CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/2.4/dev' into issue/10229

Browse Source
This commit is contained in:
m0duspwnens
2023-05-16 09:22:48 -04:00
parent a0e08e4f41 1724565331
commit b253cd45ca
9 changed files with 49 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
salt/docker/defaults.yaml
View File

@@ -73,6 +73,7 @@ docker:
- 80:80 - 80:80
- 443:443 - 443:443
- 8443:8443 - 8443:8443
- 7788:7788
custom_bind_mounts: [] custom_bind_mounts: []
extra_hosts: [] extra_hosts: []
'so-playbook': 'so-playbook':

2
salt/elasticfleet/install_agent_grid.sls
View File

@@ -9,7 +9,7 @@
run_installer: run_installer:
cmd.script: cmd.script:
- name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux - name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64
- cwd: /opt/so - cwd: /opt/so
- args: -token={{ GRIDNODETOKEN }} - args: -token={{ GRIDNODETOKEN }}

40
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
View File

@@ -4,20 +4,23 @@
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0. # this file except in compliance with the Elastic License 2.0.
#so-elastic-agent-gen-installers $FleetHost $EnrollmentToken #so-elastic-agent-gen-installers $FleetHostURLs $EnrollmentToken
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
. /usr/sbin/so-common . /usr/sbin/so-common
FLEETHOST="https://{{ GLOBALS.manager_ip }}:8220"
for i in {1..30}
do
ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints")) | .api_key') ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints")) | .api_key')
#FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts' | jq -r '.items[].host_urls[]' | paste -sd ',')
if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]]; then break; else sleep 10; fi
done
if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then printf "\nFleet Host URL or Enrollment Token empty - exiting..." && exit; fi
#FLEETHOST=$(lookup_pillar "server:url" "elasticfleet") OSARCH=( "linux-x86_64" "windows-x86_64" "darwin-x86_64" "darwin-aarch64" )
FLEETHOST="{{ GLOBALS.manager_ip }}"
#FLEETHOST=$1
#ENROLLMENTOKEN=$2
TARGETOS=( "linux" "darwin" "windows" )
printf "\n### Creating a temp directory at /nsm/elastic-agent-workspace\n" printf "\n### Creating a temp directory at /nsm/elastic-agent-workspace\n"
rm -rf /nsm/elastic-agent-workspace rm -rf /nsm/elastic-agent-workspace
@@ -25,9 +28,10 @@ mkdir -p /nsm/elastic-agent-workspace
printf "\n### Extracting outer tarball and then each individual tarball/zip\n" printf "\n### Extracting outer tarball and then each individual tarball/zip\n"
tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-{{ GLOBALS.so_version }}.tar.gz -C /nsm/elastic-agent-workspace/ tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-{{ GLOBALS.so_version }}.tar.gz -C /nsm/elastic-agent-workspace/
unzip /nsm/elastic-agent-workspace/elastic-agent-*.zip -d /nsm/elastic-agent-workspace/ unzip -q /nsm/elastic-agent-workspace/elastic-agent-*.zip -d /nsm/elastic-agent-workspace/
for archive in /nsm/elastic-agent-workspace/*.tar.gz for archive in /nsm/elastic-agent-workspace/*.tar.gz
do do
printf "\nExtracting $archive..."
tar xf "$archive" -C /nsm/elastic-agent-workspace/ tar xf "$archive" -C /nsm/elastic-agent-workspace/
done done
@@ -35,23 +39,27 @@ printf "\n### Stripping out unused components"
find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -regex '.*fleet.*\|.*packet.*\|.*apm*.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -regex '.*fleet.*\|.*packet.*\|.*apm*.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete
printf "\n### Tarring everything up again" printf "\n### Tarring everything up again"
for OS in "${TARGETOS[@]}" for OS in "${OSARCH[@]}"
do do
printf "\nCreating tarball for $OS..."
rm -rf /nsm/elastic-agent-workspace/elastic-agent rm -rf /nsm/elastic-agent-workspace/elastic-agent
mv /nsm/elastic-agent-workspace/elastic-agent-*-$OS-x86_64 /nsm/elastic-agent-workspace/elastic-agent mv /nsm/elastic-agent-workspace/elastic-agent-*-$OS /nsm/elastic-agent-workspace/elastic-agent
tar -czvf /nsm/elastic-agent-workspace/$OS.tar.gz -C /nsm/elastic-agent-workspace elastic-agent tar -czf /nsm/elastic-agent-workspace/$OS.tar.gz -C /nsm/elastic-agent-workspace elastic-agent
done done
GOTARGETOS=( "linux" "windows" "darwin" "darwin/arm64" )
GOARCH="amd64"
printf "\n### Generating OS packages using the cleaned up tarballs" printf "\n### Generating OS packages using the cleaned up tarballs"
for OS in "${TARGETOS[@]}" for GOOS in "${GOTARGETOS[@]}"
do do
printf "\n\n### Generating $OS Installer...\n" if [[ $GOOS == 'darwin/arm64' ]]; then GOOS="darwin" && GOARCH="arm64"; fi
docker run -e CGO_ENABLED=0 -e GOOS=$OS \ printf "\n\n### Generating $GOOS/$GOARCH Installer...\n"
docker run -e CGO_ENABLED=0 -e GOOS=$GOOS -e GOARCH=$GOARCH \
--mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \ --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \
--mount type=bind,source=/nsm/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \ --mount type=bind,source=/nsm/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \
--mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \ --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \
{{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_$OS {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHostURLsList=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_${GOOS}_${GOARCH}
printf "\n### $OS Installer Generated...\n" printf "\n### $GOOS/$GOARCH Installer Generated...\n"
done done
printf "\n### Cleaning up temp files in /nsm/elastic-agent-workspace" printf "\n### Cleaning up temp files in /nsm/elastic-agent-workspace"

9
salt/firewall/defaults.yaml
View File

@@ -94,6 +94,10 @@ firewall:
tcp: tcp:
- 5601 - 5601
udp: [] udp: []
localrules:
tcp:
- 7788
udp: []
mysql: mysql:
tcp: tcp:
- 3306 - 3306
@@ -181,6 +185,7 @@ firewall:
- influxdb - influxdb
- elasticsearch_rest - elasticsearch_rest
- elasticsearch_node - elasticsearch_node
- localrules
sensor: sensor:
portgroups: portgroups:
- beats_5044 - beats_5044
@@ -364,6 +369,7 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
- localrules
sensor: sensor:
portgroups: portgroups:
- beats_5044 - beats_5044
@@ -501,6 +507,7 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
- localrules
sensor: sensor:
portgroups: portgroups:
- beats_5044 - beats_5044
@@ -648,6 +655,7 @@ firewall:
- elastic_agent_update - elastic_agent_update
- endgame - endgame
- strelka_frontend - strelka_frontend
- localrules
fleet: fleet:
portgroups: portgroups:
- elasticsearch_rest - elasticsearch_rest
@@ -1005,6 +1013,7 @@ firewall:
- elasticsearch_rest - elasticsearch_rest
- elasticsearch_node - elasticsearch_node
- elastic_agent_control - elastic_agent_control
- localrules
sensor: sensor:
portgroups: portgroups:
- beats_5044 - beats_5044

3
salt/firewall/soc_firewall.yaml
View File

@@ -118,6 +118,9 @@ firewall:
kibana: kibana:
tcp: *tcpsettings tcp: *tcpsettings
udp: *udpsettings udp: *udpsettings
localrules:
tcp: *tcpsettings
udp: *udpsettings
mysql: mysql:
tcp: *tcpsettings tcp: *tcpsettings
udp: *udpsettings udp: *udpsettings

2
salt/idstools/etc/rulecat.conf
View File

@@ -3,7 +3,7 @@
{%- if GLOBALS.airgap is sameas true -%} {%- if GLOBALS.airgap is sameas true -%}
--merged=/opt/so/rules/nids/all.rules --merged=/opt/so/rules/nids/all.rules
--local=/opt/so/rules/nids/local.rules --local=/opt/so/rules/nids/local.rules
{%- if GLOBAL.md_engine == "SURICATA" %} {%- if GLOBALS.md_engine == "SURICATA" %}
--local=/opt/so/rules/nids/sorules/extraction.rules --local=/opt/so/rules/nids/sorules/extraction.rules
--local=/opt/so/rules/nids/sorules/filters.rules --local=/opt/so/rules/nids/sorules/filters.rules
{%- endif %} {%- endif %}

12
setup/so-functions
View File

@@ -37,14 +37,8 @@ logCmd() {
airgap_rules() { airgap_rules() {
# Copy the rules for suricata if using Airgap # Copy the rules for suricata if using Airgap
mkdir -p /nsm/repo/rules mkdir -p /nsm/rules
cp -v /root/SecurityOnion/agrules/emerging-all.rules /nsm/repo/rules/ cp -Rv /root/SecurityOnion/agrules/* /nsm/rules/
# Copy over sigma rules
cp -Rv /root/SecurityOnion/agrules/sigma /nsm/repo/rules/
# Don't leave Strelka out
cp -Rv /root/SecurityOnion/agrules/strelka /nsm/repo/rules/
} }
add_admin_user() { add_admin_user() {
@@ -973,7 +967,7 @@ download_elastic_agent_artifacts() {
else else
logCmd "mkdir -p /nsm/elastic-fleet/artifacts/beats/elastic-agent/" logCmd "mkdir -p /nsm/elastic-fleet/artifacts/beats/elastic-agent/"
logCmd "curl --retry 5 --retry-delay 60 https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz" logCmd "curl --retry 5 --retry-delay 60 https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz"
logCmd "tar -xf /nsm/elastic-fleet/artifacts/beats/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/"
fi fi
} }

5
setup/so-setup
View File

@@ -202,12 +202,13 @@ if [ -n "$test_profile" ]; then
MINION_CIDR=10.0.0.0/8 MINION_CIDR=10.0.0.0/8
MSRV=manager MSRV=manager
if [[ "$test_profile" =~ "-net" ]]; then if [[ "$test_profile" =~ "-net" ]] || [[ "$test_profile" =~ "-iso" ]]; then
address_type=DHCP address_type=DHCP
elif [[ "$test_profile" =~ "-cloud" ]]; then elif [[ "$test_profile" =~ "-cloud" ]]; then
MSRVIP=10.99.1.20 MSRVIP=10.99.1.20
elif [[ "$test_profile" =~ "-airgap" ]]; then elif [[ "$test_profile" =~ "-airgap" ]]; then
is_airgap=true is_airgap=true
address_type=DHCP
fi fi
if [ -f "/root/public_ip" ]; then if [ -f "/root/public_ip" ]; then
@@ -224,6 +225,8 @@ if [ -n "$test_profile" ]; then
WEBUSER=onionuser@somewhere.invalid WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r WEBPASSWD2=0n10nus3r
update_sudoers_for_testing
fi fi
# Make sure the setup type is suppoted. # Make sure the setup type is suppoted.

1
setup/so-verify
View File

@@ -44,6 +44,7 @@ log_has_errors() {
grep -vE "Exception in callback None" | \ grep -vE "Exception in callback None" | \
grep -vE "deprecation: ERROR" | \ grep -vE "deprecation: ERROR" | \
grep -vE "code: 100" | \ grep -vE "code: 100" | \
grep -vE "/nsm/repo/rules/sigma/rules*" | \
grep -vE "Running scope as unit" &> "$error_log" grep -vE "Running scope as unit" &> "$error_log"
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then