diff --git a/README.md b/README.md index 5587f3c84..12d4f48b0 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,22 @@ -# Security Onion Hybrid Hunter Tech Preview 1.0.6 +# Security Onion Hybrid Hunter Tech Preview 1.0.7 -### About -Hybrid Hunter is a brand new Security Onion platform with the following characteristics: -- Move from Ubuntu DEB packages to Docker images -- Support both Ubuntu 16.04 and RedHat/CentOS 7 -- Higher performance -- More centralized configuration +### Changes: +- Suricata 4.1.3 +- Updated Influxdb to 1.7.5 +- Updated Telegraf to 1.10.1 +- Grafana is now 6.0.2 +- Added support for TheHive!!! See the docs -> +- You are now forced to select interfaces during setup. If you skipped this test the install was not happy [#26](https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/26) +- Reduced the RAM usage for ES in Eval mode [#25](https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/26) +- Eval Mode setup is now choose your own adventure style +- Fresh dockers for all the things to bring everything to 1.0.7 +- New utility docker called SOctopus +- New html landing page now in dark mode + + +### Notes: +- Attempting to send a Bro event to The Hive that does not contain a source and destination IP (ex. Bro files, or X509) will result in an exception - a fix for this will be implemented in the next release. +- If attempting to pivot from Kibana, ensure that you can resolve the master via DNS -- otherwise, populate your local hosts file with an entry to point to the master. ### Warnings and Disclaimers diff --git a/salt/common/init.sls b/salt/common/init.sls index 74735a185..9ae72d360 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -103,7 +103,7 @@ nginxtmp: # Start the core docker so-core: docker_container.running: - - image: soshybridhunter/so-core:HH1.0.5 + - image: soshybridhunter/so-core:HH1.0.7 - hostname: so-core - user: socore - binds: 
@@ -114,6 +114,7 @@ so-core: - /opt/so/tmp/nginx/:/run:rw - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro + - /opt/so/conf/fleet/packages:/opt/socore/html/packages - cap_add: NET_BIND_SERVICE - port_bindings: - 80:80 @@ -156,7 +157,7 @@ tgrafconf: so-telegraf: docker_container.running: - - image: soshybridhunter/so-telegraf:HH1.0.4 + - image: soshybridhunter/so-telegraf:HH1.0.7 - environment: - HOST_PROC=/host/proc - HOST_ETC=/host/etc @@ -211,7 +212,7 @@ influxdbconf: so-influxdb: docker_container.running: - - image: soshybridhunter/so-influxdb:HH1.0.4 + - image: soshybridhunter/so-influxdb:HH1.0.7 - hostname: influxdb - environment: - INFLUXDB_HTTP_LOG_ENABLED=false @@ -368,7 +369,7 @@ dashboard-{{ SN }}: # Install the docker. This needs to be behind nginx at some point so-grafana: docker_container.running: - - image: soshybridhunter/so-grafana:HH1.0.4 + - image: soshybridhunter/so-grafana:HH1.0.7 - hostname: grafana - user: socore - binds: diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index f3a844ff3..9986d40a9 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -30,6 +30,16 @@ fleetlogdir: - user: 939 - group: 939 - makedirs: True + +fleetsetupscript: + file.managed: + - name: /opt/so/conf/fleet/so-fleet-setup.sh + - source: salt://fleet/so-fleet-setup.sh + +osquerypackageswebpage: + file.managed: + - name: /opt/so/conf/fleet/packages/index.html + - source: salt://fleet/osquery-packages.html fleetdb: mysql_database.present: diff --git a/salt/fleet/osquery-packages.html b/salt/fleet/osquery-packages.html new file mode 100644 index 000000000..c94ba89b9 --- /dev/null +++ b/salt/fleet/osquery-packages.html @@ -0,0 +1,113 @@ + + + +Security Onion - Hybrid Hunter + + + + + + + + +
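Review bot: The new bind `/opt/so/conf/fleet/packages:/opt/socore/html/packages` is mounted read-write, while the certificate binds directly above it in the same list carry `:ro`. The so-core container appears to need the directory only to serve the osquery packages that so-fleet-setup.sh drops there, so `- /opt/so/conf/fleet/packages:/opt/socore/html/packages:ro` keeps the web container from being able to alter the binaries it hands out to endpoints. The so-core state continues outside the hunk.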
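Review bot: `osquerypackageswebpage` manages `/opt/so/conf/fleet/packages/index.html` without `makedirs: True`, so the state fails whenever the `packages` directory is missing, yet so-fleet-setup.sh in this same commit is what creates that directory, with a plain `mkdir` that in turn errors once the directory exists. Give the directory one owner: add `- makedirs: True` here, as `fleetlogdir` just above already does, and make the script's mkdir tolerant, or introduce a `file.directory` state for `/opt/so/conf/fleet/packages` that both depend on. `fleetsetupscript` also sets no `mode`, so the helper likely lands without its executable bit and with default world-readable permissions; `- mode: 700` would match how the script is meant to be run. The fleet state continues outside the hunk.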
+ Kibana + Grafana + Fleet + TheHive + Osquery Binaries + FAQ + Security Onion Solutions + Blog +
+ +
+ +

Osquery Packages


+ +

Notes

+ +

Downloads

+ + +

Known Issues

+ +

+
+ + + + diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh new file mode 100644 index 000000000..64d7fe435 --- /dev/null +++ b/salt/fleet/so-fleet-setup.sh @@ -0,0 +1,35 @@ +#so-fleet-setup.sh $MasterIP $FleetEmail + +if [ ! "$(docker ps -q -f name=so-fleet)" ]; then + echo "so-fleet container not running... Exiting..." + exit 1 +fi + +initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo) + +docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify +docker exec so-fleet fleetctl setup --email $2 --password $initpw + +docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml +docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml +docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml +docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml + +esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret) + +#Concat fleet.crt & ca.crt - this is required for launcher connectivity +cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/fleet-launcher.crt + +#Create the output directory +mkdir /opt/so/conf/fleet/packages + +docker run \ + --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \ + --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/launcher.crt \ + defensivedepth/hh-launcher "$esecret" "$1":8080 + +#Update timestamp on packages webpage +sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html + +echo "Fleet Setup Complete - Login here: https://$1" +echo "Your username is $2 and your password is $initpw" diff --git a/salt/hive/init.sls b/salt/hive/init.sls index d0af62fc3..371e790de 100644 --- a/salt/hive/init.sls +++ b/salt/hive/init.sls 
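Review bot: `initpw` is derived from `date +%s`, so the initial Fleet admin password has exactly one possible value per second of install time and is not a secret in any useful sense; the rest of the installer already draws passwords from `/dev/urandom` (see `FLEETPASS` in so-setup-network.sh), so use the same source here: `initpw=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)`. Separately, `mkdir /opt/so/conf/fleet/packages` has no `-p` and the script has no `set -e`, so a pre-existing directory prints an error and the run continues as if nothing happened; `mkdir -p` is what is meant. `$1`, `$2` and `$initpw` are unquoted on the `fleetctl config set` and `fleetctl setup` lines and should be double-quoted the way `"$esecret"` already is on the `docker run` line.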
@@ -78,3 +78,8 @@ so-thehive:
 - /opt/so/conf/hive/etc/application.conf:/opt/thehive/conf/application.conf:ro
 - port_bindings:
 - 0.0.0.0:9000:9000
+
+hivescript:
+ cmd.script:
+ - source: salt://hive/thehive/scripts/hive_init.sh
+ - template: jinja
diff --git a/salt/hive/thehive/scripts/hive_init.sh b/salt/hive/thehive/scripts/hive_init.sh
new file mode 100755
index 000000000..cb901e36b
--- /dev/null
+++ b/salt/hive/thehive/scripts/hive_init.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{%- set HIVEUSER = salt['pillar.get']('static:hiveuser', '') %}
+{%- set HIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %}
+{%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}
+
+hive_init(){
+ sleep 60
+ HIVE_IP="{{MASTERIP}}"
+ HIVE_USER="{{HIVEUSER}}"
+ HIVE_PASSWORD="{{HIVEPASSWORD}}"
+ SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
+
+ # Migrate DB
+ curl -v -k -XPOST "https://$HIVE_IP:/thehive/api/maintenance/migrate"
+
+ # Generate unique ID for apikey
+ HIVE_KEY="{{HIVEKEY}}"
+
+ # Create intial TheHive user
+ curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}"
+
+ # Update SOCtopus config with apikey value
+ #sed -i "s/hive_key = .*/hive_key = $HIVE_KEY/" $SOCTOPUS_CONFIG
+
+ # Check for correct authentication
+ #curl -v -k -H "Authorization: Bearer $HIVE_KEY" "https://$HIVE_IP/thehive/api/user/$USER"
+
+ touch /opt/so/state/thehive.txt
+
+}
+
+if [ -f /opt/so/state/thehive.txt ]; then
+ exit 0
+else
+ hive_init
+fi
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index 3b5037336..050582c82 100644
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
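Review bot: `hivescript` runs hive_init.sh on every highstate with neither a `creates` nor a requisite, so Salt reports the state as changed on each run even though the script exits immediately once `/opt/so/state/thehive.txt` exists, and nothing orders it after the `so-thehive` container it talks to beyond file position. Adding `- creates: /opt/so/state/thehive.txt` lets Salt skip the script once initialisation has happened, and a `require` on `docker_container: so-thehive` makes the dependency explicit instead of relying on the fixed `sleep 60` inside the script. The `so-thehive` state begins outside the hunk.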
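Review bot: `touch /opt/so/state/thehive.txt` runs whether or not either curl call succeeded, so if TheHive is not yet answering after the fixed `sleep 60`, or the user creation is rejected, the marker is still written and `hive_init` is never attempted again, leaving an instance with no admin user while SOCtopus.conf in this same commit is rendered with a key TheHive never received. The `-v` on both curls also echoes the request, including the admin password and API key in the JSON body, into output that Salt captures for the `cmd.script` state and keeps in its job return. The migrate URL `https://$HIVE_IP:/thehive/...` has a stray `:` before the path; curl may tolerate an empty port, but it does not match the second URL and looks like a typo. Below is the user-creation step rewritten with `-sS -f` so an HTTP error makes curl exit non-zero and the marker is written only on success; the migrate call deserves the same treatment.
```shell
hive_init(){
  # … unchanged: sleep, HIVE_* assignments, migrate call, HIVE_KEY …

  # Create intial TheHive user. -f turns an HTTP error into a non-zero exit;
  # -sS keeps the request body (password and key) out of the captured output.
  if curl -sS -k -f "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" \
      -d "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}"; then
    # Only record completion when the user (and its API key) actually exist.
    touch /opt/so/state/thehive.txt
  else
    echo "TheHive user creation failed; state marker not written so the next run retries" >&2
    return 1
  fi
}
```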
@@ -57,7 +57,7 @@ synckibanacustom: # Start the kibana docker so-kibana: docker_container.running: - - image: soshybridhunter/so-kibana:HH1.0.6 + - image: soshybridhunter/so-kibana:HH1.0.7 - hostname: kibana - user: kibana - environment: diff --git a/salt/master/init.sls b/salt/master/init.sls index 35f6c5254..8f20ef69f 100644 --- a/salt/master/init.sls +++ b/salt/master/init.sls @@ -49,7 +49,7 @@ acngcopyconf: # Install the apt-cacher-ng container so-aptcacherng: docker_container.running: - - image: soshybridhunter/so-acng:HH1.0.5 + - image: soshybridhunter/so-acng:HH1.0.7 - hostname: so-acng - port_bindings: - 0.0.0.0:3142:3142 diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index af80030ee..b1e875578 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -50,7 +50,7 @@ mysqldatadir: so-mysql: docker_container.running: - - image: soshybridhunter/so-mysql:HH1.0.5 + - image: soshybridhunter/so-mysql:HH1.0.7 - hostname: so-mysql - user: socore - port_bindings: diff --git a/salt/redis/init.sls b/salt/redis/init.sls index cd982a137..6dfbb473d 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -49,7 +49,7 @@ toosmooth/so-redis:test2: so-redis: docker_container.running: - - image: soshybridhunter/so-redis:HH1.0.5 + - image: soshybridhunter/so-redis:HH1.0.7 - hostname: so-redis - user: socore - port_bindings: diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf index 3ce772082..1a48ad92f 100644 --- a/salt/soctopus/files/SOCtopus.conf +++ b/salt/soctopus/files/SOCtopus.conf @@ -1,4 +1,5 @@ {%- set ip = salt['pillar.get']('static:masterip', '') %} +{%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %} [es] es_url = http://{{ip}}:9200 
@@ -20,14 +21,14 @@ grr_pass = YOURGRRPASS [hive] hive_url = https://{{ip}}/thehive/ -hive_key = YOURHIVEKEY +hive_key = {{ HIVEKEY }} hive_tlp = 3 hive_verifycert = False [misp] misp_url = YOURMISPURL misp_key = YOURMISPKEY -misp_verifycert = False +misp_verifycert = False distrib = 0 threat = 4 analysis = 0 diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index a2d2b613f..841fc32ff 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -1,4 +1,5 @@ {% set master = salt['grains.get']('master') %} +{%- set masterip = salt['pillar.get']('static:masterip', '') -%} # Trust the CA @@ -109,6 +110,7 @@ fbcrtlink: x509.certificate_managed: - signing_private_key: /etc/pki/fleet.key - CN: {{ master }} + - subjectAltName: DNS:{{ master }},IP:{{ masterip }} - days_remaining: 0 - days_valid: 3650 - backup: True diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index ea29c69a0..48106a83a 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -72,7 +72,7 @@ suriconfigsync: so-suricata: docker_container.running: - - image: soshybridhunter/so-suricata:HH1.0.6 + - image: soshybridhunter/so-suricata:HH1.0.7 - privileged: True - environment: - INTERFACE={{ interface }} diff --git a/salt/top.sls b/salt/top.sls index bd917428e..2a34c7548 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -44,6 +44,7 @@ base: - filebeat - utility - schedule + - soctopus 'G@role:so-master': @@ -64,6 +65,7 @@ base: - utility - schedule - fleet + - soctopus # Storage node logic diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index ac05f1984..4e5c136b5 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -58,7 +58,7 @@ wazuhagentregister: so-wazuh: docker_container.running: - - image: soshybridhunter/so-wazuh:HH1.0.5 + - image: soshybridhunter/so-wazuh:HH1.0.7 - hostname: {{HOSTNAME}}-wazuh-manager - name: so-wazuh - detach: True diff --git a/so-setup-network.sh b/so-setup-network.sh index 1643d3e42..dde654eb3 100644 --- a/so-setup-network.sh 
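Review bot: `hive_key = {{ HIVEKEY }}` turns SOCtopus.conf from a file holding a placeholder into one carrying the API key of the `admin`-role user that hive_init.sh creates, and the state that renders this template onto the host is not in this diff. Whichever state that is should set a restrictive `mode` and owner on the rendered file, since anyone who can read it gets full TheHive access. The `misp_verifycert = False` line changes only in trailing whitespace and can be dropped from the commit.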
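Review bot: The new `- subjectAltName: DNS:{{ master }},IP:{{ masterip }}` renders as `IP:` with no address when `static:masterip` is absent from pillar, because the `set` added in the first hunk defaults it to `''`, and the x509 state will then most likely fail on a malformed SAN rather than in an obvious way. Either drop the `''` default so a missing pillar key surfaces as a rendering error, or wrap the IP entry in a Jinja `{% if masterip %}` guard. The certificate state that the line belongs to begins outside the hunk.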
+++ b/so-setup-network.sh @@ -427,6 +427,7 @@ generate_passwords(){ # Generate Random Passwords for Things MYSQLPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) + HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) } get_filesystem_nsm(){ @@ -588,6 +589,9 @@ master_static() { echo " broversion: $BROVERSION" >> /opt/so/saltstack/pillar/static.sls echo " ids: $NIDS" >> /opt/so/saltstack/pillar/static.sls echo " masterip: $MAINIP" >> /opt/so/saltstack/pillar/static.sls + echo " hiveuser: hiveadmin" >> /opt/so/saltstack/pillar/static.sls + echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls + echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls if [[ $MASTERUPDATES == 'MASTER' ]]; then echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls else
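Review bot: `hivepassword: hivechangeme` writes a fixed, publicly known admin password into the pillar, and hive_init.sh in this commit uses it to create TheHive's `admin`-role user, while the `HIVEKEY` added to `generate_passwords` in the first hunk is random. Generate the password the same way, `HIVEPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)` alongside the other passwords, put `$HIVEPASS` in place of the literal in the `hivepassword` echo, and show it to the installer the way so-fleet-setup.sh prints its credentials at the end. Both `generate_passwords` and `master_static` begin and end outside their hunks.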