From 569cb24861d016934a4b874b1839928c383d5880 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 10 Nov 2021 16:53:01 -0500 Subject: [PATCH 1/9] Use python lib to make cidr validation more strict Also update ipv4 validation to match the method used to validate cidr strings --- salt/common/tools/sbin/so-common | 57 ++++++++++++++++++++++++-------- tests/validation.sh | 18 +++++----- 2 files changed, 52 insertions(+), 23 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index fe97c9b27..314cf3d9f 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -390,20 +390,30 @@ has_uppercase() { } valid_cidr() { - # Verify there is a backslash in the string - echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1 - - local cidr - local ip + local cidr=$1 - cidr=$(echo "$1" | sed 's/.*\///') - ip=$(echo "$1" | sed 's/\/.*//' ) - - if valid_ip4 "$ip"; then - [[ $cidr =~ ([0-9]|[1-2][0-9]|3[0-2]) ]] && return 0 || return 1 - else - return 1 - fi + read -r -d '' cidr_python <<- EOM + import ipaddress + import sys + + def validate_cidr(cidr: str) -> bool: + # We want the string to be a cidr block and not a single ip + if '/' not in cidr: + return False + try: + ipaddress.ip_network(cidr) + except ValueError: + return False + return True + + if validate_cidr('$cidr'): + sys.exit(0) + else: + sys.exit(1) + EOM + + python3 -c "$cidr_python" + return $? } valid_cidr_list() { @@ -447,7 +457,26 @@ valid_hostname() { valid_ip4() { local ip=$1 - echo "$ip" | grep -qP '^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$' && return 0 || return 1 + local ip_python + read -r -d '' ip_python <<- EOM + import ipaddress + import sys + + def validate_ip(ip: str) -> bool: + try: + ipaddress.ip_address(ip) + except ValueError: + return False + return True + + if validate_ip('$ip'): + sys.exit(0) + else: + sys.exit(1) + EOM + + python3 -c "$ip_python" + return $? } valid_int() { 
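Review bot: `validate_cidr('$cidr')` in the valid_cidr hunk splices the shell value into Python source, because the heredoc delimiter `EOM` is unquoted so `$cidr` is expanded before `python3 -c` runs; a value containing a single quote ends the string literal and the remainder is executed as Python, and this function exists precisely to check values that have not been validated yet. Pass the value as an argument instead: `python3 -c "$cidr_python" "$cidr"` with `if validate_cidr(sys.argv[1]):` in the embedded script. `cidr_python` is also not declared `local` (the valid_ip4 hunk declares `local ip_python`), so it leaks into the caller's scope. The valid_ip4 hunk below has the same interpolation in `validate_ip('$ip')` and needs the same argv change.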
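Review bot: `ipaddress.ip_address(ip)` in the valid_ip4 hunk accepts IPv6 literals too, so valid_ip4 now returns 0 for input such as `::1`, which the replaced dotted-quad regex rejected; the test file labels these sections "ip4" and "CIDR (ipv4)", so the widened contract looks unintended. Use `ipaddress.IPv4Address(ip)` here and `ipaddress.IPv4Network(cidr)` in the valid_cidr hunk above; both raise ValueError for anything else, so the except clauses stay as they are. Note that `ip_network` with its default `strict=True` rejects a block whose host bits are set, which is the intended tightening and matches the updated test value `192.160.0.0/12`.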
diff --git a/tests/validation.sh b/tests/validation.sh index 6ec2a5247..cfec11198 100644 --- a/tests/validation.sh +++ b/tests/validation.sh @@ -46,7 +46,7 @@ test_fun 1 valid_fqdn "rwwiv." test_fun 1 valid_fqdn "" -sleep 0.15s +sleep 0.15 header "ip4" @@ -62,13 +62,13 @@ test_fun 1 valid_ip4 "192.168.1.1." test_fun 1 valid_ip4 "" -sleep 0.15s +sleep 0.15 header "CIDR (ipv4)" test_fun 0 valid_cidr "192.168.1.0/24" -test_fun 0 valid_cidr "192.168.1.0/12" +test_fun 0 valid_cidr "192.160.0.0/12" test_fun 1 valid_cidr "192.168.1.0" @@ -78,7 +78,7 @@ test_fun 1 valid_ip4 "/24" test_fun 1 valid_cidr "" -sleep 0.15s +sleep 0.15 header "CIDR list" @@ -90,7 +90,7 @@ test_fun 1 valid_cidr_list "10.0.0.0/8,192.168.0.0/16172.16.0.0/12" test_fun 1 valid_cidr_list "10.0.0.0" -sleep 0.15s +sleep 0.15 header "DNS" @@ -104,7 +104,7 @@ test_fun 1 valid_dns_list "8.8.8.,8.8.4.4" test_fun 1 valid_dns_list "192.168.9." -sleep 0.15s +sleep 0.15 header "int (default min: 1, default max: 1000000000)" @@ -130,7 +130,7 @@ test_fun 1 valid_int "not_a_num" test_fun 1 valid_int "" -sleep 0.15s +sleep 0.15 header "hostname" @@ -146,7 +146,7 @@ test_fun 1 valid_hostname "localhost" test_fun 1 valid_hostname "" -sleep 0.15s +sleep 0.15 header "string (default min_length: 1, default max_length: 64)" @@ -168,7 +168,7 @@ test_fun 1 valid_string "too_long" "" "4" test_fun 1 valid_string "" -sleep 0.15s +sleep 0.15 header "Linux user" From 62b41af0694bcb3377eddfc5f8c9affc088db6b8 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 10 Nov 2021 17:17:19 -0500 Subject: [PATCH 2/9] Fix docs link being cut off --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 13bfa82b4..5514774ed 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
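Review bot: Replacing `192.168.1.0/12` with `192.160.0.0/12` in the CIDR hunk removes the only input that exercises the new host-bits strictness; keep the old value as a negative case, `test_fun 1 valid_cidr "192.168.1.0/12"`, so a later relaxation of the check is caught. There is also no case pinning the IPv4-only contract the function names imply, e.g. `test_fun 1 valid_ip4 "::1"`; such a case would currently fail, because `ipaddress.ip_address` accepts IPv6 literals. The `sleep 0.15s` to `sleep 0.15` edits are fine as they are.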
@@ -735,7 +735,7 @@ whiptail_install_type() { # What kind of install are we doing? install_type=$(whiptail --title "$whiptail_title" --radiolist \ - "Choose install type. See https://docs.securityonion.net/architecture for details." 12 65 5 \ + "Choose install type. See https://docs.securityonion.net/architecture for details." 13 65 5 \ "EVAL" "Evaluation mode (not for production) " ON \ "STANDALONE" "Standalone production install " OFF \ "DISTRIBUTED" "Distributed install submenu " OFF \ From ed3b2e45697a1e2e3f7902f9c4df80ef7b1a8784 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 10 Nov 2021 17:46:35 -0500 Subject: [PATCH 3/9] Put entire ref to doc page on new line --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 5514774ed..8e5ef408d 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -735,7 +735,7 @@ whiptail_install_type() { # What kind of install are we doing? install_type=$(whiptail --title "$whiptail_title" --radiolist \ - "Choose install type. See https://docs.securityonion.net/architecture for details." 13 65 5 \ + "Choose install type. \nSee https://docs.securityonion.net/architecture for details." 13 65 5 \ "EVAL" "Evaluation mode (not for production) " ON \ "STANDALONE" "Standalone production install " OFF \ "DISTRIBUTED" "Distributed install submenu " OFF \ From 3cd1b5687e9bdd4b701156b50c0f80edef1fade2 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 12 Nov 2021 12:06:39 -0500 Subject: [PATCH 4/9] Make pivot condition independent for ENDGAMEHOST --- salt/soc/files/soc/menu.actions.json | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/salt/soc/files/soc/menu.actions.json b/salt/soc/files/soc/menu.actions.json index 0c144c3cb..b088780f8 100644 --- a/salt/soc/files/soc/menu.actions.json +++ b/salt/soc/files/soc/menu.actions.json 
@@ -1,4 +1,4 @@ -{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} +{%- set ENDGAMEHOST = salt['pillar.get']('soc:endgamehost', False) %} [ { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "", "links": [ @@ -31,11 +31,10 @@ "links": [ "https://www.virustotal.com/gui/search/{value}" ]} - {%- if HIGHLANDER %} - {%- set EGHOST = salt['pillar.get']('soc:endgamehost', 'EGHOSTNOTPOPULATED') %} + {%- if ENDGAMEGHOST %} ,{ "name": "Endgame", "description": "Endgame Endpoint Investigation and Response", "icon": "fa-external-link-alt", "target": "_blank", "links": [ - "https://{{ EGHOST }}/endpoints/{:agent.id}" + "https://{{ ENDGAMEHOST }}/endpoints/{:agent.id}" ]} {% endif %} ] From df5901a65d0da065af2ecee857c5967a2a922046 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 12 Nov 2021 12:16:26 -0500 Subject: [PATCH 5/9] Adjust how manager pillar is populated for ENDGAME and default SOC config --- setup/so-functions | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 3f48cbd78..142bb070f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1637,12 +1637,13 @@ manager_pillar() { printf '%s\n'\ " kratoskey: '$KRATOSKEY'"\ "" >> "$pillar_file" - + printf '%s\n'\ + "soc:"\ + " es_index_patterns: '*:so-*,*:endgame-*'"\ + "" >> "$pillar_file" if [[ -n $ENDGAMEHOST ]]; then printf '%s\n'\ - "soc:"\ " endgamehost: '$ENDGAMEHOST'"\ - " es_index_patterns: '*:so-*,*:endgame-*'"\ "" >> "$pillar_file" fi } From bc2e470da974d8f99b80ceedc9b2a8d649ed3d6b Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 12 Nov 2021 12:20:00 -0500 Subject: [PATCH 6/9] Fix indentation --- setup/so-functions | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 142bb070f..6368e0287 100755 --- a/setup/so-functions +++ b/setup/so-functions 
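Review bot: `{%- if ENDGAMEGHOST %}` in the second hunk tests a name that is never set; the first hunk defines `ENDGAMEHOST`. Depending on how the renderer treats undefined names this either silently drops the Endgame entry or fails to render the whole menu file, so the condition should read `{%- if ENDGAMEHOST %}`. A render check of this file with `soc:endgamehost` set and unset would catch this, since the Jinja-in-JSON layout means a plain JSON check cannot.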
@@ -1638,9 +1638,9 @@ manager_pillar() { " kratoskey: '$KRATOSKEY'"\ "" >> "$pillar_file" printf '%s\n'\ - "soc:"\ - " es_index_patterns: '*:so-*,*:endgame-*'"\ - "" >> "$pillar_file" + "soc:"\ + " es_index_patterns: '*:so-*,*:endgame-*'"\ + "" >> "$pillar_file" if [[ -n $ENDGAMEHOST ]]; then printf '%s\n'\ " endgamehost: '$ENDGAMEHOST'"\ From 9141c271f05c1375a7a5fb3ba1eef5bb920c5312 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 12 Nov 2021 12:25:32 -0500 Subject: [PATCH 7/9] Fix indent --- setup/so-functions | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 6368e0287..3bff5d542 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1637,14 +1637,14 @@ manager_pillar() { printf '%s\n'\ " kratoskey: '$KRATOSKEY'"\ "" >> "$pillar_file" - printf '%s\n'\ + printf '%s\n'\ "soc:"\ " es_index_patterns: '*:so-*,*:endgame-*'"\ - "" >> "$pillar_file" - if [[ -n $ENDGAMEHOST ]]; then - printf '%s\n'\ - " endgamehost: '$ENDGAMEHOST'"\ - "" >> "$pillar_file" + "" >> "$pillar_file" + if [[ -n $ENDGAMEHOST ]]; then + printf '%s\n'\ + " endgamehost: '$ENDGAMEHOST'"\ + "" >> "$pillar_file" fi } From 48c71c8b12dddac8fe7a6343c23216cf632913e9 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 12 Nov 2021 18:23:09 +0000 Subject: [PATCH 8/9] Add soc pillar entry --- salt/common/tools/sbin/soup | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index e267ab55a..a4b30f996 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -680,6 +680,11 @@ up_2.3.80_to_2.3.90() { INSTALLEDVERSION=2.3.90 + for i in manager eval standalone; do + echo "soc:" >> /opt/so/saltstack/local/pillar/minions/*$i*.sls + sed -i "/^soc:/a \\ es_index_patterns: '*:so-*,*:endgame-*'" /opt/so/saltstack/local/pillar/minions/*$i*.sls + done + } verify_upgradespace() { From 2fb9196604d04bcaacd589bbc55b98504334fc6e Mon Sep 17 00:00:00 2001 
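Review bot: The redirect targets in the new loop are globs, `>> /opt/so/saltstack/local/pillar/minions/*$i*.sls`; bash leaves a non-matching glob literal in a redirection, so on a node where no `*eval*.sls` exists the `echo` creates a file literally named `*eval*.sls` in the pillar directory (unless nullglob or failglob is set) and `sed -i` then edits that junk file. A glob that expands to several files is an "ambiguous redirect" error instead. `echo "soc:"` is also appended unconditionally, so a minion pillar that already carries a `soc:` key (managers installed with ENDGAMEHOST wrote one via manager_pillar, per the removed lines in patch 5, if that is the same file) ends up with two top-level `soc:` keys, and the `/^soc:/a` sed then inserts `es_index_patterns` after each of them. Iterate over the files the glob actually matches and add each key only when it is missing; the same lines are moved unchanged in PATCH 9/9 below, so the fix applies there too. The enclosing function continues outside the hunk.
```shell
  for i in manager eval standalone; do
    for f in /opt/so/saltstack/local/pillar/minions/*"$i"*.sls; do
      [[ -f $f ]] || continue   # glob matched nothing on this node
      grep -q '^soc:' "$f" || echo "soc:" >> "$f"
      grep -q '^ *es_index_patterns:' "$f" || sed -i "/^soc:/a \\ es_index_patterns: '*:so-*,*:endgame-*'" "$f"
    done
  done
```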
From: Wes Lambert Date: Fri, 12 Nov 2021 18:26:21 +0000 Subject: [PATCH 9/9] Move logic above version declaration --- salt/common/tools/sbin/soup | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index a4b30f996..2a664285a 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -677,14 +677,12 @@ up_2.3.5X_to_2.3.80() { } up_2.3.80_to_2.3.90() { - - INSTALLEDVERSION=2.3.90 - for i in manager eval standalone; do - echo "soc:" >> /opt/so/saltstack/local/pillar/minions/*$i*.sls + echo "soc:" >> /opt/so/saltstack/local/pillar/minions/*$i*.sls sed -i "/^soc:/a \\ es_index_patterns: '*:so-*,*:endgame-*'" /opt/so/saltstack/local/pillar/minions/*$i*.sls done - + + INSTALLEDVERSION=2.3.90 } verify_upgradespace() {