diff --git a/VERSION b/VERSION
index 23aa83906..f0bb29e76 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.2.2
+1.3.0
diff --git a/salt/elasticsearch/files/ingest/zeek.dns b/salt/elasticsearch/files/ingest/zeek.dns
index b017699ed..050c6d414 100644
--- a/salt/elasticsearch/files/ingest/zeek.dns
+++ b/salt/elasticsearch/files/ingest/zeek.dns
@@ -23,7 +23,7 @@
 { "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } },
 { "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } },
 { "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } },
- { "pipeline": { "if": "ctx.dns.query.type_name != 'NB' && ctx.dns.query.type_name != 'TKEY' && ctx.dns.query.type_name != 'NBSTAT' && ctx.dns.query.type_name != 'PTR'", "name": "zeek.dns.tld"} },
+ { "pipeline": { "if": "ctx.dns.query.name.contains('.')", "name": "zeek.dns.tld"} },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/hive/thehive/etc/application.conf b/salt/hive/thehive/etc/application.conf
index ae588a42d..230d87d67 100644
--- a/salt/hive/thehive/etc/application.conf
+++ b/salt/hive/thehive/etc/application.conf
@@ -23,7 +23,7 @@ search {
 # Number of shards
 nbshards = 5
 # Number of replicas
- nbreplicas = 1
+ nbreplicas = 0
 # Arbitrary settings
 settings {
 # Maximum number of nested fields
diff --git a/salt/hive/thehive/etc/cortex-application.conf b/salt/hive/thehive/etc/cortex-application.conf
index 543a2a3e9..356bfd7b3 100644
--- a/salt/hive/thehive/etc/cortex-application.conf
+++ b/salt/hive/thehive/etc/cortex-application.conf
@@ -22,7 +22,7 @@ search {
 # Number of shards
 nbshards = 5
 # Number of replicas
- nbreplicas = 1
+ nbreplicas = 0
 # Arbitrary settings
 settings {
 # Maximum number of nested fields
diff --git a/salt/hive/thehive/scripts/hive_init b/salt/hive/thehive/scripts/hive_init
index 03b43e74f..b1ef62d68 100755
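Review bot: The new `if` dereferences `ctx.dns.query.name` without a null check, so an event whose `dns.query.name` is missing makes the Painless condition throw, and because this `pipeline` processor carries no `ignore_failure` the whole document is rejected at ingest; the script processor just above guards the same field with `"ignore_failure": true`, and the old `type_name != …` comparisons tolerated null, so this is a regression on exactly the malformed or truncated DNS records an attacker can put on the wire. Use the null-safe form `"if": "ctx.dns?.query?.name != null && ctx.dns.query.name.contains('.')"`. Note also that PTR (and dotted NetBIOS) names were explicitly kept out of `zeek.dns.tld` before and now enter it because reverse-lookup names contain dots; if that is intended the commit message should say so, since the TLD output for `in-addr.arpa` names will change.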
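Review bot: `nbreplicas = 0` leaves TheHive's index with no replica, so losing the single Elasticsearch node holding its primary shards loses the case data; that is a reasonable trade-off for a single-node evaluation box but should be stated in the file rather than left as a bare number. Change the preceding comment to `# Number of replicas (0: no redundancy, single-node deployments only)`; the same applies to the identical change in cortex-application.conf.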
--- a/salt/hive/thehive/scripts/hive_init
+++ b/salt/hive/thehive/scripts/hive_init
@@ -5,7 +5,7 @@
 {%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}
 hive_init(){
- sleep 60
+ sleep 120
 HIVE_IP="{{MASTERIP}}"
 HIVE_USER="{{HIVEUSER}}"
 HIVE_PASSWORD="{{HIVEPASSWORD}}"
@@ -16,7 +16,7 @@ hive_init(){
 COUNT=0
 HIVE_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
- curl --output /dev/null --silent --head --fail -k "https://$HIVE_IP:/thehive"
+ curl --output /dev/null --silent --head --fail -k "https://$HIVE_IP/thehive"
 if [ $? -eq 0 ]; then
 HIVE_CONNECTED="yes"
 echo "connected!"
@@ -52,7 +52,7 @@ if [ -f /opt/so/state/thehive.txt ]; then
 exit 0
 else
 rm -f garbage_file
- while ! wget -O garbage_file {{MASTERIP}}:9500 2>/dev/null
+ while ! wget -O garbage_file {{MASTERIP}}:9400 2>/dev/null
 do
 echo "Waiting for Elasticsearch..."
 rm -f garbage_file
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 6193e7343..6b76e622c 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
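Review bot: The corrected probe URL still runs with `-k`, so the certificate presented at `https://$HIVE_IP/thehive` is never verified; for a pure liveness probe that is tolerable, but HIVE_USER and HIVE_PASSWORD are assigned a few lines earlier in this function and are presumably sent to that same endpoint later in hive_init (outside this hunk) — if that request also uses `-k`, anyone on the path can impersonate TheHive and collect the credentials. Setup appears to generate its own CA (`'Generating CA and checking in'` in so-setup), so the probe should use `--cacert` pointing at that CA instead of `-k`, or at minimum carry `# -k: local self-signed cert; liveness probe only, no credentials sent` so the exception is deliberate. The `sleep 60`→`120` and `9500`→`9400` changes in the neighbouring hunks are undocumented magic numbers; naming the service behind port 9400 in a comment would spare the next reader a guess. The `while` loop and the function itself continue beyond the hunk.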
@@ -98,7 +98,7 @@
 { "name": "Connections", "description": "Connections grouped by Service", "query": "event.module:zeek AND event.dataset:conn | groupby network.protocol destination.port"},
 { "name": "Connections", "description": "Connections grouped by destination country", "query": "event.module:zeek AND event.dataset:conn | groupby destination.geo.country_name"},
 { "name": "Connections", "description": "Connections grouped by source country", "query": "event.module:zeek AND event.dataset:conn | groupby source.geo.country_name"},
- { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.module:zeek AND event.dataset:dce_rpc | groupby operation"},
+ { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.module:zeek AND event.dataset:dce_rpc | groupby dce_rpc.operation"},
 { "name": "DHCP", "description": "DHCP leases", "query": "event.module:zeek AND event.dataset:dhcp | groupby host.hostname host.domain dhcp.requested_address"},
 { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.module:zeek AND event.dataset:dhcp | groupby dhcp.message_types"},
 { "name": "DNP3", "description": "DNP3 grouped by reply", "query": "event.module:zeek AND event.dataset:dnp3 | groupby dnp3.fc_reply"},
diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index 1f23423ad..d6130abb9 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -43,14 +43,6 @@ ossec:
 # - user: 945
 # - group: 945
-# Add wazuh agent
-wazuhpkgs:
- pkg.installed:
- - skip_suggestions: False
- - pkgs:
- - wazuh-agent: 3.10.2-1
- - update_holds: True
-
 # Add Wazuh agent conf
 wazuhagentconf:
 file.managed:
diff --git a/setup/so-functions b/setup/so-functions
index 69b282961..a20953035 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -553,6 +553,7 @@ disable_onion_user() {
 }
 disable_misc_network_features() {
+ filter_unused_nics
 if [ ${#filtered_nics[@]} -ne 0 ]; then
 for unused_nic in "${filtered_nics[@]}"; do
 # Disable DHCPv4/v6 and autoconnect
@@ -1065,7 +1066,7 @@ saltify() {
 openssl\
 jq;
 yum -y update exclude=salt*;
- systemctl enable salt-minion
+ systemctl enable salt-minion;
 } >> "$setup_log" 2>&1
 echo "exclude=salt*" >> /etc/yum.conf
 else
@@ -1131,8 +1132,7 @@ saltify() {
 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1
 echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list >> "$setup_log" 2>&1
 echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list >> "$setup_log" 2>&1
- apt-mark hold wazuh-agent >> "$setup_log" 2>&1
- ;;
+ ;;
 esac
 apt-get update >> "$setup_log" 2>&1
 set_progress_str 8 'Installing salt-minion & python modules'
@@ -1212,12 +1212,10 @@ setup_salt_master_dirs() {
 }
 set_progress_str() {
- local percentage_input
- percentage_input=$1
- local progress_bar_text
- progress_bar_text=$2
+ local percentage_input=$1
+ local progress_bar_text=$2
- if [ "$percentage_input" -gt "$percentage" ]; then
+ if (( "$percentage_input" >= "$percentage" )); then
 percentage="$percentage_input"
 fi
@@ -1225,7 +1223,10 @@ set_progress_str() {
 echo -e "$percentage_str"
- printf '%s\n' '----' "${progress_bar_text^^}" "----" >> "$setup_log" 2>&1
+ printf '%s\n' \
+ '----'\
+ "$percentage% - ${progress_bar_text^^}"\
+ "----" >> "$setup_log" 2>&1
 sleep 5
 }
diff --git a/setup/so-setup b/setup/so-setup
index 39fcae904..efbccb93e 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -250,112 +250,114 @@ if [[ "$setup_type" == 'iso' ]]; then
 disable_onion_user
 fi
-set_hostname 2>> "$setup_log"
-set_version 2>> "$setup_log"
-clear_master 2>> "$setup_log"
+set_hostname >> $setup_log 2>&1
+set_version >> $setup_log 2>&1
+clear_master >> $setup_log 2>&1
 if [[ $is_master ]]; then
- generate_passwords 2>> "$setup_log"
- secrets_pillar 2>> "$setup_log"
- add_socore_user_master 2>> "$setup_log"
+ generate_passwords >> $setup_log 2>&1
+ secrets_pillar >> $setup_log 2>&1
+ add_socore_user_master >> $setup_log 2>&1
 fi
 if [[ $is_master && ! $is_eval ]]; then
- add_soremote_user_master 2>> "$setup_log"
+ add_soremote_user_master >> $setup_log 2>&1
 fi
-set_main_ip 2>> "$setup_log"
+set_main_ip >> $setup_log 2>&1
 if [[ $is_minion ]]; then
- set_updates 2>> "$setup_log"
- copy_ssh_key 2>> "$setup_log"
+ set_updates >> $setup_log 2>&1
+ copy_ssh_key >> $setup_log 2>&1
 fi
 # Begin install
-
-# Set initial percentage to 0
-export percentage=0
 {
+ # Set initial percentage to 0
+ export percentage=0
+
+ set_progress_str 1 'Updating packages'
+ update_packages >> $setup_log 2>&1
 if [[ $is_sensor || $is_helix ]]; then
- set_progress_str 1 'Creating bond interface'
- create_sensor_bond >> "$setup_log" 2>&1
+ set_progress_str 2 'Creating bond interface'
+ create_sensor_bond >> $setup_log 2>&1
- set_progress_str 2 'Generating sensor pillar'
- sensor_pillar >> "$setup_log" 2>&1
+ set_progress_str 3 'Generating sensor pillar'
+ sensor_pillar >> $setup_log 2>&1
 fi
 if [[ $is_minion ]]; then
- set_progress_str 3 'Configuring firewall'
- set_initial_firewall_policy 2>> "$setup_log"
+ set_progress_str 4 'Configuring firewall'
+ set_initial_firewall_policy >> $setup_log 2>&1
 fi
- set_progress_str 4 'Installing Salt and dependencies'
- saltify 2>> "$setup_log"
+ set_progress_str 5 'Installing Salt and dependencies'
+ saltify 2>> $setup_log
 set_progress_str 7 'Installing Docker and dependencies'
- docker_install 2>> "$setup_log"
+ docker_install >> $setup_log 2>&1
set_progress_str 8 'Generating patch pillar'
- patch_pillar 2>> "$setup_log"
+ patch_pillar >> $setup_log 2>&1
 set_progress_str 9 'Initializing Salt minion'
- configure_minion "$minion_type" 2>> "$setup_log"
+ configure_minion "$minion_type" >> $setup_log 2>&1
 if [[ $is_master || $is_helix ]]; then
 set_progress_str 10 'Configuring Salt master'
- copy_master_config 2>> "$setup_log"
- setup_salt_master_dirs 2>> "$setup_log"
- firewall_generate_templates 2>> "$setup_log"
+ copy_master_config >> $setup_log 2>&1
+ setup_salt_master_dirs >> $setup_log 2>&1
+ firewall_generate_templates >> $setup_log 2>&1
 set_progress_str 11 'Updating sudoers file for soremote user'
- update_sudoers 2>> "$setup_log"
+ update_sudoers >> $setup_log 2>&1
 set_progress_str 12 'Generating master static pillar'
- master_static 2>> "$setup_log"
+ master_static >> $setup_log 2>&1
 set_progress_str 13 'Generating master pillar'
- master_pillar 2>> "$setup_log"
+ master_pillar >> $setup_log 2>&1
 fi
 set_progress_str 16 'Running first Salt checkin'
- salt_firstcheckin 2>> "$setup_log"
+ salt_firstcheckin >> $setup_log 2>&1
 if [[ $is_helix ]]; then
 set_progress_str 17 'Generating the FireEye pillar'
- fireeye_pillar 2>> "$setup_log"
+ fireeye_pillar >> $setup_log 2>&1
 fi
 if [[ $is_node ]]; then
 set_progress_str 18 'Setting node type'
- set_node_type 2>> "$setup_log"
+ set_node_type >> $setup_log 2>&1
 set_progress_str 19 'Generating search node pillar'
- node_pillar 2>> "$setup_log"
+ node_pillar >> $setup_log 2>&1
 fi
 if [[ $is_minion ]]; then
 set_progress_str 20 'Accepting Salt key on master'
- accept_salt_key_remote 2>> "$setup_log"
+ accept_salt_key_remote >> $setup_log 2>&1
 fi
 if [[ $is_master ]]; then
 set_progress_str 20 'Accepting Salt key'
- salt-key -ya "$MINION_ID" >> "$setup_log" 2>&1
+ salt-key -ya "$MINION_ID" >> $setup_log 2>&1
 fi
 set_progress_str 21 'Copying minion pillars to master'
- copy_minion_tmp_files 2>> "$setup_log"
+ copy_minion_tmp_files >> $setup_log 2>&1
 set_progress_str 22
'Generating CA and checking in'
- salt_checkin 2>> "$setup_log"
+ salt_checkin >> $setup_log 2>&1
 if [[ $is_master || $is_helix ]]; then
 set_progress_str 25 'Configuring firewall'
- set_initial_firewall_policy 2>> "$setup_log"
+ set_initial_firewall_policy >> $setup_log 2>&1
 if [[ "$setup_type" == 'iso' ]]; then
 set_progress_str 26 'Copying containers from iso'
@@ -363,8 +365,8 @@ export percentage=0
 set_progress_str 26 'Downloading containers from the internet'
 fi
- salt-call state.apply -l info registry >> "$setup_log" 2>&1
- docker_seed_registry 2>> "$setup_log" # ~ 60% when finished
+ salt-call state.apply -l info registry >> $setup_log 2>&1
+ docker_seed_registry 2>> "$setup_log" # ~ 60% when finished
 set_progress_str 61 "$(print_salt_state_apply 'master')"
 salt-call state.apply -l info master >> $setup_log 2>&1
@@ -380,6 +382,9 @@ export percentage=0
 set_progress_str 63 "$(print_salt_state_apply 'common')"
 salt-call state.apply -l info common >> $setup_log 2>&1
+ set_progress_str 64 "$(print_salt_state_apply 'nginx')"
+ salt-call state.apply -l info nginx >> $setup_log 2>&1
+
 if [[ $is_master || $is_node ]]; then
 set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')"
 salt-call state.apply -l info elasticsearch >> $setup_log 2>&1
@@ -403,7 +408,7 @@ export percentage=0
 if [[ $is_master ]]; then
 set_progress_str 69 "$(print_salt_state_apply 'soc')"
- salt-call state.apply -l info soc >> "$setup_log" 2>&1
+ salt-call state.apply -l info soc >> $setup_log 2>&1
 set_progress_str 70 "$(print_salt_state_apply 'kibana')"
 salt-call state.apply -l info kibana >> $setup_log 2>&1
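Review bot: Every redirection rewritten in this hunk drops the quotes around the log path (`>> $setup_log 2>&1`), while `docker_seed_registry 2>> "$setup_log"` just below and the new Wazuh install lines later in the file keep them; an unquoted `$setup_log` is subject to word splitting and globbing, so a log location containing a space would silently send output somewhere else (shellcheck SC2086). Restore `>> "$setup_log" 2>&1` on each rewritten line. `saltify 2>> $setup_log` is also now the only step whose stdout still reaches the terminal instead of the log; if that is deliberate, mark it with a trailing `# stdout intentionally left on the console`, otherwise make it `saltify >> "$setup_log" 2>&1` like its neighbours. Moving `update_packages` to 1% means the full package update now runs before `saltify` installs Salt; that ordering looks intentional but deserves a one-line comment, since the removal of the old 86% call sits in a separate hunk.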
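Review bot: The new nginx step passes progress value 64, the same value the elasticsearch step right below it (context in this hunk) passes; `set_progress_str` now accepts `>=` so nothing breaks, but the setup log will carry two consecutive `64% -` banners for different states and the bar will not move between them. Give nginx its own slot, for example by moving the elasticsearch call to 65, so the sequence stays strictly increasing.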
@@ -424,6 +429,13 @@ export percentage=0
 fi
 if [[ "$WAZUH" = 1 ]]; then
+ if [ $OS = 'centos' ]; then
+ yum -y install wazuh-agent-3.10.2-1 >> "$setup_log" 2>&1
+ echo "exclude=wazuh-agent" >> /etc/yum.repos.d/wazuh.repo
+ else
+ apt-get -y install wazuh-agent=3.10.2-1 >> "$setup_log" 2>&1
+ apt-mark hold wazuh-agent >> "$setup_log" 2>&1
+ fi
 set_progress_str 75 "$(print_salt_state_apply 'wazuh')"
 salt-call state.apply -l info wazuh >> $setup_log 2>&1
 fi
@@ -462,19 +474,16 @@ export percentage=0
 fi
 set_progress_str 85 'Applying finishing touches'
- filter_unused_nics 2>> "$setup_log"
- network_setup 2>> "$setup_log"
-
- set_progress_str 86 'Updating packages'
- update_packages 2>> "$setup_log"
+ filter_unused_nics >> $setup_log 2>&1
+ network_setup >> $setup_log 2>&1
 if [[ $is_master ]]; then
 set_progress_str 87 'Adding user to SOC'
- add_web_user 2>> "$setup_log"
+ add_web_user >> $setup_log 2>&1
 fi
 set_progress_str 90 'Enabling checkin at boot'
- checkin_at_boot 2>> "$setup_log"
+ checkin_at_boot >> $setup_log 2>&1
 set_progress_str 95 'Verifying setup'
 salt-call -l info state.highstate >> $setup_log 2>&1
diff --git a/setup/yum_repos/wazuh.repo b/setup/yum_repos/wazuh.repo
index 1f75912ca..70d23ccdd 100644
--- a/setup/yum_repos/wazuh.repo
+++ b/setup/yum_repos/wazuh.repo
@@ -4,5 +4,4 @@ gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
 enabled=1
 name=Wazuh repository
 baseurl=https://packages.wazuh.com/3.x/yum/
-protect=1
-exclude=wazuh-agent
\ No newline at end of file
+protect=1
\ No newline at end of file
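Review bot: The CentOS branch appends `exclude=wazuh-agent` with `echo >>`, but the repo template changed in this same diff (setup/yum_repos/wazuh.repo) now ends at `protect=1` with no trailing newline; if that template is what gets installed as /etc/yum.repos.d/wazuh.repo, the append yields the single line `protect=1exclude=wazuh-agent`, neither option takes effect, and a later `yum update` can move the agent off 3.10.2-1. Use `printf '\nexclude=wazuh-agent\n' >> /etc/yum.repos.d/wazuh.repo` so the pin survives either way. Neither install line checks its exit status, and since this commit also drops the `pkg.installed` state from salt/wazuh/init.sls nothing later will notice a missing agent before `salt-call state.apply wazuh` runs; `yum -y install wazuh-agent-3.10.2-1 >> "$setup_log" 2>&1 || exit 1` (and the same on the apt line) keeps a host without an agent from being reported as set up. The version string is now duplicated between the yum and apt lines, so a single `wazuh_agent_version='3.10.2-1'` above the `if` would keep them in step, and `[ "$OS" = 'centos' ]` avoids a test-syntax error (and a silent fall-through to the apt branch) if OS is ever unset.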
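Review bot: The file still ends without a trailing newline (`\ No newline at end of file` after `+protect=1`), and with `exclude=wazuh-agent` removed from the template the only thing pinning the agent on CentOS is the runtime `echo "exclude=wazuh-agent" >>` in so-setup, which would fuse onto `protect=1` if this file is what lands in /etc/yum.repos.d. Add the newline after `protect=1`. `protect=1` is, as far as I know, honoured only by the protectbase yum plugin rather than by core yum, so it should not be relied on as a version pin on its own.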