Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion-saltstack into dev

VERSION

@@ -1 +1 @@
-1.2.2
+1.3.0

salt/elasticsearch/files/ingest/zeek.dns

@@ -23,7 +23,7 @@
     { "rename": 	{ "field": "message2.TTLs", 		"target_field": "dns.ttls",			"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.rejected", 	"target_field": "dns.query.rejected",		"ignore_missing": true 	} },
     { "script": 	{ "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()",	"ignore_failure": true  } },
-    { "pipeline":       { "if": "ctx.dns.query.type_name != 'NB' && ctx.dns.query.type_name != 'TKEY' && ctx.dns.query.type_name != 'NBSTAT' && ctx.dns.query.type_name != 'PTR'", "name": "zeek.dns.tld"} },
+    { "pipeline": { "if": "ctx.dns.query.name.contains('.')", "name": "zeek.dns.tld"} },
     { "pipeline":       { "name": "zeek.common"											} }
   ]
 }

salt/hive/thehive/etc/application.conf

@@ -23,7 +23,7 @@ search {
  # Number of shards
  nbshards = 5
  # Number of replicas
- nbreplicas = 1
+ nbreplicas = 0
  # Arbitrary settings
  settings {
    # Maximum number of nested fields

salt/hive/thehive/etc/cortex-application.conf

@@ -22,7 +22,7 @@ search {
  # Number of shards
  nbshards = 5
  # Number of replicas
- nbreplicas = 1
+ nbreplicas = 0
  # Arbitrary settings
  settings {
    # Maximum number of nested fields

salt/hive/thehive/scripts/hive_init

@@ -5,7 +5,7 @@
 {%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}
 
 hive_init(){
-    sleep 60
+    sleep 120
     HIVE_IP="{{MASTERIP}}"
     HIVE_USER="{{HIVEUSER}}"
     HIVE_PASSWORD="{{HIVEPASSWORD}}"
@@ -16,7 +16,7 @@ hive_init(){
     COUNT=0
     HIVE_CONNECTED="no"
     while [[ "$COUNT" -le 240 ]]; do
-        curl --output /dev/null --silent --head --fail -k "https://$HIVE_IP:/thehive"
+        curl --output /dev/null --silent --head --fail -k "https://$HIVE_IP/thehive"
             if [ $? -eq 0 ]; then
                 HIVE_CONNECTED="yes"
                 echo "connected!"
@@ -52,7 +52,7 @@ if [ -f /opt/so/state/thehive.txt ]; then
     exit 0
 else
     rm -f garbage_file
-    while ! wget -O garbage_file {{MASTERIP}}:9500 2>/dev/null
+    while ! wget -O garbage_file {{MASTERIP}}:9400 2>/dev/null
     do
       echo "Waiting for Elasticsearch..."
       rm -f garbage_file

salt/soc/files/soc/soc.json

@@ -98,7 +98,7 @@
           { "name": "Connections", "description": "Connections grouped by Service", "query": "event.module:zeek AND event.dataset:conn | groupby network.protocol destination.port"},
           { "name": "Connections", "description": "Connections grouped by destination country", "query": "event.module:zeek AND event.dataset:conn | groupby destination.geo.country_name"},
           { "name": "Connections", "description": "Connections grouped by source country", "query": "event.module:zeek AND event.dataset:conn | groupby source.geo.country_name"},
-          { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.module:zeek AND event.dataset:dce_rpc | groupby operation"},
+          { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.module:zeek AND event.dataset:dce_rpc | groupby dce_rpc.operation"},
           { "name": "DHCP", "description": "DHCP leases", "query": "event.module:zeek AND event.dataset:dhcp | groupby host.hostname host.domain dhcp.requested_address"},
           { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.module:zeek AND event.dataset:dhcp | groupby dhcp.message_types"},
           { "name": "DNP3", "description": "DNP3 grouped by reply", "query": "event.module:zeek AND event.dataset:dnp3 | groupby dnp3.fc_reply"},

salt/wazuh/init.sls

@@ -43,14 +43,6 @@ ossec:
 #    - user: 945
 #    - group: 945
 
-# Add wazuh agent
-wazuhpkgs:
-  pkg.installed:
-    - skip_suggestions: False
-    - pkgs:
-      - wazuh-agent: 3.10.2-1
-    - update_holds: True
-
 # Add Wazuh agent conf
 wazuhagentconf:
   file.managed:

setup/so-functions

@@ -553,6 +553,7 @@ disable_onion_user() {
 }
 
 disable_misc_network_features() {
+	filter_unused_nics
 	if [ ${#filtered_nics[@]} -ne 0 ]; then
 		for unused_nic in "${filtered_nics[@]}"; do
 			# Disable DHCPv4/v6 and autoconnect
@@ -1065,7 +1066,7 @@ saltify() {
 				openssl\
 				jq;
 			yum -y update exclude=salt*;
-			systemctl enable salt-minion
+			systemctl enable salt-minion;
 		} >> "$setup_log" 2>&1
 		echo "exclude=salt*" >> /etc/yum.conf
 	else
@@ -1131,7 +1132,6 @@ saltify() {
 				apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1
 				echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list >> "$setup_log" 2>&1
 				echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list >> "$setup_log" 2>&1
-                apt-mark hold wazuh-agent >> "$setup_log" 2>&1
                 ;;
 		esac
 		apt-get update >> "$setup_log" 2>&1
@@ -1212,12 +1212,10 @@ setup_salt_master_dirs() {
 }
 
 set_progress_str() {
-	local percentage_input
+	local percentage_input=$1
-	percentage_input=$1
+	local progress_bar_text=$2
-	local progress_bar_text
-	progress_bar_text=$2
 
-	if [ "$percentage_input" -gt "$percentage" ]; then
+	if (( "$percentage_input" >= "$percentage" )); then
 		percentage="$percentage_input"
 	fi
 
@@ -1225,7 +1223,10 @@ set_progress_str() {
 
 	echo -e "$percentage_str"
 
-	printf '%s\n' '----' "${progress_bar_text^^}" "----" >> "$setup_log" 2>&1
+	printf '%s\n' \
+	'----'\
+	"$percentage% - ${progress_bar_text^^}"\
+	"----" >> "$setup_log" 2>&1
 	
 	sleep 5
 }

setup/so-setup

@@ -250,112 +250,114 @@ if [[ "$setup_type" == 'iso' ]]; then
 	disable_onion_user
 fi
 
-set_hostname 2>> "$setup_log"
+set_hostname >> $setup_log 2>&1
-set_version 2>> "$setup_log"
+set_version >> $setup_log 2>&1
-clear_master 2>> "$setup_log"
+clear_master >> $setup_log 2>&1
 
 if [[ $is_master ]]; then
-	generate_passwords 2>> "$setup_log"
+	generate_passwords >> $setup_log 2>&1
-	secrets_pillar 2>> "$setup_log"
+	secrets_pillar >> $setup_log 2>&1
-	add_socore_user_master 2>> "$setup_log"
+	add_socore_user_master >> $setup_log 2>&1
 fi
 
 if [[ $is_master && ! $is_eval ]]; then
-	add_soremote_user_master 2>> "$setup_log"
+	add_soremote_user_master >> $setup_log 2>&1
 fi
 
-set_main_ip 2>> "$setup_log"
+set_main_ip >> $setup_log 2>&1
 
 if [[ $is_minion ]]; then
-	set_updates 2>> "$setup_log"
+	set_updates >> $setup_log 2>&1
-	copy_ssh_key 2>> "$setup_log"
+	copy_ssh_key >> $setup_log 2>&1
 fi
 
 # Begin install
-
+{
 	# Set initial percentage to 0
 	export percentage=0
-{
+
+	set_progress_str 1 'Updating packages'
+	update_packages >> $setup_log 2>&1
 
 	if [[ $is_sensor || $is_helix ]]; then
-		set_progress_str 1 'Creating bond interface'
+		set_progress_str 2 'Creating bond interface'
-		create_sensor_bond >> "$setup_log" 2>&1
+		create_sensor_bond >> $setup_log 2>&1
 		
-		set_progress_str 2 'Generating sensor pillar'
+		set_progress_str 3 'Generating sensor pillar'
-		sensor_pillar >> "$setup_log" 2>&1
+		sensor_pillar >> $setup_log 2>&1
 	fi
 
 	if [[ $is_minion ]]; then
-		set_progress_str 3 'Configuring firewall'
+		set_progress_str 4 'Configuring firewall'
-		set_initial_firewall_policy 2>> "$setup_log"
+		set_initial_firewall_policy >> $setup_log 2>&1
 	fi
 
-	set_progress_str 4 'Installing Salt and dependencies'
+	set_progress_str 5 'Installing Salt and dependencies'
-	saltify 2>> "$setup_log"
+	saltify 2>> $setup_log
 
 	set_progress_str 7 'Installing Docker and dependencies'
-	docker_install 2>> "$setup_log"
+	docker_install >> $setup_log 2>&1
 	
 	set_progress_str 8 'Generating patch pillar'
-	patch_pillar 2>> "$setup_log"
+	patch_pillar >> $setup_log 2>&1
 
 	set_progress_str 9 'Initializing Salt minion'
-	configure_minion "$minion_type" 2>> "$setup_log"
+	configure_minion "$minion_type" >> $setup_log 2>&1
 
 
 	if [[ $is_master || $is_helix ]]; then
 		set_progress_str 10 'Configuring Salt master'
-		copy_master_config 2>> "$setup_log"
+		copy_master_config >> $setup_log 2>&1
-		setup_salt_master_dirs 2>> "$setup_log"
+		setup_salt_master_dirs >> $setup_log 2>&1
-		firewall_generate_templates 2>> "$setup_log"
+		firewall_generate_templates >> $setup_log 2>&1
 		
 		set_progress_str 11 'Updating sudoers file for soremote user'
-		update_sudoers 2>> "$setup_log"
+		update_sudoers >> $setup_log 2>&1
 		
 		set_progress_str 12 'Generating master static pillar'
-		master_static 2>> "$setup_log"
+		master_static >> $setup_log 2>&1
 		
 		set_progress_str 13 'Generating master pillar'
-		master_pillar 2>> "$setup_log"
+		master_pillar >> $setup_log 2>&1
 	fi
 
 
 	set_progress_str 16 'Running first Salt checkin'
-	salt_firstcheckin 2>> "$setup_log"
+	salt_firstcheckin >> $setup_log 2>&1
 
 	if [[ $is_helix ]]; then
 		set_progress_str 17 'Generating the FireEye pillar'
-		fireeye_pillar 2>> "$setup_log"
+		fireeye_pillar >> $setup_log 2>&1
 	fi
 	
 	if [[ $is_node ]]; then
 		set_progress_str 18 'Setting node type'
-		set_node_type 2>> "$setup_log"
+		set_node_type >> $setup_log 2>&1
 
 		set_progress_str 19 'Generating search node pillar'
-		node_pillar 2>> "$setup_log"
+		node_pillar >> $setup_log 2>&1
 	fi
 
 	if [[ $is_minion ]]; then
 		set_progress_str 20 'Accepting Salt key on master'
-		accept_salt_key_remote 2>> "$setup_log"
+		accept_salt_key_remote >> $setup_log 2>&1
 	fi
 
 	if [[ $is_master ]]; then
 		set_progress_str 20 'Accepting Salt key'
-		salt-key -ya "$MINION_ID" >> "$setup_log" 2>&1
+		salt-key -ya "$MINION_ID" >> $setup_log 2>&1
 	fi
 
 	set_progress_str 21 'Copying minion pillars to master'
-	copy_minion_tmp_files 2>> "$setup_log"
+	copy_minion_tmp_files >> $setup_log 2>&1
 
 	set_progress_str 22 'Generating CA and checking in'
-	salt_checkin 2>> "$setup_log"
+	salt_checkin >> $setup_log 2>&1
 
 	
 	if [[ $is_master || $is_helix ]]; then
 		set_progress_str 25 'Configuring firewall'
-		set_initial_firewall_policy 2>> "$setup_log"
+		set_initial_firewall_policy >> $setup_log 2>&1
 		
 		if [[ "$setup_type" == 'iso' ]]; then
 			set_progress_str 26 'Copying containers from iso'
@@ -363,7 +365,7 @@ export percentage=0
 			set_progress_str 26 'Downloading containers from the internet'
 		fi
 
-		salt-call state.apply -l info registry >> "$setup_log" 2>&1
+		salt-call state.apply -l info registry >> $setup_log 2>&1
 		docker_seed_registry  2>> "$setup_log" # ~ 60% when finished
 		
 		set_progress_str 61 "$(print_salt_state_apply 'master')"
@@ -380,6 +382,9 @@ export percentage=0
 	set_progress_str 63 "$(print_salt_state_apply 'common')"
 	salt-call state.apply -l info common >> $setup_log 2>&1
 
+	set_progress_str 64 "$(print_salt_state_apply 'nginx')"
+	salt-call state.apply -l info nginx >> $setup_log 2>&1
+
 	if [[ $is_master || $is_node ]]; then
 		set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')"
 		salt-call state.apply -l info elasticsearch >> $setup_log 2>&1
@@ -403,7 +408,7 @@ export percentage=0
 
 	if [[ $is_master ]]; then
 		set_progress_str 69 "$(print_salt_state_apply 'soc')"
-		salt-call state.apply -l info soc >> "$setup_log" 2>&1
+		salt-call state.apply -l info soc >> $setup_log 2>&1
 
 		set_progress_str 70 "$(print_salt_state_apply 'kibana')"
 		salt-call state.apply -l info kibana >> $setup_log 2>&1
@@ -424,6 +429,13 @@ export percentage=0
 	fi
 
 	if [[ "$WAZUH" = 1 ]]; then
+		if [ $OS = 'centos' ]; then
+			yum -y install wazuh-agent-3.10.2-1 >> "$setup_log" 2>&1
+			echo "exclude=wazuh-agent" >> /etc/yum.repos.d/wazuh.repo
+		else
+			apt-get -y install wazuh-agent=3.10.2-1 >> "$setup_log" 2>&1
+			apt-mark hold wazuh-agent >> "$setup_log" 2>&1
+		fi
 		set_progress_str 75 "$(print_salt_state_apply 'wazuh')"
 		salt-call state.apply -l info wazuh >> $setup_log 2>&1
 	fi
@@ -462,19 +474,16 @@ export percentage=0
 	fi
 
 	set_progress_str 85 'Applying finishing touches'
-	filter_unused_nics 2>> "$setup_log"
+	filter_unused_nics >> $setup_log 2>&1
-	network_setup 2>> "$setup_log"
+	network_setup >> $setup_log 2>&1
-
-	set_progress_str 86 'Updating packages'
-	update_packages 2>> "$setup_log"
 
 	if [[ $is_master ]]; then
 		set_progress_str 87 'Adding user to SOC'
-		add_web_user 2>> "$setup_log"
+		add_web_user >> $setup_log 2>&1
 	fi
 
 	set_progress_str 90 'Enabling checkin at boot'
-	checkin_at_boot 2>> "$setup_log"
+	checkin_at_boot >> $setup_log 2>&1
 
 	set_progress_str 95 'Verifying setup'
 	salt-call -l info  state.highstate >> $setup_log 2>&1

setup/yum_repos/wazuh.repo

@@ -5,4 +5,3 @@ enabled=1
 name=Wazuh repository
 baseurl=https://packages.wazuh.com/3.x/yum/
 protect=1
-exclude=wazuh-agent