From 9df8ccac7b395289f8b1567c01bd088375d35c6e Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 26 Mar 2019 20:26:57 -0400 Subject: [PATCH 01/19] Add masterhostname & masterip to fleet.crt as SAN --- salt/ssl/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index a2d2b613f..841fc32ff 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -1,4 +1,5 @@ {% set master = salt['grains.get']('master') %} +{%- set masterip = salt['pillar.get']('static:masterip', '') -%} # Trust the CA @@ -109,6 +110,7 @@ fbcrtlink: x509.certificate_managed: - signing_private_key: /etc/pki/fleet.key - CN: {{ master }} + - subjectAltName: DNS:{{ master }},IP:{{ masterip }} - days_remaining: 0 - days_valid: 3650 - backup: True From d19d541e325e392899205ca560bdb1e510661eba Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 27 Mar 2019 08:39:59 -0400 Subject: [PATCH 02/19] Copy over so-fleet-setup.sh --- salt/fleet/init.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index f3a844ff3..6f2e298a0 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -30,6 +30,11 @@ fleetlogdir: - user: 939 - group: 939 - makedirs: True + +fleetsetupscript: + file.managed: + - name: /opt/so/conf/fleet/so-fleet-setup.sh + - source: salt://fleet/so-fleet-setup.sh fleetdb: mysql_database.present: From b84b356c226179f008d212ecba158871b2004043 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 27 Mar 2019 08:40:35 -0400 Subject: [PATCH 03/19] Create so-fleet-setup.sh --- salt/fleet/so-fleet-setup.sh | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 salt/fleet/so-fleet-setup.sh diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh new file mode 100644 index 000000000..41fdf854a --- /dev/null +++ b/salt/fleet/so-fleet-setup.sh 
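Review bot: `- subjectAltName: DNS:{{ master }},IP:{{ masterip }}` renders to a bare `IP:` entry whenever the `static:masterip` pillar is missing, because the `pillar.get` added in the first hunk defaults it to `''`, and a malformed SAN is the kind of input that makes the certificate state fail on a minion that does not carry that pillar. Guard the entry on the value: `- subjectAltName: DNS:{{ master }}{% if masterip %},IP:{{ masterip }}{% endif %}`. Note that the only client of fleet.crt on this page, so-fleet-setup.sh, still passes `--tls-skip-verify` to fleetctl, so nothing here yet exercises the new SAN.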
@@ -0,0 +1,27 @@ +#so-fleet-setup.sh $MasterIP $FleetEmail + +initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo) + +docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify +docker exec so-fleet fleetctl setup --email $2 --password $initpw + +docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml +docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml +docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml +docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml + +esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret) + +#Concat fleet.crt & ca.crt - this is required for launcher connectivity +cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/fleet-launcher.crt + +#Create the output directory +mkdir /opt/so/osquery + +docker run \ + --mount type=bind,source=/opt/so/osquery,target=/output \ + --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/fleet-launcher.crt \ + defensivedepth/soq-launcher "$esecret" "$1" + +echo "Fleet Setup Complete - Login here: https://$1" +echo "Your username is $2 and your password is $initpw" From 4f15e14cc2ba15ebfe2a3ae9266f43321ec08bd1 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 28 Mar 2019 14:24:17 +0000 Subject: [PATCH 04/19] TheHive: Add initial user --- salt/hive/thehive/files/hive_init.sh | 37 ++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100755 salt/hive/thehive/files/hive_init.sh diff --git a/salt/hive/thehive/files/hive_init.sh b/salt/hive/thehive/files/hive_init.sh new file mode 100755 index 000000000..d1893e200 --- /dev/null +++ b/salt/hive/thehive/files/hive_init.sh 
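Review bot: `initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)` seeds the initial Fleet admin password from the current epoch second, so it carries only as much entropy as the attacker's uncertainty about when setup ran — a one-day window is roughly 86,400 candidates against an admin login. The rest of this series draws secrets from `/dev/urandom` (see `FLEETPASS` in so-setup-network.sh, patch 05); use the same form: `initpw=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)`. Separately, the enroll secret and password are handed to `fleetctl` and `docker run` as command-line arguments and the password is echoed on the last line, so they land in process listings and terminal scrollback; that is tolerable for a one-time setup script but deserves a comment above `initpw` saying so. Finally, fleetctl is configured with `--tls-skip-verify` even though the script itself concatenates `/etc/pki/ca.crt`, the CA that signs fleet.crt, for the launcher; if this fleetctl version can be pointed at that CA, verification can stay on.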
@@ -0,0 +1,37 @@ +#!/bin/bash +{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{%- set HIVEUSER = salt['pillar.get']('static:hiveuser', '') %} +{%- set HIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %} +{%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %} + +hive_init(){ + + HIVE_IP="{{MASTERIP}}" + HIVE_USER="{{HIVEUSER}}" + HIVE_PASSWORD="{{HIVEPASSWORD}}" + SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf" + + # Migrate DB + curl -v -k -XPOST "https://$HIVE_IP:/thehive/api/maintenance/migrate" + + # Generate unique ID for apikey + HIVE_KEY="{{HIVEKEY}}" + + # Create intial TheHive user + curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_$USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}" + + # Update SOCtopus config with apikey value + sed -i "s/hive_key = .*/hive_key = $HIVE_KEY/" $SOCTOPUS_CONFIG + + # Check for correct authentication + #curl -v -k -H "Authorization: Bearer $HIVE_KEY" "https://$HIVE_IP/thehive/api/user/$USER" + + touch /opt/so/state/thehive.txt + +} + +if [ -f /opt/so/state/thehive.txt ]; then + exit 0 +else + hive_init +fi From fce80236de55ee4577eebc5a0747c0c73f54bfe1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 28 Mar 2019 10:40:29 -0400 Subject: [PATCH 05/19] The Hive - Wes Mods --- salt/hive/thehive/{files => scripts}/hive_init.sh | 8 ++++---- salt/soctopus/files/SOCtopus.conf | 5 +++-- so-setup-network.sh | 4 ++++ 3 files changed, 11 insertions(+), 6 deletions(-) rename salt/hive/thehive/{files => scripts}/hive_init.sh (93%) diff --git a/salt/hive/thehive/files/hive_init.sh b/salt/hive/thehive/scripts/hive_init.sh similarity index 93% rename from salt/hive/thehive/files/hive_init.sh rename to salt/hive/thehive/scripts/hive_init.sh index d1893e200..255bf0502 100755 --- a/salt/hive/thehive/files/hive_init.sh 
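Review bot: `touch /opt/so/state/thehive.txt` runs whether or not the two `curl` calls succeeded, so if TheHive is not yet answering on the first highstate the marker is still written and the initial admin user and API key are never created on a later run (the whole script is then skipped by the `-f` check at the bottom). Make the marker depend on success: run both calls with `--fail` and end the function with `... || exit 1` before the `touch`, or `touch` only in an `&&` chain. The user-creation body also interpolates `$HIVE_PASSWORD` and `$HIVE_KEY` straight into a JSON string, so a pillar value containing `"` or `\` breaks or alters the document and both secrets are visible in the process list during the call; reading the body from stdin with `-d @-` removes the process-list exposure, and the same interpolation remains in the later revisions of this line (patches 06 and 07). The migrate URL `https://$HIVE_IP:/thehive/api/maintenance/migrate` also has an empty port after the colon, which looks like a leftover from an explicit port; drop the `:`. `curl -v` on both calls prints request headers to whatever captures cmd.script output; `-s` with `--fail` is enough once the exit status is checked.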
+++ b/salt/hive/thehive/scripts/hive_init.sh @@ -5,7 +5,7 @@ {%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %} hive_init(){ - + sleep 60 HIVE_IP="{{MASTERIP}}" HIVE_USER="{{HIVEUSER}}" HIVE_PASSWORD="{{HIVEPASSWORD}}" @@ -16,16 +16,16 @@ hive_init(){ # Generate unique ID for apikey HIVE_KEY="{{HIVEKEY}}" - + # Create intial TheHive user curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_$USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}" # Update SOCtopus config with apikey value - sed -i "s/hive_key = .*/hive_key = $HIVE_KEY/" $SOCTOPUS_CONFIG + #sed -i "s/hive_key = .*/hive_key = $HIVE_KEY/" $SOCTOPUS_CONFIG # Check for correct authentication #curl -v -k -H "Authorization: Bearer $HIVE_KEY" "https://$HIVE_IP/thehive/api/user/$USER" - + touch /opt/so/state/thehive.txt } diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf index 3ce772082..1a48ad92f 100644 --- a/salt/soctopus/files/SOCtopus.conf +++ b/salt/soctopus/files/SOCtopus.conf @@ -1,4 +1,5 @@ {%- set ip = salt['pillar.get']('static:masterip', '') %} +{%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %} [es] es_url = http://{{ip}}:9200 @@ -20,14 +21,14 @@ grr_pass = YOURGRRPASS [hive] hive_url = https://{{ip}}/thehive/ -hive_key = YOURHIVEKEY +hive_key = {{ HIVEKEY }} hive_tlp = 3 hive_verifycert = False [misp] misp_url = YOURMISPURL misp_key = YOURMISPKEY -misp_verifycert = False +misp_verifycert = False distrib = 0 threat = 4 analysis = 0 diff --git a/so-setup-network.sh b/so-setup-network.sh index 1643d3e42..dde654eb3 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh 
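Review bot: `sleep 60` is a fixed wait standing in for a readiness check on TheHive; a slower host still fails the migrate call that follows, and a faster one idles for a minute on every first run. Polling the service URL is more robust, e.g. `until curl -s -k -o /dev/null "https://$HIVE_IP/thehive/"; do sleep 5; done` with a bounded retry count. The enclosing `hive_init` function continues past this hunk.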
@@ -427,6 +427,7 @@ generate_passwords(){ # Generate Random Passwords for Things MYSQLPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) + HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) } get_filesystem_nsm(){ @@ -588,6 +589,9 @@ master_static() { echo " broversion: $BROVERSION" >> /opt/so/saltstack/pillar/static.sls echo " ids: $NIDS" >> /opt/so/saltstack/pillar/static.sls echo " masterip: $MAINIP" >> /opt/so/saltstack/pillar/static.sls + echo " hiveuser: hiveadmin" >> /opt/so/saltstack/pillar/static.sls + echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls + echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls if [[ $MASTERUPDATES == 'MASTER' ]]; then echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls else From fd027cb95465aebd97c90e301b647f1de7b192bd Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 28 Mar 2019 10:55:32 -0400 Subject: [PATCH 06/19] The Hive - Fix the user creation script --- salt/hive/thehive/scripts/hive_init.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/hive/thehive/scripts/hive_init.sh b/salt/hive/thehive/scripts/hive_init.sh index 255bf0502..54c658474 100755 --- a/salt/hive/thehive/scripts/hive_init.sh +++ b/salt/hive/thehive/scripts/hive_init.sh 
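Review bot: `echo " hivepassword: hivechangeme"` in the `master_static` hunk fixes a known, identical administrator password for TheHive on every install, while `HIVEKEY` in the `generate_passwords` hunk just above is drawn from `/dev/urandom` like `MYSQLPASS` and `FLEETPASS`; hive_init.sh in this series creates an admin-role user with that password on a service bound to 0.0.0.0:9000. Generate it the same way — `HIVEPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)` in `generate_passwords` and `echo " hivepassword: $HIVEPASS" >> /opt/so/saltstack/pillar/static.sls` in `master_static` — and print it to the operator once, as so-fleet-setup.sh does for the Fleet password. The pillar file now also carries the TheHive API key; nothing on this page sets its mode, so confirming it is not world-readable on the master is worthwhile.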
@@ -18,7 +18,7 @@ hive_init(){
 HIVE_KEY="{{HIVEKEY}}"
 
 # Create intial TheHive user
-curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_$USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}"
+curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}"
 
 # Update SOCtopus config with apikey value
 #sed -i "s/hive_key = .*/hive_key = $HIVE_KEY/" $SOCTOPUS_CONFIG

From 77c90ce752bdbe4168c2304f8d1213216f2d0d84 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 28 Mar 2019 11:23:06 -0400
Subject: [PATCH 07/19] The Hive - Just scripted filed left

---
 salt/hive/init.sls                     | 5 +++++
 salt/hive/thehive/scripts/hive_init.sh | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/salt/hive/init.sls b/salt/hive/init.sls
index d0af62fc3..371e790de 100644
--- a/salt/hive/init.sls
+++ b/salt/hive/init.sls
@@ -78,3 +78,8 @@ so-thehive:
       - /opt/so/conf/hive/etc/application.conf:/opt/thehive/conf/application.conf:ro
     - port_bindings:
       - 0.0.0.0:9000:9000
+
+hivescript:
+  cmd.script:
+    - source: salt://hive/thehive/scripts/hive_init.sh
+    - template: jinja
diff --git a/salt/hive/thehive/scripts/hive_init.sh b/salt/hive/thehive/scripts/hive_init.sh
index 54c658474..cb901e36b 100755
--- a/salt/hive/thehive/scripts/hive_init.sh
+++ b/salt/hive/thehive/scripts/hive_init.sh
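Review bot: the new `hivescript` state declares neither a requisite on `so-thehive` nor a `creates`, so it depends on file order to run after the container starts and re-renders and executes the script, pillar secrets templated in, on every highstate, with only the marker check inside the script preventing a second user creation. Add `- require:` / `  - docker_container: so-thehive` and `- creates: /opt/so/state/thehive.txt` so the ordering is explicit and Salt skips the script once the marker exists instead of reporting a changed state each run.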
@@ -18,7 +18,7 @@ hive_init(){ HIVE_KEY="{{HIVEKEY}}" # Create intial TheHive user - curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}" + curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}" # Update SOCtopus config with apikey value #sed -i "s/hive_key = .*/hive_key = $HIVE_KEY/" $SOCTOPUS_CONFIG From 87fde50eb148bdbc557dad411cd5ca22cbf80d47 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 28 Mar 2019 14:46:20 -0400 Subject: [PATCH 08/19] Top.sls - Add SOCtopus as default docker to get loaded --- salt/top.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/top.sls b/salt/top.sls index bd917428e..2a34c7548 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -44,6 +44,7 @@ base: - filebeat - utility - schedule + - soctopus 'G@role:so-master': @@ -64,6 +65,7 @@ base: - utility - schedule - fleet + - soctopus # Storage node logic From 2dd6558826897b526d5aa1e6cf0411539c774146 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 1 Apr 2019 11:10:44 -0400 Subject: [PATCH 09/19] Suricata Module - Suricata 4.1.3 --- salt/suricata/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index ea29c69a0..48106a83a 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -72,7 +72,7 @@ suriconfigsync: so-suricata: docker_container.running: - - image: soshybridhunter/so-suricata:HH1.0.6 + - image: soshybridhunter/so-suricata:HH1.0.7 - privileged: True - environment: - INTERFACE={{ interface }} 
From 139f0cd281f941b87e5edad810d3b024751b67de Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 1 Apr 2019 17:22:22 -0400 Subject: [PATCH 10/19] 1.0.7 Upgrade --- salt/common/init.sls | 8 ++++---- salt/kibana/init.sls | 2 +- salt/master/init.sls | 2 +- salt/mysql/init.sls | 2 +- salt/redis/init.sls | 2 +- salt/wazuh/init.sls | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 74735a185..eadf4f142 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -103,7 +103,7 @@ nginxtmp: # Start the core docker so-core: docker_container.running: - - image: soshybridhunter/so-core:HH1.0.5 + - image: soshybridhunter/so-core:HH1.0.7 - hostname: so-core - user: socore - binds: @@ -156,7 +156,7 @@ tgrafconf: so-telegraf: docker_container.running: - - image: soshybridhunter/so-telegraf:HH1.0.4 + - image: soshybridhunter/so-telegraf:HH1.0.7 - environment: - HOST_PROC=/host/proc - HOST_ETC=/host/etc @@ -211,7 +211,7 @@ influxdbconf: so-influxdb: docker_container.running: - - image: soshybridhunter/so-influxdb:HH1.0.4 + - image: soshybridhunter/so-influxdb:HH1.0.7 - hostname: influxdb - environment: - INFLUXDB_HTTP_LOG_ENABLED=false @@ -368,7 +368,7 @@ dashboard-{{ SN }}: # Install the docker. This needs to be behind nginx at some point so-grafana: docker_container.running: - - image: soshybridhunter/so-grafana:HH1.0.4 + - image: soshybridhunter/so-grafana:HH1.0.7 - hostname: grafana - user: socore - binds: diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 3b5037336..050582c82 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -57,7 +57,7 @@ synckibanacustom: # Start the kibana docker so-kibana: docker_container.running: - - image: soshybridhunter/so-kibana:HH1.0.6 + - image: soshybridhunter/so-kibana:HH1.0.7 - hostname: kibana - user: kibana - environment: diff --git a/salt/master/init.sls b/salt/master/init.sls index 35f6c5254..8f20ef69f 100644 --- a/salt/master/init.sls 
+++ b/salt/master/init.sls @@ -49,7 +49,7 @@ acngcopyconf: # Install the apt-cacher-ng container so-aptcacherng: docker_container.running: - - image: soshybridhunter/so-acng:HH1.0.5 + - image: soshybridhunter/so-acng:HH1.0.7 - hostname: so-acng - port_bindings: - 0.0.0.0:3142:3142 diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index af80030ee..b1e875578 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -50,7 +50,7 @@ mysqldatadir: so-mysql: docker_container.running: - - image: soshybridhunter/so-mysql:HH1.0.5 + - image: soshybridhunter/so-mysql:HH1.0.7 - hostname: so-mysql - user: socore - port_bindings: diff --git a/salt/redis/init.sls b/salt/redis/init.sls index cd982a137..6dfbb473d 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -49,7 +49,7 @@ toosmooth/so-redis:test2: so-redis: docker_container.running: - - image: soshybridhunter/so-redis:HH1.0.5 + - image: soshybridhunter/so-redis:HH1.0.7 - hostname: so-redis - user: socore - port_bindings: diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index ac05f1984..4e5c136b5 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -58,7 +58,7 @@ wazuhagentregister: so-wazuh: docker_container.running: - - image: soshybridhunter/so-wazuh:HH1.0.5 + - image: soshybridhunter/so-wazuh:HH1.0.7 - hostname: {{HOSTNAME}}-wazuh-manager - name: so-wazuh - detach: True From 2bbd31c9549101b4aebf02c0b3c774ccd94a343a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 2 Apr 2019 11:21:57 -0400 Subject: [PATCH 11/19] Core Module - Update packages mapping --- salt/common/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/init.sls b/salt/common/init.sls index eadf4f142..22e36d1d2 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls 
@@ -114,6 +114,7 @@ so-core:
       - /opt/so/tmp/nginx/:/run:rw
       - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
       - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
+      - /opt/so/conf/fleet/packages:/opt/so/html/packages
     - cap_add: NET_BIND_SERVICE
     - port_bindings:
       - 80:80

From d9b8bc08c25dbe5cb5078a7f502d55b868896482 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 3 Apr 2019 12:28:58 -0400
Subject: [PATCH 12/19] update so-fleet-setup.sh for new hh-launcher docker

---
 salt/fleet/so-fleet-setup.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh
index 41fdf854a..d459df8e3 100644
--- a/salt/fleet/so-fleet-setup.sh
+++ b/salt/fleet/so-fleet-setup.sh
@@ -16,12 +16,12 @@ esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret)
 cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/fleet-launcher.crt
 
 #Create the output directory
-mkdir /opt/so/osquery
+mkdir /opt/so/conf/fleet/packages
 
 docker run \
-  --mount type=bind,source=/opt/so/osquery,target=/output \
-  --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/fleet-launcher.crt \
-  defensivedepth/soq-launcher "$esecret" "$1"
+  --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \
+  --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/launcher.crt \
+  defensivedepth/hh-launcher "$esecret" "$1":8080
 
 echo "Fleet Setup Complete - Login here: https://$1"
 echo "Your username is $2 and your password is $initpw"

From 1d0ab687e46b7ce9c474d41b96302195fa541322 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 3 Apr 2019 14:20:45 -0400
Subject: [PATCH 13/19] 1.0.7 - Update readme

---
 README.md | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 5587f3c84..12d4f48b0 100644
--- a/README.md
+++ b/README.md
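Review bot: `- /opt/so/conf/fleet/packages:/opt/so/html/packages` is mounted read-write, unlike the `:ro` certificate mounts on the two lines above it, although so-core only serves this directory through nginx; a compromised web container could then replace the osquery packages that endpoints download, and the packages page added later in this series states they are unsigned, so the files on disk are the only integrity anchor. Append `:ro`: `- /opt/so/conf/fleet/packages:/opt/so/html/packages:ro`. The path is corrected to `/opt/socore/html/packages` in patch 14 and still lacks `:ro` there.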
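Review bot: `mkdir /opt/so/conf/fleet/packages` has no `-p`, and this directory is now also a bind-mount source for so-core (patch 11) and the destination of the `osquerypackageswebpage` state (patch 17), so it will usually exist before this script runs; `mkdir` then reports an error and, without `set -e`, the script carries on regardless. Use `mkdir -p /opt/so/conf/fleet/packages`. The launcher is now built against `"$1":8080`, a port no hunk on this page binds, so presumably the so-fleet container exposes it — worth confirming, since a wrong port only surfaces when enrolled endpoints fail to connect.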
@@ -1,11 +1,22 @@ -# Security Onion Hybrid Hunter Tech Preview 1.0.6 +# Security Onion Hybrid Hunter Tech Preview 1.0.7 -### About -Hybrid Hunter is a brand new Security Onion platform with the following characteristics: -- Move from Ubuntu DEB packages to Docker images -- Support both Ubuntu 16.04 and RedHat/CentOS 7 -- Higher performance -- More centralized configuration +### Changes: +- Suricata 4.1.3 +- Updated Influxdb to 1.7.5 +- Updated Telegraf to 1.10.1 +- Grafana is now 6.0.2 +- Added support for TheHive!!! See the docs -> +- You are now forced to select interfaces during setup. If you skipped this test the install was not happy [#26](https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/26) +- Reduced the RAM usage for ES in Eval mode [#25](https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/26) +- Eval Mode setup is now choose your own adventure style +- Fresh dockers for all the things to bring everything to 1.0.7 +- New utility docker called SOctopus +- New html landing page now in dark mode + + +### Notes: +- Attempting to send a Bro event to The Hive that does not contain a source and destination IP (ex. Bro files, or X509) will result in an exception - a fix for this will be implemented in the next release. +- If attempting to pivot from Kibana, ensure that you can resolve the master via DNS -- otherwise, populate your local hosts file with an entry to point to the master. ### Warnings and Disclaimers From c16209532788dd003c39f53177818df29875796f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 3 Apr 2019 20:35:50 -0400 Subject: [PATCH 14/19] Core Module - Fix html path for osquery binaires --- salt/common/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 22e36d1d2..9ae72d360 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls 
@@ -114,7 +114,7 @@ so-core: - /opt/so/tmp/nginx/:/run:rw - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro - - /opt/so/conf/fleet/packages:/opt/so/html/packages + - /opt/so/conf/fleet/packages:/opt/socore/html/packages - cap_add: NET_BIND_SERVICE - port_bindings: - 80:80 From b11668b6010444e081f58c688fc70d7419b7007a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 4 Apr 2019 06:06:35 -0400 Subject: [PATCH 15/19] Update timestamp on packages webpage --- salt/fleet/so-fleet-setup.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh index d459df8e3..4fe2527d8 100644 --- a/salt/fleet/so-fleet-setup.sh +++ b/salt/fleet/so-fleet-setup.sh @@ -23,5 +23,8 @@ docker run \ --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/launcher.crt \ defensivedepth/hh-launcher "$esecret" "$1":8080 +#Update timestamp on packages webpage +sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html + echo "Fleet Setup Complete - Login here: https://$1" echo "Your username is $2 and your password is $initpw" From ca8a774c19130b0fe20e756fd9eb608d6b12b214 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 4 Apr 2019 06:12:34 -0400 Subject: [PATCH 16/19] Create osquery-packages.html --- salt/fleet/osquery-packages.html | 113 +++++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 salt/fleet/osquery-packages.html diff --git a/salt/fleet/osquery-packages.html b/salt/fleet/osquery-packages.html new file mode 100644 index 000000000..b30cd1343 --- /dev/null +++ b/salt/fleet/osquery-packages.html @@ -0,0 +1,113 @@ + + + +Security Onion - Hybrid Hunter + + + + + + + + + + +
+ +

Osquery Packages


+ +

Notes

+
    +
  • These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from osquery.io
  • +
  • Packages are not signed.
  • +
+

Downloads

+ + +

Known Issues

+
    +
  • None
  • +
+

+
+ + + + From 55fcb930cddd67314bcd58cb03ecf74c0ab6c6f8 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 4 Apr 2019 06:15:09 -0400 Subject: [PATCH 17/19] Add osquery-packages.html --- salt/fleet/init.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index 6f2e298a0..9986d40a9 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -35,6 +35,11 @@ fleetsetupscript: file.managed: - name: /opt/so/conf/fleet/so-fleet-setup.sh - source: salt://fleet/so-fleet-setup.sh + +osquerypackageswebpage: + file.managed: + - name: /opt/so/conf/fleet/packages/index.html + - source: salt://fleet/osquery-packages.html fleetdb: mysql_database.present: From 7607739fca7bc3b5e2a8d7c4dd2463459dde28d5 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 4 Apr 2019 07:52:12 -0400 Subject: [PATCH 18/19] Update osquery-packages.html --- salt/fleet/osquery-packages.html | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/fleet/osquery-packages.html b/salt/fleet/osquery-packages.html index b30cd1343..c94ba89b9 100644 --- a/salt/fleet/osquery-packages.html +++ b/salt/fleet/osquery-packages.html @@ -91,14 +91,14 @@ a {
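Review bot: the Notes list says `Packages are not signed.` but gives the reader no way to establish what they downloaded, and these files are served by the master's nginx, which binds port 80 (patch 11). A sentence next to that bullet such as `Download these packages only over HTTPS from this master; since they are unsigned, the TLS connection is the only integrity check.` would make the risk actionable. The markup is partly lost in this rendering, so the exact element to edit is inferred.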
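Review bot: `osquerypackageswebpage` manages `/opt/so/conf/fleet/packages/index.html` without `makedirs: True`, unlike `fleetlogdir` earlier in this file; whether the so-core bind in patch 11 creates the directory first depends on state order and Docker's bind behaviour, and so-fleet-setup.sh's `mkdir` runs only after highstate, so on a fresh master this state can fail on first apply. Add `- makedirs: True`. Patch 15's `sed` later rewrites the `Generated` line of this same file, so every subsequent highstate will restore the template and drop the timestamp unless the state also sets `- replace: False` (or the timestamp is templated in instead).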

Downloads


Known Issues

From 91d814f4eb8b13bc378cbc6530d3a34028ef1d66 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 4 Apr 2019 08:03:34 -0400
Subject: [PATCH 19/19] added pre-flight check (is so-fleet running?)

---
 salt/fleet/so-fleet-setup.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh
index 4fe2527d8..64d7fe435 100644
--- a/salt/fleet/so-fleet-setup.sh
+++ b/salt/fleet/so-fleet-setup.sh
@@ -1,5 +1,10 @@
 #so-fleet-setup.sh $MasterIP $FleetEmail
 
+if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
+  echo "so-fleet container not running... Exiting..."
+  exit 1
+fi
+
 initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
 
 docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify
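Review bot: `docker ps -q -f name=so-fleet` matches any container whose name contains `so-fleet`, because Docker's `name` filter is a pattern match rather than an exact one, so another running container with a related name would satisfy the pre-flight check while so-fleet itself is down. Testing the specific container is more reliable: `if [ "$(docker inspect -f '{{.State.Running}}' so-fleet 2>/dev/null)" != "true" ]; then`. The check also runs before `$1` and `$2` are used but neither is validated; an empty `$1` yields `--address https://:443` and the rest of the setup proceeds, so `[ $# -eq 2 ] || { echo "usage: $0 MasterIP FleetEmail"; exit 1; }` beside it would catch that.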