Fix annotations and defaults for logstash

This commit is contained in:
Mike Reeves
2023-05-03 13:37:06 -04:00
53 changed files with 2527 additions and 1080 deletions


@@ -119,6 +119,7 @@
'soc',
'kratos',
'elasticfleet',
'elastic-fleet-package-registry',
'firewall',
'idstools',
'suricata.manager',
@@ -137,6 +138,7 @@
'influxdb',
'soc',
'kratos',
'elastic-fleet-package-registry',
'elasticfleet',
'firewall',
'manager',
@@ -166,6 +168,7 @@
'influxdb',
'soc',
'kratos',
'elastic-fleet-package-registry',
'elasticfleet',
'firewall',
'idstools',
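Review bot: The new `'elastic-fleet-package-registry'` entry sits after `'elasticfleet'` in the first hunk but before it in the other two, so the three lists no longer agree on relative order. If these lists drive the order in which states are applied (they read like per-role state lists, though that is inferred), the registry should take the same position relative to `elasticfleet` everywhere, and since the fleet setup script in this commit posts the registry URL to Kibana, it arguably belongs before `elasticfleet` in all three. A one-line comment such as `# registry must be up before elasticfleet setup registers it` (or the converse, if the order is intentional) would record the decision.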


@@ -38,6 +38,7 @@ container_list() {
"so-zeek"
"so-elastic-agent"
"so-elastic-agent-builder"
"so-elastic-fleet-package-registry"
)
elif [ $MANAGERCHECK != 'so-helix' ]; then
TRUSTED_CONTAINERS=(
@@ -45,6 +46,7 @@ container_list() {
"so-elastalert"
"so-elastic-agent"
"so-elastic-agent-builder"
"so-elastic-fleet-package-registry"
"so-elasticsearch"
"so-idh"
"so-idstools"


@@ -54,6 +54,7 @@ docker:
port_bindings:
- 80:80
- 443:443
- 8443:8443
'so-playbook':
final_octet: 32
port_bindings:
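Review bot: The new `- 8443:8443` binding publishes another host port, but nothing visible in this commit shows a firewall port group or role rule that covers 8443; the rewritten salt/firewall/defaults.yaml is suppressed in this view, so confirm it carries a matching `tcp: - 8443` entry and that the hostgroups allowed to reach it are the intended ones, otherwise the host iptables rules either silently block the port or, if the DOCKER-USER chain passes it, expose it more widely than the 80/443 bindings above it. A short comment above the binding naming the consumer, e.g. `# 8443: <service placeholder> — gated by firewall portgroup <name placeholder>`, would make the coupling explicit. The enclosing container definition starts above the hunk.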


@@ -0,0 +1,11 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
fleetartifactdir:
file.directory:
- name: /nsm/elastic-fleet/artifacts
- user: 947
- group: 939
- makedirs: True
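Review bot: `fleetartifactdir` sets `user` and `group` but no mode, so the permissions of /nsm/elastic-fleet/artifacts — and of any parents `makedirs` creates — fall back to the minion's umask and can differ between installs. Add an explicit `- mode: 755` (or tighter, if only the registry container needs to read it) so the directory that holds the agent installers has a deliberate, reviewable permission set. A one-line comment stating what writes into and reads from this directory (the build script and the artifact registry container appear to be the consumers, but that is inferred from the other hunks) would also help.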


@@ -17,18 +17,39 @@ FLEETHOST="{{ GLOBALS.manager_ip }}"
#FLEETHOST=$1
#ENROLLMENTOKEN=$2
CONTAINERGOOS=( "linux" "darwin" "windows" )
TARGETOS=( "linux" "darwin" "windows" )
#rm -rf /tmp/elastic-agent-workspace
#mkdir -p /tmp/elastic-agent-workspace
printf "\n### Get rid of any previous runs\n"
rm -rf /tmp/elastic-agent-workspace
mkdir -p /tmp/elastic-agent-workspace
for OS in "${CONTAINERGOOS[@]}"
printf "\n### Extract outer tarball and then each individual tarball/zip\n"
tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-{{ GLOBALS.so_version }}.tar.gz -C /tmp/elastic-agent-workspace/
unzip /tmp/elastic-agent-workspace/elastic-agent-*.zip -d /tmp/elastic-agent-workspace/
for archive in /tmp/elastic-agent-workspace/*.tar.gz
do
tar xf "$archive" -C /tmp/elastic-agent-workspace/
done
printf "\n### Strip out unused components"
find /tmp/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -regex '.*fleet.*\|.*packet.*\|.*apm*.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete
printf "\n### Tar everything up again"
for OS in "${TARGETOS[@]}"
do
rm -rf /tmp/elastic-agent-workspace/elastic-agent
mv /tmp/elastic-agent-workspace/elastic-agent-*-$OS-x86_64 /tmp/elastic-agent-workspace/elastic-agent
tar -czvf /tmp/elastic-agent-workspace/$OS.tar.gz -C /tmp/elastic-agent-workspace elastic-agent
done
printf "\n### Generate OS packages using the cleaned up tarballs"
for OS in "${TARGETOS[@]}"
do
printf "\n\nGenerating $OS Installer..."
#cp /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz
printf "\n\n### Generating $OS Installer...\n"
docker run -e CGO_ENABLED=0 -e GOOS=$OS \
--mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \
--mount type=bind,source=/tmp/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \
--mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \
{{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_$OS
printf "\n $OS Installer Generated..."
printf "\n### $OS Installer Generated...\n"
done
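Review bot: The workspace is a fixed, predictable path in the world-writable /tmp — `rm -rf /tmp/elastic-agent-workspace` followed by `mkdir -p /tmp/elastic-agent-workspace` — and `mkdir -p` succeeds when the path already exists, so anything placed there between the two commands (including a symlink to another directory) becomes the extraction target, the `--mount source=` for the builder container and the location the rebuilt tarballs are written, presumably as root; create it with `WORKSPACE=$(mktemp -d)` plus `trap 'rm -rf -- "$WORKSPACE"' EXIT` (or use a fixed directory under a root-owned tree such as /nsm/elastic-fleet) and substitute `"$WORKSPACE"` in every later path, including the mount arguments. The `find -regex` alternative `.*apm*.*` is looser than intended, since `m*` matches zero or more `m` and the pattern therefore deletes any component path containing `ap`; write `.*apm.*`. `$OS` comes from a literal array so the unquoted uses are harmless today, but `printf "\n\n### Generating $OS Installer...\n"` still interpolates a variable into the format string; `printf '\n\n### Generating %s Installer...\n' "$OS"` is the conventional form. The script's header (FLEETHOST, ENROLLMENTOKEN) starts above the hunk.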


@@ -62,6 +62,15 @@ elastic_fleet_policy_create "so-grid-nodes" "SO Grid Node Policy" "false"
# Load Integrations for default policies
so-elastic-fleet-integration-policy-load
# Set Elastic Agent Artifact Registry URL
JSON_STRING=$( jq -n \
--arg NAME "FleetServer_{{ GLOBALS.hostname }}" \
--arg URL "http://{{ GLOBALS.url_base }}/artifacts/" \
'{"name":$NAME,"host":$URL,"is_default":true}'
)
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_download_sources" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
### Finalization ###
# Query for Enrollment Tokens for default policies
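Review bot: The artifact download source is registered with a plain `http://{{ GLOBALS.url_base }}/artifacts/` URL and the result of the `curl … -X POST … agent_download_sources` call is never checked, so a failed registration goes unnoticed and, if the grid's nginx already serves that path over TLS, agents will fetch their upgrade binaries in cleartext; confirm what /artifacts/ is actually served on, prefer `https://` where available, and add `--fail --silent --show-error` (or capture and inspect the response) so the setup step fails loudly. The POST also runs unconditionally, so re-running the setup presumably creates a second `FleetServer_<hostname>` download source instead of updating the first; a `GET localhost:5601/api/fleet/agent_download_sources` lookup before the POST would make the step idempotent. The surrounding setup script continues outside the hunk.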


@@ -1,607 +0,0 @@
{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
{% import_yaml 'firewall/ports/ports.yaml' as portgroups %}
{% set portgroups = portgroups.firewall.ports %}
{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
role:
eval:
chain:
DOCKER-USER:
hostgroups:
eval:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
syslog:
portgroups:
- {{ portgroups.syslog }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
fleet:
chain:
DOCKER-USER:
hostgroups:
sensors:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
standalone:
portgroups:
- {{ portgroups.salt_manager }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
manager:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.docker_registry }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
{% if ISAIRGAP is sameas true %}
- {{ portgroups.agrules }}
{% endif %}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
self:
portgroups:
- {{ portgroups.syslog}}
syslog:
portgroups:
- {{ portgroups.syslog }}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
endgame:
portgroups:
- {{ portgroups.endgame }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
managersearch:
chain:
DOCKER-USER:
hostgroups:
managersearch:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.docker_registry }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
endgame:
portgroups:
- {{ portgroups.endgame }}
syslog:
portgroups:
- {{ portgroups.syslog }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
standalone:
chain:
DOCKER-USER:
hostgroups:
localhost:
portgroups:
- {{ portgroups.all }}
standalone:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.docker_registry }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.beats_5056 }}
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
- {{ portgroups.endgame }}
- {{ portgroups.strelka_frontend }}
fleet:
portgroups:
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.beats_5056 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
sensors:
portgroups:
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.beats_5056 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
searchnodes:
portgroups:
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
heavynodes:
portgroups:
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
endgame:
portgroups:
- {{ portgroups.endgame }}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
syslog:
portgroups:
- {{ portgroups.syslog }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
fleet:
portgroups:
- {{ portgroups.salt_manager }}
localhost:
portgroups:
- {{ portgroups.all }}
standalone:
portgroups:
- {{ portgroups.salt_manager }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
searchnode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
dockernet:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
searchnodes:
portgroups:
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
sensor:
chain:
DOCKER-USER:
hostgroups:
self:
portgroups:
- {{ portgroups.syslog}}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
heavynode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
dockernet:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
self:
portgroups:
- {{ portgroups.syslog}}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
import:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elastic_agent_control }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
receiver:
chain:
DOCKER-USER:
hostgroups:
sensors:
portgroups:
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.beats_5644 }}
self:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.syslog}}
- {{ portgroups.beats_5644 }}
syslog:
portgroups:
- {{ portgroups.syslog }}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
endgame:
portgroups:
- {{ portgroups.endgame }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
idh:
chain:
INPUT:
hostgroups:
anywhere:
portgroups:
{% for service in IDH_PORTGROUPS.keys() %}
{% if service != 'openssh' %}
- {{ IDH_PORTGROUPS[service] }}
{% endif %}
{% endfor %}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
manager:
portgroups:
- {{ IDH_PORTGROUPS.openssh }}
standalone:
portgroups:
- {{ IDH_PORTGROUPS.openssh }}

salt/firewall/defaults.yaml Normal file



@@ -1 +0,0 @@
0.0.0.0/0


@@ -1,2 +0,0 @@
{% from 'docker/docker.map.jinja' import DOCKER -%}
{{ DOCKER.sorange }}


@@ -1 +0,0 @@
127.0.0.1


@@ -1,2 +0,0 @@
{% from 'vars/globals.map.jinja' import GLOBALS -%}
{{ GLOBALS.node_ip }}


@@ -1,7 +1,9 @@
{% from 'docker/docker.map.jinja' import DOCKER -%}
{% from 'firewall/containers.map.jinja' import NODE_CONTAINERS -%}
{% from 'firewall/map.jinja' import hostgroups with context -%}
{% from 'firewall/map.jinja' import assigned_hostgroups with context -%}
{%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'docker/docker.map.jinja' import DOCKER %}
{%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
{%- set role = GLOBALS.role.split('-')[1] %}
{%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
{%- set PR = [] %}
{%- set D1 = [] %}
{%- set D2 = [] %}
@@ -70,24 +72,18 @@ COMMIT
:DOCKER-USER - [0:0]
:LOGGING - [0:0]
{%- set count = namespace(value=0) %}
{%- for chain, hg in assigned_hostgroups.chain.items() %}
{%- for hostgroup, portgroups in assigned_hostgroups.chain[chain].hostgroups.items() %}
{%- for action in ['insert', 'delete' ] %}
{%- if hostgroups[hostgroup].ips[action] %}
{%- for ip in hostgroups[hostgroup].ips[action] %}
{%- for portgroup in portgroups.portgroups %}
{%- for proto, ports in portgroup.items() %}
{%- for port in ports %}
{%- set count.value = count.value + 1 %}
-A {{chain}} -s {{ip}} -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- endif %}
{%- endfor %}
{%- endfor %}
{%- for chn, hostgroups in FIREWALL_MERGED.role[role].chain.items() %}
{%- for hostgroup, portgroups in hostgroups['hostgroups'].items() %}
{%- for ip in FIREWALL_MERGED.hostgroups[hostgroup] %}
{%- for groupname in portgroups['portgroups'] %}
{%- for proto, ports in FIREWALL_MERGED['portgroups'][groupname].items() %}
{%- for port in ports %}
-A {{chn}} -s {{ip}} -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- endfor %}
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
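Review bot: `{{ip}}` and `{{port}}` are written straight from `FIREWALL_MERGED` into the `-A {{chn}} -s {{ip}} -p {{proto}} …` rule with no check that they are non-empty, and the `regex:` that guards hostgroup entries in the new annotations file (`^(…)?$`) accepts an empty string, so one blank list entry would likely render `-s  -p tcp` and make iptables-restore reject the whole ruleset; filter in the loop, `{%- for ip in FIREWALL_MERGED.hostgroups[hostgroup] if ip %}`, and consider the same guard for ports. The loop also binds the name `hostgroups` to each chain's definition (`for chn, hostgroups in …chain.items()`) and then indexes `hostgroups['hostgroups']`, which reads oddly; `for chn, chain_def in …` would be clearer. `FIREWALL_MERGED.hostgroups[hostgroup]` raises when a role names a hostgroup that has no entry, which may be the intended fail-fast but deserves a comment, since a render failure leaves the previous ruleset in place. The template continues above and below the hunk.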


@@ -1,62 +1,21 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% set role = grains.id.split('_') | last %}
{% set translated_pillar_assigned_hostgroups = {} %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %}
{% set default_portgroups = default_portgroups.firewall.ports %}
{% import_yaml 'firewall/ports/ports.local.yaml' as local_portgroups %}
{% if local_portgroups.firewall.ports %}
{% set local_portgroups = local_portgroups.firewall.ports %}
{% else %}
{% set local_portgroups = {} %}
{% endif %}
{% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %}
{% set defined_portgroups = portgroups %}
{# add our ip to self #}
{% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
{# add dockernet range #}
{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.sorange) %}
{% if GLOBALS.role == 'so-idh' %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
{% do salt['defaults.merge'](defined_portgroups, IDH_PORTGROUPS, in_place=True) %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
{% do salt['defaults.merge'](FIREWALL_DEFAULT.firewall.portgroups, IDH_PORTGROUPS, in_place=True) %}
{% for pg in IDH_PORTGROUPS.keys() %}
{# idh service ports start with _idh. this prevents adding openssh to allow from anywhere #}
{% if pg.split('_')[0] == 'idh' %}
{% do FIREWALL_DEFAULT.firewall.role.idh.chain.INPUT.hostgroups.anywhere.portgroups.append(pg) %}
{% endif %}
{% endfor %}
{% endif %}
{% set local_hostgroups = {'firewall': {'hostgroups': {}}} %}
{% set hostgroup_list = salt['cp.list_master'](prefix='firewall/hostgroups') %}
{% for hg in hostgroup_list %}
{% import_text hg as hg_ips %}
{% do local_hostgroups.firewall.hostgroups.update({hg.split('/')[2]: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %}
{% endfor %}
{% set hostgroups = local_hostgroups.firewall.hostgroups %}
{# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}
{% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %}
{% set translated_pillar_assigned_hostgroups = {'chain': {}} %}
{% for chain, hg in salt['pillar.get']('firewall:assigned_hostgroups:chain').items() %}
{% for pillar_hostgroup, pillar_portgroups in salt['pillar.get']('firewall:assigned_hostgroups:chain')[chain].hostgroups.items() %}
{% if translated_pillar_assigned_hostgroups.chain[chain] is defined %}
{% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups.update({pillar_hostgroup: {"portgroups": []}}) %}
{% else %}
{% do translated_pillar_assigned_hostgroups.chain.update({chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}) %}
{% endif %}
{% for pillar_portgroup in pillar_portgroups.portgroups %}
{% set pillar_portgroup = pillar_portgroup.split('.') | last %}
{% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups[pillar_hostgroup].portgroups.append(defined_portgroups[pillar_portgroup]) %}
{% endfor %}
{% endfor %}
{% endfor %}
{% endif %}
{% import_yaml 'firewall/assigned_hostgroups.map.yaml' as default_assigned_hostgroups %}
{% import_yaml 'firewall/assigned_hostgroups.local.map.yaml' as local_assigned_hostgroups %}
{% if local_assigned_hostgroups.role.get(role, False) %}
{% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups.role[role], default_assigned_hostgroups.role[role], merge_lists=False, in_place=False) %}
{% else %}
{% set assigned_hostgroups = default_assigned_hostgroups.role[role] %}
{% endif %}
{% if translated_pillar_assigned_hostgroups %}
{% do salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, merge_lists=True, in_place=True) %}
{% endif %}
{% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}
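Review bot: `FIREWALL_MERGED` is built with `salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True)`, and that merge replaces lists rather than combining them unless `merge_nested_lists=True` is passed, so if the pillar carries `firewall:hostgroups:self` or `firewall:hostgroups:dockernet` — even as an empty list — the node IP and docker range appended to the defaults above (`do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip)`) are dropped from the rendered ruleset and the node loses its own access. The new annotations mark those two hostgroups read-only, which lowers the risk from the UI but not from pillar written by other paths; either pass `merge_nested_lists=True` or append the two values to `FIREWALL_MERGED` after the merge. The comment on the IDH loop reads `idh service ports start with _idh` while the code tests `pg.split('_')[0] == 'idh'`, i.e. a leading `idh_`; reword it to `{# idh service portgroup names start with idh_; this keeps openssh out of the allow-from-anywhere list #}`.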


@@ -1,81 +0,0 @@
firewall:
ports:
all:
tcp:
- '0:65535'
udp:
- '0:65535'
agrules:
tcp:
- 7788
beats_5044:
tcp:
- 5044
beats_5644:
tcp:
- 5644
beats_5066:
tcp:
- 5066
beats_5056:
tcp:
- 5056
docker_registry:
tcp:
- 5000
elasticsearch_node:
tcp:
- 9300
elasticsearch_rest:
tcp:
- 9200
elastic_agent_control:
tcp:
- 8220
elastic_agent_data:
tcp:
- 5055
endgame:
tcp:
- 3765
influxdb:
tcp:
- 8086
kibana:
tcp:
- 5601
mysql:
tcp:
- 3306
nginx:
tcp:
- 80
- 443
playbook:
tcp:
- 3000
redis:
tcp:
- 6379
- 9696
salt_manager:
tcp:
- 4505
- 4506
sensoroni:
tcp:
- 443
ssh:
tcp:
- 22
strelka_frontend:
tcp:
- 57314
syslog:
tcp:
- 514
udp:
- 514
yum:
tcp:
- 443


@@ -1,136 +0,0 @@
firewall:
custom_groups:
groups:
description: List of group names to create.
multiline: True
forcedType: "[]string"
global: True
title: Custom Firewall Groups
helpLink: firewall.html#host-groups
hostgroups:
analyst_workstations:
description: List of IP addresses or CIDR blocks to allow analyst workstations.
file: True
global: True
title: Analyst Workstations
helpLink: firewall.html#host-groups
analyst:
description: List of IP addresses or CIDR blocks to allow analyst connections.
file: True
global: True
title: Analyst
helpLink: firewall.html#host-groups
beats_endpoint:
description: List of IP addresses or CIDR blocks of standard beats without encryption.
file: True
global: True
title: Beats Endpoints
helpLink: firewall.html#host-groups
beats_endpoint_ssl:
description: List of IP addresses or CIDR blocks of standard beats with encryption.
file: True
global: True
title: Beats Endpoints SSL
helpLink: firewall.html#host-groups
elastic_agent_endpoint:
description: List of IP addresses or CIDR blocks for Elastic Agent connections.
file: True
global: True
title: Elastic Agents
helpLink: firewall.html#host-groups
elasticsearch_rest:
description: List of IP addresses or CIDR blocks to allow access directly to Elasticsearch.
file: True
global: True
title: Elasticsearch Rest
advanced: True
helpLink: firewall.html#host-groups
endgame:
description: List of IP addresses or CIDR blocks to allow Endgame access.
file: True
global: True
title: Endgame
advanced: True
helpLink: firewall.html#host-groups
strelka_frontend:
description: List of IP addresses or CIDR blocks to allow access to the Strelka front end.
file: True
global: True
title: Strelka Frontend
advanced: True
helpLink: firewall.html#host-groups
syslog:
description: List of IP addresses or CIDR blocks to allow syslog.
file: True
global: True
title: Syslog Endpoint Traffic
helpLink: firewall.html#host-groups
standalone:
description: List of IP addresses or CIDR blocks to allow standalone connections.
file: True
global: True
title: Standalone
advanced: True
helpLink: firewall.html#host-groups
eval:
description: List of IP addresses or CIDR blocks to allow eval connections.
file: True
global: True
title: Eval
advanced: True
helpLink: firewall.html#host-groups
idh:
description: List of IP addresses or CIDR blocks to allow idh connections.
file: True
global: True
title: IDH Nodes
helpLink: firewall.html#host-groups
manager:
description: List of IP addresses or CIDR blocks to allow manager connections.
file: True
global: True
title: Manager
advanced: True
helpLink: firewall.html#host-groups
heavynodes:
description: List of IP addresses or CIDR blocks to allow heavynode connections.
file: True
global: True
title: Heavy Nodes
helpLink: firewall.html#host-groups
searchnodes:
description: List of IP addresses or CIDR blocks to allow searchnode connections.
file: True
global: True
title: Search Nodes
helpLink: firewall.html#host-groups
sensors:
description: List of IP addresses or CIDR blocks to allow Sensor connections.
file: True
global: True
title: Sensors
helpLink: firewall.html#host-groups
receivers:
description: List of IP addresses or CIDR blocks to allow receiver connections.
file: True
global: True
title: Receivers
helpLink: firewall.html#host-groups
portgroups:
portgroups__yaml:
description: Port Groups
file: True
global: True
advanced: True
title: Port Groups
syntax: yaml
helpLink: firewall.html#function
ports:
ports__yaml:
description: Ports in YAML.
file: True
global: True
advanced: True
title: Ports
syntax: yaml
helpLink: firewall.html#port-groups


@@ -1,5 +0,0 @@
soc_firewall_yaml:
file.managed:
- name: /opt/so/saltstack/default/salt/firewall/soc_firewall.yaml
- source: salt://firewall/soc/soc_firewall.yaml.jinja
- template: jinja


@@ -1,9 +0,0 @@
{% import_yaml 'firewall/soc/defaults_soc_firewall.yaml' as DEFAULT_SOC_FIREWALL %}
{% set PILLAR_SOC_FIREWALL_GROUPS = salt['pillar.get']('firewall:custom_groups:groups', {}) %}
{% set SOC_FIREWALL = DEFAULT_SOC_FIREWALL %}
{% for group in PILLAR_SOC_FIREWALL_GROUPS %}
{% set description = 'List of IP addresses or CIDR blocks to allow for ' ~ group ~ ' hostgroup.' %}
{% set title = group[0]|upper ~ group[1:] %}
{% do SOC_FIREWALL.firewall.hostgroups.update({group:{'description': description, 'file': 'True', 'global': 'True', 'title': title, 'helpLink': 'firewall.html#host-groups'}}) %}
{% endfor %}


@@ -1,2 +0,0 @@
{% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL -%}
{{ SOC_FIREWALL | yaml(False) }}


@@ -0,0 +1,966 @@
firewall:
hostgroups:
analyst: &hostgroupsettings
description: List of IP or CIDR blocks to allow access to this hostgroup.
forcedType: "[]string"
helplink: firewall.html
multiline: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
anywhere: &hostgroupsettingsadv
description: List of IP or CIDR blocks to allow access to this hostgroup.
forcedType: "[]string"
helplink: firewall.html
multiline: True
advanced: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
beats_endpoint: *hostgroupsettings
beats_endpoint_ssl: *hostgroupsettings
dockernet: &ROhostgroupsettingsadv
description: List of IP or CIDR blocks to allow access to this hostgroup.
forcedType: "[]string"
helplink: firewall.html
multiline: True
advanced: True
readonly: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
elastic_agent_endpoint: *hostgroupsettings
elasticsearch_rest: *hostgroupsettingsadv
endgame: *hostgroupsettingsadv
eval: *hostgroupsettings
fleet: *hostgroupsettings
heavynode: *hostgroupsettings
idh: *hostgroupsettings
import: *hostgroupsettings
localhost: *ROhostgroupsettingsadv
manager: *hostgroupsettings
managersearch: *hostgroupsettings
receiver: *hostgroupsettings
searchnode: *hostgroupsettings
securityonion_desktop: *hostgroupsettings
self: *ROhostgroupsettingsadv
sensor: *hostgroupsettings
standalone: *hostgroupsettings
strelka_frontend: *hostgroupsettings
syslog: *hostgroupsettings
customhostgroup0: &customhostgroupsettings
description: List of IP or CIDR blocks to allow to this hostgroup.
forcedType: "[]string"
helpLink: firewall.html
advanced: True
multiline: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
customhostgroup1: *customhostgroupsettings
customhostgroup2: *customhostgroupsettings
customhostgroup3: *customhostgroupsettings
customhostgroup4: *customhostgroupsettings
customhostgroup5: *customhostgroupsettings
customhostgroup6: *customhostgroupsettings
customhostgroup7: *customhostgroupsettings
customhostgroup8: *customhostgroupsettings
customhostgroup9: *customhostgroupsettings
portgroups:
all:
tcp: &tcpsettings
description: List of TCP ports for this port group.
forcedType: "[]string"
helplink: firewall.html
advanced: True
multiline: True
udp: &udpsettings
description: List of UDP ports for this port group.
forcedType: "[]string"
helplink: firewall.html
advanced: True
multiline: True
agrules:
tcp: *tcpsettings
udp: *udpsettings
beats_5044:
tcp: *tcpsettings
udp: *udpsettings
beats_5644:
tcp: *tcpsettings
udp: *udpsettings
beats_5066:
tcp: *tcpsettings
udp: *udpsettings
beats_5056:
tcp: *tcpsettings
udp: *udpsettings
docker_registry:
tcp: *tcpsettings
udp: *udpsettings
elasticsearch_node:
tcp: *tcpsettings
udp: *udpsettings
elasticsearch_rest:
tcp: *tcpsettings
udp: *udpsettings
elastic_agent_control:
tcp: *tcpsettings
udp: *udpsettings
elastic_agent_data:
tcp: *tcpsettings
udp: *udpsettings
elastic_agent_update:
tcp: *tcpsettings
udp: *udpsettings
endgame:
tcp: *tcpsettings
udp: *udpsettings
influxdb:
tcp: *tcpsettings
udp: *udpsettings
kibana:
tcp: *tcpsettings
udp: *udpsettings
mysql:
tcp: *tcpsettings
udp: *udpsettings
nginx:
tcp: *tcpsettings
udp: *udpsettings
playbook:
tcp: *tcpsettings
udp: *udpsettings
redis:
tcp: *tcpsettings
udp: *udpsettings
salt_manager:
tcp: *tcpsettings
udp: *udpsettings
sensoroni:
tcp: *tcpsettings
udp: *udpsettings
ssh:
tcp: *tcpsettings
udp: *udpsettings
strelka_frontend:
tcp: *tcpsettings
udp: *udpsettings
syslog:
tcp: *tcpsettings
udp: *udpsettings
yum:
tcp: *tcpsettings
udp: *udpsettings
customportgroup0:
tcp: *tcpsettings
udp: *udpsettings
customportgroup1:
tcp: *tcpsettings
udp: *udpsettings
customportgroup2:
tcp: *tcpsettings
udp: *udpsettings
customportgroup3:
tcp: *tcpsettings
udp: *udpsettings
customportgroup4:
tcp: *tcpsettings
udp: *udpsettings
customportgroup5:
tcp: *tcpsettings
udp: *udpsettings
customportgroup6:
tcp: *tcpsettings
udp: *udpsettings
customportgroup7:
tcp: *tcpsettings
udp: *udpsettings
customportgroup8:
tcp: *tcpsettings
udp: *udpsettings
customportgroup9:
tcp: *tcpsettings
udp: *udpsettings
role:
eval:
chain:
DOCKER-USER:
hostgroups:
eval:
portgroups: &portgroupsdocker
description: Portgroups to add access to the docker containers for this role.
advanced: True
multiline: True
helpLink: firewall.html
sensor:
portgroups: *portgroupsdocker
searchnode:
portgroups: *portgroupsdocker
heavynode:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
strelka_frontend:
portgroups: *portgroupsdocker
syslog:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: &portgroupshost
description: Portgroups to add access to the host.
advanced: True
multiline: True
helpLink: firewall.html
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
fleet:
chain:
DOCKER-USER:
hostgroups:
sensor:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupsdocker
standalone:
portgroups: *portgroupshost
sensor:
portgroups: *portgroupshost
searchnode:
portgroups: *portgroupshost
heavynode:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
manager:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups: *portgroupsdocker
sensor:
portgroups: *portgroupsdocker
searchnode:
portgroups: *portgroupsdocker
heavynode:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
syslog:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
endgame:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
sensor:
portgroups: *portgroupshost
searchnode:
portgroups: *portgroupshost
heavynode:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
managersearch:
chain:
DOCKER-USER:
hostgroups:
managersearch:
portgroups: *portgroupsdocker
sensor:
portgroups: *portgroupsdocker
searchnode:
portgroups: *portgroupsdocker
heavynode:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
endgame:
portgroups: *portgroupsdocker
syslog:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
sensor:
portgroups: *portgroupshost
searchnode:
portgroups: *portgroupshost
heavynode:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
standalone:
chain:
DOCKER-USER:
hostgroups:
localhost:
portgroups: *portgroupsdocker
standalone:
portgroups: *portgroupsdocker
fleet:
portgroups: *portgroupsdocker
sensor:
portgroups: *portgroupsdocker
searchnode:
portgroups: *portgroupsdocker
heavynode:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
endgame:
portgroups: *portgroupsdocker
strelka_frontend:
portgroups: *portgroupsdocker
syslog:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
fleet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
standalone:
portgroups: *portgroupshost
sensor:
portgroups: *portgroupshost
searchnode:
portgroups: *portgroupshost
heavynode:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
searchnode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups: *portgroupsdocker
dockernet:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
searchnode:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
sensor:
chain:
DOCKER-USER:
hostgroups:
self:
portgroups: *portgroupsdocker
strelka_frontend:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
heavynode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups: *portgroupsdocker
dockernet:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
strelka_frontend:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
import:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups: *portgroupsdocker
sensor:
portgroups: *portgroupsdocker
searchnode:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
receiver:
chain:
DOCKER-USER:
hostgroups:
sensor:
portgroups: *portgroupsdocker
searchnode:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
syslog:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
endgame:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
idh:
chain:
DOCKER-USER:
hostgroups:
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
manager:
portgroups: *portgroupshost
managersearch:
portgroups: *portgroupshost
standalone:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
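Review bot: The anchors `&hostgroupsettings`, `&hostgroupsettingsadv`, `&ROhostgroupsettingsadv`, `&tcpsettings` and `&udpsettings` spell the key `helplink`, while `&customhostgroupsettings`, `&portgroupsdocker`, `&portgroupshost` and the other annotation files in this commit use `helpLink`; if the SOC looks up the camel-case key, as the rest of the file suggests, every hostgroup and portgroup setting built from those five anchors silently loses its help link, so change them to `helpLink: firewall.html`. Under `role.fleet.chain.INPUT.hostgroups`, `localhost` points at `*portgroupsdocker` while every other INPUT entry uses `*portgroupshost`, so its description will wrongly talk about docker containers. The IP regex shared by all hostgroups accepts octets above 255 and, because of the trailing `?`, an empty entry, and has no IPv6 form; treat it as a UI hint rather than the validation that protects the generated firewall rules, and keep the server-side check in `so-firewall`.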


@@ -1,12 +1,14 @@
idstools:
config:
oinkcode:
description: Enter your registration code for paid rulesets.
description: Enter your registration/oink code for paid NIDS rulesets.
title: registraion code
global: True
helpLink: rules.html
ruleset:
description: Define the ruleset you want to run. Options are ETOPEN or ETPRO.
description: Defines the ruleset you want to run. Options are ETOPEN or ETPRO.
global: True
regex: ETPRO\b|ETOPEN\b
helpLink: rules.html
urls:
description: This is a list of additional rule download locations.
@@ -14,20 +16,28 @@ idstools:
helpLink: rules.html
sids:
disabled:
description: List of SIDS that you want to disable.
description: Contains the list of NIDS rules manually disabled across the grid. To disable a rule, add its signature ID (SID) to the Current Grid Value box, one entry per line. To disable multiple rules, you can use regular expressions.
global: True
multiline: True
forcedType: "[]string"
regex: \d*|re:.*
helpLink: managing-alerts.html
enabled:
description: List of SIDS that are disabled by the rule source that you want to enable.
description: Contains the list of NIDS rules manually enabled across the grid. To enable a rule, add its signature ID (SID) to the Current Grid Value box, one entry per line. To enable multiple rules, you can use regular expressions.
global: True
multiline: True
forcedType: "[]string"
regex: \d*|re:.*
helpLink: managing-alerts.html
modify:
description: List of SIDS that you want to modify.
description: Contains the list of NIDS rules that were modified from their default values. Entries must adhere to the following format - SID "REGEX_SEARCH_TERM" "REGEX_REPLACE_TERM"
global: True
multiline: True
forcedType: "[]string"
helpLink: managing-alerts.html
rules:
local__rules:
description: This is where custom Suricata rules are entered.
description: Contains the list of custom NIDS rules applied to the grid. To add custom NIDS rules to the grid, enter one rule per line in the Current Grid Value box.
file: True
global: True
advanced: True
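Review bot: The new `title: registraion code` under `oinkcode` is misspelled and is the only `title` in the hunk, so it will be shown verbatim in the SOC; use `title: Registration Code`. The `regex: \d*|re:.*` added for `disabled` and `enabled` accepts an empty line and, if the SOC applies it as a full match, any digit string of any length, while the `modify` entry documents a strict `SID "search" "replace"` format but gets no regex at all; consider `regex: ^(\d+|re:.+)$` for the first two and something like `regex: ^\d+\s+".+"\s+".*"$` for `modify` so malformed entries are rejected before they reach the rule processor. Whether the SOC anchors these patterns is not visible here, so confirm that before tightening them.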


@@ -7,6 +7,7 @@
{% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %}
{% do KIBANACONFIG.kibana.config.xpack.fleet.update({'registryUrl': 'http://' ~ GLOBALS.manager_ip ~ ':8080'}) %}
{% if salt['pillar.get']('kibana:secrets') %}
{% do KIBANACONFIG.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey']}}) %}
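Review bot: The added `registryUrl` points Kibana at `http://<manager_ip>:8080` over plain HTTP, so the Fleet package registry — the source of integration packages and their ingest pipelines — is fetched with no transport authentication or integrity protection; unless Kibana's package signature verification is being relied on, anyone able to interpose on the path to that port can feed Kibana modified packages. If the registry container is only meant to be reached by Kibana on the same host, reference its docker-network or loopback address instead of the routable manager IP, or terminate TLS in front of it the way the 443 endpoint already does. Which hostgroups are allowed to reach 8080 is not visible in this hunk, so confirm the firewall defaults restrict it to the manager itself.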


@@ -30,4 +30,6 @@ kibana:
secureCookies: true
reporting:
kibanaServer:
hostname: localhost
hostname: localhost
fleet:
registryUrl: ""


@@ -16,6 +16,7 @@ kratos:
issuer: Security Onion
flows:
settings:
privileged_session_max_age: 5m
ui_url: https://URL_BASE/?r=/settings
required_aal: highest_available
verification:


@@ -23,7 +23,6 @@ kratos:
haveibeenpwned_enabled:
description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
global: True
advanced: True
helpLink: kratos.html
totp:
enabled:
@@ -39,6 +38,10 @@ kratos:
helpLink: kratos.html
flows:
settings:
privileged_session_max_age:
description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change.
global: True
helpLink: kratos.html
ui_url:
description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation.
global: True
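Review bot: The new `privileged_session_max_age` annotation has no `regex`, so a value Kratos cannot parse as a duration (for example `5 minutes` or `300`) would be accepted by the SOC and only fail when Kratos reloads its configuration, which can take the login and settings flows down for every user. Add `regex: ^[0-9]+(ns|us|ms|s|m|h)$` and `regexFailureMessage: Enter a duration such as 5m or 1h.`, assuming Kratos parses this field with Go duration syntax as it does its other timeouts — confirm against the Kratos schema. The description could also state that a shorter value narrows the window in which a hijacked session can change a password or MFA setting, which is the security reason to keep it small.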


@@ -1,104 +1,147 @@
#!/usr/bin/bash
#!/usr/bin/env python3
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
# Copyright 2014-2023 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
import os
import subprocess
import sys
import time
import yaml
if [[ $# -lt 1 ]]; then
echo "Usage: $0 --role=<ROLE> --ip=<IP ADDRESS> --apply=<true|false>"
echo ""
echo " Example: so-firewall --role=sensor --ip=192.168.254.100 --apply=true"
echo ""
exit 1
fi
lockFile = "/tmp/so-firewall.lock"
hostgroupsFilename = "/opt/so/saltstack/local/pillar/firewall/soc_firewall.sls"
defaultsFilename = "/opt/so/saltstack/default/salt/firewall/defaults.yaml"
for i in "$@"; do
case $i in
-r=*|--role=*)
ROLE="${i#*=}"
shift
;;
-i=*|--ip=*)
IP="${i#*=}"
shift
;;
-a=*|--apply*)
APPLY="${i#*=}"
shift
;;
-*|--*)
echo "Unknown option $i"
exit 1
;;
*)
;;
esac
done
def showUsage(options, args):
print('Usage: {} [OPTIONS] <COMMAND> [ARGS...]'.format(sys.argv[0]))
print(' Options:')
print(' --apply - After updating the firewall configuration files, apply the new firewall state')
print('')
print(' General commands:')
print(' help - Prints this usage information.')
print(' apply - Apply the firewall state.')
print('')
print(' Host commands:')
print(' includehost - Includes the given IP in the given group. Args: <GROUP_NAME> <IP>')
print(' addhostgroup - Adds a new, custom host group. Args: <GROUP_NAME>')
print('')
print(' Where:')
print(' GROUP_NAME - The name of an alias group (Ex: analyst)')
print(' IP - Either a single IP address (Ex: 8.8.8.8) or a CIDR block (Ex: 10.23.0.0/16).')
sys.exit(1)
ROLE=${ROLE,,}
APPLY=${APPLY,,}
def checkApplyOption(options):
if "--apply" in options:
return apply(None, None)
function rolecall() {
THEROLE=$1
THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval fleet heavynodes idh manager managersearch receivers searchnodes sensors standalone strelka_frontend syslog"
def loadYaml(filename):
file = open(filename, "r")
content = file.read()
return yaml.safe_load(content)
for AROLE in $THEROLES; do
if [ "$AROLE" = "$THEROLE" ]; then
return 0
fi
done
return 1
}
def writeYaml(filename, content):
file = open(filename, "w")
return yaml.dump(content, file)
# Make sure the required options are specified
if [ -z "$ROLE" ]; then
echo "Please specify a role with --role="
exit 1
fi
if [ -z "$IP" ]; then
echo "Please specify an IP address with --ip="
exit 1
fi
def addIp(name, ip):
content = loadYaml(hostgroupsFilename)
defaults = loadYaml(defaultsFilename)
allowedHostgroups = defaults['firewall']['hostgroups']
unallowedHostgroups = ['anywhere', 'dockernet', 'localhost', 'self']
for hg in unallowedHostgroups:
allowedHostgroups.pop(hg)
if not content:
content = {'firewall': {'hostgroups': {name: []}}}
if name in allowedHostgroups:
if name not in content['firewall']['hostgroups']:
hostgroup = content['firewall']['hostgroups'].update({name: [ip]})
else:
hostgroup = content['firewall']['hostgroups'][name]
else:
print('Host group not defined in salt/firewall/defaults.yaml or hostgroup name is unallowed.', file=sys.stderr)
return 4
ips = hostgroup
if ips is None:
ips = []
hostgroup = ips
if ip not in ips:
ips.append(ip)
else:
print('Already exists', file=sys.stderr)
return 3
writeYaml(hostgroupsFilename, content)
return 0
# Are we dealing with a role that this script supports?
if rolecall "$ROLE"; then
echo "$ROLE is a supported role"
else
echo "This is not a supported role"
exit 1
fi
def includehost(options, args):
if len(args) != 2:
print('Missing host group name or ip argument', file=sys.stderr)
showUsage(options, args)
result = addIp(args[0], args[1])
code = result
if code == 0:
code = checkApplyOption(options)
return code
# Are we dealing with an IP?
if verify_ip4 "$IP"; then
echo "$IP is a valid IP or CIDR"
else
echo "$IP is not a valid IP or CIDR"
exit 1
fi
def apply(options, args):
proc = subprocess.run(['salt-call', 'state.apply', 'firewall', 'queue=True'])
return proc.returncode
local_salt_dir=/opt/so/saltstack/local/salt/firewall
def main():
options = []
args = sys.argv[1:]
for option in args:
if option.startswith("--"):
options.append(option)
args.remove(option)
# Let's see if the file exists and if it does, let's see if the IP exists.
if [ -f "$local_salt_dir/hostgroups/$ROLE" ]; then
if grep -q $IP "$local_salt_dir/hostgroups/$ROLE"; then
echo "Host already exists"
exit 0
fi
fi
if len(args) == 0:
showUsage(options, None)
# If you have reached this part of your quest then let's add the IP
echo "Adding $IP to the $ROLE role"
echo "$IP" >> $local_salt_dir/hostgroups/$ROLE
commands = {
"help": showUsage,
"includehost": includehost,
"apply": apply
}
# Check to see if we are applying this right away.
if [ "$APPLY" = "true" ]; then
echo "Applying the firewall rules"
salt-call state.apply firewall queue=True
echo "Firewall rules have been applied... Review logs further if there were errors."
echo ""
else
echo "Firewall rules will be applied next salt run"
fi
code=1
try:
lockAttempts = 0
maxAttempts = 30
while lockAttempts < maxAttempts:
lockAttempts = lockAttempts + 1
try:
f = open(lockFile, "x")
f.close()
break
except:
time.sleep(2)
if lockAttempts == maxAttempts:
print("Lock file (" + lockFile + ") could not be created; proceeding without lock.")
cmd = commands.get(args[0], showUsage)
code = cmd(options, args[1:])
finally:
try:
os.remove(lockFile)
except:
print("Lock file (" + lockFile + ") already removed")
sys.exit(code)
if __name__ == "__main__":
main()
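Review bot: `addIp` writes `ip` straight into the pillar without checking that it is an IP address or CIDR block, whereas the bash version it replaces refused anything `verify_ip4` did not accept; the SOC-side regex in `defaults.yaml` does not run for this CLI path, so a typo or an injected string ends up in the rendered iptables rules. Validate with the standard library before touching the file (`import ipaddress` at the top, fence below) and return a distinct exit code so callers can tell it from the `Already exists` case. `loadYaml` and `writeYaml` also leave their file handles open — use `with open(...)` — and `allowedHostgroups.pop(hg)` raises `KeyError` if a future `defaults.yaml` drops one of the four built-in groups, so `pop(hg, None)` is safer. The bare `except:` around the lock file swallows everything including `KeyboardInterrupt`; `except FileExistsError:` is what is meant, and `main`'s `for option in args: ... args.remove(option)` skips the element after each removed one, so iterate over a copy (`for option in list(args)`).
```python
def loadYaml(filename):
    with open(filename, "r") as file:
        return yaml.safe_load(file.read())

def writeYaml(filename, content):
    with open(filename, "w") as file:
        return yaml.dump(content, file)

def addIp(name, ip):
    # Reject anything that is not a single address or a CIDR block before it
    # reaches the pillar; the rendered iptables rules trust these values.
    try:
        ipaddress.ip_network(ip, strict=False)
    except ValueError:
        print('Invalid IP address or CIDR block: ' + ip, file=sys.stderr)
        return 5
    content = loadYaml(hostgroupsFilename)
    defaults = loadYaml(defaultsFilename)
    allowedHostgroups = defaults['firewall']['hostgroups']
    for hg in ['anywhere', 'dockernet', 'localhost', 'self']:
        allowedHostgroups.pop(hg, None)
    # … unchanged: hostgroup lookup, duplicate check, writeYaml …
```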


@@ -49,34 +49,34 @@ fi
case "$ROLE" in
'MANAGER')
so-firewall --role=manager --ip="$IP"
so-firewall includehost manager "$IP"
;;
'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
so-firewall --role=manager --ip="$IP"
so-firewall --role=sensors --ip="$IP"
so-firewall --apply=true --role=searchnodes --ip="$IP"
'MANAGERSEARCH')
so-firewall includehost manager "$IP"
so-firewall includehost searchnode "$IP" --apply
;;
'FLEET' | 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER')
case "$ROLE" in
'FLEET')
so-firewall --apply=true --role=fleet --ip="$IP"
;;
'SENSOR')
so-firewall --apply=true --role=sensors --ip="$IP"
;;
'SEARCHNODE')
so-firewall --apply=true --role=searchnodes --ip="$IP"
;;
'HEAVYNODE')
so-firewall --role=sensors --ip="$IP"
so-firewall --apply=true --role=heavynodes --ip="$IP"
;;
'IDH')
so-firewall --apply=true --role=sensors --ip="$IP"
;;
'RECEIVER')
so-firewall --apply=true --role=receivers --ip="$IP"
;;
esac
'EVAL' | 'STANDALONE' | 'IMPORT')
so-firewall includehost manager "$IP"
so-firewall includehost sensor "$IP"
so-firewall includehost searchnode "$IP" --apply
;;
'FLEET')
so-firewall includehost fleet "$IP" --apply
;;
'SENSOR')
so-firewall includehost sensor "$IP" --apply
;;
'SEARCHNODE')
so-firewall includehost searchnode "$IP" --apply
;;
'HEAVYNODE')
so-firewall includehost sensor "$IP"
so-firewall includehost heavynode "$IP" --apply
;;
'IDH')
so-firewall includehost sensor "$IP" --apply
;;
'RECEIVER')
so-firewall includehost receiver "$IP" --apply
;;
esac
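Review bot: The hostgroup names this case statement hands to `so-firewall includehost` are singular (`sensor`, `searchnode`, `heavynode`, `receiver`), while `set_initial_firewall_access` in so-functions, changed in the same commit, passes the plural forms `includehost sensors` and `includehost searchnodes`; unless `addIp` in the new Python so-firewall normalizes aliases (its body is not visible here), one of the two call sites writes to a hostgroup that no firewall rule consumes and the allow silently has no effect. Pick one spelling for both scripts and consider having `addIp` reject hostgroup names it does not know rather than creating a new file for them. Separately, the bash implementation being replaced ran `verify_ip4` on the address before touching the hostgroup file, whereas this block passes `"$IP"` straight through, so the IP/CIDR validation now has to live in the Python `includehost` path — worth confirming, because the value presumably still ends up in a Salt-rendered file.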


@@ -43,6 +43,22 @@ http {
return 307 https://{{ GLOBALS.url_base }}$request_uri;
}
server {
listen 8443;
server_name {{ GLOBALS.url_base }};
root /opt/socore/html;
location /artifacts/ {
try_files $uri =206;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 443 ssl http2 default_server;
server_name _;
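Review bot: `try_files $uri =206;` in the new 8443 server block returns an empty 206 Partial Content for a missing artifact instead of an error; it should be `try_files $uri =404;`. The block also sets `root /opt/socore/html;` with no catch-all location, so anything under that root — including the agent installers the compose change mounts at `/opt/socore/html/packages` — is reachable unauthenticated and in cleartext on 8443, not just `/artifacts/`; add `location / { return 404; }` to confine the listener, and drop the `proxy_read_timeout`, `proxy_connect_timeout` and `proxy_set_header` lines, which have no effect in a location without `proxy_pass`. Unless the consumer independently verifies the signatures of what it downloads, a plain-HTTP artifact path lets an on-path attacker substitute agent binaries; serving `/artifacts/` from the existing 443 TLS server would avoid opening a second, unencrypted listener.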


@@ -96,6 +96,7 @@ so-nginx:
- /opt/so/tmp/nginx/:/var/lib/nginx:rw
- /opt/so/tmp/nginx/:/run:rw
- /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/:/opt/socore/html/packages
- /nsm/elastic-fleet/artifacts/:/opt/socore/html/artifacts
{% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
- /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro
- /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro
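Review bot: The new artifacts bind mount is read-write while the certificate mounts two lines below are `:ro`; nginx only serves these files, so a compromise of the nginx container should not be able to replace the agent tarballs it distributes. Mount it as `- /nsm/elastic-fleet/artifacts/:/opt/socore/html/artifacts:ro`. The existing `/opt/socore/html/packages` mount above has the same omission, though that predates this commit.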


@@ -176,6 +176,7 @@ base:
- redis
{%- endif %}
{%- if KIBANA %}
- elastic-fleet-package-registry
- kibana.so_savedobjects_defaults
{%- endif %}
- pcap


@@ -16,10 +16,10 @@ type=worker
host=localhost
interface=af_packet::{{ NODE.interface }}
lb_method=custom
{%- if NODE.lb_procs %}
lb_procs={{ NODE.lb_procs }}
{%- else %}
{%- if NODE.pins %}
lb_procs={{ NODE.pins | length }}
{%- else %}
lb_procs={{ NODE.lb_procs }}
{%- endif %}
{%- if NODE.pins %}
pin_cpus={{ NODE.pins | join(", ") }}
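Review bot: The reworked branch derives `lb_procs` from `NODE.pins` being non-empty, and the `pin_cpus` guard two lines later also tests `NODE.pins`, yet the soc_zeek.yaml annotations added in this commit introduce a separate `pins_enabled` toggle whose description says it controls whether `lb_procs` is ignored. If `pins_enabled` is not folded into `NODE.pins` before this template renders (e.g. in a pillar or map file, not visible here), turning affinity off in the UI while a pins list remains set would still pin CPUs and override the configured worker count. Either gate both checks with `{%- if NODE.pins_enabled and NODE.pins %}` or add a comment above the block stating where `pins_enabled` is applied so the two settings cannot drift apart.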


@@ -6,30 +6,36 @@ zeek:
config:
local:
load:
description: List of Zeek policies to load
description: Contains a list of policies and scripts loaded by Zeek. Values in the Current Grid Value dialog box apply to every instance of Zeek. Values in a dialog box for a specific node will only apply to that node.
forcedType: "[]string"
helpLink: zeek.html
load-sigs:
description: List of Zeek signatures to load
description: Contains a list of signatures loaded by Zeek. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
forcedType: "[]string"
helpLink: zeek.html
redef:
description: List of Zeek variables to redefine
description: List of Zeek variables to redefine. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
forcedType: "[]string"
advanced: True
helpLink: zeek.html
node:
lb_procs:
description: This is the number of CPUs to use for Zeek. This setting is ignored if you are using pins.
description: Contains the number of CPU cores or workers used by Zeek. This setting should only be applied to individual nodes and will be ignored if CPU affinity is enabled.
title: workers
helpLink: zeek.html
node: True
pins_enabled:
description: Enabling this setting allows you to pin Zeek to specific CPUs.
title: cpu affinity enabled
forcedType: bool
helpLink: zeek.html
node: True
advanced: True
pins:
description: This is a list of CPUs you want to pin Zeek to.
description: Contains a list of specific CPU cores pinned to Zeek workers. To set the CPU affinity, enter the processor ID number in the dialog box for the desired node. To retrieve the processor ID numbers, run the command "cat /proc/cpuinfo | grep processor" on the desired node. Please note that this setting should only be applied to individual nodes.
title: cpu affinity
multiline: True
forcedType: "[]string"
helpLink: zeek.html
node: True
advanced: True
@@ -47,5 +53,5 @@ zeek:
global: True
advanced: True
file_extraction:
description: This is a list of MIME types that Zeek will extract from the network streams.
description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENTION"}
helpLink: zeek.html
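Review bot: The new `file_extraction` description misspells the placeholder: `{"MIME_TYPE":"FILE_EXTENTION"}` should read `{"MIME_TYPE":"FILE_EXTENSION"}`, since this text is shown verbatim to operators in the SOC configuration UI. In the first hunk the `load` description says "Values in the Current Grid Value dialog box" while `load-sigs` and `redef` say "Values placed in the Current Grid Value dialog box"; using one phrasing across the three keeps the help text consistent.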


@@ -917,17 +917,19 @@ create_repo() {
logCmd "createrepo /nsm/repo"
}
detect_cloud() {
info "Testing if setup is running on a cloud instance..."
if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || \
( curl --fail -s -m 5 -H "X-aws-ec2-metadata-token: $(curl -s -X PUT -m 5 'http://169.254.169.254/latest/api/token' -H 'X-aws-ec2-metadata-token-ttl-seconds: 30')" http://169.254.169.254/latest/meta-data/instance-id > /dev/null) || \
(dmidecode -s bios-vendor | grep -q Google > /dev/null) || \
[ -f /var/log/waagent.log ]; then
info "Detected a cloud installation..." && export is_cloud="true";
else
info "This does not appear to be a cloud installation."
fi
detect_cloud() {
info "Testing if setup is running on a cloud instance..."
if dmidecode -s bios-version | grep -q amazon || \
dmidecode -s bios-vendor | grep -q Amazon || \
dmidecode -s bios-vendor | grep -q Google || \
[ -f /var/log/waagent.log ]; then
info "Detected a cloud installation..."
export is_cloud="true"
else
info "This does not appear to be a cloud installation."
fi
}
detect_os() {
@@ -962,6 +964,17 @@ detect_os() {
}
download_elastic_agent_artifacts() {
#TODO - ISO
logCmd "mkdir -p /nsm/elastic-fleet/artifacts/beats/elastic-agent/"
logCmd "curl --retry 5 --retry-delay 60 https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz"
logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/"
}
installer_progress_loop() {
local i=0
local msg="${1:-Performing background actions...}"
@@ -2312,18 +2325,18 @@ set_initial_firewall_policy() {
case "$install_type" in
'EVAL' | 'MANAGER' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=$install_type --ip=$MAINIP --apply=true
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost $minion_type $MAINIP --apply
;;
esac
}
set_initial_firewall_access() {
if [[ ! -z "$ALLOW_CIDR" ]]; then
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=analyst --ip=$ALLOW_CIDR --apply=true
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost analyst $ALLOW_CIDR --apply
fi
if [[ ! -z "$MINION_CIDR" ]]; then
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=sensors --ip=$MINION_CIDR --apply=false
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=searchnodes --ip=$MINION_CIDR --apply=true
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensors $MINION_CIDR
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost searchnodes $MINION_CIDR --apply
fi
}
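Review bot: `download_elastic_agent_artifacts` fetches a tarball that will later be extracted and distributed to every endpoint agent, but the `curl` invocation has no `--fail` and nothing checks the file's integrity, so an HTTP error page or a tampered response is written to `elastic-agent_SO-$SOVERSION.tar.gz` and handed to `tar -xf` unchecked; whether `logCmd` propagates the non-zero exit of `curl` or `tar` is not visible here. At minimum change the fetch to `logCmd "curl --fail --retry 5 --retry-delay 60 https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz"` and abort setup if it fails; for a supply-chain artifact of this kind the download should also be compared against a pinned digest or signature before extraction. The `#TODO - ISO` comment should say what happens on an airgapped install where this URL is unreachable, since the function is called unconditionally from so-setup.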


@@ -607,6 +607,9 @@ if ! [[ -f $install_opt_file ]]; then
securityonion_repo
# Update existing packages
update_packages
# Download Elastic Agent Artifacts
title "Downloading Elastic Agent Artifacts"
download_elastic_agent_artifacts
# Install salt
saltify
# Start the master service


@@ -471,7 +471,7 @@ whiptail_gauge_post_setup() {
[ -n "$TESTING" ] && return
idh_preferences=$(whiptail --title "$whiptail_title" --radiolist \
"\nBy default, the IDH services selected in the previous screen will be bound to all interfaces and IP addresses on this system.\n\nIf you would like to prevent IDH services from being published on this system's management IP, you can select the option below." 20 75 5 \
"\nBy default, IDH services will be bound to all interfaces and IP addresses on this system.\n\nIf you would like to prevent IDH services from being published on this system's management IP, you can select the option below." 20 75 5 \
"$MAINIP" "Disable IDH services on this management IP " OFF 3>&1 1>&2 2>&3 )
local exitstatus=$?