From d5075d68b1e8b8b8d24e8b307bf0f26c3d83379d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 28 Apr 2020 14:00:20 -0400 Subject: [PATCH 01/12] Change Version Files --- VERSION | 2 +- upgrade/so-update-functions | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 6085e9465..23aa83906 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.2.1 +1.2.2 diff --git a/upgrade/so-update-functions b/upgrade/so-update-functions index 4f0e48f66..49dca0352 100644 --- a/upgrade/so-update-functions +++ b/upgrade/so-update-functions @@ -17,7 +17,7 @@ # Set the new SO Version -UPDATEVERSION=1.2.1 +UPDATEVERSION=1.2.2 BUILD=HH #Determine the current install version From bf6b525359ed4f85131a7533f1bae9b2d0d2896d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 29 Apr 2020 16:39:41 -0400 Subject: [PATCH 02/12] Update Salt Version --- setup/so-functions | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 3402dd6b1..d3dd8c9ee 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -818,10 +818,10 @@ install_master() { else if [ $OSVER != "xenial" ]; then - apt-get install -y salt-common=2019.2.3+ds-1 salt-master=2019.2.3+ds-1 salt-minion=2019.2.3+ds-1 libssl-dev python-m2crypto + apt-get install -y salt-common=2019.2.4+ds-1 salt-master=2019.2.4+ds-1 salt-minion=2019.2.4+ds-1 libssl-dev python-m2crypto apt-mark hold salt-common salt-master salt-minion else - apt-get install -y salt-common=2019.2.3+ds-1 salt-master=2019.2.3+ds-1 salt-minion=2019.2.3+ds-1 libssl-dev python-m2crypto + apt-get install -y salt-common=2019.2.4+ds-1 salt-master=2019.2.4+ds-1 salt-minion=2019.2.4+ds-1 libssl-dev python-m2crypto apt-mark hold salt-common salt-master salt-minion fi fi 
@@ -1233,17 +1233,17 @@ EOF fi yum clean expire-cache - yum -y install epel-release salt-minion-2019.2.3 yum-utils device-mapper-persistent-data lvm2 openssl jq + yum -y install epel-release salt-minion-2019.2.4 yum-utils device-mapper-persistent-data lvm2 openssl jq yum -y update exclude=salt* systemctl enable salt-minion if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then - yum -y install salt-master-2019.2.3 python3 python36-m2crypto salt-minion-2019.2.3 python36-dateutil python36-mysql python36-docker + yum -y install salt-master-2019.2.4 python3 python36-m2crypto salt-minion-2019.2.4 python36-dateutil python36-mysql python36-docker systemctl enable salt-master elif [ $INSTALLTYPE == 'FLEET' ]; then - yum -y install salt-minion-2019.2.3 python3 python36-m2crypto python36-dateutil python36-docker python36-mysql + yum -y install salt-minion-2019.2.4 python3 python36-m2crypto python36-dateutil python36-docker python36-mysql else - yum -y install salt-minion-2019.2.3 python3 python36-m2crypto python36-dateutil python36-docker + yum -y install salt-minion-2019.2.4 python3 python36-m2crypto python36-dateutil python36-docker fi echo "exclude=salt*" >> /etc/yum.conf 
@@ -1298,11 +1298,11 @@ EOF # Initialize the new repos apt-get update >> $SETUPLOG 2>&1 if [ $OSVER != "xenial" ]; then - apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python3-dateutil python3-m2crypto sqlite3 argon2 curl jq openssl >> $SETUPLOG 2>&1 + apt-get -y install salt-minion=2019.2.4+ds-1 salt-common=2019.2.4+ds-1 python3-dateutil python3-m2crypto sqlite3 argon2 curl jq openssl >> $SETUPLOG 2>&1 apt-mark hold salt-minion salt-common else # Need to add python packages here - apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto sqlite3 argon2 curl jq openssl >> $SETUPLOG 2>&1 + apt-get -y install salt-minion=2019.2.4+ds-1 salt-common=2019.2.4+ds-1 python-dateutil python-m2crypto sqlite3 argon2 curl jq openssl >> $SETUPLOG 2>&1 apt-mark hold salt-minion salt-common fi else @@ -1329,11 +1329,11 @@ EOF # Initialize the new repos apt-get update >> $SETUPLOG 2>&1 if [ $OSVER != "xenial" ]; then - apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python3-dateutil python3-m2crypto >> $SETUPLOG 2>&1 + apt-get -y install salt-minion=2019.2.4+ds-1 salt-common=2019.2.4+ds-1 python3-dateutil python3-m2crypto >> $SETUPLOG 2>&1 apt-mark hold salt-minion salt-common else # Need to add python packages here - apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto >> $SETUPLOG 2>&1 + apt-get -y install salt-minion=2019.2.4+ds-1 salt-common=2019.2.4+ds-1 python-dateutil python-m2crypto >> $SETUPLOG 2>&1 apt-mark hold salt-minion salt-common fi fi From 793b887aea5963b394782bbda8732a24eb3344ad Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 30 Apr 2020 09:44:49 -0400 Subject: [PATCH 03/12] Update vertsion to 1.2.2 --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index d3dd8c9ee..5682205a1 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -17,7 +17,7 @@ SCRIPTDIR=$(dirname "$0") source $SCRIPTDIR/so-whiptail -SOVERSION=1.2.1 +SOVERSION=1.2.2 accept_salt_key_local() { echo "Accept the key locally on the master" >> $SETUPLOG 2>&1 From 784e2896bdd662840951bef7f94bc288d0f005b9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 30 Apr 2020 11:31:07 -0400 Subject: [PATCH 04/12] Fix Strelka Versioning --- salt/strelka/init.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index b9efef638..482b28db5 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -72,7 +72,7 @@ strelka_gatekeeper: strelka_frontend: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-frontend:HH1.2.1 + - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-frontend:{{ VERSION }} - binds: - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro - /nsm/strelka/log/:/var/log/strelka/:rw @@ -84,7 +84,7 @@ strelka_frontend: strelka_backend: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-backend:HH1.2.1 + - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-backend:{{ VERSION }} - binds: - /opt/so/conf/strelka/backend/:/etc/strelka/:ro - /opt/so/conf/strelka/backend/yara:/etc/yara/:ro @@ -94,7 +94,7 @@ strelka_backend: strelka_manager: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-manager:HH1.2.1 + - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-manager:{{ VERSION }} - binds: - /opt/so/conf/strelka/manager/:/etc/strelka/:ro - name: so-strelka-manager @@ -102,7 +102,7 @@ strelka_manager: strelka_filestream: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-filestream:HH1.2.1 + - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-filestream:{{ VERSION }} - binds: - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro - /nsm/strelka:/nsm/strelka From 90840f6d00d0a087b4a6fa967bacae48c975df3f Mon Sep 17 00:00:00 2001 
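Review bot: The four strelka image lines now reference `{{ VERSION }}`, but none of these hunks shows where that variable is defined in salt/strelka/init.sls. The so-wazuh container in salt/wazuh/init.sls uses the same `{{ VERSION }}` tag, so the usual top-of-file assignment is presumably expected here too; confirm it is present, since an undefined Jinja variable renders as an empty tag and all four container pulls would then fail. Also confirm that its value carries the `HH` prefix the replaced literal tag `HH1.2.1` had, otherwise the registry lookup changes even though the intent is only to stop hard-coding the release.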
From: Mike Reeves Date: Thu, 30 Apr 2020 15:21:52 -0400 Subject: [PATCH 05/12] Update Kratos yaml --- salt/soc/files/kratos/kratos.yaml | 30 +++++++++++------------------- 1 file changed, 11 insertions(+), 19 deletions(-) diff --git a/salt/soc/files/kratos/kratos.yaml b/salt/soc/files/kratos/kratos.yaml index 032027d96..406683a5d 100644 --- a/salt/soc/files/kratos/kratos.yaml +++ b/salt/soc/files/kratos/kratos.yaml @@ -6,6 +6,13 @@ selfservice: password: enabled: true + settings: + privileged_session_max_age: 1m + after: + profile: + hooks: + - hook: verify + verify: return_to: https://{{ WEBACCESS }}/ @@ -14,29 +21,14 @@ selfservice: login: request_lifespan: 10m - after: - password: - - - job: session - - - job: redirect - config: - default_redirect_url: https://{{ WEBACCESS }}/ - allow_user_defined_redirect: true registration: request_lifespan: 10m after: password: - - - job: verify - - - job: session - - - job: redirect - config: - default_redirect_url: https://{{ WEBACCESS }}/ - allow_user_defined_redirect: true + hooks: + - hook: session + - hook: verify log: level: debug @@ -58,7 +50,7 @@ urls: public: https://{{ WEBACCESS }}/auth/ admin: https://{{ WEBACCESS }}/kratos/ default_return_to: https://{{ WEBACCESS }}/ - whitelisted_return_to_domains: + whitelisted_return_to_urls: - http://127.0.0.1 hashers: From a0310b1c2c698da22f1f7deb92cd73c286231e2b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 May 2020 10:38:04 -0400 Subject: [PATCH 06/12] Update Readme --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index 1b7661956..bf6b06b23 100644 --- a/README.md +++ b/README.md 
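Review bot: The new registration `after.password.hooks` list names `session` before `verify`, so a freshly registered account presumably receives a session as soon as the password flow completes and the verification hook only runs afterwards. If address verification is meant to gate first access, listing `verify` alone (with sign-in going through the login flow) is the stricter configuration; either way the decision deserves a comment above `hooks:` such as `# session before verify: new accounts are signed in before their address is verified`. The removed login `after` block also carried `default_redirect_url` and `allow_user_defined_redirect`, and this hunk adds no replacement, so if post-login redirects are now governed solely by the `urls` section further down the commit should say so.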
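Review bot: `whitelisted_return_to_urls` lists only `http://127.0.0.1`, a plain-http loopback entry, while every other URL in this file is `https://{{ WEBACCESS }}/`. Unless Kratos implicitly trusts `urls.default_return_to`, a user-supplied `return_to` for the real host would be rejected, and if the loopback entry is a development leftover it widens the accepted redirect targets for no benefit. Consider adding `- https://{{ WEBACCESS }}/` to the list and either dropping the loopback entry or documenting why it is required.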
@@ -1,3 +1,13 @@ +## Hybrid Hunter Beta 1.2.2 - Beta 1 + +### Changes: + +- Updated Saltstack to 2019.2.4 to address [CVE-2020-11651](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651) +- Updated Suricata to 4.1.8 to address some possible security issues. Details [here](https://suricata-ids.org/2020/04/28/suricata-4-1-8-released/). +- Fixed an issue that was preventing Strelka to function properly. +- ISO installs should now use the built in docker containers instead of re-downloading them. + + ## Hybrid Hunter Beta 1.2.1 - Beta 1 ### Changes: From aeebc893de201a7d2ec99cb4eb8f08f7fc644bf9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 May 2020 10:44:05 -0400 Subject: [PATCH 07/12] Update SOC page --- salt/soc/files/soc/changes.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index 3e368d002..a917fe706 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json @@ -1,6 +1,11 @@ { - "title": "Introducing Hybrid Hunter 1.2.1 Beta 1", + "title": "Introducing Hybrid Hunter 1.2.2 Beta 1", "changes": [ + + { "summary": "Saltstack has been upgraded to 2019.2.4 to address CVE-2020-11651." }, + { "summary": "Updated Suricata to 4.1.8 to address some possible security issues." }, + { "summary": "Fixed an issue that was preventing Strelka to function properly." }, + { "summary": "ISO installs should now use the built in docker containers instead of re-downloading them." }, { "summary": "Full support for Ubuntu 18.04. 16.04 is no longer supported for Hybrid Hunter." }, { "summary": "Introduction of the Security Onion Console. Once logged in you are directly taken to the SOC." }, { "summary": "New authentication using Kratos." }, From 92c2222879bde6af5e627a62735b6fe320915175 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Tue, 19 May 2020 16:59:43 -0400 Subject: [PATCH 08/12] ensure wazuh-agent service is enabled and running --- salt/wazuh/init.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index d6130abb9..c464dd3a9 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -72,6 +72,11 @@ wazuhmgrwhitelist: - mode: 755 - template: jinja +wazuhagentservice: + service.running: + - name: wazuh-agent + - enable: True + so-wazuh: docker_container.running: - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:{{ VERSION }} From 51250ef75124ab8fcf58f44025984b8516a74c34 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 20 May 2020 09:56:27 -0400 Subject: [PATCH 09/12] Update wazuh.repo --- setup/yum_repos/wazuh.repo | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/yum_repos/wazuh.repo b/setup/yum_repos/wazuh.repo index 70d23ccdd..ae462c62f 100644 --- a/setup/yum_repos/wazuh.repo +++ b/setup/yum_repos/wazuh.repo @@ -4,4 +4,4 @@ gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=Wazuh repository baseurl=https://packages.wazuh.com/3.x/yum/ -protect=1 \ No newline at end of file +protect=1 From d4840d203c3d0e6f2470e6ce43d4d90a3d4fbb16 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 20 May 2020 11:23:55 -0400 Subject: [PATCH 10/12] fix version lock for wazuh --- salt/patch/os/init.sls | 3 --- salt/top.sls | 5 +++++ salt/wazuh/init.sls | 8 ++++++++ salt/yum/packages.sls | 4 ++++ setup/so-setup | 6 +++++- 5 files changed, 22 insertions(+), 4 deletions(-) diff --git a/salt/patch/os/init.sls b/salt/patch/os/init.sls index ade35294a..1464a3397 100644 --- a/salt/patch/os/init.sls +++ b/salt/patch/os/init.sls @@ -1,7 +1,4 @@ include: -{% if grains.os == "CentOS" %} - - yum.packages -{% endif %} - patch.needs_restarting patch_os: diff --git a/salt/top.sls b/salt/top.sls index 207fd509a..95acae1fd 100644 --- a/salt/top.sls +++ b/salt/top.sls 
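Review bot: `wazuhagentservice` is a bare `service.running` with no requisites, so it does not restart the agent when the `wazuhagentconf` file.managed state earlier in this file changes, and it relies on definition order alone for the package to be present. Adding `- watch:` / `  - file: wazuhagentconf` makes a changed agent config take effect without a manual restart. If the agent package is also managed in this file, a matching `- require:` on that pkg state would make the dependency explicit instead of implicit.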
@@ -11,6 +11,11 @@ base: + + 'os:CentOS': + - match: grain + - yum.packages + '*': - salt - docker diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index c464dd3a9..54db40787 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -43,6 +43,14 @@ ossec: # - user: 945 # - group: 945 +wazuhpkgs: + pkg.installed: + - skip_suggestions: False + - pkgs: + - wazuh-agent: 3.10.2-1 + - hold: True + - update_holds: True + # Add Wazuh agent conf wazuhagentconf: file.managed: diff --git a/salt/yum/packages.sls b/salt/yum/packages.sls index 4c773d0e9..50f763b0f 100644 --- a/salt/yum/packages.sls +++ b/salt/yum/packages.sls @@ -1,3 +1,7 @@ install_yum_utils: pkg.installed: - name: yum-utils + +install_yum_versionlock: + pkg.installed: + - name: yum-plugin-versionlock diff --git a/setup/so-setup b/setup/so-setup index efbccb93e..d949173cf 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -354,7 +354,6 @@ fi set_progress_str 22 'Generating CA and checking in' salt_checkin >> $setup_log 2>&1 - if [[ $is_master || $is_helix ]]; then set_progress_str 25 'Configuring firewall' set_initial_firewall_policy >> $setup_log 2>&1 @@ -379,6 +378,11 @@ fi set_progress_str 62 "$(print_salt_state_apply 'firewall')" salt-call state.apply -l info firewall >> $setup_log 2>&1 + if [ $OS = 'centos' ]; then + set_progress_str 63 'Installing Yum utilities' + salt-call state.apply -l info yum.packages >> $setup_log 2>&1 + fi + set_progress_str 63 "$(print_salt_state_apply 'common')" salt-call state.apply -l info common >> $setup_log 2>&1 From e07f6af1568c8c086397b38ff6f43159f474e9f1 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 20 May 2020 11:41:33 -0400 Subject: [PATCH 11/12] remove wazuh-agent exlude being added to repo conf during setup --- setup/so-setup | 1 - 1 file changed, 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index d949173cf..be8c95212 100755 --- a/setup/so-setup +++ b/setup/so-setup 
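Review bot: `wazuhpkgs` pins wazuh-agent with `hold: True`, which on CentOS presumably relies on the yum-plugin-versionlock that the new `install_yum_versionlock` state installs, yet nothing in this state declares that dependency; the CentOS `include: yum.packages` was just removed from salt/patch/os/init.sls, and the only ordering left is top.sls placement plus the new so-setup step that applies `yum.packages` first. Making the requisite explicit, guarded so the Ubuntu path does not reference a state it never applies, keeps the pin working if someone runs `state.apply wazuh` on its own; if the file already has an `include:` block at the top, fold the entry into it. The `wazuhagentservice` state later in this file could likewise carry `- require:` / `  - pkg: wazuhpkgs` rather than depend on definition order.
```yaml
{% if grains.os == 'CentOS' %}
include:
  - yum.packages
{% endif %}

wazuhpkgs:
  pkg.installed:
    # … unchanged: skip_suggestions, pkgs, hold, update_holds …
{% if grains.os == 'CentOS' %}
    - require:
      - pkg: install_yum_versionlock
{% endif %}
```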
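Review bot: The new CentOS block reports progress value 63 for 'Installing Yum utilities' and the `common` step that immediately follows also reports 63, so the progress display stalls across two steps; give the new step its own value or add a short comment saying the repeat is intentional. The guard `if [ $OS = 'centos' ]; then` leaves `$OS` unquoted while the surrounding script already uses `[[ … ]]` (for example `if [[ $is_master || $is_helix ]]`), so `if [[ "$OS" == 'centos' ]]; then` matches the file's style and cannot break on an empty value. The enclosing block starts before and ends after this hunk.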
@@ -435,7 +435,6 @@ fi if [[ "$WAZUH" = 1 ]]; then if [ $OS = 'centos' ]; then yum -y install wazuh-agent-3.10.2-1 >> "$setup_log" 2>&1 - echo "exclude=wazuh-agent" >> /etc/yum.repos.d/wazuh.repo else apt-get -y install wazuh-agent=3.10.2-1 >> "$setup_log" 2>&1 apt-mark hold wazuh-agent >> "$setup_log" 2>&1 From 4917d88db086df0b8ad7828c66b20bb1885a9240 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 20 May 2020 11:45:54 -0400 Subject: [PATCH 12/12] remove wazuh-agent being installed during setup, let salt mage it --- setup/so-setup | 6 ------ 1 file changed, 6 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index be8c95212..406d69763 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -433,12 +433,6 @@ fi fi if [[ "$WAZUH" = 1 ]]; then - if [ $OS = 'centos' ]; then - yum -y install wazuh-agent-3.10.2-1 >> "$setup_log" 2>&1 - else - apt-get -y install wazuh-agent=3.10.2-1 >> "$setup_log" 2>&1 - apt-mark hold wazuh-agent >> "$setup_log" 2>&1 - fi set_progress_str 75 "$(print_salt_state_apply 'wazuh')" salt-call state.apply -l info wazuh >> $setup_log 2>&1 fi