From cc5565d5bc1fe95993076fe0a5736fba5e5e9359 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 18 Nov 2019 15:33:21 -0500
Subject: [PATCH 1/9] fix needs_restarting module
---
 salt/_modules/needs_restarting.py | 7 +++----
 salt/motd/init.sls | 2 +-
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/salt/_modules/needs_restarting.py b/salt/_modules/needs_restarting.py
index 49f82bbf2..5afb6f02a 100644
--- a/salt/_modules/needs_restarting.py
+++ b/salt/_modules/needs_restarting.py
@@ -4,20 +4,19 @@ import subprocess
 def check():
 os = __grains__['os']
+ retval = 'False'
 if os == 'Ubuntu':
 if path.exists('/var/run/reboot-required'):
 retval = 'True'
- else:
- retval = 'False'
 elif os == 'CentOS':
 cmd = 'needs-restarting -r > /dev/null 2>&1'
+ try:
- needs_restarting = subprocess.check_call(cmd.split(), shell=True)
+ needs_restarting = subprocess.check_call(cmd, shell=True)
 except subprocess.CalledProcessError:
 retval = 'True'
- retval = 'False'
 else:
 retval = 'Unsupported OS: %s' % os
diff --git a/salt/motd/init.sls b/salt/motd/init.sls
index a314ddb80..4dae979bf 100644
--- a/salt/motd/init.sls
+++ b/salt/motd/init.sls
@@ -1,5 +1,5 @@
 package_update_reboot_required_motd:
- file.append:
+ file.managed:
 - name: /etc/motd
 - source: salt://motd/files/package_update_reboot_required.jinja
 - template: jinja
From 726251cd940b46d932f0e4e3b1939d70a375f82e Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 18 Nov 2019 16:02:48 -0500
Subject: [PATCH 2/9] changes to patch motd so nodes can be removed after they restarted - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/112
---
 salt/patch/needs_restarting.sls | 4 ++++
 salt/patch/os/init.sls | 9 +++------
 2 files changed, 7 insertions(+), 6 deletions(-)
 create mode 100644 salt/patch/needs_restarting.sls
diff --git a/salt/patch/needs_restarting.sls b/salt/patch/needs_restarting.sls
new file mode 100644
index 000000000..f7ba2626d
--- /dev/null
+++ b/salt/patch/needs_restarting.sls
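Review bot: In the CentOS branch the except clause still maps every CalledProcessError to `retval = 'True'`, so a host without yum-utils (the shell exits 127 when `needs-restarting` is missing) or any other failure of the command is reported as needing a reboot, when only exit code 1 from `needs-restarting -r` means that. I would bind the exception and distinguish the cases: `except subprocess.CalledProcessError as err:` followed by `retval = 'True' if err.returncode == 1 else 'Unable to run needs-restarting: %s' % err` — the Unsupported-OS branch already returns free-form text, so callers must already cope with a non-boolean string. The `needs_restarting` local is assigned and never read, so the call can stand alone as `subprocess.check_call(cmd, shell=True)`; with the redirection kept inside `cmd`, `shell=True` is genuinely required there. check()'s return statement lies outside the hunk.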
@@ -0,0 +1,4 @@
+needs_restarting:
+ module.run:
+ - mine.send:
+ - func: needs_restarting.check
diff --git a/salt/patch/os/init.sls b/salt/patch/os/init.sls
index 97183199b..a29bf8d12 100644
--- a/salt/patch/os/init.sls
+++ b/salt/patch/os/init.sls
@@ -1,5 +1,6 @@
-{% if grains.os == "CentOS" %}
 include:
+ - patch.needs_restarting
+{% if grains.os == "CentOS" %}
 - yum.packages
 {% endif %}
@@ -7,8 +8,4 @@ patch_os:
 pkg.uptodate:
 - name: patch_os
 - refresh: True
-
-needs_restarting:
- module.run:
- - mine.send:
- - func: needs_restarting.check
+ - onchanges_in: needs_restarting
From bec95f3aef89160d8c18b09d84966c4478bc8aa5 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 18 Nov 2019 16:25:06 -0500
Subject: [PATCH 3/9] apply patch.needs_restarting state to all nodes
---
 salt/top.sls | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/top.sls b/salt/top.sls
index 46745a38b..7f3d7fef4 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -6,6 +6,7 @@
 {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}
 base:
 '*':
+ = patch.needs_restarting
 - patch.os.schedule
 - motd
From 767115c218cb9c147a4d732d7168dc4979ac143e Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 18 Nov 2019 16:27:14 -0500
Subject: [PATCH 4/9] fix typo in salt top file
---
 salt/top.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/top.sls b/salt/top.sls
index 7f3d7fef4..b1c64def4 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -6,7 +6,7 @@
 {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}
 base:
 '*':
- = patch.needs_restarting
+ - patch.needs_restarting
 - patch.os.schedule
 - motd
From 09bf22c97a6e738672de2f7a2bbb277af700939c Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 19 Nov 2019 10:06:52 -0500
Subject: [PATCH 5/9] fix issues with updating motd if nodes needs restarted due to OS patch updates
---
 salt/patch/needs_restarting.sls | 1 +
 salt/patch/os/init.sls | 1 -
 salt/top.sls | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/patch/needs_restarting.sls b/salt/patch/needs_restarting.sls
index f7ba2626d..f60909d22 100644
--- a/salt/patch/needs_restarting.sls
+++ b/salt/patch/needs_restarting.sls
@@ -2,3 +2,4 @@ needs_restarting:
 module.run:
 - mine.send:
 - func: needs_restarting.check
+ - order: last
diff --git a/salt/patch/os/init.sls b/salt/patch/os/init.sls
index a29bf8d12..7f2adc65b 100644
--- a/salt/patch/os/init.sls
+++ b/salt/patch/os/init.sls
@@ -8,4 +8,3 @@ patch_os:
 pkg.uptodate:
 - name: patch_os
 - refresh: True
- - onchanges_in: needs_restarting
diff --git a/salt/top.sls b/salt/top.sls
index b1c64def4..a2662a89b 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -6,8 +6,8 @@
 {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}
 base:
 '*':
- - patch.needs_restarting
 - patch.os.schedule
+ - patch.needs_restarting
 - motd
 'G@role:so-sensor':
From 34460a6b07c0814ae623564a3ef7907b234c78ac Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 19 Nov 2019 16:25:10 +0000
Subject: [PATCH 6/9] add Cortex org user to setup
---
 so-setup-network.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/so-setup-network.sh b/so-setup-network.sh
index 12029a4d3..5bf574429 100644
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -436,6 +436,7 @@ generate_passwords(){
 FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
 HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
 CORTEXKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
+ CORTEXORGUSERKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
 SENSORONIKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
 }
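Review bot: The collapsed diff has lost the indentation of the added `- order: last` line in needs_restarting.sls, and where it sits decides what it does: as a sibling of `- mine.send:` it is the state's ordering option, but nested beside `- func:` it becomes a keyword argument to mine.send, which mine.send would most likely forward to needs_restarting.check and fail on. Worth confirming in the file that it is indented at the `- mine.send:` level, i.e. `    - mine.send:` / `      - func: needs_restarting.check` / `    - order: last`.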
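Review bot: The added CORTEXORGUSERKEY line in generate_passwords copies the urandom pipeline verbatim as the fourth of five identical pipelines visible in the hunk; a helper keeps the alphabet and the 20-character length in one place, `gen_key() { tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1; }` and then `CORTEXORGUSERKEY=$(gen_key)`. The construction itself is sound for an API key: 20 symbols from a 62-character alphabet drawn from /dev/urandom. generate_passwords begins before the hunk.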
@@ -604,6 +605,9 @@ master_static() {
 echo " cortexuser: cortexadmin" >> /opt/so/saltstack/pillar/static.sls
 echo " cortexpassword: cortexchangeme" >> /opt/so/saltstack/pillar/static.sls
 echo " cortexkey: $CORTEXKEY" >> /opt/so/saltstack/pillar/static.sls
+ echo " cortexorgname: SecurityOnion" >> /opt/so/saltstack/pillar/static.sls
+ echo " cortexorguser: soadmin" >> /opt/so/saltstack/pillar/static.sls
+ echo " cortexorguserkey: $CORTEXORGUSERKEY" >> /opt/so/saltstack/pillar/static.sls
 echo " fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls
 echo " sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls
 if [[ $MASTERUPDATES == 'MASTER' ]]; then
From b7ad65a837bfaac5d31160f54c42b4bec9a33e87 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 19 Nov 2019 16:28:05 +0000
Subject: [PATCH 7/9] add Cortex org user
---
 salt/hive/thehive/scripts/cortex_init.sh | 26 +++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/salt/hive/thehive/scripts/cortex_init.sh b/salt/hive/thehive/scripts/cortex_init.sh
index 3596c98dd..506b14be5 100644
--- a/salt/hive/thehive/scripts/cortex_init.sh
+++ b/salt/hive/thehive/scripts/cortex_init.sh
@@ -3,6 +3,9 @@
 {%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', '') %}
 {%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', '') %}
 {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %}
+{%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %}
+{%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %}
+{%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
 cortex_init(){
 sleep 60
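Review bot: The new `cortexorgname` and `cortexorguser` entries are fixed to `SecurityOnion` and `soadmin` rather than taken from setup input, which the cortex_init.sh comments later in this series describe as "user-supplied"; a comment above the three echo lines, `# Cortex org name and org admin login are fixed at setup; only the key is generated`, would keep the two in step. The section also appends a second API key to static.sls with `>>`, and the hunk does not show how that file's mode is set; if setup does not already tighten it once the writes are done (a `chmod 600` on the pillar file, assuming the master reads pillar as root), that is worth checking. master_static's body continues on both sides of the hunk.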
@@ -10,17 +13,34 @@ cortex_init(){
 CORTEX_USER="{{CORTEXUSER}}"
 CORTEX_PASSWORD="{{CORTEXPASSWORD}}"
 CORTEX_KEY="{{CORTEXKEY}}"
+ CORTEX_ORG_NAME="{{CORTEXORGNAME}}"
+ CORTEX_ORG_DESC="{{CORTEXORGNAME}} organization created by Security Onion setup"
+ CORTEX_ORG_USER="{{CORTEXORGUSER}}"
+ CORTEX_ORG_USER_KEY="{{CORTEXORGUSERKEY}}"
 SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
+ # Migrate DB
 curl -v -k -XPOST "https://$CORTEX_IP:/cortex/api/maintenance/migrate"
- # Create intial Cortex user
+ # Create intial Cortex superadmin
 curl -v -k "https://$CORTEX_IP/cortex/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$CORTEX_USER\",\"name\" : \"$CORTEX_USER\",\"roles\" : [\"superadmin\"],\"preferences\" : \"{}\",\"password\" : \"$CORTEX_PASSWORD\", \"key\": \"$CORTEX_KEY\"}"
- # Enable URLScan.io Analyzer
- curl -v -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/organization/analyzer/Urlscan_io_Search_0_1_0" -d '{"name":"Urlscan_io_Search_0_1_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2}}'
+ # Create user-supplied org
+ curl -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/organization" -d "{ \"name\": \"$CORTEX_ORG_NAME\",\"description\": \"$CORTEX_ORG_DESC\",\"status\": \"Active\"}"
+ # Create user-supplied org user
+ curl -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/user" -d "{\"name\": \"$CORTEX_ORG_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_ORG_USER\",\"key\": \"$CORTEX_ORG_USER_KEY\" }"
+
+ # Enable URLScan.io Analyzer
+ curl -v -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/organization/analyzer/Urlscan_io_Search_0_1_0" -d '{"name":"Urlscan_io_Search_0_1_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2}}'
+
+ # Enable Cert PassiveDNS Analyzer
+ curl -v -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/organization/analyzer/CERTatPassiveDNS_2_0" -d '{"name":"CERTatPassiveDNS_2_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2, "limit": 100}}'
+
+ # Revoke $CORTEX_USER key
+ curl -k -XDELETE -H "Authorization: Bearer $CORTEX_KEY" "https:///$CORTEX_IP/api/user/$CORTEX_USER/key"
+ # Update SOCtopus config with apikey value
 #sed -i "s/cortex_key = .*/cortex_key = $CORTEX_KEY/" $SOCTOPUS_CONFIG
From 76cdc02305abb43c8709af760723a5a29cda1c95 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 19 Nov 2019 16:28:42 +0000
Subject: [PATCH 8/9] user Cortex org user instead
---
 salt/hive/thehive/etc/application.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/hive/thehive/etc/application.conf b/salt/hive/thehive/etc/application.conf
index 6cc72813e..3b6c89637 100644
--- a/salt/hive/thehive/etc/application.conf
+++ b/salt/hive/thehive/etc/application.conf
@@ -1,5 +1,5 @@
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
-{%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %}
+{%- set CORTEXKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
 # Secret Key
 # The secret key is used to secure cryptographic functions.
From 7373473b3f2719ba5c7acfc051dbf32f4f06ab5b Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 19 Nov 2019 15:02:35 -0500
Subject: [PATCH 9/9] Fix dup events
---
 .../files/dynamic/0006_input_beats.conf | 17 -----------------
 1 file changed, 17 deletions(-)
diff --git a/salt/logstash/files/dynamic/0006_input_beats.conf b/salt/logstash/files/dynamic/0006_input_beats.conf
index 1a6b66bbe..a7140f859 100644
--- a/salt/logstash/files/dynamic/0006_input_beats.conf
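Review bot: The key-revocation URL on the last added curl, `https:///$CORTEX_IP/api/user/$CORTEX_USER/key`, has a triple slash and lacks the `/cortex` prefix every other request in this function uses, so the DELETE most likely never reaches Cortex (curl sees an empty host) and the superadmin key created earlier in the function stays valid after setup; it should read `curl -k -XDELETE -H "Authorization: Bearer $CORTEX_KEY" "https://$CORTEX_IP/cortex/api/user/$CORTEX_USER/key"`. None of the new organization, user, analyzer or revoke requests check their result (no `-f`, no exit-status test), so a failed org or user creation leaves TheHive configured with a key that was never created, silently. Revoking $CORTEX_KEY also invalidates it for anything later in setup that still references it, such as the commented-out SOCtopus sed on the last context line; a one-line comment stating that $CORTEX_ORG_USER_KEY is the key to use from here on would help. cortex_init continues outside the hunk.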
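Review bot: The Jinja variable keeps the name CORTEXKEY while it now reads `static:cortexorguserkey`, so application.conf reads as if TheHive still authenticates with the Cortex superadmin key. Renaming it to `{%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %}` (together with its use further down, outside the hunk), or adding `# org-scoped Cortex user key, not the superadmin key` above the line, makes the intent visible to the next reader.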
+++ b/salt/logstash/files/dynamic/0006_input_beats.conf
@@ -9,23 +9,6 @@ input {
 }
 }
 filter {
- if [type] == "ids" or [type] =~ "bro" {
- mutate {
- rename => { "host" => "beat_host" }
- remove_tag => ["beat"]
- add_field => { "sensor_name" => "%{[beat][name]}" }
- add_field => { "syslog-host_from" => "%{[beat][name]}" }
- remove_field => [ "beat", "prospector", "input", "offset" ]
- }
- }
- if [type] =~ "ossec" {
- mutate {
- rename => { "host" => "beat_host" }
- remove_tag => ["beat"]
- add_field => { "syslog-host_from" => "%{[beat][name]}" }
- remove_field => [ "beat", "prospector", "input", "offset" ]
- }
- }
 if [type] == "osquery" {
 mutate {
 rename => { "host" => "beat_host" }