merge with dev, resolve conflicts

m0duspwnens
2021-04-28 10:19:01 -04:00
49 changed files with 280 additions and 330 deletions


@@ -1,6 +1,6 @@
## Security Onion 2.3.40
## Security Onion 2.3.50
Security Onion 2.3.40 is here!
Security Onion 2.3.50 is here!
## Screenshots


@@ -1,16 +1,17 @@
### 2.3.40 ISO image built on 2021/03/22
### 2.3.50 ISO image built on 2021/04/27
### Download and Verify
2.3.40 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.3.40.iso
2.3.50 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso
MD5: FB72C0675F262A714B287BB33CE82504
SHA1: E8F5A9AA23990DF794611F9A178D88414F5DA81C
SHA256: DB125D6E770F75C3FD35ABE3F8A8B21454B7A7618C2B446D11B6AC8574601070
MD5: C39CEA68B5A8AFC5CFFB2481797C0374
SHA1: 00AD9F29ABE3AB495136989E62EBB8FA00DA82C6
SHA256: D77AE370D7863837A989F6735413D1DD46B866D8D135A4C363B0633E3990387E
Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.40.iso.sig
https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig
Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -24,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
Download the signature file for the ISO:
```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.40.iso.sig
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig
```
Download the ISO image:
```
wget https://download.securityonion.net/file/securityonion/securityonion-2.3.40.iso
wget https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso
```
Verify the downloaded ISO image using the signature file:
```
gpg --verify securityonion-2.3.40.iso.sig securityonion-2.3.40.iso
gpg --verify securityonion-2.3.50.iso.sig securityonion-2.3.50.iso
```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
```
gpg: Signature made Mon 22 Mar 2021 09:35:50 AM EDT using RSA key ID FE507013
gpg: Signature made Tue 27 Apr 2021 02:17:25 PM EDT using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.


@@ -0,0 +1,2 @@
{%- set VERSION = salt['pillar.get']('global:soversion') -%}
{{ VERSION }}

6
salt/common/files/vimrc Normal file

@@ -0,0 +1,6 @@
" Activates filetype detection
filetype plugin indent on
" Sets .sls files to use YAML syntax highlighting
autocmd BufNewFile,BufRead *.sls set syntax=yaml
set number


@@ -69,6 +69,13 @@ salttmp:
- group: 939
- makedirs: True
# VIM config
vimconfig:
file.managed:
- name: /root/.vimrc
- source: salt://common/files/vimrc
- replace: False
# Install common packages
{% if grains['os'] != 'CentOS' %}
commonpkgs:
@@ -95,6 +102,7 @@ commonpkgs:
- python3-mysqldb
- python3-packaging
- git
- vim
heldpackages:
pkg.installed:
@@ -134,6 +142,7 @@ commonpkgs:
- lvm2
- openssl
- git
- vim-enhanced
heldpackages:
pkg.installed:
@@ -269,6 +278,14 @@ backupdir:
- daymonth: '*'
- month: '*'
- dayweek: '*'
{% else %}
soversionfile:
file.managed:
- name: /etc/soversion
- source: salt://common/files/soversion
- mode: 644
- template: jinja
{% endif %}
# Manager daemon.json


@@ -122,6 +122,10 @@ check_elastic_license() {
fi
}
disable_fastestmirror() {
sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
}
elastic_license() {
read -r -d '' message <<- EOM
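Review bot: `disable_fastestmirror` runs `sed -i` on /etc/yum/pluginconf.d/fastestmirror.conf unconditionally, so on a host where the fastestmirror plugin is not installed sed fails with a read error and, if the caller runs under `set -e` or chains it with `&&`, a purely cosmetic step aborts the upgrade. Guard on the file's existence and anchor the substitution to the key so a value elsewhere on a line is not touched: `[[ -f /etc/yum/pluginconf.d/fastestmirror.conf ]] || return 0` followed by `sed -i 's/^enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf`. Whether the callers run with `set -e` is not visible in this hunk.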


@@ -19,6 +19,6 @@
# Check to see if we are already running
IS_RUNNING=$(ps aux | pgrep -f "so-playbook-sync" | wc -l)
[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - Multiple Playbook Sync processes already running...exiting." && exit 0
[ "$IS_RUNNING" -gt 3 ] && echo "$(date) - Multiple Playbook Sync processes already running...exiting." && exit 0
docker exec so-soctopus python3 playbook_play-sync.py
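Review bot: The new threshold on the `[ "$IS_RUNNING" -gt 3 ]` line is a magic number whose meaning depends on how many of the script's own processes match `so-playbook-sync`: `pgrep` never reads stdin, so the `ps aux |` stage is dead input, and the `$( )` subshell plus whatever shell cron used to launch the script all carry that name in their command line. Raising the limit from 2 to 3 presumably compensates for one more such ancestor, but nothing records that, so the next change to how the script is launched will silently break the guard again; `so-sensor-clean` in this commit has the identical construct. An advisory lock makes the single-instance check independent of process accounting: `exec 9>"/var/lock/${0##*/}.lock"` then `flock -n 9 || { echo "$(date) - Multiple Playbook Sync processes already running...exiting."; exit 0; }`. At minimum add a comment stating which processes the number is meant to cover.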


@@ -116,7 +116,7 @@ clean() {
# Check to see if we are already running
IS_RUNNING=$(ps aux | pgrep -f "so-sensor-clean" | wc -l)
[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0
[ "$IS_RUNNING" -gt 3 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0
if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; do


@@ -453,18 +453,18 @@ up_2.3.3X_to_2.3.50_repo() {
if [[ "$OS" == "centos" ]]; then
# Import GPG Keys
gpg_rpm_import
echo "Disabling fastestmirror."
disable_fastestmirror
echo "Deleting unneeded repo files."
DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh')
for DELREPO in "${DELREPOS[@]}"; do
if [[ -f "/etc/yum.repos.d/$DELREPO.repo" ]]; then
echo "Deleting $DELREPO.repo"
rm -f "/etc/yum.repos.d/$DELREPO.repo"
fi
done
if [ $is_airgap -eq 1 ]; then
echo "Deleting unneeded repo files."
DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh')
for DELREPO in "${DELREPOS[@]}"; do
if [[ -f "/etc/yum.repos.d/$DELREPO.repo" ]]; then
echo "Deleting $DELREPO.repo"
rm -f "/etc/yum.repos.d/$DELREPO.repo"
fi
done
# Copy the new repo file if not airgap
cp $UPDATE_DIR/salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/
yum clean all
@@ -474,6 +474,34 @@ up_2.3.3X_to_2.3.50_repo() {
}
up_2.3.3X_to_2.3.50() {
cat <<EOF > /tmp/supersed.txt
/so-zeek:/ {
p;
n;
/shards:/ {
p;
n;
/warm:/ {
p;
n;
/close:/ {
s/close: 365/close: 45/;
p;
n;
/delete:/ {
s/delete: 45/delete: 365/;
p;
d;
}
}
}
}
}
p;
EOF
sed -n -i -f /tmp/supersed.txt /opt/so/saltstack/local/pillar/global.sls
rm /tmp/supersed.txt
INSTALLEDVERSION=2.3.50
}
@@ -687,6 +715,9 @@ echo ""
echo "Updating dockers to $NEWVERSION."
if [ $is_airgap -eq 0 ]; then
airgap_update_dockers
update_centos_repo
yum clean all
check_os_updates
else
update_registry
update_docker_containers "soup"
@@ -708,10 +739,6 @@ preupgrade_changes_2.3.50_repo
if [ "$UPGRADESALT" == "1" ]; then
echo "Upgrading Salt"
# Update the repo files so it can actually upgrade
if [ $is_airgap -eq 0 ]; then
update_centos_repo
yum clean all
fi
upgrade_salt
fi
@@ -796,13 +823,12 @@ unmount_update
thehive_maint
if [ "$UPGRADESALT" == "1" ]; then
echo ""
echo "Upgrading Salt on the remaining Security Onion nodes from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
if [ $is_airgap -eq 0 ]; then
salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone' cmd.run "yum clean all"
echo ""
echo "Cleaning repos on remote Security Onion nodes."
salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
echo ""
fi
salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone' -b $BATCHSIZE state.apply salt.minion queue=True
echo ""
fi
check_sudoers
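Review bot: `up_2.3.3X_to_2.3.50` writes its sed program to the fixed path /tmp/supersed.txt and then runs `sed -n -i -f` on it as root, so a local user who pre-creates that name (or a symlink there) before soup runs gets their own sed commands applied to global.sls; because /tmp is world-writable this is a race, not a permission problem. Create the script with `mktemp` (a private 0600 file), quote the heredoc delimiter so the sed program is not subject to shell expansion, and remove it with `rm -f --`, as below. Separately, in `up_2.3.3X_to_2.3.50_repo` the source of `cp $UPDATE_DIR/salt/repo/client/files/centos/securityonion.repo` is unquoted while the other paths in that function are quoted; `cp "$UPDATE_DIR/salt/repo/client/files/centos/securityonion.repo" /etc/yum.repos.d/` keeps it consistent, and that function's body continues outside the hunk. The 0/1 convention of `$is_airgap` (0 apparently meaning airgap, judging by the `airgap_update_dockers` branch) deserves a comment where the variable is set.
```shell
up_2.3.3X_to_2.3.50() {
  local sedscript
  sedscript=$(mktemp) || { echo "mktemp failed" >&2; return 1; }
  cat <<'EOF' > "$sedscript"
/so-zeek:/ {
# … unchanged: remainder of the sed program …
p;
EOF
  sed -n -i -f "$sedscript" /opt/so/saltstack/local/pillar/global.sls
  rm -f -- "$sedscript"
  INSTALLEDVERSION=2.3.50
}
```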


@@ -4322,139 +4322,6 @@
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "InfluxDB",
"fieldConfig": {
"defaults": {
"custom": {}
},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 6,
"w": 8,
"x": 16,
"y": 31
},
"hiddenSeries": false,
"id": 76,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": false,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"nullPointMode": "connected",
"options": {
"alertThreshold": true
},
"percentage": false,
"pluginVersion": "7.3.4",
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"alias": "EPS",
"groupBy": [
{
"params": [
"$__interval"
],
"type": "time"
},
{
"params": [
"null"
],
"type": "fill"
}
],
"measurement": "esteps",
"orderByTime": "ASC",
"policy": "default",
"queryType": "randomWalk",
"refId": "A",
"resultFormat": "time_series",
"select": [
[
{
"params": [
"eps"
],
"type": "field"
},
{
"params": [],
"type": "mean"
}
]
],
"tags": [
{
"key": "host",
"operator": "=",
"value": "{{ SERVERNAME }}"
}
]
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "{{ SERVERNAME }} - Estimated EPS",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": "EPS",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
}
],
"refresh": false,


@@ -5157,7 +5157,7 @@
"type": "fill"
}
],
"measurement": "esteps",
"measurement": "consumptioneps",
"orderByTime": "ASC",
"policy": "default",
"queryType": "randomWalk",


@@ -5562,7 +5562,7 @@
"type": "fill"
}
],
"measurement": "esteps",
"measurement": "consumptioneps",
"orderByTime": "ASC",
"policy": "default",
"queryType": "randomWalk",


@@ -90,3 +90,7 @@ PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirr
# MaxDlSpeed: 500
# MaxInresponsiveDlSize: 64000
# BadRedirDetectMime: text/html
{% set proxy = salt['pillar.get']('manager:proxy') -%}
{% if proxy -%}
Proxy: {{ proxy }}
{% endif -%}


@@ -18,7 +18,6 @@
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
{% set managerproxy = salt['pillar.get']('global:managerupdate', '0') %}
{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}
socore_own_saltstack:
@@ -35,8 +34,6 @@ socore_own_saltstack:
- mode: 750
- replace: False
{% if managerproxy == 1 %}
# Create the directories for apt-cacher-ng
aptcacherconfdir:
file.directory:
@@ -60,11 +57,12 @@ aptcacherlogdir:
- makedirs: true
# Copy the config
acngcopyconf:
file.managed:
- name: /opt/so/conf/aptcacher-ng/etc/acng.conf
- source: salt://manager/files/acng/acng.conf
- template: jinja
- show_changes: False
# Install the apt-cacher-ng container
so-aptcacherng:
@@ -84,8 +82,6 @@ append_so-aptcacherng_so-status.conf:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-aptcacherng
{% endif %}
strelka_yara_update_old_1:
cron.absent:
- user: root
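Review bot: `acngcopyconf` now carries `show_changes: False` without saying why, and a later maintainer is likely to remove it as noise. The rendered acng.conf can contain the `manager:proxy` pillar value, which presumably includes proxy credentials when the upstream proxy requires them, so a one-line comment such as `# show_changes: False - rendered config may embed proxy credentials; keep diffs out of state output and logs` records the intent; the `yumconf` state in this commit's repo client hunk deserves the same comment. The `{% if managerproxy == 1 %}` that wrapped these states is removed here, and only part of the file is visible, so confirm the matching `{% endif %}` shown in the last hunk goes with it and the Jinja still balances.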


@@ -12,7 +12,7 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
clean_requirements_on_remove=1
{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', '0') -%}
{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import']) and ( salt['pillar.get']('global:managerupdate', '0') or salt['pillar.get']('patch:os:source', 'direct') == 'manager' ) -%}
proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142
{% elif proxy -%}
proxy={{ proxy }}
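Review bot: The new condition still reads `salt['pillar.get']('global:managerupdate', '0')`, and this commit removes `managerupdate:` from the global pillar written by `manager_global` in so-functions, so the lookup falls back to the default `'0'` — a non-empty string, which Jinja treats as true. Combined with the `or`, every non-manager role would then get `proxy=http://<manager>:3142` regardless of `patch:os:source`, including direct-update and airgap nodes. If `managerupdate` is being retired, drop that operand: `{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import']) and salt['pillar.get']('patch:os:source', 'direct') == 'manager' -%}`; if it is meant to survive, compare it numerically with `salt['pillar.get']('global:managerupdate', 0) | int == 1`. This assumes no other pillar still sets `global:managerupdate`.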


@@ -16,8 +16,9 @@ airgap_repo:
pkgrepo.managed:
- humanname: Airgap Repo
- baseurl: https://{{ MANAGER }}/repo
- gpgcheck: 1
- gpgcheck: 0
- sslverify: 0
{% endif %}
# from airgap and common
@@ -63,6 +64,7 @@ yumconf:
- source: salt://repo/client/files/centos/yum.conf.jinja
- mode: 644
- template: jinja
- show_changes: False
{% endif %}
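Review bot: `airgap_repo` now has `gpgcheck: 0` alongside `sslverify: 0`, which removes both integrity controls at once: yum will install whatever RPMs are served at `https://{{ MANAGER }}/repo`, and it will not check that the peer is actually the manager. On an isolated grid the package path is exactly what the ISO's signing key was meant to protect, so a host that can answer for the manager's name, or a compromised manager web root, can push arbitrary packages to every minion. If the airgap repo's packages are signed, keep `gpgcheck: 1` and add `gpgkey:` pointing at the key file the repo ships; if they are not, at least keep `sslverify: 1` with the grid CA as `sslcacert:` so the transport is authenticated, and record in a comment why signatures are not checked.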
cleanyum:


@@ -3,13 +3,15 @@
{% if grains.os == 'Ubuntu' %}
{% set SPLITCHAR = '+' %}
{% set SALTNOTHELD = salt['cmd.run']('apt-mark showhold | grep salt-* ; echo $?', python_shell=True) %}
{% set SALTNOTHELD = salt['cmd.run']('apt-mark showhold | grep -q salt ; echo $?', python_shell=True) %}
{% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion'] %}
{% set SALT_STATE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/states' %}
{% set SALT_MODULE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/modules' %}
{% set PYTHON3INFLUX= 'python3-influxdb' %}
{% else %}
{% set SPLITCHAR = '-' %}
{% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep salt-* ; echo $?', python_shell=True) %}
{% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep -q salt ; echo $?', python_shell=True) %}
{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion'] %}
{% set SALT_STATE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/states' %}
{% set SALT_MODULE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/modules' %}
{% set PYTHON3INFLUX= 'securityonion-python3-influxdb' %}
@@ -19,9 +21,9 @@
{% if grains.saltversion|string != SALTVERSION|string %}
{% if grains.os|lower in ['centos', 'redhat'] %}
{% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*"' %}
{% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION %}
{% elif grains.os|lower == 'ubuntu' %}
{% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && apt-mark hold salt-common && apt-mark hold salt-minion' %}
{% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION %}
{% endif %}
{% else %}
{% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
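Review bot: `grep -q salt` on the held-package listing matches any line containing the substring, so an unrelated held package whose name merely contains "salt" would set `SALTNOTHELD` to 0 and suppress the unhold step in the minion state. The previous `grep salt-*` was a shell glob rather than a regex, so the new form is an improvement, but anchoring to the package name keeps it exact: `grep -q '^salt-'` for the apt branch, and for the yum branch, where versionlock entries typically start with an epoch such as `0:salt-`, `grep -qE '(^|:)salt-'`. The `yum clean all ;` prefix of `UPGRADECOMMAND` deliberately discards the clean's status; a short comment saying so would stop the next reviewer from flagging it.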


@@ -2,6 +2,7 @@
{% from 'salt/map.jinja' import SALTVERSION %}
{% from 'salt/map.jinja' import INSTALLEDSALTVERSION %}
{% from 'salt/map.jinja' import SALTNOTHELD %}
{% from 'salt/map.jinja' import SALTPACKAGES %}
{% import_yaml 'salt/minion.defaults.yaml' as SALTMINION %}
{% set service_start_delay = SALTMINION.salt.minion.service_start_delay %}
@@ -12,11 +13,14 @@ include:
{% if INSTALLEDSALTVERSION|string != SALTVERSION|string %}
{% if SALTNOTHELD == 0 %}
{% if SALTNOTHELD | int == 0 %}
unhold_salt_packages:
module.run:
- pkg.unhold:
- name: 'salt-*'
- pkgs:
{% for package in SALTPACKAGES %}
- {{ package }}
{% endfor %}
{% endif %}
install_salt_minion:
@@ -30,11 +34,14 @@ install_salt_minion:
{% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
{% if SALTNOTHELD == 1 %}
{% if SALTNOTHELD | int == 1 %}
hold_salt_packages:
module.run:
- pkg.hold:
- name: 'salt-*'
- pkgs:
{% for package in SALTPACKAGES %}
- {{ package }}
{% endfor %}
{% endif %}
set_log_levels:


@@ -1,6 +1,6 @@
## Getting Started
New to Security Onion 2? Check out the [Online Help](/docs/) and [Cheatsheet](/docs/cheatsheet.pdf) to learn how to best utilize Security Onion to hunt for evil! Find them in the upper-right menu.
New to Security Onion 2? Check out the [Online Help](/docs/) and [Cheatsheet](/docs/cheatsheet.pdf) to learn how to best utilize Security Onion to hunt for evil! Find them in the upper-right menu. Also, watch our free Security Onion 2 Essentials online course, available on our [Training](https://securityonionsolutions.com/training) website.
If you're ready to dive-in, take a look at the [Alerts](/#/alerts) interface to see what Security Onion has detected so far. Or navigate to the [Hunt](/#/hunt) interface to hunt for evil that the alerts might have missed!
@@ -10,16 +10,18 @@ The release notes have moved to the upper-right menu. Click on the [What's New](
## Customize This Space
Make this area your own by customizing the content. The content is stored in the `motd.md` file, which uses the common Markdown (.md) format. Visit [mardownguide.org](https://www.markdownguide.org/) to learn more about the simple Markdown format.
Make this area your own by customizing the content. The content is stored in the `motd.md` file, which uses the common Markdown (.md) format. Visit [markdownguide.org](https://www.markdownguide.org/) to learn more about the simple Markdown format.
To customize this content, login to the manager via SSH and execute the following command:
```bash
cp -f /opt/so/saltstack/default/salt/soc/files/soc/motd.md /opt/so/saltstack/local/salt/soc/files/soc/motd.md
sudo cp /opt/so/saltstack/default/salt/soc/files/soc/motd.md /opt/so/saltstack/local/salt/soc/files/soc/
```
Now, edit the new file as desired. Finally, run this command:
and edit the new file as desired.
Finally, run this command:
```bash
salt-call state.apply soc queue=True
sudo so-soc-restart
```


@@ -132,8 +132,9 @@ influxkeyperms:
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 30
- retry: 5
- interval: 30
- retry:
attempts: 5
interval: 30
rediskeyperms:
file.managed:
@@ -325,8 +326,9 @@ miniokeyperms:
- x509: /etc/pki/elasticsearch.crt
{%- endif %}
- timeout: 30
- retry: 5
- interval: 30
- retry:
attempts: 5
interval: 30
/etc/pki/elasticsearch.crt:
x509.certificate_managed:


@@ -615,29 +615,18 @@
# ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false
{% if TRUE_CLUSTER %}
{% if grains.role == 'so-manager' %}
[[inputs.elasticsearch]]
servers = ["https://{{ MANAGER }}:9200"]
insecure_skip_verify = true
local = false
cluster_health = true
cluster_stats = true
{% endif %}
{% else %}
# # Read stats from one or more Elasticsearch servers or clusters
{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
[[inputs.elasticsearch]]
servers = ["https://{{ MANAGER }}:9200"]
insecure_skip_verify = true
{% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %}
{% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %}
[[inputs.elasticsearch]]
servers = ["https://{{ NODEIP }}:9200"]
insecure_skip_verify = true
{% endif %}
{% endif %}
#
# ## Timeout for HTTP requests to the elastic search server(s)
# http_timeout = "5s"
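Review bot: Both `[[inputs.elasticsearch]]` blocks that remain keep `insecure_skip_verify = true`, so telegraf accepts any certificate on port 9200 while speaking HTTPS; that is pre-existing rather than introduced here, but this hunk consolidates the blocks and is the natural place to fix it. Telegraf's `tls_ca` option can point at the CA that signs the grid's elasticsearch certificate (this commit's ssl state manages /etc/pki/elasticsearch.crt), after which `insecure_skip_verify` can be dropped. If the hostnames in the `servers` URLs do not match the certificate's SANs, say so in a comment rather than leaving verification off silently.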


@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=MANAGER
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=MANAGER
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=MANAGER
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=MANAGER
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=MANAGER
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=EVAL
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=EVAL
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=EVAL
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=0
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=EVAL
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=0
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=IMPORT
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=0
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=IMPORT
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=0
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=IMPORT
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=0
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=IMPORT
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=STANDALONE
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=STANDALONE
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=STANDALONE
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=STANDALONE
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=STANDALONE
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -41,7 +41,6 @@ install_type=STANDALONE
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=


@@ -478,6 +478,19 @@ collect_mtu() {
done
}
collect_net_method() {
whiptail_net_method
if [[ "$network_traffic" == *"_MANAGER" ]]; then
whiptail_manager_updates_warning
MANAGERUPDATES=1
fi
if [[ "$network_traffic" == "PROXY"* ]]; then
collect_proxy no_ask
fi
}
collect_node_es_heap() {
whiptail_node_es_heap "$ES_HEAP_SIZE"
}
@@ -580,7 +593,9 @@ collect_patch_schedule_name_import() {
collect_proxy() {
[[ -n $TESTING ]] && return
collect_proxy_details || return
local ask=${1:-true}
collect_proxy_details "$ask" || return
while ! proxy_validate; do
if whiptail_invalid_proxy; then
collect_proxy_details no_ask
@@ -1654,7 +1669,6 @@ manager_global() {
" fleet_ip: 'N/A'"\
" sensoronikey: '$SENSORONIKEY'"\
" wazuh: $WAZUH"\
" managerupdate: $MANAGERUPDATES"\
" imagerepo: '$IMAGEREPO'"\
" pipeline: 'redis'"\
"sensoroni:"\
@@ -1850,9 +1864,16 @@ patch_pillar() {
local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls
if [[ $MANAGERUPDATES == 1 ]]; then
local source="manager"
else
local source="direct"
fi
printf '%s\n'\
"patch:"\
" os:"\
" source: '$source'"\
" schedule_name: '$PATCHSCHEDULENAME'"\
" enabled: True"\
" splay: 300"\
@@ -2306,24 +2327,25 @@ secrets_pillar(){
securityonion_repo() {
# Remove all the current repos
if [[ "$OS" == "centos" ]]; then
if [[ "$INTERWEBS" == "AIRGAP" ]]; then
echo "This is airgap I don't need to add this repo"
if [[ "$INTERWEBS" == "AIRGAP" ]]; then
echo "This is airgap I don't need to add this repo"
else
mkdir -p /root/oldrepos
mv -v /etc/yum.repos.d/* /root/oldrepos/
mkdir -p /root/oldrepos
mv -v /etc/yum.repos.d/* /root/oldrepos/
ls -la /etc/yum.repos.d/
rm -rf /etc/yum.repos.d
rm -rf /etc/yum.repos.d
yum clean all
yum repolist all
mkdir -p /etc/yum.repos.d
if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then
cp -f ../salt/repo/client/files/centos/securityonioncache.repo /etc/yum.repos.d/
else
cp -f ../salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/
fi
if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then
cp -f ../salt/repo/client/files/centos/securityonioncache.repo /etc/yum.repos.d/
else
cp -f ../salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/
fi
yum repolist all
fi
else
echo "This is Ubuntu"
echo "This is Ubuntu"
fi
}
@@ -2669,10 +2691,12 @@ set_redirect() {
set_updates() {
if [ "$MANAGERUPDATES" = '1' ]; then
if [ "$OS" = 'centos' ]; then
if [[ ! $is_airgap ]]; then
if ! grep -q "$MSRV" /etc/yum.conf; then
echo "proxy=http://$MSRV:3142" >> /etc/yum.conf
fi
if [[ ! $is_airgap ]] && ! ( grep -q "$MSRV" /etc/yum.conf); then
if grep -q "proxy=" /etc/yum.conf; then
sed -i "s/proxy=.*/proxy=http:\/\/$MSRV:3142/" /etc/yum.conf
else
echo "proxy=http://$MSRV:3142" >> /etc/yum.conf
fi
fi
else
# Set it up so the updates roll through the manager
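Review bot: In `set_updates` the new `grep -q "proxy=" /etc/yum.conf` is unanchored, so a commented `#proxy=` line would also count as present, and `sed -i "s/proxy=.*/…/"` would then rewrite that comment in place, leaving no active proxy line and a silently unproxied node. Anchor both: `if grep -q '^proxy=' /etc/yum.conf; then` and `sed -i "s|^proxy=.*|proxy=http://$MSRV:3142|" /etc/yum.conf`, which also drops the escaped slashes and keeps a `/` in `$MSRV` from breaking the expression. In the enclosing `if`, the `( grep -q "$MSRV" /etc/yum.conf)` subshell adds nothing over `! grep -q`, and `$MSRV` is used there as an unanchored regex where a fixed-string match (`grep -qF`) is the intent. The function's body continues outside the hunk.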


@@ -46,8 +46,7 @@ check_new_repos() {
if [[ $OS == 'centos' ]]; then
local repo_arr=(
"https://download.docker.com/linux/centos/docker-ce.repo"
"https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3003/SALTSTACK-GPG-KEY.pub"
"https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3003/SALTSTACK-GPG-KEY.pub"
"https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub"
"https://download.docker.com/linux/ubuntu/gpg"
"https://packages.wazuh.com/key/GPG-KEY-WAZUH"
"https://packages.wazuh.com/3.x/yum/"


@@ -203,16 +203,13 @@ if ! [[ -f $install_opt_file ]]; then
if [[ $option == "CONFIGURENETWORK" ]]; then
collect_hostname
network_init_whiptail
whiptail_management_interface_setup
whiptail_network_init_notice
network_init
printf '%s\n' \
"MNIC=$MNIC" \
"HOSTNAME=$HOSTNAME" > "$net_init_file"
set_main_ip >> $setup_log 2>&1
compare_main_nic_ip
reset_proxy
collect_proxy
[[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
whiptail_net_setup_complete
else
true
@@ -263,19 +260,19 @@ elif [ "$install_type" = 'ANALYST' ]; then
is_analyst=true
fi
# Check if this is an airgap install
if [[ $is_iso || $is_minion ]]; then
whiptail_airgap
if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
is_airgap=true
fi
fi
if [[ $is_manager || $is_import ]]; then
check_elastic_license
fi
if ! [[ -f $install_opt_file ]]; then
# Check if this is an airgap install
if [[ ( $is_manager || $is_import || $is_minion ) && $is_iso ]]; then
whiptail_airgap
if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
is_airgap=true
fi
fi
if [[ $is_manager && $is_sensor ]]; then
check_requirements "standalone"
elif [[ $is_fleet_standalone ]]; then
@@ -302,11 +299,8 @@ if ! [[ -f $install_opt_file ]]; then
source "$net_init_file"
fi
if [[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]] && ! [[ -f $net_init_file ]]; then
whiptail_management_interface_setup
fi
if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then
whiptail_network_init_notice
network_init
fi
@@ -315,19 +309,17 @@ if ! [[ -f $install_opt_file ]]; then
if [[ $is_minion ]]; then
collect_mngr_hostname
add_mngr_ip_to_hosts
fi
reset_proxy
if [[ -z $is_airgap ]]; then
collect_proxy
collect_net_method
[[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
fi
if [[ $is_minion ]]; then
add_mngr_ip_to_hosts
fi
if [[ $is_minion ]]; then
whiptail_ssh_key_copy_notice
copy_ssh_key >> $setup_log 2>&1
fi
@@ -339,6 +331,7 @@ if ! [[ -f $install_opt_file ]]; then
"HOSTNAME=$HOSTNAME" \
"MSRV=$MSRV" \
"MSRVIP=$MSRVIP" \
"is_airgap=$is_airgap" \
"NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file"
[[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file"
download_repo_tarball
@@ -428,7 +421,7 @@ fi
if [[ $is_airgap ]]; then
PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-manual}
MANAGERUPDATES=${MANAGERUPDATES:-0}
[[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1}
fi
# Start user prompts
@@ -499,13 +492,6 @@ if [[ $is_manager || $is_import ]]; then
get_redirect
fi
if [[ ! $is_airgap && ( $is_distmanager || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ) ]]; then
whiptail_manager_updates
if [[ $setup_type == 'network' && $MANAGERUPDATES == 1 ]]; then
whiptail_manager_updates_warning
fi
fi
if [[ $is_distmanager ]]; then
collect_soremote_inputs
fi
@@ -648,6 +634,8 @@ echo "1" > /root/accept_changes
set_progress_str 2 'Updating packages'
# Import the gpg keys
gpg_rpm_import >> $setup_log 2>&1
info "Disabling fastestmirror"
[[ $OS == 'centos' ]] && disable_fastestmirror
if [[ ! $is_airgap ]]; then
securityonion_repo >> $setup_log 2>&1
update_packages >> $setup_log 2>&1
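Review bot: The new `disable_fastestmirror` call is the only step in this run that is not redirected to `$setup_log`, so sed's stderr (for instance when /etc/yum/pluginconf.d/fastestmirror.conf is absent) lands on the console behind whiptail, and the preceding `info "Disabling fastestmirror"` is emitted on Ubuntu as well, where nothing is disabled. Fold both into the OS test: `if [[ $OS == 'centos' ]]; then info "Disabling fastestmirror"; disable_fastestmirror >> $setup_log 2>&1; fi`. Earlier in this section, `[[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1}` is correct only because an assignment cannot fail; an `if`/`else` states the same default without relying on that property.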


@@ -616,7 +616,14 @@ whiptail_end_settings() {
fi
fi
whiptail --title "The following options have been set, would you like to proceed?" --yesno "$end_msg" 24 75 --scrolltext
local msg
read -r -d '' msg <<-EOM
$end_msg
Press TAB to select yes or no.
EOM
whiptail --title "The following options have been set, would you like to proceed?" --yesno "$msg" 24 75 --scrolltext
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -987,44 +994,65 @@ whiptail_management_nic() {
}
whiptail_management_interface_setup() {
whiptail_net_method() {
[ -n "$TESTING" ] && return
local minion_msg
local msg
local line_count
local pkg_mngr
if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
read -r -d '' options_msg <<- EOM
"Direct" - Internet requests connect directly to the Internet.
EOM
local options=(
" Direct " ""
)
local proxy_desc="proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment."
if [[ $is_minion ]]; then
line_count=11
minion_msg="copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ECDSA certificate and enter the password for soremote"
read -r -d '' options_msg <<- EOM
${options_msg}
"Direct + Manager" - all traffic passes to the Internet normally, but ${pkg_mngr} updates will instead be pulled from ${mngr_article} manager.
"Proxy" - ${proxy_desc}
"Proxy + Manager" - proxy all traffic from the "Proxy" option except ${pkg_mngr} updates, which will instead pull from the manager.
EOM
options+=(
" Direct + Manager " ""
" Proxy " ""
" Proxy + Manager " ""
)
local height=25
else
line_count=9
minion_msg=""
read -r -d '' options_msg <<- EOM
${options_msg}
"Proxy" - ${proxy_desc}
EOM
options+=(
" Proxy " ""
)
local height=17
fi
if [[ $is_iso ]]; then
if [[ $minion_msg != "" ]]; then
if [[ -f $net_init_file ]]; then
msg=$minion_msg
else
msg="initialize networking and $minion_msg"
fi
else
msg="initialize networking"
fi
else
msg=$minion_msg
fi
local msg
read -r -d '' msg <<- EOM
How would you like to connect to the Internet?
read -r -d '' message <<- EOM
Setup will now $msg.
Select OK to continue.
$options_msg
EOM
whiptail --title "Security Onion Setup" --msgbox "$message" $line_count 75
local option_count=$(( ${#options[@]} / 2 ))
network_traffic=$(whiptail --title "Security Onion Setup" --menu "$msg" $height 75 $option_count "${options[@]}" 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
network_traffic=$(echo "${network_traffic^^}" | tr -d ' ' | tr '+' '_')
}
whiptail_net_setup_complete() {
@@ -1035,6 +1063,20 @@ whiptail_net_setup_complete() {
exit 0
}
whiptail_network_init_notice() {
[ -n "$TESTING" ] && return
read -r -d '' message <<- EOM
Setup will now initialize networking.
Select OK to continue.
EOM
whiptail --title "Security Onion Setup" --msgbox "$message" 9 75
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_management_server() {
[ -n "$TESTING" ] && return
@@ -1161,29 +1203,6 @@ whiptail_manager_error() {
whiptail --title "Security Onion Setup" --yesno "$msg" 13 75 || whiptail_check_exitstatus 1
}
whiptail_manager_updates() {
[ -n "$TESTING" ] && return
local update_string
update_string=$(whiptail --title "Security Onion Setup" --radiolist \
"How would you like to download OS package updates for your grid?" 20 75 4 \
"MANAGER" "Manager node is proxy for updates" ON \
"OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 )
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
case "$update_string" in
'MANAGER')
export MANAGERUPDATES='1'
;;
*)
export MANAGERUPDATES='0'
;;
esac
}
whiptail_manager_updates_warning() {
[ -n "$TESTING" ] && return
@@ -1485,7 +1504,9 @@ whiptail_patch_schedule_select_hours() {
whiptail_proxy_ask() {
[ -n "$TESTING" ] && return
whiptail --title "Security Onion Setup" --yesno "Do you want to set a proxy server for this installation?" 7 60 --defaultno
local pkg_mngr
if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
whiptail --title "Security Onion Setup" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno
}
whiptail_proxy_addr() {
@@ -1718,6 +1739,20 @@ whiptail_so_allow() {
whiptail_check_exitstatus $exitstatus
}
whiptail_ssh_key_copy_notice() {
[ -n "$TESTING" ] && return
read -r -d '' message <<- EOM
Setup will now copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ED25519 certificate and enter the password for soremote.
Select OK to continue.
EOM
whiptail --title "Security Onion Setup" --msgbox "$message" 11 75
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whitpail_ssh_warning() {
[ -n "$TESTING" ] && return
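Review bot: `whiptail_net_method` interpolates `${mngr_article}` into the "Direct + Manager" description, but nothing in the hunk defines it; unless it is set elsewhere in the file, the prompt will read "pulled from  manager" with a missing word. Either define it next to `pkg_mngr` or drop it: `"Direct + Manager" - all traffic passes to the Internet normally, but ${pkg_mngr} updates will instead be pulled from the manager.`. In the same function `options_msg` is filled by `read` without a `local`, unlike `msg`, `pkg_mngr` and `proxy_desc`, so it leaks into the caller's scope; add `local options_msg` beside the other declarations. The `whiptail_ssh_key_copy_notice` text calls the manager's ED25519 host key a "certificate", which will confuse users comparing it with what the ssh prompt actually shows.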

Binary file not shown.