From c8dfc2495c60858d80ba17c44f1dc259f5162621 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 18 Aug 2020 14:21:23 -0400
Subject: [PATCH 1/8] add strelka to heavynode if strelka is enabled - https://github.com/Security-Onion-Solutions/securityonion/issues/1188
---
 salt/top.sls | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/salt/top.sls b/salt/top.sls
index 4b560c3c1..fdcbcab3e 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -361,6 +361,9 @@ base:
 - logstash
 - curator
 - filebeat
+ {%- if STRELKA %}
+ - strelka
+ {%- endif %}
 {%- if FLEETMANAGER or FLEETNODE %}
 - fleet.install_package
 - redis
From eaad0487b5e29308fc399cfa97b9e6b89fe41b82 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 18 Aug 2020 14:54:11 -0400
Subject: [PATCH 2/8] Enable YARA rules by default
---
 setup/so-setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index 640363f2b..51febf59f 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -326,7 +326,7 @@ if [[ $is_manager && ! $is_eval ]]; then
 fi
 if [[ $STRELKA == 1 ]]; then
- whiptail_strelka_rules
+ STRELKARULES=1
 fi
 if [ "$MANAGERADV" = 'ADVANCED' ] && [ "$ZEEKVERSION" != 'SURICATA' ]; then
From 44fcd999fdf9e8579c717e5d6d1000004ae8d204 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 18 Aug 2020 15:08:24 -0400
Subject: [PATCH 3/8] Address #1205
---
 salt/ssl/init.sls | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index b7b347ec5..82512068c 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -254,6 +254,13 @@ ealstickeyperms:
 - name: /etc/pki/elasticsearch.key
 - mode: 640
 - group: 930
+
+elasticp12perms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/elasticsearch.p12
+ - mode: 640
+ - group: 930
 # Create a cert for Redis encryption
 /etc/pki/redis.key:
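Review bot: The new `STRELKARULES=1` is an unexplained constant sitting where an interactive prompt used to be, so the block should say why the choice is no longer offered; add `# YARA rules are always enabled when Strelka is on; the interactive prompt was removed` above the assignment. `whiptail_strelka_rules` is presumably still defined wherever the other whiptail helpers live and is now unreferenced from this path — confirm and delete it so it does not drift from the real behaviour. The surrounding if/fi blocks are complete within the hunk.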
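Review bot: `elasticp12perms` has no `source` or `contents`, and as far as I know `file.managed` creates a missing target as an empty file, so if `/etc/pki/elasticsearch.p12` has not been generated when this state runs it quietly leaves an empty 640 keystore behind instead of failing; add a `require`/`onchanges` on the state that builds the .p12, following the `- onchanges:` / `- x509: /etc/pki/elasticsearch.key` pattern `fleetkeyperms` uses later in this file. The neighbouring id `ealstickeyperms` reads as a typo for `elastickeyperms`, the name this patch's second hunk introduces for the same file, and aligning the two would help. Whether this block sits inside a Jinja conditional is not visible in the hunk.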
@@ -530,11 +537,19 @@ fleetkeyperms:
 - onchanges:
 - x509: /etc/pki/elasticsearch.key
-miniokeyperms:
+elasticp12perms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/elasticsearch.p12
+ - mode: 640
+ - group: 930
+
+elastickeyperms:
 file.managed:
 - replace: False
 - name: /etc/pki/elasticsearch.key
 - mode: 640
 - group: 930
+ {%- endif %}
-{%- endif %}
\ No newline at end of file
+{%- endif %}
From 5a3d95d9a1985ea7afd5bcfd98fb50b218eb3e03 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 18 Aug 2020 15:09:21 -0400
Subject: [PATCH 4/8] remove monint from manager since it doesnt have a monint
---
 salt/grafana/init.sls | 1 -
 1 file changed, 1 deletion(-)
diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls
index 32c7dbdf6..a83facb97 100644
--- a/salt/grafana/init.sls
+++ b/salt/grafana/init.sls
@@ -91,7 +91,6 @@ dashboard-manager:
 - defaults:
 SERVERNAME: {{ SN }}
 MANINT: {{ SNDATA.manint }}
- MONINT: {{ SNDATA.monint }}
 CPUS: {{ SNDATA.totalcpus }}
 UID: so_overview
 ROOTFS: {{ SNDATA.rootfs }}
From 47ad3f65ef37bceaec7d09917971066364c80e58 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 18 Aug 2020 15:26:30 -0400
Subject: [PATCH 5/8] Only fail setup when the root mailbox is not empty for ISO installations, since network installations can't be sure if the error came from setup or something unrelated
---
 setup/so-setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index 51febf59f..2bb97cc16 100755
--- a/setup/so-setup
+++ b/setup/so-setup
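Review bot: The id `elasticp12perms` declared here is also added at line 254 by this patch's first hunk, and Salt refuses to render an SLS that defines the same id twice unless the two live in mutually exclusive Jinja branches, which this hunk does not show — confirm the branch structure or give one of them a distinct id. The added `{%- endif %}` closes an `{%- if %}` that lies outside the hunk, so the block nesting cannot be checked from here and deserves a render test before merge. The subject "Address #1205" says nothing about the symptom being fixed; a sentence in the message body naming it would help the next reader.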
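Review bot: Dropping `MONINT` from `defaults` is only half the change if the dashboard template rendered by `dashboard-manager` still references `{{ MONINT }}`; the template source is not in this patch, and an undefined name makes the `file.managed` state fail at render time (or render the value blank, depending on the renderer's undefined handling) — confirm the template was updated alongside this. The same check applies to the `dashboardsearch-{{ SN }}` hunk in patch 6/8.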
@@ -711,7 +711,7 @@ success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}')
 if [[ $success != 0 ]]; then SO_ERROR=1; fi
 # Check entire setup log for errors or unexpected salt states and ensure cron jobs are not reporting errors to root's mailbox
-if grep -q -E "ERROR|Result: False" $setup_log || [[ -s /var/spool/mail/root ]]; then SO_ERROR=1; fi
+if grep -q -E "ERROR|Result: False" $setup_log || [[ -s /var/spool/mail/root && "$setup_type" == "iso" ]]; then SO_ERROR=1; fi
 if [[ -n $SO_ERROR ]]; then echo "Errors detected during setup; skipping post-setup steps to allow for analysis of failures." >> $setup_log 2>&1
From 65d9afd8d51f2637373d9878828b9ea9a61cf779 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 18 Aug 2020 15:37:17 -0400
Subject: [PATCH 6/8] remove monint from nodestab grafana dashboard since search nodes dont have monint
---
 salt/grafana/init.sls | 1 -
 1 file changed, 1 deletion(-)
diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls
index a83facb97..ce70a4a22 100644
--- a/salt/grafana/init.sls
+++ b/salt/grafana/init.sls
@@ -182,7 +182,6 @@ dashboardsearch-{{ SN }}:
 - defaults:
 SERVERNAME: {{ SN }}
 MANINT: {{ SNDATA.manint }}
- MONINT: {{ SNDATA.monint }}
 CPUS: {{ SNDATA.totalcpus }}
 UID: {{ SNDATA.guid }}
 ROOTFS: {{ SNDATA.rootfs }}
From a4e986ea373cdcd63ed193b5138e5393ae132a83 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 18 Aug 2020 15:43:43 -0400
Subject: [PATCH 7/8] Don't echo pillar to setup log
---
 setup/so-functions | 1 -
 1 file changed, 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 741929399..dc81ddafe 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1207,7 +1207,6 @@ manager_global() {
 " interval: 5" >> "$global_pillar"
 printf '%s\n' '----' >> "$setup_log" 2>&1
- cat "$global_pillar" >> "$setup_log" 2>&1
 }
 minio_generate_keys() {
From d4f7a07f857d9bd9461ff38c4de19e28c07eb9aa Mon Sep 17 00:00:00 2001
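Review bot: Gating the root-mailbox test on `"$setup_type" == "iso"` discards that signal entirely for network installs; keep it visible as a warning so a later look at the log still finds it, e.g. `...; then SO_ERROR=1; elif [[ -s /var/spool/mail/root ]]; then echo "root mailbox not empty; review it for cron errors" >> $setup_log; fi`. This assumes `setup_type` is assigned earlier in so-setup, which is outside the hunk. On the same line `$setup_log` in the `grep` call is unquoted while `$setup_type` is quoted; `"$setup_log"` would be consistent. The `if [[ -n $SO_ERROR ]]` block that follows continues beyond the hunk.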
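Review bot: With the `cat "$global_pillar"` line gone, the `printf '%s\n' '----'` separator just above it now precedes nothing in the log and should go with it, or become a pointer such as `printf 'global pillar written to %s\n' "$global_pillar" >> "$setup_log" 2>&1` so the log still records where to look. Keeping pillar contents out of the setup log is the right move, since pillar is where credentials tend to land; any other function in this file that dumps a pillar file to `$setup_log` deserves the same treatment. `manager_global()` starts outside the hunk.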
From: Josh Brower
Date: Tue, 18 Aug 2020 15:54:11 -0400
Subject: [PATCH 8/8] Osquery Parsing fix
---
 salt/elasticsearch/files/ingest/osquery.query_result | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/osquery.query_result b/salt/elasticsearch/files/ingest/osquery.query_result
index 2005252b6..3a6ed15a3 100644
--- a/salt/elasticsearch/files/ingest/osquery.query_result
+++ b/salt/elasticsearch/files/ingest/osquery.query_result
@@ -18,8 +18,8 @@
 "source": "def dict = ['result': new HashMap()]; for (entry in ctx['message2'].entrySet()) { dict['result'][entry.getKey()] = entry.getValue(); } ctx['osquery'] = dict; "
 }
 },
- { "set": { "field": "event.module", "value": "osquery" } },
- { "set": { "field": "event.dataset", "value": "{{osquery.result.name}}"} },
+ { "set": { "field": "event.module", "value": "osquery", "override": false } },
+ { "set": { "field": "event.dataset", "value": "{{osquery.result.name}}", "override": false} },
 { "pipeline": { "name": "common" } }
 ]
 }
\ No newline at end of file
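Review bot: `"override": false` protects a pre-existing `event.dataset`, but as far as I can tell when `osquery.result.name` is absent the Mustache template resolves to an empty string and the processor still writes `event.dataset: ""` on documents that lacked the field; if the cluster's `set` processor supports it, `"ignore_empty_value": true` (or an `"if": "ctx.osquery?.result?.name != null"` condition on that processor) avoids stamping an empty dataset. The file still ends without a trailing newline, as the marker shows.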