merge with dev, resolve conflicts

This commit is contained in:
m0duspwnens
2021-04-28 10:19:01 -04:00
49 changed files with 280 additions and 330 deletions

View File

@@ -0,0 +1,2 @@
{%- set VERSION = salt['pillar.get']('global:soversion') -%}
{{ VERSION }}

6
salt/common/files/vimrc Normal file
View File

@@ -0,0 +1,6 @@
" Activates filetype detection
filetype plugin indent on
" Sets .sls files to use YAML syntax highlighting
autocmd BufNewFile,BufRead *.sls set syntax=yaml
set number

View File

@@ -69,6 +69,13 @@ salttmp:
- group: 939
- makedirs: True
# VIM config
vimconfig:
file.managed:
- name: /root/.vimrc
- source: salt://common/files/vimrc
- replace: False
# Install common packages
{% if grains['os'] != 'CentOS' %}
commonpkgs:
@@ -95,6 +102,7 @@ commonpkgs:
- python3-mysqldb
- python3-packaging
- git
- vim
heldpackages:
pkg.installed:
@@ -134,6 +142,7 @@ commonpkgs:
- lvm2
- openssl
- git
- vim-enhanced
heldpackages:
pkg.installed:
@@ -269,6 +278,14 @@ backupdir:
- daymonth: '*'
- month: '*'
- dayweek: '*'
{% else %}
soversionfile:
file.managed:
- name: /etc/soversion
- source: salt://common/files/soversion
- mode: 644
- template: jinja
{% endif %}
# Manager daemon.json

View File

@@ -122,6 +122,10 @@ check_elastic_license() {
fi
}
disable_fastestmirror() {
sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
}
elastic_license() {
read -r -d '' message <<- EOM

View File

@@ -19,6 +19,6 @@
# Check to see if we are already running
IS_RUNNING=$(ps aux | pgrep -f "so-playbook-sync" | wc -l)
[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - Multiple Playbook Sync processes already running...exiting." && exit 0
[ "$IS_RUNNING" -gt 3 ] && echo "$(date) - Multiple Playbook Sync processes already running...exiting." && exit 0
docker exec so-soctopus python3 playbook_play-sync.py

View File

@@ -116,7 +116,7 @@ clean() {
# Check to see if we are already running
IS_RUNNING=$(ps aux | pgrep -f "so-sensor-clean" | wc -l)
[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0
[ "$IS_RUNNING" -gt 3 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0
if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; do

View File

@@ -453,18 +453,18 @@ up_2.3.3X_to_2.3.50_repo() {
if [[ "$OS" == "centos" ]]; then
# Import GPG Keys
gpg_rpm_import
echo "Disabling fastestmirror."
disable_fastestmirror
echo "Deleting unneeded repo files."
DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh')
for DELREPO in "${DELREPOS[@]}"; do
if [[ -f "/etc/yum.repos.d/$DELREPO.repo" ]]; then
echo "Deleting $DELREPO.repo"
rm -f "/etc/yum.repos.d/$DELREPO.repo"
fi
done
if [ $is_airgap -eq 1 ]; then
echo "Deleting unneeded repo files."
DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh')
for DELREPO in "${DELREPOS[@]}"; do
if [[ -f "/etc/yum.repos.d/$DELREPO.repo" ]]; then
echo "Deleting $DELREPO.repo"
rm -f "/etc/yum.repos.d/$DELREPO.repo"
fi
done
# Copy the new repo file if not airgap
cp $UPDATE_DIR/salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/
yum clean all
@@ -474,6 +474,34 @@ up_2.3.3X_to_2.3.50_repo() {
}
up_2.3.3X_to_2.3.50() {
cat <<EOF > /tmp/supersed.txt
/so-zeek:/ {
p;
n;
/shards:/ {
p;
n;
/warm:/ {
p;
n;
/close:/ {
s/close: 365/close: 45/;
p;
n;
/delete:/ {
s/delete: 45/delete: 365/;
p;
d;
}
}
}
}
}
p;
EOF
sed -n -i -f /tmp/supersed.txt /opt/so/saltstack/local/pillar/global.sls
rm /tmp/supersed.txt
INSTALLEDVERSION=2.3.50
}
@@ -687,6 +715,9 @@ echo ""
echo "Updating dockers to $NEWVERSION."
if [ $is_airgap -eq 0 ]; then
airgap_update_dockers
update_centos_repo
yum clean all
check_os_updates
else
update_registry
update_docker_containers "soup"
@@ -708,10 +739,6 @@ preupgrade_changes_2.3.50_repo
if [ "$UPGRADESALT" == "1" ]; then
echo "Upgrading Salt"
# Update the repo files so it can actually upgrade
if [ $is_airgap -eq 0 ]; then
update_centos_repo
yum clean all
fi
upgrade_salt
fi
@@ -796,13 +823,12 @@ unmount_update
thehive_maint
if [ "$UPGRADESALT" == "1" ]; then
echo ""
echo "Upgrading Salt on the remaining Security Onion nodes from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
if [ $is_airgap -eq 0 ]; then
salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone' cmd.run "yum clean all"
echo ""
echo "Cleaning repos on remote Security Onion nodes."
salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
echo ""
fi
salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone' -b $BATCHSIZE state.apply salt.minion queue=True
echo ""
fi
check_sudoers

View File

@@ -4322,139 +4322,6 @@
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "InfluxDB",
"fieldConfig": {
"defaults": {
"custom": {}
},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 6,
"w": 8,
"x": 16,
"y": 31
},
"hiddenSeries": false,
"id": 76,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": false,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"nullPointMode": "connected",
"options": {
"alertThreshold": true
},
"percentage": false,
"pluginVersion": "7.3.4",
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"alias": "EPS",
"groupBy": [
{
"params": [
"$__interval"
],
"type": "time"
},
{
"params": [
"null"
],
"type": "fill"
}
],
"measurement": "esteps",
"orderByTime": "ASC",
"policy": "default",
"queryType": "randomWalk",
"refId": "A",
"resultFormat": "time_series",
"select": [
[
{
"params": [
"eps"
],
"type": "field"
},
{
"params": [],
"type": "mean"
}
]
],
"tags": [
{
"key": "host",
"operator": "=",
"value": "{{ SERVERNAME }}"
}
]
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "{{ SERVERNAME }} - Estimated EPS",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": "EPS",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
}
],
"refresh": false,

View File

@@ -5157,7 +5157,7 @@
"type": "fill"
}
],
"measurement": "esteps",
"measurement": "consumptioneps",
"orderByTime": "ASC",
"policy": "default",
"queryType": "randomWalk",

View File

@@ -5562,7 +5562,7 @@
"type": "fill"
}
],
"measurement": "esteps",
"measurement": "consumptioneps",
"orderByTime": "ASC",
"policy": "default",
"queryType": "randomWalk",

View File

@@ -90,3 +90,7 @@ PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirr
# MaxDlSpeed: 500
# MaxInresponsiveDlSize: 64000
# BadRedirDetectMime: text/html
{% set proxy = salt['pillar.get']('manager:proxy') -%}
{% if proxy -%}
Proxy: {{ proxy }}
{% endif -%}

View File

@@ -18,7 +18,6 @@
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
{% set managerproxy = salt['pillar.get']('global:managerupdate', '0') %}
{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}
socore_own_saltstack:
@@ -35,8 +34,6 @@ socore_own_saltstack:
- mode: 750
- replace: False
{% if managerproxy == 1 %}
# Create the directories for apt-cacher-ng
aptcacherconfdir:
file.directory:
@@ -60,11 +57,12 @@ aptcacherlogdir:
- makedirs: true
# Copy the config
acngcopyconf:
file.managed:
- name: /opt/so/conf/aptcacher-ng/etc/acng.conf
- source: salt://manager/files/acng/acng.conf
- template: jinja
- show_changes: False
# Install the apt-cacher-ng container
so-aptcacherng:
@@ -84,8 +82,6 @@ append_so-aptcacherng_so-status.conf:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-aptcacherng
{% endif %}
strelka_yara_update_old_1:
cron.absent:
- user: root

View File

@@ -12,7 +12,7 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
clean_requirements_on_remove=1
{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', '0') -%}
{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import']) and ( salt['pillar.get']('global:managerupdate', '0') or salt['pillar.get']('patch:os:source', 'direct') == 'manager' ) -%}
proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142
{% elif proxy -%}
proxy={{ proxy }}

View File

@@ -16,8 +16,9 @@ airgap_repo:
pkgrepo.managed:
- humanname: Airgap Repo
- baseurl: https://{{ MANAGER }}/repo
- gpgcheck: 1
- gpgcheck: 0
- sslverify: 0
{% endif %}
# from airgap and common
@@ -63,6 +64,7 @@ yumconf:
- source: salt://repo/client/files/centos/yum.conf.jinja
- mode: 644
- template: jinja
- show_changes: False
{% endif %}
cleanyum:

View File

@@ -3,13 +3,15 @@
{% if grains.os == 'Ubuntu' %}
{% set SPLITCHAR = '+' %}
{% set SALTNOTHELD = salt['cmd.run']('apt-mark showhold | grep salt-* ; echo $?', python_shell=True) %}
{% set SALTNOTHELD = salt['cmd.run']('apt-mark showhold | grep -q salt ; echo $?', python_shell=True) %}
{% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion'] %}
{% set SALT_STATE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/states' %}
{% set SALT_MODULE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/modules' %}
{% set PYTHON3INFLUX= 'python3-influxdb' %}
{% else %}
{% set SPLITCHAR = '-' %}
{% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep salt-* ; echo $?', python_shell=True) %}
{% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep -q salt ; echo $?', python_shell=True) %}
{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion'] %}
{% set SALT_STATE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/states' %}
{% set SALT_MODULE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/modules' %}
{% set PYTHON3INFLUX= 'securityonion-python3-influxdb' %}
@@ -19,9 +21,9 @@
{% if grains.saltversion|string != SALTVERSION|string %}
{% if grains.os|lower in ['centos', 'redhat'] %}
{% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*"' %}
{% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION %}
{% elif grains.os|lower == 'ubuntu' %}
{% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && apt-mark hold salt-common && apt-mark hold salt-minion' %}
{% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION %}
{% endif %}
{% else %}
{% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}

View File

@@ -2,6 +2,7 @@
{% from 'salt/map.jinja' import SALTVERSION %}
{% from 'salt/map.jinja' import INSTALLEDSALTVERSION %}
{% from 'salt/map.jinja' import SALTNOTHELD %}
{% from 'salt/map.jinja' import SALTPACKAGES %}
{% import_yaml 'salt/minion.defaults.yaml' as SALTMINION %}
{% set service_start_delay = SALTMINION.salt.minion.service_start_delay %}
@@ -12,11 +13,14 @@ include:
{% if INSTALLEDSALTVERSION|string != SALTVERSION|string %}
{% if SALTNOTHELD == 0 %}
{% if SALTNOTHELD | int == 0 %}
unhold_salt_packages:
module.run:
- pkg.unhold:
- name: 'salt-*'
- pkgs:
{% for package in SALTPACKAGES %}
- {{ package }}
{% endfor %}
{% endif %}
install_salt_minion:
@@ -30,11 +34,14 @@ install_salt_minion:
{% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
{% if SALTNOTHELD == 1 %}
{% if SALTNOTHELD | int == 1 %}
hold_salt_packages:
module.run:
- pkg.hold:
- name: 'salt-*'
- pkgs:
{% for package in SALTPACKAGES %}
- {{ package }}
{% endfor %}
{% endif %}
set_log_levels:

View File

@@ -1,6 +1,6 @@
## Getting Started
New to Security Onion 2? Check out the [Online Help](/docs/) and [Cheatsheet](/docs/cheatsheet.pdf) to learn how to best utilize Security Onion to hunt for evil! Find them in the upper-right menu.
New to Security Onion 2? Check out the [Online Help](/docs/) and [Cheatsheet](/docs/cheatsheet.pdf) to learn how to best utilize Security Onion to hunt for evil! Find them in the upper-right menu. Also, watch our free Security Onion 2 Essentials online course, available on our [Training](https://securityonionsolutions.com/training) website.
If you're ready to dive-in, take a look at the [Alerts](/#/alerts) interface to see what Security Onion has detected so far. Or navigate to the [Hunt](/#/hunt) interface to hunt for evil that the alerts might have missed!
@@ -10,16 +10,18 @@ The release notes have moved to the upper-right menu. Click on the [What's New](
## Customize This Space
Make this area your own by customizing the content. The content is stored in the `motd.md` file, which uses the common Markdown (.md) format. Visit [mardownguide.org](https://www.markdownguide.org/) to learn more about the simple Markdown format.
Make this area your own by customizing the content. The content is stored in the `motd.md` file, which uses the common Markdown (.md) format. Visit [markdownguide.org](https://www.markdownguide.org/) to learn more about the simple Markdown format.
To customize this content, login to the manager via SSH and execute the following command:
```bash
cp -f /opt/so/saltstack/default/salt/soc/files/soc/motd.md /opt/so/saltstack/local/salt/soc/files/soc/motd.md
sudo cp /opt/so/saltstack/default/salt/soc/files/soc/motd.md /opt/so/saltstack/local/salt/soc/files/soc/
```
Now, edit the new file as desired. Finally, run this command:
and edit the new file as desired.
Finally, run this command:
```bash
salt-call state.apply soc queue=True
sudo so-soc-restart
```

View File

@@ -132,8 +132,9 @@ influxkeyperms:
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 30
- retry: 5
- interval: 30
- retry:
attempts: 5
interval: 30
rediskeyperms:
file.managed:
@@ -325,8 +326,9 @@ miniokeyperms:
- x509: /etc/pki/elasticsearch.crt
{%- endif %}
- timeout: 30
- retry: 5
- interval: 30
- retry:
attempts: 5
interval: 30
/etc/pki/elasticsearch.crt:
x509.certificate_managed:

View File

@@ -615,29 +615,18 @@
# ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false
{% if TRUE_CLUSTER %}
{% if grains.role == 'so-manager' %}
[[inputs.elasticsearch]]
servers = ["https://{{ MANAGER }}:9200"]
insecure_skip_verify = true
local = false
cluster_health = true
cluster_stats = true
{% endif %}
{% else %}
# # Read stats from one or more Elasticsearch servers or clusters
{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
[[inputs.elasticsearch]]
servers = ["https://{{ MANAGER }}:9200"]
insecure_skip_verify = true
{% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %}
{% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %}
[[inputs.elasticsearch]]
servers = ["https://{{ NODEIP }}:9200"]
insecure_skip_verify = true
{% endif %}
{% endif %}
#
# ## Timeout for HTTP requests to the elastic search server(s)
# http_timeout = "5s"