From cb8faf7c5fed95e46309aa9964620525b5bd9354 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 26 Jun 2023 16:14:04 -0400
Subject: [PATCH] Fix the rest of the analyst entries
---
 salt/allowed_states.map.jinja | 19 +----
 salt/common/files/analyst/README | 79 ------------------
 salt/common/tools/sbin/so-common | 2 +-
 .../files}/so-lockscreen.jpg | Bin
 .../files}/so-login-logo-dark.svg | 0
 .../files}/so-login-logo.svg | 0
 .../files}/so-wallpaper.jpg | Bin
 salt/desktop/packages.sls | 2 +-
 salt/desktop/trusted-ca.sls | 2 +-
 salt/desktop/xwindows.sls | 2 +-
 salt/logstash/enabled.sls | 12 +--
 salt/manager/tools/sbin/so-minion | 6 +-
 salt/manager/tools/sbin/soup | 2 +-
 salt/redis/enabled.sls | 4 +-
 salt/ssl/init.sls | 8 +-
 salt/telegraf/scripts/helixeps.sh | 36 --------
 16 files changed, 21 insertions(+), 153 deletions(-)
 delete mode 100644 salt/common/files/analyst/README
 rename salt/{common/files/analyst => desktop/files}/so-lockscreen.jpg (100%)
 rename salt/{common/files/analyst => desktop/files}/so-login-logo-dark.svg (100%)
 rename salt/{common/files/analyst => desktop/files}/so-login-logo.svg (100%)
 rename salt/{common/files/analyst => desktop/files}/so-wallpaper.jpg (100%)
 delete mode 100644 salt/telegraf/scripts/helixeps.sh
diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja
index 206c2fad6..805b54ab2 100644
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -51,23 +51,6 @@
 'tcpreplay',
 'docker_clean'
 ],
- 'so-helixsensor': [
- 'salt.master',
- 'ca',
- 'ssl',
- 'registry',
- 'telegraf',
- 'firewall',
- 'idstools',
- 'suricata.manager',
- 'zeek',
- 'redis',
- 'elasticsearch',
- 'logstash',
- 'schedule',
- 'tcpreplay',
- 'docker_clean'
- ],
 'so-idh': [
 'ssl',
 'telegraf',
@@ -245,7 +228,7 @@
 {% do allowed_states.append('playbook') %}
 {% endif %}
- {% if grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
+ {% if grains.role in ['so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
 {% do allowed_states.append('logstash') %}
 {% endif %}
diff --git a/salt/common/files/analyst/README b/salt/common/files/analyst/README
deleted file mode 100644
index 99c444ea8..000000000
--- a/salt/common/files/analyst/README
+++ /dev/null
@@ -1,79 +0,0 @@
-The following GUI tools are available on the analyst workstation:
-
-chromium
- url: https://www.chromium.org/Home
- To run chromium, click Applications > Internet > Chromium Web Browser
-
-Wireshark
- url: https://www.wireshark.org/
- To run Wireshark, click Applications > Internet > Wireshark Network Analyzer
-
-NetworkMiner
- url: https://www.netresec.com
- To run NetworkMiner, click Applications > Internet > NetworkMiner
-
-The following CLI tools are available on the analyst workstation:
-
-bit-twist
- url: http://bittwist.sourceforge.net
- To run bit-twist, open a terminal and type: bittwist -h
-
-chaosreader
- url: http://chaosreader.sourceforge.net
- To run chaosreader, open a terminal and type: chaosreader -h
-
-dnsiff
- url: https://www.monkey.org/~dugsong/dsniff/
- To run dsniff, open a terminal and type: dsniff -h
-
-foremost
- url: http://foremost.sourceforge.net
- To run foremost, open a terminal and type: foremost -h
-
-hping3
- url: http://www.hping.org/hping3.html
- To run hping3, open a terminal and type: hping3 -h
-
-netsed
- url: http://silicone.homelinux.org/projects/netsed/
- To run netsed, open a terminal and type: netsed -h
-
-ngrep
- url: https://github.com/jpr5/ngrep
- To run ngrep, open a terminal and type: ngrep -h
-
-scapy
- url: http://www.secdev.org/projects/scapy/
- To run scapy, open a terminal and type: scapy
-
-ssldump
- url: http://www.rtfm.com/ssldump/
- To run ssldump, open a terminal and type: ssldump -h
-
-sslsplit
- url: https://github.com/droe/sslsplit
- To run sslsplit, open a terminal and type: sslsplit -h
-
-tcpdump
- url: http://www.tcpdump.org
- To run tcpdump, open a terminal and type: tcpdump -h
-
-tcpflow
- url: https://github.com/simsong/tcpflow
- To run tcpflow, open a terminal and type: tcpflow -h
-
-tcpstat
- url: https://frenchfries.net/paul/tcpstat/
- To run tcpstat, open a terminal and type: tcpstat -h
-
-tcptrace
- url: http://www.tcptrace.org
- To run tcptrace, open a terminal and type: 
tcptrace -h
-
-tcpxtract
- url: http://tcpxtract.sourceforge.net/
- To run tcpxtract, open a terminal and type: tcpxtract -h
-
-whois
- url: http://www.linux.it/~md/software/
- To run whois, open a terminal and type: whois -h
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index f25bdb431..d41c8fc0c 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -243,7 +243,7 @@ is_manager_node() {
 is_sensor_node() {
 # Check to see if this is a sensor (forward) node
 is_single_node_grid && return 0
- grep "role: so-" /etc/salt/grains | grep -E "sensor|heavynode|helix" &> /dev/null
+ grep "role: so-" /etc/salt/grains | grep -E "sensor|heavynode" &> /dev/null
 }
 is_single_node_grid() {
diff --git a/salt/common/files/analyst/so-lockscreen.jpg b/salt/desktop/files/so-lockscreen.jpg
similarity index 100%
rename from salt/common/files/analyst/so-lockscreen.jpg
rename to salt/desktop/files/so-lockscreen.jpg
diff --git a/salt/common/files/analyst/so-login-logo-dark.svg b/salt/desktop/files/so-login-logo-dark.svg
similarity index 100%
rename from salt/common/files/analyst/so-login-logo-dark.svg
rename to salt/desktop/files/so-login-logo-dark.svg
diff --git a/salt/common/files/analyst/so-login-logo.svg b/salt/desktop/files/so-login-logo.svg
similarity index 100%
rename from salt/common/files/analyst/so-login-logo.svg
rename to salt/desktop/files/so-login-logo.svg
diff --git a/salt/common/files/analyst/so-wallpaper.jpg b/salt/desktop/files/so-wallpaper.jpg
similarity index 100%
rename from salt/common/files/analyst/so-wallpaper.jpg
rename to salt/desktop/files/so-wallpaper.jpg
diff --git a/salt/desktop/packages.sls b/salt/desktop/packages.sls
index 4bf5122fb..f0fe000c8 100644
--- a/salt/desktop/packages.sls
+++ b/salt/desktop/packages.sls
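Review bot: The new role test in is_sensor_node is still an unanchored substring match: `grep -E "sensor|heavynode"` accepts any `role: so-` line that merely contains one of those words, so a future role whose name happens to contain them, or a stray second `role:` line in /etc/salt/grains, would also be classed as a sensor node. Anchoring the pattern closes that and lets `-q` replace the `&> /dev/null` redirect: `grep -qE "^role: so-(sensor|heavynode)$" /etc/salt/grains`. This assumes the role grain is a top-level key at column 0 in that file, which the existing `"role: so-"` prefix match already presumes but which is not visible here. Dropping the `helix` alternative is consistent with the rest of the commit.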
@@ -305,6 +305,6 @@ desktop_packages:
 desktop_packages_os_fail:
 test.fail_without_changes:
- - comment: 'SO Analyst Workstation can only be installed on Rocky'
+ - comment: 'SO desktop can only be installed on Rocky'
 {% endif %}
diff --git a/salt/desktop/trusted-ca.sls b/salt/desktop/trusted-ca.sls
index 0045f9cd2..352b747b6 100644
--- a/salt/desktop/trusted-ca.sls
+++ b/salt/desktop/trusted-ca.sls
@@ -31,6 +31,6 @@ update_ca_certs:
 desktop_trusted-ca_os_fail:
 test.fail_without_changes:
- - comment: 'SO Analyst Workstation can only be installed on CentOS'
+ - comment: 'SO Desktop can only be installed on CentOS'
 {% endif %}
diff --git a/salt/desktop/xwindows.sls b/salt/desktop/xwindows.sls
index 75230c532..71de07120 100644
--- a/salt/desktop/xwindows.sls
+++ b/salt/desktop/xwindows.sls
@@ -18,6 +18,6 @@ graphical_target:
 desktop_xwindows_os_fail:
 test.fail_without_changes:
- - comment: 'SO Analyst Workstation can only be installed on Rocky'
+ - comment: 'SO Desktop can only be installed on Rocky'
 {% endif %}
diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls
index abc28cfe6..ac937ca7b 100644
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -54,7 +54,7 @@ so-logstash:
 - /opt/so/log/logstash:/var/log/logstash:rw
 - /sys/fs/cgroup:/sys/fs/cgroup:ro
 - /opt/so/conf/logstash/etc/certs:/usr/share/logstash/certs:ro
- {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
+ {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
 - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro
 - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
 {% endif %}
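Review bot: The three renamed failure messages do not agree with each other: packages.sls now says `'SO desktop can only be installed on Rocky'` while trusted-ca.sls and xwindows.sls say `'SO Desktop …'`, and trusted-ca.sls still names CentOS where the other two name Rocky. The `{% if %}` that guards each `test.fail_without_changes` state is outside its hunk, so I cannot see which OS it tests; if trusted-ca.sls checks for Rocky like its siblings, the message there is wrong rather than merely worded differently, and `- comment: 'SO Desktop can only be installed on Rocky'` would align it. Either way the casing of "Desktop" should be the same in all three files since this commit is the one introducing the wording.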
@@ -62,12 +62,12 @@ so-logstash:
 - /opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.crt:/usr/share/logstash/elasticfleet-logstash.crt:ro
 - /opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.p8:/usr/share/logstash/elasticfleet-logstash.key:ro
 {% endif %}
- {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
+ {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
 - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
 {% else %}
 - /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
 {% endif %}
- {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode'] %}
+ {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode'] %}
 - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
 - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
 {% endif %}
@@ -91,15 +91,15 @@ so-logstash:
 {% endfor %}
 {% endfor %}
 - require:
 {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
+ {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
 - x509: etc_filebeat_crt
 {% endif %}
- {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
+ {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
 - x509: pki_public_ca_crt
 {% else %}
 - x509: trusttheca
 {% endif %}
- {% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
+ {% if grains.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
 - file: cacertz
 - file: capemz
 {% endif %}
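Review bot: The role lists in the `require:` hunk are read three different ways — `GLOBALS.role` in the @@ -54 and @@ -62 hunks, `grains['role']` in the first two conditions here, and `grains.role` in the last — and the same literal lists are copied again in redis/enabled.sls and ssl/init.sls, which is how a stale entry could survive until now (this commit removes 'so-helix' from these files but 'so-helixsensor' from allowed_states.map.jinja, so the two spellings had evidently drifted). Hoisting each distinct list into one named jinja variable at the top of the file, or into the GLOBALS map, and using a single accessor in every condition, e.g. `{% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}` for all three occurrences of that set, would make the next role removal a one-line change and make a missed entry visible. The so-logstash state these hunks belong to starts before the first hunk and its remainder is outside this view.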
diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
index df0adb73c..ad2188644 100755
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -184,12 +184,12 @@ function add_logstash_to_minion() {
 " " >> $PILLARFILE
 }
-# Analyst Workstation
-function add_analyst_to_minion() {
+# Security Onion Desktop
+function add_desktop_to_minion() {
 printf '%s\n'\
 "host:"\
 " mainint: '$MNIC'"\
- "workstation:"\
+ "desktop:"\
 " gui:"\
 " enabled: true"\
 "sensoroni:"\
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index a4e22040d..3c565c760 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -840,7 +840,7 @@ main() {
 if [[ $is_airgap -eq 0 ]]; then
 echo ""
 echo "Cleaning repos on remote Security Onion nodes."
- salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
+ salt -C 'not *_eval and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
 echo ""
 fi
 fi
diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls
index c9ba37094..2a4f5a179 100644
--- a/salt/redis/enabled.sls
+++ b/salt/redis/enabled.sls
@@ -30,7 +30,7 @@ so-redis:
 - /opt/so/conf/redis/working:/redis:rw
 - /etc/pki/redis.crt:/certs/redis.crt:ro
 - /etc/pki/redis.key:/certs/redis.key:ro
- {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
+ {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
 - /etc/pki/ca.crt:/certs/ca.crt:ro
 {% else %}
 - /etc/ssl/certs/intca.crt:/certs/ca.crt:ro
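Review bot: Renaming `add_analyst_to_minion` to `add_desktop_to_minion` and the pillar key `workstation:` to `desktop:` are interface changes whose other halves are not in this hunk: whatever dispatches on node type later in so-minion to call this function, and the state or pillar lookup that reads the `gui: enabled:` value under the old `workstation:` key, both need the matching rename, and the diffstat lists no second so-minion hunk, so it is worth confirming those call sites were already updated. The function body continues past the end of the hunk; if it ends with the same unquoted `>> $PILLARFILE` that closes add_logstash_to_minion just above, `>> "$PILLARFILE"` would keep the redirect intact should the path ever contain whitespace.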
@@ -59,7 +59,7 @@ so-redis:
 - file: redisconf
 - x509: redis_crt
 - x509: redis_key
- {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
+ {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
 - x509: pki_public_ca_crt
 {% else %}
 - x509: trusttheca
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 96953ffff..358357459 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -16,7 +16,7 @@
 {% set COMMONNAME = GLOBALS.manager %}
 {% endif %}
-{% if grains.id.split('_')|last in ['manager', 'managersearch', 'eval', 'standalone', 'import', 'helixsensor'] %}
+{% if grains.id.split('_')|last in ['manager', 'managersearch', 'eval', 'standalone', 'import'] %}
 include:
 - ca
 {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
@@ -94,7 +94,7 @@ influxkeyperms:
 - mode: 640
 - group: 939
-{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-fleet', 'so-receiver'] %}
+{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-fleet', 'so-receiver'] %}
 # Create a cert for Redis encryption
 redis_key:
 x509.private_key_managed:
@@ -332,7 +332,7 @@ eflogstashcrtlink:
 {% endif %}
-{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
+{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
 etc_filebeat_key:
 x509.private_key_managed:
 - name: /etc/pki/filebeat.key
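Review bot: The condition in the @@ -16 hunk still derives the node type from the minion id suffix, `grains.id.split('_')|last in ['manager', …]`, while the conditions at @@ -94 and @@ -332 (and every other file in this commit) use `grains['role']`; the two only agree as long as every minion id ends in `_<role>`, so a node whose id does not follow that convention would get the `ca` include and `trusttheca_text` from one test but the redis and filebeat certificates from the other. Switching the first test to the role grain, `{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}`, would keep the file on one source of truth for node role. I cannot see whether anything else in the file depends on the id-based form, so treat this as a follow-up rather than a blocker for this cleanup.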
@@ -554,7 +554,7 @@ msslkeyperms:
 {% endif %}
-{% if grains['role'] in ['so-sensor', 'so-manager', 'so-searchnode', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-idh', 'so-import', 'so-receiver'] %}
+{% if grains['role'] in ['so-sensor', 'so-manager', 'so-searchnode', 'so-eval', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-idh', 'so-import', 'so-receiver'] %}
 fbcertdir:
 file.directory:
diff --git a/salt/telegraf/scripts/helixeps.sh b/salt/telegraf/scripts/helixeps.sh
deleted file mode 100644
index b85db2a8c..000000000
--- a/salt/telegraf/scripts/helixeps.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/bash
-#
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-# if this script isn't already running
-if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
-
- PREVCOUNTFILE='/tmp/helixevents.txt'
- EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.pipelines.helix.events.out')"
-
- if [ ! -z "$EVENTCOUNTCURRENT" ]; then
-
- if [ -f "$PREVCOUNTFILE" ]; then
- EVENTCOUNTPREVIOUS=`cat $PREVCOUNTFILE`
- else
- echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
- exit 0
- fi
-
- echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
- EVENTS=$(((EVENTCOUNTCURRENT - EVENTCOUNTPREVIOUS)/30))
- if [ "$EVENTS" -lt 0 ]; then
- EVENTS=0
- fi
-
- echo "helixeps eps=${EVENTS%%.*}"
- fi
-
-fi
-
-exit 0