Merge pull request #3 from defensivedepth/launcher

Adds HH Launcher  - osquery packaging

README.md

@@ -1,11 +1,22 @@
-# Security Onion Hybrid Hunter Tech Preview 1.0.6
+# Security Onion Hybrid Hunter Tech Preview 1.0.7
 
-### About
+### Changes:
-Hybrid Hunter is a brand new Security Onion platform with the following characteristics:
+- Suricata 4.1.3
-- Move from Ubuntu DEB packages to Docker images
+- Updated Influxdb to 1.7.5
-- Support both Ubuntu 16.04 and RedHat/CentOS 7
+- Updated Telegraf to 1.10.1
-- Higher performance
+- Grafana is now 6.0.2
-- More centralized configuration
+- Added support for TheHive!!! See the docs ->
+- You are now forced to select interfaces during setup. If you skipped this test the install was not happy [#26](https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/26)
+- Reduced the RAM usage for ES in Eval mode [#25](https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/26)
+- Eval Mode setup is now choose your own adventure style
+- Fresh dockers for all the things to bring everything to 1.0.7
+- New utility docker called SOctopus
+- New html landing page now in dark mode
+
+
+### Notes:
+- Attempting to send a Bro event to The Hive that does not contain a source and destination IP (ex. Bro files, or X509) will result in an exception - a fix for this will be implemented in the next release.
+- If attempting to pivot from Kibana, ensure that you can resolve the master via DNS -- otherwise, populate your local hosts file with an entry to point to the master.
 
 ### Warnings and Disclaimers
 

salt/common/init.sls

@@ -103,7 +103,7 @@ nginxtmp:
 # Start the core docker
 so-core:
   docker_container.running:
-    - image: soshybridhunter/so-core:HH1.0.5
+    - image: soshybridhunter/so-core:HH1.0.7
     - hostname: so-core
     - user: socore
     - binds:
@@ -114,6 +114,7 @@ so-core:
       - /opt/so/tmp/nginx/:/run:rw
       - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
       - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
+      - /opt/so/conf/fleet/packages:/opt/socore/html/packages
     - cap_add: NET_BIND_SERVICE
     - port_bindings:
       - 80:80
@@ -156,7 +157,7 @@ tgrafconf:
 
 so-telegraf:
   docker_container.running:
-    - image: soshybridhunter/so-telegraf:HH1.0.4
+    - image: soshybridhunter/so-telegraf:HH1.0.7
     - environment:
       - HOST_PROC=/host/proc
       - HOST_ETC=/host/etc
@@ -211,7 +212,7 @@ influxdbconf:
 
 so-influxdb:
   docker_container.running:
-    - image: soshybridhunter/so-influxdb:HH1.0.4
+    - image: soshybridhunter/so-influxdb:HH1.0.7
     - hostname: influxdb
     - environment:
       - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -368,7 +369,7 @@ dashboard-{{ SN }}:
 # Install the docker. This needs to be behind nginx at some point
 so-grafana:
   docker_container.running:
-    - image: soshybridhunter/so-grafana:HH1.0.4
+    - image: soshybridhunter/so-grafana:HH1.0.7
     - hostname: grafana
     - user: socore
     - binds:

salt/fleet/init.sls

@@ -30,6 +30,16 @@ fleetlogdir:
     - user: 939
     - group: 939
     - makedirs: True
+    
+fleetsetupscript:
+  file.managed:
+    - name: /opt/so/conf/fleet/so-fleet-setup.sh
+    - source: salt://fleet/so-fleet-setup.sh
+    
+osquerypackageswebpage:
+  file.managed:
+    - name: /opt/so/conf/fleet/packages/index.html
+    - source: salt://fleet/osquery-packages.html
 
 fleetdb:
   mysql_database.present:

salt/fleet/osquery-packages.html

@@ -0,0 +1,113 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<title>Security Onion - Hybrid Hunter</title>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
+<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
+<style>
+* {
+  box-sizing: border-box;
+  font-family: Arial, Helvetica, sans-serif;
+	padding-left: 30px;
+	padding right: 30px;
+}
+
+body {
+  font-family: Arial, Helvetica, sans-serif;
+	background-color: #2a2a2a;
+
+}
+a {
+	color: #f2f2f2;
+	text-align: left;
+	padding: 0px;
+}
+/* Style the top navigation bar */
+.topnav {
+  overflow: hidden;
+  background-color: #333;
+	width: 1080px;
+}
+
+/* Style the topnav links */
+.topnav a {
+  float: left;
+  display: block;
+  color: #f2f2f2;
+  text-align: center;
+  padding: 14px 16px;
+  text-decoration: none;
+}
+
+/* Change color on hover */
+.topnav a:hover {
+  background-color: #ddd;
+  color: black;
+}
+
+/* Style the content */
+.content {
+  background-color: #2a2a2a;
+  padding: 10px;
+	padding-top: 20px;
+	padding-left: 60px;
+	color: #E3DBCC;
+	width: 1080px;
+}
+
+/* Style the footer */
+.footer {
+  background-color: #2a2a2a;
+  padding: 60px;
+	color: #E3DBCC;
+	width: 1080px;
+}
+</style>
+</head>
+<body>
+
+<div class="topnav">
+  <a href="/kibana/" target="_blank">Kibana</a>
+  <a href="/grafana/" target="_blank">Grafana</a>
+  <a href="/fleet/" target="_blank">Fleet</a>
+	<a href="/thehive/" target="_blank">TheHive</a>
+	<a href="/packages/" target="_blank">Osquery Binaries</a>
+	<a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ" target="_blank">FAQ</a>
+	<a href="https://www.securityonionsolutions.com" target="_blank">Security Onion Solutions</a>
+	<a href="https://blog.securityonion.net" target="_blank">Blog</a>
+</div>
+
+<div class="content">
+
+	<p><center><h1>Osquery Packages</h1></center><br>
+
+              <h2>Notes</h2>
+                <ul>
+                        <li>These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from <a href="https://osquery.io/downloads">osquery.io</a></li>
+                        <li>Packages are not signed.</li>
+	       	</ul>
+		<BR> <h2>Downloads</h2>
+                <ul>
+
+Generated: N/A
+                       <BR><BR>Packages:
+			<li><a href="/packages/launcher.msi" download="msi-launcher.msi">MSI (Windows)</a></li>
+                        <li><a href="/packages/launcher.deb" download="deb-launcher.deb">DEB (Debian)</a></li>
+                        <li><a href="/packages/launcher.rpm" download="rpm-launcher.rpm">RPM (RPM)</a></li>
+			<BR><BR>Config Files:
+	                <li><a href="/packages/launcher.flags" download="launcher.flags.txt">RPM & DEB Flag File</a></li>
+			 <li><a href="/packages/launcher-msi.flags" download="launcher-msi.flags.txt">MSI Flag File</a></li>
+		</ul>
+
+		<BR><h2>Known Issues</h2>
+		<ul>
+			<li>None</li>
+		</ul>
+	</p>
+</div>
+
+
+</body>
+</html>

salt/fleet/so-fleet-setup.sh

@@ -0,0 +1,35 @@
+#so-fleet-setup.sh $MasterIP $FleetEmail
+
+if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
+        echo "so-fleet container not running... Exiting..."
+        exit 1 
+fi
+
+initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
+
+docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify        
+docker exec so-fleet fleetctl setup --email $2 --password $initpw
+
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml
+
+esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret)
+
+#Concat fleet.crt & ca.crt  - this is required for launcher connectivity
+cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/fleet-launcher.crt
+
+#Create the output directory
+mkdir /opt/so/conf/fleet/packages
+
+docker run \
+  --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \
+  --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/launcher.crt \
+  defensivedepth/hh-launcher "$esecret" "$1":8080
+
+#Update timestamp on packages webpage
+sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
+
+echo "Fleet Setup Complete - Login here: https://$1"
+echo "Your username is $2 and your password is $initpw"

salt/hive/init.sls

@@ -78,3 +78,8 @@ so-thehive:
       - /opt/so/conf/hive/etc/application.conf:/opt/thehive/conf/application.conf:ro
     - port_bindings:
       - 0.0.0.0:9000:9000
+
+hivescript:
+  cmd.script:
+    - source: salt://hive/thehive/scripts/hive_init.sh
+    - template: jinja

salt/hive/thehive/scripts/hive_init.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{%- set HIVEUSER = salt['pillar.get']('static:hiveuser', '') %}
+{%- set HIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %}
+{%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}
+
+hive_init(){
+    sleep 60
+    HIVE_IP="{{MASTERIP}}"
+    HIVE_USER="{{HIVEUSER}}"
+    HIVE_PASSWORD="{{HIVEPASSWORD}}"
+    SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
+
+    # Migrate DB
+    curl -v -k -XPOST "https://$HIVE_IP:/thehive/api/maintenance/migrate"
+
+    # Generate unique ID for apikey
+    HIVE_KEY="{{HIVEKEY}}"
+
+    # Create intial TheHive user
+    curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}"
+
+    # Update SOCtopus config with apikey value
+    #sed -i "s/hive_key = .*/hive_key = $HIVE_KEY/" $SOCTOPUS_CONFIG
+
+    # Check for correct authentication
+    #curl -v -k -H "Authorization: Bearer $HIVE_KEY" "https://$HIVE_IP/thehive/api/user/$USER"
+
+    touch /opt/so/state/thehive.txt
+
+}
+
+if [ -f /opt/so/state/thehive.txt ]; then
+    exit 0
+else
+    hive_init
+fi

salt/kibana/init.sls

@@ -57,7 +57,7 @@ synckibanacustom:
 # Start the kibana docker
 so-kibana:
   docker_container.running:
-    - image: soshybridhunter/so-kibana:HH1.0.6
+    - image: soshybridhunter/so-kibana:HH1.0.7
     - hostname: kibana
     - user: kibana
     - environment:

salt/master/init.sls

@@ -49,7 +49,7 @@ acngcopyconf:
 # Install the apt-cacher-ng container
 so-aptcacherng:
   docker_container.running:
-    - image: soshybridhunter/so-acng:HH1.0.5
+    - image: soshybridhunter/so-acng:HH1.0.7
     - hostname: so-acng
     - port_bindings:
       - 0.0.0.0:3142:3142

salt/mysql/init.sls

@@ -50,7 +50,7 @@ mysqldatadir:
 
 so-mysql:
   docker_container.running:
-    - image: soshybridhunter/so-mysql:HH1.0.5
+    - image: soshybridhunter/so-mysql:HH1.0.7
     - hostname: so-mysql
     - user: socore
     - port_bindings:

salt/redis/init.sls

@@ -49,7 +49,7 @@ toosmooth/so-redis:test2:
 
 so-redis:
   docker_container.running:
-    - image: soshybridhunter/so-redis:HH1.0.5
+    - image: soshybridhunter/so-redis:HH1.0.7
     - hostname: so-redis
     - user: socore
     - port_bindings:

salt/soctopus/files/SOCtopus.conf

@@ -1,4 +1,5 @@
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
+{%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}
 
 [es]
 es_url = http://{{ip}}:9200
@@ -20,14 +21,14 @@ grr_pass = YOURGRRPASS
 
 [hive]
 hive_url = https://{{ip}}/thehive/
-hive_key = YOURHIVEKEY
+hive_key = {{ HIVEKEY }}
 hive_tlp = 3
 hive_verifycert = False
 
 [misp]
 misp_url = YOURMISPURL
 misp_key = YOURMISPKEY
-misp_verifycert = False 
+misp_verifycert = False
 distrib = 0
 threat = 4
 analysis = 0

salt/ssl/init.sls

@@ -1,4 +1,5 @@
 {% set master = salt['grains.get']('master') %}
+{%- set masterip = salt['pillar.get']('static:masterip', '') -%}
 
 # Trust the CA
 
@@ -109,6 +110,7 @@ fbcrtlink:
   x509.certificate_managed:
     - signing_private_key: /etc/pki/fleet.key
     - CN: {{ master }}
+    - subjectAltName: DNS:{{ master }},IP:{{ masterip }}
     - days_remaining: 0
     - days_valid: 3650
     - backup: True

salt/suricata/init.sls

@@ -72,7 +72,7 @@ suriconfigsync:
 
 so-suricata:
   docker_container.running:
-    - image: soshybridhunter/so-suricata:HH1.0.6
+    - image: soshybridhunter/so-suricata:HH1.0.7
     - privileged: True
     - environment:
       - INTERFACE={{ interface }}

salt/top.sls

@@ -44,6 +44,7 @@ base:
     - filebeat
     - utility
     - schedule
+    - soctopus
 
 
   'G@role:so-master':
@@ -64,6 +65,7 @@ base:
     - utility
     - schedule
     - fleet
+    - soctopus
 
   # Storage node logic
 

salt/wazuh/init.sls

@@ -58,7 +58,7 @@ wazuhagentregister:
 
 so-wazuh:
   docker_container.running:
-    - image: soshybridhunter/so-wazuh:HH1.0.5
+    - image: soshybridhunter/so-wazuh:HH1.0.7
     - hostname: {{HOSTNAME}}-wazuh-manager
     - name: so-wazuh
     - detach: True

so-setup-network.sh

@@ -427,6 +427,7 @@ generate_passwords(){
   # Generate Random Passwords for Things
   MYSQLPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
   FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
+  HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
 }
 
 get_filesystem_nsm(){
@@ -588,6 +589,9 @@ master_static() {
   echo "  broversion: $BROVERSION" >> /opt/so/saltstack/pillar/static.sls
   echo "  ids: $NIDS" >> /opt/so/saltstack/pillar/static.sls
   echo "  masterip: $MAINIP" >> /opt/so/saltstack/pillar/static.sls
+  echo "  hiveuser: hiveadmin" >> /opt/so/saltstack/pillar/static.sls
+  echo "  hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls
+  echo "  hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls
   if [[ $MASTERUPDATES == 'MASTER' ]]; then
     echo "  masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
   else