From 23cd006724755dac1a8fb22e6dd0126d19d3a00c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 14:06:10 -0400 Subject: [PATCH 01/21] so-ssh-harden fixes * Change when script is run during setup * Add newlines to sshd config for legibility --- salt/common/tools/sbin/so-ssh-harden | 8 +++++++- setup/so-functions | 2 -- setup/so-setup | 1 + 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index 1fd7d58d9..5891e4309 100755 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden @@ -38,8 +38,12 @@ print_msg() { fi } +# Add newline to ssh for legibility +echo "" >> /etc/ssh/sshd_config + if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config +echo "" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then print_sshd_t "ciphers" "After" echo "" @@ -51,6 +55,7 @@ fi if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config +echo "" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "After" echo "" @@ -62,6 +67,7 @@ fi if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config +echo "" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then print_sshd_t "macs" "After" echo "" 
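Review bot: The new `echo "" >> /etc/ssh/sshd_config` lines and the existing `sshd -T | grep | sed >> /etc/ssh/sshd_config` append run unconditionally, so every invocation appends another ciphers line plus two blank lines to the live config, and nothing validates the file with `sshd -t` before the `systemctl reload sshd` later in the script; the same applies to the `kexalgorithms` and `macs` hunks on this line and to the `hostkeyalgorithms` hunk that opens the next line. Because sshd uses the first value it reads for a keyword, a line appended here is also silently ignored whenever an earlier Ciphers/KexAlgorithms/MACs line already exists, so repeat runs grow the file without changing the effective policy. A guard such as `grep -qi '^ciphers ' /etc/ssh/sshd_config || { ...append...; }` plus `sshd -t || exit 1` before the reload would make the script idempotent and fail closed; the refactor two commits down this page moves in that direction.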
@@ -73,6 +79,7 @@ fi if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config +echo "" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "After" echo "" @@ -90,4 +97,3 @@ fi {% if grains['os'] != 'CentOS' %} print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." {% endif %} - diff --git a/setup/so-functions b/setup/so-functions index 29a58e718..deeefb3ba 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1436,8 +1436,6 @@ install_cleanup() { info "Removing so-setup permission entry from sudoers file" sed -i '/so-setup/d' /etc/sudoers fi - - so-ssh-harden -q } import_registry_docker() { diff --git a/setup/so-setup b/setup/so-setup index 82e414ca4..ba76b303e 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -888,6 +888,7 @@ set_redirect >> $setup_log 2>&1 set_progress_str 85 'Applying finishing touches' filter_unused_nics >> $setup_log 2>&1 network_setup >> $setup_log 2>&1 + so-ssh-harden -q >> $setup_log 2>&1 if [[ $is_manager || $is_import ]]; then set_progress_str 87 'Adding user to SOC' From 982f2de33ce0e6025b49552345eb174f15652bc0 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 24 Mar 2021 09:48:00 -0400 Subject: [PATCH 02/21] [fix] Refactor so-ssh-harden * Create a temp file to make changes, and only copy back over if any changes are made * Test changes as they're made, and exit if the test fails * Only add lines if they don't already exist in the config --- salt/common/tools/sbin/so-ssh-harden | 152 +++++++++++++++++---------- 1 file changed, 98 insertions(+), 54 deletions(-) diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index 5891e4309..0e0b28b39 100755 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden 
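Review bot: `so-ssh-harden -q >> $setup_log 2>&1` discards the script's exit status, so a failure to harden sshd is invisible to setup and only discoverable by reading the log afterwards. The surrounding statement run is top-level code that starts and ends outside the hunk, so I cannot tell whether an error-reporting helper is in scope; at minimum `so-ssh-harden -q >> $setup_log 2>&1 || echo "so-ssh-harden failed; sshd config not hardened" >> $setup_log` leaves an explicit marker. If setup has a progress or error function, using it here is preferable to a bare echo.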
@@ -6,14 +6,16 @@ if [[ $1 =~ ^(-q|--quiet) ]]; then quiet=true fi +sshd_config=/etc/ssh/sshd_config +temp_config=/tmp/sshd_config + before= after= reload_required=false -print_sshd_t() { +check_sshd_t() { local string=$1 local state=$2 - echo "${state}:" local grep_out grep_out=$(sshd -T | grep "^${string}") @@ -23,8 +25,17 @@ print_sshd_t() { else after=$grep_out fi +} - echo $grep_out +print_diff() { + local type=$1 + local diff + diff=$(diff -dqbB <(echo $before) <(echo $after)) + + if [[ -n $diff ]]; then + printf '%s\n' "$type" "$diff" + echo "" + fi } print_msg() { 
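Review bot: `temp_config=/tmp/sshd_config` is a fixed, predictable path in a world-writable directory, and the file is later copied back over `/etc/ssh/sshd_config` by a root-run script; an existing file or symlink at that path, created by any local user before the script runs, would be followed by `cp` and then promoted into the live sshd configuration. Allocate the scratch file with `temp_config=$(mktemp /tmp/sshd_config.XXXXXX) || exit 1` and remove it on every exit path with `trap 'rm -f -- "$temp_config"' EXIT`, which also covers the `exit 1` branches in `main` further down this patch. `add_if_missing`, `test_config` and `main` read the variable and need no change for this.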
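Review bot: `diff=$(diff -dqbB <(echo $before) <(echo $after))` in `print_diff` passes `$before` and `$after` unquoted, so the shell word-splits and glob-expands the sshd output before diff sees it, and `-q` reduces the result to a "Files ... differ" line that never shows the user which algorithm changed. Quote both expansions, `<(echo "$before") <(echo "$after")`, and drop `-q` so the diff body is printed under the `$type` heading.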
@@ -33,67 +44,100 @@ print_msg() { printf "%s\n" \ "----" \ "$msg" \ - "----" \ - "" + "----" fi } -# Add newline to ssh for legibility -echo "" >> /etc/ssh/sshd_config +add_if_missing() { + local string=$1 + if ! grep -q "$1" $temp_config; then + printf "%s\n\n" "$1" >> $temp_config + reload_required=true + fi +} -if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi -sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config -echo "" >> /etc/ssh/sshd_config -if ! [[ $quiet ]]; then - print_sshd_t "ciphers" "After" - echo "" -fi +test_config() { + local msg + msg=$(sshd -t -f $temp_config) + local ret=$? -if [[ $before != $after ]]; then - reload_required=true -fi + if [[ -n $msg ]]; then + echo "Error found in temp sshd config:" + echo $msg + fi -if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi -sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config -echo "" >> /etc/ssh/sshd_config -if ! [[ $quiet ]]; then - print_sshd_t "kexalgorithms" "After" - echo "" -fi + return $ret +} -if [[ $before != $after ]]; then - reload_required=true -fi +main() { + if ! [[ $quiet ]]; then echo "Copying current config to $temp_config"; fi + cp $sshd_config $temp_config -if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi -sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config -echo "" >> /etc/ssh/sshd_config -if ! 
[[ $quiet ]]; then - print_sshd_t "macs" "After" - echo "" -fi + # Add newline to ssh for legibility + echo "" >> $temp_config -if [[ $before != $after ]]; then - reload_required=true -fi + # Ciphers + check_sshd_t "ciphers" "Before" + local cipher_string + cipher_string=$(echo "$before" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g") -if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi -sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config -echo "" >> /etc/ssh/sshd_config -if ! [[ $quiet ]]; then - print_sshd_t "hostkeyalgorithms" "After" - echo "" -fi + check_sshd_t "ciphers" "After" -if [[ $before != $after ]]; then - reload_required=true -fi + if ! [[ $quiet ]]; then print_diff "ciphers"; fi -if [[ $reload_required == true ]]; then - print_msg "Reloading sshd to load config changes..." - systemctl reload sshd -fi + if [[ $before != $after ]]; then + add_if_missing "$cipher_string" && test_config || exit 1 + fi -{% if grains['os'] != 'CentOS' %} -print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." -{% endif %} + # KexAlgorithms + check_sshd_t "kexalgorithms" "Before" + + local kexalg_string + kexalg_string=$(echo "$before" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g") + + check_sshd_t "kexalgorithms" "After" + + if ! 
[[ $quiet ]]; then print_diff "kexalgorithms"; fi + + if [[ $before != $after ]]; then + add_if_missing "$kexalg_string" && test_config || exit 1 + fi + + # Macs + check_sshd_t "macs" "Before" + local macs_string + macs_string=$(echo "$before" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g") + + check_sshd_t "macs" "After" + + if ! [[ $quiet ]]; then print_diff "macs"; fi + + if [[ $before != $after ]]; then + add_if_missing "$mac_string" && test_config || exit 1 + fi + + # HostKeyAlgorithms + check_sshd_t "hostkeyalgorithms" "Before" + local hostkeyalg_string + hostkeyalg_string=$(echo "$before" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g") + + check_sshd_t "hostkeyalgorithms" "After" + + if ! [[ $quiet ]]; then print_diff "hostkeyalgorithms"; fi + + if [[ $before != $after ]]; then + add_if_missing "$hostkeyalg_string" && test_config || exit 1 + fi + + if [[ $reload_required == true ]]; then + mv -f $temp_config $sshd_config + if ! [[ $quiet ]]; then echo "Reloading sshd to load config changes..."; fi + systemctl reload sshd + print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." + else + if ! [[ $quiet ]]; then echo "No changes made to temp file, cleaning up."; fi + rm -f $temp_config + fi +} + +main From 89922a439e279a371973bab7b9ccd71bf2241cc7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 31 Mar 2021 12:37:33 -0400 Subject: [PATCH 03/21] Move repo files --- salt/common/init.sls | 50 ++++++++++++++++++- .../common}/yum_repos/securityonion.repo | 0 .../common}/yum_repos/securityonioncache.repo | 0 setup/so-functions | 4 +- 4 files changed, 51 insertions(+), 3 deletions(-) rename {setup => salt/common}/yum_repos/securityonion.repo (100%) rename {setup => salt/common}/yum_repos/securityonioncache.repo (100%) 
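Review bot: `msg=$(sshd -t -f $temp_config)` in `test_config` captures only stdout, while `sshd -t` reports configuration errors on stderr, so `msg` is empty on failure and the "Error found in temp sshd config:" message never prints; use `msg=$(sshd -t -f "$temp_config" 2>&1)`. In `main`, the macs section calls `add_if_missing "$mac_string"` but the variable assigned just above is `macs_string`, so an empty line is appended and `reload_required` is set without any MACs change. `mv -f $temp_config $sshd_config` moves a file created under /tmp into /etc/ssh; on a host with SELinux enforcing the file keeps its /tmp label, which can stop sshd reading it after the reload — `cp -f` followed by `rm -f` (or a `restorecon` on the target) avoids that. The `exit 1` branches leave `$temp_config` behind, which a `trap ... EXIT` cleanup would cover.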
diff --git a/salt/common/init.sls b/salt/common/init.sls index 3e6774219..d0dae49f5 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -64,7 +64,7 @@ salttmp: - group: 939 - makedirs: True -# Install epel +# Remove default Repos {% if grains['os'] == 'CentOS' %} repair_yumdb: cmd.run: @@ -72,6 +72,54 @@ repair_yumdb: - onlyif: - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"' +crbase: + file.absent: + - name: /etc/yum.repos.d/CentOS-Base.repo + +crcr: + file.absent: + - name: /etc/yum.repos.d/CentOS-CR.repo + +crdebug: + file.absent: + - name: /etc/yum.repos.d/CentOS-Debuginfo.repo + +crfasttrack: + file.absent: + - name: /etc/yum.repos.d/CentOS-fasttrack.repo + +crmedia: + file.absent: + - name: /etc/yum.repos.d/CentOS-Media.repo + +crsources: + file.absent: + - name: /etc/yum.repos.d/CentOS-Sources.repo + +crvault: + file.absent: + - name: /etc/yum.repos.d/CentOS-Vault.repo + +crkernel: + file.absent: + - name: /etc/yum.repos.d/CentOS-x86_64-kernel.repo + +crepel: + file.absent: + - name: /etc/yum.repos.d/epel.repo + +crtesting: + file.absent: + - name: /etc/yum.repos.d/epel-testing.repo + +crssrepo: + file.absent: + - name: /etc/yum.repos.d/saltstack.repo + +crwazrepo: + file.absent: + - name: /etc/yum.repos.d/wazuh.repo + {% endif %} # Install common packages diff --git a/setup/yum_repos/securityonion.repo b/salt/common/yum_repos/securityonion.repo similarity index 100% rename from setup/yum_repos/securityonion.repo rename to salt/common/yum_repos/securityonion.repo diff --git a/setup/yum_repos/securityonioncache.repo b/salt/common/yum_repos/securityonioncache.repo similarity index 100% rename from setup/yum_repos/securityonioncache.repo rename to salt/common/yum_repos/securityonioncache.repo diff --git a/setup/so-functions b/setup/so-functions index aff7a8375..63cb5ca7c 100755 --- a/setup/so-functions +++ b/setup/so-functions 
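Review bot: The twelve `file.absent` states remove every stock, EPEL, SaltStack and Wazuh repo definition, but this commit manages no replacement under the same `{% if grains['os'] == 'CentOS' %}` guard, so a node that applies this state without having gone through setup's `securityonion_repo()` copy is left with no usable yum repository until the later commit on this page adds `crsecurityonionrepo`. The repeated three-line states would also read better as one loop, e.g. `{% for repo in ['CentOS-Base', 'CentOS-CR', 'CentOS-Debuginfo', ...] %}` around a single `file.absent` with `- name: /etc/yum.repos.d/{{ repo }}.repo`, which keeps the list of removed files in one place for review.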
@@ -2215,9 +2215,9 @@ securityonion_repo() { mv /etc/yum.repos.d/* /root/oldrepos/ rm -f /etc/yum.repos.d/* if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then - cp -f ./yum_repos/securityonioncache.repo /etc/yum.repos.d/ + cp -f ../../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ else - cp -f ./yum_repos/securityonion.repo /etc/yum.repos.d/ + cp -f ../../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ fi else echo "This is Ubuntu" From f8d72413544642bf9feab5abdc8e0a96c3e218e9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 31 Mar 2021 12:55:46 -0400 Subject: [PATCH 04/21] Fix repo file path --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 63cb5ca7c..73293bc47 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2215,9 +2215,9 @@ securityonion_repo() { mv /etc/yum.repos.d/* /root/oldrepos/ rm -f /etc/yum.repos.d/* if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then - cp -f ../../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ + cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ else - cp -f ../../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ + cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ fi else echo "This is Ubuntu" From 9b84a92ced276c4dc045e67cb501d89860c4a20f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 31 Mar 2021 16:47:04 -0400 Subject: [PATCH 05/21] Manage the repo files --- salt/common/init.sls | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/salt/common/init.sls b/salt/common/init.sls index d0dae49f5..1ee64bb5a 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -2,6 +2,7 @@ {% if sls in allowed_states %} {% set role = grains.id.split('_') | last %} +{% set managerupdates = salt['pillar.get']('global:managerupdate', '0') %} # Remove variables.txt from /tmp - This is temp rmvariablesfile: 
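Review bot: `cp -f ../../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/` resolves relative to the caller's working directory, so `securityonion_repo()` only works when setup is started from one specific directory; patch 04 on this page changes the prefix to `../salt/...` but keeps the same dependency on the cwd. Anchoring the path on the script location, e.g. `local repo_dir; repo_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")/../salt/common/yum_repos" && pwd) || return 1` and then `cp -f -- "$repo_dir/securityonioncache.repo" /etc/yum.repos.d/`, removes that assumption. `securityonion_repo()` starts before this hunk.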
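Review bot: `{% set managerupdates = salt['pillar.get']('global:managerupdate', '0') %}` defaults to the string `'0'`, but the `crsecurityonionrepo` state added in this same commit tests `managerupdates == 0` against the integer, so the default never matches and the branch taken depends entirely on how the pillar value happens to be typed. Make the default and the test agree, either `managerupdates == '0'` or `managerupdates | int == 0` at the comparison. The same test survives through the later "Manage the repo files" commits on this page, so the fix applies to the final state as well.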
@@ -84,6 +85,10 @@ crdebug: file.absent: - name: /etc/yum.repos.d/CentOS-Debuginfo.repo +crdockerce: + file.absent: + - name: /etc/yum.repos.d/docker-ce.repo + crfasttrack: file.absent: - name: /etc/yum.repos.d/CentOS-fasttrack.repo @@ -120,6 +125,17 @@ crwazrepo: file.absent: - name: /etc/yum.repos.d/wazuh.repo +crsecurityonionrepo: + file.managed: + {% if role in ['eval', 'standalone', 'import', 'manager' 'managersearch'] or managerupdates == 0 %} + - name: /etc/yum.repos.d/securityonion.repo + - source: salt://common/yum_repos.d/securityonion.repo + {% else %} + - name: /etc/yum.repos.d/securityonioncache.repo + - source: salt://commmon/yum_repos/securityonioncache.repo + {% endif %} + - mode: 644 + {% endif %} # Install common packages From 358f39753556883ba11034b3072dd970aa7a747f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 31 Mar 2021 16:50:43 -0400 Subject: [PATCH 06/21] Manage the repo files --- salt/common/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 1ee64bb5a..c2ccb908f 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -88,7 +88,7 @@ crdebug: crdockerce: file.absent: - name: /etc/yum.repos.d/docker-ce.repo - + crfasttrack: file.absent: - name: /etc/yum.repos.d/CentOS-fasttrack.repo @@ -129,7 +129,7 @@ crsecurityonionrepo: file.managed: {% if role in ['eval', 'standalone', 'import', 'manager' 'managersearch'] or managerupdates == 0 %} - name: /etc/yum.repos.d/securityonion.repo - - source: salt://common/yum_repos.d/securityonion.repo + - source: salt://common/yum_repos/securityonion.repo {% else %} - name: /etc/yum.repos.d/securityonioncache.repo - source: salt://commmon/yum_repos/securityonioncache.repo From f387c4327a024f2f6993d5185cb5fe27628d51b3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 31 Mar 2021 16:53:20 -0400 Subject: [PATCH 07/21] Manage the repo files --- salt/common/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
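Review bot: `['eval', 'standalone', 'import', 'manager' 'managersearch']` is missing a comma, so the last two literals are concatenated into the single item `'managermanagersearch'` and neither a manager nor a managersearch node selects the main `securityonion.repo`; patch 09 on this page restores the comma. The `- source:` values `salt://common/yum_repos.d/securityonion.repo` and `salt://commmon/yum_repos/securityonioncache.repo` do not match the `salt/common/yum_repos/` directory created by the rename in patch 03, so `file.managed` would fail to fetch either file until the follow-up fixes. Rendering the state once with `salt-call state.show_sls common` before pushing would have surfaced all three.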
diff --git a/salt/common/init.sls b/salt/common/init.sls index c2ccb908f..f15dfe70d 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -127,7 +127,7 @@ crwazrepo: crsecurityonionrepo: file.managed: - {% if role in ['eval', 'standalone', 'import', 'manager' 'managersearch'] or managerupdates == 0 %} + {% if role in ['eval', 'standalone', 'import', 'manager' 'managersearch'] %} - name: /etc/yum.repos.d/securityonion.repo - source: salt://common/yum_repos/securityonion.repo {% else %} From 13421bb04bb0b17f351c3f187382575c8c74a1dc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 31 Mar 2021 16:59:15 -0400 Subject: [PATCH 08/21] Manage the repo files --- salt/common/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index f15dfe70d..0571cf2b3 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -132,7 +132,7 @@ crsecurityonionrepo: - source: salt://common/yum_repos/securityonion.repo {% else %} - name: /etc/yum.repos.d/securityonioncache.repo - - source: salt://commmon/yum_repos/securityonioncache.repo + - source: salt://common/yum_repos/securityonioncache.repo {% endif %} - mode: 644 From bfc5bb011f0d137a85dff07b64478cb8e3976219 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 31 Mar 2021 17:03:52 -0400 Subject: [PATCH 09/21] Manage the repo files --- salt/common/init.sls | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 0571cf2b3..5d95e69b6 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -88,7 +88,7 @@ crdebug: crdockerce: file.absent: - name: /etc/yum.repos.d/docker-ce.repo - + crfasttrack: file.absent: - name: /etc/yum.repos.d/CentOS-fasttrack.repo 
@@ -127,9 +127,9 @@ crwazrepo: crsecurityonionrepo: file.managed: - {% if role in ['eval', 'standalone', 'import', 'manager' 'managersearch'] %} + {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} - name: /etc/yum.repos.d/securityonion.repo - - source: salt://common/yum_repos/securityonion.repo + - source: salt://common/yum_repos.d/securityonion.repo {% else %} - name: /etc/yum.repos.d/securityonioncache.repo - source: salt://common/yum_repos/securityonioncache.repo From 1509722185ebb4a8432edfcc0fe3dfc1fd27da4c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 31 Mar 2021 17:04:56 -0400 Subject: [PATCH 10/21] Manage the repo files --- salt/common/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 5d95e69b6..f27af7233 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -128,7 +128,7 @@ crwazrepo: crsecurityonionrepo: file.managed: {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} - - name: /etc/yum.repos.d/securityonion.repo + - name: /etc/yum.repos/securityonion.repo - source: salt://common/yum_repos.d/securityonion.repo {% else %} - name: /etc/yum.repos.d/securityonioncache.repo From 96459885556393912a373c49d72c9e2bc7714bf3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 31 Mar 2021 17:06:26 -0400 Subject: [PATCH 11/21] Manage the repo files --- salt/common/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index f27af7233..2bfc6b66c 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls 
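Review bot: `- source: salt://common/yum_repos.d/securityonion.repo` reintroduces the `yum_repos.d` path that patch 06 already corrected, and patch 10 on this line in turn changes the target to `/etc/yum.repos/securityonion.repo`, dropping the `.d`; both are reverted again two commits later. The net effect of patches 05–12 is one state whose lasting changes are the added comma and the `managerupdates` clause, so squashing them, or checking the rendered state with `salt-call state.show_sls common` before each push, would make the history reviewable.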
@@ -129,7 +129,7 @@ crsecurityonionrepo: file.managed: {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} - name: /etc/yum.repos/securityonion.repo - - source: salt://common/yum_repos.d/securityonion.repo + - source: salt://common/yum_repos/securityonion.repo {% else %} - name: /etc/yum.repos.d/securityonioncache.repo - source: salt://common/yum_repos/securityonioncache.repo From 88eab865286fcd394a39b589868613c19f82dfc9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 31 Mar 2021 17:07:30 -0400 Subject: [PATCH 12/21] Manage the repo files --- salt/common/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 2bfc6b66c..44a00024a 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -128,7 +128,7 @@ crwazrepo: crsecurityonionrepo: file.managed: {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} - - name: /etc/yum.repos/securityonion.repo + - name: /etc/yum.repos.d/securityonion.repo - source: salt://common/yum_repos/securityonion.repo {% else %} - name: /etc/yum.repos.d/securityonioncache.repo From 43c31b4e665fc993f6d5f6d07506ef19619cc924 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 1 Apr 2021 14:56:05 -0400 Subject: [PATCH 13/21] Fix script so changes are actually made --- salt/common/tools/sbin/so-ssh-harden | 70 ++++++++++++---------------- 1 file changed, 30 insertions(+), 40 deletions(-) diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index 0e0b28b39..532e2f737 100755 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden @@ -4,6 +4,8 @@ if [[ $1 =~ ^(-q|--quiet) ]]; then quiet=true +elif [[ $1 =~ ^(-v|--verbose) ]]; then + verbose=true fi sshd_config=/etc/ssh/sshd_config 
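Review bot: `[[ $1 =~ ^(-v|--verbose) ]]` is anchored only at the start, so any argument beginning with `-v` (and, in the existing `-q` branch, `-q`) is accepted as the flag and the rest of it is silently ignored. Anchor the match at both ends, `[[ $1 =~ ^(-v|--verbose)$ ]]`, and consider rejecting unknown options with a usage message so a typo does not run the script in its default, config-changing mode.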
@@ -12,39 +14,27 @@ temp_config=/tmp/sshd_config before= after= reload_required=false +change_header_printed=false check_sshd_t() { local string=$1 - local state=$2 local grep_out grep_out=$(sshd -T | grep "^${string}") - if [[ $state == "Before" ]]; then - before=$grep_out - else - after=$grep_out - fi + before=$grep_out } print_diff() { - local type=$1 local diff - diff=$(diff -dqbB <(echo $before) <(echo $after)) + diff=$(diff -dbB <(echo $before) <(echo $after) | awk 'NR>1') if [[ -n $diff ]]; then - printf '%s\n' "$type" "$diff" - echo "" - fi -} - -print_msg() { - local msg=$1 - if ! [[ $quiet ]]; then - printf "%s\n" \ - "----" \ - "$msg" \ - "----" + if [[ $change_header_printed == false ]]; then + printf '%s\n' '' "Changes" '-------' '' + change_header_printed=true + fi + echo -e "$diff\n" fi } 
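Review bot: `echo -e "$diff\n"` in `print_diff` relies on bash's `echo -e`, which is non-portable and also interprets any backslash sequences inside the diff text; `printf '%s\n\n' "$diff"` prints the same output literally. The process substitutions `<(echo $before)` and `<(echo $after)` are still unquoted, so the shell word-splits and glob-expands the sshd output before diff sees it; quote both. With `check_sshd_t` now storing only into `before` and `after` assigned in `main`, a one-line comment above `before=` / `after=` saying where each is set would help the next reader.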
@@ -77,65 +67,65 @@ main() { echo "" >> $temp_config # Ciphers - check_sshd_t "ciphers" "Before" + check_sshd_t "ciphers" local cipher_string cipher_string=$(echo "$before" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g") - check_sshd_t "ciphers" "After" + after=$cipher_string - if ! [[ $quiet ]]; then print_diff "ciphers"; fi + if [[ $verbose ]]; then print_diff; fi - if [[ $before != $after ]]; then + if [[ $before != "$after" ]]; then add_if_missing "$cipher_string" && test_config || exit 1 fi # KexAlgorithms - check_sshd_t "kexalgorithms" "Before" + check_sshd_t "kexalgorithms" local kexalg_string kexalg_string=$(echo "$before" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g") - check_sshd_t "kexalgorithms" "After" + after=$kexalg_string - if ! [[ $quiet ]]; then print_diff "kexalgorithms"; fi + if [[ $verbose ]]; then print_diff; fi - if [[ $before != $after ]]; then + if [[ $before != "$after" ]]; then add_if_missing "$kexalg_string" && test_config || exit 1 fi # Macs - check_sshd_t "macs" "Before" + check_sshd_t "macs" local macs_string macs_string=$(echo "$before" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g") - check_sshd_t "macs" "After" + after=$macs_string - if ! 
[[ $quiet ]]; then print_diff "macs"; fi + if [[ $verbose ]]; then print_diff; fi - if [[ $before != $after ]]; then - add_if_missing "$mac_string" && test_config || exit 1 + if [[ $before != "$after" ]]; then + add_if_missing "$macs_string" && test_config || exit 1 fi # HostKeyAlgorithms - check_sshd_t "hostkeyalgorithms" "Before" + check_sshd_t "hostkeyalgorithms" local hostkeyalg_string hostkeyalg_string=$(echo "$before" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g") - check_sshd_t "hostkeyalgorithms" "After" + after=$hostkeyalg_string - if ! [[ $quiet ]]; then print_diff "hostkeyalgorithms"; fi + if [[ $verbose ]]; then print_diff; fi - if [[ $before != $after ]]; then + if [[ $before != "$after" ]]; then add_if_missing "$hostkeyalg_string" && test_config || exit 1 fi if [[ $reload_required == true ]]; then mv -f $temp_config $sshd_config - if ! [[ $quiet ]]; then echo "Reloading sshd to load config changes..."; fi + if ! [[ $quiet ]]; then echo "Reloading sshd to load config changes"; fi systemctl reload sshd - print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." + echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." else - if ! [[ $quiet ]]; then echo "No changes made to temp file, cleaning up."; fi + if ! [[ $quiet ]]; then echo "No changes made to temp file, cleaning up"; fi rm -f $temp_config fi } From fd57996bc6980ce7ddb7147f8bd43039337311e8 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 2 Apr 2021 10:00:27 -0400 Subject: [PATCH 14/21] Change behavior of adding lines to sshd config * Replace existing lines in cases where a change has already been made --- salt/common/tools/sbin/so-ssh-harden | 20 +++++++++++--------- setup/so-setup | 2 +- 2 files changed, 12 insertions(+), 10 deletions(-) 
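Review bot: `add_if_missing "$cipher_string" && test_config || exit 1` (and the three matching lines for kexalgorithms, macs and hostkeyalgorithms) exits without removing `$temp_config` and without saying which section produced the rejected config, so an operator is left with a stale file under /tmp and must rerun with `-v` to find the cause. A `trap 'rm -f -- "$temp_config"' EXIT` near the top of `main`, or an explicit `rm -f` before each `exit 1`, closes the cleanup gap, and passing the section name into the error message printed by `test_config` would identify the failing line. `systemctl reload sshd` is also unchecked; `systemctl reload sshd || { echo "sshd reload failed; config written but not applied" >&2; exit 1; }` would at least hand a non-zero status back to setup. `main` starts before this hunk.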
diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index 532e2f737..bdec9894b 100755 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden @@ -38,12 +38,14 @@ print_diff() { fi } -add_if_missing() { - local string=$1 - if ! grep -q "$1" $temp_config; then - printf "%s\n\n" "$1" >> $temp_config - reload_required=true +replace_or_add() { + local type=$1 + local string=$2 + if grep -q "$type" $temp_config; then + sed -i "/$type .*/d" $temp_config fi + printf "%s\n\n" "$string" >> $temp_config + reload_required=true } test_config() { @@ -76,7 +78,7 @@ main() { if [[ $verbose ]]; then print_diff; fi if [[ $before != "$after" ]]; then - add_if_missing "$cipher_string" && test_config || exit 1 + replace_or_add "ciphers" "$cipher_string" && test_config || exit 1 fi # KexAlgorithms @@ -90,7 +92,7 @@ main() { if [[ $verbose ]]; then print_diff; fi if [[ $before != "$after" ]]; then - add_if_missing "$kexalg_string" && test_config || exit 1 + replace_or_add "kexalgorithms" "$kexalg_string" && test_config || exit 1 fi # Macs @@ -103,7 +105,7 @@ main() { if [[ $verbose ]]; then print_diff; fi if [[ $before != "$after" ]]; then - add_if_missing "$macs_string" && test_config || exit 1 + replace_or_add "macs" "$macs_string" && test_config || exit 1 fi # HostKeyAlgorithms @@ -116,7 +118,7 @@ main() { if [[ $verbose ]]; then print_diff; fi if [[ $before != "$after" ]]; then - add_if_missing "$hostkeyalg_string" && test_config || exit 1 + replace_or_add "hostkeyalgorithms" "$hostkeyalg_string" && test_config || exit 1 fi if [[ $reload_required == true ]]; then diff --git a/setup/so-setup b/setup/so-setup index a742630f7..584dc7933 100755 --- a/setup/so-setup +++ b/setup/so-setup 
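Review bot: `grep -q "$type" $temp_config` and `sed -i "/$type .*/d" $temp_config` in `replace_or_add` match case-sensitively and anywhere on the line, while sshd keywords are case-insensitive, so an administrator's existing `Ciphers ...` or `KexAlgorithms ...` line is left in place, the lowercase line appended after it is ignored under sshd's first-value-wins rule, and the hardening silently has no effect on such hosts; conversely, a comment line containing `ciphers ` would be deleted. Anchor to the keyword position and ignore case: `grep -qi "^[[:space:]]*$type[[:space:]]" "$temp_config"` and `sed -i "/^[[:space:]]*$type[[:space:]]/Id" "$temp_config"`. `$type` is interpolated into a regex, which is fine for the four fixed keyword names passed from `main` but deserves a comment so nobody routes other input through it.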
@@ -906,7 +906,7 @@ set_redirect >> $setup_log 2>&1 set_progress_str 85 'Applying finishing touches' filter_unused_nics >> $setup_log 2>&1 network_setup >> $setup_log 2>&1 - so-ssh-harden -q >> $setup_log 2>&1 + so-ssh-harden >> $setup_log 2>&1 if [[ $is_manager || $is_import ]]; then set_progress_str 87 'Adding user to SOC' From 8b8086b91a16b9e2a382d139f17db7651e9ddbdc Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 2 Apr 2021 10:20:28 -0400 Subject: [PATCH 15/21] Update wording, as the new key tends to be ED25519, not ECDSA --- salt/common/tools/sbin/so-ssh-harden | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index bdec9894b..5e740c4dd 100755 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden @@ -125,7 +125,7 @@ main() { mv -f $temp_config $sshd_config if ! [[ $quiet ]]; then echo "Reloading sshd to load config changes"; fi systemctl reload sshd - echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." + echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the host key fingerprint for this server before reconnecting." else if ! [[ $quiet ]]; then echo "No changes made to temp file, cleaning up"; fi rm -f $temp_config From d19c03efef69eaf4b9ddad6dea271764fad038bc Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 2 Apr 2021 14:49:22 -0400 Subject: [PATCH 16/21] Refactor search of config lines * Create arrays for each line and loop through them for better code readability * Add more host key algorithms for removal * Update regex to look for a comma or EOL at the end of the search term, to avoid missing last item in list --- salt/common/tools/sbin/so-ssh-harden | 68 ++++++++++++++++++++++++---- 1 file changed, 60 insertions(+), 8 deletions(-) 
diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index 5e740c4dd..2a057ff5e 100755 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden @@ -70,8 +70,23 @@ main() { # Ciphers check_sshd_t "ciphers" - local cipher_string - cipher_string=$(echo "$before" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g") + + local bad_ciphers=( + "3des-cbc" + "aes128-cbc" + "aes192-cbc" + "aes256-cbc" + "arcfour" + "arcfour128" + "arcfour256" + "blowfish-cbc" + "cast128-cbc" + ) + + local cipher_string=$before + for cipher in "${bad_ciphers[@]}"; do + cipher_string=$(echo "$cipher_string" | sed "s/${cipher}\(,\|\$\)//g" | sed 's/,$//') + done after=$cipher_string @@ -84,8 +99,20 @@ main() { # KexAlgorithms check_sshd_t "kexalgorithms" - local kexalg_string - kexalg_string=$(echo "$before" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g") + local bad_kexalgs=( + "diffie-hellman-group-exchange-sha1" + "diffie-hellman-group-exchange-sha256" + "diffie-hellman-group1-sha1" + "diffie-hellman-group14-sha1" + "ecdh-sha2-nistp256" + "ecdh-sha2-nistp521" + "ecdh-sha2-nistp384" + ) + + local kexalg_string=$before + for kexalg in "${bad_kexalgs[@]}"; do + kexalg_string=$(echo "$kexalg_string" | sed "s/${kexalg}\(,\|\$\)//g" | sed 's/,$//') + done after=$kexalg_string 
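Review bot: `bad_ciphers` no longer lists `rijndael-cbc@lysator.liu.se`, which the replaced sed expression removed, so that CBC cipher is now kept if the host offers it; if the omission is deliberate a one-line comment above the array should say why, otherwise add it back. The loop variables `cipher` here and `kexalg` in the next hunk are not declared `local` inside `main` and so become globals — `local cipher` / `local kexalg` before each `for` keeps them scoped like the rest of the function; the same applies to `mac` and `alg` in the two hunks on the following line. `s/${cipher}\(,\|\$\)//g` is anchored only on the right, so an entry that is the tail of a longer algorithm name would also be stripped from that name; `s/\(^\|,\)${cipher}\(,\|$\)/\1/g` closes that, though none of the names in these lists currently collides.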
@@ -97,8 +124,21 @@ main() { # Macs check_sshd_t "macs" - local macs_string - macs_string=$(echo "$before" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g") + + local bad_macs=( + "hmac-sha2-512" + "umac-128@openssh.com" + "hmac-sha2-256" + "umac-64@openssh.com" + "hmac-sha1" + "hmac-sha1-etm@openssh.com" + "umac-64-etm@openssh.com" + ) + + local macs_string=$before + for mac in "${bad_macs[@]}"; do + macs_string=$(echo "$macs_string" | sed "s/${mac}\(,\|\$\)//g" | sed 's/,$//') + done after=$macs_string @@ -110,8 +150,20 @@ main() { # HostKeyAlgorithms check_sshd_t "hostkeyalgorithms" - local hostkeyalg_string - hostkeyalg_string=$(echo "$before" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g") + + local optional_suffix_regex_hka="\(-cert-v01@openssh.com\)\?" + local bad_hostkeyalg_list=( + "ecdsa-sha2-nistp256" + "ecdsa-sha2-nistp384" + "ecdsa-sha2-nistp521" + "ssh-rsa" + "ssh-dss" + ) + + local hostkeyalg_string=$before + for alg in "${bad_hostkeyalg_list[@]}"; do + hostkeyalg_string=$(echo "$hostkeyalg_string" | sed "s/${alg}${optional_suffix_regex_hka}\(,\|\$\)//g" | sed 's/,$//') + done after=$hostkeyalg_string From 8ca0626387b6c8f61a4e79b92180c2e816cc8f2d Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 5 Apr 2021 06:55:40 -0400 Subject: [PATCH 17/21] FIX: Hunt query for HTTP EXE downloads should work for both Zeek and Suricata #3753 --- salt/soc/files/soc/hunt.queries.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/hunt.queries.json b/salt/soc/files/soc/hunt.queries.json index 840b4b373..93295364d 100644 --- a/salt/soc/files/soc/hunt.queries.json +++ b/salt/soc/files/soc/hunt.queries.json 
@@ -34,7 +34,7 @@
 { "name": "HTTP", "description": "HTTP grouped by status code and message", "query": "event.dataset:http | groupby http.status_code http.status_message"},
 { "name": "HTTP", "description": "HTTP grouped by method and user agent", "query": "event.dataset:http | groupby http.method http.useragent"},
 { "name": "HTTP", "description": "HTTP grouped by virtual host", "query": "event.dataset:http | groupby http.virtual_host"},
- { "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.dataset:http AND file.resp_mime_types:dosexec | groupby http.virtual_host"},
+ { "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host"},
 { "name": "Intel", "description": "Intel framework hits grouped by indicator", "query": "event.dataset:intel | groupby intel.indicator.keyword"},
 { "name": "IRC", "description": "IRC grouped by command", "query": "event.dataset:irc | groupby irc.command.type"},
 { "name": "KERBEROS", "description": "KERBEROS grouped by service", "query": "event.dataset:kerberos | groupby kerberos.service"},
From f9dc040c7fc35fded3986e7c7e0947ae365411cb Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 5 Apr 2021 11:38:39 -0400
Subject: [PATCH 18/21] Fix Raid
---
 salt/common/tools/sbin/so-raid-status | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/salt/common/tools/sbin/so-raid-status b/salt/common/tools/sbin/so-raid-status
index d55d158fe..11909e012 100755
--- a/salt/common/tools/sbin/so-raid-status
+++ b/salt/common/tools/sbin/so-raid-status
@@ -66,11 +66,13 @@ mkdir -p /opt/so/log/raid
 {%- if grains['sosmodel'] in ['SOSMN', 'SOSSNNV'] %}
 #check_boss_raid
 check_software_raid
-echo "osraid=$BOSSRAID nsmraid=$SWRAID" > /opt/so/log/raid/status.log
+#echo "osraid=$BOSSRAID nsmraid=$SWRAID" > /opt/so/log/raid/status.log
+echo "osraid=1 nsmraid=$SWRAID" > /opt/so/log/raid/status.log
 {%- elif grains['sosmodel'] in ['SOS1000F', 'SOS1000', 'SOSSN7200', 'SOS10K', 'SOS4000'] %}
 #check_boss_raid
 check_lsi_raid
-echo "osraid=$BOSSRAID nsmraid=$LSIRAID" > /opt/so/log/raid/status.log
+#echo "osraid=$BOSSRAID nsmraid=$LSIRAID" > /opt/so/log/raid/status.log
+echo "osraid=1 nsmraid=$LSIRAID" > /opt/so/log/raid/status.log
 {%- else %}
 exit 0
 {%- endif %}
From 5aefa2a02408f7f128831e34776d6430f22e1f80 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 5 Apr 2021 11:41:19 -0400
Subject: [PATCH 19/21] Fix Raid for Jertel compliance
---
 salt/telegraf/scripts/raid.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/telegraf/scripts/raid.sh b/salt/telegraf/scripts/raid.sh
index c53644889..0938bb658 100644
--- a/salt/telegraf/scripts/raid.sh
+++ b/salt/telegraf/scripts/raid.sh
@@ -27,7 +27,7 @@ RAIDLOG=/var/log/raid/status.log RAIDSTATUS=$(cat /var/log/raid/status.log)
 if [ -f "$RAIDLOG" ]; then
- echo "raid raidstatus=$RAIDSTATUS "
+ echo "raid $RAIDSTATUS"
 else
 exit 0
 fi
From bad22ab541ba746bcf4b15a1f727d98d6ee63758 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 5 Apr 2021 12:08:38 -0400
Subject: [PATCH 20/21] Add model to sensoroni config
---
 salt/sensoroni/files/sensoroni.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json
index 23b967b04..dead05b64 100644
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
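Review bot: `osraid=1` is now a constant in both branches of the so-raid-status hunk, so status.log carries a fixed value for the OS RAID while `check_boss_raid` stays commented out; whatever 1 means to the consumer (presumably healthy), it is not a measured state and nothing in the file marks it as a placeholder. If the BOSS check is disabled on purpose, say so next to the line, e.g. `# check_boss_raid is disabled; osraid=1 is a placeholder, not a measured value`, or leave the field out until the check returns. The commented-out echo lines add nothing the history does not already keep and could be deleted.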
@@ -1,5 +1,9 @@
 {%- set URLBASE = salt['pillar.get']('global:url_base') %}
-{%- set DESCRIPTION = salt['pillar.get']('sensoroni:node_description') %}
+{%- if salt['pillar.get']('sensoroni:node_description') %}
+{%- set DESCRIPTION = salt['pillar.get']('sensoroni:node_description') %}
+{%- else %}
+{%- set DESCRIPTION = salt['grains.get']('sosmodel', '') %}
+{%- endif %}
 {%- set ADDRESS = salt['pillar.get']('sensoroni:node_address') %}
 {%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') %}
 {%- set CHECKININTERVALMS = salt['pillar.get']('sensoroni:node_checkin_interval_ms', 10000) %}
From a824813cdb95b3a6b86f57026d9729b0e807bb00 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 5 Apr 2021 12:10:29 -0400
Subject: [PATCH 21/21] Add model to sensoroni config
---
 salt/sensoroni/files/sensoroni.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json
index dead05b64..df2990404 100644
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
@@ -13,7 +13,7 @@
 {%- else %}
 {%- set STENODEFAULT = False %}
 {%- endif %}
-{%- set STENOENABLED = salt['pillar.get']('steno:enabled', STENODEFAULT) %}
+{%- set STENOENABLED = salt['pillar.get']('steno:enabled', STENODEFAULT) %}
 { "logFilename": "/opt/sensoroni/logs/sensoroni.log",
 "logLevel":"info",
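Review bot: The pillar lookup `salt['pillar.get']('sensoroni:node_description')` is evaluated twice in the new if/else, once for the test and once for the assignment; a single lookup reads more clearly and cannot drift between the two: `{%- set NODE_DESC = salt['pillar.get']('sensoroni:node_description') %}` followed by `{%- set DESCRIPTION = NODE_DESC or salt['grains.get']('sosmodel', '') %}`. Falling back to the `sosmodel` grain is the behaviour the commit title states, so no objection to the choice itself.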