From 8c8e0bf0e453adb430074622e530699ea359b49e Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Wed, 13 May 2020 16:15:41 -0400
Subject: [PATCH 1/4] [fix] Set hostname correctly so salt picks it up before reboot

---
 setup/so-functions | 10 ++++------
 setup/so-whiptail | 2 ++
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index d769e72ad..7a6463a89 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1282,12 +1282,9 @@ set_hostname() {
 set_hostname_iso
- HOSTNAME=$(cat /etc/hostname)
 if [[ ! $install_type =~ ^(MASTER|EVAL|HELIXSENSOR|MASTERSEARCH)$ ]]; then
- if [[ $TESTHOST = *"not found"* ]] || [ -z "$TESTHOST" ] || [[ $TESTHOST = *"connection timed out"* ]]; then
- if ! grep -q "$MSRVIP" /etc/hosts; then
- echo "$MSRVIP $MSRV" >> /etc/hosts
- fi
+ if ! getent hosts "$MSRV"; then
+ echo "$MSRVIP $MSRV" >> /etc/hosts
 fi
 fi
@@ -1297,9 +1294,10 @@ set_hostname_iso() {
 hostnamectl set-hostname --static "$HOSTNAME"
 echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts
- echo "::1 $HOSTNAME $HOSTNAME localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
+ echo "::1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
 echo "$HOSTNAME" > /etc/hostname
+ hostname -F /etc/hostname
 }
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 6de8e6fdd..fe9c4c7b1 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -905,6 +905,8 @@ whiptail_set_hostname() {
 [ -n "$TESTING" ] && return
+ HOSTNAME=$(cat /etc/hostname)
+
 HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \
 "Enter the Hostname you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3)
From d7f5246dc40372671c352347d4805fe3554b3f86 Mon Sep 17 00:00:00 2001
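Review bot: `getent hosts "$MSRV"` consults every nsswitch source, so if the master name already resolves through DNS to some address other than `$MSRVIP`, the new branch skips the /etc/hosts pin and the minion presumably connects to whatever DNS answered, whereas the replaced `grep -q "$MSRVIP" /etc/hosts` checked for the intended address itself. On success `getent` also prints the resolved entry to stdout, which unlike the rest of this file is not redirected to `"$setup_log"`. Consider `if ! getent hosts "$MSRV" | grep -qw "$MSRVIP"; then`, or at minimum `if ! getent hosts "$MSRV" >/dev/null; then`, and note that an empty `$MSRV` still appends a dangling `"$MSRVIP "` line, so a `[ -n "$MSRV" ]` guard is worth adding. `set_hostname` continues past the end of the hunk.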
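Review bot: The new `hostname -F /etc/hostname`, like the `hostnamectl` call above it, sends its output and errors to the console rather than to `"$setup_log"` as the other setup commands in this file do, so a failed kernel-hostname update would leave no trace in the log. Suggest `hostname -F /etc/hostname >> "$setup_log" 2>&1`, plus a one-line comment such as `# also set the running (kernel) hostname so salt picks up the new name before the reboot` recording why both the static and the transient name are set here. The hunk's blank context lines appear to have been lost in the paste, so the exact end of `set_hostname_iso` is not visible.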
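Review bot: The value returned by the whiptail dialog two lines below the new seed line is assigned to `HOSTNAME` without any validation, and `set_hostname_iso` in so-functions writes it verbatim into /etc/hosts, /etc/hostname and `hostnamectl set-hostname`; a name containing spaces, a leading hyphen or a label longer than 63 characters would yield malformed hosts entries and a failing `hostname -F`. A check such as `[[ $HOSTNAME =~ ^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$ ]]` before accepting the input would close that gap, unless it already happens later in `whiptail_set_hostname`, which continues outside the hunk. Seeding the default from /etc/hostname is fine; `$(< /etc/hostname)` gives the same string without the `cat` fork.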
From: William Wernert
Date: Wed, 13 May 2020 16:19:06 -0400
Subject: [PATCH 2/4] [feat] Add quiet flag to wget

---
 setup/so-functions | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index 7a6463a89..08a940ef3 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1028,9 +1028,9 @@ saltify() {
 yum -y install sqlite argon2 curl mariadb-devel >> "$setup_log" 2>&1
 # Download Ubuntu Keys in case master updates = 1
 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1
- wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
- wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1
- wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1
+ wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
+ wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1
+ wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1
 cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1
 set_progress_str 7 'Installing salt-master'
 yum -y install salt-master-2019.2.4 >> "$setup_log" 2>&1
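Review bot: `-q` suppresses wget's error messages along with its progress output, so a failed or truncated download of these repository signing keys, which are the trust anchors for the Salt, Docker and Wazuh packages installed right after, now leaves nothing in `"$setup_log"`, and no exit status is checked either; the same applies to the hunks at `@@ -1097` and `@@ -1106` below, where the `wget -q ... -O - | apt-key add -` form additionally hides wget's status behind the pipe. `--no-verbose` (`-nv`) drops the progress bar but keeps the error lines, e.g. `wget -nv --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1`, and a trailing `|| echo "docker key download failed" >> "$setup_log"` (or `set -o pipefail` around the piped call) would make a failed key fetch visible instead of surfacing later as a gpgcheck or apt signature error. `saltify` extends well beyond each of these hunks.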
@@ -1097,7 +1097,7 @@ saltify() {
 if [ "$OSVER" != "xenial" ]; then local py_ver_url_path="/py3"; else local py_ver_url_path="/apt"; fi
 # Add saltstack repo(s)
- wget --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/2019.2/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1
+ wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/2019.2/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1
 echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/2019.2 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list
 # Add Docker repo
@@ -1106,9 +1106,9 @@ saltify() {
 # Get gpg keys
 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1
- wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/"$ubuntu_version"/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
- wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1
- wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1
+ wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/"$ubuntu_version"/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
+ wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1
+ wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1
 # Get key and install wazuh
 curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - >> "$setup_log" 2>&1
From 6e4ee26a58c7cb9b24d233aade9e4fd745adc3be Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 13 May 2020 16:34:35 -0400
Subject: [PATCH 3/4] Elastalert --> TheHive fixes

---
 salt/elastalert/files/elastalert_config.yaml | 2 +-
 salt/elastalert/files/rules/so/nids2hive.yaml | 6 +++---
 salt/elastalert/init.sls | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/salt/elastalert/files/elastalert_config.yaml b/salt/elastalert/files/elastalert_config.yaml
index e71f41bf8..2ecf08ffa 100644
--- a/salt/elastalert/files/elastalert_config.yaml
+++ b/salt/elastalert/files/elastalert_config.yaml
@@ -2,7 +2,7 @@
 {% set esport = salt['pillar.get']('master:es_port', '') %}
 # This is the folder that contains the rule yaml files
 # Any .yaml file will be loaded as a rule
-rules_folder: /etc/elastalert/rules/
+rules_folder: /opt/elastalert/rules/
 # Sets whether or not ElastAlert should recursively descend
 # the rules directory - true or false
diff --git a/salt/elastalert/files/rules/so/nids2hive.yaml b/salt/elastalert/files/rules/so/nids2hive.yaml
index b7593b1d2..ee17cce38 100644
--- a/salt/elastalert/files/rules/so/nids2hive.yaml
+++ b/salt/elastalert/files/rules/so/nids2hive.yaml
@@ -23,13 +23,13 @@ filter:
 query_string:
 query: "event.module: suricata"
-alert: modules.so.thehive.TheHiveAlerter
+alert: hivealerter
 hive_connection:
 hive_host: http://{{hivehost}}
- hive_port: 9000
+ hive_port: 9000/thehive
 hive_apikey: {{hivekey}}
-
+
 hive_proxies:
 http: ''
 https: ''
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 83e7b5655..08cb0836d 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -118,7 +118,7 @@ so-elastalert:
 - user: elastalert
 - detach: True
 - binds:
- - /opt/so/rules/elastalert:/opt/rules/:ro
+ - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
 - /opt/so/log/elastalert:/var/log/elastalert:rw
 - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
 - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/config/elastalert_config.yaml:ro
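Review bot: `rules_folder` only works because it matches the container-side path of the rules bind mount in `salt/elastalert/init.sls`, which this same patch changes to `/opt/elastalert/rules/`, yet neither file records that coupling. A comment next to the key, e.g. `# Must match the container path of the rules bind for so-elastalert in salt/elastalert/init.sls`, would keep the two from drifting apart again; the mismatch this patch fixes is exactly that kind of drift.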
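Review bot: `hive_port: 9000/thehive` turns a port number into a string and presumably works only because `hivealerter` concatenates `hive_host` and `hive_port` into the request URL; that is a non-obvious use of the key and should be explained in place, e.g. `# hivealerter builds the URL as <hive_host>:<hive_port>, so the /thehive path prefix TheHive is served under is appended here`. Switching from the custom `modules.so.thehive.TheHiveAlerter` to the built-in `hivealerter` also ties this rule to the alerter shipped in the container image, so the ElastAlert version it was verified against is worth noting alongside.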
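Review bot: With `nids2hive.yaml` now using the built-in `hivealerter`, the `/opt/so/conf/elastalert/modules/` bind two lines below the changed one may no longer be referenced by any rule; if `modules.so.thehive` is not used elsewhere, dropping the mount (and the module it exposes) removes unmaintained code from the container. This is inferred only from the rule change in this patch, so please confirm against the other rule files before removing it.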
From c3627c38e3fc3145a3cc629e07c80b450d620010 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 13 May 2020 17:03:14 -0400
Subject: [PATCH 4/4] Elastalert - NIDS fix

---
 salt/elastalert/files/rules/so/nids2hive.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/elastalert/files/rules/so/nids2hive.yaml b/salt/elastalert/files/rules/so/nids2hive.yaml
index ee17cce38..dc67119e4 100644
--- a/salt/elastalert/files/rules/so/nids2hive.yaml
+++ b/salt/elastalert/files/rules/so/nids2hive.yaml
@@ -15,7 +15,7 @@ timeframe:
 buffer_time:
 minutes: 10
 allow_buffer_time_overlap: true
-query_key: ["rule.signature_id"]
+query_key: ["rule.uuid"]
 realert:
 days: 1
 filter:
@@ -40,7 +40,7 @@ hive_alert_config:
 source: 'SecurityOnion'
 description: "`NIDS Dashboard:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
 severity: 2
- tags: ['{match[rule][signature_id]}','{match[source][ip]}','{match[destination][ip]}']
+ tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}']
 tlp: 3
 status: 'New'
 follow: True
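Review bot: Both hunks now assume a `rule.uuid` field exists on every Suricata alert document, once as the `query_key` that drives `realert` de-duplication and once as `{match[rule][uuid]}` in `tags`; if the alerter formats the tag template with `str.format`, a document without that field would raise on the missing key and drop the alert rather than degrade it, whereas `rule.signature_id` came straight from Suricata. A short comment above `query_key`, e.g. `# rule.uuid is added by the Security Onion Suricata pipeline, not by Suricata itself; alerts lacking it will fail tag formatting`, would document the assumption for whoever next touches the ingest pipeline.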