Merge pull request #3 from defensivedepth/launcher

Adds HH Launcher - osquery packaging
2025-12-06 09:12:45 +01:00 · 2019-04-08 13:15:13 -04:00
parent 5d2097cf77 91d814f4eb
commit e3e05133fe
17 changed files with 240 additions and 19 deletions
--- a/README.md
+++ b/README.md
@@ -1,11 +1,22 @@
-# Security Onion Hybrid Hunter Tech Preview 1.0.6
+# Security Onion Hybrid Hunter Tech Preview 1.0.7

-### About
-Hybrid Hunter is a brand new Security Onion platform with the following characteristics:
- Move from Ubuntu DEB packages to Docker images
- Support both Ubuntu 16.04 and RedHat/CentOS 7
- Higher performance
- More centralized configuration
+### Changes:
+- Suricata 4.1.3
+- Updated Influxdb to 1.7.5
+- Updated Telegraf to 1.10.1
+- Grafana is now 6.0.2
+- Added support for TheHive!!! See the docs ->
+- You are now forced to select interfaces during setup. If you skipped this test the install was not happy [#26](https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/26)
+- Reduced the RAM usage for ES in Eval mode [#25](https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/26)
+- Eval Mode setup is now choose your own adventure style
+- Fresh dockers for all the things to bring everything to 1.0.7
+- New utility docker called SOctopus
+- New html landing page now in dark mode
+
+
+### Notes:
+- Attempting to send a Bro event to The Hive that does not contain a source and destination IP (ex. Bro files, or X509) will result in an exception - a fix for this will be implemented in the next release.
+- If attempting to pivot from Kibana, ensure that you can resolve the master via DNS -- otherwise, populate your local hosts file with an entry to point to the master.

 ### Warnings and Disclaimers

--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -103,7 +103,7 @@ nginxtmp:
 # Start the core docker
 so-core:
  docker_container.running:
-    - image: soshybridhunter/so-core:HH1.0.5
+    - image: soshybridhunter/so-core:HH1.0.7
    - hostname: so-core
    - user: socore
    - binds:
@@ -114,6 +114,7 @@ so-core:
      - /opt/so/tmp/nginx/:/run:rw
      - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
      - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
+      - /opt/so/conf/fleet/packages:/opt/socore/html/packages
    - cap_add: NET_BIND_SERVICE
    - port_bindings:
      - 80:80
@@ -156,7 +157,7 @@ tgrafconf:

 so-telegraf:
  docker_container.running:
-    - image: soshybridhunter/so-telegraf:HH1.0.4
+    - image: soshybridhunter/so-telegraf:HH1.0.7
    - environment:
      - HOST_PROC=/host/proc
      - HOST_ETC=/host/etc
@@ -211,7 +212,7 @@ influxdbconf:

 so-influxdb:
  docker_container.running:
-    - image: soshybridhunter/so-influxdb:HH1.0.4
+    - image: soshybridhunter/so-influxdb:HH1.0.7
    - hostname: influxdb
    - environment:
      - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -368,7 +369,7 @@ dashboard-{{ SN }}:
 # Install the docker. This needs to be behind nginx at some point
 so-grafana:
  docker_container.running:
-    - image: soshybridhunter/so-grafana:HH1.0.4
+    - image: soshybridhunter/so-grafana:HH1.0.7
    - hostname: grafana
    - user: socore
    - binds:
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -31,6 +31,16 @@ fleetlogdir:
    - group: 939
    - makedirs: True
    
+fleetsetupscript:
+  file.managed:
+    - name: /opt/so/conf/fleet/so-fleet-setup.sh
+    - source: salt://fleet/so-fleet-setup.sh
+    
+osquerypackageswebpage:
+  file.managed:
+    - name: /opt/so/conf/fleet/packages/index.html
+    - source: salt://fleet/osquery-packages.html
+
 fleetdb:
  mysql_database.present:
    - name: fleet
--- a/salt/fleet/osquery-packages.html
+++ b/salt/fleet/osquery-packages.html
@@ -0,0 +1,113 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<title>Security Onion - Hybrid Hunter</title>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
+<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
+<style>
+* {
+  box-sizing: border-box;
+  font-family: Arial, Helvetica, sans-serif;
+	padding-left: 30px;
+	padding right: 30px;
+}
+
+body {
+  font-family: Arial, Helvetica, sans-serif;
+	background-color: #2a2a2a;
+
+}
+a {
+	color: #f2f2f2;
+	text-align: left;
+	padding: 0px;
+}
+/* Style the top navigation bar */
+.topnav {
+  overflow: hidden;
+  background-color: #333;
+	width: 1080px;
+}
+
+/* Style the topnav links */
+.topnav a {
+  float: left;
+  display: block;
+  color: #f2f2f2;
+  text-align: center;
+  padding: 14px 16px;
+  text-decoration: none;
+}
+
+/* Change color on hover */
+.topnav a:hover {
+  background-color: #ddd;
+  color: black;
+}
+
+/* Style the content */
+.content {
+  background-color: #2a2a2a;
+  padding: 10px;
+	padding-top: 20px;
+	padding-left: 60px;
+	color: #E3DBCC;
+	width: 1080px;
+}
+
+/* Style the footer */
+.footer {
+  background-color: #2a2a2a;
+  padding: 60px;
+	color: #E3DBCC;
+	width: 1080px;
+}
+</style>
+</head>
+<body>
+
+<div class="topnav">
+  <a href="/kibana/" target="_blank">Kibana</a>
+  <a href="/grafana/" target="_blank">Grafana</a>
+  <a href="/fleet/" target="_blank">Fleet</a>
+	<a href="/thehive/" target="_blank">TheHive</a>
+	<a href="/packages/" target="_blank">Osquery Binaries</a>
+	<a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ" target="_blank">FAQ</a>
+	<a href="https://www.securityonionsolutions.com" target="_blank">Security Onion Solutions</a>
+	<a href="https://blog.securityonion.net" target="_blank">Blog</a>
+</div>
+
+<div class="content">
+
+	<p><center><h1>Osquery Packages</h1></center><br>
+
+              <h2>Notes</h2>
+                <ul>
+                        <li>These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from <a href="https://osquery.io/downloads">osquery.io</a></li>
+                        <li>Packages are not signed.</li>
+	       	</ul>
+		<BR> <h2>Downloads</h2>
+                <ul>
+
+Generated: N/A
+                       <BR><BR>Packages:
+			<li><a href="/packages/launcher.msi" download="msi-launcher.msi">MSI (Windows)</a></li>
+                        <li><a href="/packages/launcher.deb" download="deb-launcher.deb">DEB (Debian)</a></li>
+                        <li><a href="/packages/launcher.rpm" download="rpm-launcher.rpm">RPM (RPM)</a></li>
+			<BR><BR>Config Files:
+	                <li><a href="/packages/launcher.flags" download="launcher.flags.txt">RPM & DEB Flag File</a></li>
+			 <li><a href="/packages/launcher-msi.flags" download="launcher-msi.flags.txt">MSI Flag File</a></li>
+		</ul>
+
+		<BR><h2>Known Issues</h2>
+		<ul>
+			<li>None</li>
+		</ul>
+	</p>
+</div>
+
+
+</body>
+</html>
--- a/salt/fleet/so-fleet-setup.sh
+++ b/salt/fleet/so-fleet-setup.sh
@@ -0,0 +1,35 @@
+#so-fleet-setup.sh $MasterIP $FleetEmail
+
+if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
+        echo "so-fleet container not running... Exiting..."
+        exit 1 
+fi
+
+initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
+
+docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify        
+docker exec so-fleet fleetctl setup --email $2 --password $initpw
+
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml
+
+esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret)
+
+#Concat fleet.crt & ca.crt  - this is required for launcher connectivity
+cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/fleet-launcher.crt
+
+#Create the output directory
+mkdir /opt/so/conf/fleet/packages
+
+docker run \
+  --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \
+  --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/launcher.crt \
+  defensivedepth/hh-launcher "$esecret" "$1":8080
+
+#Update timestamp on packages webpage
+sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
+
+echo "Fleet Setup Complete - Login here: https://$1"
+echo "Your username is $2 and your password is $initpw"
--- a/salt/hive/init.sls
+++ b/salt/hive/init.sls
@@ -78,3 +78,8 @@ so-thehive:
      - /opt/so/conf/hive/etc/application.conf:/opt/thehive/conf/application.conf:ro
    - port_bindings:
      - 0.0.0.0:9000:9000
+
+hivescript:
+  cmd.script:
+    - source: salt://hive/thehive/scripts/hive_init.sh
+    - template: jinja
--- a/salt/hive/thehive/scripts/hive_init.sh
+++ b/salt/hive/thehive/scripts/hive_init.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{%- set HIVEUSER = salt['pillar.get']('static:hiveuser', '') %}
+{%- set HIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %}
+{%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}
+
+hive_init(){
+    sleep 60
+    HIVE_IP="{{MASTERIP}}"
+    HIVE_USER="{{HIVEUSER}}"
+    HIVE_PASSWORD="{{HIVEPASSWORD}}"
+    SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
+
+    # Migrate DB
+    curl -v -k -XPOST "https://$HIVE_IP:/thehive/api/maintenance/migrate"
+
+    # Generate unique ID for apikey
+    HIVE_KEY="{{HIVEKEY}}"
+
+    # Create intial TheHive user
+    curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}"
+
+    # Update SOCtopus config with apikey value
+    #sed -i "s/hive_key = .*/hive_key = $HIVE_KEY/" $SOCTOPUS_CONFIG
+
+    # Check for correct authentication
+    #curl -v -k -H "Authorization: Bearer $HIVE_KEY" "https://$HIVE_IP/thehive/api/user/$USER"
+
+    touch /opt/so/state/thehive.txt
+
+}
+
+if [ -f /opt/so/state/thehive.txt ]; then
+    exit 0
+else
+    hive_init
+fi
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -57,7 +57,7 @@ synckibanacustom:
 # Start the kibana docker
 so-kibana:
  docker_container.running:
-    - image: soshybridhunter/so-kibana:HH1.0.6
+    - image: soshybridhunter/so-kibana:HH1.0.7
    - hostname: kibana
    - user: kibana
    - environment:
--- a/salt/master/init.sls
+++ b/salt/master/init.sls
@@ -49,7 +49,7 @@ acngcopyconf:
 # Install the apt-cacher-ng container
 so-aptcacherng:
  docker_container.running:
-    - image: soshybridhunter/so-acng:HH1.0.5
+    - image: soshybridhunter/so-acng:HH1.0.7
    - hostname: so-acng
    - port_bindings:
      - 0.0.0.0:3142:3142
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -50,7 +50,7 @@ mysqldatadir:

 so-mysql:
  docker_container.running:
-    - image: soshybridhunter/so-mysql:HH1.0.5
+    - image: soshybridhunter/so-mysql:HH1.0.7
    - hostname: so-mysql
    - user: socore
    - port_bindings:
--- a/salt/redis/init.sls
+++ b/salt/redis/init.sls
@@ -49,7 +49,7 @@ toosmooth/so-redis:test2:

 so-redis:
  docker_container.running:
-    - image: soshybridhunter/so-redis:HH1.0.5
+    - image: soshybridhunter/so-redis:HH1.0.7
    - hostname: so-redis
    - user: socore
    - port_bindings:
--- a/salt/soctopus/files/SOCtopus.conf
+++ b/salt/soctopus/files/SOCtopus.conf
@@ -1,4 +1,5 @@
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
+{%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}

 [es]
 es_url = http://{{ip}}:9200
@@ -20,7 +21,7 @@ grr_pass = YOURGRRPASS

 [hive]
 hive_url = https://{{ip}}/thehive/
-hive_key = YOURHIVEKEY
+hive_key = {{ HIVEKEY }}
 hive_tlp = 3
 hive_verifycert = False

--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -1,4 +1,5 @@
 {% set master = salt['grains.get']('master') %}
+{%- set masterip = salt['pillar.get']('static:masterip', '') -%}

 # Trust the CA

@@ -109,6 +110,7 @@ fbcrtlink:
  x509.certificate_managed:
    - signing_private_key: /etc/pki/fleet.key
    - CN: {{ master }}
+    - subjectAltName: DNS:{{ master }},IP:{{ masterip }}
    - days_remaining: 0
    - days_valid: 3650
    - backup: True
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -72,7 +72,7 @@ suriconfigsync:

 so-suricata:
  docker_container.running:
-    - image: soshybridhunter/so-suricata:HH1.0.6
+    - image: soshybridhunter/so-suricata:HH1.0.7
    - privileged: True
    - environment:
      - INTERFACE={{ interface }}
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -44,6 +44,7 @@ base:
    - filebeat
    - utility
    - schedule
+    - soctopus


  'G@role:so-master':
@@ -64,6 +65,7 @@ base:
    - utility
    - schedule
    - fleet
+    - soctopus

  # Storage node logic

--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -58,7 +58,7 @@ wazuhagentregister:

 so-wazuh:
  docker_container.running:
-    - image: soshybridhunter/so-wazuh:HH1.0.5
+    - image: soshybridhunter/so-wazuh:HH1.0.7
    - hostname: {{HOSTNAME}}-wazuh-manager
    - name: so-wazuh
    - detach: True
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -427,6 +427,7 @@ generate_passwords(){
  # Generate Random Passwords for Things
  MYSQLPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
  FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
+  HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
 }

 get_filesystem_nsm(){
@@ -588,6 +589,9 @@ master_static() {
  echo "  broversion: $BROVERSION" >> /opt/so/saltstack/pillar/static.sls
  echo "  ids: $NIDS" >> /opt/so/saltstack/pillar/static.sls
  echo "  masterip: $MAINIP" >> /opt/so/saltstack/pillar/static.sls
+  echo "  hiveuser: hiveadmin" >> /opt/so/saltstack/pillar/static.sls
+  echo "  hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls
+  echo "  hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls
  if [[ $MASTERUPDATES == 'MASTER' ]]; then
    echo "  masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
  else