diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 000000000..76c0577d6
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1,104 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Overview
+
+Security Onion is an open-source network security monitoring (NSM) platform that combines multiple security tools into a unified solution. It's designed for threat hunting, enterprise security monitoring, and log management. The platform integrates tools for intrusion detection, packet capture, log management, and security analytics in a comprehensive security monitoring solution.
+
+## Architecture
+
+Security Onion uses a microservice architecture with containerized components:
+
+- **Deployment Models**:
+ - Standalone: Single all-in-one instance
+ - Distributed: Manager/sensor architecture with multiple node types
+ - Manager: Central management server
+ - Search Nodes: Data storage and search
+ - Sensor Nodes: Network monitoring and data collection
+ - Heavy Nodes: Combined sensor/search capabilities
+ - IDH (Intrusion Deception Host): Honeypot services
+
+- **Core Components**:
+ - Data Collection: Zeek, Suricata, Steno (PCAP), Elastic Agents
+ - Data Processing: Logstash, Kafka, Strelka (file analysis)
+ - Data Storage: Elasticsearch, InfluxDB, Redis
+ - User Interface: Kibana, SOC (custom Security Onion web UI), Kratos/Hydra (auth)
+ - Management: Salt, Docker, Registry, Nginx
+
+## Development Environment
+
+### Prerequisites
+
+- Linux environment (Oracle Linux or compatible)
+- Git
+- Docker and Docker Compose
+- SaltStack
+
+### Testing
+
+Run validation tests:
+```bash
+cd tests
+./validation.sh
+```
+
+Run Python tests (requires Python 3):
+```bash
+./pyci.sh salt/sensoroni/files/analyzers/urlhaus
+```
+
+### Key Files and Directories
+
+- `/salt`: SaltStack states for all components
+- `/setup`: Installation scripts and utilities
+- `/pillar`: SaltStack pillar data (configuration)
+- `/files`: Additional configuration files
+- `/tests`: Test utilities and validation
+
+## Common Tasks
+
+### Testing Salt States
+
+To test a specific Salt state without applying it:
+```bash
+salt-call state.show_sls
+```
+
+To apply a Salt state in test mode:
+```bash
+salt-call state.apply test=True
+```
+
+### Working with Docker Containers
+
+View running containers:
+```bash
+so-status
+```
+
+Access container logs:
+```bash
+docker logs
+```
+
+### Development Workflow
+
+1. Make code changes
+2. Run validation: `./tests/validation.sh`
+3. Run Python tests if applicable: `./pyci.sh `
+
+## Code Conventions
+
+- All Bash scripts should pass ShellCheck analysis
+- YAML (Salt states and pillars) should be properly formatted
+- Python code should pass flake8 checks (configured in pytest.ini)
+- Code should match the pre-existing style of Security Onion
+- All commits must be signed with a valid key
+
+## Important Notes
+
+- Security Onion uses Salt for configuration management
+- Most components run as Docker containers
+- The project follows a distributed architecture with different node types
+- Testing should cover both code functionality and deployment scenarios
\ No newline at end of file
diff --git a/salt/sensor/files/so-combine-bond b/salt/sensor/files/so-combine-bond
new file mode 100644
index 000000000..fdb7dfd4c
--- /dev/null
+++ b/salt/sensor/files/so-combine-bond
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# Script to find all interfaces of bond0 and set channel parameters
+# Compatible with Oracle Linux 9, Ubuntu, and Debian
+
+. /usr/sbin/so-common
+
+{% set NICCHANNELS = salt['pillar.get']('sensor:channels', '1') %}
+
+# Number of channels to set
+CHANNELS={{ NICCHANNELS }}
+
+# Exit on any error
+set -e
+
+# Check if running as root
+if [[ $EUID -ne 0 ]]; then
+ exit 1
+fi
+
+# Check if bond0 exists
+if ! ip link show bond0 &>/dev/null; then
+ exit 1
+fi
+
+# Function to get slave interfaces - works across distributions
+get_bond_slaves() {
+ local bond_name="$1"
+ local slaves=""
+
+ # Method 1: Try /sys/class/net first (most reliable)
+ if [ -f "/sys/class/net/$bond_name/bonding/slaves" ]; then
+ slaves=$(cat "/sys/class/net/$bond_name/bonding/slaves" 2>/dev/null)
+ fi
+
+ # Method 2: Try /proc/net/bonding (older systems)
+ if [ -z "$slaves" ] && [ -f "/proc/net/bonding/$bond_name" ]; then
+ slaves=$(grep "Slave Interface:" "/proc/net/bonding/$bond_name" 2>/dev/null | awk '{print $3}' | tr '\n' ' ')
+ fi
+
+ # Method 3: Parse ip link output (universal fallback)
+ if [ -z "$slaves" ]; then
+ slaves=$(ip -o link show | grep "master $bond_name" | awk -F': ' '{print $2}' | cut -d'@' -f1 | tr '\n' ' ')
+ fi
+
+ echo "$slaves"
+}
+
+# Get slave interfaces
+SLAVES=$(get_bond_slaves bond0)
+
+if [ -z "$SLAVES" ]; then
+ exit 1
+fi
+
+# Process each slave interface
+for interface in $SLAVES; do
+ # Skip if interface doesn't exist
+ if ! ip link show "$interface" &>/dev/null; then
+ continue
+ fi
+
+ # Try combined mode first
+ if ethtool -L "$interface" combined $CHANNELS &>/dev/null; then
+ continue
+ fi
+
+ # Fall back to separate rx/tx
+ ethtool -L "$interface" rx $CHANNELS tx $CHANNELS &>/dev/null || true
+done
+
+exit 0
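Review bot: The pillar value `sensor:channels` is rendered verbatim into `CHANNELS={{ NICCHANNELS }}` with no validation, so anything in that key other than a bare integer is executed as shell by this root-run script and, even when harmless, reaches `ethtool -L` unchecked. Pillar data is admin-controlled, so this is hardening rather than a remote hole, but coercing at render time and checking in bash is two lines: `{% set NICCHANNELS = salt['pillar.get']('sensor:channels', '1') | int %}` (garbage becomes 0) and, right after the assignment, `[[ "$CHANNELS" =~ ^[1-9][0-9]*$ ]] || { echo "so-combine-bond: invalid sensor:channels value '$CHANNELS'" >&2; exit 1; }`. That check would also be the script's only diagnostic — every other failure path (not root, no bond0, no slaves found) is a silent `exit 1`, and the `ethtool` calls discard stderr, so a sensor whose NICs were never tuned leaves no trace in the Salt run; a one-line `>&2` message on each exit would help operators notice. Separately, the Method 3 fallback `grep "master $bond_name"` also matches any bond whose name merely starts with bond0 (e.g. bond01); `grep -w "master $bond_name"` restricts it to the exact name.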