CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/TOoSmOotH/securityonion-saltstack

Browse Source
This commit is contained in:
m0duspwnens
2019-12-12 11:02:25 -05:00
parent 1deb520a56 6eab27f1de
commit af61469bad
5 changed files with 148 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
salt/common/init.sls
View File

@@ -117,13 +117,13 @@ nginxtmp:
# Start the core docker
so-coreimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.2
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.3
so-core:
docker_container.running:
- require:
- so-coreimage
- image: docker.io/soshybridhunter/so-core:HH1.1.2
- image: docker.io/soshybridhunter/so-core:HH1.1.3
- hostname: so-core
- user: socore
- binds:

53
salt/logstash/files/dynamic/9997_output_helix.conf
View File

@@ -1,7 +1,7 @@
{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
filter {
if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl$/ {
if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
grok {
match => [
"source_ip", "^%{IPV4:srcipv4}$",
@@ -72,7 +72,8 @@ filter {
if "bro_dhcp" in [class] {
mutate{
#add_field = { "metaclass" => "dhcp"}
rename => { "ips" => "ip" }
rename => { "message_types" => "direction" }
rename => { "lease_time" => "duration" }
}
}
if "bro_files" in [class] {
@@ -109,25 +110,35 @@ filter {
rename => { "request_body_len" => "sentbodybytes" }
}
}
}
}
#output {
# if [event_type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl$/ {
# http {
# url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload"
# http_method => post
# http_compression => true
# socket_timeout => 60
# headers => ["Authorization","{{ HELIX_API_KEY }}"]
# format => json_batch
# }
# }
#}
output {
if [event_type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl$/ {
file {
path => "/var/log/logstash/output.json"
if "bro_weird" in [class] {
mutate{
#add_field = { "metaclass" => "dns"}
rename => { "name" => "eventname" }
}
}
if "bro_x509" in [class] {
mutate{
#add_field = { "metaclass" => "dns"}
rename => { "certificate_common_name" => "certname" }
rename => { "certificate_subject" => "certsubject" }
rename => { "issuer_common_name" => "issuer" }
reanme => { "certificate_issuer" => "issuersubject" }
rename => { "certificate_not_valid_before" => "issuetime" }
rename => { "certificate_key_type" => "cert_type" }
}
}
}
}
output {
if [event_type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
http {
url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload"
http_method => post
http_compression => true
socket_timeout => 60
headers => ["Authorization","{{ HELIX_API_KEY }}"]
format => json_batch
}
}
}

9
setup/functions.sh
View File

@@ -1166,6 +1166,15 @@ set_hostname() {
}
set_hostname_iso() {
hostnamectl set-hostname --static $HOSTNAME
echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts
echo "::1 localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
echo $HOSTNAME > /etc/hostname
}
set_initial_firewall_policy() {
get_main_ip

42
setup/so-setup.sh
View File

@@ -71,13 +71,13 @@ if (whiptail_you_sure) ; then
# Set management nic
whiptail_management_nic
whiptail_create_socore_user
SCMATCH=no
while [ $SCMATCH != yes ]; do
whiptail_create_socore_user_password1
whiptail_create_socore_user_password2
check_socore_pass
done
# whiptail_create_socore_user
# SCMATCH=no
# while [ $SCMATCH != yes ]; do
# whiptail_create_socore_user_password1
# whiptail_create_socore_user_password2
# check_socore_pass
# done
else
@@ -98,7 +98,7 @@ if (whiptail_you_sure) ; then
fi
# Go ahead and bring up networking so other parts of the install work
set_hostname
set_hostname_iso
set_management_interface
# Add an admin user
@@ -166,7 +166,10 @@ if (whiptail_you_sure) ; then
get_filesystem_root
get_filesystem_nsm
get_main_ip
add_socore_user_master
if [ $INSTALLMETHOD == iso ]; then
disable_onion_user
fi
#add_socore_user_master
# Install salt and dependencies
{
sleep 0.5
@@ -285,6 +288,15 @@ if (whiptail_you_sure) ; then
fi
fi
# Get a password for the socore user
whiptail_create_socore_user
SCMATCH=no
while [ $SCMATCH != yes ]; do
whiptail_create_socore_user_password1
whiptail_create_socore_user_password2
check_socore_pass
done
# Last Chance to back out
whiptail_make_changes
set_hostname
@@ -300,6 +312,9 @@ if (whiptail_you_sure) ; then
# Figure out the main IP address
get_main_ip
if [ $INSTALLMETHOD == iso ]; then
disable_onion_user
fi
# Add the user so we can sit back and relax
#echo ""
@@ -441,6 +456,9 @@ if (whiptail_you_sure) ; then
mkdir -p /nsm
get_filesystem_root
get_filesystem_nsm
if [ $INSTALLMETHOD == iso ]; then
disable_onion_user
fi
copy_ssh_key >> $SETUPLOG 2>&1
{
sleep 0.5
@@ -535,6 +553,9 @@ if (whiptail_you_sure) ; then
get_filesystem_nsm
get_log_size_limit
get_main_ip
if [ $INSTALLMETHOD == iso ]; then
disable_onion_user
fi
# Add the user so we can sit back and relax
add_socore_user_master
{
@@ -688,6 +709,9 @@ if (whiptail_you_sure) ; then
mkdir -p /nsm
get_filesystem_root
get_filesystem_nsm
if [ $INSTALLMETHOD == iso ]; then
disable_onion_user
fi
copy_ssh_key >> $SETUPLOG 2>&1
{
sleep 0.5

72
setup/whiptail.sh
View File

@@ -106,6 +106,32 @@ whiptail_check_exitstatus() {
}
whiptail_create_admin_user() {
ADMINUSER=$(whiptail --title "Security Onion Install" --inputbox \
"Please enter a username for your new admin user" 10 60 3>&1 1>&2 2>&3)
}
whiptail_create_admin_user_password1() {
ADMINPASS1=$(whiptail --title "Security Onion Install" --passwordbox \
"Enter a password for $ADMINUSER" 10 60 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_create_admin_user_password2() {
ADMINPASS2=$(whiptail --title "Security Onion Install" --passwordbox \
"Re-enter a password for $ADMINUSER" 10 60 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_create_socore_user() {
whiptail --title "Security Onion Setup" --msgbox "Set a password for the socore user. This account is used for adding sensors remotely." 8 75
@@ -141,6 +167,18 @@ whiptail_cur_close_days() {
whiptail_check_exitstatus $exitstatus
}
whiptail_dhcp_or_static() {
ADDRESSTYPE=$(whiptail --title "Security Onion Setup" --radiolist \
"Choose how to set up your management interface:" 20 78 4 \
"STATIC" "Set a static IPv4 address" ON \
"DHCP" "Use DHCP to configure the Management Interface" OFF 3>&1 1>&2 2>&3 )
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_enable_components() {
COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
"Select Components to install" 20 75 8 \
@@ -239,6 +277,40 @@ whiptail_log_size_limit() {
}
whiptail_management_interface_dns() {
MDNS=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your DNS server using space between multiple" 10 60 8.8.8.8 8.8.4.4 3>&1 1>&2 2>&3)
}
whiptail_management_interface_dns_search() {
MSEARCH=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your DNS search domain" 10 60 searchdomain.local 3>&1 1>&2 2>&3)
}
whiptail_management_interface_gateway() {
MGATEWAY=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your gateway" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
}
whiptail_management_interface_ip() {
MIP=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your IP address" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
}
whiptail_management_interface_mask() {
MMASK=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter the bit mask for your subnet" 10 60 24 3>&1 1>&2 2>&3)
}
whiptail_management_nic() {