CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-20 16:03:06 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'remotes/origin/dev' into bugfix/playbook-mysql

Browse Source
This commit is contained in:
Josh Brower
2020-05-06 08:30:45 -04:00
parent 2e3bcf600f 981801f23c
commit bc34c67f47
46 changed files with 2733 additions and 2826 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
salt/common/maps/broversion.map.jinja Normal file
View File

@@ -0,0 +1,5 @@
{% set docker = {
'containers': [
'so-zeek'
]
} %}

5
salt/common/maps/domainstats.map.jinja Normal file
View File

@@ -0,0 +1,5 @@
{% set docker = {
'containers': [
'so-domainstats'
]
} %}

18
salt/common/maps/eval.map.jinja Normal file
View File

@@ -0,0 +1,18 @@
{% set docker = {
'containers': [
'so-nginx',
'so-telegraf',
'so-dockerregistry',
'so-soc',
'so-kratos',
'so-idstools',
'so-elasticsearch',
'so-kibana',
'so-steno',
'so-suricata',
'so-zeek',
'so-curator',
'so-elastalert',
'so-soctopus'
]
} %}

10
salt/common/maps/fleet.map.jinja Normal file
View File

@@ -0,0 +1,10 @@
{% set docker = {
'containers': [
'so-mysql',
'so-fleet',
'so-redis',
'so-filebeat',
'so-nginx',
'so-telegraf'
]
} %}

7
salt/common/maps/fleet_master.map.jinja Normal file
View File

@@ -0,0 +1,7 @@
{% set docker = {
'containers': [
'so-mysql',
'so-fleet',
'so-redis'
]
} %}

5
salt/common/maps/freq.map.jinja Normal file
View File

@@ -0,0 +1,5 @@
{% set docker = {
'containers': [
'so-freqserver'
]
} %}

6
salt/common/maps/grafana.map.jinja Normal file
View File

@@ -0,0 +1,6 @@
{% set docker = {
'containers': [
'so-influxdb',
'so-grafana'
]
} %}

14
salt/common/maps/heavynode.map.jinja Normal file
View File

@@ -0,0 +1,14 @@
{% set docker = {
'containers': [
'so-nginx',
'so-telegraf',
'so-redis',
'so-logstash',
'so-elasticsearch',
'so-curator',
'so-steno',
'so-suricata',
'so-wazuh',
'so-filebeat
]
} %}

12
salt/common/maps/helixsensor.map.jinja Normal file
View File

@@ -0,0 +1,12 @@
{% set docker = {
'containers': [
'so-nginx',
'so-telegraf',
'so-idstools',
'so-steno',
'so-zeek',
'so-redis',
'so-logstash',
'so-filebeat
]
} %}

9
salt/common/maps/hotnode.map.jinja Normal file
View File

@@ -0,0 +1,9 @@
{% set docker = {
'containers': [
'so-nginx',
'so-telegraf',
'so-logstash',
'so-elasticsearch',
'so-curator',
]
} %}

18
salt/common/maps/master.map.jinja Normal file
View File

@@ -0,0 +1,18 @@
{% set docker = {
'containers': [
'so-dockerregistry',
'so-nginx',
'so-telegraf',
'so-soc',
'so-kratos',
'so-acng',
'so-idstools',
'so-redis',
'so-elasticsearch',
'so-logstash',
'so-kibana',
'so-elastalert',
'so-filebeat',
'so-soctopus'
]
} %}

18
salt/common/maps/mastersearch.map.jinja Normal file
View File

@@ -0,0 +1,18 @@
{% set docker = {
'containers': [
'so-nginx',
'so-telegraf',
'so-soc',
'so-kratos',
'so-acng',
'so-idstools',
'so-redis',
'so-logstash',
'so-elasticsearch',
'so-curator',
'so-kibana',
'so-elastalert',
'so-filebeat',
'so-soctopus'
]
} %}

6
salt/common/maps/playbook.map.jinja Normal file
View File

@@ -0,0 +1,6 @@
{% set docker = {
'containers': [
'so-playbook',
'so-navigator'
]
} %}

10
salt/common/maps/searchnode.map.jinja Normal file
View File

@@ -0,0 +1,10 @@
{% set docker = {
'containers': [
'so-nginx',
'so-telegraf',
'so-logstash',
'so-elasticsearch',
'so-curator',
'so-filebeat'
]
} %}

9
salt/common/maps/sensor.map.jinja Normal file
View File

@@ -0,0 +1,9 @@
{% set docker = {
'containers': [
'so-nginx',
'so-telegraf',
'so-steno',
'so-suricata',
'so-filebeat'
]
} %}

61
salt/common/maps/so-status.map.jinja Normal file
View File

@@ -0,0 +1,61 @@
{% set role = grains.id.split('_') | last %}
{% from 'common/maps/'~ role ~'.map.jinja' import docker with context %}
# Check if the service is enabled and append it's required containers
# to the list predefined by the role / minion id affix
{% macro append_containers(pillar_name, k, compare )%}
{% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %}
{% from 'common/maps/'~k~'.map.jinja' import docker as d with context %}
{% for li in d['containers'] %}
{{ docker['containers'].append(li) }}
{% endfor %}
{% endif %}
{% endmacro %}
{% set docker = salt['grains.filter_by']({
'*_'~role: {
'containers': docker['containers']
}
},grain='id', merge=salt['pillar.get']('docker')) %}
{% if role == 'eval' %}
{{ append_containers('master', 'grafana', 0) }}
{{ append_containers('static', 'fleet_master', 0) }}
{{ append_containers('master', 'wazuh', 0) }}
{{ append_containers('master', 'thehive', 0) }}
{{ append_containers('master', 'playbook', 0) }}
{{ append_containers('master', 'freq', 0) }}
{{ append_containers('master', 'domainstats', 0) }}
{% endif %}
{% if role == 'heavynode' %}
{{ append_containers('static', 'broversion', 'SURICATA') }}
{% endif %}
{% if role == 'mastersearch' %}
{{ append_containers('master', 'grafana', 0) }}
{{ append_containers('static', 'fleet_master', 0) }}
{{ append_containers('master', 'wazuh', 0) }}
{{ append_containers('master', 'thehive', 0) }}
{{ append_containers('master', 'playbook', 0) }}
{{ append_containers('master', 'freq', 0) }}
{{ append_containers('master', 'domainstats', 0) }}
{% endif %}
{% if role == 'master' %}
{{ append_containers('master', 'grafana', 0) }}
{{ append_containers('static', 'fleet_master', 0) }}
{{ append_containers('master', 'wazuh', 0) }}
{{ append_containers('master', 'thehive', 0) }}
{{ append_containers('master', 'playbook', 0) }}
{{ append_containers('master', 'freq', 0) }}
{{ append_containers('master', 'domainstats', 0) }}
{% endif %}
{% if role == 'searchnode' %}
{{ append_containers('master', 'wazuh', 0) }}
{% endif %}
{% if role == 'sensor' %}
{{ append_containers('static', 'broversion', 'SURICATA') }}
{% endif %}

7
salt/common/maps/thehive.map.jinja Normal file
View File

@@ -0,0 +1,7 @@
{% set docker = {
'containers': [
'so-thehive',
'so-thehive-es',
'so-cortex'
]
} %}

7
salt/common/maps/warmnode.map.jinja Normal file
View File

@@ -0,0 +1,7 @@
{% set docker = {
'containers': [
'so-nginx',
'so-telegraf',
'so-elasticsearch'
]
} %}

5
salt/common/maps/wazuh.map.jinja Normal file
View File

@@ -0,0 +1,5 @@
{% set docker = {
'containers': [
'so-wazuh'
]
} %}

31
salt/common/tools/sbin/so-status
View File

@@ -14,35 +14,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set pillar_suffix = ':containers' -%}
{%- if (salt['grains.get']('role') == 'so-mastersearch') -%}
{%- set pillar_val = 'master_search' -%}
{%- elif (salt['grains.get']('role') == 'so-master') -%}
{%- set pillar_val = 'master' -%}
{%- elif (salt['grains.get']('role') == 'so-heavynode') -%}
{%- set pillar_val = 'heavy_node' -%}
{%- elif (salt['grains.get']('role') == 'so-sensor') -%}
{%- set pillar_val = 'sensor' -%}
{%- elif (salt['grains.get']('role') == 'so-eval') -%}
{%- set pillar_val = 'eval' -%}
{%- elif (salt['grains.get']('role') == 'so-fleet') -%}
{%- set pillar_val = 'fleet' -%}
{%- elif (salt['grains.get']('role') == 'so-helix') -%}
{%- set pillar_val = 'helix' -%}
{%- elif (salt['grains.get']('role') == 'so-node') -%}
{%- if (salt['pillar.get']('node:node_type') == 'parser') -%}
{%- set pillar_val = 'parser_node' -%}
{%- elif (salt['pillar.get']('node:node_type') == 'hot') -%}
{%- set pillar_val = 'hot_node' -%}
{%- elif (salt['pillar.get']('node:node_type') == 'warm') -%}
{%- set pillar_val = 'warm_node' -%}
{%- elif (salt['pillar.get']('node:node_type') == 'search') -%}
{%- set pillar_val = 'search_node' -%}
{%- endif -%}
{%- endif -%}
{%- set pillar_name = pillar_val ~ pillar_suffix -%}
{%- set container_list = salt['pillar.get'](pillar_name) %}
{%- from 'common/maps/so-status.map.jinja' import docker with context %}
{%- set container_list = docker['containers'] %}
if ! [ "$(id -u)" = 0 ]; then
echo "This command must be run as root"

9
salt/fleet/init.sls
View File

@@ -13,6 +13,9 @@
{% set MAINIP = salt['pillar.get']('static:masterip') %}
{% endif %}
include:
- mysql
#{% if grains.id.split('_')|last in ['master', 'eval', 'fleet'] %}
#so/fleet:
# event.send:
@@ -86,6 +89,8 @@ fleetdb:
- connection_port: 3306
- connection_user: root
- connection_pass: {{ MYSQLPASS }}
- require:
- sls: mysql
fleetdbuser:
mysql_user.present:
@@ -95,6 +100,8 @@ fleetdbuser:
- connection_port: 3306
- connection_user: root
- connection_pass: {{ MYSQLPASS }}
- require:
- fleetdb
fleetdbpriv:
mysql_grants.present:
@@ -106,6 +113,8 @@ fleetdbpriv:
- connection_port: 3306
- connection_user: root
- connection_pass: {{ MYSQLPASS }}
- require:
- fleetdb
{% if FLEETPASS == None or FLEETJWT == None %}

3
salt/kibana/bin/so-kibana-config-load
View File

@@ -1,6 +1,7 @@
#!/bin/bash
{%- set MASTER = salt['pillar.get']('static:masterip', '') %}
{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
{%- set FLEET = salt['pillar.get']('static:fleet_ip', '') %}
{%- set KRATOS = salt['pillar.get']('kratos:redirect', '') %}
@@ -28,8 +29,10 @@ cp /opt/so/conf/kibana/saved_objects.ndjson.template /opt/so/conf/kibana/saved_o
# SOCtopus and Master
sed -i "s/PLACEHOLDER/{{ MASTER }}/g" /opt/so/conf/kibana/saved_objects.ndjson
{% if FLEET_NODE %}
# Fleet IP
sed -i "s/FLEETPLACEHOLDER/{{ FLEET }}/g" /opt/so/conf/kibana/saved_objects.ndjson
{% endif %}
# Kratos redirect
sed -i "s/PCAPPLACEHOLDER/{{ KRATOS }}/g" /opt/so/conf/kibana/saved_objects.ndjson

5
salt/mysql/init.sls
View File

@@ -85,4 +85,9 @@ so-mysql:
- /opt/so/log/mysql:/var/log/mysql:rw
- watch:
- /opt/so/conf/mysql/etc
cmd.run:
- name: until nc -z {{ MAINIP }} 3306; do sleep 1; done
- timeout: 120
- onchanges:
- docker_container: so-mysql
{% endif %}

14
salt/nginx/etc/nginx.conf.so-eval
View File

@@ -146,6 +146,20 @@ http {
}
location /cyberchef/ {
auth_request /auth/sessions/whoami;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /cyberchef {
rewrite ^ /cyberchef/ permanent;
}
location /packages/ {
try_files $uri =206;
auth_request /auth/sessions/whoami;

14
salt/nginx/etc/nginx.conf.so-master
View File

@@ -146,6 +146,20 @@ http {
}
location /cyberchef/ {
auth_request /auth/sessions/whoami;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /cyberchef {
rewrite ^ /cyberchef/ permanent;
}
location /packages/ {
try_files $uri =206;
auth_request /auth/sessions/whoami;

14
salt/nginx/etc/nginx.conf.so-mastersearch
View File

@@ -146,6 +146,20 @@ http {
}
location /cyberchef/ {
auth_request /auth/sessions/whoami;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /cyberchef {
rewrite ^ /cyberchef/ permanent;
}
location /packages/ {
try_files $uri =206;
auth_request /auth/sessions/whoami;

4
salt/top.sls
View File

@@ -21,7 +21,6 @@ base:
- ssl
- registry
- common
- nginx
- telegraf
- firewall
- idstools
@@ -37,7 +36,6 @@ base:
- ca
- ssl
- common
- nginx
- telegraf
- firewall
- pcap
@@ -192,7 +190,6 @@ base:
- ca
- ssl
- common
- nginx
- telegraf
- firewall
{%- if WAZUH != 0 %}
@@ -271,7 +268,6 @@ base:
- ca
- ssl
- common
- nginx
- telegraf
- firewall
- redis

17
salt/zeek/defaults.yml
View File

@@ -1,17 +0,0 @@
zeek:
zeekctl:
MailTo: root@localhost
MailConnectionSummary: 1
MinDiskSpace: 5
MailHostUpDown: 1
LogRotationInterval: 3600
LogExpireInterval: 0
StatsLogEnable: 1
StatsLogExpireInterval: 0
StatusCmdShowAll: 0
CrashExpireInterval: 0
SitePolicyScripts: local.zeek
LogDir: /nsm/zeek/logs
SpoolDir: /nsm/zeek/spool
CfgDir: /opt/zeek/etc
CompressLogs: 1

132
salt/zeek/files/local.zeek
View File

@@ -1,132 +0,0 @@
##! Local site policy. Customize as appropriate.
##!
##! This file will not be overwritten when upgrading or reinstalling!
# This script logs which scripts were loaded during each run.
@load misc/loaded-scripts
# Apply the default tuning scripts for common tuning settings.
@load tuning/defaults
# Estimate and log capture loss.
@load misc/capture-loss
# Enable logging of memory, packet and lag statistics.
@load misc/stats
# Load the scan detection script. It's disabled by default because
# it often causes performance issues.
#@load misc/scan
# Detect traceroute being run on the network. This could possibly cause
# performance trouble when there are a lot of traceroutes on your network.
# Enable cautiously.
#@load misc/detect-traceroute
# Generate notices when vulnerable versions of software are discovered.
# The default is to only monitor software found in the address space defined
# as "local". Refer to the software framework's documentation for more
# information.
@load frameworks/software/vulnerable
# Detect software changing (e.g. attacker installing hacked SSHD).
@load frameworks/software/version-changes
# This adds signatures to detect cleartext forward and reverse windows shells.
@load-sigs frameworks/signatures/detect-windows-shells
# Load all of the scripts that detect software in various protocols.
@load protocols/ftp/software
@load protocols/smtp/software
@load protocols/ssh/software
@load protocols/http/software
# The detect-webapps script could possibly cause performance trouble when
# running on live traffic. Enable it cautiously.
#@load protocols/http/detect-webapps
# This script detects DNS results pointing toward your Site::local_nets
# where the name is not part of your local DNS zone and is being hosted
# externally. Requires that the Site::local_zones variable is defined.
@load protocols/dns/detect-external-names
# Script to detect various activity in FTP sessions.
@load protocols/ftp/detect
# Scripts that do asset tracking.
@load protocols/conn/known-hosts
@load protocols/conn/known-services
@load protocols/ssl/known-certs
# This script enables SSL/TLS certificate validation.
@load protocols/ssl/validate-certs
# This script prevents the logging of SSL CA certificates in x509.log
@load protocols/ssl/log-hostcerts-only
# Uncomment the following line to check each SSL certificate hash against the ICSI
# certificate notary service; see http://notary.icsi.berkeley.edu .
# @load protocols/ssl/notary
# If you have GeoIP support built in, do some geographic detections and
# logging for SSH traffic.
@load protocols/ssh/geo-data
# Detect hosts doing SSH bruteforce attacks.
@load protocols/ssh/detect-bruteforcing
# Detect logins using "interesting" hostnames.
@load protocols/ssh/interesting-hostnames
# Detect SQL injection attacks.
@load protocols/http/detect-sqli
#### Network File Handling ####
# Enable MD5 and SHA1 hashing for all files.
@load frameworks/files/hash-all-files
# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
@load frameworks/files/detect-MHR
# Extend email alerting to include hostnames
@load policy/frameworks/notice/extend-email/hostnames
# Uncomment the following line to enable detection of the heartbleed attack. Enabling
# this might impact performance a bit.
# @load policy/protocols/ssl/heartbleed
# Uncomment the following line to enable logging of connection VLANs. Enabling
# this adds two VLAN fields to the conn.log file.
# @load policy/protocols/conn/vlan-logging
# Uncomment the following line to enable logging of link-layer addresses. Enabling
# this adds the link-layer address for each connection endpoint to the conn.log file.
# @load policy/protocols/conn/mac-logging
# JA3 - SSL Detection Goodness
@load ja3
# HASSH
@load hassh
# You can load your own intel into:
# /opt/so/saltstack/bro/policy/intel/ on the master
@load intel
# Load a custom Bro policy
# /opt/so/saltstack/bro/policy/custom/ on the master
#@load custom/somebropolicy.bro
# Write logs in JSON
redef LogAscii::use_json = T;
redef LogAscii::json_timestamps = JSON::TS_ISO8601;
# CVE-2020-0601
@load cve-2020-0601
# BPF Configuration
@load securityonion/bpfconf
# Community ID
@load securityonion/communityid
# Extracted files
@load securityonion/file-extraction

11
salt/zeek/files/local.zeek.jinja Normal file
View File

@@ -0,0 +1,11 @@
##! Local site policy.
{%- set ALLOWEDOPTIONS = [ '@load', '@load-sigs', 'redef' ] %}
{%- for k, v in LOCAL.items() %}
{%- if k|lower in ALLOWEDOPTIONS %}
{%- for li in v|sort %}
{{ k }} {{ li }}
{%- endfor %}
{%- endif %}
{%- endfor %}

4
salt/zeek/files/zeekctl.cfg.jinja
View File

@@ -2,8 +2,8 @@
{%- set ALLOWEDOPTIONS = ['commtimeout','commandtimeout','compresscmd','compressextension','compresslogs','compresslogsinflight','controltopic','crashexpireinterval','croncmd','debug','env_vars','havenfs','keeplogs','logdir','logexpireinterval','logrotationinterval','mailalarmsinterval','mailalarmsto','mailarchivelogfail','mailconnectionsummary','mailfrom','mailhostupdown','mailreceivingpackets','mailreplyto','mailsubjectprefix','mailto','makearchivename','memlimit','mindiskspace','pfringclusterid','pfringclustertype','pfringfirstappinstance','prefixes','savetraces','sendmail','sitepluginpath','sitepolicypath','sitepolicyscripts','statslogenable','statslogexpireinterval','statuscmdshowall','stoptimeout','stopwait','timefmt','timemachinehost','timemachineport','zeekargs','zeekport','bindir','capstatspath','cfgdir','debuglog','defaultstoredir','helperdir','libdir','libdir64','libdirinternal','localnetscfg','lockfile','logexpireminutes','nodecfg','os','pcapbufsize','pcapsnaplen','plugindir','pluginzeekdir','policydir','policydirsiteinstall','policydirsiteinstallauto','postprocdir','scriptsdir','spooldir','standalone','statefile','staticdir','statsdir','statslog','time','tmpdir','tmpexecdir','tracesummary','version','zeek','zeekbase'] %}
{%- for option in ZEEKCTL %}
{%- for option in ZEEKCTL|sort %}
{%- if option|lower in ALLOWEDOPTIONS %}
{{ option }} = {{ ZEEKCTL[option] }}
{%- endif %}
{%- endfor %}
{%- endfor %}

8
salt/zeek/init.sls
View File

@@ -4,8 +4,7 @@
{% set BPF_STATUS = 0 %}
{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
{% import_yaml 'zeek/defaults.yml' as ZEEKDEFAULTS %}
{% set ZEEK = salt['pillar.get']('zeek', default=ZEEKDEFAULTS.zeek, merge=True) %}
{% set ZEEK = salt['pillar.get']('zeek', {}) %}
# Zeek Salt State
@@ -144,13 +143,16 @@ zeekbpf:
- "ip or not ip"
{% endif %}
localzeeksync:
file.managed:
- name: /opt/so/conf/zeek/local.zeek
- source: salt://zeek/files/local.zeek
- source: salt://zeek/files/local.zeek.jinja
- user: 937
- group: 939
- template: jinja
- defaults:
LOCAL: {{ ZEEK.local | tojson }}
so-zeek:
docker_container.running: