CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' into feature/auth

Browse Source
This commit is contained in:
Jason Ertel
2020-04-09 17:37:09 -04:00
parent bb470be4e6 cf8c33ccea
commit c130c8fbf4
22 changed files with 249 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
pillar/firewall/fleet_nodes.sls
View File

@@ -1,3 +0,0 @@
fleet_nodes:
- 127.0.0.1

9
salt/common/nginx/nginx.conf.so-eval
View File

@@ -1,5 +1,7 @@
{%- set masterip = salt['pillar.get']('master:mainip', '') %}
{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %}
{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
{%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %}
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
@@ -217,6 +219,11 @@ http {
}
{%- if FLEET_NODE %}
location /fleet/ {
return 301 https://{{ FLEET_IP }}/fleet;
}
{%- else %}
location /fleet/ {
proxy_pass https://{{ masterip }}:8080;
proxy_read_timeout 90;
@@ -225,8 +232,8 @@ http {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
{%- endif %}
location /thehive/ {
proxy_pass http://{{ masterip }}:9000/thehive/;

9
salt/common/nginx/nginx.conf.so-master
View File

@@ -1,5 +1,7 @@
{%- set masterip = salt['pillar.get']('master:mainip', '') %}
{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %}
{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
{%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %}
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
@@ -217,6 +219,11 @@ http {
}
{%- if FLEET_NODE %}
location /fleet/ {
return 301 https://{{ FLEET_IP }}/fleet;
}
{%- else %}
location /fleet/ {
proxy_pass https://{{ masterip }}:8080;
proxy_read_timeout 90;
@@ -225,8 +232,8 @@ http {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
{%- endif %}
location /thehive/ {
proxy_pass http://{{ masterip }}:9000/thehive/;

9
salt/common/nginx/nginx.conf.so-mastersearch
View File

@@ -1,5 +1,7 @@
{%- set masterip = salt['pillar.get']('master:mainip', '') %}
{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %}
{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
{%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %}
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
@@ -217,6 +219,11 @@ http {
}
{%- if FLEET_NODE %}
location /fleet/ {
return 301 https://{{ FLEET_IP }}/fleet;
}
{%- else %}
location /fleet/ {
proxy_pass https://{{ masterip }}:8080;
proxy_read_timeout 90;
@@ -225,8 +232,8 @@ http {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
{%- endif %}
location /thehive/ {
proxy_pass http://{{ masterip }}:9000/thehive/;

2
salt/common/tools/sbin/so-status
View File

@@ -107,7 +107,7 @@ populate_container_lists() {
systemctl is-active --quiet docker
if [[ $? = 0 ]]; then
mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/v2/containers/json?all=1 \
mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/v1.40/containers/json?all=1 \
| jq -c '.[] | { Name: .Names[0], State: .State }' \
| tr -d '/{"}')
else

1
salt/elasticsearch/files/ingest/ossec.alert
View File

@@ -33,6 +33,7 @@
{ "rename": { "field": "data.win.eventdata.user", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "data.win.system.eventID", "target_field": "event.code", "ignore_missing": true } },
{ "rename": { "field": "predecoder.program_name", "target_field": "process.name", "ignore_missing": true } },
{ "rename": { "field": "rule.description", "target_field": "rule.name", "ignore_missing": true } },
{ "set": { "if": "ctx.rule.level == 1", "field": "rule.category", "value": "None" } },
{ "set": { "if": "ctx.rule.level == 2", "field": "rule.category", "value": "System low priority notification" } },
{ "set": { "if": "ctx.rule.level == 3", "field": "rule.category", "value": "Successful/authorized event" } },

2
salt/elasticsearch/files/ingest/strelka.file
View File

@@ -5,7 +5,7 @@
{ "rename": { "field": "message2.file", "target_field": "file", "ignore_missing": true } },
{ "rename": { "field": "message2.scan", "target_field": "scan", "ignore_missing": true } },
{ "rename": { "field": "message2.request", "target_field": "request", "ignore_missing": true } },
{ "rename": { "field": "scan.hash", "target_field": "file.hash", "ignore_missing": true } },
{ "rename": { "field": "scan.hash", "target_field": "hash", "ignore_missing": true } },
{ "remove": { "field": ["host", "path"], "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]

6
salt/elasticsearch/files/ingest/zeek.dnp3
View File

@@ -3,9 +3,9 @@
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.fc_request", "target_field": "fc_request", "ignore_missing": true } },
{ "rename": { "field": "message2.fc_reply", "target_field": "fc_reply", "ignore_missing": true } },
{ "rename": { "field": "message2.iin", "target_field": "iin", "ignore_missing": true } },
{ "rename": { "field": "message2.fc_request", "target_field": "dnp3.fc_request", "ignore_missing": true } },
{ "rename": { "field": "message2.fc_reply", "target_field": "dnp3.fc_reply", "ignore_missing": true } },
{ "rename": { "field": "message2.iin", "target_field": "dnp3.iin", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

4
salt/elasticsearch/files/ingest/zeek.files
View File

@@ -4,8 +4,8 @@
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.rx_hosts", "target_field": "file.receive_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.tx_hosts", "target_field": "file.transmit_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.rx_hosts", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.tx_hosts", "target_field": "source.ip", "ignore_missing": true } },
{ "set": { "field": "server.ip", "value": "{{source.ip}}", "ignore_failure": true } },
{ "set": { "field": "client.ip", "value": "{{destination.ip}}", "ignore_failure": true } },
{ "rename": { "field": "message2.conn_uids", "target_field": "log.id.uids", "ignore_missing": true } },

28
salt/elasticsearch/files/ingest/zeek.notice
View File

@@ -7,20 +7,20 @@
{ "rename": { "field": "message2.mime", "target_field": "file.mimetype", "ignore_missing": true } },
{ "rename": { "field": "message2.desc", "target_field": "file.description", "ignore_missing": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } },
{ "rename": { "field": "message2.msg", "target_field": "msg", "ignore_missing": true } },
{ "rename": { "field": "message2.sub", "target_field": "sub_msg", "ignore_missing": true } },
{ "rename": { "field": "message2.p", "target_field": "p", "ignore_missing": true } },
{ "rename": { "field": "message2.n", "target_field": "n", "ignore_missing": true } },
{ "rename": { "field": "message2.peer_descr", "target_field": "peer_description", "ignore_missing": true } },
{ "rename": { "field": "message2.actions", "target_field": "action", "ignore_missing": true } },
{ "rename": { "field": "message2.suppress_for", "target_field": "suppress_for", "ignore_missing": true } },
{ "rename": { "field": "message2.dropped", "target_field": "dropped", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_country_code", "target_field": "destination_country_code", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_region", "target_field": "destination_region", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_city", "target_field": "destination_city", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_latitude", "target_field": "destination_latitude", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_longitude", "target_field": "destination_longitude", "ignore_missing": true } },
{ "rename": { "field": "message2.note", "target_field": "notice.note", "ignore_missing": true } },
{ "rename": { "field": "message2.msg", "target_field": "notice.message", "ignore_missing": true } },
{ "rename": { "field": "message2.sub", "target_field": "notice.sub_message", "ignore_missing": true } },
{ "rename": { "field": "message2.p", "target_field": "notice.p", "ignore_missing": true } },
{ "rename": { "field": "message2.n", "target_field": "notice.n", "ignore_missing": true } },
{ "rename": { "field": "message2.peer_descr", "target_field": "notice.peer_description", "ignore_missing": true } },
{ "rename": { "field": "message2.actions", "target_field": "notice.action", "ignore_missing": true } },
{ "rename": { "field": "message2.suppress_for", "target_field": "notice.suppress_for", "ignore_missing": true } },
{ "rename": { "field": "message2.dropped", "target_field": "notice.dropped", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_country_code", "target_field": "geo.destination_country_code", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_region", "target_field": "geo.destination_region", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_city", "target_field": "geo.destination_city", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_latitude", "target_field": "geo.destination_latitude", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_longitude", "target_field": "geo.destination_longitude", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

2
salt/elasticsearch/files/ingest/zeek.rfb
View File

@@ -8,7 +8,7 @@
{ "rename": { "field": "message2.server_major_version", "target_field": "rfb.server_major_version", "ignore_missing": true } },
{ "rename": { "field": "message2.server_minor_version", "target_field": "rfb.server_minor_version", "ignore_missing": true } },
{ "rename": { "field": "message2.authentication_method", "target_field": "rfb.authentication.method","ignore_missing": true } },
{ "rename": { "field": "message2.auth", "target_field": "rfb.authenticaiton.success", "ignore_missing": true } },
{ "rename": { "field": "message2.auth", "target_field": "rfb.authentication.success", "ignore_missing": true } },
{ "rename": { "field": "message2.share_flag", "target_field": "rfb.share_flag", "ignore_missing": true } },
{ "rename": { "field": "message2.desktop_name", "target_field": "rfb.desktop.name", "ignore_missing": true } },
{ "rename": { "field": "message2.width", "target_field": "rfb.desktop.width", "ignore_missing": true } },

4
salt/filebeat/etc/filebeat.yml
View File

@@ -7,8 +7,8 @@
{%- set HOSTNAME = salt['grains.get']('host', '') %}
{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %}
{%- set STRELKAENABLED = salt['pillar.get']('static:strelka_enabled', '1') %}
{%- set WAZUHENABLED = salt['pillar.get']('master:wazuh_enabled', '0') %}
{%- set STRELKAENABLED = salt['pillar.get']('master:strelka_enabled', '0') %}
{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
{%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}

18
salt/firewall/init.sls
View File

@@ -8,6 +8,8 @@
{%- elif grains['role'] == 'so-fleet' %}
{%- set ip = salt['pillar.get']('node:mainip', '') %}
{%- endif %}
{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
{%- set FLEET_NODE_IP = salt['pillar.get']('static:fleet_ip') %}
# Quick Fix for Docker being difficult
iptables_fix_docker:
@@ -424,6 +426,22 @@ enable_forwardnode_sensoroni_9822_{{ip}}:
{% endfor %}
# Allow Fleet Node to send its beats traffic
{% if FLEET_NODE %}
enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ FLEET_NODE_IP }}
- dport: 5644
- position: 1
- save: True
{% endif %}
{% for ip in pillar.get('search_nodes') %}
enable_searchnode_redis_6379_{{ip}}:

2
salt/fleet/event_gen-packages.sls
View File

@@ -1,4 +1,4 @@
{% set ENROLLSECRET = salt['pillar.get']('auth:fleet_enroll-secret') %}
{% set ENROLLSECRET = salt['pillar.get']('secrets:fleet_enroll-secret') %}
so/fleet:
event.send:

31
salt/fleet/files/dedicated-index.html
View File

@@ -86,40 +86,9 @@ a {
<p>
<div style="text-align: center;">
<h1>Security Onion - Dedicated Fleet Node</h1>
<h2>Osquery Packages</h2>
</div>
<br/>
<h2>Notes</h2>
<ul>
<li>These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from <a href="https://osquery.io/downloads">osquery.io</a></li>
<li>Packages are not signed.</li>
</ul>
<br/>
<h2>Downloads</h2>
<div>
Generated: {{ PACKAGESTS }}
<br/>
<br/>
Packages:
<ul>
<li><a href="/launcher.msi" download="msi-launcher.msi">MSI (Windows)</a></li>
<li><a href="/launcher.deb" download="deb-launcher.deb">DEB (Debian)</a></li>
<li><a href="/launcher.rpm" download="rpm-launcher.rpm">RPM (RPM)</a></li>
<li><a href="/launcher.pkg" download="pkg-launcher.pkg">PKG (MacOS)</a></li>
</ul>
<br/>
<br/>
Config Files:
<ul>
<li><a href="/launcher.flags" download="launcher.flags.txt">RPM & DEB Flag File</a></li>
<li><a href="/launcher-msi.flags" download="launcher-msi.flags.txt">MSI Flag File</a></li>
</ul>
</div>
<br/>
<h2>Known Issues</h2>
<ul>
<li>None</li>
</ul>
</p>
</div>
</div>

4
salt/kibana/bin/so-kibana-config-load
View File

@@ -31,8 +31,8 @@ curl -X PUT "localhost:5601/api/saved_objects/config/$KIBANA_VERSION" -H 'kbn-xs
}'
# Sub our IP for placholders
for i in FLEETPLACEHOLDER PCAPPLACEHOLDER SOCTOPUSPLACEHOLDER; do
sed -i "s/$i/{{ MASTER }}/" /opt/so/saltstack/salt/kibana/saved_objects.ndjson
for i in PLACEHOLDER FLEETPLACEHOLDER PCAPPLACEHOLDER SOCTOPUSPLACEHOLDER; do
sed -i "s/$i/{{ MASTER }}/g" /opt/so/saltstack/salt/kibana/saved_objects.ndjson
done
# Load saved objects

207
salt/kibana/saved_objects.ndjson
View File

File diff suppressed because one or more lines are too long

16
salt/logstash/pipelines/templates/so/so-common-template.json
View File

@@ -184,6 +184,10 @@
"type":"object",
"dynamic": true
},
"irc":{
"type":"object",
"dynamic": true
},
"kerberos":{
"type":"object",
"dynamic": true
@@ -208,10 +212,18 @@
"type":"object",
"dynamic": true
},
"mysql":{
"type":"object",
"dynamic": true
},
"network":{
"type":"object",
"dynamic": true
},
"notice":{
"type":"object",
"dynamic": true
},
"ntlm":{
"type":"object",
"dynamic": true
@@ -316,6 +328,10 @@
"type":"object",
"dynamic": true
},
"syslog":{
"type":"object",
"dynamic": true
},
"tags":{
"type":"text",
"fields":{

8
salt/reactor/fleet.sls
View File

@@ -15,9 +15,9 @@ def run():
MAINIP = data['data']['mainip']
STATICFILE = '/opt/so/saltstack/pillar/static.sls'
AUTHFILE = '/opt/so/saltstack/pillar/auth.sls'
SECRETSFILE = '/opt/so/saltstack/pillar/secrets.sls'
if MINIONID.split('_')[-1] in ['master','eval','fleet']:
if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch']:
if ACTION == 'enablefleet':
logging.info('so/fleet enablefleet reactor')
@@ -29,8 +29,8 @@ def run():
line = re.sub(r'fleet_master: \S*', f"fleet_master: True", line.rstrip())
print(line)
# Update the enroll secret in the auth pillar
for line in fileinput.input(AUTHFILE, inplace=True):
# Update the enroll secret in the secrets pillar
for line in fileinput.input(SECRETSFILE, inplace=True):
line = re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip())
print(line)

2
salt/soctopus/files/SOCtopus.conf
View File

@@ -3,7 +3,7 @@
{%- set CORTEXKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
[es]
es_url = https://{{ip}}:9200
es_url = http://{{ip}}:9200
es_user = YOURESUSER
es_pass = YOURESPASS
es_index_pattern = so-*

2
salt/ssl/init.sls
View File

@@ -142,7 +142,7 @@ fbcrtlink:
backup: True
{% endif %}
{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-master' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' %}
{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-master' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' or grains['role'] == 'so-fleet' %}
fbcertdir:
file.directory:

2
salt/top.sls
View File

@@ -6,7 +6,7 @@
{%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%}
{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
{%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
{%- set STRELKA = salt['pillar.get']('master:strelka', '1') -%}
{%- set STRELKA = salt['pillar.get']('master:strelka', '0') -%}
base: