diff --git a/salt/common/init.sls b/salt/common/init.sls index 7945a678a..5fe3d9081 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -2,6 +2,7 @@ {% if sls in allowed_states %} {% set role = grains.id.split('_') | last %} +{% set managerupdates = salt['pillar.get']('global:managerupdate', '0') %} # Remove variables.txt from /tmp - This is temp rmvariablesfile: @@ -64,7 +65,7 @@ salttmp: - group: 939 - makedirs: True -# Install epel +# Remove default Repos {% if grains['os'] == 'CentOS' %} repair_yumdb: cmd.run: @@ -72,6 +73,69 @@ repair_yumdb: - onlyif: - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"' +crbase: + file.absent: + - name: /etc/yum.repos.d/CentOS-Base.repo + +crcr: + file.absent: + - name: /etc/yum.repos.d/CentOS-CR.repo + +crdebug: + file.absent: + - name: /etc/yum.repos.d/CentOS-Debuginfo.repo + +crdockerce: + file.absent: + - name: /etc/yum.repos.d/docker-ce.repo + +crfasttrack: + file.absent: + - name: /etc/yum.repos.d/CentOS-fasttrack.repo + +crmedia: + file.absent: + - name: /etc/yum.repos.d/CentOS-Media.repo + +crsources: + file.absent: + - name: /etc/yum.repos.d/CentOS-Sources.repo + +crvault: + file.absent: + - name: /etc/yum.repos.d/CentOS-Vault.repo + +crkernel: + file.absent: + - name: /etc/yum.repos.d/CentOS-x86_64-kernel.repo + +crepel: + file.absent: + - name: /etc/yum.repos.d/epel.repo + +crtesting: + file.absent: + - name: /etc/yum.repos.d/epel-testing.repo + +crssrepo: + file.absent: + - name: /etc/yum.repos.d/saltstack.repo + +crwazrepo: + file.absent: + - name: /etc/yum.repos.d/wazuh.repo + +crsecurityonionrepo: + file.managed: + {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} + - name: /etc/yum.repos.d/securityonion.repo + - source: salt://common/yum_repos/securityonion.repo + {% else %} + - name: /etc/yum.repos.d/securityonioncache.repo + - source: salt://common/yum_repos/securityonioncache.repo + {% endif %} + - mode: 644 + {% endif %} # Install common packages diff --git a/salt/common/tools/sbin/so-raid-status b/salt/common/tools/sbin/so-raid-status index d55d158fe..11909e012 100755 --- a/salt/common/tools/sbin/so-raid-status +++ b/salt/common/tools/sbin/so-raid-status @@ -66,11 +66,13 @@ mkdir -p /opt/so/log/raid {%- if grains['sosmodel'] in ['SOSMN', 'SOSSNNV'] %} #check_boss_raid check_software_raid -echo "osraid=$BOSSRAID nsmraid=$SWRAID" > /opt/so/log/raid/status.log +#echo "osraid=$BOSSRAID nsmraid=$SWRAID" > /opt/so/log/raid/status.log +echo "osraid=1 nsmraid=$SWRAID" > /opt/so/log/raid/status.log {%- elif grains['sosmodel'] in ['SOS1000F', 'SOS1000', 'SOSSN7200', 'SOS10K', 'SOS4000'] %} #check_boss_raid check_lsi_raid -echo "osraid=$BOSSRAID nsmraid=$LSIRAID" > /opt/so/log/raid/status.log +#echo "osraid=$BOSSRAID nsmraid=$LSIRAID" > /opt/so/log/raid/status.log +echo "osraid=1 nsmraid=$LSIRAID" > /opt/so/log/raid/status.log {%- else %} exit 0 {%- endif %} diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index 1fd7d58d9..2a057ff5e 100755 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden @@ -4,90 +4,184 @@ if [[ $1 =~ ^(-q|--quiet) ]]; then quiet=true +elif [[ $1 =~ ^(-v|--verbose) ]]; then + verbose=true fi +sshd_config=/etc/ssh/sshd_config +temp_config=/tmp/sshd_config + before= after= reload_required=false +change_header_printed=false -print_sshd_t() { +check_sshd_t() { local string=$1 - local state=$2 - echo "${state}:" local grep_out grep_out=$(sshd -T | grep "^${string}") - if [[ $state == "Before" ]]; then - before=$grep_out + before=$grep_out +} + +print_diff() { + local diff + diff=$(diff -dbB <(echo $before) <(echo $after) | awk 'NR>1') + + if [[ -n $diff ]]; then + if [[ $change_header_printed == false ]]; then + printf '%s\n' '' "Changes" '-------' '' + change_header_printed=true + fi + echo -e "$diff\n" + fi +} + +replace_or_add() { + local type=$1 + local string=$2 + if grep -q "$type" $temp_config; then + sed -i "/$type .*/d" $temp_config + fi + printf "%s\n\n" "$string" >> $temp_config + reload_required=true +} + +test_config() { + local msg + msg=$(sshd -t -f $temp_config) + local ret=$? + + if [[ -n $msg ]]; then + echo "Error found in temp sshd config:" + echo $msg + fi + + return $ret +} + +main() { + if ! [[ $quiet ]]; then echo "Copying current config to $temp_config"; fi + cp $sshd_config $temp_config + + # Add newline to ssh for legibility + echo "" >> $temp_config + + # Ciphers + check_sshd_t "ciphers" + + local bad_ciphers=( + "3des-cbc" + "aes128-cbc" + "aes192-cbc" + "aes256-cbc" + "arcfour" + "arcfour128" + "arcfour256" + "blowfish-cbc" + "cast128-cbc" + ) + + local cipher_string=$before + for cipher in "${bad_ciphers[@]}"; do + cipher_string=$(echo "$cipher_string" | sed "s/${cipher}\(,\|\$\)//g" | sed 's/,$//') + done + + after=$cipher_string + + if [[ $verbose ]]; then print_diff; fi + + if [[ $before != "$after" ]]; then + replace_or_add "ciphers" "$cipher_string" && test_config || exit 1 + fi + + # KexAlgorithms + check_sshd_t "kexalgorithms" + + local bad_kexalgs=( + "diffie-hellman-group-exchange-sha1" + "diffie-hellman-group-exchange-sha256" + "diffie-hellman-group1-sha1" + "diffie-hellman-group14-sha1" + "ecdh-sha2-nistp256" + "ecdh-sha2-nistp521" + "ecdh-sha2-nistp384" + ) + + local kexalg_string=$before + for kexalg in "${bad_kexalgs[@]}"; do + kexalg_string=$(echo "$kexalg_string" | sed "s/${kexalg}\(,\|\$\)//g" | sed 's/,$//') + done + + after=$kexalg_string + + if [[ $verbose ]]; then print_diff; fi + + if [[ $before != "$after" ]]; then + replace_or_add "kexalgorithms" "$kexalg_string" && test_config || exit 1 + fi + + # Macs + check_sshd_t "macs" + + local bad_macs=( + "hmac-sha2-512" + "umac-128@openssh.com" + "hmac-sha2-256" + "umac-64@openssh.com" + "hmac-sha1" + "hmac-sha1-etm@openssh.com" + "umac-64-etm@openssh.com" + ) + + local macs_string=$before + for mac in "${bad_macs[@]}"; do + macs_string=$(echo "$macs_string" | sed "s/${mac}\(,\|\$\)//g" | sed 's/,$//') + done + + after=$macs_string + + if [[ $verbose ]]; then print_diff; fi + + if [[ $before != "$after" ]]; then + replace_or_add "macs" "$macs_string" && test_config || exit 1 + fi + + # HostKeyAlgorithms + check_sshd_t "hostkeyalgorithms" + + local optional_suffix_regex_hka="\(-cert-v01@openssh.com\)\?" + local bad_hostkeyalg_list=( + "ecdsa-sha2-nistp256" + "ecdsa-sha2-nistp384" + "ecdsa-sha2-nistp521" + "ssh-rsa" + "ssh-dss" + ) + + local hostkeyalg_string=$before + for alg in "${bad_hostkeyalg_list[@]}"; do + hostkeyalg_string=$(echo "$hostkeyalg_string" | sed "s/${alg}${optional_suffix_regex_hka}\(,\|\$\)//g" | sed 's/,$//') + done + + after=$hostkeyalg_string + + if [[ $verbose ]]; then print_diff; fi + + if [[ $before != "$after" ]]; then + replace_or_add "hostkeyalgorithms" "$hostkeyalg_string" && test_config || exit 1 + fi + + if [[ $reload_required == true ]]; then + mv -f $temp_config $sshd_config + if ! [[ $quiet ]]; then echo "Reloading sshd to load config changes"; fi + systemctl reload sshd + echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the host key fingerprint for this server before reconnecting." else - after=$grep_out - fi - - echo $grep_out -} - -print_msg() { - local msg=$1 - if ! [[ $quiet ]]; then - printf "%s\n" \ - "----" \ - "$msg" \ - "----" \ - "" + if ! [[ $quiet ]]; then echo "No changes made to temp file, cleaning up"; fi + rm -f $temp_config fi } -if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi -sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config -if ! [[ $quiet ]]; then - print_sshd_t "ciphers" "After" - echo "" -fi - -if [[ $before != $after ]]; then - reload_required=true -fi - -if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi -sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config -if ! [[ $quiet ]]; then - print_sshd_t "kexalgorithms" "After" - echo "" -fi - -if [[ $before != $after ]]; then - reload_required=true -fi - -if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi -sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config -if ! [[ $quiet ]]; then - print_sshd_t "macs" "After" - echo "" -fi - -if [[ $before != $after ]]; then - reload_required=true -fi - -if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi -sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config -if ! [[ $quiet ]]; then - print_sshd_t "hostkeyalgorithms" "After" - echo "" -fi - -if [[ $before != $after ]]; then - reload_required=true -fi - -if [[ $reload_required == true ]]; then - print_msg "Reloading sshd to load config changes..." - systemctl reload sshd -fi - -{% if grains['os'] != 'CentOS' %} -print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." -{% endif %} - +main diff --git a/setup/yum_repos/securityonion.repo b/salt/common/yum_repos/securityonion.repo similarity index 100% rename from setup/yum_repos/securityonion.repo rename to salt/common/yum_repos/securityonion.repo diff --git a/setup/yum_repos/securityonioncache.repo b/salt/common/yum_repos/securityonioncache.repo similarity index 100% rename from setup/yum_repos/securityonioncache.repo rename to salt/common/yum_repos/securityonioncache.repo diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index 23b967b04..df2990404 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json @@ -1,5 +1,9 @@ {%- set URLBASE = salt['pillar.get']('global:url_base') %} -{%- set DESCRIPTION = salt['pillar.get']('sensoroni:node_description') %} +{%- if salt['pillar.get']('sensoroni:node_description') %} +{%- set DESCRIPTION = salt['pillar.get']('sensoroni:node_description') %} +{%- else %} +{%- set DESCRIPTION = salt['grains.get']('sosmodel', '') %} +{%- endif %} {%- set ADDRESS = salt['pillar.get']('sensoroni:node_address') %} {%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') %} {%- set CHECKININTERVALMS = salt['pillar.get']('sensoroni:node_checkin_interval_ms', 10000) %} @@ -9,7 +13,7 @@ {%- else %} {%- set STENODEFAULT = False %} {%- endif %} -{%- set STENOENABLED = salt['pillar.get']('steno:enabled', STENODEFAULT) %} +{%- set STENOENABLED = salt['pillar.get']('steno:enabled', STENODEFAULT) %} { "logFilename": "/opt/sensoroni/logs/sensoroni.log", "logLevel":"info", diff --git a/salt/soc/files/soc/hunt.queries.json b/salt/soc/files/soc/hunt.queries.json index 840b4b373..93295364d 100644 --- a/salt/soc/files/soc/hunt.queries.json +++ b/salt/soc/files/soc/hunt.queries.json @@ -34,7 +34,7 @@ { "name": "HTTP", "description": "HTTP grouped by status code and message", "query": "event.dataset:http | groupby http.status_code http.status_message"}, { "name": "HTTP", "description": "HTTP grouped by method and user agent", "query": "event.dataset:http | groupby http.method http.useragent"}, { "name": "HTTP", "description": "HTTP grouped by virtual host", "query": "event.dataset:http | groupby http.virtual_host"}, - { "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.dataset:http AND file.resp_mime_types:dosexec | groupby http.virtual_host"}, + { "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host"}, { "name": "Intel", "description": "Intel framework hits grouped by indicator", "query": "event.dataset:intel | groupby intel.indicator.keyword"}, { "name": "IRC", "description": "IRC grouped by command", "query": "event.dataset:irc | groupby irc.command.type"}, { "name": "KERBEROS", "description": "KERBEROS grouped by service", "query": "event.dataset:kerberos | groupby kerberos.service"}, diff --git a/salt/telegraf/scripts/raid.sh b/salt/telegraf/scripts/raid.sh index c53644889..0938bb658 100644 --- a/salt/telegraf/scripts/raid.sh +++ b/salt/telegraf/scripts/raid.sh @@ -27,7 +27,7 @@ RAIDLOG=/var/log/raid/status.log RAIDSTATUS=$(cat /var/log/raid/status.log) if [ -f "$RAIDLOG" ]; then - echo "raid raidstatus=$RAIDSTATUS " + echo "raid $RAIDSTATUS" else exit 0 fi diff --git a/setup/so-functions b/setup/so-functions index 75e8951ad..8dd5d2f75 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1454,8 +1454,6 @@ install_cleanup() { info "Removing so-setup permission entry from sudoers file" sed -i '/so-setup/d' /etc/sudoers fi - - so-ssh-harden -q } import_registry_docker() { @@ -2277,9 +2275,9 @@ securityonion_repo() { mv /etc/yum.repos.d/* /root/oldrepos/ rm -f /etc/yum.repos.d/* if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then - cp -f ./yum_repos/securityonioncache.repo /etc/yum.repos.d/ + cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ else - cp -f ./yum_repos/securityonion.repo /etc/yum.repos.d/ + cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ fi else echo "This is Ubuntu" diff --git a/setup/so-setup b/setup/so-setup index 0aa78aa10..584dc7933 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -906,6 +906,7 @@ set_redirect >> $setup_log 2>&1 set_progress_str 85 'Applying finishing touches' filter_unused_nics >> $setup_log 2>&1 network_setup >> $setup_log 2>&1 + so-ssh-harden >> $setup_log 2>&1 if [[ $is_manager || $is_import ]]; then set_progress_str 87 'Adding user to SOC'