Merge pull request #60 from TOoSmOotH/master

Alpha 1.1.0
Mike Reeves
2019-07-25 16:04:23 -04:00
committed by GitHub
37 changed files with 715 additions and 368 deletions

View File

@@ -1,21 +1,19 @@
## Hybrid Hunter 1.0.8
## Hybrid Hunter Alpha 1.1.0
### Changes:
- Suricata 4.1.4
- Eval and Master installs now ask which components you would like to install
- Fleet (osquery) now has it's own additional setup script. [See the docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Configuring-Osquery-with-Security-Onion)
- Fleet setup script now generates auto install packages for Windows, CentOS, and Ubuntu
- When Fleet setup is completed, all SO nodes will auto install the appropriate auto install package
- We now have a progress bar during install!
- The setup script will now tell you if it was successful
- Added Grafana plugin Pie Chart
- The Hive Docker moved to Centos 7 based container. [See the docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/The-Hive)
### Notes:
- Attempting to send a Bro event to The Hive that does not contain a source and destination IP (ex. Bro files, or X509) will result in an exception - a fix for this will be implemented in the next release.
- If attempting to pivot from Kibana, ensure that you can resolve the master via DNS -- otherwise, populate your local hosts file with an entry to point to the master.
- Alpha is here!! Check out the [[Hybrid Hunter Quick Start Guide|Hybrid-Hunter-Quick-Start-Guide]].
- There is a new PCAP interface called [Sensoroni](https://github.com/sensoroni/sensoroni). Pivoting is done via Kibana. See details [[here|Pulling-PCAP]].
- Bond interface setup now uses `nmcli` for better compatibility in the network based setup script.
- Filebeat traffic for HH components now use a separate port (5644). This will allow you to send Beats to the default port (5044) and choose how you want to secure it. It is still recommended to use full SSL via Filebeat and if you already have this set up you will need to change to port 5044. We will continue to refine this in future versions.
- Authentication is now enabled by default for all the web based components. There will be some major changes before we get to beta with how authentication in general is handled due to Elastic "Features" and other components.
- Add users to the web interface via `so-user-add` and follow the prompts.
- `so-allow` now exists to make your life easier.
- Bro 2.6.2.
- All Docker images were updated to reflect Alpha status.
- Disabled DEBUG logging on a lot of components to reduce space usage.
- Added a rule update cron job so the master pulls new rules down every day at 7AM UTC.
- You can now manually run a rule update using the `so-rule-update` command.
### Warnings and Disclaimers
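Review bot: the Filebeat bullet contradicts itself: it first says HH components moved to 5644 so that 5044 is free for your own Beats, then says existing SSL setups "will need to change to port 5044"; state which side must move (the HH-internal Filebeat now ships to 5644 via `0010_input_hhbeats.conf`, and 5044 is left for a user-configured input). Also "Fleet (osquery) now has it's own" should read "its own", and the `so-allow` bullet should say what the command does (add a firewall allow entry for an IP or range in the analyst, beats, osquery or wazuh role, per the new script in this PR) rather than "make your life easier".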

View File

@@ -0,0 +1,2 @@
wazuh_endpoint:
- 127.0.0.1
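Review bot: seeding `wazuh_endpoint` with `127.0.0.1` installs an ACCEPT rule in DOCKER-USER for loopback on 1514/tcp and 1514/udp on every node that renders this pillar; if the entry only exists so the Jinja loop in the firewall state has something to iterate, use an empty list (`wazuh_endpoint: []`) and give that loop a default, so no placeholder rule is installed.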

View File

@@ -100,7 +100,7 @@
# Uncomment the following line to enable the SMB analyzer. The analyzer
# is currently considered a preview and therefore not loaded by default.
@load policy/protocols/smb
@load base/protocols/smb
# Add the interface to the log event
#@load securityonion/add-interface-to-logs.bro
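Review bot: the two comment lines above `@load base/protocols/smb` are now stale: they describe SMB as a preview analyzer that is not loaded by default, which matched the old `policy/protocols/smb` path, but with the move to `base/protocols/smb` (Bro 2.6, which this release ships per the README) the analyzer is part of the default load and the explicit `@load` is redundant; either drop the line or rewrite the comment to say why it is kept.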

View File

@@ -125,13 +125,13 @@ localbrosync:
so-broimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-bro:HH1.0.6
- name: docker pull --disable-content-trust=false soshybridhunter/so-bro:HH1.1.0
so-bro:
docker_container.running:
- require:
- so-broimage
- image: soshybridhunter/so-bro:HH1.0.6
- image: soshybridhunter/so-bro:HH1.1.0
- privileged: True
- binds:
- /nsm/bro/logs:/nsm/bro/logs:rw
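Review bot: `HH1.1.0` is a mutable tag and the `cmd.run` pull has no `unless`, so every highstate re-pulls and a retagged image silently replaces the one in use; `--disable-content-trust=false` only helps if the `soshybridhunter` tags are actually signed in Notary, so confirm that, or pin `image:` by digest (`soshybridhunter/so-bro@sha256:...`). The same applies to every image bump in this PR; noting it once here.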

View File

@@ -41,9 +41,11 @@ sensorpkgs:
{% if grains['os'] != 'CentOS' %}
- python-docker
- python-m2crypto
- apache2-utils
{% else %}
- net-tools
- tcpdump
- httpd-tools
{% endif %}
# Always keep these packages up to date
@@ -61,6 +63,16 @@ alwaysupdated:
Etc/UTC:
timezone.system
# Sync some Utilities
utilsyncscripts:
file.recurse:
- name: /usr/sbin
- user: 0
- group: 0
- file_mode: 755
- template: jinja
- source: salt://common/tools/sbin
# Make sure Docker is running!
docker:
service.running:
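Review bot: `utilsyncscripts` recurses everything under `salt://common/tools/sbin` into `/usr/sbin` as root with mode 755 and renders each file through Jinja, so any file that lands in that source directory becomes a root-owned executable on every node, and any `{{` or `{%` sequence inside a shell script is evaluated at render time; consider listing the scripts explicitly with `file.managed` (or `include_pat`) and dropping `template: jinja` for scripts that do not need it. This is also where `so-rule-update.sh` from the new cron entry has to come from, so the filename in `salt://common/tools/sbin` must match that path exactly.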
@@ -104,13 +116,13 @@ nginxtmp:
# Start the core docker
so-coreimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-core:HH1.0.7
- name: docker pull --disable-content-trust=false soshybridhunter/so-core:HH1.1.0
so-core:
docker_container.running:
- require:
- so-coreimage
- image: soshybridhunter/so-core:HH1.0.8
- image: soshybridhunter/so-core:HH1.1.0
- hostname: so-core
- user: socore
- binds:
@@ -164,13 +176,13 @@ tgrafconf:
so-telegrafimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-telegraf:HH1.0.7
- name: docker pull --disable-content-trust=false soshybridhunter/so-telegraf:HH1.1.0
so-telegraf:
docker_container.running:
- require:
- so-telegrafimage
- image: soshybridhunter/so-telegraf:HH1.0.7
- image: soshybridhunter/so-telegraf:HH1.1.0
- environment:
- HOST_PROC=/host/proc
- HOST_ETC=/host/etc
@@ -225,13 +237,13 @@ influxdbconf:
so-influximage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-influxdb:HH1.0.7
- name: docker pull --disable-content-trust=false soshybridhunter/so-influxdb:HH1.1.0
so-influxdb:
docker_container.running:
- require:
- so-influximage
- image: soshybridhunter/so-influxdb:HH1.0.7
- image: soshybridhunter/so-influxdb:HH1.1.0
- hostname: influxdb
- environment:
- INFLUXDB_HTTP_LOG_ENABLED=false
@@ -242,6 +254,8 @@ so-influxdb:
- /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro
- port_bindings:
- 0.0.0.0:8086:8086
- watch:
- file: /opt/so/conf/influxdb/etc/influxdb.conf
# Grafana all the things
grafanadir:
@@ -355,7 +369,7 @@ dashboard-{{ SN }}:
- defaults:
SERVERNAME: {{ SN }}
MANINT: {{ SNDATA.manint }}
MONINT: {{ SNDATA.monint }}
MONINT: {{ SNDATA.manint }}
CPUS: {{ SNDATA.totalcpus }}
UID: {{ SNDATA.guid }}
ROOTFS: {{ SNDATA.rootfs }}
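Review bot: `MONINT: {{ SNDATA.monint }}` was changed to `{{ SNDATA.manint }}`, so each sensor dashboard now receives the management interface as its monitor interface and the two template variables are identical; if the monitor-interface panels are intentionally being pointed at the management NIC, add a comment saying why, otherwise this looks like a typo that should be reverted.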
@@ -386,9 +400,13 @@ dashboard-{{ SN }}:
{% endif %}
# Install the docker. This needs to be behind nginx at some point
so-grafanaimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-grafana:HH1.1.0
so-grafana:
docker_container.running:
- image: soshybridhunter/so-grafana:HH1.0.8
- image: soshybridhunter/so-grafana:HH1.1.0
- hostname: grafana
- user: socore
- binds:
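Review bot: `so-grafana` has no `- require: - so-grafanaimage` under `docker_container.running`, unlike every other container state in this PR, so Salt may try to start the container before the new `so-grafanaimage` pull has finished; add the requisite for the same ordering guarantee.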

View File

@@ -100,6 +100,8 @@ http {
}
location /kibana/ {
auth_basic "Security Onion";
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
rewrite /kibana/(.*) /$1 break;
proxy_pass http://{{ masterip }}:5601/;
proxy_read_timeout 90;
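Review bot: `auth_basic` sends the username and password base64-encoded on every request, so this only protects Kibana if the server block is HTTPS-only, which the `http {` context shown here does not establish; confirm that port 80 redirects to 443 rather than serving the proxied locations, and consider setting `auth_basic`/`auth_basic_user_file` once at the `server` level so that a new location cannot be added without authentication (the `/sensoroniagents/` location further down in this same file is exactly that case).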
@@ -125,6 +127,8 @@ http {
}
location /fleet/ {
auth_basic "Security Onion";
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
rewrite /fleet/(.*) /$1 break;
proxy_pass https://{{ masterip }}:8080/;
proxy_read_timeout 90;
@@ -157,6 +161,42 @@ http {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /sensoroni/ {
auth_basic "Security Onion";
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /kibana/app/sensoroni/ {
rewrite ^/kibana/app/sensoroni/(.*) /sensoroni/$1 permanent;
}
location /kibana/app/fleet/ {
rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
}
location /kibana/app/soctopus/ {
rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
}
location /sensoroniagents/ {
proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
error_page 404 /404.html;
location = /40x.html {
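Review bot: `/sensoroniagents/` proxies to the same backend as `/sensoroni/` (`{{ masterip }}:9822`) but carries no `auth_basic`, so the whole sensoroni API is reachable without credentials by anyone allowed through the 443 firewall rule; and because nginx connects from the Docker bridge, a backend `statickeyauth` module that decides on the socket address will treat those requests as coming from its `anonymousCidr` (`172.17.0.0/24` in `salt/sensoroni/files/sensoroni.json`) and not check the API key at all. If the agent path must stay free of basic auth for the sensors, restrict it at nginx (`allow` only the sensor addresses, `deny all`) and do not list the Docker bridge in `anonymousCidr`. The three `/kibana/app/...` rewrites are also `permanent` (301), which browsers cache; use a temporary redirect until these paths settle.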

View File

@@ -100,6 +100,8 @@ http {
}
location /kibana/ {
auth_basic "Security Onion";
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
rewrite /kibana/(.*) /$1 break;
proxy_pass http://{{ masterip }}:5601/;
proxy_read_timeout 90;
@@ -126,6 +128,8 @@ http {
location /fleet/ {
rewrite /fleet/(.*) /$1 break;
auth_basic "Security Onion";
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
proxy_pass https://{{ masterip }}:8080/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
@@ -159,6 +163,43 @@ http {
}
location /sensoroni/ {
auth_basic "Security Onion";
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /kibana/app/sensoroni/ {
rewrite ^/kibana/app/sensoroni/(.*) /sensoroni/$1 permanent;
}
location /kibana/app/fleet/ {
rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
}
location /kibana/app/soctopus/ {
rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
}
location /sensoroniagents/ {
proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
error_page 404 /404.html;
location = /40x.html {
}
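Review bot: same issue as the other nginx template in this PR: `/sensoroniagents/` proxies to `{{ masterip }}:9822` without `auth_basic`, bypassing the gate placed on `/sensoroni/`; both files need the same fix, and since the two templates are now nearly identical, generating them from one source would stop auth settings drifting between them.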

View File

@@ -0,0 +1,42 @@
#!/bin/bash
got_root() {
# Make sure you are root
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
}
got_root
echo "This program allows you to add a firewall rule to allow connections from a new IP address."
echo ""
echo "Choose the role for the IP or Range you would like to add"
echo ""
echo "[a] - Analyst - ports 80/tcp and 443/tcp"
echo "[b] - Logstash Beat - port 5044/tcp"
echo "[o] - Osquery endpoint - port 8080/tcp"
echo "[w] - Wazuh endpoint - port 1514"
echo ""
echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
read ROLE
echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
read IP
if [ "$ROLE" == "a" ]; then
FULLROLE=analyst
elif [ "$ROLE" == "b" ]; then
FULLROLE=beats_endpoint
elif [ "$ROLE" == "o" ]; then
FULLROLE=osquery_endpoint
elif [ "$ROLE" == "w" ]; then
FULLROLE=wazuh_endpoint
else
echo "I don't recognize that role"
exit 1
fi
echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
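Review bot: `$IP` is handed to `addfirewall.sh` unvalidated and unquoted, and it ends up as the `source:` of an iptables ACCEPT rule via the firewall state, so a typo or a value like `0.0.0.0/0` produces a broken or wide-open rule; validate before the call, e.g. `[[ $IP =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$ ]] || { echo "Invalid IP or CIDR"; exit 1; }`, use `read -r`, and quote both arguments. The menu also says "port 1514" for Wazuh without a protocol while the firewall state opens both 1514/tcp and 1514/udp.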

View File

@@ -0,0 +1,13 @@
#!/bin/bash
got_root() {
# Make sure you are root
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
}
got_root
docker exec -it so-idstools /bin/bash -c 'cd /opt/so/idstools/etc && idstools-rulecat'
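Review bot: `docker exec -it` allocates a TTY, which fails with "the input device is not a TTY" when this script is run from the cron entry added in `salt/idstools/init.sls` (`/usr/sbin/so-rule-update.sh > /opt/so/log/idstools/download.log`); drop `-t` (and `-i`, which is not needed either) so the same script works interactively and under cron. The README calls the command `so-rule-update` while the cron line calls `so-rule-update.sh`; one of the two should change.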

View File

@@ -0,0 +1,17 @@
#!/bin/bash
USERNAME=$1
# Make sure a username is provided
[ $# -eq 0 ] && { echo "Usage: $0 username"; exit 1; }
# If the file is there already lets create it otherwise add the user
if [ ! -f /opt/so/conf/nginx/.htpasswd ]; then
# Create the password file
htpasswd -c /opt/so/conf/nginx/.htpasswd $USERNAME
else
htpasswd /opt/so/conf/nginx/.htpasswd $USERNAME
fi
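Review bot: `htpasswd` without `-B` stores the password with its default MD5-based apr1 hash, and the `.htpasswd` it creates gets the caller's umask, so the file is typically world-readable; use `htpasswd -B` (bcrypt), quote `"$USERNAME"`, and `chmod 640` the file with the group nginx runs as (the so-core container runs as `socore` per `salt/common/init.sls`). The other new scripts check for root with `got_root`; this one does not, so an unprivileged run fails with an unhelpful permission error from `htpasswd`.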

View File

@@ -114,13 +114,13 @@ curdel:
so-curatorimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-curator:HH1.0.3
- name: docker pull --disable-content-trust=false soshybridhunter/so-curator:HH1.1.0
so-curator:
docker_container.running:
- require:
- so-curatorimage
- image: soshybridhunter/so-curator:HH1.0.3
- image: soshybridhunter/so-curator:HH1.1.0
- hostname: curator
- name: so-curator
- user: curator

View File

@@ -81,13 +81,13 @@ elastarules:
so-elastalertimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-elastalert:HH1.0.3
- name: docker pull --disable-content-trust=false soshybridhunter/so-elastalert:HH1.1.0
so-elastalert:
docker_container.running:
- require:
- so-elastalertimage
- image: soshybridhunter/so-elastalert:HH1.0.3
- image: soshybridhunter/so-elastalert:HH1.1.0
- hostname: elastalert
- name: so-elastalert
- user: elastalert

View File

@@ -92,13 +92,13 @@ eslogdir:
so-elasticsearchimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-elasticsearch:HH1.0.6
- name: docker pull --disable-content-trust=false soshybridhunter/so-elasticsearch:HH1.1.0
so-elasticsearch:
docker_container.running:
- require:
- so-elasticsearchimage
- image: soshybridhunter/so-elasticsearch:HH1.0.6
- image: soshybridhunter/so-elasticsearch:HH1.1.0
- hostname: elasticsearch
- name: so-elasticsearch
- user: elasticsearch

View File

@@ -80,7 +80,7 @@ output.logstash:
enabled: true
# The Logstash hosts
hosts: ["{{ MASTER }}:5044"]
hosts: ["{{ MASTER }}:5644"]
# Number of workers per Logstash host.
worker: 1

View File

@@ -51,13 +51,13 @@ filebeatconfsync:
so-filebeatimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-filebeat:HH1.0.6
- name: docker pull --disable-content-trust=false soshybridhunter/so-filebeat:HH1.1.0
so-filebeat:
docker_container.running:
- require:
- so-filebeatimage
- image: soshybridhunter/so-filebeat:HH1.0.6
- image: soshybridhunter/so-filebeat:HH1.1.0
- hostname: so-filebeat
- user: root
- extra_hosts: {{ MASTER }}:{{ MASTERIP }}

View File

@@ -315,6 +315,39 @@ enable_forwardnode_beats_5044_{{ip}}:
- position: 1
- save: True
enable_forwardnode_beats_5644_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 5644
- position: 1
- save: True
enable_forwardnode_sensoroni_443_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 443
- position: 1
- save: True
enable_forwardnode_sensoroni_9822_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 9822
- position: 1
- save: True
{% endfor %}
{% for ip in pillar.get('storage_nodes') %}
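Review bot: the new `enable_forwardnode_sensoroni_9822_{{ip}}` rule lets forward nodes reach the sensoroni server directly on 9822, while the agent config added in this PR (`salt/pcap/files/sensoroni.json`) points agents at `https://{{ MASTER }}/sensoroniagents` through nginx on 443; unless there is another direct-9822 client, drop the 9822 rule so the only path to the API is the proxy. The existing 5044 rule for forward nodes is also kept although their Filebeat now ships to 5644, so 5044 can be removed from this loop too.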
@@ -375,6 +408,33 @@ enable_standard_osquery_8080_{{ip}}:
{% endfor %}
# Allow Wazuh Endpoints to send their traffic
{% for ip in pillar.get('wazuh_endpoint') %}
enable_wazuh_endpoint_tcp_1514_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 1514
- position: 1
- save: True
enable_wazuh_endpoint_udp_1514_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: udp
- source: {{ ip }}
- dport: 1514
- position: 1
- save: True
{% endfor %}
# Allow Analysts
{% for ip in pillar.get('analyst') %}
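Review bot: `pillar.get('wazuh_endpoint')` has no default, so on any minion whose pillar does not carry the new `wazuh_endpoint` key the Jinja loop iterates over `None` and the whole firewall state fails to render; use `pillar.get('wazuh_endpoint', [])`. Opening both 1514/tcp and 1514/udp also doubles the surface without a comment saying which protocol the Wazuh manager container is actually configured to listen on; open only that one.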
@@ -400,49 +460,61 @@ enable_standard_analyst_443_{{ip}}:
- position: 1
- save: True
enable_standard_analyst_3000_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 3000
- position: 1
- save: True
#enable_standard_analyst_3000_{{ip}}:
# iptables.insert:
# - table: filter
# - chain: DOCKER-USER
# - jump: ACCEPT
# - proto: tcp
# - source: {{ ip }}
# - dport: 3000
# - position: 1
# - save: True
enable_standard_analyst_7000_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 7000
- position: 1
- save: True
#enable_standard_analyst_7000_{{ip}}:
# iptables.insert:
# - table: filter
# - chain: DOCKER-USER
# - jump: ACCEPT
# - proto: tcp
# - source: {{ ip }}
# - dport: 7000
# - position: 1
# - save: True
enable_standard_analyst_9000_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 9000
- position: 1
- save: True
#enable_standard_analyst_9000_{{ip}}:
# iptables.insert:
# - table: filter
# - chain: DOCKER-USER
# - jump: ACCEPT
# - proto: tcp
# - source: {{ ip }}
# - dport: 9000
# - position: 1
# - save: True
enable_standard_analyst_9001_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 9001
- position: 1
- save: True
#enable_standard_analyst_9001_{{ip}}:
# iptables.insert:
# - table: filter
# - chain: DOCKER-USER
# - jump: ACCEPT
# - proto: tcp
# - source: {{ ip }}
# - dport: 9001
# - position: 1
# - save: True
# This is temporary for sensoroni testing
#enable_standard_analyst_9822_{{ip}}:
# iptables.insert:
# - table: filter
# - chain: DOCKER-USER
# - jump: ACCEPT
# - proto: tcp
# - source: {{ ip }}
# - dport: 9822
# - position: 1
# - save: True
{% endfor %}
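Review bot: commenting out the analyst rules for 3000, 7000, 9000 and 9001 closes direct access to Grafana, The Hive and the other UIs, but the comment kept in `salt/common/init.sls` ("Install the docker. This needs to be behind nginx at some point") says Grafana is not yet proxied, so analysts lose Grafana until that lands; either leave 3000 open for now or add the nginx location in this PR. Prefer deleting the dead blocks (git keeps them) or gating them on a pillar flag over leaving some fifty commented lines in the state.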

View File

@@ -61,13 +61,13 @@ fleetdbpriv:
so-fleetimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-fleet:HH1.0.6
- name: docker pull --disable-content-trust=false soshybridhunter/so-fleet:HH1.1.0
so-fleet:
docker_container.running:
- require:
- so-fleetimage
- image: soshybridhunter/so-fleet:HH1.0.6
- image: soshybridhunter/so-fleet:HH1.1.0
- hostname: so-fleet
- port_bindings:
- 0.0.0.0:8080:8080

View File

@@ -27,7 +27,7 @@ mkdir /opt/so/conf/fleet/packages
docker run \
--mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \
--mount type=bind,source=/etc/pki/launcher.crt,target=/var/launcher/launcher.crt \
soshybridhunter/so-fleet-launcher:HH1.0.8 "$esecret" "$1":8080
soshybridhunter/so-fleet-launcher:HH1.1.0 "$esecret" "$1":8080
cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packages/
#Update timestamp on packages webpage

View File

@@ -33,13 +33,13 @@ hiveesdata:
so-thehive-esimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-thehive-es:HH1.0.7
- name: docker pull --disable-content-trust=false soshybridhunter/so-thehive-es:HH1.1.0
so-thehive-es:
docker_container.running:
- require:
- so-thehive-esimage
- image: soshybridhunter/so-thehive-es:HH1.0.7
- image: soshybridhunter/so-thehive-es:HH1.1.0
- hostname: so-thehive-es
- name: so-thehive-es
- user: 939
@@ -81,13 +81,13 @@ so-thehive-es:
so-thehiveimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-thehive:HH1.0.8
- name: docker pull --disable-content-trust=false soshybridhunter/so-thehive:HH1.1.0
so-thehive:
docker_container.running:
- require:
- so-thehiveimage
- image: soshybridhunter/so-thehive:HH1.0.8
- image: soshybridhunter/so-thehive:HH1.1.0
- environment:
- ELASTICSEARCH_HOST={{ MASTERIP }}
- hostname: so-thehive
@@ -97,7 +97,7 @@ so-thehive:
- /opt/so/conf/hive/etc/application.conf:/opt/thehive/conf/application.conf:ro
- port_bindings:
- 0.0.0.0:9000:9000
hivescript:
cmd.script:
- source: salt://hive/thehive/scripts/hive_init.sh

View File

@@ -21,6 +21,13 @@ idstoolsdir:
- group: 939
- makedirs: True
idstoolslogdir:
file.directory:
- name: /opt/so/log/idstools
- user: 939
- group: 939
- makedirs: True
idstoolsetcsync:
file.recurse:
- name: /opt/so/conf/idstools/etc
@@ -29,6 +36,12 @@ idstoolsetcsync:
- group: 939
- template: jinja
/usr/sbin/so-rule-update.sh > /opt/so/log/idstools/download.log:
cron.present:
- user: root
- minute: '1'
- hour: '7'
rulesdir:
file.directory:
- name: /opt/so/rules/nids
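Review bot: the cron command redirects with `>`, so each daily run overwrites `download.log` and stderr is not captured at all; use `>> /opt/so/log/idstools/download.log 2>&1` so a failed rule pull is visible afterwards. The script it calls uses `docker exec -it`, which needs a TTY and will not work under cron, and the `.sh` suffix here must match the filename synced from `salt://common/tools/sbin` (the README refers to the command as `so-rule-update`).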
@@ -50,13 +63,13 @@ ruleslink:
so-idstoolsimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-idstools:HH1.0.3
- name: docker pull --disable-content-trust=false soshybridhunter/so-idstools:HH1.1.0
so-idstools:
docker_container.running:
- require:
- so-idstoolsimage
- image: soshybridhunter/so-idstools:HH1.0.3
- image: soshybridhunter/so-idstools:HH1.1.0
- hostname: so-idstools
- user: socore
- binds:

View File

@@ -56,14 +56,14 @@ synckibanacustom:
so-kibanaimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-kibana:HH1.0.7
- name: docker pull --disable-content-trust=false soshybridhunter/so-kibana:HH1.1.0
# Start the kibana docker
so-kibana:
docker_container.running:
- require:
- so-kibanaimage
- image: soshybridhunter/so-kibana:HH1.0.7
- image: soshybridhunter/so-kibana:HH1.1.0
- hostname: kibana
- user: kibana
- environment:

View File

@@ -12,8 +12,9 @@
#/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
#/usr/share/logstash/pipeline.so/0003_input_syslog.conf
#/usr/share/logstash/pipeline.so/0005_input_suricata.conf
/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
#/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
/usr/share/logstash/pipeline.so/0007_input_import.conf
/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf
#/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
#/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
#/usr/share/logstash/pipeline.so/1002_preprocess_json.conf
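Review bot: with `0006_input_beats.conf` commented out nothing listens on 5044 inside the Logstash container, yet the container still publishes `0.0.0.0:5044` and the firewall keeps the forward-node 5044 rule, so any Beats still pointed at that port get connection refused; if 5044 is intentionally reserved for user-defined inputs (as the README says), document that the user must enable an input there, or stop publishing the port until one exists.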

View File

@@ -12,6 +12,7 @@
/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
/usr/share/logstash/pipeline.so/0003_input_syslog.conf
/usr/share/logstash/pipeline.so/0005_input_suricata.conf
/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
#/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf
/usr/share/logstash/pipeline.so/0007_input_import.conf
/usr/share/logstash/pipeline.dynamic/9999_output_redis.conf

View File

@@ -0,0 +1,40 @@
input {
beats {
port => "5644"
ssl => true
ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
ssl_certificate => "/usr/share/logstash/filebeat.crt"
ssl_key => "/usr/share/logstash/filebeat.key"
tags => [ "beat" ]
}
}
filter {
if [type] == "ids" or [type] =~ "bro" {
mutate {
rename => { "host" => "beat_host" }
remove_tag => ["beat"]
add_field => { "sensor_name" => "%{[beat][name]}" }
add_field => { "syslog-host_from" => "%{[beat][name]}" }
remove_field => [ "beat", "prospector", "input", "offset" ]
}
}
if [type] =~ "ossec" {
mutate {
rename => { "host" => "beat_host" }
remove_tag => ["beat"]
add_field => { "syslog-host_from" => "%{[beat][name]}" }
remove_field => [ "beat", "prospector", "input", "offset" ]
}
}
if [type] == "osquery" {
mutate {
rename => { "host" => "beat_host" }
remove_tag => ["beat"]
add_tag => ["osquery"]
}
json {
source => "message"
target => "osquery"
}
}
}
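Review bot: the beats input sets `ssl => true` with a server certificate and a CA but leaves `ssl_verify_mode` at its default of `none`, so client certificates are not required and any host allowed through the 5644 firewall rule can inject events that the filter then labels as `bro`, `ids`, `ossec` or `osquery`; set `ssl_verify_mode => "force_peer"` if the Filebeat side presents a client cert. Also `ssl_certificate_authorities` points at `/usr/share/filebeat/ca.crt` while the other files are under `/usr/share/logstash/`; confirm that path is actually mounted into the so-logstash container.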

View File

@@ -148,13 +148,13 @@ lslogdir:
# Add the container
so-logstashimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-logstash:HH1.0.6
- name: docker pull --disable-content-trust=false soshybridhunter/so-logstash:HH1.1.0
so-logstash:
docker_container.running:
- require:
- so-logstashimage
- image: soshybridhunter/so-logstash:HH1.0.6
- image: soshybridhunter/so-logstash:HH1.1.0
- hostname: so-logstash
- name: so-logstash
- user: logstash
@@ -163,6 +163,7 @@ so-logstash:
- port_bindings:
- 0.0.0.0:514:514
- 0.0.0.0:5044:5044
- 0.0.0.0:5644:5644
- 0.0.0.0:6050:6050
- 0.0.0.0:6051:6051
- 0.0.0.0:6052:6052

View File

@@ -48,14 +48,14 @@ acngcopyconf:
so-acngimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-acng:HH1.0.7
- name: docker pull --disable-content-trust=false soshybridhunter/so-acng:HH1.1.0
# Install the apt-cacher-ng container
so-aptcacherng:
docker_container.running:
- require:
- so-acngimage
- image: soshybridhunter/so-acng:HH1.0.7
- image: soshybridhunter/so-acng:HH1.1.0
- hostname: so-acng
- port_bindings:
- 0.0.0.0:3142:3142

View File

@@ -50,13 +50,13 @@ mysqldatadir:
so-mysqlimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-mysql:HH1.0.7
- name: docker pull --disable-content-trust=false soshybridhunter/so-mysql:HH1.1.0
so-mysql:
docker_container.running:
- require:
- so-mysqlimage
- image: soshybridhunter/so-mysql:HH1.0.7
- image: soshybridhunter/so-mysql:HH1.1.0
- hostname: so-mysql
- user: socore
- port_bindings:

View File

@@ -0,0 +1,20 @@
{%- set MASTER = grains['master'] -%}
{%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%}
{
"logFilename": "/opt/sensoroni/log/sensoroni.log",
"logLevel":"debug",
"agent": {
"pollIntervalMs": 10000,
"serverUrl": "https://{{ MASTER }}/sensoroniagents",
"verifyCert": false,
"modules": {
"statickeyauth": {
"apiKey": "{{ SENSORONIKEY }}"
},
"stenoquery": {
"pcapInputPath": "/nsm/pcap",
"pcapOutputPath": "/nsm/pcapout"
}
}
}
}
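Review bot: `"verifyCert": false` makes the agent accept any certificate for `https://{{ MASTER }}/sensoroniagents`, so the `statickeyauth` API key rendered into this file can be captured by anyone who can intercept sensor-to-master traffic; the `ca` and `ssl` states already run on every node, so point the agent at the internal CA instead. `"logLevel": "debug"` also runs against the README note about disabling DEBUG logging to save space.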

View File

@@ -44,6 +44,15 @@ stenoconf:
- mode: 644
- template: jinja
sensoroniagentconf:
file.managed:
- name: /opt/so/conf/steno/sensoroni.json
- source: salt://pcap/files/sensoroni.json
- user: root
- group: root
- mode: 644
- template: jinja
stenoca:
file.directory:
- name: /opt/so/conf/steno/certs
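Review bot: `sensoroniagentconf` writes a file containing the rendered `SENSORONIKEY` with `mode: 644`, so every local user on the sensor can read the API key; use `mode: 640` with the group the steno container runs as (or 600 if it runs as root), and treat the key like the other secrets kept in `auth.sls`.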
@@ -87,13 +96,13 @@ stenolog:
so-stenoimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-steno:HH1.0.3
- name: docker pull --disable-content-trust=false soshybridhunter/so-steno:HH1.1.0
so-steno:
docker_container.running:
- require:
- so-stenoimage
- image: soshybridhunter/so-steno:HH1.0.3
- image: soshybridhunter/so-steno:HH1.1.0
- network_mode: host
- privileged: True
- port_bindings:
@@ -106,3 +115,7 @@ so-steno:
- /nsm/pcaptmp:/tmp:rw
- /nsm/pcapout:/nsm/pcapout:rw
- /opt/so/log/stenographer:/var/log/stenographer:rw
- /opt/so/conf/steno/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
- /opt/so/log/stenographer:/opt/sensoroni/log:rw
- watch:
- /opt/so/conf/steno/sensoroni.json
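Review bot: the `watch` requisite on `so-steno` is malformed: requisites take the form `- <state module>: <id or name>`, so `- /opt/so/conf/steno/sensoroni.json` should be `- file: /opt/so/conf/steno/sensoroni.json` (compare the redis state in this PR); as written Salt rejects the state at render time. `/opt/so/log/stenographer` is also now bind-mounted twice, at `/var/log/stenographer` and `/opt/sensoroni/log`, so stenographer and the agent write into one directory; the master side already uses a separate `/opt/so/log/sensoroni`, and the sensor should match.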

View File

@@ -44,18 +44,15 @@ redisconfsync:
- group: 939
- template: jinja
toosmooth/so-redis:test2:
docker_image.present
so-redisimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-redis:HH1.0.7
- name: docker pull --disable-content-trust=false soshybridhunter/so-redis:HH1.1.0
so-redis:
docker_container.running:
- require:
- so-redisimage
- image: soshybridhunter/so-redis:HH1.0.7
- image: soshybridhunter/so-redis:HH1.1.0
- hostname: so-redis
- user: socore
- port_bindings:
@@ -65,3 +62,5 @@ so-redis:
- /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro
- /opt/so/conf/redis/working:/redis:rw
- entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
- watch:
- file: /opt/so/conf/redis/etc

View File

@@ -0,0 +1,25 @@
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
{%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%}
{
"logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
"server": {
"bindAddress": "0.0.0.0:9822",
"maxPacketCount": 5000,
"htmlDir": "html",
"modules": {
"filedatastore": {
"jobDir": "jobs"
},
"securityonion": {
"elasticsearchHost": "http://{{ MASTERIP }}:9200",
"elasticsearchUsername": "",
"elasticsearchPassword": "",
"elasticsearchVerifyCert": false
},
"statickeyauth": {
"anonymousCidr": "172.17.0.0/24",
"apiKey": "{{ SENSORONIKEY }}"
}
}
}
}
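Review bot: `"anonymousCidr": "172.17.0.0/24"` is the Docker default bridge, so any container on that bridge, including nginx proxying the unauthenticated `/sensoroniagents/` location, talks to this server without the API key; if the intent is to trust only the proxy, enforce that in nginx rather than with a CIDR every container shares. `"elasticsearchVerifyCert": false` with empty credentials against `http://{{ MASTERIP }}:9200` is consistent with the rest of the stack for now, but should be tracked for the beta authentication rework the README mentions.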

salt/sensoroni/init.sls (new file, 48 lines)
View File

@@ -0,0 +1,48 @@
sensoronidir:
file.directory:
- name: /opt/so/conf/sensoroni
- user: 939
- group: 939
- makedirs: True
sensoronidatadir:
file.directory:
- name: /nsm/sensoroni/jobs
- user: 939
- group: 939
- makedirs: True
sensoronilogdir:
file.directory:
- name: /opt/so/log/sensoroni
- user: 939
- group: 939
- makedirs: True
sensoronisync:
file.recurse:
- name: /opt/so/conf/sensoroni
- source: salt://sensoroni/files
- user: 939
- group: 939
- template: jinja
so-sensoroniimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-sensoroni:HH1.1.0
so-sensoroni:
docker_container.running:
- require:
- so-sensoroniimage
- image: soshybridhunter/so-sensoroni:HH1.1.0
- hostname: sensoroni
- name: so-sensoroni
- binds:
- /nsm/sensoroni/jobs:/opt/sensoroni/jobs:rw
- /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
- /opt/so/log/sensoroni/:/opt/sensoroni/log/:rw
- port_bindings:
- 0.0.0.0:9822:9822
- watch:
- file: /opt/so/conf/sensoroni
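Review bot: `sensoronisync` recurses `sensoroni.json`, which carries the rendered API key, with no `file_mode`, so it keeps the fileserver's mode (normally 644) and is readable by every local user on the master; set `file_mode: 640`. The container also publishes `0.0.0.0:9822`, so reachability depends entirely on the DOCKER-USER rules; nginx reaches it via `{{ masterip }}`, so binding to that address instead of all interfaces narrows the exposure.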

View File

@@ -15,13 +15,13 @@ soctopussync:
so-soctopusimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.0.8
- name: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.1.0
so-soctopus:
docker_container.running:
- require:
- so-soctopusimage
- image: soshybridhunter/so-soctopus:HH1.0.8
- image: soshybridhunter/so-soctopus:HH1.1.0
- hostname: soctopus
- name: so-soctopus
- binds:

View File

@@ -72,13 +72,13 @@ suriconfigsync:
so-suricataimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-suricata:HH1.0.8
- name: docker pull --disable-content-trust=false soshybridhunter/so-suricata:HH1.1.0
so-suricata:
docker_container.running:
- require:
- so-suricataimage
- image: soshybridhunter/so-suricata:HH1.0.8
- image: soshybridhunter/so-suricata:HH1.1.0
- privileged: True
- environment:
- INTERFACE={{ interface }}

View File

@@ -25,6 +25,7 @@ base:
- ca
- ssl
- common
- sensoroni
- firewall
- master
- idstools
@@ -60,6 +61,7 @@ base:
- ca
- ssl
- common
- sensoroni
- firewall
- master
- idstools

View File

@@ -58,13 +58,13 @@ wazuhagentregister:
so-wazuhimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-wazuh:HH1.0.7
- name: docker pull --disable-content-trust=false soshybridhunter/so-wazuh:HH1.1.0
so-wazuh:
docker_container.running:
- require:
- so-wazuhimage
- image: soshybridhunter/so-wazuh:HH1.0.7
- image: soshybridhunter/so-wazuh:HH1.1.0
- hostname: {{HOSTNAME}}-wazuh-manager
- name: so-wazuh
- detach: True

View File

@@ -23,23 +23,24 @@ CPUCORES=$(cat /proc/cpuinfo | grep processor | wc -l)
LISTCORES=$(cat /proc/cpuinfo | grep processor | awk '{print $3 " \"" "core" "\""}')
RANDOMUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
NODE_ES_PORT="9200"
SETUPLOG="/root/sosetup.log"
# Reset the Install Log
date -u >~/sosetup.log 2>&1
date -u >$SETUPLOG 2>&1
# End Global Variable Section
# Functions
accept_salt_key_local() {
echo "Accept the key locally on the master" >>~/sosetup.log 2>&1
echo "Accept the key locally on the master" >> $SETUPLOG 2>&1
# Accept the key locally on the master
salt-key -ya $HOSTNAME
}
accept_salt_key_remote() {
echo "Accept the key remotely on the master" >>~/sosetup.log 2>&1
echo "Accept the key remotely on the master" >> $SETUPLOG 2>&1
# Delete the key just in case.
ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y
salt-call state.apply ca
@@ -48,7 +49,7 @@ accept_salt_key_remote() {
}
add_master_hostfile() {
echo "Checking if I can resolve master. If not add to hosts file" >>~/sosetup.log 2>&1
echo "Checking if I can resolve master. If not add to hosts file" >> $SETUPLOG 2>&1
# Pop up an input to get the IP address
local MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
@@ -60,7 +61,7 @@ add_master_hostfile() {
}
add_socore_user_master() {
echo "Add socore on the master" >>~/sosetup.log 2>&1
echo "Add socore on the master" >> $SETUPLOG 2>&1
if [ $OS == 'centos' ]; then
local ADDUSER=adduser
else
@@ -75,7 +76,7 @@ add_socore_user_master() {
}
add_socore_user_notmaster() {
echo "Add socore user on non master" >>~/sosetup.log 2>&1
echo "Add socore user on non master" >> $SETUPLOG 2>&1
# Add socore user to the non master system. Probably not a bad idea to make system user
groupadd --gid 939 socore
$ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore
@@ -86,7 +87,7 @@ add_socore_user_notmaster() {
auth_pillar(){
if [ ! -f /opt/so/saltstack/pillar/auth.sls ]; then
echo "Creating Auth Pillar" >>~/sosetup.log 2>&1
echo "Creating Auth Pillar" >> $SETUPLOG 2>&1
mkdir -p /opt/so/saltstack/pillar
echo "auth:" >> /opt/so/saltstack/pillar/auth.sls
echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/auth.sls
@@ -97,7 +98,7 @@ auth_pillar(){
# Enable Bro Logs
bro_logs_enabled() {
echo "Enabling Bro Logs" >>~/sosetup.log 2>&1
echo "Enabling Bro Logs" >> $SETUPLOG 2>&1
echo "brologs:" > pillar/brologs.sls
echo " enabled:" >> pillar/brologs.sls
@@ -163,13 +164,13 @@ calculate_useable_cores() {
}
checkin_at_boot() {
echo "Enabling checkin at boot" >>~/sosetup.log 2>&1
echo "Enabling checkin at boot" >> $SETUPLOG 2>&1
echo "startup_states: highstate" >> /etc/salt/minion
}
chown_salt_master() {
echo "Chown the salt dirs on the master for socore" >>~/sosetup.log 2>&1
echo "Chown the salt dirs on the master for socore" >> $SETUPLOG 2>&1
chown -R socore:socore /opt/so
}
@@ -178,7 +179,7 @@ clear_master() {
# Clear out the old master public key in case this is a re-install.
# This only happens if you re-install the master.
if [ -f /etc/salt/pki/minion/minion_master.pub ]; then
echo "Clearing old master key" >>~/sosetup.log 2>&1
echo "Clearing old master key" >> $SETUPLOG 2>&1
rm /etc/salt/pki/minion/minion_master.pub
service salt-minion restart
fi
@@ -189,7 +190,7 @@ configure_minion() {
# You have to pass the TYPE to this function so it knows if its a master or not
local TYPE=$1
echo "Configuring minion type as $TYPE" >>~/sosetup.log 2>&1
echo "Configuring minion type as $TYPE" >> $SETUPLOG 2>&1
touch /etc/salt/grains
echo "role: so-$TYPE" > /etc/salt/grains
if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ]; then
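Review bot: `touch /etc/salt/grains` is redundant since the `>` on the next line creates the file, and that `>` overwrites any grains already present rather than setting just `role`; `salt-call grains.setval role so-$TYPE` merges instead. `[ $TYPE == 'master' ]` should quote `$TYPE`, otherwise an empty argument produces a `[: ==: unary operator expected` error rather than a false test.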
@@ -229,7 +230,7 @@ copy_minion_pillar() {
local TYPE=$1
# Copy over the pillar
echo "Copying the pillar over" >>~/sosetup.log 2>&1
echo "Copying the pillar over" >> $SETUPLOG 2>&1
scp -v -i /root/.ssh/so.key $TMP/$HOSTNAME.sls socore@$MSRV:/opt/so/saltstack/pillar/$TYPE/$HOSTNAME.sls
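Review bot: the `scp` to `socore@$MSRV` has no host-key handling, so on a sensor that has never connected to the master, ssh would prompt to confirm the key; because this runs inside the `{ ... } | whiptail --gauge` subshell without a terminal on stdin, it fails with "Host key verification failed" instead. Pre-seed `known_hosts` with the master's key in `copy_ssh_key` (or pass a pinned `-o UserKnownHostsFile`); `-o StrictHostKeyChecking=accept-new` is an option only on OpenSSH 7.6+, which rules out CentOS 7. Dropping `-v` would also keep the log readable.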
}
@@ -245,113 +246,47 @@ copy_ssh_key() {
}
create_bond() {
# Create the bond interface
echo "Setting up Bond" >>~/sosetup.log 2>&1
create_bond_nmcli() {
echo "Setting up Bond" >> $SETUPLOG 2>&1
# Set the MTU
if [ $NSMSETUP != 'ADVANCED' ]; then
MTU=1500
fi
# Do something different based on the OS
if [ $OS == 'centos' ]; then
modprobe --first-time bonding
touch /etc/sysconfig/network-scripts/ifcfg-bond0
echo "DEVICE=bond0" > /etc/sysconfig/network-scripts/ifcfg-bond0
echo "NAME=bond0" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "Type=Bond" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "BONDING_MASTER=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "BONDING_OPTS=\"mode=0\"" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-bond0
# Create the bond interface
nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \
ipv4.method disabled \
ipv6.method link-local \
ethernet.mtu $MTU \
connection.autoconnect "yes" >> $SETUPLOG 2>&1
# Create Bond configs for the selected monitor interface
for BNIC in ${BNICS[@]}; do
BONDNIC="${BNIC%\"}"
BONDNIC="${BONDNIC#\"}"
sed -i 's/ONBOOT=no/ONBOOT=yes/g' /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
echo "MASTER=bond0" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
echo "SLAVE=yes" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
# Strip the quotes from the NIC names
BONDNIC="$(echo -e "${BNIC}" | tr -d '"')"
# Create the slave interface and assign it to the bond
nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 -- \
ethernet.mtu $MTU \
connection.autoconnect "yes" >> $SETUPLOG 2>&1
# Bring the slave interface up
nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1
done
nmcli con reload >>~/sosetup.log 2>&1
systemctl restart network >>~/sosetup.log 2>&1
else
# Need to add 17.04 support still
apt-get -y install ifenslave >>~/sosetup.log 2>&1
if ! grep -q bonding /etc/modules; then
echo "bonding" >> /etc/modules
fi
modprobe bonding >>~/sosetup.log 2>&1
local LBACK=$(awk '/auto lo/,/^$/' /etc/network/interfaces)
local MINT=$(awk "/auto $MNIC/,/^$/" /etc/network/interfaces)
# Backup and create a new interface file
cp /etc/network/interfaces /etc/network/interfaces.sosetup
echo "source /etc/network/interfaces.d/*" > /etc/network/interfaces
echo "" >> /etc/network/interfaces
# Let's set up the new interface file
# Populate lo and create file for the management interface
IFS=$'\n'
for line in $LBACK
do
echo $line >> /etc/network/interfaces
done
IFS=$'\n'
for line in $MINT
do
echo $line >> /etc/network/interfaces.d/$MNIC
done
# Create entries for each interface that is part of the bond.
for BNIC in ${BNICS[@]}; do
BNIC=$(echo $BNIC | cut -d\" -f2)
echo "auto $BNIC" >> /etc/network/interfaces.d/$BNIC
echo "iface $BNIC inet manual" >> /etc/network/interfaces.d/$BNIC
echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/$BNIC
echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/$BNIC
echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/$BNIC
echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/$BNIC
echo " bond-master bond0" >> /etc/network/interfaces.d/$BNIC
echo " mtu $MTU" >> /etc/network/interfaces.d/$BNIC
done
BN=("${BNICS[@]//\"/}")
echo "auto bond0" > /etc/network/interfaces.d/bond0
echo "iface bond0 inet manual" >> /etc/network/interfaces.d/bond0
echo " bond-mode 0" >> /etc/network/interfaces.d/bond0
echo " bond-slaves $BN" >> /etc/network/interfaces.d/bond0
echo " mtu $MTU" >> /etc/network/interfaces.d/bond0
echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/bond0
echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/bond0
echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/bond0
echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/bond0
fi
}
detect_os() {
# Detect Base OS
echo "Detecting Base OS" >>~/sosetup.log 2>&1
echo "Detecting Base OS" >> $SETUPLOG 2>&1
if [ -f /etc/redhat-release ]; then
OS=centos
yum -y install bind-utils
elif [ -f /etc/os-release ]; then
OS=ubuntu
apt install -y network-manager
/bin/systemctl enable network-manager
/bin/systemctl start network-manager
else
echo "We were unable to determine if you are using a supported OS." >>~/sosetup.log 2>&1
echo "We were unable to determine if you are using a supported OS." >> $SETUPLOG 2>&1
exit
fi
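Review bot: the removed ifupdown branch put the capture NICs and bond0 into promiscuous mode with ARP off, disabled IPv6 on them, and turned off every offload (`ethtool -K $IFACE rx tx sg tso ufo gso gro lro off`); the `nmcli` replacement sets only `ipv4.method disabled`, `ipv6.method link-local` and the MTU. Unless a salt state now does this, GRO/LRO will hand reassembled super-packets to Suricata and the bond will still emit IPv6 NDP/MLD onto the tap; `ipv6.method ignore` (or `disabled` on NetworkManager 1.20+) plus an `ethtool -K` pass over each slave after `nmcli con up` restores the old behaviour. Also note that `detect_os` now installs and starts NetworkManager on Ubuntu, whose package ships `10-globally-managed-devices.conf` leaving wired devices unmanaged unless netplan's renderer is NetworkManager; verify that `nmcli con up bond0-slave-...` actually succeeds on an 18.04 server install rather than silently leaving the device unmanaged.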
@@ -365,26 +300,30 @@ docker_install() {
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum -y update
yum -y install docker-ce docker-python python-docker
docker_registry
echo "Restarting Docker" >>~/sosetup.log 2>&1
if [ $INSTALLTYPE != 'EVALMODE' ]; then
docker_registry
fi
echo "Restarting Docker" >> $SETUPLOG 2>&1
systemctl restart docker
systemctl enable docker
else
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
apt-get update >>~/sosetup.log 2>&1
apt-get -y install docker-ce >>~/sosetup.log 2>&1
docker_registry >>~/sosetup.log 2>&1
echo "Restarting Docker" >>~/sosetup.log 2>&1
systemctl restart docker >>~/sosetup.log 2>&1
apt-get update >> $SETUPLOG 2>&1
apt-get -y install docker-ce >> $SETUPLOG 2>&1
if [ $INSTALLTYPE != 'EVALMODE' ]; then
docker_registry >> $SETUPLOG 2>&1
fi
echo "Restarting Docker" >> $SETUPLOG 2>&1
systemctl restart docker >> $SETUPLOG 2>&1
else
apt-key add $TMP/gpg/docker.pub >>~/sosetup.log 2>&1
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >>~/sosetup.log 2>&1
apt-get update >>~/sosetup.log 2>&1
apt-get -y install docker-ce >>~/sosetup.log 2>&1
docker_registry >>~/sosetup.log 2>&1
echo "Restarting Docker" >>~/sosetup.log 2>&1
systemctl restart docker >>~/sosetup.log 2>&1
apt-key add $TMP/gpg/docker.pub >> $SETUPLOG 2>&1
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> $SETUPLOG 2>&1
apt-get update >> $SETUPLOG 2>&1
apt-get -y install docker-ce >> $SETUPLOG 2>&1
docker_registry >> $SETUPLOG 2>&1
echo "Restarting Docker" >> $SETUPLOG 2>&1
systemctl restart docker >> $SETUPLOG 2>&1
fi
fi
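Review bot: the three branches now differ in whether `docker_registry` is gated on `$INSTALLTYPE != 'EVALMODE'`; the Ubuntu sensor/node branch calls it unconditionally, which is only correct because EVALMODE cannot reach that branch, an invariant the code does not state. Move the gate to a single call after the OS-specific install so the rule lives in one place. The CentOS branch also runs `yum -y update`, a full system upgrade, in the middle of setup; if that is intended, the progress message should say so, since it can dominate install time.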
@@ -392,13 +331,13 @@ docker_install() {
docker_registry() {
echo "Setting up Docker Registry" >>~/sosetup.log 2>&1
mkdir -p /etc/docker >>~/sosetup.log 2>&1
echo "Setting up Docker Registry" >> $SETUPLOG 2>&1
mkdir -p /etc/docker >> $SETUPLOG 2>&1
# Make the host use the master docker registry
echo "{" > /etc/docker/daemon.json
echo " \"registry-mirrors\": [\"https://$MSRV:5000\"]" >> /etc/docker/daemon.json
echo "}" >> /etc/docker/daemon.json
echo "Docker Registry Setup - Complete" >>~/sosetup.log 2>&1
echo "Docker Registry Setup - Complete" >> $SETUPLOG 2>&1
}
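Review bot: `/etc/docker/daemon.json` is overwritten wholesale, so any existing daemon settings (log driver, storage driver, an administrator's own mirrors) are discarded; check for an existing file and merge, or at least back it up. The mirror is `https://$MSRV:5000`, so every node's docker daemon must trust the CA that the later `ca`/`ssl` states produce, and `$MSRV` must resolve at pull time, which ties back to the hosts-file prompt in `add_master_hostfile`.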
@@ -436,6 +375,7 @@ generate_passwords(){
MYSQLPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
SENSORONIKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
}
get_filesystem_nsm(){
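Review bot: `SENSORONIKEY` follows the existing `cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1` idiom, which is adequate (20 alphanumerics is roughly 119 bits), but the pipeline is now copied five times; a `gen_secret() { tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 20; echo; }` helper removes the useless `cat` and makes the length a single constant to change.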
@@ -497,7 +437,7 @@ install_master() {
# Install the salt master package
if [ $OS == 'centos' ]; then
yum -y install wget salt-common salt-master >>~/sosetup.log 2>&1
yum -y install wget salt-common salt-master >> $SETUPLOG 2>&1
# Create a place for the keys for Ubuntu minions
mkdir -p /opt/so/gpg
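Review bot: on CentOS `salt-common` and `salt-master` are installed unpinned, whereas the Ubuntu branch of `saltify` pins `salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1` and holds them. Salt tolerates a master newer than its minions but not the reverse, and a mismatch surfaces only as a `Failed:` count; pin the CentOS packages to the same release (`salt-master-2018.3.4`) with `yum versionlock`, or document why the platforms differ.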
@@ -583,6 +523,7 @@ master_static() {
echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls
echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls
echo " fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls
echo " sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls
if [[ $MASTERUPDATES == 'MASTER' ]]; then
echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
else
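Review bot: `hivepassword: hivechangeme` remains a fixed default next to `hivekey` and the new `sensoronikey`, both freshly generated in `generate_passwords`. The static pillar ends up under `/opt/so` readable by `socore`, so a known credential there is the weakest entry in the file; generate it like the others and show it to the user at the end of setup, or prompt for it, rather than relying on an operator noticing `changeme`.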
@@ -810,7 +751,7 @@ EOF
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade
# Add the pre-requisites for installing docker-ce
apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl >>~/sosetup.log 2>&1
apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl >> $SETUPLOG 2>&1
# Grab the version from the os-release file
UVER=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}')
@@ -840,8 +781,8 @@ EOF
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
# Initialize the new repos
apt-get update >>~/sosetup.log 2>&1
apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >>~/sosetup.log 2>&1
apt-get update >> $SETUPLOG 2>&1
apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >> $SETUPLOG 2>&1
apt-mark hold salt-minion salt-common
else
@@ -854,8 +795,8 @@ EOF
echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest xenial main" > /etc/apt/sources.list.d/saltstack.list
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
# Initialize the new repos
apt-get update >>~/sosetup.log 2>&1
apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >>~/sosetup.log 2>&1
apt-get update >> $SETUPLOG 2>&1
apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >> $SETUPLOG 2>&1
apt-mark hold salt-minion salt-common
fi
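Review bot: the two Ubuntu branches differ only in the `saltstack.list` line, yet the Wazuh repo line, `apt-get update`, the pinned install and `apt-mark hold` are duplicated in both; pull the common tail below the `if`/`else` so a version bump is edited once. The saltstack repository is fetched over plain `http://` while Wazuh's uses `https://`; apt verifies signatures either way, but `https://repo.saltstack.com` works and removes one avenue for an on-path attacker to serve stale repository metadata.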
@@ -868,25 +809,25 @@ salt_checkin() {
# Master State to Fix Mine Usage
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
echo "Building Certificate Authority"
salt-call state.apply ca >>~/sosetup.log 2>&1
salt-call state.apply ca >> $SETUPLOG 2>&1
echo " *** Restarting Salt to fix any SSL errors. ***"
service salt-master restart >>~/sosetup.log 2>&1
service salt-master restart >> $SETUPLOG 2>&1
sleep 5
service salt-minion restart >>~/sosetup.log 2>&1
service salt-minion restart >> $SETUPLOG 2>&1
sleep 15
echo " Applyng a mine hack "
sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >>~/sosetup.log 2>&1
sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >> $SETUPLOG 2>&1
echo " Applying SSL state "
salt-call state.apply ssl >>~/sosetup.log 2>&1
salt-call state.apply ssl >> $SETUPLOG 2>&1
echo "Still Working... Hang in there"
#salt-call state.highstate
else
# Run Checkin
salt-call state.apply ca >>~/sosetup.log 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1
#salt-call state.highstate >>~/sosetup.log 2>&1
salt-call state.apply ca >> $SETUPLOG 2>&1
salt-call state.apply ssl >> $SETUPLOG 2>&1
#salt-call state.highstate >> $SETUPLOG 2>&1
fi
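Review bot: the master branch relies on `sleep 5` and `sleep 15` after restarting salt-master and salt-minion and then fires `mine.send` at `'*'`; on a slow host the minion has not reconnected, the mine entry is never populated, and the following `state.apply ssl` fails for a reason that only appears as a `Failed:` count. Poll instead, e.g. loop on `salt '*' test.ping --out=txt` until the minion answers before the `mine.send`. `sudo` in front of `salt` is redundant since the script already runs as root (it writes under `/etc/salt`), and the master and eval install blocks call `salt_checkin` and then immediately `state.apply ca` and `ssl` again, which this function already did.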
@@ -907,7 +848,7 @@ salt_checkin_message() {
salt_firstcheckin() {
#First Checkin
salt-call state.highstate >>~/sosetup.log 2>&1
salt-call state.highstate >> $SETUPLOG 2>&1
}
@@ -1456,7 +1397,7 @@ whiptail_sensor_config() {
whiptail_setup_complete() {
whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. A reboot is recommended." 8 78
whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE." 8 78
install_cleanup
exit
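Review bot: the message drops "A reboot is recommended." With the bond now brought up live via `nmcli con up` and docker restarted in place that may be accurate, but `saltify` and `docker_install` still run `apt-get upgrade` and `yum -y update`, which can leave the running kernel behind the installed one; keep the hint when a kernel package was upgraded (compare `uname -r` with the newest installed kernel) rather than removing it unconditionally.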
@@ -1464,7 +1405,7 @@ whiptail_setup_complete() {
whiptail_setup_failed() {
whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see /root/sosetup.log for details" 8 78
whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $SETUPLOG for details" 8 78
install_cleanup
exit
@@ -1623,83 +1564,83 @@ if (whiptail_you_sure); then
{
sleep 0.5
echo -e "XXX\n0\nInstalling and configuring Salt... \nXXX"
echo " ** Installing Salt and Dependencies **" >>~/sosetup.log
saltify >>~/sosetup.log 2>&1
echo " ** Installing Salt and Dependencies **" >> $SETUPLOG
saltify >> $SETUPLOG 2>&1
echo -e "XXX\n5\nInstalling Docker... \nXXX"
docker_install >>~/sosetup.log 2>&1
docker_install >> $SETUPLOG 2>&1
echo -e "XXX\n10\nConfiguring Salt Master... \nXXX"
echo " ** Configuring Minion **" >>~/sosetup.log
configure_minion master >>~/sosetup.log 2>&1
echo " ** Installing Salt Master **" >>~/sosetup.log
install_master >>~/sosetup.log 2>&1
salt_master_directories >>~/sosetup.log 2>&1
update_sudoers >>~/sosetup.log 2>&1
chown_salt_master >>~/sosetup.log 2>&1
es_heapsize >>~/sosetup.log 2>&1
ls_heapsize >>~/sosetup.log 2>&1
echo " ** Configuring Minion **" >> $SETUPLOG
configure_minion master >> $SETUPLOG 2>&1
echo " ** Installing Salt Master **" >> $SETUPLOG
install_master >> $SETUPLOG 2>&1
salt_master_directories >> $SETUPLOG 2>&1
update_sudoers >> $SETUPLOG 2>&1
chown_salt_master >> $SETUPLOG 2>&1
es_heapsize >> $SETUPLOG 2>&1
ls_heapsize >> $SETUPLOG 2>&1
echo -e "XXX\n25\nConfiguring Default Pillars... \nXXX"
master_static >>~/sosetup.log 2>&1
echo "** Generating the master pillar **" >>~/sosetup.log
master_pillar >>~/sosetup.log 2>&1
master_static >> $SETUPLOG 2>&1
echo "** Generating the master pillar **" >> $SETUPLOG
master_pillar >> $SETUPLOG 2>&1
echo -e "XXX\n30\nAccepting Salt Keys... \nXXX"
# Do a checkin to push the key up
echo "** Pushing the key up to Master **" >>~/sosetup.log
salt_firstcheckin >>~/sosetup.log 2>&1
echo "** Pushing the key up to Master **" >> $SETUPLOG
salt_firstcheckin >> $SETUPLOG 2>&1
# Accept the Master Key
echo "** Accepting the key on the master **" >>~/sosetup.log
accept_salt_key_local >>~/sosetup.log 2>&1
echo "** Accepting the key on the master **" >> $SETUPLOG
accept_salt_key_local >> $SETUPLOG 2>&1
echo -e "XXX\n35\nConfiguring Firewall... \nXXX"
# Open the firewall
echo "** Setting the initial firewall policy **" >>~/sosetup.log
set_initial_firewall_policy >>~/sosetup.log 2>&1
echo "** Setting the initial firewall policy **" >> $SETUPLOG
set_initial_firewall_policy >> $SETUPLOG 2>&1
# Do the big checkin but first let them know it will take a bit.
echo -e "XXX\n40\nGenerating CA... \nXXX"
salt_checkin >>~/sosetup.log 2>&1
salt-call state.apply ca >>~/sosetup.log 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1
salt_checkin >> $SETUPLOG 2>&1
salt-call state.apply ca >> $SETUPLOG 2>&1
salt-call state.apply ssl >> $SETUPLOG 2>&1
echo -e "XXX\n43\nInstalling Common Components... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1
salt-call state.apply common >> $SETUPLOG 2>&1
echo -e "XXX\n45\nApplying firewall rules... \nXXX"
salt-call state.apply firewall >>~/sosetup.log 2>&1
salt-call state.apply master >>~/sosetup.log 2>&1
salt-call state.apply idstools >>~/sosetup.log 2>&1
salt-call state.apply firewall >> $SETUPLOG 2>&1
salt-call state.apply master >> $SETUPLOG 2>&1
salt-call state.apply idstools >> $SETUPLOG 2>&1
echo -e "XXX\n40\nInstalling Redis... \nXXX"
salt-call state.apply redis >>~/sosetup.log 2>&1
salt-call state.apply redis >> $SETUPLOG 2>&1
if [[ $OSQUERY == '1' ]]; then
echo -e "XXX\n41\nInstalling MySQL... \nXXX"
salt-call state.apply mysql >>~/sosetup.log 2>&1
salt-call state.apply mysql >> $SETUPLOG 2>&1
fi
echo -e "XXX\n45\nInstalling Elastic Components... \nXXX"
salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
salt-call state.apply logstash >>~/sosetup.log 2>&1
salt-call state.apply kibana >>~/sosetup.log 2>&1
salt-call state.apply elastalert >>~/sosetup.log 2>&1
salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
salt-call state.apply logstash >> $SETUPLOG 2>&1
salt-call state.apply kibana >> $SETUPLOG 2>&1
salt-call state.apply elastalert >> $SETUPLOG 2>&1
if [[ $WAZUH == '1' ]]; then
echo -e "XXX\n68\nInstalling Wazuh... \nXXX"
salt-call state.apply wazuh >>~/sosetup.log 2>&1
salt-call state.apply wazuh >> $SETUPLOG 2>&1
fi
echo -e "XXX\n75\nInstalling Filebeat... \nXXX"
salt-call state.apply filebeat >>~/sosetup.log 2>&1
salt-call state.apply utility >>~/sosetup.log 2>&1
salt-call state.apply schedule >>~/sosetup.log 2>&1
salt-call state.apply filebeat >> $SETUPLOG 2>&1
salt-call state.apply utility >> $SETUPLOG 2>&1
salt-call state.apply schedule >> $SETUPLOG 2>&1
if [[ $OSQUERY == '1' ]]; then
echo -e "XXX\n79\nInstalling Fleet... \nXXX"
salt-call state.apply fleet >>~/sosetup.log 2>&1
salt-call state.apply launcher >>~/sosetup.log 2>&1
salt-call state.apply fleet >> $SETUPLOG 2>&1
salt-call state.apply launcher >> $SETUPLOG 2>&1
fi
echo -e "XXX\n85\nConfiguring SOctopus... \nXXX"
salt-call state.apply soctopus >>~/sosetup.log 2>&1
salt-call state.apply soctopus >> $SETUPLOG 2>&1
if [[ $THEHIVE == '1' ]]; then
echo -e "XXX\n87\nInstalling TheHive... \nXXX"
salt-call state.apply hive >>~/sosetup.log 2>&1
salt-call state.apply hive >> $SETUPLOG 2>&1
fi
echo -e "XXX\n75\nEnabling Checking at Boot... \nXXX"
checkin_at_boot >>~/sosetup.log 2>&1
checkin_at_boot >> $SETUPLOG 2>&1
echo -e "XXX\n95\nVerifying Install... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1
salt-call state.highstate >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then
whiptail_setup_complete
else
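Review bot: success is decided by `tail -10 $SETUPLOG | grep Failed | awk '{ print $2}'`, i.e. by the `Failed:` line of the final highstate summary happening to sit within the last ten lines of the log; if a state prints a longer summary, something writes afterwards, or `grep` matches more than one line, `$GOODSETUP` is not `'0'` and a clean install is reported as failed (or the reverse). Use the exit status instead: `salt-call --retcode-passthrough state.highstate` returns non-zero on any failed state, and `${PIPESTATUS[0]}` after the `| whiptail --gauge` pipeline exposes the brace group's status. The same snippet is pasted into all four install blocks, so make it a `setup_succeeded` function. Minor: the gauge values run 45, 40, 41, 45 and later 87 then 75, so the bar visibly goes backwards.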
@@ -1740,39 +1681,39 @@ if (whiptail_you_sure); then
{
sleep 0.5
echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
set_initial_firewall_policy >>~/sosetup.log 2>&1
set_initial_firewall_policy >> $SETUPLOG 2>&1
echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
create_bond >>~/sosetup.log 2>&1
create_bond_nmcli >> $SETUPLOG 2>&1
echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
sensor_pillar >>~/sosetup.log 2>&1
sensor_pillar >> $SETUPLOG 2>&1
echo -e "XXX\n5\nInstalling Salt Components... \nXXX"
saltify >>~/sosetup.log 2>&1
saltify >> $SETUPLOG 2>&1
echo -e "XXX\n20\nInstalling Docker... \nXXX"
docker_install >>~/sosetup.log 2>&1
docker_install >> $SETUPLOG 2>&1
echo -e "XXX\n22\nConfiguring Salt Minion... \nXXX"
configure_minion sensor >>~/sosetup.log 2>&1
configure_minion sensor >> $SETUPLOG 2>&1
echo -e "XXX\n24\nCopying Sensor Pillar to Master... \nXXX"
copy_minion_pillar sensors >>~/sosetup.log 2>&1
copy_minion_pillar sensors >> $SETUPLOG 2>&1
echo -e "XXX\n25\nSending Salt Key to Master... \nXXX"
salt_firstcheckin >>~/sosetup.log 2>&1
salt_firstcheckin >> $SETUPLOG 2>&1
echo -e "XXX\n26\nTelling the Master to Accept Key... \nXXX"
# Accept the Salt Key
accept_salt_key_remote >>~/sosetup.log 2>&1
accept_salt_key_remote >> $SETUPLOG 2>&1
echo -e "XXX\n27\nApplying SSL Certificates... \nXXX"
salt-call state.apply ca >>~/sosetup.log 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1
salt-call state.apply ca >> $SETUPLOG 2>&1
salt-call state.apply ssl >> $SETUPLOG 2>&1
echo -e "XXX\n35\nInstalling Core Components... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1
salt-call state.apply firewall >>~/sosetup.log 2>&1
salt-call state.apply common >> $SETUPLOG 2>&1
salt-call state.apply firewall >> $SETUPLOG 2>&1
echo -e "XXX\n50\nInstalling PCAP... \nXXX"
salt-call state.apply pcap >>~/sosetup.log 2>&1
salt-call state.apply pcap >> $SETUPLOG 2>&1
echo -e "XXX\n60\nInstalling IDS components... \nXXX"
salt-call state.apply suricata >>~/sosetup.log 2>&1
salt-call state.apply suricata >> $SETUPLOG 2>&1
echo -e "XXX\n80\nVerifying Install... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1
checkin_at_boot >>~/sosetup.log 2>&1
salt-call state.highstate >> $SETUPLOG 2>&1
checkin_at_boot >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then
whiptail_setup_complete
else
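Review bot: `create_bond_nmcli` is the first thing run on a sensor, before `saltify` and `docker_install`, and it needs `nmcli`, which on Ubuntu is only installed by `detect_os` (`apt install -y network-manager`). That is fine only if `detect_os` is guaranteed to have run earlier, which this block does not show; a `command -v nmcli` check with a clear log line at the top of `create_bond_nmcli` turns a silent bond failure (a sensor capturing nothing) into a reported one. `set_initial_firewall_policy` also runs before the bond exists, so if the policy references `bond0` by name confirm it tolerates the interface appearing later.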
@@ -1832,91 +1773,91 @@ if (whiptail_you_sure); then
{
sleep 0.5
echo -e "XXX\n0\nCreating Bond Interface... \nXXX"
create_bond >>~/sosetup.log 2>&1
create_bond_nmcli >> $SETUPLOG 2>&1
echo -e "XXX\n1\nInstalling saltstack... \nXXX"
saltify >>~/sosetup.log 2>&1
saltify >> $SETUPLOG 2>&1
echo -e "XXX\n3\nInstalling docker... \nXXX"
docker_install >>~/sosetup.log 2>&1
docker_install >> $SETUPLOG 2>&1
echo -e "XXX\n5\nInstalling master code... \nXXX"
install_master >>~/sosetup.log 2>&1
install_master >> $SETUPLOG 2>&1
echo -e "XXX\n6\nCopying salt code... \nXXX"
salt_master_directories >>~/sosetup.log 2>&1
salt_master_directories >> $SETUPLOG 2>&1
echo -e "XXX\n6\nupdating suduers... \nXXX"
update_sudoers >>~/sosetup.log 2>&1
update_sudoers >> $SETUPLOG 2>&1
echo -e "XXX\n7\nFixing some permissions... \nXXX"
chown_salt_master >>~/sosetup.log 2>&1
chown_salt_master >> $SETUPLOG 2>&1
echo -e "XXX\n7\nCreating the static pillar... \nXXX"
# Set the static values
master_static >>~/sosetup.log 2>&1
master_static >> $SETUPLOG 2>&1
echo -e "XXX\n7\nCreating the master pillar... \nXXX"
master_pillar >>~/sosetup.log 2>&1
master_pillar >> $SETUPLOG 2>&1
echo -e "XXX\n7\nConfiguring minion... \nXXX"
configure_minion eval >>~/sosetup.log 2>&1
configure_minion eval >> $SETUPLOG 2>&1
echo -e "XXX\n7\nSetting the node type to eval... \nXXX"
set_node_type >>~/sosetup.log 2>&1
set_node_type >> $SETUPLOG 2>&1
echo -e "XXX\n7\nStorage node pillar... \nXXX"
node_pillar >>~/sosetup.log 2>&1
node_pillar >> $SETUPLOG 2>&1
echo -e "XXX\n8\nCreating firewall policies... \nXXX"
set_initial_firewall_policy >>~/sosetup.log 2>&1
set_initial_firewall_policy >> $SETUPLOG 2>&1
echo -e "XXX\n10\nRegistering agent... \nXXX"
salt_firstcheckin >>~/sosetup.log 2>&1
salt_firstcheckin >> $SETUPLOG 2>&1
echo -e "XXX\n11\nAccepting Agent... \nXXX"
accept_salt_key_local >>~/sosetup.log 2>&1
accept_salt_key_local >> $SETUPLOG 2>&1
echo -e "XXX\n12\nRunning the SSL states... \nXXX"
salt_checkin >>~/sosetup.log 2>&1
salt-call state.apply ca >>~/sosetup.log 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1
salt_checkin >> $SETUPLOG 2>&1
salt-call state.apply ca >> $SETUPLOG 2>&1
salt-call state.apply ssl >> $SETUPLOG 2>&1
echo -e "XXX\n15\nInstalling core components... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1
salt-call state.apply common >> $SETUPLOG 2>&1
echo -e "XXX\n18\nInitializing firewall rules... \nXXX"
salt-call state.apply firewall >>~/sosetup.log 2>&1
salt-call state.apply firewall >> $SETUPLOG 2>&1
echo -e "XXX\n25\nInstalling master components... \nXXX"
salt-call state.apply master >>~/sosetup.log 2>&1
salt-call state.apply idstools >>~/sosetup.log 2>&1
salt-call state.apply master >> $SETUPLOG 2>&1
salt-call state.apply idstools >> $SETUPLOG 2>&1
if [[ $OSQUERY == '1' ]]; then
salt-call state.apply mysql >>~/sosetup.log 2>&1
salt-call state.apply mysql >> $SETUPLOG 2>&1
fi
echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX"
salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
echo -e "XXX\n40\nInstalling Logstash... \nXXX"
salt-call state.apply logstash >>~/sosetup.log 2>&1
echo -e "XXX\n45\nInstalling ElasticSearch... \nXXX"
salt-call state.apply kibana >>~/sosetup.log 2>&1
salt-call state.apply logstash >> $SETUPLOG 2>&1
echo -e "XXX\n45\nInstalling Kibana... \nXXX"
salt-call state.apply kibana >> $SETUPLOG 2>&1
echo -e "XXX\n50\nInstalling pcap... \nXXX"
salt-call state.apply pcap >>~/sosetup.log 2>&1
salt-call state.apply pcap >> $SETUPLOG 2>&1
echo -e "XXX\n52\nInstalling Suricata... \nXXX"
salt-call state.apply suricata >>~/sosetup.log 2>&1
salt-call state.apply suricata >> $SETUPLOG 2>&1
echo -e "XXX\n54\nInstalling Zeek... \nXXX"
salt-call state.apply bro >>~/sosetup.log 2>&1
salt-call state.apply bro >> $SETUPLOG 2>&1
echo -e "XXX\n56\nInstalling curator... \nXXX"
salt-call state.apply curator >>~/sosetup.log 2>&1
salt-call state.apply curator >> $SETUPLOG 2>&1
echo -e "XXX\n58\nInstalling elastalert... \nXXX"
salt-call state.apply elastalert >>~/sosetup.log 2>&1
salt-call state.apply elastalert >> $SETUPLOG 2>&1
if [[ $OSQUERY == '1' ]]; then
echo -e "XXX\n60\nInstalling fleet... \nXXX"
salt-call state.apply fleet >>~/sosetup.log 2>&1
salt-call state.apply redis >>~/sosetup.log 2>&1
salt-call state.apply fleet >> $SETUPLOG 2>&1
salt-call state.apply redis >> $SETUPLOG 2>&1
fi
if [[ $WAZUH == '1' ]]; then
echo -e "XXX\n65\nInstalling Wazuh components... \nXXX"
salt-call state.apply wazuh >>~/sosetup.log 2>&1
salt-call state.apply wazuh >> $SETUPLOG 2>&1
fi
echo -e "XXX\n85\nInstalling filebeat... \nXXX"
salt-call state.apply filebeat >>~/sosetup.log 2>&1
salt-call state.apply utility >>~/sosetup.log 2>&1
salt-call state.apply filebeat >> $SETUPLOG 2>&1
salt-call state.apply utility >> $SETUPLOG 2>&1
echo -e "XXX\n95\nInstalling misc components... \nXXX"
salt-call state.apply schedule >>~/sosetup.log 2>&1
salt-call state.apply soctopus >>~/sosetup.log 2>&1
salt-call state.apply schedule >> $SETUPLOG 2>&1
salt-call state.apply soctopus >> $SETUPLOG 2>&1
if [[ $THEHIVE == '1' ]]; then
salt-call state.apply hive >>~/sosetup.log 2>&1
salt-call state.apply hive >> $SETUPLOG 2>&1
fi
echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX"
checkin_at_boot >>~/sosetup.log 2>&1
checkin_at_boot >> $SETUPLOG 2>&1
echo -e "XXX\n99\nVerifying Setup... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1
salt-call state.highstate >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [ $OS == 'centos' ]; then
if [[ $GOODSETUP == '1' ]]; then
whiptail_setup_complete
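Review bot: the CentOS branch declares success when `$GOODSETUP == '1'`, while every other install path requires `'0'`. If one state is known to fail on CentOS in eval mode, name it in a comment and fix it rather than treating exactly one failure as success, since that also masks any unrelated single failure; if it is a typo, every clean CentOS eval install is reported as failed. Redis is also only applied here when `$OSQUERY == '1'`, whereas the master block applies it unconditionally; if Fleet is the only consumer the master block should be gated the same way, otherwise eval installs without osquery are missing it.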
@@ -1972,37 +1913,37 @@ if (whiptail_you_sure); then
{
sleep 0.5
echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
set_initial_firewall_policy >>~/sosetup.log 2>&1
set_initial_firewall_policy >> $SETUPLOG 2>&1
echo -e "XXX\n5\nInstalling Salt Packages... \nXXX"
saltify >>~/sosetup.log 2>&1
saltify >> $SETUPLOG 2>&1
echo -e "XXX\n20\nInstalling Docker... \nXXX"
docker_install >>~/sosetup.log 2>&1
docker_install >> $SETUPLOG 2>&1
echo -e "XXX\n30\nInitializing Minion... \nXXX"
configure_minion node >>~/sosetup.log 2>&1
set_node_type >>~/sosetup.log 2>&1
node_pillar >>~/sosetup.log 2>&1
copy_minion_pillar nodes >>~/sosetup.log 2>&1
configure_minion node >> $SETUPLOG 2>&1
set_node_type >> $SETUPLOG 2>&1
node_pillar >> $SETUPLOG 2>&1
copy_minion_pillar nodes >> $SETUPLOG 2>&1
echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX"
salt_firstcheckin >>~/sosetup.log 2>&1
salt_firstcheckin >> $SETUPLOG 2>&1
# Accept the Salt Key
accept_salt_key_remote >>~/sosetup.log 2>&1
accept_salt_key_remote >> $SETUPLOG 2>&1
echo -e "XXX\n40\nApplying SSL Certificates... \nXXX"
salt-call state.apply ca >>~/sosetup.log 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1
salt-call state.apply ca >> $SETUPLOG 2>&1
salt-call state.apply ssl >> $SETUPLOG 2>&1
echo -e "XXX\n50\nConfiguring Firewall... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1
salt-call state.apply firewall >>~/sosetup.log 2>&1
salt-call state.apply common >> $SETUPLOG 2>&1
salt-call state.apply firewall >> $SETUPLOG 2>&1
echo -e "XXX\n70\nInstalling Elastic Components... \nXXX"
salt-call state.apply logstash >>~/sosetup.log 2>&1
salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
salt-call state.apply curator >>~/sosetup.log 2>&1
salt-call state.apply filebeat >>~/sosetup.log 2>&1
salt-call state.apply logstash >> $SETUPLOG 2>&1
salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
salt-call state.apply curator >> $SETUPLOG 2>&1
salt-call state.apply filebeat >> $SETUPLOG 2>&1
echo -e "XXX\n90\nVerifying Install... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1
checkin_at_boot >>~/sosetup.log 2>&1
salt-call state.highstate >> $SETUPLOG 2>&1
checkin_at_boot >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then
whiptail_setup_complete
else
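Review bot: if `accept_salt_key_remote` fails (unreachable master, key not yet pending, wrong `so.key`), every `salt-call state.apply` that follows runs against a minion the master has not accepted, and the block still reaches the `$GOODSETUP` check, which only inspects the last ten lines of the log and can pick up a stale `Failed: 0`. Make key acceptance fail fast inside the braces (`accept_salt_key_remote >> $SETUPLOG 2>&1 || exit 1`) and test `${PIPESTATUS[0]}` after the gauge pipeline in addition to, or instead of, grepping the log, so the install stops at the real error rather than running the remaining states against an unaccepted minion.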