Merge remote-tracking branch 'remotes/origin/dev' into issue/1091

pillar/logstash/init.sls

@@ -1,7 +1,6 @@
 logstash:
   docker_options:
     port_bindings:
-      - 0.0.0.0:514:514
       - 0.0.0.0:5044:5044
       - 0.0.0.0:5644:5644
       - 0.0.0.0:6050:6050

salt/elasticsearch/files/ingest/win.eventlogs

@@ -1,13 +1,11 @@
 {
   "description" : "win.eventlogs",
   "processors" : [ 
-   
     { "set":           { "if": "ctx.winlog?.channel != null",   "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true }  },
     { "set":           { "if": "ctx.agent?.type != null",   "field": "module", "value": "{{agent.type}}", "override": true }  }, 
     { "set":           { "if": "ctx.winlog?.channel != null",   "field": "event.dataset", "value": "{{winlog.channel}}", "override": true }  },
     { "rename": 	   { "field": "agent.hostname", 			            "target_field": "agent.name",		"ignore_missing": true 	} },
-
     { "rename": 	   { "field": "winlog.event_data.SubjectUserName", 			  "target_field": "user.name",		"ignore_missing": true 	} },
-    { "rename": 	   { "field": "winlog.event_data.User", 			            "target_field": "user.name",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.User", 			            "target_field": "user.name",		"ignore_missing": true 	} }
   ]
 }

salt/fleet/files/packs/osquery-config.conf

@@ -22,6 +22,8 @@ spec:
       distributed_tls_max_attempts: 3
       distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
       distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
+      enable_windows_events_publisher: true
+      enable_windows_events_subscriber: true
       logger_plugin: tls
       logger_tls_endpoint: /api/v1/osquery/log
       logger_tls_period: 10

salt/mysql/init.sls

@@ -89,7 +89,7 @@ so-mysql:
       - /opt/so/conf/mysql/etc
   cmd.run:
     - name: until nc -z {{ MAINIP }} 3306; do sleep 1; done
-    - timeout: 120
+    - timeout: 900
     - onchanges:
       - docker_container: so-mysql
 {% endif %}

salt/thehive/etc/application.conf

@@ -1,10 +1,11 @@
 {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
 {%- set CORTEXKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
+{%- set HIVEPLAYSECRET = salt['pillar.get']('static:hiveplaysecret', '') %}
 
 # Secret Key
 # The secret key is used to secure cryptographic functions.
 # WARNING: If you deploy your application on several servers, make sure to use the same key.
-play.http.secret.key="letsdewdis"
+play.http.secret.key="{{ HIVEPLAYSECRET }}"
 play.http.context=/thehive/
 search.uri = "http://{{ MANAGERIP }}:9400"
 # Elasticsearch

salt/thehive/etc/cortex-application.conf

@@ -1,9 +1,10 @@
 {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
+{%- set CORTEXPLAYSECRET = salt['pillar.get']('static:cortexplaysecret', '') %}
 
 # Secret Key
 # The secret key is used to secure cryptographic functions.
 # WARNING: If you deploy your application on several servers, make sure to use the same key.
-play.http.secret.key="letsdewdis"
+play.http.secret.key="{{ CORTEXPLAYSECRET }}"
 play.http.context=/cortex/
 search.uri = "http://{{ MANAGERIP }}:9400"
 

salt/wazuh/files/agent/wazuh-register-agent

@@ -135,7 +135,7 @@ shift $(($OPTIND - 1))
 #  fi
 
 # Default action -> try to register the agent
-sleep 10s
+sleep 30s
 STATUS=$(curl -s -k -u $USER:$PASSWORD $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID | jq .data.status | sed s'/"//g')
 if [[ $STATUS == "Active" ]]; then
   echo "Agent $AGENT_ID already registered!"

salt/wazuh/init.sls

@@ -46,13 +46,6 @@ wazuhpkgs:
     - hold: True
     - update_holds: True
 
-wazuhdir:
- file.directory:
-   - name: /nsm/wazuh
-   - user: 945
-   - group: 945
-   - makedirs: True
-
 # Add Wazuh agent conf
 wazuhagentconf:
   file.managed:
@@ -62,6 +55,13 @@ wazuhagentconf:
     - group: 945
     - template: jinja
 
+wazuhdir:
+ file.directory:
+   - name: /nsm/wazuh
+   - user: 945
+   - group: 945
+   - makedirs: True
+
 # Wazuh agent registration script
 wazuhagentregister:
   file.managed:

setup/so-functions

@@ -875,8 +875,10 @@ generate_passwords(){
   FLEETPASS=$(tr -dc 'a-zA-Z0-9' < /dev/urandom  | fold -w 20 | head -n 1)
   FLEETJWT=$(tr -dc 'a-zA-Z0-9' < /dev/urandom  | fold -w 20 | head -n 1)
   HIVEKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom  | fold -w 20 | head -n 1)
+  HIVEPLAYSECRET=$(tr -dc 'a-zA-Z0-9' < /dev/urandom  | fold -w 20 | head -n 1)
   CORTEXKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom  | fold -w 20 | head -n 1)
   CORTEXORGUSERKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom  | fold -w 20 | head -n 1)
+  CORTEXPLAYSECRET=$(tr -dc 'a-zA-Z0-9' < /dev/urandom  | fold -w 20 | head -n 1)
   SENSORONIKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom  | fold -w 20 | head -n 1)
   KRATOSKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom  | fold -w 20 | head -n 1)
 }
@@ -1027,12 +1029,14 @@ manager_static() {
 		"  hiveuser: $WEBUSER"\
 		"  hivepassword: '$WEBPASSWD1'"\
 		"  hivekey: $HIVEKEY"\
+		"  hiveplaysecret: $HIVEPLAYSECRET"\
 		"  cortexuser: $WEBUSER"\
 		"  cortexpassword: '$WEBPASSWD1'"\
 		"  cortexkey: $CORTEXKEY"\
 		"  cortexorgname: SecurityOnion"\
-		"  cortexorguser: $WEBUSER"\
+		"  cortexorguser: soadmin"\
 		"  cortexorguserkey: $CORTEXORGUSERKEY"\
+		"  cortexplaysecret: $CORTEXPLAYSECRET"\
 		"  fleet_custom_hostname: "\
 		"  fleet_manager: False"\
 		"  fleet_node: False"\
@@ -1510,9 +1514,6 @@ sensor_pillar() {
 		echo "  suriprocs: $BASICSURI" >> "$pillar_file"
 	fi
 	printf '%s\n'\
-		"  zeekbpf:"\
-		"  pcapbpf:"\
-		"  nidsbpf:"\
 		"  manager: $MSRV"\
 		"  mtu: $MTU"\
 		"  uniqueid: $(date '+%s')" >> "$pillar_file"