c08 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -58,13 +58,13 @@ wazuhagentregister:
 so-wazuhimage:
 cmd.run:
- - name: docker pull --disable-content-trust=false soshybridhunter/so-wazuh:HH1.0.7
+ - name: docker pull --disable-content-trust=false soshybridhunter/so-wazuh:HH1.1.0
 so-wazuh:
 docker_container.running:
 - require:
 - so-wazuhimage
- - image: soshybridhunter/so-wazuh:HH1.0.7
+ - image: soshybridhunter/so-wazuh:HH1.1.0
 - hostname: {{HOSTNAME}}-wazuh-manager
 - name: so-wazuh
 - detach: True
diff --git a/so-setup-network.sh b/so-setup-network.sh
index b31e86369..24a1ddf5b 100644
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -23,23 +23,24 @@ CPUCORES=$(cat /proc/cpuinfo | grep processor | wc -l)
 LISTCORES=$(cat /proc/cpuinfo | grep processor | awk '{print $3 " \"" "core" "\""}')
 RANDOMUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
 NODE_ES_PORT="9200"
+SETUPLOG="/root/sosetup.log"
 # Reset the Install Log
-date -u >~/sosetup.log 2>&1
+date -u >$SETUPLOG 2>&1
 # End Global Variable Section
 # Functions
 accept_salt_key_local() {
- echo "Accept the key locally on the master" >>~/sosetup.log 2>&1
+ echo "Accept the key locally on the master" >> $SETUPLOG 2>&1
 # Accept the key locally on the master
 salt-key -ya $HOSTNAME
 }
 accept_salt_key_remote() {
- echo "Accept the key remotely on the master" >>~/sosetup.log 2>&1
+ echo "Accept the key remotely on the master" >> $SETUPLOG 2>&1
 # Delete the key just in case.
 ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y
 salt-call state.apply ca
@@ -48,7 +49,7 @@ accept_salt_key_remote() {
 }
 add_master_hostfile() {
- echo "Checking if I can resolve master. If not add to hosts file" >>~/sosetup.log 2>&1
+ echo "Checking if I can resolve master. If not add to hosts file" >> $SETUPLOG 2>&1
 # Pop up an input to get the IP address
 local MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \
 "Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
@@ -60,7 +61,7 @@ add_master_hostfile() {
 }
 add_socore_user_master() {
- echo "Add socore on the master" >>~/sosetup.log 2>&1
+ echo "Add socore on the master" >> $SETUPLOG 2>&1
 if [ $OS == 'centos' ]; then
 local ADDUSER=adduser
 else
@@ -75,7 +76,7 @@ add_socore_user_master() {
 }
 add_socore_user_notmaster() {
- echo "Add socore user on non master" >>~/sosetup.log 2>&1
+ echo "Add socore user on non master" >> $SETUPLOG 2>&1
 # Add socore user to the non master system. Probably not a bad idea to make system user
 groupadd --gid 939 socore
 $ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore
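Review bot: `SETUPLOG` is the one install-wide constant but is neither `readonly` nor quoted where it is expanded (`date -u >$SETUPLOG 2>&1`), and every later hunk appends full `salt-call state.apply` output to it; that output can include the rendered diff of templated files such as `sensoroni.json`, i.e. the pillar-held API key. Make it `readonly SETUPLOG="/root/sosetup.log"` and, right after the `date -u` line, add `chmod 600 "$SETUPLOG"` so the captured state output is readable only by root regardless of the umask the script runs under. The same unquoted `$SETUPLOG` pattern recurs in every other hunk of this file, so one `"$SETUPLOG"` replacement pass would cover them all.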
@@ -86,7 +87,7 @@ add_socore_user_notmaster() {
 auth_pillar(){
 if [ ! -f /opt/so/saltstack/pillar/auth.sls ]; then
- echo "Creating Auth Pillar" >>~/sosetup.log 2>&1
+ echo "Creating Auth Pillar" >> $SETUPLOG 2>&1
 mkdir -p /opt/so/saltstack/pillar
 echo "auth:" >> /opt/so/saltstack/pillar/auth.sls
 echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/auth.sls
@@ -97,7 +98,7 @@ auth_pillar(){
 # Enable Bro Logs
 bro_logs_enabled() {
- echo "Enabling Bro Logs" >>~/sosetup.log 2>&1
+ echo "Enabling Bro Logs" >> $SETUPLOG 2>&1
 echo "brologs:" > pillar/brologs.sls
 echo " enabled:" >> pillar/brologs.sls
@@ -163,13 +164,13 @@ calculate_useable_cores() {
 }
 checkin_at_boot() {
- echo "Enabling checkin at boot" >>~/sosetup.log 2>&1
+ echo "Enabling checkin at boot" >> $SETUPLOG 2>&1
 echo "startup_states: highstate" >> /etc/salt/minion
 }
 chown_salt_master() {
- echo "Chown the salt dirs on the master for socore" >>~/sosetup.log 2>&1
+ echo "Chown the salt dirs on the master for socore" >> $SETUPLOG 2>&1
 chown -R socore:socore /opt/so
 }
@@ -178,7 +179,7 @@ clear_master() {
 # Clear out the old master public key in case this is a re-install.
 # This only happens if you re-install the master.
 if [ -f /etc/salt/pki/minion/minion_master.pub ]; then
- echo "Clearing old master key" >>~/sosetup.log 2>&1
+ echo "Clearing old master key" >> $SETUPLOG 2>&1
 rm /etc/salt/pki/minion/minion_master.pub
 service salt-minion restart
 fi
@@ -189,7 +190,7 @@ configure_minion() {
 # You have to pass the TYPE to this function so it knows if its a master or not
 local TYPE=$1
- echo "Configuring minion type as $TYPE" >>~/sosetup.log 2>&1
+ echo "Configuring minion type as $TYPE" >> $SETUPLOG 2>&1
 touch /etc/salt/grains
 echo "role: so-$TYPE" > /etc/salt/grains
 if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ]; then
@@ -229,7 +230,7 @@ copy_minion_pillar() {
 local TYPE=$1
 # Copy over the pillar
- echo "Copying the pillar over" >>~/sosetup.log 2>&1
+ echo "Copying the pillar over" >> $SETUPLOG 2>&1
 scp -v -i /root/.ssh/so.key $TMP/$HOSTNAME.sls socore@$MSRV:/opt/so/saltstack/pillar/$TYPE/$HOSTNAME.sls
 }
@@ -245,113 +246,47 @@ copy_ssh_key() {
 }
-create_bond() {
-
- # Create the bond interface
- echo "Setting up Bond" >>~/sosetup.log 2>&1
+create_bond_nmcli() {
+ echo "Setting up Bond" >> $SETUPLOG 2>&1
 # Set the MTU
 if [ $NSMSETUP != 'ADVANCED' ]; then
 MTU=1500
 fi
- # Do something different based on the OS
- if [ $OS == 'centos' ]; then
- modprobe --first-time bonding
- touch /etc/sysconfig/network-scripts/ifcfg-bond0
- echo "DEVICE=bond0" > /etc/sysconfig/network-scripts/ifcfg-bond0
- echo "NAME=bond0" >> /etc/sysconfig/network-scripts/ifcfg-bond0
- echo "Type=Bond" >> /etc/sysconfig/network-scripts/ifcfg-bond0
- echo "BONDING_MASTER=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0
- echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond0
- echo "BONDING_OPTS=\"mode=0\"" >> /etc/sysconfig/network-scripts/ifcfg-bond0
- echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0
- echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-bond0
+# Create the bond interface
+ nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \
+ ipv4.method disabled \
+ ipv6.method link-local \
+ ethernet.mtu $MTU \
+ connection.autoconnect "yes" >> $SETUPLOG 2>&1
- # Create Bond configs for the selected monitor interface
 for BNIC in ${BNICS[@]}; do
- BONDNIC="${BNIC%\"}"
- BONDNIC="${BONDNIC#\"}"
- sed -i 's/ONBOOT=no/ONBOOT=yes/g' /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
- echo "MASTER=bond0" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
- echo "SLAVE=yes" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
- echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
+ # Strip the quotes from the NIC names
+ BONDNIC="$(echo -e "${BNIC}" | tr -d '"')"
+ # Create the slave interface and assign it to the bond
+ nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 -- \
+ ethernet.mtu $MTU \
+ connection.autoconnect "yes" >> $SETUPLOG 2>&1
+ # Bring the slave interface up
+ nmcli con up bond0-slave-$BONDNIC >> 
$SETUPLOG 2>&1
 done
- nmcli con reload >>~/sosetup.log 2>&1
- systemctl restart network >>~/sosetup.log 2>&1
-
- else
-
- # Need to add 17.04 support still
- apt-get -y install ifenslave >>~/sosetup.log 2>&1
- if ! grep -q bonding /etc/modules; then
- echo "bonding" >> /etc/modules
- fi
- modprobe bonding >>~/sosetup.log 2>&1
-
- local LBACK=$(awk '/auto lo/,/^$/' /etc/network/interfaces)
- local MINT=$(awk "/auto $MNIC/,/^$/" /etc/network/interfaces)
-
- # Backup and create a new interface file
- cp /etc/network/interfaces /etc/network/interfaces.sosetup
- echo "source /etc/network/interfaces.d/*" > /etc/network/interfaces
- echo "" >> /etc/network/interfaces
-
- # Let's set up the new interface file
- # Populate lo and create file for the management interface
- IFS=$'\n'
- for line in $LBACK
- do
- echo $line >> /etc/network/interfaces
- done
-
- IFS=$'\n'
- for line in $MINT
- do
- echo $line >> /etc/network/interfaces.d/$MNIC
- done
-
- # Create entries for each interface that is part of the bond.
- for BNIC in ${BNICS[@]}; do
-
- BNIC=$(echo $BNIC | cut -d\" -f2)
- echo "auto $BNIC" >> /etc/network/interfaces.d/$BNIC
- echo "iface $BNIC inet manual" >> /etc/network/interfaces.d/$BNIC
- echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/$BNIC
- echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/$BNIC
- echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/$BNIC
- echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/$BNIC
- echo " bond-master bond0" >> /etc/network/interfaces.d/$BNIC
- echo " mtu $MTU" >> /etc/network/interfaces.d/$BNIC
-
- done
-
- BN=("${BNICS[@]//\"/}")
-
- echo "auto bond0" > /etc/network/interfaces.d/bond0
- echo "iface bond0 inet manual" >> /etc/network/interfaces.d/bond0
- echo " bond-mode 0" >> /etc/network/interfaces.d/bond0
- echo " bond-slaves $BN" >> /etc/network/interfaces.d/bond0
- echo " mtu $MTU" >> /etc/network/interfaces.d/bond0
- echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/bond0
- echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/bond0
- echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/bond0
- echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/bond0
- fi
-
 }
 detect_os() {
 # Detect Base OS
- echo "Detecting Base OS" >>~/sosetup.log 2>&1
+ echo "Detecting Base OS" >> $SETUPLOG 2>&1
 if [ -f /etc/redhat-release ]; then
 OS=centos
 yum -y install bind-utils
 elif [ -f /etc/os-release ]; then
 OS=ubuntu
+ apt install -y network-manager
+ /bin/systemctl enable network-manager
+ /bin/systemctl start network-manager
 else
- echo "We were unable to determine if you are using a supported OS." >>~/sosetup.log 2>&1
+ echo "We were unable to determine if you are using a supported OS." 
>> $SETUPLOG 2>&1
 exit
 fi
@@ -365,26 +300,30 @@ docker_install() {
 yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
 yum -y update
 yum -y install docker-ce docker-python python-docker
- docker_registry
- echo "Restarting Docker" >>~/sosetup.log 2>&1
+ if [ $INSTALLTYPE != 'EVALMODE' ]; then
+ docker_registry
+ fi
+ echo "Restarting Docker" >> $SETUPLOG 2>&1
 systemctl restart docker
 systemctl enable docker
 else
 if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
- apt-get update >>~/sosetup.log 2>&1
- apt-get -y install docker-ce >>~/sosetup.log 2>&1
- docker_registry >>~/sosetup.log 2>&1
- echo "Restarting Docker" >>~/sosetup.log 2>&1
- systemctl restart docker >>~/sosetup.log 2>&1
+ apt-get update >> $SETUPLOG 2>&1
+ apt-get -y install docker-ce >> $SETUPLOG 2>&1
+ if [ $INSTALLTYPE != 'EVALMODE' ]; then
+ docker_registry >> $SETUPLOG 2>&1
+ fi
+ echo "Restarting Docker" >> $SETUPLOG 2>&1
+ systemctl restart docker >> $SETUPLOG 2>&1
 else
- apt-key add $TMP/gpg/docker.pub >>~/sosetup.log 2>&1
- add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >>~/sosetup.log 2>&1
- apt-get update >>~/sosetup.log 2>&1
- apt-get -y install docker-ce >>~/sosetup.log 2>&1
- docker_registry >>~/sosetup.log 2>&1
- echo "Restarting Docker" >>~/sosetup.log 2>&1
- systemctl restart docker >>~/sosetup.log 2>&1
+ apt-key add $TMP/gpg/docker.pub >> $SETUPLOG 2>&1
+ add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> $SETUPLOG 2>&1
+ apt-get update >> $SETUPLOG 2>&1
+ apt-get -y install docker-ce >> $SETUPLOG 2>&1
+ docker_registry >> $SETUPLOG 2>&1
+ echo "Restarting Docker" >> $SETUPLOG 2>&1
+ systemctl restart docker >> $SETUPLOG 2>&1
 fi
 fi
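Review bot: `create_bond_nmcli` drops the monitor-port hardening the removed ifcfg/ENI code applied: the old stanzas set `promisc on arp off`, wrote `disable_ipv6`, and switched off `rx tx sg tso ufo gso gro lro` with `ethtool -K`, whereas the new connections keep `ipv6.method link-local` and set nothing else, so bond0 and its slaves will carry a link-local IPv6 address, answer neighbour discovery and ARP on the tap, and hand Suricata and Stenographer GRO/LRO-coalesced super-frames instead of wire-sized packets. None of the `nmcli` calls checks its exit status, so a failed connection add only shows up in the log while setup still reports success; `|| return 1` belongs on both `nmcli con add` calls as well as the `con up`. Quoting `"${BNICS[@]}"` and replacing the `echo -e | tr` with `BONDNIC="${BNIC//\"/}"` avoids backslash interpretation of interface names. The Ubuntu branch of `detect_os` in this same hunk now installs and starts NetworkManager on a host that may be managed by ifupdown or netplan; whether that takes over the management interface is not visible here and should be tested before release.
```shell
create_bond_nmcli() {
  # … unchanged: log line, MTU default and the nmcli "bond0" connection add …
  for BNIC in "${BNICS[@]}"; do
    BONDNIC="${BNIC//\"/}"
    # … unchanged: nmcli slave connection add …
    nmcli con up "bond0-slave-$BONDNIC" >> "$SETUPLOG" 2>&1 || return 1
    harden_monitor_iface "$BONDNIC"
  done
  harden_monitor_iface bond0
}

# A monitor port must stay silent on the wire and deliver unaltered frames:
# no ARP, no IPv6, no NIC offload coalescing (what the removed ifcfg/ENI stanzas did).
harden_monitor_iface() {
  local iface=$1
  ip link set dev "$iface" promisc on arp off
  echo 1 > "/proc/sys/net/ipv6/conf/$iface/disable_ipv6"
  for i in rx tx sg tso ufo gso gro lro; do ethtool -K "$iface" "$i" off; done
}
```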
@@ -392,13 +331,13 @@ docker_install() {
 docker_registry() {
- echo "Setting up Docker Registry" >>~/sosetup.log 2>&1
- mkdir -p /etc/docker >>~/sosetup.log 2>&1
+ echo "Setting up Docker Registry" >> $SETUPLOG 2>&1
+ mkdir -p /etc/docker >> $SETUPLOG 2>&1
 # Make the host use the master docker registry
 echo "{" > /etc/docker/daemon.json
 echo " \"registry-mirrors\": [\"https://$MSRV:5000\"]" >> /etc/docker/daemon.json
 echo "}" >> /etc/docker/daemon.json
- echo "Docker Registry Setup - Complete" >>~/sosetup.log 2>&1
+ echo "Docker Registry Setup - Complete" >> $SETUPLOG 2>&1
 }
@@ -436,6 +375,7 @@ generate_passwords(){
 MYSQLPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
 FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
 HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
+ SENSORONIKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
 }
 get_filesystem_nsm(){
@@ -497,7 +437,7 @@ install_master() {
 # Install the salt master package
 if [ $OS == 'centos' ]; then
- yum -y install wget salt-common salt-master >>~/sosetup.log 2>&1
+ yum -y install wget salt-common salt-master >> $SETUPLOG 2>&1
 # Create a place for the keys for Ubuntu minions
 mkdir -p /opt/so/gpg
@@ -583,6 +523,7 @@ master_static() {
 echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls
 echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls
 echo " fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls
+ echo " sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls
 if [[ $MASTERUPDATES == 'MASTER' ]]; then
 echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
 else
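Review bot: `SENSORONIKEY` is generated once in `generate_passwords` and written to `static.sls` by `master_static`, and the pcap agent config in this commit reads `static:sensoronikey` on every sensor, so a single bearer secret ends up on every node that runs stenographer and one compromised sensor can talk to the server as all of them. If the server's `statickeyauth` module can only hold one key, say so in a comment above the `sensoronikey` echo so the limitation is revisited; otherwise a per-minion key would bound the blast radius. The pillar top file that decides which minions receive `static` is not in the diff, so it is worth checking that the key is not served to nodes that do not run the agent. Style: the fourth copy of `cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1` is a good moment for a helper such as `gen_secret() { tr -dc 'a-zA-Z0-9' </dev/urandom | fold -w 20 | head -n 1; }`.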
@@ -810,7 +751,7 @@ EOF
 DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade
 # Add the pre-requisites for installing docker-ce
- apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl >>~/sosetup.log 2>&1
+ apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl >> $SETUPLOG 2>&1
 # Grab the version from the os-release file
 UVER=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}')
@@ -840,8 +781,8 @@ EOF
 echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
 # Initialize the new repos
- apt-get update >>~/sosetup.log 2>&1
- apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >>~/sosetup.log 2>&1
+ apt-get update >> $SETUPLOG 2>&1
+ apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >> $SETUPLOG 2>&1
 apt-mark hold salt-minion salt-common
 else
@@ -854,8 +795,8 @@ EOF
 echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest xenial main" > /etc/apt/sources.list.d/saltstack.list
 echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
 # Initialize the new repos
- apt-get update >>~/sosetup.log 2>&1
- apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >>~/sosetup.log 2>&1
+ apt-get update >> $SETUPLOG 2>&1
+ apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >> $SETUPLOG 2>&1
 apt-mark hold salt-minion salt-common
 fi
@@ -868,25 +809,25 @@ salt_checkin() {
 # Master State to Fix Mine Usage
 if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
 echo "Building Certificate Authority"
- salt-call state.apply ca >>~/sosetup.log 2>&1
+ salt-call state.apply ca >> $SETUPLOG 2>&1
 echo " *** Restarting Salt to fix any SSL errors. ***"
- service salt-master restart >>~/sosetup.log 2>&1
+ service salt-master restart >> $SETUPLOG 2>&1
 sleep 5
- service salt-minion restart >>~/sosetup.log 2>&1
+ service salt-minion restart >> $SETUPLOG 2>&1
 sleep 15
 echo " Applyng a mine hack "
- sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >>~/sosetup.log 2>&1
+ sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >> $SETUPLOG 2>&1
 echo " Applying SSL state "
- salt-call state.apply ssl >>~/sosetup.log 2>&1
+ salt-call state.apply ssl >> $SETUPLOG 2>&1
 echo "Still Working... Hang in there"
 #salt-call state.highstate
 else
 # Run Checkin
- salt-call state.apply ca >>~/sosetup.log 2>&1
- salt-call state.apply ssl >>~/sosetup.log 2>&1
- #salt-call state.highstate >>~/sosetup.log 2>&1
+ salt-call state.apply ca >> $SETUPLOG 2>&1
+ salt-call state.apply ssl >> $SETUPLOG 2>&1
+ #salt-call state.highstate >> $SETUPLOG 2>&1
 fi
@@ -907,7 +848,7 @@ salt_checkin_message() {
 salt_firstcheckin() {
 #First Checkin
- salt-call state.highstate >>~/sosetup.log 2>&1
+ salt-call state.highstate >> $SETUPLOG 2>&1
 }
@@ -1456,7 +1397,7 @@ whiptail_sensor_config() {
 whiptail_setup_complete() {
- whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. A reboot is recommended." 8 78
+ whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE." 8 78
 install_cleanup
 exit
@@ -1464,7 +1405,7 @@ whiptail_setup_complete() {
 whiptail_setup_failed() {
- whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see /root/sosetup.log for details" 8 78
+ whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $SETUPLOG for details" 8 78
 install_cleanup
 exit
@@ -1623,83 +1564,83 @@ if (whiptail_you_sure); then { sleep 0.5 echo -e "XXX\n0\nInstalling and configuring Salt... \nXXX" - echo " ** Installing Salt and Dependencies **" >>~/sosetup.log - saltify >>~/sosetup.log 2>&1 + echo " ** Installing Salt and Dependencies **" >> $SETUPLOG + saltify >> $SETUPLOG 2>&1 echo -e "XXX\n5\nInstalling Docker... \nXXX" - docker_install >>~/sosetup.log 2>&1 + docker_install >> $SETUPLOG 2>&1 echo -e "XXX\n10\nConfiguring Salt Master... \nXXX" - echo " ** Configuring Minion **" >>~/sosetup.log - configure_minion master >>~/sosetup.log 2>&1 - echo " ** Installing Salt Master **" >>~/sosetup.log - install_master >>~/sosetup.log 2>&1 - salt_master_directories >>~/sosetup.log 2>&1 - update_sudoers >>~/sosetup.log 2>&1 - chown_salt_master >>~/sosetup.log 2>&1 - es_heapsize >>~/sosetup.log 2>&1 - ls_heapsize >>~/sosetup.log 2>&1 + echo " ** Configuring Minion **" >> $SETUPLOG + configure_minion master >> $SETUPLOG 2>&1 + echo " ** Installing Salt Master **" >> $SETUPLOG + install_master >> $SETUPLOG 2>&1 + salt_master_directories >> $SETUPLOG 2>&1 + update_sudoers >> $SETUPLOG 2>&1 + chown_salt_master >> $SETUPLOG 2>&1 + es_heapsize >> $SETUPLOG 2>&1 + ls_heapsize >> $SETUPLOG 2>&1 echo -e "XXX\n25\nConfiguring Default Pillars... \nXXX" - master_static >>~/sosetup.log 2>&1 - echo "** Generating the master pillar **" >>~/sosetup.log - master_pillar >>~/sosetup.log 2>&1 + master_static >> $SETUPLOG 2>&1 + echo "** Generating the master pillar **" >> $SETUPLOG + master_pillar >> $SETUPLOG 2>&1 echo -e "XXX\n30\nAccepting Salt Keys... 
\nXXX" # Do a checkin to push the key up - echo "** Pushing the key up to Master **" >>~/sosetup.log - salt_firstcheckin >>~/sosetup.log 2>&1 + echo "** Pushing the key up to Master **" >> $SETUPLOG + salt_firstcheckin >> $SETUPLOG 2>&1 # Accept the Master Key - echo "** Accepting the key on the master **" >>~/sosetup.log - accept_salt_key_local >>~/sosetup.log 2>&1 + echo "** Accepting the key on the master **" >> $SETUPLOG + accept_salt_key_local >> $SETUPLOG 2>&1 echo -e "XXX\n35\nConfiguring Firewall... \nXXX" # Open the firewall - echo "** Setting the initial firewall policy **" >>~/sosetup.log - set_initial_firewall_policy >>~/sosetup.log 2>&1 + echo "** Setting the initial firewall policy **" >> $SETUPLOG + set_initial_firewall_policy >> $SETUPLOG 2>&1 # Do the big checkin but first let them know it will take a bit. echo -e "XXX\n40\nGenerating CA... \nXXX" - salt_checkin >>~/sosetup.log 2>&1 - salt-call state.apply ca >>~/sosetup.log 2>&1 - salt-call state.apply ssl >>~/sosetup.log 2>&1 + salt_checkin >> $SETUPLOG 2>&1 + salt-call state.apply ca >> $SETUPLOG 2>&1 + salt-call state.apply ssl >> $SETUPLOG 2>&1 echo -e "XXX\n43\nInstalling Common Components... \nXXX" - salt-call state.apply common >>~/sosetup.log 2>&1 + salt-call state.apply common >> $SETUPLOG 2>&1 echo -e "XXX\n45\nApplying firewall rules... \nXXX" - salt-call state.apply firewall >>~/sosetup.log 2>&1 - salt-call state.apply master >>~/sosetup.log 2>&1 - salt-call state.apply idstools >>~/sosetup.log 2>&1 + salt-call state.apply firewall >> $SETUPLOG 2>&1 + salt-call state.apply master >> $SETUPLOG 2>&1 + salt-call state.apply idstools >> $SETUPLOG 2>&1 echo -e "XXX\n40\nInstalling Redis... \nXXX" - salt-call state.apply redis >>~/sosetup.log 2>&1 + salt-call state.apply redis >> $SETUPLOG 2>&1 if [[ $OSQUERY == '1' ]]; then echo -e "XXX\n41\nInstalling MySQL... 
\nXXX" - salt-call state.apply mysql >>~/sosetup.log 2>&1 + salt-call state.apply mysql >> $SETUPLOG 2>&1 fi echo -e "XXX\n45\nInstalling Elastic Components... \nXXX" - salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 - salt-call state.apply logstash >>~/sosetup.log 2>&1 - salt-call state.apply kibana >>~/sosetup.log 2>&1 - salt-call state.apply elastalert >>~/sosetup.log 2>&1 + salt-call state.apply elasticsearch >> $SETUPLOG 2>&1 + salt-call state.apply logstash >> $SETUPLOG 2>&1 + salt-call state.apply kibana >> $SETUPLOG 2>&1 + salt-call state.apply elastalert >> $SETUPLOG 2>&1 if [[ $WAZUH == '1' ]]; then echo -e "XXX\n68\nInstalling Wazuh... \nXXX" - salt-call state.apply wazuh >>~/sosetup.log 2>&1 + salt-call state.apply wazuh >> $SETUPLOG 2>&1 fi echo -e "XXX\n75\nInstalling Filebeat... \nXXX" - salt-call state.apply filebeat >>~/sosetup.log 2>&1 - salt-call state.apply utility >>~/sosetup.log 2>&1 - salt-call state.apply schedule >>~/sosetup.log 2>&1 + salt-call state.apply filebeat >> $SETUPLOG 2>&1 + salt-call state.apply utility >> $SETUPLOG 2>&1 + salt-call state.apply schedule >> $SETUPLOG 2>&1 if [[ $OSQUERY == '1' ]]; then echo -e "XXX\n79\nInstalling Fleet... \nXXX" - salt-call state.apply fleet >>~/sosetup.log 2>&1 - salt-call state.apply launcher >>~/sosetup.log 2>&1 + salt-call state.apply fleet >> $SETUPLOG 2>&1 + salt-call state.apply launcher >> $SETUPLOG 2>&1 fi echo -e "XXX\n85\nConfiguring SOctopus... \nXXX" - salt-call state.apply soctopus >>~/sosetup.log 2>&1 + salt-call state.apply soctopus >> $SETUPLOG 2>&1 if [[ $THEHIVE == '1' ]]; then echo -e "XXX\n87\nInstalling TheHive... \nXXX" - salt-call state.apply hive >>~/sosetup.log 2>&1 + salt-call state.apply hive >> $SETUPLOG 2>&1 fi echo -e "XXX\n75\nEnabling Checking at Boot... \nXXX" - checkin_at_boot >>~/sosetup.log 2>&1 + checkin_at_boot >> $SETUPLOG 2>&1 echo -e "XXX\n95\nVerifying Install... 
\nXXX" - salt-call state.highstate >>~/sosetup.log 2>&1 + salt-call state.highstate >> $SETUPLOG 2>&1 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 - GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') + GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}') if [[ $GOODSETUP == '0' ]]; then whiptail_setup_complete else 
@@ -1740,39 +1681,39 @@ if (whiptail_you_sure); then { sleep 0.5 echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX" - set_initial_firewall_policy >>~/sosetup.log 2>&1 + set_initial_firewall_policy >> $SETUPLOG 2>&1 echo -e "XXX\n3\nCreating Bond Interface... \nXXX" - create_bond >>~/sosetup.log 2>&1 + create_bond_nmcli >> $SETUPLOG 2>&1 echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX" - sensor_pillar >>~/sosetup.log 2>&1 + sensor_pillar >> $SETUPLOG 2>&1 echo -e "XXX\n5\nInstalling Salt Components... \nXXX" - saltify >>~/sosetup.log 2>&1 + saltify >> $SETUPLOG 2>&1 echo -e "XXX\n20\nInstalling Docker... \nXXX" - docker_install >>~/sosetup.log 2>&1 + docker_install >> $SETUPLOG 2>&1 echo -e "XXX\n22\nConfiguring Salt Minion... \nXXX" - configure_minion sensor >>~/sosetup.log 2>&1 + configure_minion sensor >> $SETUPLOG 2>&1 echo -e "XXX\n24\nCopying Sensor Pillar to Master... \nXXX" - copy_minion_pillar sensors >>~/sosetup.log 2>&1 + copy_minion_pillar sensors >> $SETUPLOG 2>&1 echo -e "XXX\n25\nSending Salt Key to Master... \nXXX" - salt_firstcheckin >>~/sosetup.log 2>&1 + salt_firstcheckin >> $SETUPLOG 2>&1 echo -e "XXX\n26\nTelling the Master to Accept Key... \nXXX" # Accept the Salt Key - accept_salt_key_remote >>~/sosetup.log 2>&1 + accept_salt_key_remote >> $SETUPLOG 2>&1 echo -e "XXX\n27\nApplying SSL Certificates... \nXXX" - salt-call state.apply ca >>~/sosetup.log 2>&1 - salt-call state.apply ssl >>~/sosetup.log 2>&1 + salt-call state.apply ca >> $SETUPLOG 2>&1 + salt-call state.apply ssl >> $SETUPLOG 2>&1 echo -e "XXX\n35\nInstalling Core Components... \nXXX" - salt-call state.apply common >>~/sosetup.log 2>&1 - salt-call state.apply firewall >>~/sosetup.log 2>&1 + salt-call state.apply common >> $SETUPLOG 2>&1 + salt-call state.apply firewall >> $SETUPLOG 2>&1 echo -e "XXX\n50\nInstalling PCAP... \nXXX" - salt-call state.apply pcap >>~/sosetup.log 2>&1 + salt-call state.apply pcap >> $SETUPLOG 2>&1 echo -e "XXX\n60\nInstalling IDS components... 
\nXXX" - salt-call state.apply suricata >>~/sosetup.log 2>&1 + salt-call state.apply suricata >> $SETUPLOG 2>&1 echo -e "XXX\n80\nVerifying Install... \nXXX" - salt-call state.highstate >>~/sosetup.log 2>&1 - checkin_at_boot >>~/sosetup.log 2>&1 + salt-call state.highstate >> $SETUPLOG 2>&1 + checkin_at_boot >> $SETUPLOG 2>&1 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 - GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') + GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}') if [[ $GOODSETUP == '0' ]]; then whiptail_setup_complete else 
@@ -1832,91 +1773,91 @@ if (whiptail_you_sure); then { sleep 0.5 echo -e "XXX\n0\nCreating Bond Interface... \nXXX" - create_bond >>~/sosetup.log 2>&1 + create_bond_nmcli >> $SETUPLOG 2>&1 echo -e "XXX\n1\nInstalling saltstack... \nXXX" - saltify >>~/sosetup.log 2>&1 + saltify >> $SETUPLOG 2>&1 echo -e "XXX\n3\nInstalling docker... \nXXX" - docker_install >>~/sosetup.log 2>&1 + docker_install >> $SETUPLOG 2>&1 echo -e "XXX\n5\nInstalling master code... \nXXX" - install_master >>~/sosetup.log 2>&1 + install_master >> $SETUPLOG 2>&1 echo -e "XXX\n6\nCopying salt code... \nXXX" - salt_master_directories >>~/sosetup.log 2>&1 + salt_master_directories >> $SETUPLOG 2>&1 echo -e "XXX\n6\nupdating suduers... \nXXX" - update_sudoers >>~/sosetup.log 2>&1 + update_sudoers >> $SETUPLOG 2>&1 echo -e "XXX\n7\nFixing some permissions... \nXXX" - chown_salt_master >>~/sosetup.log 2>&1 + chown_salt_master >> $SETUPLOG 2>&1 echo -e "XXX\n7\nCreating the static pillar... \nXXX" # Set the static values - master_static >>~/sosetup.log 2>&1 + master_static >> $SETUPLOG 2>&1 echo -e "XXX\n7\nCreating the master pillar... \nXXX" - master_pillar >>~/sosetup.log 2>&1 + master_pillar >> $SETUPLOG 2>&1 echo -e "XXX\n7\nConfiguring minion... \nXXX" - configure_minion eval >>~/sosetup.log 2>&1 + configure_minion eval >> $SETUPLOG 2>&1 echo -e "XXX\n7\nSetting the node type to eval... \nXXX" - set_node_type >>~/sosetup.log 2>&1 + set_node_type >> $SETUPLOG 2>&1 echo -e "XXX\n7\nStorage node pillar... \nXXX" - node_pillar >>~/sosetup.log 2>&1 + node_pillar >> $SETUPLOG 2>&1 echo -e "XXX\n8\nCreating firewall policies... \nXXX" - set_initial_firewall_policy >>~/sosetup.log 2>&1 + set_initial_firewall_policy >> $SETUPLOG 2>&1 echo -e "XXX\n10\nRegistering agent... \nXXX" - salt_firstcheckin >>~/sosetup.log 2>&1 + salt_firstcheckin >> $SETUPLOG 2>&1 echo -e "XXX\n11\nAccepting Agent... 
\nXXX" - accept_salt_key_local >>~/sosetup.log 2>&1 + accept_salt_key_local >> $SETUPLOG 2>&1 echo -e "XXX\n12\nRunning the SSL states... \nXXX" - salt_checkin >>~/sosetup.log 2>&1 - salt-call state.apply ca >>~/sosetup.log 2>&1 - salt-call state.apply ssl >>~/sosetup.log 2>&1 + salt_checkin >> $SETUPLOG 2>&1 + salt-call state.apply ca >> $SETUPLOG 2>&1 + salt-call state.apply ssl >> $SETUPLOG 2>&1 echo -e "XXX\n15\nInstalling core components... \nXXX" - salt-call state.apply common >>~/sosetup.log 2>&1 + salt-call state.apply common >> $SETUPLOG 2>&1 echo -e "XXX\n18\nInitializing firewall rules... \nXXX" - salt-call state.apply firewall >>~/sosetup.log 2>&1 + salt-call state.apply firewall >> $SETUPLOG 2>&1 echo -e "XXX\n25\nInstalling master components... \nXXX" - salt-call state.apply master >>~/sosetup.log 2>&1 - salt-call state.apply idstools >>~/sosetup.log 2>&1 + salt-call state.apply master >> $SETUPLOG 2>&1 + salt-call state.apply idstools >> $SETUPLOG 2>&1 if [[ $OSQUERY == '1' ]]; then - salt-call state.apply mysql >>~/sosetup.log 2>&1 + salt-call state.apply mysql >> $SETUPLOG 2>&1 fi echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX" - salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 + salt-call state.apply elasticsearch >> $SETUPLOG 2>&1 echo -e "XXX\n40\nInstalling Logstash... \nXXX" - salt-call state.apply logstash >>~/sosetup.log 2>&1 - echo -e "XXX\n45\nInstalling ElasticSearch... \nXXX" - salt-call state.apply kibana >>~/sosetup.log 2>&1 + salt-call state.apply logstash >> $SETUPLOG 2>&1 + echo -e "XXX\n45\nInstalling Kibana... \nXXX" + salt-call state.apply kibana >> $SETUPLOG 2>&1 echo -e "XXX\n50\nInstalling pcap... \nXXX" - salt-call state.apply pcap >>~/sosetup.log 2>&1 + salt-call state.apply pcap >> $SETUPLOG 2>&1 echo -e "XXX\n52\nInstalling Suricata... \nXXX" - salt-call state.apply suricata >>~/sosetup.log 2>&1 + salt-call state.apply suricata >> $SETUPLOG 2>&1 echo -e "XXX\n54\nInstalling Zeek... 
\nXXX" - salt-call state.apply bro >>~/sosetup.log 2>&1 + salt-call state.apply bro >> $SETUPLOG 2>&1 echo -e "XXX\n56\nInstalling curator... \nXXX" - salt-call state.apply curator >>~/sosetup.log 2>&1 + salt-call state.apply curator >> $SETUPLOG 2>&1 echo -e "XXX\n58\nInstalling elastalert... \nXXX" - salt-call state.apply elastalert >>~/sosetup.log 2>&1 + salt-call state.apply elastalert >> $SETUPLOG 2>&1 if [[ $OSQUERY == '1' ]]; then echo -e "XXX\n60\nInstalling fleet... \nXXX" - salt-call state.apply fleet >>~/sosetup.log 2>&1 - salt-call state.apply redis >>~/sosetup.log 2>&1 + salt-call state.apply fleet >> $SETUPLOG 2>&1 + salt-call state.apply redis >> $SETUPLOG 2>&1 fi if [[ $WAZUH == '1' ]]; then echo -e "XXX\n65\nInstalling Wazuh components... \nXXX" - salt-call state.apply wazuh >>~/sosetup.log 2>&1 + salt-call state.apply wazuh >> $SETUPLOG 2>&1 fi echo -e "XXX\n85\nInstalling filebeat... \nXXX" - salt-call state.apply filebeat >>~/sosetup.log 2>&1 - salt-call state.apply utility >>~/sosetup.log 2>&1 + salt-call state.apply filebeat >> $SETUPLOG 2>&1 + salt-call state.apply utility >> $SETUPLOG 2>&1 echo -e "XXX\n95\nInstalling misc components... \nXXX" - salt-call state.apply schedule >>~/sosetup.log 2>&1 - salt-call state.apply soctopus >>~/sosetup.log 2>&1 + salt-call state.apply schedule >> $SETUPLOG 2>&1 + salt-call state.apply soctopus >> $SETUPLOG 2>&1 if [[ $THEHIVE == '1' ]]; then - salt-call state.apply hive >>~/sosetup.log 2>&1 + salt-call state.apply hive >> $SETUPLOG 2>&1 fi echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX" - checkin_at_boot >>~/sosetup.log 2>&1 + checkin_at_boot >> $SETUPLOG 2>&1 echo -e "XXX\n99\nVerifying Setup... 
\nXXX" - salt-call state.highstate >>~/sosetup.log 2>&1 + salt-call state.highstate >> $SETUPLOG 2>&1 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 - GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') + GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}') if [ $OS == 'centos' ]; then if [[ $GOODSETUP == '1' ]]; then whiptail_setup_complete 
@@ -1972,37 +1913,37 @@ if (whiptail_you_sure); then
 {
 sleep 0.5
 echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
- set_initial_firewall_policy >>~/sosetup.log 2>&1
+ set_initial_firewall_policy >> $SETUPLOG 2>&1
 echo -e "XXX\n5\nInstalling Salt Packages... \nXXX"
- saltify >>~/sosetup.log 2>&1
+ saltify >> $SETUPLOG 2>&1
 echo -e "XXX\n20\nInstalling Docker... \nXXX"
- docker_install >>~/sosetup.log 2>&1
+ docker_install >> $SETUPLOG 2>&1
 echo -e "XXX\n30\nInitializing Minion... \nXXX"
- configure_minion node >>~/sosetup.log 2>&1
- set_node_type >>~/sosetup.log 2>&1
- node_pillar >>~/sosetup.log 2>&1
- copy_minion_pillar nodes >>~/sosetup.log 2>&1
+ configure_minion node >> $SETUPLOG 2>&1
+ set_node_type >> $SETUPLOG 2>&1
+ node_pillar >> $SETUPLOG 2>&1
+ copy_minion_pillar nodes >> $SETUPLOG 2>&1
 echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX"
- salt_firstcheckin >>~/sosetup.log 2>&1
+ salt_firstcheckin >> $SETUPLOG 2>&1
 # Accept the Salt Key
- accept_salt_key_remote >>~/sosetup.log 2>&1
+ accept_salt_key_remote >> $SETUPLOG 2>&1
 echo -e "XXX\n40\nApplying SSL Certificates... \nXXX"
- salt-call state.apply ca >>~/sosetup.log 2>&1
- salt-call state.apply ssl >>~/sosetup.log 2>&1
+ salt-call state.apply ca >> $SETUPLOG 2>&1
+ salt-call state.apply ssl >> $SETUPLOG 2>&1
 echo -e "XXX\n50\nConfiguring Firewall... \nXXX"
- salt-call state.apply common >>~/sosetup.log 2>&1
- salt-call state.apply firewall >>~/sosetup.log 2>&1
+ salt-call state.apply common >> $SETUPLOG 2>&1
+ salt-call state.apply firewall >> $SETUPLOG 2>&1
 echo -e "XXX\n70\nInstalling Elastic Components... 
\nXXX"
- salt-call state.apply logstash >>~/sosetup.log 2>&1
- salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
- salt-call state.apply curator >>~/sosetup.log 2>&1
- salt-call state.apply filebeat >>~/sosetup.log 2>&1
+ salt-call state.apply logstash >> $SETUPLOG 2>&1
+ salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
+ salt-call state.apply curator >> $SETUPLOG 2>&1
+ salt-call state.apply filebeat >> $SETUPLOG 2>&1
 echo -e "XXX\n90\nVerifying Install... \nXXX"
- salt-call state.highstate >>~/sosetup.log 2>&1
- checkin_at_boot >>~/sosetup.log 2>&1
+ salt-call state.highstate >> $SETUPLOG 2>&1
+ checkin_at_boot >> $SETUPLOG 2>&1
 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
- GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
+ GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
 if [[ $GOODSETUP == '0' ]]; then
 whiptail_setup_complete
 else
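Review bot: `$SETUPLOG` is expanded unquoted in every `>> $SETUPLOG 2>&1` redirection and in the `tail -10 $SETUPLOG` line of this hunk (and likewise throughout the preceding hunk); if the variable is empty bash rejects the redirection as ambiguous and that step's output is lost, and a path containing whitespace would split. Quoting it and asserting it is set, e.g. `>> "${SETUPLOG:?}" 2>&1` and `tail -10 "${SETUPLOG:?}"`, makes that failure explicit instead of silently dropping the log. The variable's definition is outside the hunk, so whether it is set before this block runs cannot be confirmed here. Since the log now receives the combined stdout/stderr of `salt-call state.apply ca`/`ssl` and the pillar steps, it is also worth creating it with a restrictive mode before this block, e.g. `( umask 077; : >> "${SETUPLOG:?}" )`, in case any of those states print key material or pillar contents in their change output. The enclosing `if (whiptail_you_sure); then` block continues past the hunk's closing `else`.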
