CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/2.4/dev' into issue/10050

Browse Source
This commit is contained in:
m0duspwnens
2023-04-18 11:31:00 -04:00
parent 7c8ba04820 aade62491c
commit b0f9585da1
32 changed files with 331 additions and 301 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
salt/backup/config_backup.sls
View File

@@ -25,6 +25,7 @@ config_backup_script:
so_config_backup:
cron.present:
- name: /usr/sbin/so-config-backup > /dev/null 2>&1
- identifier: so_config_backup
- user: root
- minute: '1'
- hour: '0'

31
salt/common/init.sls
View File

@@ -133,8 +133,10 @@ so-status_script:
{% if GLOBALS.role in GLOBALS.sensor_roles %}
# Add sensor cleanup
/usr/sbin/so-sensor-clean:
so-sensor-clean:
cron.present:
- name: /usr/sbin/so-sensor-clean
- identifier: so-sensor-clean
- user: root
- minute: '*'
- hour: '*'
@@ -154,8 +156,10 @@ sensorrotateconf:
- source: salt://common/files/sensor-rotate.conf
- mode: 644
/usr/local/bin/sensor-rotate:
sensor-rotate:
cron.present:
- name: /usr/local/bin/sensor-rotate
- identifier: sensor-rotate
- user: root
- minute: '1'
- hour: '0'
@@ -178,8 +182,10 @@ commonlogrotateconf:
- template: jinja
- mode: 644
/usr/local/bin/common-rotate:
common-rotate:
cron.present:
- name: /usr/local/bin/common-rotate
- identifier: common-rotate
- user: root
- minute: '1'
- hour: '0'
@@ -200,17 +206,11 @@ sostatus_log:
- name: /opt/so/log/sostatus/status.log
- mode: 644
common_pip_dependencies:
pip.installed:
- user: root
- pkgs:
- rich
- target: /usr/lib64/python3.6/site-packages
# Install sostatus check cron
sostatus_check_cron:
# Install sostatus check cron. This is used to populate Grid.
so-status_check_cron:
cron.present:
- name: '/usr/sbin/so-status -j > /opt/so/log/sostatus/status.log 2>&1'
- identifier: so-status_check_cron
- user: root
- minute: '*/1'
- hour: '*'
@@ -220,7 +220,7 @@ sostatus_check_cron:
remove_post_setup_cron:
cron.absent:
- name: 'salt-call state.highstate'
- name: 'PATH=$PATH:/usr/sbin salt-call state.highstate'
- identifier: post_setup_cron
{% if GLOBALS.role not in ['eval', 'manager', 'managersearch', 'standalone'] %}
@@ -234,7 +234,7 @@ soversionfile:
{% endif %}
{% if GLOBALS.so_model %}
{% if GLOBALS.so_model and GLOBALS.so_model not in ['SO2AMI01', 'SO2AZI01', 'SO2GCI01'] %}
{% if GLOBALS.os == 'Rocky' %}
# Install Raid tools
raidpkgs:
@@ -246,9 +246,10 @@ raidpkgs:
{% endif %}
# Install raid check cron
so_raid_status:
so-raid-status:
cron.present:
- name: '/usr/sbin/so-raid-status > /dev/null 2>&1'
- identifier: so-raid-status
- user: root
- minute: '*/15'
- hour: '*'

20
salt/common/packages.sls
View File

@@ -5,28 +5,37 @@ commonpkgs:
pkg.installed:
- skip_suggestions: True
- pkgs:
- chrony
- apache2-utils
- wget
- ntpdate
- jq
- python3-docker
- curl
- ca-certificates
- software-properties-common
- apt-transport-https
- openssl
- netcat
- python3-mysqldb
- sqlite3
- libssl-dev
- python3-dateutil
- python3-m2crypto
- python3-mysqldb
- python3-packaging
- python3-watchdog
- python3-lxml
- git
- vim
# since Ubuntu requires and internet connection we can use pip to install modules
python3-pip:
pkg.installed
python-rich:
pip.installed:
- name: rich
- target: /usr/local/lib/python3.8/dist-packages/
- require:
- pkg: python3-pip
{% elif GLOBALS.os == 'Rocky' %}
commonpkgs:
pkg.installed:
@@ -51,6 +60,7 @@ commonpkgs:
- python3-m2crypto
- rsync
- python3-rich
- python3-pyyaml
- python3-watchdog
- python3-packaging
- unzip

2
salt/common/tools/sbin/so-analyst-install
View File

@@ -61,7 +61,7 @@ if [ -f "$pillar_file" ]; then
reboot;
else
echo "There was an issue applying the workstation state. Please review the log above or at /opt/so/logs/salt/minion."
echo "There was an issue applying the workstation state. Please review the log above or at /opt/so/log/salt/minion."
fi
else # workstation is already added
echo "The workstation pillar already exists in $pillar_file."

106
salt/common/tools/sbin/so-elastic-clear
View File

@@ -21,15 +21,33 @@ Security Onion Elastic Clear
-y Skip interactive mode
EOF
}
while getopts "h:y" OPTION
while getopts "h:cdely" OPTION
do
case $OPTION in
h)
usage
exit 0
;;
c)
DELETE_CASES_DATA=1
SKIP=1
;;
d)
DONT_STOP_SERVICES=1
SKIP=1
;;
e)
DELETE_ELASTALERT_DATA=1
SKIP=1
;;
l)
DELETE_LOG_DATA=1
SKIP=1
;;
y)
DELETE_CASES_DATA=1
DELETE_ELASTALERT_DATA=1
DELETE_LOG_DATA=1
SKIP=1
;;
*)
@@ -54,41 +72,83 @@ if [ $SKIP -ne 1 ]; then
if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
fi
# Check to see if Logstash are running
LS_ENABLED=$(so-status | grep logstash)
EA_ENABLED=$(so-status | grep elastalert)
if [ ! -z "$LS_ENABLED" ]; then
if [ -z "$DONT_STOP_SERVICES" ]; then
# Stop Elastic Agent
for i in $(pgrep elastic-agent | grep -v grep); do
kill -9 $i;
done
# Check to see if Elastic Fleet, Logstash, Elastalert are running
#EF_ENABLED=$(so-status | grep elastic-fleet)
LS_ENABLED=$(so-status | grep logstash)
EA_ENABLED=$(so-status | grep elastalert)
#if [ ! -z "$EF_ENABLED" ]; then
# /usr/sbin/so-elastic-fleet-stop
#fi
if [ ! -z "$LS_ENABLED" ]; then
/usr/sbin/so-logstash-stop
fi
fi
if [ ! -z "$EA_ENABLED" ]; then
if [ ! -z "$EA_ENABLED" ]; then
/usr/sbin/so-elastalert-stop
fi
fi
# Delete data
echo "Deleting data..."
if [ ! -z "$DELETE_CASES_DATA" ]; then
# Delete Cases data
echo "Deleting Cases data..."
INDXS=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index | grep "so-case")
for INDX in ${INDXS}
do
echo "Deleting $INDX"
/usr/sbin/so-elasticsearch-query ${INDX} -XDELETE > /dev/null 2>&1
done
fi
INDXS=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }')
for INDX in ${INDXS}
do
curl -K /opt/so/conf/elasticsearch/curl.config-XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1
done
# Delete Elastalert data
if [ ! -z "$DELETE_ELASTALERT_DATA" ]; then
# Delete Elastalert data
echo "Deleting Elastalert data..."
INDXS=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index | grep "elastalert")
for INDX in ${INDXS}
do
echo "Deleting $INDX"
/usr/sbin/so-elasticsearch-query ${INDX} -XDELETE > /dev/null 2>&1
done
fi
#Start Logstash
if [ ! -z "$LS_ENABLED" ]; then
# Delete log data
if [ ! -z "$DELETE_LOG_DATA" ]; then
echo "Deleting log data ..."
DATASTREAMS=$(/usr/sbin/so-elasticsearch-query _data_stream | jq -r '.[] |.[].name')
for DATASTREAM in ${DATASTREAMS}
do
# Delete the data stream
echo "Deleting $DATASTREAM..."
/usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} -XDELETE > /dev/null 2>&1
done
fi
if [ -z "$DONT_STOP_SERVICES" ]; then
#Start Logstash
if [ ! -z "$LS_ENABLED" ]; then
/usr/sbin/so-logstash-start
fi
fi
if [ ! -z "$EA_ENABLED" ]; then
#Start Elastic Fleet
#if [ ! -z "$EF_ENABLED" ]; then
# /usr/sbin/so-elastic-fleet-start
#fi
#Start Elastalert
if [ ! -z "$EA_ENABLED" ]; then
/usr/sbin/so-elastalert-start
fi
# Start Elastic Agent
/usr/bin/elastic-agent restart
fi

2
salt/common/tools/sbin/so-elastic-fleet-restart
View File

@@ -9,4 +9,4 @@
. /usr/sbin/so-common
/usr/sbin/so-restart elastic-fleet $1
/usr/sbin/so-restart elasticfleet $1

2
salt/common/tools/sbin/so-elastic-fleet-start
View File

@@ -9,4 +9,4 @@
. /usr/sbin/so-common
/usr/sbin/so-start elastic-fleet $1
/usr/sbin/so-start elasticfleet $1

2
salt/common/tools/sbin/so-elastic-fleet-stop
View File

@@ -9,4 +9,4 @@
. /usr/sbin/so-common
/usr/sbin/so-stop elastic-fleet $1
/usr/sbin/so-stop elasticfleet $1

3
salt/common/tools/sbin/so-status
View File

@@ -170,7 +170,8 @@ def main():
if "-h" in options or "--help" in options or "-?" in options:
showUsage(options, None)
if os.environ["USER"] != "root":
proc = subprocess.run(['id', '-u'], stdout=subprocess.PIPE, encoding="utf-8")
if proc.stdout.strip() != "0":
fail("This program must be run as root")
console = Console()

74
salt/curator/files/bin/so-curator-cluster-delete-delete
View File

@@ -16,67 +16,35 @@ overlimit() {
[[ $(/usr/sbin/so-elasticsearch-cluster-space-used) -gt "${LOG_SIZE_LIMIT}" ]]
}
closedindices() {
# If we can't query Elasticsearch, then immediately return false.
/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep close > /dev/null 2>&1
[ $? -eq 1 ] && return false
# First, get the list of closed indices using _cat/indices?h=index,status | grep close | awk '{print $1}'.
# Next, filter out any so-case indices.
# Finally, use grep's -q option to return true if there are any remaining logstash-, so-, or .ds-logs- indices.
/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep close | awk '{print $1}' | grep -v "so-case" | grep -q -E "(logstash-|so-|.ds-logs-)"
}
# Check for 2 conditions:
# 1. Are Elasticsearch indices using more disk space than LOG_SIZE_LIMIT?
# 2. Are there any closed indices that we can delete?
# If both conditions are true, keep on looping until one of the conditions is false.
while overlimit && closedindices; do
CLOSED_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep close | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
# We iterate through the closed indices
for CLOSED_INDEX in ${CLOSED_INDICES}; do
# Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream
# To do so, we need to identify to which data stream this index is associated
# We extract the data stream name using the pattern below
DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+"
DATASTREAM=$(echo "${CLOSED_INDEX}" | grep -oE "$DATASTREAM_PATTERN")
# We look up the data stream, and determine the write index
CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name)
# We make sure we are not trying to delete a write index
if [ "${CLOSED_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then
# This should not be a write index, so we should be allowed to delete it
/usr/sbin/so-elasticsearch-query ${CLOSED_INDEX} -XDELETE
# Finally, write a log entry that says we deleted it.
echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${CLOSED_INDEX} deleted ..." >> ${LOG}
fi
if ! overlimit; then
exit
fi
done
done
# Check to see if Elasticsearch indices using more disk space than LOG_SIZE_LIMIT
# Closed indices will be deleted first. If we are able to bring disk space under LOG_SIZE_LIMIT, we will break out of the loop.
while overlimit; do
# We need to determine the oldest open index.
# First, get the list of open indices using _cat/indices?h=index,status | grep open | awk '{print $1}'.
# Next, filter out any so-case indices and only select the remaining logstash-, so-, or .ds-logs- indices.
# Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field.
OPEN_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep open | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
# We iterate through the open indices
for OPEN_INDEX in ${OPEN_INDICES}; do
# If we can't query Elasticsearch, then immediately return false.
/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status > /dev/null 2>&1
[ $? -eq 1 ] && echo "$(date) - Could not query Elasticsearch." >> ${LOG} && exit
# We iterate through the closed and open indices
CLOSED_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'close$' | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
OPEN_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'open$' | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
for INDEX in ${CLOSED_INDICES} ${OPEN_INDICES}; do
# Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream
# To do so, we need to identify to which data stream this index is associated
# We extract the data stream name using the pattern below
DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+"
DATASTREAM=$(echo "${OPEN_INDEX}" | grep -oE "$DATASTREAM_PATTERN")
# We look up the data stream, and determine the write index
DATASTREAM=$(echo "${INDEX}" | grep -oE "$DATASTREAM_PATTERN")
# We look up the data stream, and determine the write index. If there is only one backing index, we delete the entire data stream
BACKING_INDICES=$(/usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} | jq -r '.data_streams[0].indices | length')
if [ "$BACKING_INDICES" -gt 1 ]; then
CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name)
# We make sure we are not trying to delete a write index
if [ "${OPEN_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then
if [ "${INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then
# This should not be a write index, so we should be allowed to delete it
/usr/sbin/so-elasticsearch-query ${OPEN_INDEX} -XDELETE
# Finally, write a log entry that says we deleted it.
echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${OPEN_INDEX} deleted ..." >> ${LOG}
printf "\n$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Deleting ${INDEX} index...\n" >> ${LOG}
/usr/sbin/so-elasticsearch-query ${INDEX} -XDELETE >> ${LOG} 2>&1
fi
else
# We delete the entire data stream, since there is only one backing index
printf "\n$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Deleting ${DATASTREAM} data stream...\n" >> ${LOG}
/usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} -XDELETE >> ${LOG} 2>&1
fi
if ! overlimit; then
exit

6
salt/curator/init.sls
View File

@@ -126,9 +126,10 @@ delete_so-curator_so-status.disabled:
- regex: ^so-curator$
{% endif %}
so-curatorclusterclose:
so-curator-cluster-close:
cron.present:
- name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1
- identifier: so-curator-cluster-close
- user: root
- minute: '2'
- hour: '*/1'
@@ -136,9 +137,10 @@ so-curatorclusterclose:
- month: '*'
- dayweek: '*'
so-curatorclusterdeletecron:
so-curator-cluster-delete:
cron.present:
- name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1
- identifier: so-curator-cluster-delete
- user: root
- minute: '*/5'
- hour: '*'

4
salt/elasticsearch/files/ingest/suricata.dns
View File

@@ -13,8 +13,8 @@
{ "rename": { "field": "message2.dns.rd", "target_field": "dns.recursion.desired", "ignore_missing": true } },
{ "rename": { "field": "message2.dns.ra", "target_field": "dns.recursion.available", "ignore_missing": true } },
{ "rename": { "field": "message2.dns.rcode", "target_field": "dns.response.code_name", "ignore_missing": true } },
{ "rename": { "field": "message2.grouped.A", "target_field": "dns.answers.data", "ignore_missing": true } },
{ "rename": { "field": "message2.grouped.CNAME", "target_field": "dns.answers.name", "ignore_missing": true } },
{ "rename": { "field": "message2.dns.grouped.A", "target_field": "dns.answers.data", "ignore_missing": true } },
{ "rename": { "field": "message2.dns.grouped.CNAME", "target_field": "dns.answers.name", "ignore_missing": true } },
{ "pipeline": { "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld" } },
{ "pipeline": { "name": "common" } }
]

6
salt/elasticsearch/init.sls
View File

@@ -177,6 +177,7 @@ esyml:
ESCONFIG: {{ ESCONFIG }}
- template: jinja
{% if GLOBALS.role != "so-searchnode" %}
escomponenttemplates:
file.recurse:
- name: /opt/so/conf/elasticsearch/templates/component
@@ -219,6 +220,7 @@ es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
- cmd: so-elasticsearch-templates
{% endfor %}
{% endif %}
{% endif %}
esroles:
file.recurse:
@@ -363,6 +365,8 @@ append_so-elasticsearch_so-status.conf:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-elasticsearch
{% if GLOBALS.role != "so-searchnode" %}
so-es-cluster-settings:
cmd.run:
- name: /usr/sbin/so-elasticsearch-cluster-settings
@@ -406,7 +410,7 @@ so-elasticsearch-roles-load:
- require:
- docker_container: so-elasticsearch
- file: es_sync_scripts
{% endif %}
{% else %}
{{sls}}_state_not_allowed:

3
salt/idstools/init.sls
View File

@@ -20,9 +20,10 @@ idstoolslogdir:
- group: 939
- makedirs: True
so-ruleupdatecron:
so-rule-update:
cron.present:
- name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1
- identifier: so-rule-update
- user: root
- minute: '1'
- hour: '7'

1
salt/influxdb/init.sls
View File

@@ -127,6 +127,7 @@ metrics_link_file:
get_influxdb_size:
cron.present:
- name: 'du -s -k /nsm/influxdb | cut -f1 > /opt/so/log/telegraf/influxdb_size.log 2>&1'
- identifier: get_influxdb_size
- user: root
- minute: '*/1'
- hour: '*'

46
salt/kibana/files/saved_objects.ndjson
View File

File diff suppressed because one or more lines are too long

6
salt/manager/init.sls
View File

@@ -51,7 +51,7 @@ repo_sync_script:
- group: root
- mode: 755
reposync_cron:
so-repo-sync:
{% if MANAGERMERGED.reposync.enabled %}
cron.present:
{% else %}
@@ -59,6 +59,7 @@ reposync_cron:
{% endif %}
- user: socore
- name: '/usr/sbin/so-repo-sync >> /opt/so/log/reposync/reposync.log 2>&1'
- identifier: so-repo-sync
- hour: '{{ MANAGERMERGED.reposync.hour }}'
- minute: '{{ MANAGERMERGED.reposync.minute }}'
@@ -83,10 +84,11 @@ yara_update_script:
ISAIRGAP: {{ GLOBALS.airgap }}
EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
strelka_yara_update:
strelka-yara-update:
cron.present:
- user: root
- name: '/usr/sbin/so-yara-update >> /nsm/strelka/log/yara-update.log 2>&1'
- identifier: strelka-yara-update
- hour: '7'
- minute: '1'

3
salt/manager/sync_es_users.sls
View File

@@ -24,8 +24,9 @@ sync_es_users:
# we dont want this added too early in setup, so we add the onlyif to verify 'startup_states: highstate'
# is in the minion config. That line is added before the final highstate during setup
sosyncusers:
so-user_sync:
cron.present:
- user: root
- name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log'
- identifier: so-user_sync
- onlyif: "grep 'startup_states: highstate' /etc/salt/minion"

11
salt/ntp/init.sls
View File

@@ -2,8 +2,13 @@
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'ntp/config.map.jinja' import NTPCONFIG %}
chrony_pkg:
pkg.installed:
- name: chrony
chronyconf:
file.managed:
- name: /etc/chrony.conf
@@ -12,8 +17,14 @@ chronyconf:
- defaults:
NTPCONFIG: {{ NTPCONFIG }}
{% if GLOBALS.os == 'Rocky' %}
chronyd:
{% else %}
chrony:
{% endif %}
service.running:
- enable: True
- watch:
- file: chronyconf
- require:
- pkg: chrony_pkg

6
salt/playbook/init.sls
View File

@@ -113,15 +113,17 @@ append_so-playbook_so-status.conf:
{% endif %}
so-playbooksynccron:
so-playbook-sync_cron:
cron.present:
- name: /usr/sbin/so-playbook-sync > /opt/so/log/playbook/sync.log 2>&1
- identifier: so-playbook-sync_cron
- user: root
- minute: '*/5'
so-playbookruleupdatecron:
so-playbook-ruleupdate_cron:
cron.present:
- name: /usr/sbin/so-playbook-ruleupdate > /opt/so/log/playbook/update.log 2>&1
- identifier: so-playbook-ruleupdate_cron
- user: root
- minute: '1'
- hour: '6'

20
salt/repo/client/ubuntu.sls
View File

@@ -1,20 +0,0 @@
# this removes the repo file left by bootstrap-salt.sh without -r
remove_salt.list:
file.absent:
- name: /etc/apt/sources.list.d/salt.list
saltstack.list:
file.managed:
- name: /etc/apt/sources.list.d/saltstack.list
- contents:
- deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt3004.2/ {{grains.oscodename}} main
apt_update:
cmd.run:
- name: apt-get update
- onchanges:
- file: saltstack.list
- timeout: 30
- retry:
attempts: 5
interval: 30

10
salt/salt/init.sls
View File

@@ -1,16 +1,8 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if GLOBALS.os != 'Rocky' %}
{% if grains.oscodename == 'focal' %}
saltpymodules:
pkg.installed:
- pkgs:
{% if grains['oscodename'] == 'bionic' %}
- python-m2crypto
- python-docker
{% elif grains['oscodename'] == 'focal' %}
- python3-m2crypto
- python3-docker
{% endif %}
{% endif %}
salt_bootstrap:

5
salt/salt/minion-check.sls
View File

@@ -12,8 +12,9 @@ state-apply-test:
start: 0
end: 180
/usr/sbin/so-salt-minion-check -q:
so-salt-minion-check_cron:
cron.present:
- identifier: so-salt-minion-check
- name: /usr/sbin/so-salt-minion-check -q
- identifier: so-salt-minion-check_cron
- user: root
- minute: '*/5'

1
salt/setup/highstate_cron.sls
View File

@@ -1,6 +1,7 @@
post_setup_cron:
cron.present:
- name: 'PATH=$PATH:/usr/sbin salt-call state.highstate'
- identifier: post_setup_cron
- user: root
- minute: '*/1'
- identifier: post_setup_cron

21
salt/soc/files/bin/salt-relay.sh
View File

@@ -6,7 +6,8 @@
PIPE_OWNER=${PIPE_OWNER:-socore}
PIPE_GROUP=${PIPE_GROUP:-socore}
SOC_PIPE=${SOC_PIPE_REQUEST:-/opt/so/conf/soc/salt/pipe}
SOC_PIPE=${SOC_PIPE:-/opt/so/conf/soc/salt/pipe}
CMD_PREFIX=${CMD_PREFIX:-""}
PATH=${PATH}:/usr/sbin
function log() {
@@ -26,7 +27,7 @@ function make_pipe() {
make_pipe "${SOC_PIPE}"
function list_minions() {
response=$(so-minion -o=list)
response=$($CMD_PREFIX so-minion -o=list)
exit_code=$?
if [[ $exit_code -eq 0 ]]; then
log "Successful command execution"
@@ -42,7 +43,7 @@ function manage_minion() {
op=$(echo "$request" | jq -r .operation)
id=$(echo "$request" | jq -r .id)
response=$(so-minion "-o=$op" "-m=$id")
response=$($CMD_PREFIX so-minion "-o=$op" "-m=$id")
exit_code=$?
if [[ exit_code -eq 0 ]]; then
log "Successful command execution"
@@ -75,14 +76,14 @@ function manage_user() {
add|enable|disable|delete)
email=$(echo "$request" | jq -r .email)
log "Performing user '$op' for user '$email'"
response=$(so-user "$op" --email "$email" --skip-sync)
response=$($CMD_PREFIX so-user "$op" --email "$email" --skip-sync)
exit_code=$?
;;
addrole|delrole)
email=$(echo "$request" | jq -r .email)
role=$(echo "$request" | jq -r .role)
log "Performing '$op' for user '$email' with role '$role'"
response=$(so-user "$op" --email "$email" --role "$role" --skip-sync)
response=$($CMD_PREFIX so-user "$op" --email "$email" --role "$role" --skip-sync)
exit_code=$?
;;
password)
@@ -98,12 +99,12 @@ function manage_user() {
lastName=$(echo "$request" | jq -r .lastName)
note=$(echo "$request" | jq -r .note)
log "Performing '$op' update for user '$email' with firstname '$firstName', lastname '$lastName', and note '$note'"
response=$(so-user "$op" --email "$email" --firstName "$firstName" --lastName "$lastName" --note "$note")
response=$($CMD_PREFIX so-user "$op" --email "$email" --firstName "$firstName" --lastName "$lastName" --note "$note")
exit_code=$?
;;
sync)
log "Performing '$op'"
response=$(so-user "$op")
response=$($CMD_PREFIX so-user "$op")
exit_code=$?
;;
*)
@@ -142,17 +143,17 @@ function manage_salt() {
state)
log "Performing '$op' for '$state' on minion '$minion'"
state=$(echo "$request" | jq -r .state)
response=$(salt --async "$minion" state.apply "$state" queue=True)
response=$($CMD_PREFIX salt --async "$minion" state.apply "$state" queue=True)
exit_code=$?
;;
highstate)
log "Performing '$op' on minion $minion"
response=$(salt --async "$minion" state.highstate queue=True)
response=$($CMD_PREFIX salt --async "$minion" state.highstate queue=True)
exit_code=$?
;;
activejobs)
response=$($CMD_PREFIX salt-run jobs.active -out json -l quiet)
log "Querying active salt jobs"
response=$(salt-run jobs.active -out json -l quiet)
$(echo "$response" > "${SOC_PIPE}")
return
;;

1
salt/soc/init.sls
View File

@@ -91,6 +91,7 @@ socusersroles:
salt-relay:
cron.present:
- name: 'ps -ef | grep salt-relay.sh | grep -v grep > /dev/null 2>&1 || /opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1 &'
- identifier: salt-relay
so-soc:
docker_container.running:

2
salt/strelka/init.sls
View File

@@ -205,11 +205,13 @@ filecheck_restart:
filecheck_run:
cron.present:
- name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
- identifier: filecheck_run
- user: {{ filecheck_runas }}
filcheck_history_clean:
cron.present:
- name: '/usr/bin/find /nsm/strelka/history/ -type f -mtime +2 -exec rm {} + > /dev/null 2>&1'
- identifier: filecheck_history_clean
- minute: '33'
# End Filecheck Section

15
salt/suricata/init.sls
View File

@@ -79,8 +79,10 @@ surilogscript:
- source: salt://suricata/cron/surilogcompress
- mode: 755
/usr/local/bin/surilogcompress:
surilogcompress:
cron.present:
- name: /usr/local/bin/surilogcompress
- identifier: surilogcompress
- user: suricata
- minute: '17'
- hour: '*'
@@ -181,16 +183,6 @@ delete_so-suricata_so-status.disabled:
- regex: ^so-suricata$
{% endif %}
surirotate:
cron.absent:
- name: /usr/local/bin/surirotate
- user: root
- minute: '11'
- hour: '*'
- daymonth: '*'
- month: '*'
- dayweek: '*'
so-suricata-eve-clean:
file.managed:
- name: /usr/sbin/so-suricata-eve-clean
@@ -204,6 +196,7 @@ so-suricata-eve-clean:
clean_suricata_eve_files:
cron.present:
- name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1
- identifier: clean_suricata_eve_files
- user: root
- minute: '*/5'
- hour: '*'

1
salt/zeek/defaults.yaml
View File

@@ -21,6 +21,7 @@ zeek:
SpoolDir: /nsm/zeek/spool
CfgDir: /opt/zeek/etc
CompressLogs: 1
ZeekPort: 27760
local:
load:
- misc/loaded-scripts

73
setup/so-functions
View File

@@ -674,8 +674,13 @@ configure_ntp() {
'rtcsync' \
'logdir /var/log/chrony' >> $chrony_conf
if [ "$OS" == 'rocky' ]; then
systemctl enable chronyd
systemctl restart chronyd
elif [ "$OS" == 'ubuntu' ]; then
systemctl enable chrony
systemctl restart chrony
fi
# Tell the chrony daemon to sync time & update the system time
# Since these commands only make a call to chronyd, wait after each command to make sure the changes are made
@@ -770,11 +775,12 @@ check_requirements() {
}
check_sos_appliance() {
title "Is this is an SOS Appliance?"
if [ -f "/etc/SOSMODEL" ]; then
local MODEL=$(cat /etc/SOSMODEL)
info "Found SOS Model $MODEL"
echo "sosmodel: $MODEL" >> /etc/salt/grains
else
info "Not an appliance"
fi
}
@@ -959,19 +965,23 @@ installer_progress_loop() {
}
installer_prereq_packages() {
if [ "$OS" == rocky ]; then
if [[ ! $is_iso ]]; then
if ! command -v nmcli > /dev/null 2>&1; then
logCmd "dnf -y install NetworkManager"
fi
fi
logCmd "systemctl enable NetworkManager"
logCmd "systemctl start NetworkManager"
elif [ "$OS" == ubuntu ]; then
# if [ "$OS" == rocky ]; then
# if [[ ! $is_iso ]]; then
# if ! command -v nmcli > /dev/null 2>&1; then
# logCmd "dnf -y install NetworkManager"
# fi
# fi
# logCmd "systemctl enable NetworkManager"
# logCmd "systemctl start NetworkManager"
# el
if [ "$OS" == ubuntu ]; then
# Print message to stdout so the user knows setup is doing something
info "Running apt-get update"
retry 150 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
# Install network manager so we can do interface stuff
if ! command -v nmcli > /dev/null 2>&1; then
info "Installing network-manager"
retry 150 10 "apt-get -y install network-manager" >> "$setup_log" 2>&1 || exit 1
{
systemctl enable NetworkManager
@@ -2008,14 +2018,19 @@ saltify() {
)
retry 150 20 "apt-get -y install ${pkg_arr[*]}" || exit 1
logCmd "mkdir -vp /opt/so/gpg"
logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt/SALTSTACK-GPG-KEY.pub"
logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg"
logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub"
logCmd "apt-key add /opt/so/gpg/docker.pub"
logCmd "mkdir -vp /etc/apt/keyrings"
#logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt/SALTSTACK-GPG-KEY.pub"
logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg"
logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/3006.0rc3/SALT-PROJECT-GPG-PUBKEY-2023.gpg"
echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/3006.0rc3/ focal main" | sudo tee /etc/apt/sources.list.d/salt.list
logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.gpg"
#logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub"
logCmd "apt-key add /etc/apt/keyrings/docker.pub"
# Add SO Saltstack Repo
echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt3004.2/ focal main" > /etc/apt/sources.list.d/saltstack.list
#echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt3004.2/ focal main" > /etc/apt/sources.list.d/saltstack.list
# Add Docker Repo
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
@@ -2023,27 +2038,25 @@ saltify() {
# Ain't nothing but a GPG
retry 150 20 "apt-get update" "" "Err:" || exit 1
retry 150 20 "apt-get -y install salt-minion=3004.2+ds-1 salt-common=3004.2+ds-1" || exit 1
retry 150 20 "apt-get -y install salt-common salt-minion" || exit 1
retry 150 20 "apt-mark hold salt-minion salt-common" || exit 1
retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" || exit 1
#retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" || exit 1
fi
if [[ $is_rocky ]]; then
# THIS IS A TEMP HACK
#logCmd "dnf -y install securityonion-salt python3-audit python3-libsemanage python3-policycoreutils python3-setools python3-setuptools python3-chardet python3-idna python3-pysocks python3-requests python3-urllib3 python3-websocket-client python3-docker"
if [[ $waitforstate ]]; then
# install all for a manager
logCmd "dnf -y install salt salt-master salt-minion"
else
# We just need the minion
logCmd "dnf -y install salt salt-minion"
fi
fi
logCmd "mkdir -p /etc/salt/minion.d"
logCmd "salt-pip install docker --no-index --only-binary=:all: --find-links files/salt_module_deps/docker/"
logCmd "salt-pip install pymysql --no-index --only-binary=:all: --find-links files/salt_module_deps/pymysql/"
#if [[ $waitforstate ]]; then
# # Since this is a salt master so let's install it
# logCmd ""
#else
# # We just need the minion
# logCmd "dnf -y install salt-minion"
#fi
fi
}
@@ -2383,7 +2396,9 @@ update_packages() {
logCmd "dnf repolist"
logCmd "dnf -y update --allowerasing --exclude=salt*,wazuh*,docker*,containerd*"
else
retry 150 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1
info "Running apt-get update"
retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
info "Running apt-get upgrade"
retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1
fi
}

27
setup/so-setup
View File

@@ -337,7 +337,7 @@ if ! [[ -f $install_opt_file ]]; then
# If you are a manager ask ALL the manager things here. I know there is code re-use but this makes it easier to add new roles.
if [[ $is_eval ]]; then
waitforstate=true
ubuntu_check
#ubuntu_check
monints=true
check_elastic_license
check_requirements "manager"
@@ -361,7 +361,7 @@ if ! [[ -f $install_opt_file ]]; then
whiptail_end_settings
elif [[ $is_standalone ]]; then
waitforstate=true
ubuntu_check
#ubuntu_check
monints=true
check_elastic_license
check_requirements "manager"
@@ -386,7 +386,7 @@ if ! [[ -f $install_opt_file ]]; then
elif [[ $is_manager ]]; then
check_elastic_license
waitforstate=true
ubuntu_check
#ubuntu_check
check_requirements "manager"
networking_needful
collect_net_method
@@ -408,7 +408,7 @@ if ! [[ -f $install_opt_file ]]; then
elif [[ $is_managersearch ]]; then
check_elastic_license
waitforstate=true
ubuntu_check
#ubuntu_check
check_requirements "manager"
networking_needful
collect_net_method
@@ -428,7 +428,8 @@ if ! [[ -f $install_opt_file ]]; then
collect_so_allow
whiptail_end_settings
elif [[ $is_sensor ]]; then
ubuntu_check
#ubuntu_check
installer_prereq_packages
monints=true
check_requirements "sensor"
calculate_useable_cores
@@ -444,7 +445,8 @@ if ! [[ -f $install_opt_file ]]; then
whiptail_end_settings
elif [[ $is_searchnode ]]; then
ubuntu_check
#ubuntu_check
installer_prereq_packages
check_requirements "elasticsearch"
networking_needful
check_network_manager_conf
@@ -457,7 +459,8 @@ if ! [[ -f $install_opt_file ]]; then
whiptail_end_settings
elif [[ $is_heavynode ]]; then
ubuntu_check
#ubuntu_check
installer_prereq_packages
monints=true
check_requirements "heavynode"
calculate_useable_cores
@@ -469,7 +472,8 @@ if ! [[ -f $install_opt_file ]]; then
whiptail_end_settings
elif [[ $is_idh ]]; then
ubuntu_check
#ubuntu_check
installer_prereq_packages
check_requirements "idh"
networking_needful
collect_mngr_hostname
@@ -481,7 +485,7 @@ if ! [[ -f $install_opt_file ]]; then
whiptail_end_settings
elif [[ $is_import ]]; then
ubuntu_check
#ubuntu_check
waitforstate=true
monints=true
check_elastic_license
@@ -503,7 +507,8 @@ if ! [[ -f $install_opt_file ]]; then
whiptail_end_settings
elif [[ $is_receiver ]]; then
ubuntu_check
#ubuntu_check
installer_prereq_packages
check_requirements "receiver"
networking_needful
collect_mngr_hostname
@@ -594,6 +599,7 @@ if ! [[ -f $install_opt_file ]]; then
# Start the master service
copy_salt_master_config
configure_minion "$minion_type"
check_sos_appliance
logCmd "salt-key -yd $MINION_ID"
logCmd "salt-call state.show_top"
@@ -656,6 +662,7 @@ if ! [[ -f $install_opt_file ]]; then
update_packages
saltify
configure_minion "$minion_type"
check_sos_appliance
drop_install_options
checkin_at_boot
logCmd "salt-call state.apply setup.highstate_cron --local --file-root=../salt/"

17
setup/so-whiptail
View File

@@ -523,6 +523,7 @@ whiptail_install_type() {
[ -n "$TESTING" ] && return
# What kind of install are we doing?
if [[ $OS = 'rocky' ]]; then
install_type=$(whiptail --title "$whiptail_title" --menu \
"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture.html" 18 65 5 \
"IMPORT" "Import PCAP or log files " \
@@ -532,6 +533,14 @@ whiptail_install_type() {
"OTHER" "Other install types" \
3>&1 1>&2 2>&3
)
elif [[ $OS = 'ubuntu' ]]; then
install_type=$(whiptail --title "$whiptail_title" --menu \
"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture.html" 18 65 5 \
"DISTRIBUTED" "Distributed install submenu " \
"OTHER" "Other install types" \
3>&1 1>&2 2>&3
)
fi
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -554,11 +563,19 @@ whiptail_install_type_dist() {
[ -n "$TESTING" ] && return
if [[ $OS = 'rocky' ]]; then
dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 11 75 2 \
"New Deployment " "Create a new Security Onion deployment" \
"Existing Deployment " "Join to an existing Security Onion deployment " \
3>&1 1>&2 2>&3
)
elif [[ $OS = 'ubuntu' ]]; then
dist_option=$(whiptail --title "$whiptail_title" --menu "Since this is Ubuntu, this box can only be connected to \nan existing deployment." 11 75 2 \
"Existing Deployment " "Join to an existing Security Onion deployment " \
3>&1 1>&2 2>&3
)
fi
local exitstatus=$?
whiptail_check_exitstatus $exitstatus