From b1c09a9b72ffb5b3a88beb42da1e9fd94dcdb8b6 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 28 Jul 2020 15:23:17 -0400
Subject: [PATCH 01/11] Typo fix - ingest parser - win.eventlogs

---
 salt/elasticsearch/files/ingest/win.eventlogs | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/salt/elasticsearch/files/ingest/win.eventlogs b/salt/elasticsearch/files/ingest/win.eventlogs
index acdf97263..b6022f294 100644
--- a/salt/elasticsearch/files/ingest/win.eventlogs
+++ b/salt/elasticsearch/files/ingest/win.eventlogs
@@ -1,13 +1,11 @@
 {
 "description" : "win.eventlogs",
 "processors" : [
- { "set": { "if": "ctx.winlog?.channel != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } },
 { "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } },
 { "set": { "if": "ctx.winlog?.channel != null", "field": "event.dataset", "value": "{{winlog.channel}}", "override": true } },
 { "rename": { "field": "agent.hostname", "target_field": "agent.name", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } }
 ]
-}
\ No newline at end of file
+}

From e7b9e001e1ed485c1a88dfe06066aab1b9ab3468 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 28 Jul 2020 22:08:00 -0400
Subject: [PATCH 02/11] mysql init.sls - change startup time from 2 min to 15min

Closes https://github.com/Security-Onion-Solutions/securityonion/issues/1106
---
 salt/mysql/init.sls | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls
index c4caa5fcd..78240fe2f 100644
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
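Review bot: Dropping the `winlog.event_data.SubjectUserName` → `user.name` rename narrows which records get `user.name` populated: after this hunk only events carrying `event_data.User` are normalized, so any rule or dashboard keyed on `user.name` would, as far as the visible processors show, stop matching events that only carry `SubjectUserName`. If the goal was to stop two processors writing the same target, keep the second rename as a guarded fallback, `{ "rename": { "if": "ctx.user?.name == null", "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } },`, instead of deleting it. The subject line says "Typo fix" while the hunk also removes the `event.module` set processor; a commit message naming both removals would help anyone later tracing why `event.module` disappeared from these documents.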
@@ -89,7 +89,7 @@ so-mysql:
 - /opt/so/conf/mysql/etc
 cmd.run:
 - name: until nc -z {{ MAINIP }} 3306; do sleep 1; done
- - timeout: 120
+ - timeout: 900
 - onchanges:
 - docker_container: so-mysql
-{% endif %}
\ No newline at end of file
+{% endif %}

From 7d432091e2d8e7a68c1fe14a043bff2b6bcafba8 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Wed, 29 Jul 2020 08:35:07 -0400
Subject: [PATCH 03/11] Remove LS syslog port binding

---
 pillar/logstash/init.sls | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pillar/logstash/init.sls b/pillar/logstash/init.sls
index 6d51d0471..c2dfd9cfd 100644
--- a/pillar/logstash/init.sls
+++ b/pillar/logstash/init.sls
@@ -1,7 +1,6 @@
 logstash:
 docker_options:
 port_bindings:
- - 0.0.0.0:514:514
 - 0.0.0.0:5044:5044
 - 0.0.0.0:5644:5644
 - 0.0.0.0:6050:6050

From e3da326fcb5a03791d0d1eb5d34e2a6a2fe4aa43 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 29 Jul 2020 09:27:18 -0400
Subject: [PATCH 04/11] Remove non used pillar items

---
 setup/so-functions | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index c955c5f8b..5d5c9f585 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1510,9 +1510,6 @@ sensor_pillar() {
 echo " suriprocs: $BASICSURI" >> "$pillar_file"
 fi
 printf '%s\n'\
- " zeekbpf:"\
- " pcapbpf:"\
- " nidsbpf:"\
 " manager: $MSRV"\
 " mtu: $MTU"\
 " uniqueid: $(date '+%s')" >> "$pillar_file"

From 9db390023be344edd44b17f29cebe39163a4d57a Mon Sep 17 00:00:00 2001
From: weslambert
Date: Wed, 29 Jul 2020 13:51:46 -0400
Subject: [PATCH 05/11] Increase timeout from 10s to 30s

---
 salt/wazuh/files/agent/wazuh-register-agent | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent
index f2fd8693f..bed0ba57f 100755
--- a/salt/wazuh/files/agent/wazuh-register-agent
+++ b/salt/wazuh/files/agent/wazuh-register-agent
@@ -135,7 +135,7 @@ shift $(($OPTIND - 1))
 # fi
 # Default action -> try to register the agent
-sleep 10s
+sleep 30s
 STATUS=$(curl -s -k -u $USER:$PASSWORD $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID | jq .data.status | sed s'/"//g')
 if [[ $STATUS == "Active" ]]; then
 echo "Agent $AGENT_ID already registered!"

From c48ba8abaf2b22483f6e5368d35c731c70188d13 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Wed, 29 Jul 2020 13:52:12 -0400
Subject: [PATCH 06/11] Re-arrange config

---
 salt/wazuh/init.sls | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index 314a5f47f..2695febd5 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -46,13 +46,6 @@ wazuhpkgs:
 - hold: True
 - update_holds: True
-wazuhdir:
- file.directory:
- - name: /nsm/wazuh
- - user: 945
- - group: 945
- - makedirs: True
-
 # Add Wazuh agent conf
 wazuhagentconf:
 file.managed:
@@ -62,6 +55,13 @@ wazuhagentconf:
 - group: 945
 - template: jinja
+wazuhdir:
+ file.directory:
+ - name: /nsm/wazuh
+ - user: 945
+ - group: 945
+ - makedirs: True
+
 # Wazuh agent registration script
 wazuhagentregister:
 file.managed:

From 2fab00458b0ddcd1fa083584a8c77dfb3bb207f1 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 30 Jul 2020 10:23:00 -0400
Subject: [PATCH 07/11] Add randomized play secrets for Cortex + TheHive

---
 setup/so-functions | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/setup/so-functions b/setup/so-functions
index 5d5c9f585..2f1ea7198 100755
--- a/setup/so-functions
+++ b/setup/so-functions
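Review bot: The new `sleep 30s` is still a fixed guess rather than a readiness check, so slow managers will still race past it and fast ones wait the full 30 s before the `STATUS` query on the next line. A bounded poll that stops as soon as the API answers keeps the same worst case with a better typical case, as sketched below. The `curl -s -k -u $USER:$PASSWORD …` context line (TLS verification disabled, credentials on the command line, unquoted expansions) predates this change and is worth a separate follow-up; the script body around this hunk continues outside it.

```shell
# Default action -> try to register the agent
# Poll the manager API until it answers, bounded to ~30s, instead of a fixed sleep
tries=0
until curl -s -k -o /dev/null -u "$USER:$PASSWORD" "$PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID" || [ "$tries" -ge 30 ]; do
    tries=$((tries + 1))
    sleep 1
done
# … unchanged: STATUS query and registration …
```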
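Review bot: Moving `wazuhdir` below `wazuhagentconf` changes Salt's implicit ordering, since states without requisites run in file order; if the `wazuhagentconf` managed file (its `name` is outside both hunks) lives under `/nsm/wazuh`, the directory is now created after the file is written, and `file.managed` only creates missing parents when given `makedirs`. Either keep `wazuhdir` ahead of its consumers or make the dependency explicit on each of them with `- require:` / `  - file: wazuhdir`, which also survives future re-arrangements. Both hunks sit inside salt/wazuh/init.sls and the surrounding state definitions start and end outside them.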
@@ -875,8 +875,10 @@ generate_passwords(){
 FLEETPASS=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
 FLEETJWT=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
 HIVEKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
+ HIVEPLAYSECRET=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
 CORTEXKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
 CORTEXORGUSERKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
+ CORTEXPLAYSECRET=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
 SENSORONIKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
 KRATOSKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
 }
@@ -1027,12 +1029,14 @@ manager_static() {
 " hiveuser: $WEBUSER"\
 " hivepassword: '$WEBPASSWD1'"\
 " hivekey: $HIVEKEY"\
+ " hiveplaysecret: $HIVEPLAYSECRET"\
 " cortexuser: $WEBUSER"\
 " cortexpassword: '$WEBPASSWD1'"\
 " cortexkey: $CORTEXKEY"\
 " cortexorgname: SecurityOnion"\
- " cortexorguser: $WEBUSER"\
+ " cortexorguser: soadmin"\
 " cortexorguserkey: $CORTEXORGUSERKEY"\
+ " cortexplaysecret: $CORTEXPLAYSECRET"\
 " fleet_custom_hostname: "\
 " fleet_manager: False"\
 " fleet_node: False"\

From b6a053070f7d99d325cb655f941f07a3950e008d Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 30 Jul 2020 10:25:07 -0400
Subject: [PATCH 08/11] Change TheHive play secret

---
 salt/thehive/etc/application.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/thehive/etc/application.conf b/salt/thehive/etc/application.conf
index f06c3f7c6..8aaf7a9a5 100644
--- a/salt/thehive/etc/application.conf
+++ b/salt/thehive/etc/application.conf
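Review bot: `HIVEPLAYSECRET` and `CORTEXPLAYSECRET` reuse the 20-character alphanumeric generator, which is on the short side for `play.http.secret.key`: Play's guidance asks for at least 256 bits, and some Play versions refuse shorter secrets in production mode, so `fold -w 32` (32 bytes) is the safer width — worth confirming against the Play version TheHive and Cortex ship. The same pipeline is now repeated on every line of `generate_passwords()`; a helper such as `rand_token() { tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w "${1:-20}" | head -n 1; }` used as `HIVEPLAYSECRET=$(rand_token 32)` makes the length a single, reviewable knob. The function's body is fully within the hunk, but its callers are not.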
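Review bot: `cortexorguser` becomes the literal `soadmin` while `cortexuser` two lines above still tracks `$WEBUSER`; if the split is intentional (the Cortex organisation user decoupled from the web login), a comment such as `# cortexorguser is fixed; it is not the web login user` on the new line would stop the next reader reverting it, and if it is not, the value should stay `$WEBUSER`. The two new play secrets are written into the same static pillar as the passwords; that file's mode and ownership are outside this hunk and worth confirming. `manager_static()` starts and ends outside the hunk.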
@@ -1,10 +1,11 @@
 {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
 {%- set CORTEXKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
+{%- set HIVEPLAYSECRET = salt['pillar.get']('static:hiveplaysecret', '') %}
 # Secret Key
 # The secret key is used to secure cryptographic functions.
 # WARNING: If you deploy your application on several servers, make sure to use the same key.
-play.http.secret.key="letsdewdis"
+play.http.secret.key="{{ HIVEPLAYSECRET }}"
 play.http.context=/thehive/
 search.uri = "http://{{ MANAGERIP }}:9400"
 # Elasticsearch

From c58ee8a37daf366646464ec2f8c0b99ecb363ce9 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 30 Jul 2020 10:25:53 -0400
Subject: [PATCH 09/11] Add Cortex play secret

---
 salt/thehive/etc/cortex-application.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/thehive/etc/cortex-application.conf b/salt/thehive/etc/cortex-application.conf
index b9cbe20cc..c8e96ee3e 100644
--- a/salt/thehive/etc/cortex-application.conf
+++ b/salt/thehive/etc/cortex-application.conf
@@ -1,4 +1,5 @@
 {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
+{%- set CORTEXPLAYSECRET = salt['pillar.get']('static:cortexplaysecret', '') %}
 # Secret Key
 # The secret key is used to secure cryptographic functions.

From 4282930f0838019a0bea2d0fed1045e5c6c729d9 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 30 Jul 2020 10:26:49 -0400
Subject: [PATCH 10/11] Update cortex-application.conf

---
 salt/thehive/etc/cortex-application.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/thehive/etc/cortex-application.conf b/salt/thehive/etc/cortex-application.conf
index c8e96ee3e..c7e52d954 100644
--- a/salt/thehive/etc/cortex-application.conf
+++ b/salt/thehive/etc/cortex-application.conf
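Review bot: `salt['pillar.get']('static:hiveplaysecret', '')` defaults to the empty string, so on any minion whose static pillar lacks the new key — for example an install set up before this series, since the key is only written by `manager_static()` at setup time as far as the series shows — the rendered line becomes `play.http.secret.key=""`, swapping a weak hard-coded secret for an empty one instead of failing. Drop the default and fail the render: `{%- set HIVEPLAYSECRET = salt['pillar.get']('static:hiveplaysecret') %}` followed by `{%- if not HIVEPLAYSECRET %}{{ raise('static:hiveplaysecret is not set') }}{%- endif %}`. The same empty default is used for `CORTEXPLAYSECRET` in the cortex-application.conf hunks of patches 09 and 10.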
@@ -4,7 +4,7 @@
 # Secret Key
 # The secret key is used to secure cryptographic functions.
 # WARNING: If you deploy your application on several servers, make sure to use the same key.
-play.http.secret.key="letsdewdis"
+play.http.secret.key="{{ CORTEXPLAYSECRET }}"
 play.http.context=/cortex/
 search.uri = "http://{{ MANAGERIP }}:9400"

From 4e01ef279530e05ccb3f8036e4c214f301affaad Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 30 Jul 2020 16:34:48 -0400
Subject: [PATCH 11/11] Fleet - Update osquery config for 4.4 windows_events

---
 salt/fleet/files/packs/osquery-config.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/salt/fleet/files/packs/osquery-config.conf b/salt/fleet/files/packs/osquery-config.conf
index 2558efd88..4ce82cb8d 100644
--- a/salt/fleet/files/packs/osquery-config.conf
+++ b/salt/fleet/files/packs/osquery-config.conf
@@ -22,6 +22,8 @@ spec:
 distributed_tls_max_attempts: 3
 distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
 distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
+ enable_windows_events_publisher: true
+ enable_windows_events_subscriber: true
 logger_plugin: tls
 logger_tls_endpoint: /api/v1/osquery/log
 logger_tls_period: 10
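Review bot: Enabling both the Windows events publisher and subscriber turns on an evented table that buffers every matching event in osquery's event store, and nothing in this hunk bounds it: `events_expiry` and `events_max` are absent as far as the hunk shows, and `windows_events_channels` is left at its default rather than pinned to the channels the packs actually query. Adding those three keys beside the two new lines keeps endpoint disk use predictable and the collected channel set explicit. The `spec:` mapping continues outside the hunk.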