CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #337 from Security-Onion-Solutions/dev

Browse Source 
1.1.4
This commit is contained in:
Doug Burks
2020-02-12 09:55:34 -05:00
committed by GitHub
parent 72c84f7e25 e656e5af45
commit d3826bc605
363 changed files with 18839 additions and 3616 deletions
Download Patch File Download Diff File Expand all files Collapse all files

205
pillar/docker/config.sls Normal file
View File

@@ -0,0 +1,205 @@
{% set OSQUERY = salt['pillar.get']('master:osquery', '0') %}
{% set WAZUH = salt['pillar.get']('master:wazuh', '0') %}
{% set THEHIVE = salt['pillar.get']('master:thehive', '0') %}
{% set PLAYBOOK = salt['pillar.get']('master:playbook', '0') %}
{% set FREQSERVER = salt['pillar.get']('master:freq', '0') %}
{% set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') %}
{% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
eval:
containers:
- so-core
- so-telegraf
{% if GRAFANA == '1' %}
- so-influxdb
- so-grafana
{% endif %}
- so-dockerregistry
- so-sensoroni
- so-idstools
- so-auth-api
- so-auth-ui
{% if OSQUERY != '0' %}
- so-mysql
- so-fleet
- so-redis
{% endif %}
- so-elasticsearch
- so-logstash
- so-kibana
- so-steno
- so-suricata
- so-zeek
- so-curator
- so-elastalert
{% if WAZUH != '0' %}
- so-wazuh
{% endif %}
- so-soctopus
{% if THEHIVE != '0' %}
- so-thehive
- so-thehive-es
- so-cortex
{% endif %}
{% if PLAYBOOK != '0' %}
- so-playbook
- so-navigator
{% endif %}
{% if FREQSERVER != '0' %}
- so-freqserver
{% endif %}
{% if DOMAINSTATS != '0' %}
- so-domainstats
{% endif %}
heavy_node:
containers:
- so-core
- so-telegraf
- so-redis
- so-logstash
- so-elasticsearch
- so-curator
- so-steno
- so-suricata
- so-wazuh
- so-filebeat
{% if BROVER != 'SURICATA' %}
- so-zeek
{% endif %}
helix:
containers:
- so-core
- so-telegraf
- so-idstools
- so-steno
- so-zeek
- so-redis
- so-logstash
- so-filebeat
hot_node:
containers:
- so-core
- so-telegraf
- so-logstash
- so-elasticsearch
- so-curator
master_search:
containers:
- so-core
- so-telegraf
- so-sensoroni
- so-acng
- so-idstools
- so-redis
- so-auth-api
- so-auth-ui
- so-logstash
- so-elasticsearch
- so-curator
- so-kibana
- so-elastalert
- so-filebeat
- so-soctopus
{% if OSQUERY != '0' %}
- so-mysql
- so-fleet
- so-redis
{% endif %}
{% if WAZUH != '0' %}
- so-wazuh
{% endif %}
- so-soctopus
{% if THEHIVE != '0' %}
- so-thehive
- so-thehive-es
- so-cortex
{% endif %}
{% if PLAYBOOK != '0' %}
- so-playbook
- so-navigator
{% endif %}
{% if FREQSERVER != '0' %}
- so-freqserver
{% endif %}
{% if DOMAINSTATS != '0' %}
- so-domainstats
{% endif %}
master:
containers:
- so-dockerregistry
- so-core
- so-telegraf
{% if GRAFANA == '1' %}
- so-influxdb
- so-grafana
{% endif %}
- so-sensoroni
- so-acng
- so-idstools
- so-redis
- so-auth-api
- so-auth-ui
- so-elasticsearch
- so-logstash
- so-kibana
- so-elastalert
- so-filebeat
{% if OSQUERY != '0' %}
- so-mysql
- so-fleet
- so-redis
{% endif %}
{% if WAZUH != '0' %}
- so-wazuh
{% endif %}
- so-soctopus
{% if THEHIVE != '0' %}
- so-thehive
- so-thehive-es
- so-cortex
{% endif %}
{% if PLAYBOOK != '0' %}
- so-playbook
- so-navigator
{% endif %}
{% if FREQSERVER != '0' %}
- so-freqserver
{% endif %}
{% if DOMAINSTATS != '0' %}
- so-domainstats
{% endif %}
parser_node:
containers:
- so-core
- so-telegraf
- so-logstash
search_node:
containers:
- so-core
- so-telegraf
- so-logstash
- so-elasticsearch
- so-curator
- so-filebeat
{% if WAZUH != '0' %}
- so-wazuh
{% endif %}
sensor:
containers:
- so-core
- so-telegraf
- so-steno
- so-suricata
{% if BROVER != 'SURICATA' %}
- so-zeek
{% endif %}
- so-wazuh
- so-filebeat
warm_node:
containers:
- so-core
- so-telegraf
- so-elasticsearch

2
pillar/firewall/search_nodes.sls Normal file
View File

@@ -0,0 +1,2 @@
search_nodes:
- 127.0.0.1

2
pillar/firewall/storage_nodes.sls
View File

@@ -1,2 +0,0 @@
storage_nodes:
- 127.0.0.1

4
pillar/logstash/eval.sls Normal file
View File

@@ -0,0 +1,4 @@
logstash:
pipelines:
eval:
config: "/usr/share/logstash/pipelines/eval/*.conf"

4
pillar/logstash/helix.sls Normal file
View File

@@ -0,0 +1,4 @@
logstash:
pipelines:
helix:
config: "/usr/share/logstash/pipelines/helix/*.conf"

4
pillar/logstash/master.sls Normal file
View File

@@ -0,0 +1,4 @@
logstash:
pipelines:
master:
config: "/usr/share/logstash/pipelines/master/*.conf"

4
pillar/logstash/search.sls Normal file
View File

@@ -0,0 +1,4 @@
logstash:
pipelines:
search:
config: "/usr/share/logstash/pipelines/search/*.conf"

44
pillar/thresholding/pillar.example Normal file
View File

@@ -0,0 +1,44 @@
thresholding:
sids:
8675309:
- threshold:
gen_id: 1
type: threshold
track: by_src
count: 10
seconds: 10
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 100
seconds: 30
- rate_filter:
gen_id: 1
track: by_rule
count: 50
seconds: 30
new_action: alert
timeout: 30
- suppress:
gen_id: 1
track: by_either
ip: 10.10.3.7
11223344:
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 10
seconds: 10
- rate_filter:
gen_id: 1
track: by_src
count: 50
seconds: 20
new_action: pass
timeout: 60
- suppress:
gen_id: 1
track: by_src
ip: 10.10.3.0/24

20
pillar/thresholding/pillar.usage Normal file
View File

@@ -0,0 +1,20 @@
thresholding:
sids:
<signature id>:
- threshold:
gen_id: <generator id>
type: <threshold | limit | both>
track: <by_src | by_dst>
count: <count>
seconds: <seconds>
- rate_filter:
gen_id: <generator id>
track: <by_src | by_dst | by_rule | by_both>
count: <count>
seconds: <seconds>
new_action: <alert | pass>
timeout: <seconds>
- suppress:
gen_id: <generator id>
track: <by_src | by_dst | by_either>
ip: <ip | subnet>

39
pillar/top.sls
View File

@@ -1,38 +1,55 @@
base: base:
'*': '*':
- patch.needs_restarting - patch.needs_restarting
- docker.config
'G@role:so-mastersearch or G@role:so-heavynode':
- match: compound
- logstash.master
- logstash.search
'G@role:so-sensor': 'G@role:so-sensor':
- sensors.{{ grains.id }}
- static - static
- firewall.* - firewall.*
- brologs - brologs
- minions.{{ grains.id }}
'G@role:so-master or G@role:so-mastersearch':
- match: compound
- static
- firewall.*
- data.*
- auth
- minions.{{ grains.id }}
'G@role:so-master': 'G@role:so-master':
- masters.{{ grains.id }} - logstash.master
- static
- firewall.*
- data.*
- auth
'G@role:so-eval': 'G@role:so-eval':
- masters.{{ grains.id }}
- static - static
- firewall.* - firewall.*
- data.* - data.*
- brologs - brologs
- auth - auth
- logstash.eval
- minions.{{ grains.id }}
'G@role:so-node': 'G@role:so-node':
- nodes.{{ grains.id }}
- static - static
- firewall.* - firewall.*
- minions.{{ grains.id }}
'G@role:so-heavynode':
- static
- firewall.*
- brologs
- minions.{{ grains.id }}
'G@role:so-helix': 'G@role:so-helix':
- masters.{{ grains.id }}
- sensors.{{ grains.id }}
- static - static
- firewall.* - firewall.*
- fireeye - fireeye
- static
- brologs - brologs
- logstash.helix
- static
- minions.{{ grains.id }}

30
salt/auth/init.sls Normal file
View File

@@ -0,0 +1,30 @@
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
{% set MASTER = salt['grains.get']('master') %}
so-auth-api-dir:
file.directory:
- name: /opt/so/conf/auth/api
- user: 939
- group: 939
- makedirs: True
so-auth-api:
docker_container.running:
- image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:{{ VERSION }}
- hostname: so-auth-api
- name: so-auth-api
- environment:
- BASE_PATH: "/so-auth/api"
- AUTH_TOKEN_TIMEOUT: 32400
- binds:
- /opt/so/conf/auth/api:/data
- port_bindings:
- 0.0.0.0:5656:5656
so-auth-ui:
docker_container.running:
- image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:{{ VERSION }}
- hostname: so-auth-ui
- name: so-auth-ui
- port_bindings:
- 0.0.0.0:4242:80

6
salt/common/grafana/etc/dashboards/dashboard.yml
View File

@@ -17,13 +17,13 @@ providers:
editable: true editable: true
options: options:
path: /etc/grafana/grafana_dashboards/forward_nodes path: /etc/grafana/grafana_dashboards/forward_nodes
- name: 'Storage Nodes' - name: 'Search Nodes'
folder: 'Storage Nodes' folder: 'Search Nodes'
type: file type: file
disableDeletion: false disableDeletion: false
editable: true editable: true
options: options:
path: /etc/grafana/grafana_dashboards/storage_nodes path: /etc/grafana/grafana_dashboards/search_nodes
{%- else %} {%- else %}
- name: 'Security Onion' - name: 'Security Onion'
folder: 'Eval Mode' folder: 'Eval Mode'

4
salt/common/grafana/grafana_dashboards/eval/eval.json
View File

@@ -1395,7 +1395,7 @@
"condition": "AND", "condition": "AND",
"key": "container_name", "key": "container_name",
"operator": "=", "operator": "=",
"value": "so-bro" "value": "so-zeek"
} }
] ]
} }
@@ -1913,7 +1913,7 @@
"condition": "AND", "condition": "AND",
"key": "container_name", "key": "container_name",
"operator": "=", "operator": "=",
"value": "so-bro" "value": "so-zeek"
} }
] ]
} }

4
salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
View File

@@ -1396,7 +1396,7 @@
"condition": "AND", "condition": "AND",
"key": "container_name", "key": "container_name",
"operator": "=", "operator": "=",
"value": "so-bro" "value": "so-zeek"
} }
] ]
} }
@@ -1901,7 +1901,7 @@
"condition": "AND", "condition": "AND",
"key": "container_name", "key": "container_name",
"operator": "=", "operator": "=",
"value": "so-bro" "value": "so-zeek"
} }
] ]
} }

4
salt/common/grafana/grafana_dashboards/storage_nodes/storage.json → salt/common/grafana/grafana_dashboards/search_nodes/searchnode.json
View File

@@ -12,7 +12,7 @@
} }
] ]
}, },
"description": "This Dashboard provides a general overview of a Storage Node", "description": "This Dashboard provides a general overview of a Search Node",
"editable": true, "editable": true,
"gnetId": 2381, "gnetId": 2381,
"graphTooltip": 0, "graphTooltip": 0,
@@ -3433,7 +3433,7 @@
] ]
}, },
"timezone": "browser", "timezone": "browser",
"title": "Storage Node - {{ SERVERNAME }} Overview", "title": "Search Node - {{ SERVERNAME }} Overview",
"uid": "{{ UID }}", "uid": "{{ UID }}",
"version": 3 "version": 3
} }

46
salt/common/init.sls
View File

@@ -1,4 +1,6 @@
{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
{% set MASTER = salt['grains.get']('master') %}
{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
# Add socore Group # Add socore Group
socoregroup: socoregroup:
group.present: group.present:
@@ -114,16 +116,9 @@ nginxtmp:
- group: 939 - group: 939
- makedirs: True - makedirs: True
# Start the core docker
so-coreimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.3
so-core: so-core:
docker_container.running: docker_container.running:
- require: - image: {{ MASTER }}:5000/soshybridhunter/so-core:{{ VERSION }}
- so-coreimage
- image: docker.io/soshybridhunter/so-core:HH1.1.3
- hostname: so-core - hostname: so-core
- user: socore - user: socore
- binds: - binds:
@@ -175,15 +170,9 @@ tgrafconf:
- template: jinja - template: jinja
- source: salt://common/telegraf/etc/telegraf.conf - source: salt://common/telegraf/etc/telegraf.conf
so-telegrafimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-telegraf:HH1.1.0
so-telegraf: so-telegraf:
docker_container.running: docker_container.running:
- require: - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }}
- so-telegrafimage
- image: docker.io/soshybridhunter/so-telegraf:HH1.1.0
- environment: - environment:
- HOST_PROC=/host/proc - HOST_PROC=/host/proc
- HOST_ETC=/host/etc - HOST_ETC=/host/etc
@@ -214,7 +203,7 @@ so-telegraf:
- /opt/so/conf/telegraf/etc/telegraf.conf - /opt/so/conf/telegraf/etc/telegraf.conf
- /opt/so/conf/telegraf/scripts - /opt/so/conf/telegraf/scripts
# If its a master or eval lets install the back end for now # If its a master or eval lets install the back end for now
{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' and GRAFANA == 1 %} {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' and GRAFANA == 1 %}
# Influx DB # Influx DB
@@ -236,15 +225,9 @@ influxdbconf:
- template: jinja - template: jinja
- source: salt://common/influxdb/etc/influxdb.conf - source: salt://common/influxdb/etc/influxdb.conf
so-influximage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-influxdb:HH1.1.0
so-influxdb: so-influxdb:
docker_container.running: docker_container.running:
- require: - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }}
- so-influximage
- image: docker.io/soshybridhunter/so-influxdb:HH1.1.0
- hostname: influxdb - hostname: influxdb
- environment: - environment:
- INFLUXDB_HTTP_LOG_ENABLED=false - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -303,7 +286,7 @@ grafanadashfndir:
grafanadashsndir: grafanadashsndir:
file.directory: file.directory:
- name: /opt/so/conf/grafana/grafana_dashboards/storage_nodes - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes
- user: 939 - user: 939
- group: 939 - group: 939
- makedirs: True - makedirs: True
@@ -360,13 +343,13 @@ dashboard-{{ SN }}:
{% if salt['pillar.get']('nodestab', False) %} {% if salt['pillar.get']('nodestab', False) %}
{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
dashboard-{{ SN }}: dashboardsearch-{{ SN }}:
file.managed: file.managed:
- name: /opt/so/conf/grafana/grafana_dashboards/storage_nodes/{{ SN }}-Node.json - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
- user: 939 - user: 939
- group: 939 - group: 939
- template: jinja - template: jinja
- source: salt://common/grafana/grafana_dashboards/storage_nodes/storage.json - source: salt://common/grafana/grafana_dashboards/search_nodes/searchnode.json
- defaults: - defaults:
SERVERNAME: {{ SN }} SERVERNAME: {{ SN }}
MANINT: {{ SNDATA.manint }} MANINT: {{ SNDATA.manint }}
@@ -400,14 +383,9 @@ dashboard-{{ SN }}:
{% endfor %} {% endfor %}
{% endif %} {% endif %}
# Install the docker. This needs to be behind nginx at some point
so-grafanaimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-grafana:HH1.1.0
so-grafana: so-grafana:
docker_container.running: docker_container.running:
- image: docker.io/soshybridhunter/so-grafana:HH1.1.0 - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }}
- hostname: grafana - hostname: grafana
- user: socore - user: socore
- binds: - binds:

82
salt/common/nginx/nginx.conf.so-eval
View File

@@ -58,9 +58,9 @@ http {
# } # }
#} #}
server { server {
listen 80 default_server; listen 80 default_server;
server_name _; server_name _;
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
@@ -88,8 +88,8 @@ http {
# } # }
location /grafana/ { location /grafana/ {
rewrite /grafana/(.*) /$1 break; rewrite /grafana/(.*) /$1 break;
proxy_pass http://{{ masterip }}:3000/; proxy_pass http://{{ masterip }}:3000/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -100,10 +100,9 @@ http {
} }
location /kibana/ { location /kibana/ {
auth_basic "Security Onion"; auth_request /so-auth/api/auth/;
auth_basic_user_file /opt/so/conf/nginx/.htpasswd; rewrite /kibana/(.*) /$1 break;
rewrite /kibana/(.*) /$1 break; proxy_pass http://{{ masterip }}:5601/;
proxy_pass http://{{ masterip }}:5601/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -114,7 +113,7 @@ http {
} }
location /playbook/ { location /playbook/ {
proxy_pass http://{{ masterip }}:3200/playbook/; proxy_pass http://{{ masterip }}:3200/playbook/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -126,9 +125,8 @@ http {
location /navigator/ { location /navigator/ {
auth_basic "Security Onion"; auth_request /so-auth/api/auth/;
auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass http://{{ masterip }}:4200/navigator/;
proxy_pass http://{{ masterip }}:4200/navigator/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -139,7 +137,7 @@ http {
} }
location /api/ { location /api/ {
proxy_pass https://{{ masterip }}:8080/api/; proxy_pass https://{{ masterip }}:8080/api/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
@@ -152,7 +150,7 @@ http {
} }
location /fleet/ { location /fleet/ {
proxy_pass https://{{ masterip }}:8080/fleet/; proxy_pass https://{{ masterip }}:8080/fleet/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -163,10 +161,10 @@ http {
} }
location /thehive/ { location /thehive/ {
proxy_pass http://{{ masterip }}:9000/thehive/; proxy_pass http://{{ masterip }}:9000/thehive/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -175,10 +173,10 @@ http {
} }
location /cortex/ { location /cortex/ {
proxy_pass http://{{ masterip }}:9001/cortex/; proxy_pass http://{{ masterip }}:9001/cortex/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -186,20 +184,8 @@ http {
} }
location /cyberchef/ {
proxy_pass http://{{ masterip }}:9080/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /soctopus/ { location /soctopus/ {
proxy_pass http://{{ masterip }}:7000/; proxy_pass http://{{ masterip }}:7000/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -210,17 +196,16 @@ http {
} }
location /sensoroni/ { location /sensoroni/ {
auth_basic "Security Onion"; auth_request /so-auth/api/auth/;
auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass http://{{ masterip }}:9822/;
proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy ""; proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade"; proxy_set_header Connection "Upgrade";
} }
@@ -237,15 +222,34 @@ http {
} }
location /sensoroniagents/ { location /sensoroniagents/ {
proxy_pass http://{{ masterip }}:9822/; proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy ""; proxy_set_header Proxy "";
} }
location /so-auth/loginpage/ {
proxy_pass http://{{ masterip }}:4242/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /so-auth/api/ {
proxy_pass http://{{ masterip }}:5656/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
}
error_page 401 = @error401;
location @error401 {
add_header Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/;Max-Age=60000";
return 302 http://{{ masterip }}/so-auth/loginpage/;
}
error_page 404 /404.html; error_page 404 /404.html;
location = /40x.html { location = /40x.html {
} }

89
salt/common/nginx/nginx.conf.so-heavynode Normal file
View File

@@ -0,0 +1,89 @@
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}

50
salt/common/nginx/nginx.conf.so-master
View File

@@ -88,7 +88,7 @@ http {
# } # }
location /grafana/ { location /grafana/ {
rewrite /grafana/(.*) /$1 break; rewrite /grafana/(.*) /$1 break;
proxy_pass http://{{ masterip }}:3000/; proxy_pass http://{{ masterip }}:3000/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
@@ -100,9 +100,8 @@ http {
} }
location /kibana/ { location /kibana/ {
auth_basic "Security Onion"; auth_request /so-auth/api/auth/;
auth_basic_user_file /opt/so/conf/nginx/.htpasswd; rewrite /kibana/(.*) /$1 break;
rewrite /kibana/(.*) /$1 break;
proxy_pass http://{{ masterip }}:5601/; proxy_pass http://{{ masterip }}:5601/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
@@ -125,8 +124,7 @@ http {
} }
location /navigator/ { location /navigator/ {
auth_basic "Security Onion"; auth_request /so-auth/api/auth/;
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
proxy_pass http://{{ masterip }}:4200/navigator/; proxy_pass http://{{ masterip }}:4200/navigator/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
@@ -151,9 +149,8 @@ http {
} }
location /fleet/ { location /fleet/ {
rewrite /fleet/(.*) /$1 break; rewrite /fleet/(.*) /$1 break;
auth_basic "Security Onion"; auth_request /so-auth/api/auth/;
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
proxy_pass https://{{ masterip }}:8080/; proxy_pass https://{{ masterip }}:8080/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
@@ -188,18 +185,6 @@ http {
} }
location /cyberchef/ {
proxy_pass http://{{ masterip }}:9080/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /soctopus/ { location /soctopus/ {
proxy_pass http://{{ masterip }}:7000/; proxy_pass http://{{ masterip }}:7000/;
proxy_read_timeout 90; proxy_read_timeout 90;
@@ -212,8 +197,7 @@ http {
} }
location /sensoroni/ { location /sensoroni/ {
auth_basic "Security Onion"; auth_request /so-auth/api/auth/;
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
proxy_pass http://{{ masterip }}:9822/; proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
@@ -250,6 +234,26 @@ http {
} }
location /so-auth/loginpage/ {
proxy_pass http://{{ masterip }}:4242/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /so-auth/api/ {
proxy_pass http://{{ masterip }}:5656/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
}
error_page 401 = @error401;
location @error401 {
add_header Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/;Max-Age=60000";
return 302 http://{{ masterip }}/so-auth/loginpage/;
}
error_page 404 /404.html; error_page 404 /404.html;
location = /40x.html { location = /40x.html {
} }

278
salt/common/nginx/nginx.conf.so-mastersearch Normal file
View File

@@ -0,0 +1,278 @@
{%- set masterip = salt['pillar.get']('master:mainip', '') %}
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
#server {
# listen 80 default_server;
# listen [::]:80 default_server;
# server_name _;
# root /opt/socore/html;
# index index.html;
# Load configuration files for the default server block.
#include /etc/nginx/default.d/*.conf;
# location / {
# }
# error_page 404 /404.html;
# location = /40x.html {
# }
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
#}
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
# Settings for a TLS enabled server.
server {
listen 443 ssl http2 default_server;
#listen [::]:443 ssl http2 default_server;
server_name _;
root /opt/socore/html;
index index.html;
ssl_certificate "/etc/pki/nginx/server.crt";
ssl_certificate_key "/etc/pki/nginx/server.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
#include /etc/nginx/default.d/*.conf;
#location / {
# try_files $uri $uri.html /index.html;
# }
location /grafana/ {
rewrite /grafana/(.*) /$1 break;
proxy_pass http://{{ masterip }}:3000/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /kibana/ {
auth_request /so-auth/api/auth/;
rewrite /kibana/(.*) /$1 break;
proxy_pass http://{{ masterip }}:5601/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /playbook/ {
proxy_pass http://{{ masterip }}:3200/playbook/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /navigator/ {
auth_request /so-auth/api/auth/;
proxy_pass http://{{ masterip }}:4200/navigator/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /api/ {
proxy_pass https://{{ masterip }}:8080/api/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /fleet/ {
rewrite /fleet/(.*) /$1 break;
auth_request /so-auth/api/auth/;
proxy_pass https://{{ masterip }}:8080/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /thehive/ {
proxy_pass http://{{ masterip }}:9000/thehive/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /cortex/ {
proxy_pass http://{{ masterip }}:9001/cortex/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /cyberchef/ {
proxy_pass http://{{ masterip }}:9080/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /soctopus/ {
proxy_pass http://{{ masterip }}:7000/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /sensoroni/ {
auth_request /so-auth/api/auth/;
proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
location /kibana/app/sensoroni/ {
rewrite ^/kibana/app/sensoroni/(.*) /sensoroni/$1 permanent;
}
location /kibana/app/fleet/ {
rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
}
location /kibana/app/soctopus/ {
rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
}
location /sensoroniagents/ {
proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /so-auth/loginpage/ {
proxy_pass http://{{ masterip }}:4242/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /so-auth/api/ {
proxy_pass http://{{ masterip }}:5656/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
}
error_page 401 = @error401;
location @error401 {
add_header Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/;Max-Age=60000";
return 302 http://{{ masterip }}/so-auth/loginpage/;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}

0
salt/common/scripts/dockernet.sh Normal file → Executable file
View File

58
salt/common/telegraf/etc/telegraf.conf
View File

@@ -15,6 +15,7 @@
{%- set MASTER = grains['master'] %} {%- set MASTER = grains['master'] %}
{% set NODEIP = salt['pillar.get']('node:mainip', '') %} {% set NODEIP = salt['pillar.get']('node:mainip', '') %}
{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
# Global tags can be specified here in key="value" format. # Global tags can be specified here in key="value" format.
@@ -86,6 +87,7 @@
############################################################################### ###############################################################################
# Configuration for sending metrics to InfluxDB # Configuration for sending metrics to InfluxDB
{% if grains['role'] != 'so-helix' %}
[[outputs.influxdb]] [[outputs.influxdb]]
## The full HTTP or UDP URL for your InfluxDB instance. ## The full HTTP or UDP URL for your InfluxDB instance.
## ##
@@ -148,7 +150,52 @@
## integer values. Enabling this option will result in field type errors if ## integer values. Enabling this option will result in field type errors if
## existing data has been written. ## existing data has been written.
# influx_uint_support = false # influx_uint_support = false
{% else %}
# A plugin that can transmit metrics over HTTP
[[outputs.http]]
## URL is the address to send metrics to
url = "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload"
## Timeout for HTTP message
# timeout = "5s"
## HTTP method, one of: "POST" or "PUT"
method = "POST"
## HTTP Basic Auth credentials
# username = "username"
# password = "pa$$word"
## OAuth2 Client Credentials Grant
# client_id = "clientid"
# client_secret = "secret"
# token_url = "https://indentityprovider/oauth2/v1/token"
# scopes = ["urn:opc:idm:__myscopes__"]
## Optional TLS Config
# tls_ca = "/etc/telegraf/ca.pem"
# tls_cert = "/etc/telegraf/cert.pem"
# tls_key = "/etc/telegraf/key.pem"
## Use TLS but skip chain & host verification
# insecure_skip_verify = false
## Data format to output.
## Each data format has it's own unique set of configuration options, read
## more about them here:
## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md
data_format = "json"
## HTTP Content-Encoding for write request body, can be set to "gzip" to
## compress body or "identity" to apply no encoding.
content_encoding = "gzip"
## Additional HTTP headers
[outputs.http.headers]
# # Should be set manually to "application/json" for json data_format
Content-Type = "application/json; charset=utf-8"
Authorization = "{{ HELIX_API_KEY }}"
{% endif %}
############################################################################### ###############################################################################
# PROCESSOR PLUGINS # # PROCESSOR PLUGINS #
############################################################################### ###############################################################################
@@ -647,6 +694,17 @@
"/scripts/influxdbsize.sh" "/scripts/influxdbsize.sh"
] ]
data_format = "influx" data_format = "influx"
{% elif grains['role'] == 'so-helix' %}
[[inputs.exec]]
commands = [
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
"/scripts/broloss.sh",
"/scripts/oldpcap.sh",
"/scripts/helixeps.sh"
]
data_format = "influx"
{% endif %} {% endif %}
# #

4
salt/common/telegraf/scripts/broloss.sh
View File

@@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
BROLOG=$(tac /host/nsm/bro/logs/packetloss.log | head -2) ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
declare RESULT=($BROLOG) declare RESULT=($ZEEKLOG)
CURRENTDROP=${RESULT[3]} CURRENTDROP=${RESULT[3]}
PASTDROP=${RESULT[9]} PASTDROP=${RESULT[9]}
DROPPED=$(($CURRENTDROP - $PASTDROP)) DROPPED=$(($CURRENTDROP - $PASTDROP))

25
salt/common/telegraf/scripts/helixeps.sh Normal file
View File

@@ -0,0 +1,25 @@
#!/bin/bash
PREVCOUNTFILE='/tmp/helixevents.txt'
EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.pipelines.helix.events.out')"
if [ ! -z "$EVENTCOUNTCURRENT" ]; then
if [ -f "$PREVCOUNTFILE" ]; then
EVENTCOUNTPREVIOUS=`cat $PREVCOUNTFILE`
else
echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
exit 0
fi
echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
EVENTS=$(((EVENTCOUNTCURRENT - EVENTCOUNTPREVIOUS)/30))
if [ "$EVENTS" -lt 0 ]; then
EVENTS=0
fi
echo "helixeps eps=${EVENTS%%.*}"
fi
exit 0

123
salt/common/tools/sbin/so-allow Normal file → Executable file
View File

@@ -1,42 +1,101 @@
#!/bin/bash #!/bin/bash
got_root() {
# Make sure you are root # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
if [ "$(id -u)" -ne 0 ]; then #
echo "This script must be run using sudo!" # This program is free software: you can redistribute it and/or modify
exit 1 # it under the terms of the GNU General Public License as published by
fi # the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
} . /usr/sbin/so-common
got_root SKIP=0
echo "This program allows you to add a firewall rule to allow connections from a new IP address." while getopts "abowi:" OPTION
echo "" do
echo "Choose the role for the IP or Range you would like to add" case $OPTION in
echo ""
echo "[a] - Analyst - ports 80/tcp and 443/tcp" h)
echo "[b] - Logstash Beat - port 5044/tcp" usage
echo "[o] - Osquery endpoint - port 8080/tcp" exit 0
echo "[w] - Wazuh endpoint - port 1514" ;;
echo "" a)
echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):" FULLROLE="analyst"
read ROLE SKIP=1
echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):" ;;
read IP b)
FULLROLE="beats_endpoint"
SKIP=1
;;
i) IP=$OPTARG
;;
o)
FULLROLE="osquery_endpoint"
SKIP=1
;;
w)
FULLROLE="wazuh_endpoint"
SKIP=1
;;
esac
done
if [ "$SKIP" -eq 0 ]; then
echo "This program allows you to add a firewall rule to allow connections from a new IP address."
echo ""
echo "Choose the role for the IP or Range you would like to add"
echo ""
echo "[a] - Analyst - ports 80/tcp and 443/tcp"
echo "[b] - Logstash Beat - port 5044/tcp"
echo "[o] - Osquery endpoint - port 8080/tcp"
echo "[w] - Wazuh endpoint - port 1514"
echo ""
echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
read ROLE
echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
read IP
if [ "$ROLE" == "a" ]; then
FULLROLE=analyst
elif [ "$ROLE" == "b" ]; then
FULLROLE=beats_endpoint
elif [ "$ROLE" == "o" ]; then
FULLROLE=osquery_endpoint
elif [ "$ROLE" == "w" ]; then
FULLROLE=wazuh_endpoint
else
echo "I don't recognize that role"
exit 1
fi
if [ "$ROLE" == "a" ]; then
FULLROLE=analyst
elif [ "$ROLE" == "b" ]; then
FULLROLE=beats_endpoint
elif [ "$ROLE" == "o" ]; then
FULLROLE=osquery_endpoint
elif [ "$ROLE" == "w" ]; then
FULLROLE=wazuh_endpoint
else
echo "I don't recognize that role"
exit 1
fi fi
echo "Adding $IP to the $FULLROLE role. This can take a few seconds" echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP /opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
# Check if Wazuh enabled
if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
# If analyst, add to Wazuh AR whitelist
if [ "$FULLROLE" == "analyst" ]; then
WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
DATE=`date`
sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
echo -e "<!--Address $IP added by /usr/sbin/so-allow on "$DATE"-->\n <global>\n <white_list>$IP</white_list>\n </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
echo
echo "Restarting OSSEC Server..."
/usr/sbin/so-wazuh-restart
fi
fi
fi

21
salt/common/tools/sbin/so-auth-restart Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart auth $1

20
salt/common/tools/sbin/so-auth-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start auth $1

20
salt/common/tools/sbin/so-auth-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop auth $1

37
salt/common/tools/sbin/so-bpf-compile Executable file
View File

@@ -0,0 +1,37 @@
#!/bin/bash
# Copyright 2014 Google Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
if [ "$#" -lt 2 ]; then
cat 1>&2 <<EOF
$0 compiles a BPF expression to be passed to stenotype to apply a socket filter.
Its first argument is the interface (link type is required) and all other arguments
are passed to TCPDump.
Examples:
$0 eth0 dst port 80
$0 eth0 udp port 53
EOF
exit 1
fi
interface="$1"
shift
sudo tcpdump -i $interface -ddd $@ | tail -n+2 |
while read line; do
cols=( $line )
printf "%04x%02x%02x%08x" ${cols[0]} ${cols[1]} ${cols[2]} ${cols[3]}
done
echo ""

0
salt/common/tools/sbin/so-bro-logs Normal file → Executable file
View File

21
salt/common/tools/sbin/so-checkin Normal file → Executable file
View File

@@ -1 +1,20 @@
sudo salt-call state.highstate #!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
salt-call state.highstate

30
salt/common/tools/sbin/so-common Executable file
View File

@@ -0,0 +1,30 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Check for prerequisites
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
# Define a banner to separate sections
banner="========================================================================="
header() {
echo
printf '%s\n' "$banner" "$*" "$banner"
}

20
salt/common/tools/sbin/so-cortex-restart Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart cortex $1

20
salt/common/tools/sbin/so-cortex-start Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start cortex $1

20
salt/common/tools/sbin/so-cortex-stop Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop cortex $1

20
salt/common/tools/sbin/so-curator-restart Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart curator $1

20
salt/common/tools/sbin/so-curator-start Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start curator $1

20
salt/common/tools/sbin/so-curator-stop Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop curator $1

1000
salt/common/tools/sbin/so-elastalert-create Executable file
View File

File diff suppressed because it is too large Load Diff

20
salt/common/tools/sbin/so-elastalert-restart Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart elastalert $1

20
salt/common/tools/sbin/so-elastalert-start Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start elastalert $1

20
salt/common/tools/sbin/so-elastalert-stop Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop elastalert $1

142
salt/common/tools/sbin/so-elastalert-test Executable file
View File

@@ -0,0 +1,142 @@
#!/bin/bash
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Originally written by Bryant Treacle
# https://raw.githubusercontent.com/bryant-treacle/so-elastalert-test-rule/master/so-elastalert-test
# Modified by Doug Burks and Wes Lambert
#
# Purpose: This script will allow you to test your elastalert rule without entering the Docker container.
. /usr/sbin/so-elastic-common
OPTIONS=""
SKIP=0
RESULTS_TO_LOG="n"
RULE_NAME=""
FILE_SAVE_LOCATION=""
usage()
{
cat <<EOF
Test Elastalert Rule
Options:
-h This message
-a Trigger real alerts instead of the debug alert
-l <path_to_file> Write results to specified log file
-o '<options>' Specify Elastalert options ( Ex. --schema-only , --count-only, --days N )
-r <rule_name> Specify path/name of rule to test
EOF
}
while getopts "hal:o:r:" OPTION
do
case $OPTION in
h)
usage
exit 0
;;
a)
OPTIONS="--alert"
;;
l)
RESULTS_TO_LOG="y"
FILE_SAVE_LOCATION=$OPTARG
;;
o)
OPTIONS=$OPTARG
;;
r)
RULE_NAME=$OPTARG
SKIP=1
;;
*)
usage
exit 0
;;
esac
done
docker_exec(){
if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS" > $FILE_SAVE_LOCATION
else
docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS"
fi
}
rule_prompt(){
CURRENT_RULES=$(find /opt/so/rules/elastalert -name "*.yaml")
echo
echo "This script will allow you to test an Elastalert rule."
echo
echo "Below is a list of active Elastalert rules:"
echo
echo "-----------------------------------"
echo
echo "$CURRENT_RULES"
echo
echo "-----------------------------------"
echo
echo "Note: To test a rule it must be accessible by the Elastalert Docker container."
echo
echo "Make sure to swap the local path (/opt/so/rules/elastalert/) for the docker path (/etc/elastalert/rules/)"
echo "Example: /opt/so/rules/elastalert/nids2hive.yaml would be /etc/elastalert/rules/nids2hive.yaml"
echo
while [ -z $RULE_NAME ]; do
echo "Please enter the file path and rule name you want to test."
read -e RULE_NAME
done
}
log_save_prompt(){
RESULTS_TO_LOG=""
while [ -z $RESULTS_TO_LOG ]; do
echo "The results can be rather long. Would you like to write the results to a file? (Y/N)"
read RESULTS_TO_LOG
done
}
log_path_prompt(){
while [ -z $FILE_SAVE_LOCATION ]; do
echo "Please enter the file path and file name."
read -e FILE_SAVE_LOCATION
done
echo "Depending on the rule this may take a while."
}
if [ $SKIP -eq 0 ]; then
rule_prompt
log_save_prompt
if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
log_path_prompt
fi
fi
docker_exec
if [ $? -eq 0 ]; then
echo "Test completed successfully!"
else
echo "Something went wrong..."
fi
echo

80
salt/common/tools/sbin/so-elastic-clear Executable file
View File

@@ -0,0 +1,80 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
. /usr/sbin/so-common
SKIP=0
#########################################
# Options
#########################################
usage()
{
cat <<EOF
Security Onion Elastic Clear
Options:
-h This message
-y Skip interactive mode
EOF
}
while getopts "h:y" OPTION
do
case $OPTION in
h)
usage
exit 0
;;
y)
SKIP=1
;;
*)
usage
exit 0
;;
esac
done
if [ $SKIP -ne 1 ]; then
# List indices
echo
curl {{ MASTERIP }}:9200/_cat/indices?v&pretty
echo
# Inform user we are about to delete all data
echo
echo "This script will delete all data (documents, indices, etc.) in the Elasticsearch database."
echo
echo "If you would like to proceed, please type "AGREE" and hit ENTER."
echo
# Read user input
read INPUT
if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
fi
/usr/sbin/so-filebeat-stop
/usr/sbin/so-logstash-stop
# Delete data
echo "Deleting data..."
INDXS=$(curl -s -XGET {{ MASTERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert' | awk '{ print $3 }')
for INDX in ${INDXS}
do
curl -XDELETE "{{ MASTERIP }}:9200/${INDX}" > /dev/null 2>&1
done
/usr/sbin/so-logstash-start
/usr/sbin/so-filebeat-start

33
salt/common/tools/sbin/so-elastic-diagnose Executable file
View File

@@ -0,0 +1,33 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Source common settings
. /usr/sbin/so-common
# Check for log files
for FILE in /opt/so/log/elasticsearch/*.log /opt/so/log/logstash/*.log /opt/so/log/kibana/*.log /opt/so/log/elastalert/*.log /opt/so/log/curator/*.log /opt/so/log/freqserver/*.log /opt/so/log/nginx/*.log; do
# If file exists, then look for errors or warnings
if [ -f $FILE ]; then
MESSAGE=`grep -i 'ERROR\|FAIL\|WARN' $FILE`
if [ ! -z "$MESSAGE" ]; then
header $FILE
echo $MESSAGE | sed 's/WARN/\nWARN/g' | sed 's/WARNING/\nWARNING/g' | sed 's/ERROR/\nERROR/g' | sort | uniq -c | sort -nr
echo
fi
fi
done

46
salt/common/tools/sbin/so-elastic-download Executable file
View File

@@ -0,0 +1,46 @@
#!/bin/bash
MASTER=MASTER
VERSION="HH1.1.4"
TRUSTED_CONTAINERS=( \
"so-auth-api:$VERSION" \
"so-auth-ui:$VERSION" \
"so-core:$VERSION" \
"so-thehive-cortex:$VERSION" \
"so-curator:$VERSION" \
"so-domainstats:$VERSION" \
"so-elastalert:$VERSION" \
"so-elasticsearch:$VERSION" \
"so-filebeat:$VERSION" \
"so-fleet:$VERSION" \
"so-fleet-launcher:$VERSION" \
"so-freqserver:$VERSION" \
"so-grafana:$VERSION" \
"so-idstools:$VERSION" \
"so-influxdb:$VERSION" \
"so-kibana:$VERSION" \
"so-logstash:$VERSION" \
"so-mysql:$VERSION" \
"so-navigator:$VERSION" \
"so-playbook:$VERSION" \
"so-redis:$VERSION" \
"so-sensoroni:$VERSION" \
"so-soctopus:$VERSION" \
"so-steno:$VERSION" \
#"so-strelka:$VERSION" \
"so-suricata:$VERSION" \
"so-telegraf:$VERSION" \
"so-thehive:$VERSION" \
"so-thehive-es:$VERSION" \
"so-wazuh:$VERSION" \
"so-zeek:$VERSION" )
for i in "${TRUSTED_CONTAINERS[@]}"
do
# Pull down the trusted docker image
echo "Downloading $i"
docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
# Tag it with the new registry destination
docker tag soshybridhunter/$i $MASTER:5000/soshybridhunter/$i
docker push $MASTER:5000/soshybridhunter/$i
docker rmi soshybridhunter/$i
done

20
salt/common/tools/sbin/so-elasticsearch-restart Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart elasticsearch $1

20
salt/common/tools/sbin/so-elasticsearch-start Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start elasticsearch $1

20
salt/common/tools/sbin/so-elasticsearch-stop Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop elasticsearch $1

42
salt/common/tools/sbin/so-features-enable Executable file
View File

@@ -0,0 +1,42 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
VERSION=$(grep soversion /opt/so/saltstack/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
# Modify static.sls to enable Features
sed -i 's/features: False/features: True/' /opt/so/saltstack/pillar/static.sls
SUFFIX="-features"
TRUSTED_CONTAINERS=( \
"so-elasticsearch:$VERSION$SUFFIX" \
"so-filebeat:$VERSION$SUFFIX" \
"so-kibana:$VERSION$SUFFIX" \
"so-logstash:$VERSION$SUFFIX" )
for i in "${TRUSTED_CONTAINERS[@]}"
do
# Pull down the trusted docker image
echo "Downloading $i"
docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
# Tag it with the new registry destination
docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
docker push $HOSTNAME:5000/soshybridhunter/$i
done
for i in "${TRUSTED_CONTAINERS[@]}"
do
echo "Removing $i locally"
docker rmi soshybridhunter/$i
done

31
salt/common/tools/sbin/so-filebeat-restart Normal file → Executable file
View File

@@ -1,17 +1,20 @@
#!/bin/bash #!/bin/bash
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# This program is free software: you can redistribute it and/or modify . /usr/sbin/so-common
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or /usr/sbin/so-restart filebeat $1
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
docker stop so-filebeat && sudo docker rm so-filebeat && salt-call state.apply filebeat

31
salt/common/tools/sbin/so-filebeat-start Normal file → Executable file
View File

@@ -1,17 +1,20 @@
#!/bin/bash #!/bin/bash
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# This program is free software: you can redistribute it and/or modify . /usr/sbin/so-common
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or /usr/sbin/so-start filebeat $1
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
docker rm so-filebeat && salt-call state.apply filebeat

31
salt/common/tools/sbin/so-filebeat-stop Normal file → Executable file
View File

@@ -1,17 +1,20 @@
#!/bin/bash #!/bin/bash
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# This program is free software: you can redistribute it and/or modify . /usr/sbin/so-common
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or /usr/sbin/so-stop filebeat $1
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
docker stop so-filebeat

20
salt/common/tools/sbin/so-fleet-restart Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart fleet $1

20
salt/common/tools/sbin/so-fleet-start Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start fleet $1

20
salt/common/tools/sbin/so-fleet-stop Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop fleet $1

1
salt/common/tools/sbin/so-get-parsed
View File

@@ -1 +0,0 @@
sudo docker exec -it so-redis redis-cli llen logstash:unparsed

1
salt/common/tools/sbin/so-get-unparsed
View File

@@ -1 +0,0 @@
sudo docker exec -it so-redis redis-cli llen logstash:unparsed

20
salt/common/tools/sbin/so-grafana-restart Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart grafana $1

20
salt/common/tools/sbin/so-grafana-start Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start grafana $1

20
salt/common/tools/sbin/so-grafana-stop Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop grafana $1

0
salt/common/tools/sbin/so-helix-apikey Normal file → Executable file
View File

18
salt/common/tools/sbin/so-index-list Executable file
View File

@@ -0,0 +1,18 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
curl -X GET "localhost:9200/_cat/indices?v"

20
salt/common/tools/sbin/so-kibana-restart Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart kibana $1

20
salt/common/tools/sbin/so-kibana-start Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start kibana $1

20
salt/common/tools/sbin/so-kibana-stop Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop kibana $1

1
salt/common/tools/sbin/so-list-index
View File

@@ -1 +0,0 @@
curl -X GET "localhost:9200/_cat/indices?v"

20
salt/common/tools/sbin/so-logstash-get-parsed Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
docker exec -it so-redis redis-cli llen logstash:unparsed

20
salt/common/tools/sbin/so-logstash-get-unparsed Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
docker exec -it so-redis redis-cli llen logstash:unparsed

20
salt/common/tools/sbin/so-logstash-restart Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart logstash $1

20
salt/common/tools/sbin/so-logstash-start Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start logstash $1

20
salt/common/tools/sbin/so-logstash-stop Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop logstash $1

20
salt/common/tools/sbin/so-mysql-restart Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart mysql $1

20
salt/common/tools/sbin/so-mysql-start Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start mysql $1

20
salt/common/tools/sbin/so-mysql-stop Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop mysql $1

76
salt/common/tools/sbin/so-nsm-clear Executable file
View File

@@ -0,0 +1,76 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
SKIP=0
#########################################
# Options
#########################################
usage()
{
cat <<EOF
Security Onion NSM Data Deletion
Options:
-h This message
-y Skip interactive mode
EOF
}
while getopts "h:y" OPTION
do
case $OPTION in
h)
usage
exit 0
;;
y)
SKIP=1
;;
*)
usage
exit 0
;;
esac
done
if [ $SKIP -ne 1 ]; then
# Inform user we are about to delete all data
echo
echo "This script will delete all NIDS data (PCAP, Suricata, Zeek)"
echo "If you would like to proceed, please type "AGREE" and hit ENTER."
echo
# Read user input
read INPUT
if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
fi
delete_pcap() {
PCAP_DATA="/nsm/pcap/"
[ -d $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
}
delete_suricata() {
SURI_LOG="/opt/so/log/suricata/eve.json"
[ -f $SURI_LOG ] && so-suricata-stop && rm -f $SURI_LOG && so-suricata-start
}
delete_zeek() {
ZEEK_LOG="/nsm/zeek/logs/"
[ -d $ZEEK_LOG ] && so-zeek-stop && rm -rf $ZEEK_LOG/* && so-zeek-start
}
delete_pcap
delete_suricata
delete_zeek

20
salt/common/tools/sbin/so-pcap-restart Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart steno $1

20
salt/common/tools/sbin/so-pcap-start Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start steno $1

20
salt/common/tools/sbin/so-pcap-stop Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop steno $1

20
salt/common/tools/sbin/so-playbook-restart Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart playbook $1

21
salt/common/tools/sbin/so-playbook-ruleupdate Normal file → Executable file
View File

@@ -1 +1,20 @@
sudo docker exec so-soctopus python3 playbook_bulk-update.py #!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
docker exec so-soctopus python3 playbook_bulk-update.py

20
salt/common/tools/sbin/so-playbook-start Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start playbook $1

20
salt/common/tools/sbin/so-playbook-stop Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop playbook $1

21
salt/common/tools/sbin/so-playbook-sync Normal file → Executable file
View File

@@ -1 +1,20 @@
sudo docker exec so-soctopus python3 playbook_play-sync.py #!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
docker exec so-soctopus python3 playbook_play-sync.py

21
salt/common/tools/sbin/so-redis-count Normal file → Executable file
View File

@@ -1 +1,20 @@
sudo docker exec -it so-redis redis-cli llen logstash:unparsed #!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
docker exec -it so-redis redis-cli llen logstash:unparsed

20
salt/common/tools/sbin/so-redis-restart Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart redis $1

20
salt/common/tools/sbin/so-redis-start Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start redis $1

20
salt/common/tools/sbin/so-redis-stop Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop redis $1

37
salt/common/tools/sbin/so-restart Executable file
View File

@@ -0,0 +1,37 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Usage: so-restart filebeat | kibana | playbook | thehive
. /usr/sbin/so-common
echo $banner
printf "Restarting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
echo $banner
if [ "$2" = "--force" ]
then
printf "\nForce-stopping all Salt jobs before proceeding\n\n"
salt-call saltutil.kill_all_jobs
fi
case $1 in
"cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
"steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
"auth") docker stop so-auth-api; docker stop so-auth-ui; salt-call state.apply auth queue=True;;
*) docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
esac

0
salt/common/tools/sbin/so-rule-update Normal file → Executable file
View File

25
salt/common/tools/sbin/so-salt-start Executable file
View File

@@ -0,0 +1,25 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
echo $banner
printf "Starting local Salt Minion...\n"
echo $banner
service salt-minion start
service salt-minion status

25
salt/common/tools/sbin/so-salt-stop Executable file
View File

@@ -0,0 +1,25 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
echo $banner
printf "Stopping local Salt Minion...\n"
echo $banner
service salt-minion stop
service salt-minion status

20
salt/common/tools/sbin/so-soctopus-restart Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart soctopus $1

20
salt/common/tools/sbin/so-soctopus-start Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start soctopus $1

20
salt/common/tools/sbin/so-soctopus-stop Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop soctopus $1

48
salt/common/tools/sbin/so-start Normal file → Executable file
View File

@@ -1 +1,47 @@
sudo salt-call state.highstate #!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Usage: so-start all | filebeat | kibana | playbook | thehive
. /usr/sbin/so-common
echo $banner
printf "Starting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
echo $banner
if [ "$2" = "--force" ]
then
printf "\nForce-stopping all Salt jobs before proceeding\n\n"
salt-call saltutil.kill_all_jobs
fi
case $1 in
"all") salt-call state.highstate queue=True;;
"steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;;
"auth")
if docker ps | grep -q so-auth-api; then
if docker ps | grep -q so-auth-ui; then
printf "\n$1 is already running!\n\n"
else
docker rm so-auth-api >/dev/null 2>&1; docker rm so-auth-ui >/dev/null 2>&1; salt-call state.apply $1 queue=True
fi
else
docker rm so-auth-api >/dev/null 2>&1; docker rm so-auth-ui >/dev/null 2>&1; salt-call state.apply $1 queue=True
fi
;;
*) if docker ps | grep -q so-$1; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;;
esac

206
salt/common/tools/sbin/so-status Executable file
View File

@@ -0,0 +1,206 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set pillar_suffix = ':containers' -%}
{%- if (salt['grains.get']('role') == 'so-mastersearch') -%}
{%- set pillar_val = 'master_search' -%}
{%- elif (salt['grains.get']('role') == 'so-master') -%}
{%- set pillar_val = 'master' -%}
{%- elif (salt['grains.get']('role') == 'so-heavynode') -%}
{%- set pillar_val = 'heavy_node' -%}
{%- elif (salt['grains.get']('role') == 'so-sensor') -%}
{%- set pillar_val = 'sensor' -%}
{%- elif (salt['grains.get']('role') == 'so-eval') -%}
{%- set pillar_val = 'eval' -%}
{%- elif (salt['grains.get']('role') == 'so-helix') -%}
{%- set pillar_val = 'helix' -%}
{%- elif (salt['grains.get']('role') == 'so-node') -%}
{%- if (salt['pillar.get']('node:node_type') == 'parser') -%}
{%- set pillar_val = 'parser_node' -%}
{%- elif (salt['pillar.get']('node:node_type') == 'hot') -%}
{%- set pillar_val = 'hot_node' -%}
{%- elif (salt['pillar.get']('node:node_type') == 'warm') -%}
{%- set pillar_val = 'warm_node' -%}
{%- elif (salt['pillar.get']('node:node_type') == 'search') -%}
{%- set pillar_val = 'search_node' -%}
{%- endif -%}
{%- endif -%}
{%- set pillar_name = pillar_val ~ pillar_suffix -%}
{%- set container_list = salt['pillar.get'](pillar_name) %}
if ! [ "$(id -u)" = 0 ]; then
echo "This command must be run as root"
exit 1
fi
# Constants
ERROR_STRING="ERROR"
SUCCESS_STRING="OK"
PENDING_STRING="PENDING"
MISSING_STRING='MISSING'
declare -a BAD_STATUSES=("removing" "paused" "exited" "dead")
declare -a PENDING_STATUSES=("paused" "created" "restarting")
declare -a GOOD_STATUSES=("running")
declare -a temp_container_name_list=()
declare -a temp_container_state_list=()
declare -a container_name_list=()
declare -a container_state_list=()
declare -a expected_container_list=()
# {% raw %}
compare_lists() {
local found=0
create_expected_container_list
if [[ ${#expected_container_list[@]} = 0 ]]; then
container_name_list="${temp_container_name_list[*]}"
container_state_list="${temp_container_state_list[*]}"
return 1
fi
for intended_item in "${expected_container_list[@]}"; do
found=0
for i in "${!temp_container_name_list[@]}"; do
[[ ${temp_container_name_list[$i]} = "$intended_item" ]] \
&& found=1 \
&& container_name_list+=("${temp_container_name_list[$i]}") \
&& container_state_list+=("${temp_container_state_list[$i]}") \
&& break
done
if [[ $found = 0 ]]; then
container_name_list+=("$intended_item")
container_state_list+=("missing")
fi
done
}
# {% endraw %}
create_expected_container_list() {
{% for item in container_list%}
expected_container_list+=("{{ item }}")
{% endfor %}
}
populate_container_lists() {
systemctl is-active --quiet docker
if [[ $? = 0 ]]; then
mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/containers/json?all=1 \
| jq -c '.[] | { Name: .Names[0], State: .State }' \
| tr -d '/{"}')
else
exit 1
fi
local container_name=""
local container_state=""
for line in "${docker_raw_list[@]}"; do
container_name="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\1/' )" # Get value in the first search group (container names)
container_state="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\2/' )" # Get value in the second search group (container states)
temp_container_name_list+=( "${container_name}" )
temp_container_state_list+=( "${container_state}" )
done
compare_lists
}
parse_status() {
local container_state=${1}
[[ $container_state = "missing" ]] && printf $MISSING_STRING && return 1
for state in "${GOOD_STATUSES[@]}"; do
[[ $container_state = "$state" ]] && printf $SUCCESS_STRING && return 0
done
for state in "${PENDING_STATUSES[@]}"; do
[[ $container_state = "$state" ]] && printf $PENDING_STRING && return 0
done
# This is technically not needed since the default is error state
for state in "${BAD_STATUSES[@]}"; do
[[ $container_state = "$state" ]] && printf $ERROR_STRING && return 1
done
printf $ERROR_STRING && return 1
}
# {% raw %}
print_line() {
local service_name=${1}
local service_state="$( parse_status ${2} )"
local columns=$(tput cols)
local state_color="\e[0m"
local PADDING_CONSTANT=14
if [[ $service_state = "$ERROR_STRING" ]] || [[ $service_state = "$MISSING_STRING" ]]; then
state_color="\e[1;31m"
elif [[ $service_state = "$SUCCESS_STRING" ]]; then
state_color="\e[1;32m"
elif [[ $service_state = "$PENDING_STRING" ]]; then
state_color="\e[1;33m"
fi
printf " $service_name "
for i in $(seq 0 $(( $columns - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do
printf "-"
done
printf " [ "
printf "${state_color}%b\e[0m" "$service_state"
printf "%s \n" " ]"
}
main() {
local focus_color="\e[1;34m"
printf "\n"
printf "${focus_color}%b\e[0m" "Checking Docker status\n\n"
systemctl is-active --quiet docker
if [[ $? = 0 ]]; then
print_line "Docker" "running"
else
print_line "Docker" "exited"
fi
populate_container_lists
printf "\n"
printf "${focus_color}%b\e[0m" "Checking container statuses\n\n"
local num_containers=${#container_name_list[@]}
for i in $(seq 0 $(($num_containers - 1 ))); do
print_line ${container_name_list[$i]} ${container_state_list[$i]}
done
printf "\n"
}
# {% endraw %}
main

30
salt/common/tools/sbin/so-stop Executable file
View File

@@ -0,0 +1,30 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Usage: so-stop filebeat | kibana | playbook | thehive
. /usr/sbin/so-common
echo $banner
printf "Stopping $1...\n"
echo $banner
case $1 in
"auth") docker stop so-auth-api; docker rm so-auth-api; docker stop so-auth-ui; docker rm so-auth-ui ;;
*) docker stop so-$1 ; docker rm so-$1 ;;
esac

31
salt/common/tools/sbin/so-suricata-restart Normal file → Executable file
View File

@@ -1,17 +1,20 @@
#!/bin/bash #!/bin/bash
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# #
# This program is distributed in the hope that it will be useful, # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # This program is free software: you can redistribute it and/or modify
# along with this program. If not, see <http://www.gnu.org/licenses/>. # it under the terms of the GNU General Public License as published by
docker stop so-suricata && sudo docker rm so-suricata && salt-call state.apply suricata # the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart suricata $1

31
salt/common/tools/sbin/so-suricata-start Normal file → Executable file
View File

@@ -1,17 +1,20 @@
#!/bin/bash #!/bin/bash
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# #
# This program is distributed in the hope that it will be useful, # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # This program is free software: you can redistribute it and/or modify
# along with this program. If not, see <http://www.gnu.org/licenses/>. # it under the terms of the GNU General Public License as published by
docker rm so-suricata && salt-call state.apply suricata # the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start suricata $1

Some files were not shown because too many files have changed in this diff Show More