CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 01:32:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/TOoSmOotH/securityonion-saltstack

Browse Source
This commit is contained in:
m0duspwnens
2019-12-12 11:02:25 -05:00
parent 1deb520a56 6eab27f1de
commit af61469bad
5 changed files with 148 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
salt/common/init.sls
View File

@@ -117,13 +117,13 @@ nginxtmp:
# Start the core docker # Start the core docker
so-coreimage: so-coreimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.2 - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.3
so-core: so-core:
docker_container.running: docker_container.running:
- require: - require:
- so-coreimage - so-coreimage
- image: docker.io/soshybridhunter/so-core:HH1.1.2 - image: docker.io/soshybridhunter/so-core:HH1.1.3
- hostname: so-core - hostname: so-core
- user: socore - user: socore
- binds: - binds:

53
salt/logstash/files/dynamic/9997_output_helix.conf
View File

@@ -1,7 +1,7 @@
{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %} {% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
filter { filter {
if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl$/ { if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
grok { grok {
match => [ match => [
"source_ip", "^%{IPV4:srcipv4}$", "source_ip", "^%{IPV4:srcipv4}$",
@@ -72,7 +72,8 @@ filter {
if "bro_dhcp" in [class] { if "bro_dhcp" in [class] {
mutate{ mutate{
#add_field = { "metaclass" => "dhcp"} #add_field = { "metaclass" => "dhcp"}
rename => { "ips" => "ip" } rename => { "message_types" => "direction" }
rename => { "lease_time" => "duration" }
} }
} }
if "bro_files" in [class] { if "bro_files" in [class] {
@@ -109,25 +110,35 @@ filter {
rename => { "request_body_len" => "sentbodybytes" } rename => { "request_body_len" => "sentbodybytes" }
} }
} }
} if "bro_weird" in [class] {
} mutate{
#add_field = { "metaclass" => "dns"}
#output { rename => { "name" => "eventname" }
# if [event_type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl$/ { }
# http { }
# url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload" if "bro_x509" in [class] {
# http_method => post mutate{
# http_compression => true #add_field = { "metaclass" => "dns"}
# socket_timeout => 60 rename => { "certificate_common_name" => "certname" }
# headers => ["Authorization","{{ HELIX_API_KEY }}"] rename => { "certificate_subject" => "certsubject" }
# format => json_batch rename => { "issuer_common_name" => "issuer" }
# } reanme => { "certificate_issuer" => "issuersubject" }
# } rename => { "certificate_not_valid_before" => "issuetime" }
#} rename => { "certificate_key_type" => "cert_type" }
output { }
if [event_type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl$/ { }
file { }
path => "/var/log/logstash/output.json" }
output {
if [event_type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
http {
url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload"
http_method => post
http_compression => true
socket_timeout => 60
headers => ["Authorization","{{ HELIX_API_KEY }}"]
format => json_batch
} }
} }
} }

9
setup/functions.sh
View File

@@ -1166,6 +1166,15 @@ set_hostname() {
} }
set_hostname_iso() {
hostnamectl set-hostname --static $HOSTNAME
echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts
echo "::1 localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
echo $HOSTNAME > /etc/hostname
}
set_initial_firewall_policy() { set_initial_firewall_policy() {
get_main_ip get_main_ip

42
setup/so-setup.sh
View File

@@ -71,13 +71,13 @@ if (whiptail_you_sure) ; then
# Set management nic # Set management nic
whiptail_management_nic whiptail_management_nic
whiptail_create_socore_user # whiptail_create_socore_user
SCMATCH=no # SCMATCH=no
while [ $SCMATCH != yes ]; do # while [ $SCMATCH != yes ]; do
whiptail_create_socore_user_password1 # whiptail_create_socore_user_password1
whiptail_create_socore_user_password2 # whiptail_create_socore_user_password2
check_socore_pass # check_socore_pass
done # done
else else
@@ -98,7 +98,7 @@ if (whiptail_you_sure) ; then
fi fi
# Go ahead and bring up networking so other parts of the install work # Go ahead and bring up networking so other parts of the install work
set_hostname set_hostname_iso
set_management_interface set_management_interface
# Add an admin user # Add an admin user
@@ -166,7 +166,10 @@ if (whiptail_you_sure) ; then
get_filesystem_root get_filesystem_root
get_filesystem_nsm get_filesystem_nsm
get_main_ip get_main_ip
add_socore_user_master if [ $INSTALLMETHOD == iso ]; then
disable_onion_user
fi
#add_socore_user_master
# Install salt and dependencies # Install salt and dependencies
{ {
sleep 0.5 sleep 0.5
@@ -285,6 +288,15 @@ if (whiptail_you_sure) ; then
fi fi
fi fi
# Get a password for the socore user
whiptail_create_socore_user
SCMATCH=no
while [ $SCMATCH != yes ]; do
whiptail_create_socore_user_password1
whiptail_create_socore_user_password2
check_socore_pass
done
# Last Chance to back out # Last Chance to back out
whiptail_make_changes whiptail_make_changes
set_hostname set_hostname
@@ -300,6 +312,9 @@ if (whiptail_you_sure) ; then
# Figure out the main IP address # Figure out the main IP address
get_main_ip get_main_ip
if [ $INSTALLMETHOD == iso ]; then
disable_onion_user
fi
# Add the user so we can sit back and relax # Add the user so we can sit back and relax
#echo "" #echo ""
@@ -441,6 +456,9 @@ if (whiptail_you_sure) ; then
mkdir -p /nsm mkdir -p /nsm
get_filesystem_root get_filesystem_root
get_filesystem_nsm get_filesystem_nsm
if [ $INSTALLMETHOD == iso ]; then
disable_onion_user
fi
copy_ssh_key >> $SETUPLOG 2>&1 copy_ssh_key >> $SETUPLOG 2>&1
{ {
sleep 0.5 sleep 0.5
@@ -535,6 +553,9 @@ if (whiptail_you_sure) ; then
get_filesystem_nsm get_filesystem_nsm
get_log_size_limit get_log_size_limit
get_main_ip get_main_ip
if [ $INSTALLMETHOD == iso ]; then
disable_onion_user
fi
# Add the user so we can sit back and relax # Add the user so we can sit back and relax
add_socore_user_master add_socore_user_master
{ {
@@ -688,6 +709,9 @@ if (whiptail_you_sure) ; then
mkdir -p /nsm mkdir -p /nsm
get_filesystem_root get_filesystem_root
get_filesystem_nsm get_filesystem_nsm
if [ $INSTALLMETHOD == iso ]; then
disable_onion_user
fi
copy_ssh_key >> $SETUPLOG 2>&1 copy_ssh_key >> $SETUPLOG 2>&1
{ {
sleep 0.5 sleep 0.5

72
setup/whiptail.sh
View File

@@ -106,6 +106,32 @@ whiptail_check_exitstatus() {
} }
whiptail_create_admin_user() {
ADMINUSER=$(whiptail --title "Security Onion Install" --inputbox \
"Please enter a username for your new admin user" 10 60 3>&1 1>&2 2>&3)
}
whiptail_create_admin_user_password1() {
ADMINPASS1=$(whiptail --title "Security Onion Install" --passwordbox \
"Enter a password for $ADMINUSER" 10 60 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_create_admin_user_password2() {
ADMINPASS2=$(whiptail --title "Security Onion Install" --passwordbox \
"Re-enter a password for $ADMINUSER" 10 60 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_create_socore_user() { whiptail_create_socore_user() {
whiptail --title "Security Onion Setup" --msgbox "Set a password for the socore user. This account is used for adding sensors remotely." 8 75 whiptail --title "Security Onion Setup" --msgbox "Set a password for the socore user. This account is used for adding sensors remotely." 8 75
@@ -141,6 +167,18 @@ whiptail_cur_close_days() {
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
} }
whiptail_dhcp_or_static() {
ADDRESSTYPE=$(whiptail --title "Security Onion Setup" --radiolist \
"Choose how to set up your management interface:" 20 78 4 \
"STATIC" "Set a static IPv4 address" ON \
"DHCP" "Use DHCP to configure the Management Interface" OFF 3>&1 1>&2 2>&3 )
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_enable_components() { whiptail_enable_components() {
COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \ COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
"Select Components to install" 20 75 8 \ "Select Components to install" 20 75 8 \
@@ -239,6 +277,40 @@ whiptail_log_size_limit() {
} }
whiptail_management_interface_dns() {
MDNS=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your DNS server using space between multiple" 10 60 8.8.8.8 8.8.4.4 3>&1 1>&2 2>&3)
}
whiptail_management_interface_dns_search() {
MSEARCH=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your DNS search domain" 10 60 searchdomain.local 3>&1 1>&2 2>&3)
}
whiptail_management_interface_gateway() {
MGATEWAY=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your gateway" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
}
whiptail_management_interface_ip() {
MIP=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your IP address" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
}
whiptail_management_interface_mask() {
MMASK=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter the bit mask for your subnet" 10 60 24 3>&1 1>&2 2>&3)
}
whiptail_management_nic() { whiptail_management_nic() {