diff --git a/files/firewall/assigned_hostgroups.local.map.yaml b/files/firewall/assigned_hostgroups.local.map.yaml index 3f30fc367..9a758161c 100644 --- a/files/firewall/assigned_hostgroups.local.map.yaml +++ b/files/firewall/assigned_hostgroups.local.map.yaml @@ -1,8 +1,8 @@ -{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %} -{% set default_portgroups = default_portgroups.firewall.aliases.ports %} +{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %} +{% set default_portgroups = default_portgroups.firewall.ports %} {% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %} -{% if local_portgroups.firewall.aliases.ports %} - {% set local_portgroups = local_portgroups.firewall.aliases.ports %} +{% if local_portgroups.firewall.ports %} + {% set local_portgroups = local_portgroups.firewall.ports %} {% else %} {% set local_portgroups = {} %} {% endif %} diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml index 5e16461a4..c4ebc3613 100644 --- a/files/firewall/hostgroups.local.yaml +++ b/files/firewall/hostgroups.local.yaml @@ -40,10 +40,6 @@ firewall: ips: delete: insert: - minion: - ips: - delete: - insert: node: ips: delete: @@ -67,4 +63,4 @@ firewall: syslog: ips: delete: - insert: \ No newline at end of file + insert: diff --git a/files/firewall/portgroups.local.yaml b/files/firewall/portgroups.local.yaml index 300d2ecda..8b37ee951 100644 --- a/files/firewall/portgroups.local.yaml +++ b/files/firewall/portgroups.local.yaml @@ -1,3 +1,2 @@ firewall: - aliases: - ports: \ No newline at end of file + ports: diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml index 62395830f..86e4c0ee8 100644 --- a/salt/bpf/soc_bpf.yaml +++ b/salt/bpf/soc_bpf.yaml 
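Review bot: `{% if local_portgroups.firewall.ports %}` now reads the new key layout from `firewall/portgroups.local.yaml`, and the identical expression is introduced in `salt/firewall/map.jinja` in the last hunk on this page. On an existing install whose local file still carries the previous `aliases: ports:` nesting the lookup presumably renders as undefined, the `else` branch assigns `{}`, and every locally defined port group drops out of the firewall without any error; if the upgrade rewrites that file this is fine, otherwise an explicit migration step or a render-time failure on the old key is safer than the silent fallback. The new default file `firewall/ports/ports.yaml` referenced by `import_yaml` does not appear in the hunks visible here, so I take it on trust that it is added elsewhere in the commit.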
@@ -1,7 +1,10 @@ bpf: pcap: description: List of BPF filters to apply to PCAP. + helpLink: bpf.html suricata: description: List of BPF filters to apply to Suricata. + helpLink: bpf.html zeek: description: List of BPF filters to apply to Zeek. + helpLink: bpf.html diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index 6738126df..146a4b644 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow 
@@ -1,142 +1,11 @@ -#!/usr/bin/env python3 +#!/usr/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. - - -import ipaddress -import textwrap -import os -import subprocess -import sys -import argparse -import re -from lxml import etree as ET -from datetime import datetime as dt -from datetime import timezone as tz - - -LOCAL_SALT_DIR='/opt/so/saltstack/local' -VALID_ROLES = { - 'a': { 'role': 'analyst','desc': 'Analyst - 80/tcp, 443/tcp' }, - 'b': { 'role': 'beats_endpoint', 'desc': 'Logstash Beat - 5044/tcp' }, - 'e': { 'role': 'elasticsearch_rest', 'desc': 'Elasticsearch REST API - 9200/tcp' }, - 'f': { 'role': 'strelka_frontend', 'desc': 'Strelka frontend - 57314/tcp' }, - 's': { 'role': 'syslog', 'desc': 'Syslog device - 514/tcp/udp' }, - 't': { 'role': 'elastic_agent_endpoint', 'desc': 'Elastic Agent endpoint - 8220/tcp,5055/tcp' } -} - - -def validate_ip_cidr(ip_cidr: str) -> bool: - try: - ipaddress.ip_address(ip_cidr) - except ValueError: - try: - ipaddress.ip_network(ip_cidr) - except ValueError: - return False - return True - - -def role_prompt() -> str: - print() - print('Choose the role for the IP or Range you would like to allow') - print() - for role in VALID_ROLES: - print(f'[{role}] - {VALID_ROLES[role]["desc"]}') - print() - role = input('Please enter your selection: ') - if role in VALID_ROLES.keys(): - return VALID_ROLES[role]['role'] - else: - print(f'Invalid role \'{role}\', please try again.', file=sys.stderr) - sys.exit(1) - - -def ip_prompt() -> str: - ip = input('Enter a single ip address or range to allow (ex: 10.10.10.10 or 10.10.0.0/16): ') - if validate_ip_cidr(ip): - return ip - else: - print(f'Invalid IP address or CIDR block \'{ip}\', please try again.', file=sys.stderr) - 
sys.exit(1) - - -def apply(role: str, ip: str) -> int: - firewall_cmd = ['so-firewall', 'includehost', role, ip] - salt_cmd = ['salt-call', 'state.apply', '-l', 'quiet', 'firewall', 'queue=True'] - print(f'Adding {ip} to the {role} role. This can take a few seconds...') - cmd = subprocess.run(firewall_cmd) - if cmd.returncode == 0: - cmd = subprocess.run(salt_cmd, stdout=subprocess.DEVNULL) - else: - return cmd.returncode - - -def main(): - if os.geteuid() != 0: - print('You must run this script as root', file=sys.stderr) - sys.exit(1) - - main_parser = argparse.ArgumentParser( - formatter_class=argparse.RawDescriptionHelpFormatter, - epilog=textwrap.dedent(f'''\ - additional information: - To use this script in interactive mode call it with no arguments - ''' - )) - - group = main_parser.add_argument_group(title='roles') - group.add_argument('-a', dest='roles', action='append_const', const=VALID_ROLES['a']['role'], help="Analyst - 80/tcp, 443/tcp") - group.add_argument('-b', dest='roles', action='append_const', const=VALID_ROLES['b']['role'], help="Logstash Beat - 5044/tcp") - group.add_argument('-e', dest='roles', action='append_const', const=VALID_ROLES['e']['role'], help="Elasticsearch REST API - 9200/tcp") - group.add_argument('-f', dest='roles', action='append_const', const=VALID_ROLES['f']['role'], help="Strelka frontend - 57314/tcp") - group.add_argument('-s', dest='roles', action='append_const', const=VALID_ROLES['s']['role'], help="Syslog device - 514/tcp/udp") - group.add_argument('-t', dest='roles', action='append_const', const=VALID_ROLES['t']['role'], help="Elastic Agent endpoint - 8220/tcp,5055/tcp") - - ip_g = main_parser.add_argument_group(title='allow') - ip_g.add_argument('-i', help="IP or CIDR block to disallow connections from, requires at least one role argument", metavar='', dest='ip') - - args = main_parser.parse_args(sys.argv[1:]) - - if args.roles is None: - role = role_prompt() - ip = ip_prompt() - try: - return_code = apply(role, ip) - 
except Exception as e: - print(f'Unexpected exception occurred: {e}', file=sys.stderr) - return_code = e.errno - sys.exit(return_code) - elif args.roles is not None and args.ip is None: - if os.environ.get('IP') is None: - main_parser.print_help() - sys.exit(1) - else: - args.ip = os.environ['IP'] - - if validate_ip_cidr(args.ip): - try: - for role in args.roles: - return_code = apply(role, args.ip) - if return_code > 0: - break - except Exception as e: - print(f'Unexpected exception occurred: {e}', file=sys.stderr) - return_code = e.errno - else: - print(f'Invalid IP address or CIDR block \'{args.ip}\', please try again.', file=sys.stderr) - return_code = 1 - - sys.exit(return_code) - - -if __name__ == '__main__': - try: - main() - except KeyboardInterrupt: - sys.exit(1) +echo "Please use the Configuration section in SOC to allow hosts" +echo "" +echo "If you need command line options on adding hosts please run so-firewall" diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index c0b028130..44ca007ff 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -507,6 +507,18 @@ valid_hostname() { [[ $hostname =~ ^[a-zA-Z0-9\-]+$ ]] && [[ $hostname != 'localhost' ]] && return 0 || return 1 } +verify_ip4() { + local ip=$1 + # Is this an IP or CIDR? + if grep -qP "^[^/]+/[^/]+$" <<< $ip; then + # Looks like a CIDR + valid_ip4_cidr_mask "$ip" + else + # We know this is not a CIDR - Is it an IP? + valid_ip4 "$ip" + fi +} + valid_ip4() { local ip=$1 diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 669d9597b..2a8aed0e7 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall 
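Review bot: The replacement so-allow prints a pointer to the SOC configuration page and then exits 0, so any automation that still invokes `so-allow -a -i ...` receives a success status although no host was allowed. Ending the stub with `exit 1` after the echoes makes the removal visible to callers, and sending the messages to stderr (`>&2`) keeps them out of captured output. The shebang `#!/usr/bin/bash` assumes a merged-/usr layout; if the supported platforms all provide it this is fine, otherwise `#!/bin/bash` is the portable form, and the same applies to the new so-firewall below.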
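Review bot: `verify_ip4` decides CIDR-versus-address with `grep -qP "^[^/]+/[^/]+$" <<< $ip`, which forks grep and depends on PCRE support (`-P`) for a test bash can run itself with the same regex: `if [[ $ip =~ ^[^/]+/[^/]+$ ]]; then`. That also removes the unquoted here-string argument. The two helpers it dispatches to, `valid_ip4_cidr_mask` and `valid_ip4`, lie outside the hunk (only the header of `valid_ip4` is visible), so whether an empty or whitespace argument is rejected depends on them; a comment above the function such as `# Return 0 when $1 is a valid IPv4 address or CIDR; delegates to valid_ip4 / valid_ip4_cidr_mask and returns their status` would tell callers like so-firewall what they are getting.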
@@ -1,401 +1,102 @@ -#!/usr/bin/env python3 +#!/usr/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +. /usr/sbin/so-common -import os -import re -import subprocess -import sys -import time -import yaml +if [[ $# -lt 1 ]]; then + echo "Usage: $0 --role= --ip= --apply=" + echo "" + echo " Example: so-firewall --role=sensor --ip=192.168.254.100 --apply=true" + echo "" + exit 1 +fi -lockFile = "/tmp/so-firewall.lock" -hostgroupsFilename = "/opt/so/saltstack/local/salt/firewall/hostgroups.local.yaml" -portgroupsFilename = "/opt/so/saltstack/local/salt/firewall/portgroups.local.yaml" -defaultPortgroupsFilename = "/opt/so/saltstack/default/salt/firewall/portgroups.yaml" -supportedProtocols = ['tcp', 'udp'] -readonly = False +for i in "$@"; do + case $i in + -r=*|--role=*) + ROLE="${i#*=}" + shift + ;; + -i=*|--ip=*) + IP="${i#*=}" + shift + ;; + -a=*|--apply*) + APPLY="${i#*=}" + shift + ;; + -*|--*) + echo "Unknown option $i" + exit 1 + ;; + *) + ;; + esac +done -def showUsage(options, args): - print('Usage: {} [OPTIONS] [ARGS...]'.format(sys.argv[0])) - print(' Options:') - print(' --apply - After updating the firewall configuration files, apply the new firewall state') - print(' --defaultports - Read port groups from default configuration files instead of local configuration.') - print('') - print(' General commands:') - print(' help - Prints this usage information.') - print(' apply - Apply the firewall state.') - print('') - print(' Host commands:') - print(' listhostgroups - Lists the known host groups.') - print(' includedhosts - Lists the IPs included in the given group. Args: ') - print(' excludedhosts - Lists the IPs excluded from the given group. 
Args: ') - print(' includehost - Includes the given IP in the given group. Args: ') - print(' excludehost - Excludes the given IP from the given group. Args: ') - print(' removehost - Removes an excluded IP from the given group. Args: ') - print(' addhostgroup - Adds a new, custom host group. Args: ') - print('') - print(' Port commands:') - print(' listportgroups - Lists the known port groups.') - print(' listports - Lists ports in the given group and protocol. Args: ') - print(' addport - Adds a PORT to the given group. Args: ') - print(' removeport - Removes a PORT from the given group. Args: ') - print(' addportgroup - Adds a new, custom port group. Args: ') - print('') - print(' Where:') - print(' GROUP_NAME - The name of an alias group (Ex: analyst)') - print(' IP - Either a single IP address (Ex: 8.8.8.8) or a CIDR block (Ex: 10.23.0.0/16).') - print(' PORT_PROTOCOL - Must be one of the following: ' + str(supportedProtocols)) - print(' PORT - Either a single numeric port (Ex: 443), or a port range (Ex: 8000:8002).') - sys.exit(1) +ROLE=${ROLE,,} +APPLY=${APPLY,,} -def checkDefaultPortsOption(options): - global portgroupsFilename - if "--defaultports" in options: - portgroupsFilename = defaultPortgroupsFilename +function rolecall() { + THEROLE=$1 + THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval heavynodes idh manager receivers searchnodes sensors standalone strelka_frontend syslog" -def checkApplyOption(options): - if "--apply" in options: - return apply(None, None) + for AROLE in $THEROLES; do + if [ "$AROLE" = "$THEROLE" ]; then + return 0 + fi + done + return 1 +} -def loadYaml(filename): - global readonly +# Make sure the required options are specified +if [ -z "$ROLE" ]; then + echo "Please specify a role with --role=" + exit 1 +fi +if [ -z "$IP" ]; then + echo "Please specify an IP address with --ip=" + exit 1 +fi - file = open(filename, "r") - content = file.read() +# Are 
we dealing with a role that this script supports? +if rolecall "$ROLE"; then + echo "$ROLE is a supported role" +else + echo "This is not a supported role" + exit 1 +fi - # Remove Jinja templating (for read-only operations) - if "{%" in content or "{{" in content: - content = content.replace("{{ ssh_port }}", "22") - pattern = r'.*({%|{{|}}|%}).*' - content = re.sub(pattern, "", content) - readonly = True + # Are we dealing with an IP? +if verify_ip4 "$IP"; then + echo "$IP is a valid IP or CIDR" +else + echo "$IP is not a valid IP or CIDR" + exit 1 +fi - return yaml.safe_load(content) +local_salt_dir=/opt/so/saltstack/local/salt/firewall -def writeYaml(filename, content): - global readonly +# Let's see if the file exists and if it does, let's see if the IP exists. +if [ -f "$local_salt_dir/hostgroups/$ROLE" ]; then + if grep -q $IP "$local_salt_dir/hostgroups/$ROLE"; then + echo "Host already exists" + exit 0 + fi +fi - if readonly: - raise Exception("Cannot write yaml file that has been flagged as read-only") +# If you have reached this part of your quest then let's add the IP +echo "Adding $IP to the $ROLE role" +echo "$IP" >> $local_salt_dir/hostgroups/$ROLE - file = open(filename, "w") - return yaml.dump(content, file) - -def listHostGroups(): - content = loadYaml(hostgroupsFilename) - hostgroups = content['firewall']['hostgroups'] - if hostgroups is not None: - for group in hostgroups: - print(group) - return 0 - -def listIps(name, mode): - content = loadYaml(hostgroupsFilename) - if name not in content['firewall']['hostgroups']: - print('Host group does not exist', file=sys.stderr) - return 4 - hostgroup = content['firewall']['hostgroups'][name] - ips = hostgroup['ips'][mode] - if ips is not None: - for ip in ips: - print(ip) - return 0 - -def addIp(name, ip, mode): - content = loadYaml(hostgroupsFilename) - if name not in content['firewall']['hostgroups']: - print('Host group does not exist', file=sys.stderr) - return 4 - hostgroup = 
content['firewall']['hostgroups'][name] - ips = hostgroup['ips'][mode] - if ips is None: - ips = [] - hostgroup['ips'][mode] = ips - if ip not in ips: - ips.append(ip) - else: - print('Already exists', file=sys.stderr) - return 3 - writeYaml(hostgroupsFilename, content) - return 0 - -def removeIp(name, ip, mode, silence = False): - content = loadYaml(hostgroupsFilename) - if name not in content['firewall']['hostgroups']: - print('Host group does not exist', file=sys.stderr) - return 4 - hostgroup = content['firewall']['hostgroups'][name] - ips = hostgroup['ips'][mode] - if ips is None: - ips = [] - hostgroup['ips'][mode] = ips - if ip in ips: - ips.remove(ip) - else: - if not silence: - print('IP does not exist', file=sys.stderr) - return 3 - writeYaml(hostgroupsFilename, content) - return 0 - -def createProtocolMap(): - map = {} - for protocol in supportedProtocols: - map[protocol] = [] - return map - -def listPortGroups(): - content = loadYaml(portgroupsFilename) - portgroups = content['firewall']['aliases']['ports'] - if portgroups is not None: - for group in portgroups: - print(group) - return 0 - -def addhostgroup(options, args): - if len(args) != 1: - print('Missing host group name argument', file=sys.stderr) - showUsage(options, args) - - name = args[0] - content = loadYaml(hostgroupsFilename) - if name in content['firewall']['hostgroups']: - print('Already exists', file=sys.stderr) - return 3 - content['firewall']['hostgroups'][name] = { 'ips': { 'insert': [], 'delete': [] }} - writeYaml(hostgroupsFilename, content) - return 0 - -def listportgroups(options, args): - if len(args) != 0: - print('Unexpected arguments', file=sys.stderr) - showUsage(options, args) - checkDefaultPortsOption(options) - return listPortGroups() - -def addportgroup(options, args): - if len(args) != 1: - print('Missing port group name argument', file=sys.stderr) - showUsage(options, args) - - name = args[0] - content = loadYaml(portgroupsFilename) - ports = 
content['firewall']['aliases']['ports'] - if ports is None: - ports = {} - content['firewall']['aliases']['ports'] = ports - if name in ports: - print('Already exists', file=sys.stderr) - return 3 - ports[name] = createProtocolMap() - writeYaml(portgroupsFilename, content) - return 0 - -def listports(options, args): - if len(args) != 2: - print('Missing port group name or port protocol', file=sys.stderr) - showUsage(options, args) - - checkDefaultPortsOption(options) - name = args[0] - protocol = args[1] - if protocol not in supportedProtocols: - print('Port protocol is not supported', file=sys.stderr) - return 5 - - content = loadYaml(portgroupsFilename) - ports = content['firewall']['aliases']['ports'] - if ports is None: - ports = {} - content['firewall']['aliases']['ports'] = ports - if name not in ports: - print('Port group does not exist', file=sys.stderr) - return 3 - if protocol not in ports[name]: - print('Port group does not contain protocol', file=sys.stderr) - return 3 - ports = ports[name][protocol] - if ports is not None: - for port in ports: - print(port) - return 0 - -def addport(options, args): - if len(args) != 3: - print('Missing port group name or port protocol, or port argument', file=sys.stderr) - showUsage(options, args) - - name = args[0] - protocol = args[1] - port = args[2] - if protocol not in supportedProtocols: - print('Port protocol is not supported', file=sys.stderr) - return 5 - - content = loadYaml(portgroupsFilename) - ports = content['firewall']['aliases']['ports'] - if ports is None: - ports = {} - content['firewall']['aliases']['ports'] = ports - if name not in ports: - print('Port group does not exist', file=sys.stderr) - return 3 - ports = ports[name][protocol] - if ports is None: - ports = [] - content['firewall']['aliases']['ports'][name][protocol] = ports - if port in ports: - print('Already exists', file=sys.stderr) - return 3 - ports.append(port) - writeYaml(portgroupsFilename, content) - code = checkApplyOption(options) 
- return code - -def removeport(options, args): - if len(args) != 3: - print('Missing port group name or port protocol, or port argument', file=sys.stderr) - showUsage(options, args) - - name = args[0] - protocol = args[1] - port = args[2] - if protocol not in supportedProtocols: - print('Port protocol is not supported', file=sys.stderr) - return 5 - - content = loadYaml(portgroupsFilename) - ports = content['firewall']['aliases']['ports'] - if ports is None: - ports = {} - content['firewall']['aliases']['ports'] = ports - if name not in ports: - print('Port group does not exist', file=sys.stderr) - return 3 - ports = ports[name][protocol] - if ports is None or port not in ports: - print('Port does not exist', file=sys.stderr) - return 3 - ports.remove(port) - writeYaml(portgroupsFilename, content) - code = checkApplyOption(options) - return code - - -def listhostgroups(options, args): - if len(args) != 0: - print('Unexpected arguments', file=sys.stderr) - showUsage(options, args) - return listHostGroups() - -def includedhosts(options, args): - if len(args) != 1: - print('Missing host group name argument', file=sys.stderr) - showUsage(options, args) - return listIps(args[0], 'insert') - -def excludedhosts(options, args): - if len(args) != 1: - print('Missing host group name argument', file=sys.stderr) - showUsage(options, args) - return listIps(args[0], 'delete') - -def includehost(options, args): - if len(args) != 2: - print('Missing host group name or ip argument', file=sys.stderr) - showUsage(options, args) - result = addIp(args[0], args[1], 'insert') - if result == 0: - removeIp(args[0], args[1], 'delete', True) - code = result - if code == 0: - code = checkApplyOption(options) - return code - -def excludehost(options, args): - if len(args) != 2: - print('Missing host group name or ip argument', file=sys.stderr) - showUsage(options, args) - result = addIp(args[0], args[1], 'delete') - if result == 0: - removeIp(args[0], args[1], 'insert', True) - code = result 
- if code == 0: - code = checkApplyOption(options) - return code - -def removehost(options, args): - if len(args) != 2: - print('Missing host group name or ip argument', file=sys.stderr) - showUsage(options, args) - code = removeIp(args[0], args[1], 'delete') - if code == 0: - code = checkApplyOption(options) - return code - -def apply(options, args): - proc = subprocess.run(['salt-call', 'state.apply', 'firewall', 'queue=True']) - return proc.returncode - -def main(): - options = [] - args = sys.argv[1:] - for option in args: - if option.startswith("--"): - options.append(option) - args.remove(option) - - if len(args) == 0: - showUsage(options, None) - - commands = { - "help": showUsage, - "listhostgroups": listhostgroups, - "includedhosts": includedhosts, - "excludedhosts": excludedhosts, - "includehost": includehost, - "excludehost": excludehost, - "removehost": removehost, - "listportgroups": listportgroups, - "listports": listports, - "addport": addport, - "removeport": removeport, - "addhostgroup": addhostgroup, - "addportgroup": addportgroup, - "apply": apply - } - - code=1 - - try: - lockAttempts = 0 - maxAttempts = 30 - while lockAttempts < maxAttempts: - lockAttempts = lockAttempts + 1 - try: - f = open(lockFile, "x") - f.close() - break - except: - time.sleep(2) - - if lockAttempts == maxAttempts: - print("Lock file (" + lockFile + ") could not be created; proceeding without lock.") - - cmd = commands.get(args[0], showUsage) - code = cmd(options, args[1:]) - finally: - try: - os.remove(lockFile) - except: - print("Lock file (" + lockFile + ") already removed") - - sys.exit(code) - -if __name__ == "__main__": - main() +# Check to see if we are applying this right away. +if [ "$APPLY" = "true" ]; then + echo "Applying the firewall rules" + salt-call state.apply firewall queue=True +else + echo "Firewall rules will be applied next salt run" +fi 
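Review bot: The duplicate check `grep -q $IP "$local_salt_dir/hostgroups/$ROLE"` treats the IP as an unquoted regex and accepts substring matches, so the dots match any character and 10.1.1.1 is reported as already present when the file holds 10.1.1.10 or 110.1.1.1. A literal whole-line match fixes it, `if grep -qxF -- "$IP" "$local_salt_dir/hostgroups/$ROLE"; then`, and the append should quote its target the same way, `echo "$IP" >> "$local_salt_dir/hostgroups/$ROLE"`. The option pattern `-a=*|--apply*)` also accepts a bare `--apply`, which then stores the literal string --apply in APPLY and silently takes the "next salt run" branch; `-a=*|--apply=*)` matches the usage text. ROLE is lower-cased and checked against the fixed list in rolecall and IP goes through verify_ip4 before either is used in the path, which keeps the file name under control; I cannot see whether the hostgroups directory is created elsewhere, and a failed append currently still leaves the script exiting 0 after printing "Adding ...".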
diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index 5d9e386e8..0e1d15c5a 100644 --- a/salt/elastalert/soc_elastalert.yaml +++ b/salt/elastalert/soc_elastalert.yaml @@ -3,32 +3,41 @@ elastalert: disable_rules_on_error: description: Disable rules on failure. global: True + helpLink: elastalert.html run_every: minutes: description: Amount of time in minutes between searches. global: True + helpLink: elastalert.html buffer_time: minutes: description: Amount of time in minutes to look through. global: True + helpLink: elastalert.html old_query_limit: minutes: description: Amount of time in minutes between queries to start at the most recently run query. global: True + helpLink: elastalert.html es_conn_timeout: description: Timeout in seconds for connecting to and reading from Elasticsearch. global: True + helpLink: elastalert.html max_query_size: description: The maximum number of documents that will be downloaded from Elasticsearch in a single query. global: True + helpLink: elastalert.html alert_time_limit: days: description: The retry window for failed alerts. global: True + helpLink: elastalert.html index_settings: shards: description: The amount of shards to use for elastalert. global: True + helpLink: elastalert.html replicas: description: The amount of replicas for the Elastalert index. global: True + helpLink: elastalert.html diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 0e8faf4a2..d82c4adfa 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml 
@@ -5,43 +5,54 @@ elasticsearch: description: The name of the Security Onion Elasticsearch cluster, for identification purposes. readonly: True global: True + helpLink: elasticsearch.html routing: allocation: disk: threshold_enabled: description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster. + helpLink: elasticsearch.html watermark: low: description: The lower percentage of used disk space representing a healthy node. + helpLink: elasticsearch.html high: description: The higher percentage of used disk space representing an unhealthy node. + helpLink: elasticsearch.html flood_stage: description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events. + helpLink: elasticsearch.html script: max_compilations_rate: description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources. global: True + helpLink: elasticsearch.html indices: query: bool: max_clause_count: description: Max number of boolean clauses per query. global: True + helpLink: elasticsearch.html index_settings: so-aws: &indexSettings warm: description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch. global: True + helpLink: elasticsearch.html close: description: Age (in days) of this index before it will be closed. Once closed, events on this index cannot be retrieved without first re-opening the index. global: True + helpLink: elasticsearch.html delete: description: Age (in days) of this index before it will be deleted. Once deleted, events are permanently unrecoverable. global: True + helpLink: elasticsearch.html index_sorting: description: Sorts the index by event time, at the cost of additional processing resource consumption. 
global: True + helpLink: elasticsearch.html index_template: template: settings: @@ -51,15 +62,19 @@ elasticsearch: limit: description: Max number of fields that can exist on a single index. Larger values will consume more resources. global: True + helpLink: elasticsearch.html refresh_interval: description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation. global: True + helpLink: elasticsearch.html number_of_shards: description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs. global: True + helpLink: elasticsearch.html number_of_replicas: description: Number of replicas required for this index. Multiple replicas protects against data loss, while also increasing storage costs. global: True + helpLink: elasticsearch.html so-azure: *indexSettings so-barracuda: *indexSettings so-beats: *indexSettings diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 7f8c01910..e91859743 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -1,7 +1,7 @@ {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} -{% import_yaml 'firewall/portgroups.yaml' as portgroups %} -{% set portgroups = portgroups.firewall.aliases.ports %} -{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} +{% import_yaml 'firewall/ports/ports.yaml' as portgroups %} +{% set portgroups = portgroups.firewall.ports %} +{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %} role: eval: 
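Review bot: The fallback for the pillar key flips from False to True in `{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %}`, and the only consumer visible on this page, `{% if TRUE_CLUSTER %}` in the searchnode section further down, opens the elasticsearch_node port group to the searchnodes host group. A node whose pillar does not define the key therefore now gets that rule where it previously did not, which is the permissive direction for a missing setting. If every deployment is expected to set the key the change is harmless but deserves a comment saying so; otherwise keeping the False default, or failing the render when the key is absent, prevents a missing pillar value from widening the firewall. Whether the pillar is always populated is not visible here.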
@@ -14,32 +14,20 @@ role: - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - sensor: + sensors: portgroups: - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} - search_node: + searchnodes: portgroups: - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} - heavy_node: + heavynodes: portgroups: - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} self: portgroups: @@ -77,9 +65,6 @@ role: localhost: portgroups: - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} manager: chain: DOCKER-USER: 
@@ -90,39 +75,24 @@ role: - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} {% if ISAIRGAP is sameas true %} - {{ portgroups.agrules }} {% endif %} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - {% if ISAIRGAP is sameas true %} - - {{ portgroups.yum }} - {% endif %} - sensor: + sensors: portgroups: - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} - search_node: + searchnodes: portgroups: - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.beats_5644 }} - heavy_node: + heavynodes: portgroups: - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.beats_5644 }} self: @@ -157,9 +127,6 @@ role: localhost: portgroups: - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} managersearch: chain: DOCKER-USER: 
@@ -170,33 +137,20 @@ role: - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - - {{ portgroups.yum }} - sensor: + sensors: portgroups: - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} - search_node: + searchnodes: portgroups: - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} - heavy_node: + heavynodes: portgroups: - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} self: portgroups: 
@@ -234,46 +188,53 @@ role: localhost: portgroups: - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} standalone: chain: DOCKER-USER: hostgroups: - manager: + standalone: portgroups: - {{ portgroups.playbook }} - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: + - {{ portgroups.docker_registry }} + - {{ portgroups.sensoroni }} + - {{ portgroups.yum }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} + - {{ portgroups.endgame }} + - {{ portgroups.strelka_frontend }} + sensors: portgroups: - - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - {{ portgroups.influxdb }} - {{ portgroups.sensoroni }} - - {{ portgroups.yum }} - sensor: - portgroups: + - {{ portgroups.yum }} - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} - search_node: + searchnodes: portgroups: + - {{ portgroups.docker_registry }} + - {{ portgroups.influxdb }} + - {{ portgroups.sensoroni }} + - {{ portgroups.yum }} - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} - heavy_node: + heavynodes: portgroups: + - {{ portgroups.docker_registry }} + - {{ portgroups.influxdb }} + - {{ portgroups.sensoroni }} + - {{ portgroups.yum }} - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} self: portgroups: 
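Review bot: The new `standalone` host group list in the standalone role contains `- {{ portgroups.redis }}` and `- {{ portgroups.elasticsearch_node }}` twice, once in the original block and again in the appended block; the `sensors`, `searchnodes` and `heavynodes` lists in the same hunk each combine the former `minion` entries with their own ports, which looks intentional. The duplicates presumably render as two identical rules per port group, so dropping the second occurrence of each keeps the generated chain clean. It is also worth confirming, since it is not visible here, that the `standalone` host group resolves to the node's own address and is never empty, because rules that previously keyed on `manager` now depend on it.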
@@ -314,7 +275,16 @@ role: localhost: portgroups: - {{ portgroups.all }} - minion: + standalone: + portgroups: + - {{ portgroups.salt_manager }} + sensors: + portgroups: + - {{ portgroups.salt_manager }} + searchnodes: + portgroups: + - {{ portgroups.salt_manager }} + heavynodes: portgroups: - {{ portgroups.salt_manager }} helixsensor: @@ -328,22 +298,13 @@ role: - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - sensor: + sensors: portgroups: - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} - search_node: + searchnodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.elasticsearch_node }} @@ -367,9 +328,6 @@ role: localhost: portgroups: - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} searchnode: chain: DOCKER-USER: @@ -386,7 +344,7 @@ role: portgroups: - {{ portgroups.elasticsearch_rest }} {% if TRUE_CLUSTER %} - search_node: + searchnodes: portgroups: - {{ portgroups.elasticsearch_node }} {% endif %} @@ -468,15 +426,11 @@ role: - {{ portgroups.influxdb }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - minion: - portgroups: - - {{ portgroups.docker_registry }} - - {{ portgroups.sensoroni }} - sensor: + sensors: portgroups: - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} - search_node: + searchnodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.elasticsearch_node }} 
@@ -503,18 +457,14 @@ role: localhost: portgroups: - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} - receiver: chain: DOCKER-USER: hostgroups: - sensor: + sensors: portgroups: - {{ portgroups.beats_5644 }} - search_node: + searchnodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.beats_5644 }} diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml index 778912911..d34a4bc0d 100644 --- a/salt/firewall/hostgroups.yaml +++ b/salt/firewall/hostgroups.yaml @@ -20,4 +20,4 @@ firewall: ips: delete: insert: - - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} \ No newline at end of file + - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} diff --git a/salt/firewall/portgroups/analyst b/salt/firewall/hostgroups/beats_endpoint similarity index 100% rename from salt/firewall/portgroups/analyst rename to salt/firewall/hostgroups/beats_endpoint diff --git a/salt/firewall/portgroups/analyst_workstations b/salt/firewall/hostgroups/beats_endpoint_ssl similarity index 100% rename from salt/firewall/portgroups/analyst_workstations rename to salt/firewall/hostgroups/beats_endpoint_ssl diff --git a/salt/firewall/portgroups/eval b/salt/firewall/hostgroups/elastic_agent_endpoint similarity index 100% rename from salt/firewall/portgroups/eval rename to salt/firewall/hostgroups/elastic_agent_endpoint diff --git a/salt/firewall/portgroups/heavynodes b/salt/firewall/hostgroups/elasticsearch_rest similarity index 100% rename from salt/firewall/portgroups/heavynodes rename to salt/firewall/hostgroups/elasticsearch_rest 
diff --git a/salt/firewall/portgroups/idh b/salt/firewall/hostgroups/endgame similarity index 100% rename from salt/firewall/portgroups/idh rename to salt/firewall/hostgroups/endgame diff --git a/salt/firewall/portgroups/manager b/salt/firewall/hostgroups/strelka_frontend similarity index 100% rename from salt/firewall/portgroups/manager rename to salt/firewall/hostgroups/strelka_frontend diff --git a/salt/firewall/portgroups/receivers b/salt/firewall/hostgroups/syslog similarity index 100% rename from salt/firewall/portgroups/receivers rename to salt/firewall/hostgroups/syslog diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 1d6ba350f..42aad75c6 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -144,4 +144,4 @@ iptables_drop_all_the_things: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index 2c7d03225..1ec3271c4 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja @@ -1,11 +1,11 @@ {% set role = grains.id.split('_') | last %} {% set translated_pillar_assigned_hostgroups = {} %} -{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %} -{% set default_portgroups = default_portgroups.firewall.aliases.ports %} +{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %} +{% set default_portgroups = default_portgroups.firewall.ports %} {% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %} -{% if local_portgroups.firewall.aliases.ports %} - {% set local_portgroups = local_portgroups.firewall.aliases.ports %} +{% if local_portgroups.firewall.ports %} + {% set local_portgroups = local_portgroups.firewall.ports %} {% else %} {% set local_portgroups = {} %} {% endif %} 
@@ -13,7 +13,33 @@ {% set defined_portgroups = portgroups %} {% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %} -{% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %} +{#% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %#} +{% set local_hostgroups = {'firewall': {'hostgroups': {}}} %} +{% set hostgroup_list = [ + 'analyst', + 'analyst_workstations', + 'eval', + 'heavynodes', + 'idh', + 'manager', + 'receivers', + 'searchnodes', + 'sensors', + 'standalone', + 'beats_endpoint', + 'beats_endpoint_ssl', + 'elasticsearch_rest', + 'elastic_agent_endpoint', + 'endgame', + 'strelka_frontend', + 'syslog' + ] +%} +{% for hg in hostgroup_list %} +{% import_text 'firewall/hostgroups/' ~ hg as hg_ips %} +{% do local_hostgroups.firewall.hostgroups.update({hg: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %} +{% endfor %} + {% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %} {# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #} diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml deleted file mode 100644 index a2780270d..000000000 --- a/salt/firewall/portgroups.yaml +++ /dev/null 
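Review bot: Commenting out `import_yaml 'firewall/hostgroups.local.yaml'` and rebuilding `local_hostgroups` purely from the per-hostgroup text files means any IPs or `delete:` entries an operator had placed in hostgroups.local.yaml silently stop being applied, and `delete` is now always `[]`; if that file is retired, remove the dead `{#% … %#}` line and the file rather than leaving a disabled import that looks temporary. `hg_ips.split()` takes whatever tokens the SOC-editable hostgroup files contain (they are exposed as `file: True` settings in soc_firewall.yaml) with no check that each is an IP or CIDR, so unless so-firewall validates on write a stray token reaches the iptables rule and the state apply fails; at minimum note it with `{# hg_ips is operator-edited via SOC; tokens are not validated here #}`. I believe `import_text` aborts rendering when a file is missing, so every name in `hostgroup_list` needs a shipped file under `salt/firewall/hostgroups/`, and the files for `analyst` through `standalone` are not visible in this diff. The list also has to be kept in step with the hostgroup entries in soc_firewall.yaml by hand; a comment saying so above `hostgroup_list` would help the next person who adds one.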
@@ -1,116 +0,0 @@ -{% if grains.role == 'so-idh' %} - {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %} - {% from 'idh/openssh/map.jinja' import openssh_map %} - {% set idh_services = salt['pillar.get']('idh:services', []) %} - {% set ssh_port = openssh_map.config.port %} -{% else %} - {% set ssh_port = 22 %} -{% endif %} - -firewall: - aliases: - ports: - all: - tcp: - - '0:65535' - udp: - - '0:65535' - acng: - tcp: - - 3142 - agrules: - tcp: - - 7788 - beats_5044: - tcp: - - 5044 - beats_5644: - tcp: - - 5644 - beats_5066: - tcp: - - 5066 - cortex: - tcp: - - 9001 - cortex_es_node: - tcp: - - 9500 - cortex_es_rest: - tcp: - - 9400 - docker_registry: - tcp: - - 5000 - elasticsearch_node: - tcp: - - 9300 - elasticsearch_rest: - tcp: - - 9200 - elastic_agent_control: - tcp: - - 8220 - elastic_agent_data: - tcp: - - 5055 - endgame: - tcp: - - 3765 - influxdb: - tcp: - - 8086 - kibana: - tcp: - - 5601 - minio: - tcp: - - 9595 - mysql: - tcp: - - 3306 - nginx: - tcp: - - 80 - - 443 - playbook: - tcp: - - 3200 - redis: - tcp: - - 6379 - - 9696 - salt_manager: - tcp: - - 4505 - - 4506 - sensoroni: - tcp: - - 443 - ssh: - tcp: - - {{ ssh_port }} - strelka_frontend: - tcp: - - 57314 - syslog: - tcp: - - 514 - udp: - - 514 - yum: - tcp: - - 443 - -{% if idh_services is defined %} - {% for service in idh_services %} - {% if service in ["smnp","ntp", "tftp"] %} - {% set proto = 'udp' %} - {% else %} - {% set proto = 'tcp' %} - {% endif %} - idh_{{service}}: - {{proto}}: - - {{ OPENCANARYCONFIG[service~'.port'] }} - {% endfor %} -{% endif %} diff --git a/salt/firewall/portgroups/portgroups.yaml b/salt/firewall/portgroups/portgroups.yaml new file mode 100644 index 000000000..331b5e3f2 --- /dev/null +++ b/salt/firewall/portgroups/portgroups.yaml 
@@ -0,0 +1,552 @@ +role: + eval: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: + - playbook + - mysql + - kibana + - redis + - minio + - influxdb + - cortex + - elasticsearch_rest + - elasticsearch_node + - cortex_es_rest + - cortex_es_node + minion: + portgroups: + - acng + - docker_registry + - influxdb + - sensoroni + sensor: + portgroups: + - beats_5044 + - beats_5644 + search_node: + portgroups: + - redis + - minio + - elasticsearch_node + heavy_node: + portgroups: + - redis + - minio + - elasticsearch_node + self: + portgroups: + - syslog + beats_endpoint: + portgroups: + - beats_5044 + beats_endpoint_ssl: + portgroups: + - beats_5644 + elasticsearch_rest: + portgroups: + - elasticsearch_rest + elastic_agent_endpoint: + portgroups: + - elastic_agent_control + - elastic_agent_data + strelka_frontend: + portgroups: + - strelka_frontend + syslog: + portgroups: + - syslog + analyst: + portgroups: + - nginx + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + minion: + portgroups: + - salt_manager + manager: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: + - playbook + - mysql + - kibana + - redis + - minio + - influxdb + - cortex + - elasticsearch_rest + - elasticsearch_node + - cortex_es_rest + - cortex_es_node + minion: + portgroups: + - acng + - docker_registry + - influxdb + - sensoroni + - yum + sensor: + portgroups: + - beats_5044 + - beats_5644 + search_node: + portgroups: + - redis + - minio + - elasticsearch_node + - beats_5644 + heavy_node: + portgroups: + - redis + - minio + - elasticsearch_node + - beats_5644 + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog + beats_endpoint: + portgroups: + - beats_5044 + beats_endpoint_ssl: + portgroups: + - beats_5644 + elasticsearch_rest: + portgroups: + - elasticsearch_rest + endgame: + portgroups: + - endgame + analyst: + portgroups: + - nginx + INPUT: + hostgroups: + anywhere: + 
portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + minion: + portgroups: + - salt_manager + managersearch: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: + - playbook + - mysql + - kibana + - redis + - minio + - influxdb + - cortex + - elasticsearch_rest + - elasticsearch_node + - cortex_es_rest + - cortex_es_node + minion: + portgroups: + - acng + - docker_registry + - influxdb + - sensoroni + - yum + sensor: + portgroups: + - beats_5044 + - beats_5644 + search_node: + portgroups: + - redis + - minio + - elasticsearch_node + heavy_node: + portgroups: + - redis + - minio + - elasticsearch_node + self: + portgroups: + - syslog}} + beats_endpoint: + portgroups: + - beats_5044 + beats_endpoint_ssl: + portgroups: + - beats_5644 + elasticsearch_rest: + portgroups: + - elasticsearch_rest + elastic_agent_endpoint: + portgroups: + - elastic_agent_control + - elastic_agent_data + endgame: + portgroups: + - endgame + syslog: + portgroups: + - syslog + analyst: + portgroups: + - nginx + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + minion: + portgroups: + - salt_manager + standalone: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: + - playbook + - mysql + - kibana + - redis + - minio + - influxdb + - cortex + - elasticsearch_rest + - elasticsearch_node + - cortex_es_rest + - cortex_es_node + minion: + portgroups: + - acng + - docker_registry + - influxdb + - sensoroni + - yum + sensor: + portgroups: + - beats_5044 + - beats_5644 + search_node: + portgroups: + - redis + - minio + - elasticsearch_node + heavy_node: + portgroups: + - redis + - minio + - elasticsearch_node + self: + portgroups: + - syslog}} + beats_endpoint: + portgroups: + - beats_5044 + beats_endpoint_ssl: + portgroups: + - beats_5644 + elasticsearch_rest: + portgroups: + - elasticsearch_rest + elastic_agent_endpoint: + portgroups: + - elastic_agent_control + - 
elastic_agent_data + endgame: + portgroups: + - endgame + strelka_frontend: + portgroups: + - strelka_frontend + syslog: + portgroups: + - syslog + analyst: + portgroups: + - nginx + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + minion: + portgroups: + - salt_manager + helixsensor: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: + - playbook + - mysql + - kibana + - redis + - influxdb + - cortex + - elasticsearch_rest + - elasticsearch_node + - cortex_es_rest + - cortex_es_node + minion: + portgroups: + - acng + - docker_registry + - influxdb + - sensoroni + sensor: + portgroups: + - beats_5044 + - beats_5644 + search_node: + portgroups: + - redis + - elasticsearch_node + self: + portgroups: + - syslog}} + beats_endpoint: + portgroups: + - beats_5044 + analyst: + portgroups: + - nginx + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + minion: + portgroups: + - salt_manager + searchnode: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: + - elasticsearch_node + - elasticsearch_rest + dockernet: + portgroups: + - elasticsearch_node + - elasticsearch_rest + elasticsearch_rest: + portgroups: + - elasticsearch_rest + search_node: + portgroups: + - elasticsearch_node + self: + portgroups: + - syslog + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + sensor: + chain: + DOCKER-USER: + hostgroups: + self: + portgroups: + - syslog + strelka_frontend: + portgroups: + - strelka_frontend + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + heavynode: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: + - elasticsearch_node + - elasticsearch_rest + dockernet: + portgroups: + - elasticsearch_node + - elasticsearch_rest + 
elasticsearch_rest: + portgroups: + - elasticsearch_rest + self: + portgroups: + - syslog + strelka_frontend: + portgroups: + - strelka_frontend + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + import: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: + - kibana + - redis + - influxdb + - elasticsearch_rest + - elasticsearch_node + minion: + portgroups: + - docker_registry + - sensoroni + sensor: + portgroups: + - beats_5044 + - beats_5644 + search_node: + portgroups: + - redis + - elasticsearch_node + beats_endpoint: + portgroups: + - beats_5044 + beats_endpoint_ssl: + portgroups: + - beats_5644 + elasticsearch_rest: + portgroups: + - elasticsearch_rest + analyst: + portgroups: + - nginx + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + minion: + portgroups: + - salt_manager + + receiver: + chain: + DOCKER-USER: + hostgroups: + sensor: + portgroups: + - beats_5644 + search_node: + portgroups: + - redis + - beats_5644 + self: + portgroups: + - redis + - syslog + - beats_5644 + syslog: + portgroups: + - syslog + beats_endpoint: + portgroups: + - beats_5044 + beats_endpoint_ssl: + portgroups: + - beats_5644 + endgame: + portgroups: + - endgame + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + idh: + chain: + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + manager: + portgroups: + - ssh \ No newline at end of file diff --git a/salt/firewall/portgroups/searchnodes b/salt/firewall/portgroups/searchnodes deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/portgroups/sensors b/salt/firewall/portgroups/sensors deleted file mode 100644 index e69de29bb..000000000 
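Review bot: `- syslog}}` appears three times (the `self` hostgroup of the managersearch, standalone and helixsensor roles), a leftover from converting `{{ portgroups.syslog }}`; the stray `}}` becomes part of the portgroup name and will not resolve, so each should read `- syslog`. The hostgroup keys used throughout (`minion`, `sensor`, `search_node`, `heavy_node`, and `manager` under the standalone role) are the old names, while the assigned-hostgroup hunks above and `hostgroup_list` in map.jinja use `sensors`/`searchnodes`/`heavynodes`/`standalone`; unless hostgroups.yaml still defines the old names these entries match no hosts and the corresponding ports stay closed. Several port names referenced here (`minio`, `cortex`, `cortex_es_rest`, `cortex_es_node`, `acng`) were defined only by the deleted `salt/firewall/portgroups.yaml`, and `firewall/ports/ports.yaml` is not in my view, so please confirm it carries them. Since soc_firewall.yaml exposes this file as an editable setting, a header comment such as `# role -> chain -> hostgroup -> [portgroup]; hostgroups and ports are defined in the Host Groups and Ports settings` would tell editors what they are changing.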
diff --git a/salt/firewall/portgroups/standalone b/salt/firewall/portgroups/standalone deleted file mode 100644 index ea8f495f9..000000000 --- a/salt/firewall/portgroups/standalone +++ /dev/null @@ -1,19 +0,0 @@ -playbook -mysql -kibana -redis -influxdb -elasticsearch_rest -elasticsearch_node -docker_registry -yum -sensoroni -beats_5044 -beats_5644 -elastic_agent_control -elastic_agent_data -elasticsearch_rest -endgame -strelka_frontend -syslog -nginx \ No newline at end of file diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 02199bc79..e1e219913 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml 
@@ -5,73 +5,124 @@ firewall: file: True global: True title: Analyst Workstations + helpLink: firewall.html#host-groups analyst: description: List of IP Addresses or CIDR blocks to allow analyst connections. file: True global: True - title: Analysts + title: Analyst + helpLink: firewall.html#host-groups + beats_endpoint: + description: List of IP Addresses or CIDR blocks of standard beats without encryption. + file: True + global: True + title: Beats Endpoints + helpLink: firewall.html#host-groups + beats_endpoint_ssl: + description: List of IP Addresses or CIDR blocks of standard beats with encryption. + file: True + global: True + title: Beats Endpoints SSL + helplink: firewall.html#host-groups + elastic_agent_endpoint: + description: List of IP Addresses or CIDR blocks for Elastic Agent connections. + file: True + global: True + title: Elastic Agents + helplink: firewall.html#host-groups + elasticsearch_rest: + description: List of IP Addresses or CIDR blocks to allow access directly to Elasticsearch. + file: True + global: True + title: Elasticsearch Rest + advanced: True + helplink: firewall.html#host-groups + endgame: + description: List of IP Addresses or CIDR blocks to allow endgame access. + file: True + global: True + title: Endgame + advanced: True + helplink: firewall.html#host-groups + strelka_frontend: + description: List of IP Addresses or CIDR blocks to allow access to the Strelka front end. + file: True + global: True + title: Strelka Frontend + advanced: True + helplink: firewall.html#host-groups + syslog: + description: List of IP Addresses or CIDR blocks to allow syslog. + file: True + global: True + title: Syslog Endpoint Traffic + helplink: firewall.html#host-groups standalone: description: List of IP Addresses or CIDR blocks to allow standalone connections. file: True global: True title: Standalone advanced: True + helpLink: firewall.html#host-groups eval: description: List of IP Addresses or CIDR blocks to allow eval connections. 
file: True global: True title: Eval advanced: True + helpLink: firewall.html#host-groups idh: description: List of IP Addresses or CIDR blocks to allow idh connections. file: True global: True title: IDH Nodes + helpLink: firewall.html#host-groups manager: description: List of IP Addresses or CIDR blocks to allow manager connections. file: True global: True title: Manager advanced: True + helpLink: firewall.html#host-groups heavynodes: description: List of IP Addresses or CIDR blocks to allow heavynode connections. file: True global: True title: Heavy Nodes + helpLink: firewall.html#host-groups searchnodes: description: List of IP Addresses or CIDR blocks to allow searchnode connections. file: True global: True title: Search Nodes + helpLink: firewall.html#host-groups sensors: description: List of IP Addresses or CIDR blocks to allow Sensor connections. file: True global: True title: Sensors + helpLink: firewall.html#host-groups receivers: description: List of IP Addresses or CIDR blocks to allow receiver connections. file: True global: True title: Receivers + helpLink: firewall.html#host-groups portgroups: - analyst: - description: List of ports for use with Analyst connections. + portgroups__yaml: + description: Port Groups file: True global: True - title: Analyst Ports - analyst_workstations: - description: List of ports for use with analyst workstations. - file: True - global: True - title: Analyst Workstation Ports - standalone: - description: List of ports for use with Standalone. - file: True - global: True - title: Standalone + advanced: True + title: Port Groups + syntax: yaml + helpLink: firewall.html#function ports: ports__yaml: description: Ports in YAML. file: True global: True - title: Ports \ No newline at end of file + advanced: True + title: Ports + syntax: yaml + helpLink: firewall.html#port-groups diff --git a/salt/grafana/soc_grafana.yaml b/salt/grafana/soc_grafana.yaml index f9c291a74..5789f6c81 100644 --- a/salt/grafana/soc_grafana.yaml 
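Review bot: Six of the new hostgroup entries (`beats_endpoint_ssl`, `elastic_agent_endpoint`, `elasticsearch_rest`, `endgame`, `strelka_frontend`, `syslog`) use the key `helplink`, while every other entry in the hunk uses `helpLink`; if the SOC reads keys case-sensitively those six lose their help link, so rename them to `helpLink`. The `portgroups__yaml` entry is described only as `Port Groups`, but the file it exposes (`salt/firewall/portgroups/portgroups.yaml`) is the whole per-role firewall policy; something like `description: Per-role firewall policy mapping chains and host groups to port groups. Host groups and ports are defined in the Host Groups and Ports settings.` would warn editors of the blast radius. Its `helpLink: firewall.html#function` also looks as if it may have been swapped with `ports__yaml`'s `#port-groups`; worth confirming the anchors.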
+++ b/salt/grafana/soc_grafana.yaml @@ -4,35 +4,46 @@ grafana: enabled: description: Enable the sending of emails from Grafana. global: True + helpLink: grafana.html host: description: Hostname of the SMTP server. global: True + helpLink: grafana.html user: description: User used to authenticate SMTP. global: True + helpLink: grafana.html password: description: Password used to authenticate SMTP. global: True sensitive: True + helpLink: grafana.html cert_file: description: Location of cert file for SMTP. global: True + helpLink: grafana.html key_file: description: Location of key file for SMTP. global: True + helpLink: grafana.html skip_verify: description: Verify SSL certificates. global: True + helpLink: grafana.html from_address: description: The email address you would like in the from field. global: True + helpLink: grafana.html from_name: description: The name displayed for the from email address. global: True + helpLink: grafana.html ehlo_identity: description: Used with servers with SMTP service extensions. global: True + helpLink: grafana.html enterprise: license_path: description: Path to enterprise license key. global: True + helpLink: grafana.html diff --git a/salt/idstools/soc_idstools.yaml b/salt/idstools/soc_idstools.yaml index 9f1867bb7..383f6b42d 100644 --- a/salt/idstools/soc_idstools.yaml +++ b/salt/idstools/soc_idstools.yaml 
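Review bot: The context line `skip_verify: description: Verify SSL certificates.` states the inverse of what the key does if it maps to Grafana's `[smtp] skip_verify`, where `true` turns certificate verification off; an operator reading this description may enable it expecting stricter checking. Since every entry in this block is being touched anyway, change it to `description: Skip TLS certificate verification for the SMTP server. Leave disabled unless the server's certificate cannot be validated.`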
@@ -3,22 +3,28 @@ idstools: oinkcode: description: Enter your registration code for paid rulesets. global: True + helpLink: managing-alerts.html ruleset: description: Define the ruleset you want to run. Options are ETOPEN or ETPRO. global: True + helpLink: managing-alerts.html urls: description: This is a list of additional rule download locations. global: True + helpLink: managing-alerts.html sids: disabled: description: List of disables SIDS. global: True + helpLink: managing-alerts.html enabled: description: List of SIDS that are disabled by the rule source that you want to enable. global: True + helpLink: managing-alerts.html modify: description: List of SIDS that are modified. global: True + helpLink: managing-alerts.html rules: local__rules: description: This is where custom Suricata rules are entered. @@ -26,15 +32,18 @@ idstools: global: True advanced: True title: Local Rules + helpLink: managing-alerts.html filters__rules: description: You can set custom filters for Suricata when using it for meta data creation. file: True global: True advanced: True title: Filter Rules + helpLink: managing-alerts.html extraction__rules: description: This is a list of mime types for file extraction when Suricata is used for meta data creation. file: True global: True advanced: True - title: Extraction Rules \ No newline at end of file + title: Extraction Rules + helpLink: managing-alerts.html \ No newline at end of file diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml index 8e52e9b02..8bcd4b97a 100644 --- a/salt/influxdb/soc_influxdb.yaml +++ b/salt/influxdb/soc_influxdb.yaml 
@@ -3,14 +3,24 @@ influxdb: so_short_term: duration: description: Amount of time to keep short term data. + global: True + helpLink: grafana.html#data shard_duration: description: Time range + global: True + helpLink: grafana.html#data so_long_term: duration: description: Amount of time to keep long term downsampled data. + global: True + helpLink: grafana.html#data shard_duration: description: Amount of the time range covered by the shard group. + global: True + helpLink: grafana.html#data downsample: so_long_term: resolution: - description: Amount of time to turn into a single data point. \ No newline at end of file + description: Amount of time to turn into a single data point. + global: True + helpLink: grafana.html#data \ No newline at end of file diff --git a/salt/kibana/soc_kibana.yaml b/salt/kibana/soc_kibana.yaml index dd0e87734..fe6c9525c 100644 --- a/salt/kibana/soc_kibana.yaml +++ b/salt/kibana/soc_kibana.yaml @@ -3,3 +3,5 @@ kibana: elasticsearch: requestTimeout: description: Request timeout length. + global: True + helpLink: kibana.html diff --git a/salt/nginx/config/ssl.key b/salt/nginx/config/ssl.key index 16878f704..909861578 100644 --- a/salt/nginx/config/ssl.key +++ b/salt/nginx/config/ssl.key @@ -1 +1 @@ -# Replace this text with the text from the .crt \ No newline at end of file +# Replace this text with the text from the .key \ No newline at end of file diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml index d5811654e..54b57c22a 100644 --- a/salt/nginx/soc_nginx.yaml +++ b/salt/nginx/soc_nginx.yaml 
@@ -5,15 +5,18 @@ nginx: global: True advanced: True title: Replace Default Cert + helpLink: nginx.html ssl__key: description: Paste your .key file here file: True title: SSL Key File advanced: True global: True + helpLink: nginx.html ssl__crt: description: Paste your .crt file here file: True title: SSL Cert File advanced: True - global: True \ No newline at end of file + global: True + helpLink: nginx.html \ No newline at end of file diff --git a/salt/ntp/soc_ntp.yaml b/salt/ntp/soc_ntp.yaml index 01484d714..1b75099a1 100644 --- a/salt/ntp/soc_ntp.yaml +++ b/salt/ntp/soc_ntp.yaml @@ -3,3 +3,4 @@ ntp: servers: description: NTP Server List title: NTP Servers + helpLink: ntp.html diff --git a/salt/pcap/soc_pcap.yaml b/salt/pcap/soc_pcap.yaml index 321e93713..e25b1253b 100644 --- a/salt/pcap/soc_pcap.yaml +++ b/salt/pcap/soc_pcap.yaml 
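Review bot: `ssl__key` holds the TLS private key, yet unlike `grafana.smtp.password` (which carries `sensitive: True` in this same commit) it has no `sensitive` flag, so the SOC UI may display or log the key in clear; if the flag is honored for `file: True` settings, add `sensitive: True` to `ssl__key`. I cannot tell from this diff whether file-type settings support the flag, so confirm before relying on it.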
@@ -1,24 +1,35 @@ pcap: enabled: description: Enable or Disable Stenographer on all sensors or a single sensor + helpLink: pcap.html config: maxdirectoryfiles: description: The maximum number of packet/index files to create before deleting old files. The default is about 8 days regardless of free space. + helpLink: pcap.html diskfreepercentage: description: The disk space percent to always keep free for pcap + helpLink: pcap.html blocks: description: The number of 1MB packet blocks used by AF_PACKET to store packets in memory, per thread. You shouldn't need to change this. advanced: True + helpLink: pcap.html preallocate_file_mb: description: File size to pre-allocate for individual pcap files. You shouldn't need to change this. advanced: True + helpLink: pcap.html aiops: description: The max number of async writes to allow at once. advanced: True + helpLink: pcap.html pin_to_cpu: description: Enable CPU pinning for PCAP. + advanced: True + helpLink: pcap.html cpus_to_pin_to: description: CPU to pin PCAP to. Currently only a single CPU is supported + advanced: True + helpLink: pcap.html disks: description: List of disks to use for PCAP. This is currently not used. advanced: True + helpLink: pcap.html diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index f16f5da87..848fa7091 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -7,21 +7,25 @@ soc: file: True global: True syntax: md + helpLink: soc.html motd__md: title: Overview Page description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the users' browser. file: True global: True syntax: md + helpLink: soc.html custom__js: title: Custom Javascript description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades. file: True global: True advanced: True + helpLink: soc.html custom_roles: title: Custom Roles description: Customize role and permission mappings. Changes to this setting requires a complete understanding of the SOC RBAC system. file: True global: True - advanced: True \ No newline at end of file + advanced: True + helpLink: soc.html \ No newline at end of file diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 65cb69a35..6eae3b37d 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml 
@@ -1,123 +1,183 @@ suricata: + thresholding: + sids__yaml: + description: Threshold SIDS List + file: True + syntax: yaml + title: SIDS + helpLink: suricata.html config: vars: address-groups: HOME_NET: description: List of hosts or netowrks. + helpLink: suricata.html EXTERNAL_NET: description: List of hosts or netowrks. + helpLink: suricata.html HTTP_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html SMTP_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html SQL_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html DNS_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html TELNET_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html AIM_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html DC_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html DNP3_SERVER: description: List of hosts or netowrks. + helpLink: suricata.html DNP3_CLIENT: description: List of hosts or netowrks. + helpLink: suricata.html MODBUS_CLIENT: description: List of hosts or netowrks. + helpLink: suricata.html MODBUS_SERVER: description: List of hosts or netowrks. + helpLink: suricata.html ENIP_CLIENT: description: List of hosts or netowrks. + helpLink: suricata.html ENIP_SERVER: description: List of hosts or netowrks. + helpLink: suricata.html port-groups: HTTP_PORTS: description: List of HTTP ports to look for HTTP traffic on. + helpLink: suricata.html SHELLCODE_PORTS: description: List of SHELLCODE ports to look for SHELLCODE traffic on. + helpLink: suricata.html ORACLE_PORTS: description: List of ORACLE ports to look for ORACLE traffic on. + helpLink: suricata.html SSH_PORTS: description: List of SSH ports to look for SSH traffic on. + helpLink: suricata.html DNP3_PORTS: description: List of DNP3 ports to look for DNP3 traffic on. + helpLink: suricata.html MODBUS_PORTS: description: List of MODBUS ports to look for MODBUS traffic on. 
+ helpLink: suricata.html FILE_DATA_PORTS: description: List of FILE_DATA ports to look for FILE_DATA traffic on. + helpLink: suricata.html FTP_PORTS: description: List of FTP ports to look for FTP traffic on. + helpLink: suricata.html VXLAN_PORTS: description: List of VXLAN ports to look for VXLAN traffic on. + helpLink: suricata.html TEREDO_PORTS: description: List of TEREDO ports to look for TEREDO traffic on. + helpLink: suricata.html outputs: eve-log: xff: enabled: description: Enable X-Forward-For support. + helpLink: suricata.html mode: description: Operation mode. This should always be extra-data if you use PCAP. + helpLink: suricata.html deployment: description: forward would use the first IP address and reverse would use the last. + helpLink: suricata.html header: description: Header name where the actual IP address will be reported. + helpLink: suricata.html asn1-max-frames: description: Maximum nuber of asn1 frames to decode. + helpLink: suricata.html max-pending-packets: description: Number of packets preallocated per thread. + helpLink: suricata.html default-packet-size: description: Preallocated size for each packet. + helpLink: suricata.html pcre: match-limit: description: Match limit for PCRE. + helpLink: suricata.html match-limit-recursion: description: Recursion limit for PCRE. + helpLink: suricata.html defrag: memcap: description: Max memory to use for defrag. You should only change this if you know what you are doing. + helpLink: suricata.html hash-size: description: Hash size + helpLink: suricata.html trackers: description: Number of defragmented flows to follow. + helpLink: suricata.html max-frags: description: Max number of fragments to keep + helpLink: suricata.html prealloc: description: Preallocate memory. + helpLink: suricata.html timeout: description: Timeout value. + helpLink: suricata.html flow: memcap: description: Reserverd memory for flows. 
+ helpLink: suricata.html hash-size: description: Determines the size of the hash used to identify flows inside the engine. + helpLink: suricata.html prealloc: description: Number of preallocated flows. + helpLink: suricata.html stream: memcap: description: Can be specified in kb,mb,gb. + helpLink: suricata.html checksum-validation: description: Validate checksum of packets. + helpLink: suricata.html reassembly: memcap: description: Can be specified in kb,mb,gb. + helpLink: suricata.html host: hash-size: description: Hash size in bytes. + helpLink: suricata.html prealloc: description: How many streams to preallocate. + helpLink: suricata.html memcap: description: Memory settings for host. + helpLink: suricata.html decoder: teredo: enabled: description: Enable TEREDO capabilities + helpLink: suricata.html ports: description: Ports to listen for. This should be a variable. + helpLink: suricata.html vxlan: enabled: description: Enable VXLAN capabilities. + helpLink: suricata.html ports: - description: Ports to listen for. This should be a variable. \ No newline at end of file + description: Ports to listen for. This should be a variable. + helpLink: suricata.html \ No newline at end of file diff --git a/salt/suricata/thresholding/sids.yaml b/salt/suricata/thresholding/sids.yaml new file mode 100644 index 000000000..e9dc04e25 --- /dev/null +++ b/salt/suricata/thresholding/sids.yaml 
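Review bot: The new `thresholding.sids__yaml` entry describes its file only as `Threshold SIDS List`, although `salt/suricata/thresholding/sids.yaml` in this commit holds per-SID `threshold`, `rate_filter` and `suppress` blocks; suggest `description: Per-SID threshold, rate_filter and suppress entries rendered into Suricata's threshold configuration.` It is also the only `file: True` entry in the hunk without `global: True` or `advanced: True`, so confirm which scope is intended. Separately, the fifteen `List of hosts or netowrks.` context lines and the `nuber`/`Reserverd` typos could be fixed in the same pass since every entry here is being edited.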
@@ -0,0 +1,44 @@
+thresholding:
+ sids:
+ 99999999999999999:
+ - threshold:
+ gen_id: 1
+ type: threshold
+ track: by_src
+ count: 10
+ seconds: 10
+ - threshold:
+ gen_id: 1
+ type: limit
+ track: by_dst
+ count: 100
+ seconds: 30
+ - rate_filter:
+ gen_id: 1
+ track: by_rule
+ count: 50
+ seconds: 30
+ new_action: alert
+ timeout: 30
+ - suppress:
+ gen_id: 1
+ track: by_either
+ ip: 10.10.3.7
+ 99999999999999998:
+ - threshold:
+ gen_id: 1
+ type: limit
+ track: by_dst
+ count: 10
+ seconds: 10
+ - rate_filter:
+ gen_id: 1
+ track: by_src
+ count: 50
+ seconds: 20
+ new_action: pass
+ timeout: 60
+ - suppress:
+ gen_id: 1
+ track: by_src
+ ip: 10.10.3.0/24
\ No newline at end of file
diff --git a/setup/so-functions b/setup/so-functions
index 20340436e..5a0e35be0 100755
--- a/setup/so-functions
+++ b/setup/so-functions
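Review bot: The SID keys `99999999999999999` and `99999999999999998` read as placeholders, but nothing in the file says so; a leading comment such as `# Example entries only - replace the SID keys and IPs before use; SIDs this large exceed Suricata's 32-bit signature-id range and will never match a real rule` would stop a reader from treating them as shipped defaults. The second `rate_filter` entry sets `new_action: pass` once `count: 50` is reached within `seconds: 20`, which, as I understand Suricata rate_filter semantics, stops the rule from alerting for the `timeout: 60` window rather than merely throttling it, so the example is worth annotating as deliberate. The `suppress` entries carry literal addresses (`10.10.3.7`, `10.10.3.0/24`); if this file is consumed as a real pillar rather than a sample, they would silence the referenced SIDs for any deployment that shares that range.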
@@ -2171,18 +2171,20 @@ set_initial_firewall_policy() {
 case "$install_type" in
 'MANAGER')
- $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP"
- $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost minion "$MAINIP"
+ $default_salt_dir/salt/common/tools/sbin/so-firewall --role=manager --ip=$MAINIP --apply=true
 ;;
 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
- $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP"
- $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
- $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP"
- $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
+ $default_salt_dir/salt/common/tools/sbin/so-firewall --role=$install_type --ip=$MAINIP --apply=true
 ;;
 esac
 }
+set_initial_firewall_access() {
+ if [[ ! -z "$ALLOW_CIDR" ]]; then
+ $default_salt_dir/salt/common/tools/sbin/so-firewall --role=analyst --ip=$ALLOW_CIDR --apply=true
+ fi
+}
+
 # Set up the management interface on the ISO
 set_management_interface() {
 title "Setting up the main interface"
diff --git a/setup/so-setup b/setup/so-setup
index 8dba4676a..a114233d6 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -330,7 +330,6 @@ if ! [[ -f $install_opt_file ]]; then
 calculate_useable_cores
 collect_webuser_inputs
 get_redirect
- collect_ntp_servers
 collect_so_allow
 whiptail_end_settings
 # Start the install
@@ -351,7 +350,6 @@ if ! [[ -f $install_opt_file ]]; then
 calculate_useable_cores
 collect_webuser_inputs
 get_redirect
- collect_ntp_servers
 collect_so_allow
 whiptail_end_settings
 elif [[ $is_manager ]]; then
@@ -368,7 +366,6 @@ if ! [[ -f $install_opt_file ]]; then
 calculate_useable_cores
 collect_webuser_inputs
 get_redirect
- collect_ntp_servers
 collect_so_allow
 whiptail_end_settings
 elif [[ $is_managersearch ]]; then
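Review bot: `--ip=$MAINIP` and `--ip=$ALLOW_CIDR` are unquoted in the new so-firewall calls, whereas the removed lines passed `"$MAINIP"` quoted; `ALLOW_CIDR` is operator-typed text exported by whiptail_so_allow (visible later in this diff), so a value containing whitespace would split into extra arguments to so-firewall. Quote both, `--ip="$MAINIP"` in set_initial_firewall_policy and `--ip="$ALLOW_CIDR"` in set_initial_firewall_access, and prefer `if [[ -n "$ALLOW_CIDR" ]]; then` over the double-negative `! -z`. Unless so-firewall validates its --ip argument, set_initial_firewall_access hands an unchecked CIDR straight to a rule that is applied immediately (`--apply=true`), and neither function checks so-firewall's exit status, so a rejected or failed call leaves the analyst access silently unapplied; a comment stating where validation happens, or a `|| error "..."` on the call, would make that boundary explicit. The `--role=$install_type` branch now passes the raw install type (`EVAL`, `MANAGERSEARCH`, `STANDALONE`, `IMPORT`) where the old code enumerated manager/minion/sensor/search_node, so so-firewall must understand those names; a one-line comment noting that the role-to-hostgroup mapping lives in so-firewall would help the next reader. The enclosing set_initial_firewall_policy begins on the hunk's header line, before the visible context.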
@@ -385,7 +382,6 @@ if ! [[ -f $install_opt_file ]]; then
 calculate_useable_cores
 collect_webuser_inputs
 get_redirect
- collect_ntp_servers
 collect_so_allow
 whiptail_end_settings
 elif [[ $is_sensor ]]; then
@@ -460,10 +456,6 @@ if ! [[ -f $install_opt_file ]]; then
 if [[ $monints ]]; then
 configure_network_sensor
 fi
- # Configure NTP
- info "Configuring NTP"
- [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1
- # Reserve the ports that SO needs
 info "Reserving ports"
 reserve_ports
 info "Setting Paths"
@@ -569,6 +561,7 @@ if ! [[ -f $install_opt_file ]]; then
 title "Setting up Playbook"
 logCmd "so-playbook-reset"
 checkin_at_boot
+ set_initial_firewall_access
 whiptail_setup_complete
 else
 es_heapsize
diff --git a/setup/so-variables b/setup/so-variables
index f29d9ae55..09f6cbd37 100644
--- a/setup/so-variables
+++ b/setup/so-variables
@@ -80,6 +80,9 @@ whiptail_title="Security Onion Setup - $SOVERSION"
 export whiptail_title
 mkdir -p $local_salt_dir/pillar/minions
+mkdir -p $local_salt_dir/salt/firewall/hostgroups
+mkdir -p $local_salt_dir/salt/firewall/portgroups
+mkdir -p $local_salt_dir/salt/firewall/ports
 for THEDIR in bpf pcap elasticsearch ntp firewall redis backup strelka sensoroni curator soc soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh elastalert
 do
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 7b50a0b28..d7f3bd535 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -1267,7 +1267,7 @@ whiptail_so_allow_yesno() {
 [ -n "$TESTING" ] && return
 whiptail --title "$whiptail_title" \
- --yesno "Do you want to run so-allow to allow other machines to access this Security Onion installation via the web interface?" \
+ --yesno "Do you want to allow access to this Security Onion installation via the web interface?" \
 8 75
 }
@@ -1280,7 +1280,7 @@ whiptail_so_allow() {
 10 75 "$1" 3>&1 1>&2 2>&3)
 local exitstatus=$?
- export ALLOW_ROLE='a'
+ export ALLOW_ROLE='analyst'
 export ALLOW_CIDR
 whiptail_check_exitstatus $exitstatus