From 7ebf93fcb5ac98a1dcb6ac7e847ced75e77c1e99 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 9 Sep 2020 15:53:32 -0400 Subject: [PATCH 1/5] IDSTools Overhaul --- salt/common/tools/sbin/soup | 24 ++++++++++++++++++++++-- salt/idstools/init.sls | 2 +- salt/idstools/localrules/local.rules | 1 - setup/so-functions | 12 ++++++++++++ setup/so-setup | 2 ++ 5 files changed, 37 insertions(+), 4 deletions(-) delete mode 100644 salt/idstools/localrules/local.rules diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index d9fadce29..849ba9f09 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -123,7 +123,19 @@ pillar_changes() { # Move baseurl in global.sls if [[ "$INSTALLEDVERSION" =~ rc.1 ]]; then - # Move the static file to global.sls + rc1_to_rc2 + rc2_to_rc3 + fi + + if [[ "$INSTALLEDVERSION" =~ rc.2 ]]; then + rc2_to_rc3 + fi + +} + +rc1_to_rc2() { + + # Move the static file to global.sls echo "Migrating static.sls to global.sls" mv -v /opt/so/saltstack/local/pillar/static.sls /opt/so/saltstack/local/pillar/global.sls >> "$SOUP_LOG" 2>&1 sed -i '1c\global:' /opt/so/saltstack/local/pillar/global.sls >> "$SOUP_LOG" 2>&1 @@ -158,8 +170,16 @@ pillar_changes() { curl -XPUT http://localhost:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"'$NAME'": {"skip_unavailable": "true", "seeds": ["'$EHOSTNAME':9300"]}}}}}' done > "$setup_log" 2>&1 } +airgap_rules() { + # Copy the rules for suricata if using Airgap + mkdir -p /opt/so/rules/nids + cp -v /root/SecurityOnion/agrules/emerging-all.rules /opt/so/rules/nids/ +} + analyze_system() { title "System Characteristics" logCmd "uptime" 
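Review bot: Both new branches of pillar_changes call `rc2_to_rc3`, but no definition of it appears anywhere in this patch, so unless it already exists in soup the rc.1 and rc.2 upgrade paths will fail with "command not found" as soon as they are taken. The `=~ rc.1` test is also unanchored and `.` matches any character, so a version string containing `rc.10`, `rc.11` or `rc-1` would take the rc.1 migration path as well; if versions end in `rc.N`, anchor both tests, e.g. `[[ "$INSTALLEDVERSION" =~ rc\.1$ ]]`. pillar_changes starts before the hunk, and the new rc1_to_rc2 body continues past its end.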
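Review bot: `airgap_rules` copies a fixed path with `cp -v` and never checks the result, so a missing `/root/SecurityOnion/agrules/emerging-all.rules` only leaves a line in the log while the caller in so-setup (`airgap_rules >> $setup_log 2>&1`) proceeds as if the ruleset were in place. Let the failure reach the caller, e.g. `cp -v -- /root/SecurityOnion/agrules/emerging-all.rules /opt/so/rules/nids/ || return 1`, and have so-setup act on the status. The reworked version of this function in PATCH 3 (`@@ -48,8 +48,8 @@` in setup/so-functions) only changes the destination to /nsm/repo/rules and has the same gap. The collapsed headers make it unclear whether this hunk belongs to soup or so-functions; the diffstat suggests the latter.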
@@ -630,6 +636,12 @@ create_local_directories() { } +create_local_nids_rules() { + # Create a local.rules file so it doesn't get blasted on updates + mkdir -p /opt/so/saltstack/local/salt/idstools + echo "# Custom Suricata rules go in this file" > /opt/so/saltstack/local/salt/idstools/local.rules +} + create_repo() { # Create the repo for airgap createrepo /nsm/repo diff --git a/setup/so-setup b/setup/so-setup index f771d7d57..d04f4afc5 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -465,6 +465,7 @@ fi if [[ $is_manager && $is_airgap ]]; then info "Creating airgap repo" create_repo >> $setup_log 2>&1 + airgap_rules >> $setup_log 2>&1 fi if [[ $is_minion ]]; then @@ -575,6 +576,7 @@ fi salt-call state.apply -l info manager >> $setup_log 2>&1 set_progress_str 61 "$(print_salt_state_apply 'idstools')" + create_local_nids_rules >> $setup_log 2>&1 salt-call state.apply -l info idstools >> $setup_log 2>&1 set_progress_str 61 "$(print_salt_state_apply 'suricata.manager')" From 45b11b2321aaf861ab73ee1585220b1ff0bf742a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 9 Sep 2020 18:38:07 -0400 Subject: [PATCH 2/5] Fix Rulecat --- salt/idstools/etc/rulecat.conf | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index b7b7f8424..bdea850aa 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf 
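Review bot: `create_local_nids_rules` truncates the file it is meant to protect: `echo ... > .../local.rules` overwrites any existing custom rules every time the function runs, which contradicts the comment above it. Guard the write so the placeholder is only created when the file is absent, e.g. `[[ -e /opt/so/saltstack/local/salt/idstools/local.rules ]] || echo "# Custom Suricata rules go in this file" > /opt/so/saltstack/local/salt/idstools/local.rules`. With that guard the function is idempotent and safe to call from soup as well as from so-setup. The `}` shown as context closes create_local_directories, which ends before the new function.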
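Review bot: Both new so-setup calls — `airgap_rules >> $setup_log 2>&1` here and `create_local_nids_rules >> $setup_log 2>&1` in `@@ -575,6 +576,7 @@` — discard the function's exit status, so a failed rule copy or an unwritable local.rules is only discoverable by reading the log after setup has already continued into `salt-call state.apply idstools`. Treat them like the other critical steps, e.g. `if ! airgap_rules >> "$setup_log" 2>&1; then ...; fi` routed through whatever error path the script already uses. Quoting `"$setup_log"` would also match the best-practice form, though the surrounding lines use the unquoted style.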
@@ -1,19 +1,29 @@ {%- set URLS = salt['pillar.get']('idstools:config:urls') -%} {%- set RULESET = salt['pillar.get']('idstools:config:ruleset') -%} {%- set OINKCODE = salt['pillar.get']('idstools:config:oinkcode', '' ) -%} +{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') -%} +{% if ISAIRGAP is sameas true %} +--merged=/opt/so/rules/nids/all.rules +--local=/opt/so/rules/nids/local.rules +--local=/opt/so/rules/nids/emerging-all.rules +--disable=/opt/so/idstools/etc/disable.conf +--enable=/opt/so/idstools/etc/enable.conf +--modify=/opt/so/idstools/etc/modify.conf +{%- else -%} --suricata-version=5.0 --merged=/opt/so/rules/nids/all.rules --local=/opt/so/rules/nids/local.rules --disable=/opt/so/idstools/etc/disable.conf --enable=/opt/so/idstools/etc/enable.conf --modify=/opt/so/idstools/etc/modify.conf -{%- if RULESET == 'ETOPEN' %} + {%- if RULESET == 'ETOPEN' -%} --etopen -{%- elif RULESET == 'ETPRO' %} + {%- elif RULESET == 'ETPRO' -%} --etpro={{ OINKCODE }} -{%- elif RULESET == 'TALOS' %} + {%- elif RULESET == 'TALOS' -%} --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }} -{%- endif %} + {%- endif -%} +{%- endif -%} {%- if URLS != None %} {%- for URL in URLS %} --url={{ URL }} From 5d4e8925a3d7aee6d7657131f71912d36752588b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 9 Sep 2020 21:16:40 -0400 Subject: [PATCH 3/5] Add Firewall Logic --- pillar/firewall/ports.sls | 1 + salt/firewall/assigned_hostgroups.map.yaml | 6 ++++++ salt/firewall/portgroups.yaml | 3 +++ salt/idstools/etc/rulecat.conf | 13 +++++++------ salt/nginx/etc/nginx.conf.so-manager | 16 ++++++++++++++++ setup/so-functions | 4 ++-- 6 files changed, 35 insertions(+), 8 deletions(-) diff --git a/pillar/firewall/ports.sls b/pillar/firewall/ports.sls index 1e0be460b..c10554fce 100644 --- a/pillar/firewall/ports.sls +++ b/pillar/firewall/ports.sls @@ -26,6 +26,7 @@ firewall: - 4200 - 5601 - 6379 + - 7788 - 8086 - 8090 - 9001 
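Review bot: The `-%}` added to the `RULESET` arms strips the newline that follows each tag, so in the non-airgap branch Jinja renders `--modify=/opt/so/idstools/etc/modify.conf--etopen` (or `...modify.conf--etpro=...`) on a single line; rulecat presumably reads one option per line, which would leave it with a bogus modify path and no ruleset option at all. Keep only the left-side trim the removed lines had — `{%- if RULESET == 'ETOPEN' %}`, `{%- elif RULESET == 'ETPRO' %}`, `{%- elif RULESET == 'TALOS' %}`, `{%- endif %}`. PATCH 3 (`@@ -24,8 +25,8 @@` in this file) does the same to the `URLS` loop, which would join every `--url=` entry onto the preceding line. Separately, the airgap branch omits the `--suricata-version=5.0` that the other branch keeps; unless that is deliberate, add it there too.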
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 0105542ad..4c05f2241 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -1,3 +1,4 @@ +{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} {% import_yaml 'firewall/portgroups.yaml' as portgroups %} {% set portgroups = portgroups.firewall.aliases.ports %} @@ -109,6 +110,9 @@ role: - {{ portgroups.elasticsearch_node }} - {{ portgroups.cortex_es_rest }} - {{ portgroups.cortex_es_node }} + {% if ISAIRGAP is sameas true %} + - {{ portgroups.agrules }} + {% endif %} minion: portgroups: - {{ portgroups.acng }} @@ -117,7 +121,9 @@ role: - {{ portgroups.influxdb }} - {{ portgroups.wazuh_api }} - {{ portgroups.fleet_api }} + {% if ISAIRGAP is sameas true %} - {{ portgroups.yum }} + {% endif %} sensor: portgroups: - {{ portgroups.sensoroni }} diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml index 177f35fdd..55a09c6bf 100644 --- a/salt/firewall/portgroups.yaml +++ b/salt/firewall/portgroups.yaml @@ -9,6 +9,9 @@ firewall: acng: tcp: - 3142 + agrules: + tcp: + - 7788 beats_5044: tcp: - 5044 diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index bdea850aa..a7e28afd3 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf 
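Review bot: Wrapping the existing `- {{ portgroups.yum }}` in `{% if ISAIRGAP is sameas true %}` (in `@@ -117,7 +121,9 @@`) changes behaviour for non-airgap deployments, which lose the yum port from the minion hostgroup; if non-airgap minions still install packages from the manager this closes that path, so confirm it is intended and say so in the commit message. The new `ISAIRGAP` also defaults to the string `'False'` while the test is `is sameas true`, so a pillar value written as the string `"True"` would silently disable every airgap block; a boolean default, `salt['pillar.get']('global:airgap', False)`, at least keeps the types consistent. The same string default is used in rulecat.conf and nginx/init.sls elsewhere in this series.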
@@ -2,10 +2,11 @@ {%- set RULESET = salt['pillar.get']('idstools:config:ruleset') -%} {%- set OINKCODE = salt['pillar.get']('idstools:config:oinkcode', '' ) -%} {%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') -%} -{% if ISAIRGAP is sameas true %} +{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') -%} +{%- if ISAIRGAP is sameas true -%} --merged=/opt/so/rules/nids/all.rules --local=/opt/so/rules/nids/local.rules ---local=/opt/so/rules/nids/emerging-all.rules +--url=http://{{ MANAGERIP }}/repo/rules/emerging-all.rules --disable=/opt/so/idstools/etc/disable.conf --enable=/opt/so/idstools/etc/enable.conf --modify=/opt/so/idstools/etc/modify.conf @@ -24,8 +25,8 @@ --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }} {%- endif -%} {%- endif -%} -{%- if URLS != None %} -{%- for URL in URLS %} +{%- if URLS != None -%} +{%- for URL in URLS -%} --url={{ URL }} -{%- endfor %} -{%- endif %} +{%- endfor -%} +{%- endif -%} diff --git a/salt/nginx/etc/nginx.conf.so-manager b/salt/nginx/etc/nginx.conf.so-manager index 76de6de2d..7118c196a 100644 --- a/salt/nginx/etc/nginx.conf.so-manager +++ b/salt/nginx/etc/nginx.conf.so-manager @@ -67,6 +67,22 @@ http { server_name _; return 301 https://$host$request_uri; } + {%- if ISAIRGAP is sameas true %} + server { + listen 7788; + server_name _; + root /opt/socore/html/repo + location /rules/ { + allow all; + sendfile on; + sendfile_max_chunk 1m; + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + } + } + {%- endif %} {% if FLEET_MANAGER %} server { diff --git a/setup/so-functions b/setup/so-functions index de98543a5..2bcae4a30 100755 --- a/setup/so-functions +++ b/setup/so-functions 
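Review bot: With `MANAGERIP` defaulting to `''`, a missing `global:managerip` pillar renders `--url=http:///repo/rules/emerging-all.rules`, which rulecat would only fail on at download time rather than at render time; guard the value (a `{% if MANAGERIP %}` around the airgap `--url` line, or fail the render) so the misconfiguration is reported by the state. The rules are fetched over plain HTTP with no checksum, so the detection ruleset on every sensor is whatever answers at that address; the firewall hostgroup added in this patch is the only control on that, which deserves a comment in the template. PATCH 4 (`@@ -6,7 +6,7 @@` in this file) only moves the URL to port 7788 and has the same properties.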
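Review bot: The new `server` block sets `root /opt/socore/html/repo` at server level and only defines `location /rules/`, so any other URI on port 7788 is still served from the rest of that root by nginx's default static handling; if the listener is meant to expose only the rules, add `location / { return 404; }` beside the `/rules/` location. `ISAIRGAP` is referenced but not set in this hunk, so it must already be defined at the top of the template — confirm, because an undefined name makes the block silently disappear. The block also assumes /nsm/repo, where so-functions now copies the rules, is mounted at /opt/socore/html/repo inside the container, which is not visible here.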
@@ -48,8 +48,8 @@ logCmd() { airgap_rules() { # Copy the rules for suricata if using Airgap - mkdir -p /opt/so/rules/nids - cp -v /root/SecurityOnion/agrules/emerging-all.rules /opt/so/rules/nids/ + mkdir -p /nsm/repo/rules + cp -v /root/SecurityOnion/agrules/emerging-all.rules /nsm/repo/rules/ } analyze_system() { From ef46094b0cc7e7a87c06f4a718b652b9cb645ffc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 10 Sep 2020 13:55:56 -0400 Subject: [PATCH 4/5] Update all nginx configs --- salt/idstools/etc/rulecat.conf | 2 +- salt/nginx/etc/nginx.conf.so-eval | 17 +++++++++++++++++ salt/nginx/etc/nginx.conf.so-manager | 2 +- salt/nginx/etc/nginx.conf.so-managersearch | 17 +++++++++++++++++ salt/nginx/etc/nginx.conf.so-standalone | 17 +++++++++++++++++ salt/nginx/init.sls | 3 +++ 6 files changed, 56 insertions(+), 2 deletions(-) diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index a7e28afd3..90de18277 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf @@ -6,7 +6,7 @@ {%- if ISAIRGAP is sameas true -%} --merged=/opt/so/rules/nids/all.rules --local=/opt/so/rules/nids/local.rules ---url=http://{{ MANAGERIP }}/repo/rules/emerging-all.rules +--url=http://{{ MANAGERIP }}:7788/rules/emerging-all.rules --disable=/opt/so/idstools/etc/disable.conf --enable=/opt/so/idstools/etc/enable.conf --modify=/opt/so/idstools/etc/modify.conf diff --git a/salt/nginx/etc/nginx.conf.so-eval b/salt/nginx/etc/nginx.conf.so-eval index 1e1c83675..cfc37a626 100644 --- a/salt/nginx/etc/nginx.conf.so-eval +++ b/salt/nginx/etc/nginx.conf.so-eval 
@@ -67,6 +67,23 @@ http { server_name _; return 301 https://$host$request_uri; } + {%- if ISAIRGAP is sameas true %} + server { + listen 7788; + server_name _; + root /opt/socore/html/repo; + location /rules/ { + allow all; + sendfile on; + sendfile_max_chunk 1m; + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + } + } + {%- endif %} + {% if FLEET_MANAGER %} server { diff --git a/salt/nginx/etc/nginx.conf.so-manager b/salt/nginx/etc/nginx.conf.so-manager index 7118c196a..86122602c 100644 --- a/salt/nginx/etc/nginx.conf.so-manager +++ b/salt/nginx/etc/nginx.conf.so-manager @@ -71,7 +71,7 @@ http { server { listen 7788; server_name _; - root /opt/socore/html/repo + root /opt/socore/html/repo; location /rules/ { allow all; sendfile on; diff --git a/salt/nginx/etc/nginx.conf.so-managersearch b/salt/nginx/etc/nginx.conf.so-managersearch index 012a91ba3..f3dd219b7 100644 --- a/salt/nginx/etc/nginx.conf.so-managersearch +++ b/salt/nginx/etc/nginx.conf.so-managersearch @@ -67,6 +67,23 @@ http { server_name _; return 301 https://$host$request_uri; } + {%- if ISAIRGAP is sameas true %} + server { + listen 7788; + server_name _; + root /opt/socore/html/repo; + location /rules/ { + allow all; + sendfile on; + sendfile_max_chunk 1m; + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + } + } + {%- endif %} + {% if FLEET_MANAGER %} server { diff --git a/salt/nginx/etc/nginx.conf.so-standalone b/salt/nginx/etc/nginx.conf.so-standalone index 19a029813..35e1488ac 100644 --- a/salt/nginx/etc/nginx.conf.so-standalone +++ b/salt/nginx/etc/nginx.conf.so-standalone 
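Review bot: The 17-line airgap `server` block is now pasted verbatim into four templates (this one, so-managersearch in `@@ -67,6 +67,23 @@` below, so-standalone in `@@ -66,6 +66,23 @@`, and so-manager from PATCH 3), which is exactly how the missing `;` in so-manager slipped through and needed its own fix-up hunk. Move the block into one shared snippet and pull it into each template with a Jinja `{% include %}` inside the `{%- if ISAIRGAP is sameas true %}` guard, so the listener is defined once. The `ISAIRGAP` definition is outside every one of these hunks and should be checked per template.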
@@ -66,6 +66,23 @@ http { server_name _; return 301 https://$host$request_uri; } + {%- if ISAIRGAP is sameas true %} + server { + listen 7788; + server_name _; + root /opt/socore/html/repo; + location /rules/ { + allow all; + sendfile on; + sendfile_max_chunk 1m; + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + } + } + {%- endif %} + {% if FLEET_MANAGER %} server { diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 2cb7984db..acb19d711 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -83,6 +83,9 @@ so-nginx: - port_bindings: - 80:80 - 443:443 + {% if ISAIRGAP is sameas true %} + - 7788:7788 + {% enfid %} {%- if FLEETMANAGER or FLEETNODE %} - 8090:8090 {%- endif %} From 53319738c4677373e91f78cae589be0993954c51 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 10 Sep 2020 16:56:48 -0400 Subject: [PATCH 5/5] Fix Nginx state --- salt/nginx/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index acb19d711..7df33aa74 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -85,7 +85,7 @@ so-nginx: - 443:443 {% if ISAIRGAP is sameas true %} - 7788:7788 - {% enfid %} + {% endif %} {%- if FLEETMANAGER or FLEETNODE %} - 8090:8090 {%- endif %}
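Review bot: The new `{% if ISAIRGAP is sameas true %}` / `{% endif %}` pair in nginx/init.sls uses no whitespace control, unlike the adjacent `{%- if FLEETMANAGER or FLEETNODE %}` / `{%- endif %}`, so it leaves indented blank lines in the rendered port list; write it as `{%- if ISAIRGAP is sameas true %}` and `{%- endif %}` to match. `ISAIRGAP` is not set in this hunk, so it must already be defined at the top of the state — confirm, since an undefined name simply skips the block and the binding is never added. The `7788:7788` binding publishes on all interfaces like 80/443, so reachability rests entirely on the hostgroups from PATCH 3; a one-line comment on the binding saying so would help the next reader.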