Merge remote-tracking branch 'remotes/origin/dev' into salt3003.1

salt/common/init.sls

@@ -2,6 +2,7 @@
 {% if sls in allowed_states %}
 
 {% set role = grains.id.split('_') | last %}
+{% set managerupdates = salt['pillar.get']('global:managerupdate', '0') %}
 
 # Remove variables.txt from /tmp - This is temp
 rmvariablesfile:
@@ -64,7 +65,7 @@ salttmp:
     - group: 939
     - makedirs: True
 
-# Install epel
+# Remove default Repos
 {% if grains['os'] == 'CentOS' %}
 repair_yumdb:
   cmd.run:
@@ -72,6 +73,69 @@ repair_yumdb:
     - onlyif:
       - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"'
 
+crbase:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-Base.repo
+
+crcr:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-CR.repo
+
+crdebug:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-Debuginfo.repo
+
+crdockerce:
+  file.absent: 
+    - name: /etc/yum.repos.d/docker-ce.repo
+    
+crfasttrack:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-fasttrack.repo
+
+crmedia:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-Media.repo
+
+crsources:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-Sources.repo
+
+crvault:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-Vault.repo
+
+crkernel:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-x86_64-kernel.repo
+
+crepel:
+  file.absent:
+    - name: /etc/yum.repos.d/epel.repo
+
+crtesting:
+  file.absent:
+    - name: /etc/yum.repos.d/epel-testing.repo
+
+crssrepo:
+  file.absent:
+    - name: /etc/yum.repos.d/saltstack.repo
+
+crwazrepo:
+  file.absent:
+    - name: /etc/yum.repos.d/wazuh.repo
+
+crsecurityonionrepo:
+  file.managed:
+    {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %}
+    - name: /etc/yum.repos.d/securityonion.repo
+    - source: salt://common/yum_repos/securityonion.repo
+    {% else %}
+    - name: /etc/yum.repos.d/securityonioncache.repo
+    - source: salt://common/yum_repos/securityonioncache.repo
+    {% endif %}
+    - mode: 644
+
 {% endif %}
 
 # Install common packages

salt/common/tools/sbin/so-raid-status

@@ -66,11 +66,13 @@ mkdir -p /opt/so/log/raid
   {%- if grains['sosmodel'] in ['SOSMN', 'SOSSNNV'] %}
 #check_boss_raid
 check_software_raid
-echo "osraid=$BOSSRAID nsmraid=$SWRAID" > /opt/so/log/raid/status.log
+#echo "osraid=$BOSSRAID nsmraid=$SWRAID" > /opt/so/log/raid/status.log
+echo "osraid=1 nsmraid=$SWRAID" > /opt/so/log/raid/status.log
   {%- elif grains['sosmodel'] in ['SOS1000F', 'SOS1000', 'SOSSN7200', 'SOS10K', 'SOS4000'] %}
 #check_boss_raid
 check_lsi_raid
-echo "osraid=$BOSSRAID nsmraid=$LSIRAID" > /opt/so/log/raid/status.log
+#echo "osraid=$BOSSRAID nsmraid=$LSIRAID" > /opt/so/log/raid/status.log
+echo "osraid=1 nsmraid=$LSIRAID" > /opt/so/log/raid/status.log
   {%- else %}
 exit 0
   {%- endif %}

salt/common/tools/sbin/so-ssh-harden

@@ -4,90 +4,184 @@
 
 if [[ $1 =~ ^(-q|--quiet) ]]; then
 	quiet=true
+elif [[ $1 =~ ^(-v|--verbose) ]]; then
+	verbose=true
 fi
 
+sshd_config=/etc/ssh/sshd_config
+temp_config=/tmp/sshd_config
+
 before=
 after=
 reload_required=false
+change_header_printed=false
 
-print_sshd_t() {
+check_sshd_t() {
 	local string=$1
-	local state=$2
-	echo "${state}:"
 
 	local grep_out
 	grep_out=$(sshd -T | grep "^${string}")
 
-	if [[ $state == "Before" ]]; then
 	before=$grep_out
-	else
-		after=$grep_out
-	fi
-
-	echo $grep_out
 }
 
-print_msg() {
+print_diff() {
-	local msg=$1
+	local diff
-	if ! [[ $quiet ]]; then
+	diff=$(diff -dbB <(echo $before) <(echo $after) | awk 'NR>1')
-	printf "%s\n" \
+
-		"----" \
+	if [[ -n $diff ]]; then
-		"$msg" \
+		if [[ $change_header_printed == false ]]; then
-		"----" \
+			printf '%s\n' '' "Changes" '-------' ''
-		""
+			change_header_printed=true
+		fi
+		echo -e "$diff\n"
 	fi
 }
 
-if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi
+replace_or_add() {
-sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config
+	local type=$1
-if ! [[ $quiet ]]; then
+	local string=$2
-	print_sshd_t "ciphers" "After"
+	if grep -q "$type" $temp_config; then
-	echo ""
+		sed -i "/$type .*/d" $temp_config
 	fi
-
+	printf "%s\n\n" "$string" >> $temp_config
-if [[ $before != $after ]]; then
 	reload_required=true
+}
+
+test_config() {
+	local msg
+	msg=$(sshd -t -f $temp_config)
+	local ret=$?
+
+	if [[ -n $msg ]]; then
+		echo "Error found in temp sshd config:"
+		echo $msg
 	fi
 
-if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi
+	return $ret
-sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config
+}
-if ! [[ $quiet ]]; then
+
-	print_sshd_t "kexalgorithms" "After"
+main() {
-	echo ""
+	if ! [[ $quiet ]]; then echo "Copying current config to $temp_config"; fi
+	cp $sshd_config $temp_config
+
+	# Add newline to ssh for legibility
+	echo "" >> $temp_config
+
+	# Ciphers
+	check_sshd_t "ciphers"
+
+	local bad_ciphers=(
+		"3des-cbc"
+		"aes128-cbc"
+		"aes192-cbc"
+		"aes256-cbc"
+		"arcfour"
+		"arcfour128"
+		"arcfour256"
+		"blowfish-cbc"
+		"cast128-cbc"
+	)
+
+	local cipher_string=$before
+	for cipher in "${bad_ciphers[@]}"; do
+		cipher_string=$(echo "$cipher_string" | sed "s/${cipher}\(,\|\$\)//g" | sed 's/,$//')
+	done
+
+	after=$cipher_string
+
+	if [[ $verbose ]]; then print_diff; fi
+
+	if [[ $before != "$after" ]]; then
+		replace_or_add "ciphers" "$cipher_string" && test_config || exit 1
 	fi
 
-if [[ $before != $after ]]; then
+	# KexAlgorithms
-	reload_required=true
+	check_sshd_t "kexalgorithms"
+
+	local bad_kexalgs=(
+		"diffie-hellman-group-exchange-sha1"
+		"diffie-hellman-group-exchange-sha256"
+		"diffie-hellman-group1-sha1"
+		"diffie-hellman-group14-sha1"
+		"ecdh-sha2-nistp256"
+		"ecdh-sha2-nistp521"
+		"ecdh-sha2-nistp384"
+	)
+
+	local kexalg_string=$before
+	for kexalg in "${bad_kexalgs[@]}"; do
+		kexalg_string=$(echo "$kexalg_string" | sed "s/${kexalg}\(,\|\$\)//g" | sed 's/,$//')
+	done
+
+	after=$kexalg_string
+
+	if [[ $verbose ]]; then print_diff; fi
+
+	if [[ $before != "$after" ]]; then
+		replace_or_add "kexalgorithms" "$kexalg_string" && test_config || exit 1
 	fi
 
-if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi
+	# Macs
-sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config
+	check_sshd_t "macs"
-if ! [[ $quiet ]]; then
+	
-	print_sshd_t "macs" "After"
+	local bad_macs=(
-	echo ""
+		"hmac-sha2-512"
+		"umac-128@openssh.com"
+		"hmac-sha2-256"
+		"umac-64@openssh.com"
+		"hmac-sha1"
+		"hmac-sha1-etm@openssh.com"
+		"umac-64-etm@openssh.com"
+	)
+
+	local macs_string=$before
+	for mac in "${bad_macs[@]}"; do
+		macs_string=$(echo "$macs_string" | sed "s/${mac}\(,\|\$\)//g" | sed 's/,$//')
+	done
+
+	after=$macs_string
+
+	if [[ $verbose ]]; then print_diff; fi
+
+	if [[ $before != "$after" ]]; then
+		replace_or_add "macs" "$macs_string" && test_config || exit 1
 	fi
 
-if [[ $before != $after ]]; then
+	# HostKeyAlgorithms
-	reload_required=true
+	check_sshd_t "hostkeyalgorithms"
-fi
 	
-if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi
+	local optional_suffix_regex_hka="\(-cert-v01@openssh.com\)\?"
-sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config
+	local bad_hostkeyalg_list=(
-if ! [[ $quiet ]]; then
+		"ecdsa-sha2-nistp256"
-	print_sshd_t "hostkeyalgorithms" "After"
+		"ecdsa-sha2-nistp384"
-	echo ""
+		"ecdsa-sha2-nistp521"
-fi
+		"ssh-rsa"
+		"ssh-dss"
+	)
 
-if [[ $before != $after ]]; then
+	local hostkeyalg_string=$before
-	reload_required=true
+	for alg in "${bad_hostkeyalg_list[@]}"; do
+		hostkeyalg_string=$(echo "$hostkeyalg_string" | sed "s/${alg}${optional_suffix_regex_hka}\(,\|\$\)//g" | sed 's/,$//')
+	done
+
+	after=$hostkeyalg_string
+	
+	if [[ $verbose ]]; then print_diff; fi
+	
+	if [[ $before != "$after" ]]; then
+		replace_or_add "hostkeyalgorithms" "$hostkeyalg_string" && test_config || exit 1
 	fi
 
 	if [[ $reload_required == true ]]; then
-	print_msg "Reloading sshd to load config changes..."
+		mv -f $temp_config $sshd_config
+		if ! [[ $quiet ]]; then echo "Reloading sshd to load config changes"; fi
 		systemctl reload sshd
+		echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the host key fingerprint for this server before reconnecting."
+	else
+		if ! [[ $quiet ]]; then echo "No changes made to temp file, cleaning up"; fi
+		rm -f $temp_config
 	fi
+}
 
-{% if grains['os'] != 'CentOS' %}
+main
-print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting."
-{% endif %}
-

salt/sensoroni/files/sensoroni.json

@@ -1,5 +1,9 @@
 {%- set URLBASE = salt['pillar.get']('global:url_base') %}
+{%- if salt['pillar.get']('sensoroni:node_description') %}
 {%-   set DESCRIPTION = salt['pillar.get']('sensoroni:node_description') %}
+{%- else %}
+{%-   set DESCRIPTION = salt['grains.get']('sosmodel', '') %}
+{%- endif %}
 {%- set ADDRESS = salt['pillar.get']('sensoroni:node_address') %}
 {%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') %}
 {%- set CHECKININTERVALMS = salt['pillar.get']('sensoroni:node_checkin_interval_ms', 10000) %}

salt/soc/files/soc/hunt.queries.json

@@ -34,7 +34,7 @@
           { "name": "HTTP", "description": "HTTP grouped by status code and message", "query": "event.dataset:http | groupby http.status_code http.status_message"},
           { "name": "HTTP", "description": "HTTP grouped by method and user agent", "query": "event.dataset:http | groupby http.method http.useragent"},
           { "name": "HTTP", "description": "HTTP grouped by virtual host", "query": "event.dataset:http | groupby http.virtual_host"},
-          { "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.dataset:http AND file.resp_mime_types:dosexec | groupby http.virtual_host"},
+          { "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host"},
           { "name": "Intel", "description": "Intel framework hits grouped by indicator", "query": "event.dataset:intel | groupby intel.indicator.keyword"},
           { "name": "IRC", "description": "IRC grouped by command", "query": "event.dataset:irc | groupby irc.command.type"},
           { "name": "KERBEROS", "description": "KERBEROS grouped by service", "query": "event.dataset:kerberos | groupby kerberos.service"},

salt/telegraf/scripts/raid.sh

@@ -27,7 +27,7 @@ RAIDLOG=/var/log/raid/status.log
 RAIDSTATUS=$(cat /var/log/raid/status.log)
 
 if [ -f "$RAIDLOG" ]; then
-    echo "raid raidstatus=$RAIDSTATUS "
+    echo "raid $RAIDSTATUS"
 else
     exit 0
 fi

setup/so-functions

@@ -1454,8 +1454,6 @@ install_cleanup() {
 		info "Removing so-setup permission entry from sudoers file"
 		sed -i '/so-setup/d' /etc/sudoers
 	fi
-
-	so-ssh-harden -q
 }
 
 import_registry_docker() {
@@ -2277,9 +2275,9 @@ securityonion_repo() {
 	    mv /etc/yum.repos.d/* /root/oldrepos/
 		rm -f /etc/yum.repos.d/*
 		if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then
-		    cp -f ./yum_repos/securityonioncache.repo /etc/yum.repos.d/
+		    cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/
 		else
-		    cp -f ./yum_repos/securityonion.repo /etc/yum.repos.d/
+		    cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/
 		fi
 	else
         echo "This is Ubuntu"

setup/so-setup

@@ -906,6 +906,7 @@ set_redirect >> $setup_log 2>&1
 	set_progress_str 85 'Applying finishing touches'
 	filter_unused_nics >> $setup_log 2>&1
 	network_setup >> $setup_log 2>&1
+	so-ssh-harden >> $setup_log 2>&1
 
 	if [[ $is_manager || $is_import ]]; then
 		set_progress_str 87 'Adding user to SOC'