CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-04-26 22:47:49 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix annotations and defaults for logstash

Browse Source
This commit is contained in:
Mike Reeves
2023-05-03 13:37:06 -04:00
parent 3d10a60502 b4b84038ed
commit d5c4a2887e
53 changed files with 2527 additions and 1080 deletions
Download Patch File Download Diff File Expand all files Collapse all files
salt/allowed_states.map.jinja
+3
View File
@@ -119,6 +119,7 @@
'soc', 'soc',
'kratos', 'kratos',
'elasticfleet', 'elasticfleet',
'elastic-fleet-package-registry',
'firewall', 'firewall',
'idstools', 'idstools',
'suricata.manager', 'suricata.manager',
@@ -137,6 +138,7 @@
'influxdb', 'influxdb',
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet-package-registry',
'elasticfleet', 'elasticfleet',
'firewall', 'firewall',
'manager', 'manager',
@@ -166,6 +168,7 @@
'influxdb', 'influxdb',
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet-package-registry',
'elasticfleet', 'elasticfleet',
'firewall', 'firewall',
'idstools', 'idstools',
salt/common/tools/sbin/so-image-common
+2
View File
@@ -38,6 +38,7 @@ container_list() {
"so-zeek" "so-zeek"
"so-elastic-agent" "so-elastic-agent"
"so-elastic-agent-builder" "so-elastic-agent-builder"
"so-elastic-fleet-package-registry"
) )
elif [ $MANAGERCHECK != 'so-helix' ]; then elif [ $MANAGERCHECK != 'so-helix' ]; then
TRUSTED_CONTAINERS=( TRUSTED_CONTAINERS=(
@@ -45,6 +46,7 @@ container_list() {
"so-elastalert" "so-elastalert"
"so-elastic-agent" "so-elastic-agent"
"so-elastic-agent-builder" "so-elastic-agent-builder"
"so-elastic-fleet-package-registry"
"so-elasticsearch" "so-elasticsearch"
"so-idh" "so-idh"
"so-idstools" "so-idstools"
salt/docker/defaults.yaml
+1
View File
@@ -54,6 +54,7 @@ docker:
port_bindings: port_bindings:
- 80:80 - 80:80
- 443:443 - 443:443
- 8443:8443
'so-playbook': 'so-playbook':
final_octet: 32 final_octet: 32
port_bindings: port_bindings:
salt/elasticfleet/artifact_registry.sls
+11
View File
@@ -0,0 +1,11 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
fleetartifactdir:
file.directory:
- name: /nsm/elastic-fleet/artifacts
- user: 947
- group: 939
- makedirs: True
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
+28 -7
View File
@@ -17,18 +17,39 @@ FLEETHOST="{{ GLOBALS.manager_ip }}"
#FLEETHOST=$1 #FLEETHOST=$1
#ENROLLMENTOKEN=$2 #ENROLLMENTOKEN=$2
CONTAINERGOOS=( "linux" "darwin" "windows" ) TARGETOS=( "linux" "darwin" "windows" )
#rm -rf /tmp/elastic-agent-workspace printf "\n### Get rid of any previous runs\n"
#mkdir -p /tmp/elastic-agent-workspace rm -rf /tmp/elastic-agent-workspace
mkdir -p /tmp/elastic-agent-workspace
for OS in "${CONTAINERGOOS[@]}" printf "\n### Extract outer tarball and then each individual tarball/zip\n"
tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-{{ GLOBALS.so_version }}.tar.gz -C /tmp/elastic-agent-workspace/
unzip /tmp/elastic-agent-workspace/elastic-agent-*.zip -d /tmp/elastic-agent-workspace/
for archive in /tmp/elastic-agent-workspace/*.tar.gz
do
tar xf "$archive" -C /tmp/elastic-agent-workspace/
done
printf "\n### Strip out unused components"
find /tmp/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -regex '.*fleet.*\|.*packet.*\|.*apm*.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete
printf "\n### Tar everything up again"
for OS in "${TARGETOS[@]}"
do
rm -rf /tmp/elastic-agent-workspace/elastic-agent
mv /tmp/elastic-agent-workspace/elastic-agent-*-$OS-x86_64 /tmp/elastic-agent-workspace/elastic-agent
tar -czvf /tmp/elastic-agent-workspace/$OS.tar.gz -C /tmp/elastic-agent-workspace elastic-agent
done
printf "\n### Generate OS packages using the cleaned up tarballs"
for OS in "${TARGETOS[@]}"
do do
printf "\n\nGenerating $OS Installer..." printf "\n\n### Generating $OS Installer...\n"
#cp /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz
docker run -e CGO_ENABLED=0 -e GOOS=$OS \ docker run -e CGO_ENABLED=0 -e GOOS=$OS \
--mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \ --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \
--mount type=bind,source=/tmp/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \
--mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \ --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \
{{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_$OS {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_$OS
printf "\n $OS Installer Generated..." printf "\n### $OS Installer Generated...\n"
done done
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
+9
View File
@@ -62,6 +62,15 @@ elastic_fleet_policy_create "so-grid-nodes" "SO Grid Node Policy" "false"
# Load Integrations for default policies # Load Integrations for default policies
so-elastic-fleet-integration-policy-load so-elastic-fleet-integration-policy-load
# Set Elastic Agent Artifact Registry URL
JSON_STRING=$( jq -n \
--arg NAME "FleetServer_{{ GLOBALS.hostname }}" \
--arg URL "http://{{ GLOBALS.url_base }}/artifacts/" \
'{"name":$NAME,"host":$URL,"is_default":true}'
)
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_download_sources" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
### Finalization ### ### Finalization ###
# Query for Enrollment Tokens for default policies # Query for Enrollment Tokens for default policies
salt/firewall/assigned_hostgroups.map.yaml
-607
View File
@@ -1,607 +0,0 @@
{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
{% import_yaml 'firewall/ports/ports.yaml' as portgroups %}
{% set portgroups = portgroups.firewall.ports %}
{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
role:
eval:
chain:
DOCKER-USER:
hostgroups:
eval:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
syslog:
portgroups:
- {{ portgroups.syslog }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
fleet:
chain:
DOCKER-USER:
hostgroups:
sensors:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
standalone:
portgroups:
- {{ portgroups.salt_manager }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
manager:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.docker_registry }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
{% if ISAIRGAP is sameas true %}
- {{ portgroups.agrules }}
{% endif %}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
self:
portgroups:
- {{ portgroups.syslog}}
syslog:
portgroups:
- {{ portgroups.syslog }}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
endgame:
portgroups:
- {{ portgroups.endgame }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
managersearch:
chain:
DOCKER-USER:
hostgroups:
managersearch:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.docker_registry }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
endgame:
portgroups:
- {{ portgroups.endgame }}
syslog:
portgroups:
- {{ portgroups.syslog }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
standalone:
chain:
DOCKER-USER:
hostgroups:
localhost:
portgroups:
- {{ portgroups.all }}
standalone:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.docker_registry }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.beats_5056 }}
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
- {{ portgroups.endgame }}
- {{ portgroups.strelka_frontend }}
fleet:
portgroups:
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.beats_5056 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
sensors:
portgroups:
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.beats_5056 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
searchnodes:
portgroups:
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
heavynodes:
portgroups:
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
endgame:
portgroups:
- {{ portgroups.endgame }}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
syslog:
portgroups:
- {{ portgroups.syslog }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
fleet:
portgroups:
- {{ portgroups.salt_manager }}
localhost:
portgroups:
- {{ portgroups.all }}
standalone:
portgroups:
- {{ portgroups.salt_manager }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
searchnode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
dockernet:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
searchnodes:
portgroups:
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
sensor:
chain:
DOCKER-USER:
hostgroups:
self:
portgroups:
- {{ portgroups.syslog}}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
heavynode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
dockernet:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
self:
portgroups:
- {{ portgroups.syslog}}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
import:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elastic_agent_control }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
receiver:
chain:
DOCKER-USER:
hostgroups:
sensors:
portgroups:
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.beats_5644 }}
self:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.syslog}}
- {{ portgroups.beats_5644 }}
syslog:
portgroups:
- {{ portgroups.syslog }}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
endgame:
portgroups:
- {{ portgroups.endgame }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
idh:
chain:
INPUT:
hostgroups:
anywhere:
portgroups:
{% for service in IDH_PORTGROUPS.keys() %}
{% if service != 'openssh' %}
- {{ IDH_PORTGROUPS[service] }}
{% endif %}
{% endfor %}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
manager:
portgroups:
- {{ IDH_PORTGROUPS.openssh }}
standalone:
portgroups:
- {{ IDH_PORTGROUPS.openssh }}
salt/firewall/defaults.yaml
+1225
View File
File diff suppressed because it is too large Load Diff
salt/firewall/hostgroups/analyst
View File
salt/firewall/hostgroups/analyst_workstations
View File
salt/firewall/hostgroups/anywhere
-1
View File
@@ -1 +0,0 @@
0.0.0.0/0
salt/firewall/hostgroups/beats_endpoint
View File
salt/firewall/hostgroups/beats_endpoint_ssl
View File
salt/firewall/hostgroups/dockernet
-2
View File
@@ -1,2 +0,0 @@
{% from 'docker/docker.map.jinja' import DOCKER -%}
{{ DOCKER.sorange }}
salt/firewall/hostgroups/elastic_agent_endpoint
View File
salt/firewall/hostgroups/elasticsearch_rest
View File
salt/firewall/hostgroups/endgame
View File
salt/firewall/hostgroups/eval
View File
salt/firewall/hostgroups/fleet
View File
salt/firewall/hostgroups/heavynodes
View File
salt/firewall/hostgroups/idh
View File
salt/firewall/hostgroups/localhost
-1
View File
@@ -1 +0,0 @@
127.0.0.1
salt/firewall/hostgroups/manager
View File
salt/firewall/hostgroups/receivers
View File
salt/firewall/hostgroups/searchnodes
View File
salt/firewall/hostgroups/self
-2
View File
@@ -1,2 +0,0 @@
{% from 'vars/globals.map.jinja' import GLOBALS -%}
{{ GLOBALS.node_ip }}
salt/firewall/hostgroups/sensors
View File
salt/firewall/hostgroups/standalone
View File
salt/firewall/hostgroups/strelka_frontend
View File
salt/firewall/hostgroups/syslog
View File
salt/firewall/iptables.jinja
+18 -22
View File
@@ -1,7 +1,9 @@
{% from 'docker/docker.map.jinja' import DOCKER -%} {%- from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'firewall/containers.map.jinja' import NODE_CONTAINERS -%} {%- from 'docker/docker.map.jinja' import DOCKER %}
{% from 'firewall/map.jinja' import hostgroups with context -%} {%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
{% from 'firewall/map.jinja' import assigned_hostgroups with context -%} {%- set role = GLOBALS.role.split('-')[1] %}
{%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
{%- set PR = [] %} {%- set PR = [] %}
{%- set D1 = [] %} {%- set D1 = [] %}
{%- set D2 = [] %} {%- set D2 = [] %}
@@ -70,24 +72,18 @@ COMMIT
:DOCKER-USER - [0:0] :DOCKER-USER - [0:0]
:LOGGING - [0:0] :LOGGING - [0:0]
{%- set count = namespace(value=0) %} {%- for chn, hostgroups in FIREWALL_MERGED.role[role].chain.items() %}
{%- for chain, hg in assigned_hostgroups.chain.items() %} {%- for hostgroup, portgroups in hostgroups['hostgroups'].items() %}
{%- for hostgroup, portgroups in assigned_hostgroups.chain[chain].hostgroups.items() %} {%- for ip in FIREWALL_MERGED.hostgroups[hostgroup] %}
{%- for action in ['insert', 'delete' ] %} {%- for groupname in portgroups['portgroups'] %}
{%- if hostgroups[hostgroup].ips[action] %} {%- for proto, ports in FIREWALL_MERGED['portgroups'][groupname].items() %}
{%- for ip in hostgroups[hostgroup].ips[action] %} {%- for port in ports %}
{%- for portgroup in portgroups.portgroups %} -A {{chn}} -s {{ip}} -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT
{%- for proto, ports in portgroup.items() %} {%- endfor %}
{%- for port in ports %} {%- endfor %}
{%- set count.value = count.value + 1 %} {%- endfor %}
-A {{chain}} -s {{ip}} -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT {%- endfor %}
{%- endfor %} {%- endfor %}
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- endif %}
{%- endfor %}
{%- endfor %}
{%- endfor %} {%- endfor %}
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
salt/firewall/map.jinja
+15 -56
View File
@@ -1,62 +1,21 @@
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% set role = grains.id.split('_') | last %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% set translated_pillar_assigned_hostgroups = {} %} {% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %} {# add our ip to self #}
{% set default_portgroups = default_portgroups.firewall.ports %} {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
{% import_yaml 'firewall/ports/ports.local.yaml' as local_portgroups %} {# add dockernet range #}
{% if local_portgroups.firewall.ports %} {% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.sorange) %}
{% set local_portgroups = local_portgroups.firewall.ports %}
{% else %}
{% set local_portgroups = {} %}
{% endif %}
{% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %}
{% set defined_portgroups = portgroups %}
{% if GLOBALS.role == 'so-idh' %} {% if GLOBALS.role == 'so-idh' %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %} {% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
{% do salt['defaults.merge'](defined_portgroups, IDH_PORTGROUPS, in_place=True) %} {% do salt['defaults.merge'](FIREWALL_DEFAULT.firewall.portgroups, IDH_PORTGROUPS, in_place=True) %}
{% for pg in IDH_PORTGROUPS.keys() %}
{# idh service ports start with _idh. this prevents adding openssh to allow from anywhere #}
{% if pg.split('_')[0] == 'idh' %}
{% do FIREWALL_DEFAULT.firewall.role.idh.chain.INPUT.hostgroups.anywhere.portgroups.append(pg) %}
{% endif %}
{% endfor %}
{% endif %} {% endif %}
{% set local_hostgroups = {'firewall': {'hostgroups': {}}} %} {% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}
{% set hostgroup_list = salt['cp.list_master'](prefix='firewall/hostgroups') %}
{% for hg in hostgroup_list %}
{% import_text hg as hg_ips %}
{% do local_hostgroups.firewall.hostgroups.update({hg.split('/')[2]: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %}
{% endfor %}
{% set hostgroups = local_hostgroups.firewall.hostgroups %}
{# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}
{% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %}
{% set translated_pillar_assigned_hostgroups = {'chain': {}} %}
{% for chain, hg in salt['pillar.get']('firewall:assigned_hostgroups:chain').items() %}
{% for pillar_hostgroup, pillar_portgroups in salt['pillar.get']('firewall:assigned_hostgroups:chain')[chain].hostgroups.items() %}
{% if translated_pillar_assigned_hostgroups.chain[chain] is defined %}
{% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups.update({pillar_hostgroup: {"portgroups": []}}) %}
{% else %}
{% do translated_pillar_assigned_hostgroups.chain.update({chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}) %}
{% endif %}
{% for pillar_portgroup in pillar_portgroups.portgroups %}
{% set pillar_portgroup = pillar_portgroup.split('.') | last %}
{% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups[pillar_hostgroup].portgroups.append(defined_portgroups[pillar_portgroup]) %}
{% endfor %}
{% endfor %}
{% endfor %}
{% endif %}
{% import_yaml 'firewall/assigned_hostgroups.map.yaml' as default_assigned_hostgroups %}
{% import_yaml 'firewall/assigned_hostgroups.local.map.yaml' as local_assigned_hostgroups %}
{% if local_assigned_hostgroups.role.get(role, False) %}
{% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups.role[role], default_assigned_hostgroups.role[role], merge_lists=False, in_place=False) %}
{% else %}
{% set assigned_hostgroups = default_assigned_hostgroups.role[role] %}
{% endif %}
{% if translated_pillar_assigned_hostgroups %}
{% do salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, merge_lists=True, in_place=True) %}
{% endif %}
salt/firewall/ports/ports.yaml
-81
View File
@@ -1,81 +0,0 @@
firewall:
ports:
all:
tcp:
- '0:65535'
udp:
- '0:65535'
agrules:
tcp:
- 7788
beats_5044:
tcp:
- 5044
beats_5644:
tcp:
- 5644
beats_5066:
tcp:
- 5066
beats_5056:
tcp:
- 5056
docker_registry:
tcp:
- 5000
elasticsearch_node:
tcp:
- 9300
elasticsearch_rest:
tcp:
- 9200
elastic_agent_control:
tcp:
- 8220
elastic_agent_data:
tcp:
- 5055
endgame:
tcp:
- 3765
influxdb:
tcp:
- 8086
kibana:
tcp:
- 5601
mysql:
tcp:
- 3306
nginx:
tcp:
- 80
- 443
playbook:
tcp:
- 3000
redis:
tcp:
- 6379
- 9696
salt_manager:
tcp:
- 4505
- 4506
sensoroni:
tcp:
- 443
ssh:
tcp:
- 22
strelka_frontend:
tcp:
- 57314
syslog:
tcp:
- 514
udp:
- 514
yum:
tcp:
- 443
salt/firewall/soc/defaults_soc_firewall.yaml
-136
View File
@@ -1,136 +0,0 @@
firewall:
custom_groups:
groups:
description: List of group names to create.
multiline: True
forcedType: "[]string"
global: True
title: Custom Firewall Groups
helpLink: firewall.html#host-groups
hostgroups:
analyst_workstations:
description: List of IP addresses or CIDR blocks to allow analyst workstations.
file: True
global: True
title: Analyst Workstations
helpLink: firewall.html#host-groups
analyst:
description: List of IP addresses or CIDR blocks to allow analyst connections.
file: True
global: True
title: Analyst
helpLink: firewall.html#host-groups
beats_endpoint:
description: List of IP addresses or CIDR blocks of standard beats without encryption.
file: True
global: True
title: Beats Endpoints
helpLink: firewall.html#host-groups
beats_endpoint_ssl:
description: List of IP addresses or CIDR blocks of standard beats with encryption.
file: True
global: True
title: Beats Endpoints SSL
helpLink: firewall.html#host-groups
elastic_agent_endpoint:
description: List of IP addresses or CIDR blocks for Elastic Agent connections.
file: True
global: True
title: Elastic Agents
helpLink: firewall.html#host-groups
elasticsearch_rest:
description: List of IP addresses or CIDR blocks to allow access directly to Elasticsearch.
file: True
global: True
title: Elasticsearch Rest
advanced: True
helpLink: firewall.html#host-groups
endgame:
description: List of IP addresses or CIDR blocks to allow Endgame access.
file: True
global: True
title: Endgame
advanced: True
helpLink: firewall.html#host-groups
strelka_frontend:
description: List of IP addresses or CIDR blocks to allow access to the Strelka front end.
file: True
global: True
title: Strelka Frontend
advanced: True
helpLink: firewall.html#host-groups
syslog:
description: List of IP addresses or CIDR blocks to allow syslog.
file: True
global: True
title: Syslog Endpoint Traffic
helpLink: firewall.html#host-groups
standalone:
description: List of IP addresses or CIDR blocks to allow standalone connections.
file: True
global: True
title: Standalone
advanced: True
helpLink: firewall.html#host-groups
eval:
description: List of IP addresses or CIDR blocks to allow eval connections.
file: True
global: True
title: Eval
advanced: True
helpLink: firewall.html#host-groups
idh:
description: List of IP addresses or CIDR blocks to allow idh connections.
file: True
global: True
title: IDH Nodes
helpLink: firewall.html#host-groups
manager:
description: List of IP addresses or CIDR blocks to allow manager connections.
file: True
global: True
title: Manager
advanced: True
helpLink: firewall.html#host-groups
heavynodes:
description: List of IP addresses or CIDR blocks to allow heavynode connections.
file: True
global: True
title: Heavy Nodes
helpLink: firewall.html#host-groups
searchnodes:
description: List of IP addresses or CIDR blocks to allow searchnode connections.
file: True
global: True
title: Search Nodes
helpLink: firewall.html#host-groups
sensors:
description: List of IP addresses or CIDR blocks to allow Sensor connections.
file: True
global: True
title: Sensors
helpLink: firewall.html#host-groups
receivers:
description: List of IP addresses or CIDR blocks to allow receiver connections.
file: True
global: True
title: Receivers
helpLink: firewall.html#host-groups
portgroups:
portgroups__yaml:
description: Port Groups
file: True
global: True
advanced: True
title: Port Groups
syntax: yaml
helpLink: firewall.html#function
ports:
ports__yaml:
description: Ports in YAML.
file: True
global: True
advanced: True
title: Ports
syntax: yaml
helpLink: firewall.html#port-groups
salt/firewall/soc/init.sls
-5
View File
@@ -1,5 +0,0 @@
soc_firewall_yaml:
file.managed:
- name: /opt/so/saltstack/default/salt/firewall/soc_firewall.yaml
- source: salt://firewall/soc/soc_firewall.yaml.jinja
- template: jinja
salt/firewall/soc/soc.map.jinja
-9
View File
@@ -1,9 +0,0 @@
{% import_yaml 'firewall/soc/defaults_soc_firewall.yaml' as DEFAULT_SOC_FIREWALL %}
{% set PILLAR_SOC_FIREWALL_GROUPS = salt['pillar.get']('firewall:custom_groups:groups', {}) %}
{% set SOC_FIREWALL = DEFAULT_SOC_FIREWALL %}
{% for group in PILLAR_SOC_FIREWALL_GROUPS %}
{% set description = 'List of IP addresses or CIDR blocks to allow for ' ~ group ~ ' hostgroup.' %}
{% set title = group[0]|upper ~ group[1:] %}
{% do SOC_FIREWALL.firewall.hostgroups.update({group:{'description': description, 'file': 'True', 'global': 'True', 'title': title, 'helpLink': 'firewall.html#host-groups'}}) %}
{% endfor %}
salt/firewall/soc/soc_firewall.yaml.jinja
-2
View File
@@ -1,2 +0,0 @@
{% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL -%}
{{ SOC_FIREWALL | yaml(False) }}
salt/firewall/soc_firewall.yaml
+966
View File
@@ -0,0 +1,966 @@
firewall:
hostgroups:
analyst: &hostgroupsettings
description: List of IP or CIDR blocks to allow access to this hostgroup.
forcedType: "[]string"
helplink: firewall.html
multiline: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
anywhere: &hostgroupsettingsadv
description: List of IP or CIDR blocks to allow access to this hostgroup.
forcedType: "[]string"
helplink: firewall.html
multiline: True
advanced: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
beats_endpoint: *hostgroupsettings
beats_endpoint_ssl: *hostgroupsettings
dockernet: &ROhostgroupsettingsadv
description: List of IP or CIDR blocks to allow access to this hostgroup.
forcedType: "[]string"
helplink: firewall.html
multiline: True
advanced: True
readonly: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
elastic_agent_endpoint: *hostgroupsettings
elasticsearch_rest: *hostgroupsettingsadv
endgame: *hostgroupsettingsadv
eval: *hostgroupsettings
fleet: *hostgroupsettings
heavynode: *hostgroupsettings
idh: *hostgroupsettings
import: *hostgroupsettings
localhost: *ROhostgroupsettingsadv
manager: *hostgroupsettings
managersearch: *hostgroupsettings
receiver: *hostgroupsettings
searchnode: *hostgroupsettings
securityonion_desktop: *hostgroupsettings
self: *ROhostgroupsettingsadv
sensor: *hostgroupsettings
standalone: *hostgroupsettings
strelka_frontend: *hostgroupsettings
syslog: *hostgroupsettings
customhostgroup0: &customhostgroupsettings
description: List of IP or CIDR blocks to allow to this hostgroup.
forcedType: "[]string"
helpLink: firewall.html
advanced: True
multiline: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
customhostgroup1: *customhostgroupsettings
customhostgroup2: *customhostgroupsettings
customhostgroup3: *customhostgroupsettings
customhostgroup4: *customhostgroupsettings
customhostgroup5: *customhostgroupsettings
customhostgroup6: *customhostgroupsettings
customhostgroup7: *customhostgroupsettings
customhostgroup8: *customhostgroupsettings
customhostgroup9: *customhostgroupsettings
portgroups:
all:
tcp: &tcpsettings
description: List of TCP ports for this port group.
forcedType: "[]string"
helplink: firewall.html
advanced: True
multiline: True
udp: &udpsettings
description: List of UDP ports for this port group.
forcedType: "[]string"
helplink: firewall.html
advanced: True
multiline: True
agrules:
tcp: *tcpsettings
udp: *udpsettings
beats_5044:
tcp: *tcpsettings
udp: *udpsettings
beats_5644:
tcp: *tcpsettings
udp: *udpsettings
beats_5066:
tcp: *tcpsettings
udp: *udpsettings
beats_5056:
tcp: *tcpsettings
udp: *udpsettings
docker_registry:
tcp: *tcpsettings
udp: *udpsettings
elasticsearch_node:
tcp: *tcpsettings
udp: *udpsettings
elasticsearch_rest:
tcp: *tcpsettings
udp: *udpsettings
elastic_agent_control:
tcp: *tcpsettings
udp: *udpsettings
elastic_agent_data:
tcp: *tcpsettings
udp: *udpsettings
elastic_agent_update:
tcp: *tcpsettings
udp: *udpsettings
endgame:
tcp: *tcpsettings
udp: *udpsettings
influxdb:
tcp: *tcpsettings
udp: *udpsettings
kibana:
tcp: *tcpsettings
udp: *udpsettings
mysql:
tcp: *tcpsettings
udp: *udpsettings
nginx:
tcp: *tcpsettings
udp: *udpsettings
playbook:
tcp: *tcpsettings
udp: *udpsettings
redis:
tcp: *tcpsettings
udp: *udpsettings
salt_manager:
tcp: *tcpsettings
udp: *udpsettings
sensoroni:
tcp: *tcpsettings
udp: *udpsettings
ssh:
tcp: *tcpsettings
udp: *udpsettings
strelka_frontend:
tcp: *tcpsettings
udp: *udpsettings
syslog:
tcp: *tcpsettings
udp: *udpsettings
yum:
tcp: *tcpsettings
udp: *udpsettings
customportgroup0:
tcp: *tcpsettings
udp: *udpsettings
customportgroup1:
tcp: *tcpsettings
udp: *udpsettings
customportgroup2:
tcp: *tcpsettings
udp: *udpsettings
customportgroup3:
tcp: *tcpsettings
udp: *udpsettings
customportgroup4:
tcp: *tcpsettings
udp: *udpsettings
customportgroup5:
tcp: *tcpsettings
udp: *udpsettings
customportgroup6:
tcp: *tcpsettings
udp: *udpsettings
customportgroup7:
tcp: *tcpsettings
udp: *udpsettings
customportgroup8:
tcp: *tcpsettings
udp: *udpsettings
customportgroup9:
tcp: *tcpsettings
udp: *udpsettings
role:
eval:
chain:
DOCKER-USER:
hostgroups:
eval:
portgroups: &portgroupsdocker
description: Portgroups to add access to the docker containers for this role.
advanced: True
multiline: True
helpLink: firewall.html
sensor:
portgroups: *portgroupsdocker
searchnode:
portgroups: *portgroupsdocker
heavynode:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
strelka_frontend:
portgroups: *portgroupsdocker
syslog:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: &portgroupshost
description: Portgroups to add access to the host.
advanced: True
multiline: True
helpLink: firewall.html
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
fleet:
chain:
DOCKER-USER:
hostgroups:
sensor:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupsdocker
standalone:
portgroups: *portgroupshost
sensor:
portgroups: *portgroupshost
searchnode:
portgroups: *portgroupshost
heavynode:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
manager:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups: *portgroupsdocker
sensor:
portgroups: *portgroupsdocker
searchnode:
portgroups: *portgroupsdocker
heavynode:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
syslog:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
endgame:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
sensor:
portgroups: *portgroupshost
searchnode:
portgroups: *portgroupshost
heavynode:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
managersearch:
chain:
DOCKER-USER:
hostgroups:
managersearch:
portgroups: *portgroupsdocker
sensor:
portgroups: *portgroupsdocker
searchnode:
portgroups: *portgroupsdocker
heavynode:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
endgame:
portgroups: *portgroupsdocker
syslog:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
sensor:
portgroups: *portgroupshost
searchnode:
portgroups: *portgroupshost
heavynode:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
standalone:
chain:
DOCKER-USER:
hostgroups:
localhost:
portgroups: *portgroupsdocker
standalone:
portgroups: *portgroupsdocker
fleet:
portgroups: *portgroupsdocker
sensor:
portgroups: *portgroupsdocker
searchnode:
portgroups: *portgroupsdocker
heavynode:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
endgame:
portgroups: *portgroupsdocker
strelka_frontend:
portgroups: *portgroupsdocker
syslog:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
fleet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
standalone:
portgroups: *portgroupshost
sensor:
portgroups: *portgroupshost
searchnode:
portgroups: *portgroupshost
heavynode:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
searchnode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups: *portgroupsdocker
dockernet:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
searchnode:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
sensor:
chain:
DOCKER-USER:
hostgroups:
self:
portgroups: *portgroupsdocker
strelka_frontend:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
heavynode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups: *portgroupsdocker
dockernet:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
strelka_frontend:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
import:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups: *portgroupsdocker
sensor:
portgroups: *portgroupsdocker
searchnode:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
receiver:
chain:
DOCKER-USER:
hostgroups:
sensor:
portgroups: *portgroupsdocker
searchnode:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
syslog:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
endgame:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
idh:
chain:
DOCKER-USER:
hostgroups:
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
manager:
portgroups: *portgroupshost
managersearch:
portgroups: *portgroupshost
standalone:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
salt/idstools/soc_idstools.yaml
+16 -6
View File
@@ -1,12 +1,14 @@
idstools: idstools:
config: config:
oinkcode: oinkcode:
description: Enter your registration code for paid rulesets. description: Enter your registration/oink code for paid NIDS rulesets.
title: registraion code
global: True global: True
helpLink: rules.html helpLink: rules.html
ruleset: ruleset:
description: Define the ruleset you want to run. Options are ETOPEN or ETPRO. description: Defines the ruleset you want to run. Options are ETOPEN or ETPRO.
global: True global: True
regex: ETPRO\b|ETOPEN\b
helpLink: rules.html helpLink: rules.html
urls: urls:
description: This is a list of additional rule download locations. description: This is a list of additional rule download locations.
@@ -14,20 +16,28 @@ idstools:
helpLink: rules.html helpLink: rules.html
sids: sids:
disabled: disabled:
description: List of SIDS that you want to disable. description: Contains the list of NIDS rules manually disabled across the grid. To disable a rule, add its signature ID (SID) to the Current Grid Value box, one entry per line. To disable multiple rules, you can use regular expressions.
global: True global: True
multiline: True
forcedType: "[]string"
regex: \d*|re:.*
helpLink: managing-alerts.html helpLink: managing-alerts.html
enabled: enabled:
description: List of SIDS that are disabled by the rule source that you want to enable. description: Contains the list of NIDS rules manually enabled across the grid. To enable a rule, add its signature ID (SID) to the Current Grid Value box, one entry per line. To enable multiple rules, you can use regular expressions.
global: True global: True
multiline: True
forcedType: "[]string"
regex: \d*|re:.*
helpLink: managing-alerts.html helpLink: managing-alerts.html
modify: modify:
description: List of SIDS that you want to modify. description: Contains the list of NIDS rules that were modified from their default values. Entries must adhere to the following format - SID "REGEX_SEARCH_TERM" "REGEX_REPLACE_TERM"
global: True global: True
multiline: True
forcedType: "[]string"
helpLink: managing-alerts.html helpLink: managing-alerts.html
rules: rules:
local__rules: local__rules:
description: This is where custom Suricata rules are entered. description: Contains the list of custom NIDS rules applied to the grid. To add custom NIDS rules to the grid, enter one rule per line in the Current Grid Value box.
file: True file: True
global: True global: True
advanced: True advanced: True
salt/kibana/config.map.jinja
+1
View File
@@ -7,6 +7,7 @@
{% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %} {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %}
{% do KIBANACONFIG.kibana.config.xpack.fleet.update({'registryUrl': 'http://' ~ GLOBALS.manager_ip ~ ':8080'}) %}
{% if salt['pillar.get']('kibana:secrets') %} {% if salt['pillar.get']('kibana:secrets') %}
{% do KIBANACONFIG.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey']}}) %} {% do KIBANACONFIG.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey']}}) %}
salt/kibana/defaults.yaml
+3 -1
View File
@@ -30,4 +30,6 @@ kibana:
secureCookies: true secureCookies: true
reporting: reporting:
kibanaServer: kibanaServer:
hostname: localhost hostname: localhost
fleet:
registryUrl: ""
salt/kratos/defaults.yaml
+1
View File
@@ -16,6 +16,7 @@ kratos:
issuer: Security Onion issuer: Security Onion
flows: flows:
settings: settings:
privileged_session_max_age: 5m
ui_url: https://URL_BASE/?r=/settings ui_url: https://URL_BASE/?r=/settings
required_aal: highest_available required_aal: highest_available
verification: verification:
salt/kratos/soc_kratos.yaml
+4 -1
View File
@@ -23,7 +23,6 @@ kratos:
haveibeenpwned_enabled: haveibeenpwned_enabled:
description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled. description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
global: True global: True
advanced: True
helpLink: kratos.html helpLink: kratos.html
totp: totp:
enabled: enabled:
@@ -39,6 +38,10 @@ kratos:
helpLink: kratos.html helpLink: kratos.html
flows: flows:
settings: settings:
privileged_session_max_age:
description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change.
global: True
helpLink: kratos.html
ui_url: ui_url:
description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation. description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation.
global: True global: True
salt/manager/tools/sbin/so-firewall
+133 -90
View File
@@ -1,104 +1,147 @@
#!/usr/bin/bash #!/usr/bin/env python3
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # Copyright 2014-2023 Security Onion Solutions, LLC
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at #
# https://securityonion.net/license; you may not use this file except in compliance with the # This program is free software: you can redistribute it and/or modify
# Elastic License 2.0. # it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common import os
import subprocess
import sys
import time
import yaml
if [[ $# -lt 1 ]]; then lockFile = "/tmp/so-firewall.lock"
echo "Usage: $0 --role=<ROLE> --ip=<IP ADDRESS> --apply=<true|false>" hostgroupsFilename = "/opt/so/saltstack/local/pillar/firewall/soc_firewall.sls"
echo "" defaultsFilename = "/opt/so/saltstack/default/salt/firewall/defaults.yaml"
echo " Example: so-firewall --role=sensor --ip=192.168.254.100 --apply=true"
echo ""
exit 1
fi
for i in "$@"; do def showUsage(options, args):
case $i in print('Usage: {} [OPTIONS] <COMMAND> [ARGS...]'.format(sys.argv[0]))
-r=*|--role=*) print(' Options:')
ROLE="${i#*=}" print(' --apply - After updating the firewall configuration files, apply the new firewall state')
shift print('')
;; print(' General commands:')
-i=*|--ip=*) print(' help - Prints this usage information.')
IP="${i#*=}" print(' apply - Apply the firewall state.')
shift print('')
;; print(' Host commands:')
-a=*|--apply*) print(' includehost - Includes the given IP in the given group. Args: <GROUP_NAME> <IP>')
APPLY="${i#*=}" print(' addhostgroup - Adds a new, custom host group. Args: <GROUP_NAME>')
shift print('')
;; print(' Where:')
-*|--*) print(' GROUP_NAME - The name of an alias group (Ex: analyst)')
echo "Unknown option $i" print(' IP - Either a single IP address (Ex: 8.8.8.8) or a CIDR block (Ex: 10.23.0.0/16).')
exit 1 sys.exit(1)
;;
*)
;;
esac
done
ROLE=${ROLE,,} def checkApplyOption(options):
APPLY=${APPLY,,} if "--apply" in options:
return apply(None, None)
function rolecall() { def loadYaml(filename):
THEROLE=$1 file = open(filename, "r")
THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval fleet heavynodes idh manager managersearch receivers searchnodes sensors standalone strelka_frontend syslog" content = file.read()
return yaml.safe_load(content)
for AROLE in $THEROLES; do def writeYaml(filename, content):
if [ "$AROLE" = "$THEROLE" ]; then file = open(filename, "w")
return 0 return yaml.dump(content, file)
fi
done
return 1
}
# Make sure the required options are specified def addIp(name, ip):
if [ -z "$ROLE" ]; then content = loadYaml(hostgroupsFilename)
echo "Please specify a role with --role=" defaults = loadYaml(defaultsFilename)
exit 1 allowedHostgroups = defaults['firewall']['hostgroups']
fi unallowedHostgroups = ['anywhere', 'dockernet', 'localhost', 'self']
if [ -z "$IP" ]; then for hg in unallowedHostgroups:
echo "Please specify an IP address with --ip=" allowedHostgroups.pop(hg)
exit 1 if not content:
fi content = {'firewall': {'hostgroups': {name: []}}}
if name in allowedHostgroups:
if name not in content['firewall']['hostgroups']:
hostgroup = content['firewall']['hostgroups'].update({name: [ip]})
else:
hostgroup = content['firewall']['hostgroups'][name]
else:
print('Host group not defined in salt/firewall/defaults.yaml or hostgroup name is unallowed.', file=sys.stderr)
return 4
ips = hostgroup
if ips is None:
ips = []
hostgroup = ips
if ip not in ips:
ips.append(ip)
else:
print('Already exists', file=sys.stderr)
return 3
writeYaml(hostgroupsFilename, content)
return 0
# Are we dealing with a role that this script supports? def includehost(options, args):
if rolecall "$ROLE"; then if len(args) != 2:
echo "$ROLE is a supported role" print('Missing host group name or ip argument', file=sys.stderr)
else showUsage(options, args)
echo "This is not a supported role" result = addIp(args[0], args[1])
exit 1 code = result
fi if code == 0:
code = checkApplyOption(options)
return code
# Are we dealing with an IP? def apply(options, args):
if verify_ip4 "$IP"; then proc = subprocess.run(['salt-call', 'state.apply', 'firewall', 'queue=True'])
echo "$IP is a valid IP or CIDR" return proc.returncode
else
echo "$IP is not a valid IP or CIDR"
exit 1
fi
local_salt_dir=/opt/so/saltstack/local/salt/firewall def main():
options = []
args = sys.argv[1:]
for option in args:
if option.startswith("--"):
options.append(option)
args.remove(option)
# Let's see if the file exists and if it does, let's see if the IP exists. if len(args) == 0:
if [ -f "$local_salt_dir/hostgroups/$ROLE" ]; then showUsage(options, None)
if grep -q $IP "$local_salt_dir/hostgroups/$ROLE"; then
echo "Host already exists"
exit 0
fi
fi
# If you have reached this part of your quest then let's add the IP commands = {
echo "Adding $IP to the $ROLE role" "help": showUsage,
echo "$IP" >> $local_salt_dir/hostgroups/$ROLE "includehost": includehost,
"apply": apply
}
# Check to see if we are applying this right away. code=1
if [ "$APPLY" = "true" ]; then
echo "Applying the firewall rules" try:
salt-call state.apply firewall queue=True lockAttempts = 0
echo "Firewall rules have been applied... Review logs further if there were errors." maxAttempts = 30
echo "" while lockAttempts < maxAttempts:
else lockAttempts = lockAttempts + 1
echo "Firewall rules will be applied next salt run" try:
fi f = open(lockFile, "x")
f.close()
break
except:
time.sleep(2)
if lockAttempts == maxAttempts:
print("Lock file (" + lockFile + ") could not be created; proceeding without lock.")
cmd = commands.get(args[0], showUsage)
code = cmd(options, args[1:])
finally:
try:
os.remove(lockFile)
except:
print("Lock file (" + lockFile + ") already removed")
sys.exit(code)
if __name__ == "__main__":
main()
salt/manager/tools/sbin/so-firewall-minion
+27 -27
View File
@@ -49,34 +49,34 @@ fi
case "$ROLE" in case "$ROLE" in
'MANAGER') 'MANAGER')
so-firewall --role=manager --ip="$IP" so-firewall includehost manager "$IP"
;; ;;
'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') 'MANAGERSEARCH')
so-firewall --role=manager --ip="$IP" so-firewall includehost manager "$IP"
so-firewall --role=sensors --ip="$IP" so-firewall includehost searchnode "$IP" --apply
so-firewall --apply=true --role=searchnodes --ip="$IP"
;; ;;
'FLEET' | 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER') 'EVAL' | 'STANDALONE' | 'IMPORT')
case "$ROLE" in so-firewall includehost manager "$IP"
'FLEET') so-firewall includehost sensor "$IP"
so-firewall --apply=true --role=fleet --ip="$IP" so-firewall includehost searchnode "$IP" --apply
;; ;;
'SENSOR') 'FLEET')
so-firewall --apply=true --role=sensors --ip="$IP" so-firewall includehost fleet "$IP" --apply
;; ;;
'SEARCHNODE') 'SENSOR')
so-firewall --apply=true --role=searchnodes --ip="$IP" so-firewall includehost sensor "$IP" --apply
;; ;;
'HEAVYNODE') 'SEARCHNODE')
so-firewall --role=sensors --ip="$IP" so-firewall includehost searchnode "$IP" --apply
so-firewall --apply=true --role=heavynodes --ip="$IP" ;;
;; 'HEAVYNODE')
'IDH') so-firewall includehost sensor "$IP"
so-firewall --apply=true --role=sensors --ip="$IP" so-firewall includehost heavynode "$IP" --apply
;; ;;
'RECEIVER') 'IDH')
so-firewall --apply=true --role=receivers --ip="$IP" so-firewall includehost sensor "$IP" --apply
;; ;;
esac 'RECEIVER')
so-firewall includehost receiver "$IP" --apply
;; ;;
esac esac
salt/nginx/etc/nginx.conf
+16
View File
@@ -43,6 +43,22 @@ http {
return 307 https://{{ GLOBALS.url_base }}$request_uri; return 307 https://{{ GLOBALS.url_base }}$request_uri;
} }
server {
listen 8443;
server_name {{ GLOBALS.url_base }};
root /opt/socore/html;
location /artifacts/ {
try_files $uri =206;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server { server {
listen 443 ssl http2 default_server; listen 443 ssl http2 default_server;
server_name _; server_name _;
salt/nginx/init.sls
+1
View File
@@ -96,6 +96,7 @@ so-nginx:
- /opt/so/tmp/nginx/:/var/lib/nginx:rw - /opt/so/tmp/nginx/:/var/lib/nginx:rw
- /opt/so/tmp/nginx/:/run:rw - /opt/so/tmp/nginx/:/run:rw
- /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/:/opt/socore/html/packages - /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/:/opt/socore/html/packages
- /nsm/elastic-fleet/artifacts/:/opt/socore/html/artifacts
{% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
- /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro
- /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro
salt/top.sls
+1
View File
@@ -176,6 +176,7 @@ base:
- redis - redis
{%- endif %} {%- endif %}
{%- if KIBANA %} {%- if KIBANA %}
- elastic-fleet-package-registry
- kibana.so_savedobjects_defaults - kibana.so_savedobjects_defaults
{%- endif %} {%- endif %}
- pcap - pcap
salt/zeek/files/node.cfg.jinja
+3 -3
View File
@@ -16,10 +16,10 @@ type=worker
host=localhost host=localhost
interface=af_packet::{{ NODE.interface }} interface=af_packet::{{ NODE.interface }}
lb_method=custom lb_method=custom
{%- if NODE.lb_procs %} {%- if NODE.pins %}
lb_procs={{ NODE.lb_procs }}
{%- else %}
lb_procs={{ NODE.pins | length }} lb_procs={{ NODE.pins | length }}
{%- else %}
lb_procs={{ NODE.lb_procs }}
{%- endif %} {%- endif %}
{%- if NODE.pins %} {%- if NODE.pins %}
pin_cpus={{ NODE.pins | join(", ") }} pin_cpus={{ NODE.pins | join(", ") }}
salt/zeek/soc_zeek.yaml
+12 -6
View File
@@ -6,30 +6,36 @@ zeek:
config: config:
local: local:
load: load:
description: List of Zeek policies to load description: Contains a list of policies and scripts loaded by Zeek. Values in the Current Grid Value dialog box apply to every instance of Zeek. Values in a dialog box for a specific node will only apply to that node.
forcedType: "[]string" forcedType: "[]string"
helpLink: zeek.html helpLink: zeek.html
load-sigs: load-sigs:
description: List of Zeek signatures to load description: Contains a list of signatures loaded by Zeek. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
forcedType: "[]string" forcedType: "[]string"
helpLink: zeek.html helpLink: zeek.html
redef: redef:
description: List of Zeek variables to redefine description: List of Zeek variables to redefine. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
forcedType: "[]string" forcedType: "[]string"
advanced: True advanced: True
helpLink: zeek.html helpLink: zeek.html
node: node:
lb_procs: lb_procs:
description: This is the number of CPUs to use for Zeek. This setting is ignored if you are using pins. description: Contains the number of CPU cores or workers used by Zeek. This setting should only be applied to individual nodes and will be ignored if CPU affinity is enabled.
title: workers
helpLink: zeek.html helpLink: zeek.html
node: True node: True
pins_enabled: pins_enabled:
description: Enabling this setting allows you to pin Zeek to specific CPUs. description: Enabling this setting allows you to pin Zeek to specific CPUs.
title: cpu affinity enabled
forcedType: bool
helpLink: zeek.html helpLink: zeek.html
node: True node: True
advanced: True advanced: True
pins: pins:
description: This is a list of CPUs you want to pin Zeek to. description: Contains a list of specific CPU cores pinned to Zeek workers. To set the CPU affinity, enter the processor ID number in the dialog box for the desired node. To retrieve the processor ID numbers, run the command "cat /proc/cpuinfo | grep processor" on the desired node. Please note that this setting should only be applied to individual nodes.
title: cpu affinity
multiline: True
forcedType: "[]string"
helpLink: zeek.html helpLink: zeek.html
node: True node: True
advanced: True advanced: True
@@ -47,5 +53,5 @@ zeek:
global: True global: True
advanced: True advanced: True
file_extraction: file_extraction:
description: This is a list of MIME types that Zeek will extract from the network streams. description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENTION"}
helpLink: zeek.html helpLink: zeek.html
setup/so-functions
+27 -14
View File
@@ -917,17 +917,19 @@ create_repo() {
logCmd "createrepo /nsm/repo" logCmd "createrepo /nsm/repo"
} }
detect_cloud() {
info "Testing if setup is running on a cloud instance..."
if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || \
( curl --fail -s -m 5 -H "X-aws-ec2-metadata-token: $(curl -s -X PUT -m 5 'http://169.254.169.254/latest/api/token' -H 'X-aws-ec2-metadata-token-ttl-seconds: 30')" http://169.254.169.254/latest/meta-data/instance-id > /dev/null) || \
(dmidecode -s bios-vendor | grep -q Google > /dev/null) || \
[ -f /var/log/waagent.log ]; then
info "Detected a cloud installation..." && export is_cloud="true"; detect_cloud() {
else info "Testing if setup is running on a cloud instance..."
info "This does not appear to be a cloud installation." if dmidecode -s bios-version | grep -q amazon || \
fi dmidecode -s bios-vendor | grep -q Amazon || \
dmidecode -s bios-vendor | grep -q Google || \
[ -f /var/log/waagent.log ]; then
info "Detected a cloud installation..."
export is_cloud="true"
else
info "This does not appear to be a cloud installation."
fi
} }
detect_os() { detect_os() {
@@ -962,6 +964,17 @@ detect_os() {
} }
download_elastic_agent_artifacts() {
#TODO - ISO
logCmd "mkdir -p /nsm/elastic-fleet/artifacts/beats/elastic-agent/"
logCmd "curl --retry 5 --retry-delay 60 https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz"
logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/"
}
installer_progress_loop() { installer_progress_loop() {
local i=0 local i=0
local msg="${1:-Performing background actions...}" local msg="${1:-Performing background actions...}"
@@ -2312,18 +2325,18 @@ set_initial_firewall_policy() {
case "$install_type" in case "$install_type" in
'EVAL' | 'MANAGER' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') 'EVAL' | 'MANAGER' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=$install_type --ip=$MAINIP --apply=true $default_salt_dir/salt/common/tools/sbin/so-firewall includehost $minion_type $MAINIP --apply
;; ;;
esac esac
} }
set_initial_firewall_access() { set_initial_firewall_access() {
if [[ ! -z "$ALLOW_CIDR" ]]; then if [[ ! -z "$ALLOW_CIDR" ]]; then
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=analyst --ip=$ALLOW_CIDR --apply=true $default_salt_dir/salt/common/tools/sbin/so-firewall includehost analyst $ALLOW_CIDR --apply
fi fi
if [[ ! -z "$MINION_CIDR" ]]; then if [[ ! -z "$MINION_CIDR" ]]; then
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=sensors --ip=$MINION_CIDR --apply=false $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensors $MINION_CIDR
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=searchnodes --ip=$MINION_CIDR --apply=true $default_salt_dir/salt/common/tools/sbin/so-firewall includehost searchnodes $MINION_CIDR --apply
fi fi
} }
setup/so-setup
+3
View File
@@ -607,6 +607,9 @@ if ! [[ -f $install_opt_file ]]; then
securityonion_repo securityonion_repo
# Update existing packages # Update existing packages
update_packages update_packages
# Download Elastic Agent Artifacts
title "Downloading Elastic Agent Artifacts"
download_elastic_agent_artifacts
# Install salt # Install salt
saltify saltify
# Start the master service # Start the master service
setup/so-whiptail
+1 -1
View File
@@ -471,7 +471,7 @@ whiptail_gauge_post_setup() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
idh_preferences=$(whiptail --title "$whiptail_title" --radiolist \ idh_preferences=$(whiptail --title "$whiptail_title" --radiolist \
"\nBy default, the IDH services selected in the previous screen will be bound to all interfaces and IP addresses on this system.\n\nIf you would like to prevent IDH services from being published on this system's management IP, you can select the option below." 20 75 5 \ "\nBy default, IDH services will be bound to all interfaces and IP addresses on this system.\n\nIf you would like to prevent IDH services from being published on this system's management IP, you can select the option below." 20 75 5 \
"$MAINIP" "Disable IDH services on this management IP " OFF 3>&1 1>&2 2>&3 ) "$MAINIP" "Disable IDH services on this management IP " OFF 3>&1 1>&2 2>&3 )
local exitstatus=$? local exitstatus=$?