Merge pull request #8804 from Security-Onion-Solutions/funstuff

Firewall and More
This commit is contained in:
Mike Reeves
2022-09-23 14:00:51 -04:00
committed by GitHub
41 changed files with 1012 additions and 811 deletions


@@ -1,8 +1,8 @@
{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %}
{% set default_portgroups = default_portgroups.firewall.aliases.ports %}
{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %}
{% set default_portgroups = default_portgroups.firewall.ports %}
{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
{% if local_portgroups.firewall.aliases.ports %}
{% set local_portgroups = local_portgroups.firewall.aliases.ports %}
{% if local_portgroups.firewall.ports %}
{% set local_portgroups = local_portgroups.firewall.ports %}
{% else %}
{% set local_portgroups = {} %}
{% endif %}


@@ -40,10 +40,6 @@ firewall:
ips:
delete:
insert:
minion:
ips:
delete:
insert:
node:
ips:
delete:


@@ -1,3 +1,2 @@
firewall:
aliases:
ports:


@@ -1,7 +1,10 @@
bpf:
pcap:
description: List of BPF filters to apply to PCAP.
helpLink: bpf.html
suricata:
description: List of BPF filters to apply to Suricata.
helpLink: bpf.html
zeek:
description: List of BPF filters to apply to Zeek.
helpLink: bpf.html


@@ -1,142 +1,11 @@
#!/usr/bin/env python3
#!/usr/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
import ipaddress
import textwrap
import os
import subprocess
import sys
import argparse
import re
from lxml import etree as ET
from datetime import datetime as dt
from datetime import timezone as tz
LOCAL_SALT_DIR='/opt/so/saltstack/local'
VALID_ROLES = {
'a': { 'role': 'analyst','desc': 'Analyst - 80/tcp, 443/tcp' },
'b': { 'role': 'beats_endpoint', 'desc': 'Logstash Beat - 5044/tcp' },
'e': { 'role': 'elasticsearch_rest', 'desc': 'Elasticsearch REST API - 9200/tcp' },
'f': { 'role': 'strelka_frontend', 'desc': 'Strelka frontend - 57314/tcp' },
's': { 'role': 'syslog', 'desc': 'Syslog device - 514/tcp/udp' },
't': { 'role': 'elastic_agent_endpoint', 'desc': 'Elastic Agent endpoint - 8220/tcp,5055/tcp' }
}
def validate_ip_cidr(ip_cidr: str) -> bool:
try:
ipaddress.ip_address(ip_cidr)
except ValueError:
try:
ipaddress.ip_network(ip_cidr)
except ValueError:
return False
return True
def role_prompt() -> str:
print()
print('Choose the role for the IP or Range you would like to allow')
print()
for role in VALID_ROLES:
print(f'[{role}] - {VALID_ROLES[role]["desc"]}')
print()
role = input('Please enter your selection: ')
if role in VALID_ROLES.keys():
return VALID_ROLES[role]['role']
else:
print(f'Invalid role \'{role}\', please try again.', file=sys.stderr)
sys.exit(1)
def ip_prompt() -> str:
ip = input('Enter a single ip address or range to allow (ex: 10.10.10.10 or 10.10.0.0/16): ')
if validate_ip_cidr(ip):
return ip
else:
print(f'Invalid IP address or CIDR block \'{ip}\', please try again.', file=sys.stderr)
sys.exit(1)
def apply(role: str, ip: str) -> int:
firewall_cmd = ['so-firewall', 'includehost', role, ip]
salt_cmd = ['salt-call', 'state.apply', '-l', 'quiet', 'firewall', 'queue=True']
print(f'Adding {ip} to the {role} role. This can take a few seconds...')
cmd = subprocess.run(firewall_cmd)
if cmd.returncode == 0:
cmd = subprocess.run(salt_cmd, stdout=subprocess.DEVNULL)
else:
return cmd.returncode
def main():
if os.geteuid() != 0:
print('You must run this script as root', file=sys.stderr)
sys.exit(1)
main_parser = argparse.ArgumentParser(
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=textwrap.dedent(f'''\
additional information:
To use this script in interactive mode call it with no arguments
'''
))
group = main_parser.add_argument_group(title='roles')
group.add_argument('-a', dest='roles', action='append_const', const=VALID_ROLES['a']['role'], help="Analyst - 80/tcp, 443/tcp")
group.add_argument('-b', dest='roles', action='append_const', const=VALID_ROLES['b']['role'], help="Logstash Beat - 5044/tcp")
group.add_argument('-e', dest='roles', action='append_const', const=VALID_ROLES['e']['role'], help="Elasticsearch REST API - 9200/tcp")
group.add_argument('-f', dest='roles', action='append_const', const=VALID_ROLES['f']['role'], help="Strelka frontend - 57314/tcp")
group.add_argument('-s', dest='roles', action='append_const', const=VALID_ROLES['s']['role'], help="Syslog device - 514/tcp/udp")
group.add_argument('-t', dest='roles', action='append_const', const=VALID_ROLES['t']['role'], help="Elastic Agent endpoint - 8220/tcp,5055/tcp")
ip_g = main_parser.add_argument_group(title='allow')
ip_g.add_argument('-i', help="IP or CIDR block to disallow connections from, requires at least one role argument", metavar='', dest='ip')
args = main_parser.parse_args(sys.argv[1:])
if args.roles is None:
role = role_prompt()
ip = ip_prompt()
try:
return_code = apply(role, ip)
except Exception as e:
print(f'Unexpected exception occurred: {e}', file=sys.stderr)
return_code = e.errno
sys.exit(return_code)
elif args.roles is not None and args.ip is None:
if os.environ.get('IP') is None:
main_parser.print_help()
sys.exit(1)
else:
args.ip = os.environ['IP']
if validate_ip_cidr(args.ip):
try:
for role in args.roles:
return_code = apply(role, args.ip)
if return_code > 0:
break
except Exception as e:
print(f'Unexpected exception occurred: {e}', file=sys.stderr)
return_code = e.errno
else:
print(f'Invalid IP address or CIDR block \'{args.ip}\', please try again.', file=sys.stderr)
return_code = 1
sys.exit(return_code)
if __name__ == '__main__':
try:
main()
except KeyboardInterrupt:
sys.exit(1)
echo "Please use the Configuration section in SOC to allow hosts"
echo ""
echo "If you need command line options on adding hosts please run so-firewall"
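Review bot: The replacement so-allow ends after its last `echo`, so the script exits with status 0 even though it no longer allows anything; any wrapper or operator still calling it non-interactively will read that as success. Add `exit 1` after the final echo so callers notice the command has been retired and must move to SOC or so-firewall. The hunk covers the whole file, so nothing after these three echo lines is hidden from view.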


@@ -507,6 +507,18 @@ valid_hostname() {
[[ $hostname =~ ^[a-zA-Z0-9\-]+$ ]] && [[ $hostname != 'localhost' ]] && return 0 || return 1
}
verify_ip4() {
local ip=$1
# Is this an IP or CIDR?
if grep -qP "^[^/]+/[^/]+$" <<< $ip; then
# Looks like a CIDR
valid_ip4_cidr_mask "$ip"
else
# We know this is not a CIDR - Is it an IP?
valid_ip4 "$ip"
fi
}
valid_ip4() {
local ip=$1
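Review bot: verify_ip4 shells out to `grep -qP` just to test for a single slash, while the neighbouring valid_hostname uses the built-in `[[ … =~ … ]]` test; `if [[ $ip =~ ^[^/]+/[^/]+$ ]]; then` expresses the same check without a subprocess or a PCRE-capable grep and keeps the file's style consistent. The function carries no comment on its contract; a header such as `# verify_ip4 IP_OR_CIDR: returns the status of valid_ip4_cidr_mask when the argument contains a slash, otherwise the status of valid_ip4` would tell a reader that the real validation is delegated. valid_ip4 starts on the last line of the hunk and continues outside it, and valid_ip4_cidr_mask is not visible here, so whether either rejects malformed input cannot be confirmed from this hunk.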


@@ -1,401 +1,102 @@
#!/usr/bin/env python3
#!/usr/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
import os
import re
import subprocess
import sys
import time
import yaml
if [[ $# -lt 1 ]]; then
echo "Usage: $0 --role=<ROLE> --ip=<IP ADDRESS> --apply=<true|false>"
echo ""
echo " Example: so-firewall --role=sensor --ip=192.168.254.100 --apply=true"
echo ""
exit 1
fi
lockFile = "/tmp/so-firewall.lock"
hostgroupsFilename = "/opt/so/saltstack/local/salt/firewall/hostgroups.local.yaml"
portgroupsFilename = "/opt/so/saltstack/local/salt/firewall/portgroups.local.yaml"
defaultPortgroupsFilename = "/opt/so/saltstack/default/salt/firewall/portgroups.yaml"
supportedProtocols = ['tcp', 'udp']
readonly = False
for i in "$@"; do
case $i in
-r=*|--role=*)
ROLE="${i#*=}"
shift
;;
-i=*|--ip=*)
IP="${i#*=}"
shift
;;
-a=*|--apply*)
APPLY="${i#*=}"
shift
;;
-*|--*)
echo "Unknown option $i"
exit 1
;;
*)
;;
esac
done
def showUsage(options, args):
print('Usage: {} [OPTIONS] <COMMAND> [ARGS...]'.format(sys.argv[0]))
print(' Options:')
print(' --apply - After updating the firewall configuration files, apply the new firewall state')
print(' --defaultports - Read port groups from default configuration files instead of local configuration.')
print('')
print(' General commands:')
print(' help - Prints this usage information.')
print(' apply - Apply the firewall state.')
print('')
print(' Host commands:')
print(' listhostgroups - Lists the known host groups.')
print(' includedhosts - Lists the IPs included in the given group. Args: <GROUP_NAME>')
print(' excludedhosts - Lists the IPs excluded from the given group. Args: <GROUP_NAME>')
print(' includehost - Includes the given IP in the given group. Args: <GROUP_NAME> <IP>')
print(' excludehost - Excludes the given IP from the given group. Args: <GROUP_NAME> <IP>')
print(' removehost - Removes an excluded IP from the given group. Args: <GROUP_NAME> <IP>')
print(' addhostgroup - Adds a new, custom host group. Args: <GROUP_NAME>')
print('')
print(' Port commands:')
print(' listportgroups - Lists the known port groups.')
print(' listports - Lists ports in the given group and protocol. Args: <GROUP_NAME> <PORT_PROTOCOL>')
print(' addport - Adds a PORT to the given group. Args: <GROUP_NAME> <PORT_PROTOCOL> <PORT>')
print(' removeport - Removes a PORT from the given group. Args: <GROUP_NAME> <PORT_PROTOCOL> <PORT>')
print(' addportgroup - Adds a new, custom port group. Args: <GROUP_NAME>')
print('')
print(' Where:')
print(' GROUP_NAME - The name of an alias group (Ex: analyst)')
print(' IP - Either a single IP address (Ex: 8.8.8.8) or a CIDR block (Ex: 10.23.0.0/16).')
print(' PORT_PROTOCOL - Must be one of the following: ' + str(supportedProtocols))
print(' PORT - Either a single numeric port (Ex: 443), or a port range (Ex: 8000:8002).')
sys.exit(1)
ROLE=${ROLE,,}
APPLY=${APPLY,,}
def checkDefaultPortsOption(options):
global portgroupsFilename
if "--defaultports" in options:
portgroupsFilename = defaultPortgroupsFilename
function rolecall() {
THEROLE=$1
THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval heavynodes idh manager receivers searchnodes sensors standalone strelka_frontend syslog"
def checkApplyOption(options):
if "--apply" in options:
return apply(None, None)
def loadYaml(filename):
global readonly
file = open(filename, "r")
content = file.read()
# Remove Jinja templating (for read-only operations)
if "{%" in content or "{{" in content:
content = content.replace("{{ ssh_port }}", "22")
pattern = r'.*({%|{{|}}|%}).*'
content = re.sub(pattern, "", content)
readonly = True
return yaml.safe_load(content)
def writeYaml(filename, content):
global readonly
if readonly:
raise Exception("Cannot write yaml file that has been flagged as read-only")
file = open(filename, "w")
return yaml.dump(content, file)
def listHostGroups():
content = loadYaml(hostgroupsFilename)
hostgroups = content['firewall']['hostgroups']
if hostgroups is not None:
for group in hostgroups:
print(group)
for AROLE in $THEROLES; do
if [ "$AROLE" = "$THEROLE" ]; then
return 0
def listIps(name, mode):
content = loadYaml(hostgroupsFilename)
if name not in content['firewall']['hostgroups']:
print('Host group does not exist', file=sys.stderr)
return 4
hostgroup = content['firewall']['hostgroups'][name]
ips = hostgroup['ips'][mode]
if ips is not None:
for ip in ips:
print(ip)
return 0
def addIp(name, ip, mode):
content = loadYaml(hostgroupsFilename)
if name not in content['firewall']['hostgroups']:
print('Host group does not exist', file=sys.stderr)
return 4
hostgroup = content['firewall']['hostgroups'][name]
ips = hostgroup['ips'][mode]
if ips is None:
ips = []
hostgroup['ips'][mode] = ips
if ip not in ips:
ips.append(ip)
else:
print('Already exists', file=sys.stderr)
return 3
writeYaml(hostgroupsFilename, content)
return 0
def removeIp(name, ip, mode, silence = False):
content = loadYaml(hostgroupsFilename)
if name not in content['firewall']['hostgroups']:
print('Host group does not exist', file=sys.stderr)
return 4
hostgroup = content['firewall']['hostgroups'][name]
ips = hostgroup['ips'][mode]
if ips is None:
ips = []
hostgroup['ips'][mode] = ips
if ip in ips:
ips.remove(ip)
else:
if not silence:
print('IP does not exist', file=sys.stderr)
return 3
writeYaml(hostgroupsFilename, content)
return 0
def createProtocolMap():
map = {}
for protocol in supportedProtocols:
map[protocol] = []
return map
def listPortGroups():
content = loadYaml(portgroupsFilename)
portgroups = content['firewall']['aliases']['ports']
if portgroups is not None:
for group in portgroups:
print(group)
return 0
def addhostgroup(options, args):
if len(args) != 1:
print('Missing host group name argument', file=sys.stderr)
showUsage(options, args)
name = args[0]
content = loadYaml(hostgroupsFilename)
if name in content['firewall']['hostgroups']:
print('Already exists', file=sys.stderr)
return 3
content['firewall']['hostgroups'][name] = { 'ips': { 'insert': [], 'delete': [] }}
writeYaml(hostgroupsFilename, content)
return 0
def listportgroups(options, args):
if len(args) != 0:
print('Unexpected arguments', file=sys.stderr)
showUsage(options, args)
checkDefaultPortsOption(options)
return listPortGroups()
def addportgroup(options, args):
if len(args) != 1:
print('Missing port group name argument', file=sys.stderr)
showUsage(options, args)
name = args[0]
content = loadYaml(portgroupsFilename)
ports = content['firewall']['aliases']['ports']
if ports is None:
ports = {}
content['firewall']['aliases']['ports'] = ports
if name in ports:
print('Already exists', file=sys.stderr)
return 3
ports[name] = createProtocolMap()
writeYaml(portgroupsFilename, content)
return 0
def listports(options, args):
if len(args) != 2:
print('Missing port group name or port protocol', file=sys.stderr)
showUsage(options, args)
checkDefaultPortsOption(options)
name = args[0]
protocol = args[1]
if protocol not in supportedProtocols:
print('Port protocol is not supported', file=sys.stderr)
return 5
content = loadYaml(portgroupsFilename)
ports = content['firewall']['aliases']['ports']
if ports is None:
ports = {}
content['firewall']['aliases']['ports'] = ports
if name not in ports:
print('Port group does not exist', file=sys.stderr)
return 3
if protocol not in ports[name]:
print('Port group does not contain protocol', file=sys.stderr)
return 3
ports = ports[name][protocol]
if ports is not None:
for port in ports:
print(port)
return 0
def addport(options, args):
if len(args) != 3:
print('Missing port group name or port protocol, or port argument', file=sys.stderr)
showUsage(options, args)
name = args[0]
protocol = args[1]
port = args[2]
if protocol not in supportedProtocols:
print('Port protocol is not supported', file=sys.stderr)
return 5
content = loadYaml(portgroupsFilename)
ports = content['firewall']['aliases']['ports']
if ports is None:
ports = {}
content['firewall']['aliases']['ports'] = ports
if name not in ports:
print('Port group does not exist', file=sys.stderr)
return 3
ports = ports[name][protocol]
if ports is None:
ports = []
content['firewall']['aliases']['ports'][name][protocol] = ports
if port in ports:
print('Already exists', file=sys.stderr)
return 3
ports.append(port)
writeYaml(portgroupsFilename, content)
code = checkApplyOption(options)
return code
def removeport(options, args):
if len(args) != 3:
print('Missing port group name or port protocol, or port argument', file=sys.stderr)
showUsage(options, args)
name = args[0]
protocol = args[1]
port = args[2]
if protocol not in supportedProtocols:
print('Port protocol is not supported', file=sys.stderr)
return 5
content = loadYaml(portgroupsFilename)
ports = content['firewall']['aliases']['ports']
if ports is None:
ports = {}
content['firewall']['aliases']['ports'] = ports
if name not in ports:
print('Port group does not exist', file=sys.stderr)
return 3
ports = ports[name][protocol]
if ports is None or port not in ports:
print('Port does not exist', file=sys.stderr)
return 3
ports.remove(port)
writeYaml(portgroupsFilename, content)
code = checkApplyOption(options)
return code
def listhostgroups(options, args):
if len(args) != 0:
print('Unexpected arguments', file=sys.stderr)
showUsage(options, args)
return listHostGroups()
def includedhosts(options, args):
if len(args) != 1:
print('Missing host group name argument', file=sys.stderr)
showUsage(options, args)
return listIps(args[0], 'insert')
def excludedhosts(options, args):
if len(args) != 1:
print('Missing host group name argument', file=sys.stderr)
showUsage(options, args)
return listIps(args[0], 'delete')
def includehost(options, args):
if len(args) != 2:
print('Missing host group name or ip argument', file=sys.stderr)
showUsage(options, args)
result = addIp(args[0], args[1], 'insert')
if result == 0:
removeIp(args[0], args[1], 'delete', True)
code = result
if code == 0:
code = checkApplyOption(options)
return code
def excludehost(options, args):
if len(args) != 2:
print('Missing host group name or ip argument', file=sys.stderr)
showUsage(options, args)
result = addIp(args[0], args[1], 'delete')
if result == 0:
removeIp(args[0], args[1], 'insert', True)
code = result
if code == 0:
code = checkApplyOption(options)
return code
def removehost(options, args):
if len(args) != 2:
print('Missing host group name or ip argument', file=sys.stderr)
showUsage(options, args)
code = removeIp(args[0], args[1], 'delete')
if code == 0:
code = checkApplyOption(options)
return code
def apply(options, args):
proc = subprocess.run(['salt-call', 'state.apply', 'firewall', 'queue=True'])
return proc.returncode
def main():
options = []
args = sys.argv[1:]
for option in args:
if option.startswith("--"):
options.append(option)
args.remove(option)
if len(args) == 0:
showUsage(options, None)
commands = {
"help": showUsage,
"listhostgroups": listhostgroups,
"includedhosts": includedhosts,
"excludedhosts": excludedhosts,
"includehost": includehost,
"excludehost": excludehost,
"removehost": removehost,
"listportgroups": listportgroups,
"listports": listports,
"addport": addport,
"removeport": removeport,
"addhostgroup": addhostgroup,
"addportgroup": addportgroup,
"apply": apply
fi
done
return 1
}
code=1
# Make sure the required options are specified
if [ -z "$ROLE" ]; then
echo "Please specify a role with --role="
exit 1
fi
if [ -z "$IP" ]; then
echo "Please specify an IP address with --ip="
exit 1
fi
try:
lockAttempts = 0
maxAttempts = 30
while lockAttempts < maxAttempts:
lockAttempts = lockAttempts + 1
try:
f = open(lockFile, "x")
f.close()
break
except:
time.sleep(2)
# Are we dealing with a role that this script supports?
if rolecall "$ROLE"; then
echo "$ROLE is a supported role"
else
echo "This is not a supported role"
exit 1
fi
if lockAttempts == maxAttempts:
print("Lock file (" + lockFile + ") could not be created; proceeding without lock.")
# Are we dealing with an IP?
if verify_ip4 "$IP"; then
echo "$IP is a valid IP or CIDR"
else
echo "$IP is not a valid IP or CIDR"
exit 1
fi
cmd = commands.get(args[0], showUsage)
code = cmd(options, args[1:])
finally:
try:
os.remove(lockFile)
except:
print("Lock file (" + lockFile + ") already removed")
local_salt_dir=/opt/so/saltstack/local/salt/firewall
sys.exit(code)
# Let's see if the file exists and if it does, let's see if the IP exists.
if [ -f "$local_salt_dir/hostgroups/$ROLE" ]; then
if grep -q $IP "$local_salt_dir/hostgroups/$ROLE"; then
echo "Host already exists"
exit 0
fi
fi
if __name__ == "__main__":
main()
# If you have reached this part of your quest then let's add the IP
echo "Adding $IP to the $ROLE role"
echo "$IP" >> $local_salt_dir/hostgroups/$ROLE
# Check to see if we are applying this right away.
if [ "$APPLY" = "true" ]; then
echo "Applying the firewall rules"
salt-call state.apply firewall queue=True
else
echo "Firewall rules will be applied next salt run"
fi
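Review bot: The duplicate check `grep -q $IP "$local_salt_dir/hostgroups/$ROLE"` uses the IP as an unanchored basic regex, so each dot matches any character and an entry such as `10.1.1.1` is reported as "Host already exists" when the file holds `10.1.1.10` or `110.1.1.1`, and the new allow is silently skipped; use `if grep -qxF -- "$IP" "$local_salt_dir/hostgroups/$ROLE"; then` so only an identical line counts as present. A smaller point is the option pattern `-a=*|--apply*)`, which lacks the `=` that `--role=` and `--ip=` carry and so accepts `--applyanything`; `-a=*|--apply=*)` keeps the three options consistent. The Python implementation this replaces took a lock file around the update, whereas the `>>` append here has no guard against concurrent invocations; if that is accepted, it is worth a line in the header comment. The hunk covers the whole file.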


@@ -3,32 +3,41 @@ elastalert:
disable_rules_on_error:
description: Disable rules on failure.
global: True
helpLink: elastalert.html
run_every:
minutes:
description: Amount of time in minutes between searches.
global: True
helpLink: elastalert.html
buffer_time:
minutes:
description: Amount of time in minutes to look through.
global: True
helpLink: elastalert.html
old_query_limit:
minutes:
description: Amount of time in minutes between queries to start at the most recently run query.
global: True
helpLink: elastalert.html
es_conn_timeout:
description: Timeout in seconds for connecting to and reading from Elasticsearch.
global: True
helpLink: elastalert.html
max_query_size:
description: The maximum number of documents that will be downloaded from Elasticsearch in a single query.
global: True
helpLink: elastalert.html
alert_time_limit:
days:
description: The retry window for failed alerts.
global: True
helpLink: elastalert.html
index_settings:
shards:
description: The amount of shards to use for elastalert.
global: True
helpLink: elastalert.html
replicas:
description: The amount of replicas for the Elastalert index.
global: True
helpLink: elastalert.html


@@ -5,43 +5,54 @@ elasticsearch:
description: The name of the Security Onion Elasticsearch cluster, for identification purposes.
readonly: True
global: True
helpLink: elasticsearch.html
routing:
allocation:
disk:
threshold_enabled:
description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster.
helpLink: elasticsearch.html
watermark:
low:
description: The lower percentage of used disk space representing a healthy node.
helpLink: elasticsearch.html
high:
description: The higher percentage of used disk space representing an unhealthy node.
helpLink: elasticsearch.html
flood_stage:
description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events.
helpLink: elasticsearch.html
script:
max_compilations_rate:
description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources.
global: True
helpLink: elasticsearch.html
indices:
query:
bool:
max_clause_count:
description: Max number of boolean clauses per query.
global: True
helpLink: elasticsearch.html
index_settings:
so-aws: &indexSettings
warm:
description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch.
global: True
helpLink: elasticsearch.html
close:
description: Age (in days) of this index before it will be closed. Once closed, events on this index cannot be retrieved without first re-opening the index.
global: True
helpLink: elasticsearch.html
delete:
description: Age (in days) of this index before it will be deleted. Once deleted, events are permanently unrecoverable.
global: True
helpLink: elasticsearch.html
index_sorting:
description: Sorts the index by event time, at the cost of additional processing resource consumption.
global: True
helpLink: elasticsearch.html
index_template:
template:
settings:
@@ -51,15 +62,19 @@ elasticsearch:
limit:
description: Max number of fields that can exist on a single index. Larger values will consume more resources.
global: True
helpLink: elasticsearch.html
refresh_interval:
description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
global: True
helpLink: elasticsearch.html
number_of_shards:
description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
global: True
helpLink: elasticsearch.html
number_of_replicas:
description: Number of replicas required for this index. Multiple replicas protects against data loss, while also increasing storage costs.
global: True
helpLink: elasticsearch.html
so-azure: *indexSettings
so-barracuda: *indexSettings
so-beats: *indexSettings


@@ -1,7 +1,7 @@
{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
{% import_yaml 'firewall/portgroups.yaml' as portgroups %}
{% set portgroups = portgroups.firewall.aliases.ports %}
{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
{% import_yaml 'firewall/ports/ports.yaml' as portgroups %}
{% set portgroups = portgroups.firewall.ports %}
{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %}
role:
eval:
@@ -14,32 +14,20 @@ role:
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.influxdb }}
- {{ portgroups.cortex }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.cortex_es_rest }}
- {{ portgroups.cortex_es_node }}
minion:
portgroups:
- {{ portgroups.acng }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
sensor:
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
search_node:
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
heavy_node:
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
@@ -77,9 +65,6 @@ role:
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
manager:
chain:
DOCKER-USER:
@@ -90,39 +75,24 @@ role:
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.influxdb }}
- {{ portgroups.cortex }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.cortex_es_rest }}
- {{ portgroups.cortex_es_node }}
{% if ISAIRGAP is sameas true %}
- {{ portgroups.agrules }}
{% endif %}
minion:
portgroups:
- {{ portgroups.acng }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
{% if ISAIRGAP is sameas true %}
- {{ portgroups.yum }}
{% endif %}
sensor:
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
search_node:
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.beats_5644 }}
heavy_node:
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.beats_5644 }}
self:
@@ -157,9 +127,6 @@ role:
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
managersearch:
chain:
DOCKER-USER:
@@ -170,33 +137,20 @@ role:
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.influxdb }}
- {{ portgroups.cortex }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.cortex_es_rest }}
- {{ portgroups.cortex_es_node }}
minion:
portgroups:
- {{ portgroups.acng }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
sensor:
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
search_node:
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
heavy_node:
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
@@ -234,46 +188,53 @@ role:
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
standalone:
chain:
DOCKER-USER:
hostgroups:
manager:
standalone:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.influxdb }}
- {{ portgroups.cortex }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.cortex_es_rest }}
- {{ portgroups.cortex_es_node }}
minion:
- {{ portgroups.docker_registry }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
- {{ portgroups.endgame }}
- {{ portgroups.strelka_frontend }}
sensors:
portgroups:
- {{ portgroups.acng }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
sensor:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
search_node:
searchnodes:
portgroups:
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
heavy_node:
heavynodes:
portgroups:
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
@@ -314,7 +275,16 @@ role:
localhost:
portgroups:
- {{ portgroups.all }}
minion:
standalone:
portgroups:
- {{ portgroups.salt_manager }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
helixsensor:
@@ -328,22 +298,13 @@ role:
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.cortex }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.cortex_es_rest }}
- {{ portgroups.cortex_es_node }}
minion:
portgroups:
- {{ portgroups.acng }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
sensor:
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
search_node:
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
@@ -367,9 +328,6 @@ role:
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
searchnode:
chain:
DOCKER-USER:
@@ -386,7 +344,7 @@ role:
portgroups:
- {{ portgroups.elasticsearch_rest }}
{% if TRUE_CLUSTER %}
search_node:
searchnodes:
portgroups:
- {{ portgroups.elasticsearch_node }}
{% endif %}
@@ -468,15 +426,11 @@ role:
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
minion:
portgroups:
- {{ portgroups.docker_registry }}
- {{ portgroups.sensoroni }}
sensor:
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
search_node:
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
@@ -503,18 +457,14 @@ role:
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
receiver:
chain:
DOCKER-USER:
hostgroups:
sensor:
sensors:
portgroups:
- {{ portgroups.beats_5644 }}
search_node:
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.beats_5644 }}
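Review bot: In the first hunk the `TRUE_CLUSTER` default appears to flip from `False` to `True` (`{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %}`), which turns the searchnode block guarded by `{% if TRUE_CLUSTER %}` from opt-in to opt-out: a searchnode whose pillar never sets `elasticsearch:true_cluster` now opens `elasticsearch_node` to the whole `searchnodes` hostgroup. If that is the intended posture, a comment on the `set` line such as `{# defaults to True: searchnodes reach each other's transport port unless true_cluster is explicitly disabled #}` makes it visible to whoever audits the rules; if not, the default should stay `False`. The remaining hunks look like the sensor/search_node/heavy_node to sensors/searchnodes/heavynodes renames and the removal of the `minion` hostgroup, which appear consistent across the roles shown.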


@@ -1,11 +1,11 @@
{% set role = grains.id.split('_') | last %}
{% set translated_pillar_assigned_hostgroups = {} %}
{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %}
{% set default_portgroups = default_portgroups.firewall.aliases.ports %}
{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %}
{% set default_portgroups = default_portgroups.firewall.ports %}
{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
{% if local_portgroups.firewall.aliases.ports %}
{% set local_portgroups = local_portgroups.firewall.aliases.ports %}
{% if local_portgroups.firewall.ports %}
{% set local_portgroups = local_portgroups.firewall.ports %}
{% else %}
{% set local_portgroups = {} %}
{% endif %}
@@ -13,7 +13,33 @@
{% set defined_portgroups = portgroups %}
{% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %}
{% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %}
{#% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %#}
{% set local_hostgroups = {'firewall': {'hostgroups': {}}} %}
{% set hostgroup_list = [
'analyst',
'analyst_workstations',
'eval',
'heavynodes',
'idh',
'manager',
'receivers',
'searchnodes',
'sensors',
'standalone',
'beats_endpoint',
'beats_endpoint_ssl',
'elasticsearch_rest',
'elastic_agent_endpoint',
'endgame',
'strelka_frontend',
'syslog'
]
%}
{% for hg in hostgroup_list %}
{% import_text 'firewall/hostgroups/' ~ hg as hg_ips %}
{% do local_hostgroups.firewall.hostgroups.update({hg: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %}
{% endfor %}
{% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %}
{# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}
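Review bot: `hostgroup_list` in the second hunk hard-codes the same seventeen names that `rolecall` in so-firewall validates against, so a role added in one place but not the other is either rejected by so-firewall or never read by this map; a comment on the `set` line, `{# keep in sync with THEROLES in so-firewall #}`, makes the coupling explicit until the list has a single home. The `import_text 'firewall/hostgroups/' ~ hg` loop will, as far as I can tell, abort rendering of the whole map if any listed file is missing rather than yield an empty group, so whatever creates those files should guarantee all seventeen exist before the firewall state runs. The commented-out `{#% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %#}` line should be deleted rather than kept, and since every group is now built with `'delete': []` the excluded-host concept is effectively gone from this map, which is worth stating in the comment block that follows.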


@@ -1,116 +0,0 @@
{% if grains.role == 'so-idh' %}
{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
{% from 'idh/openssh/map.jinja' import openssh_map %}
{% set idh_services = salt['pillar.get']('idh:services', []) %}
{% set ssh_port = openssh_map.config.port %}
{% else %}
{% set ssh_port = 22 %}
{% endif %}
firewall:
aliases:
ports:
all:
tcp:
- '0:65535'
udp:
- '0:65535'
acng:
tcp:
- 3142
agrules:
tcp:
- 7788
beats_5044:
tcp:
- 5044
beats_5644:
tcp:
- 5644
beats_5066:
tcp:
- 5066
cortex:
tcp:
- 9001
cortex_es_node:
tcp:
- 9500
cortex_es_rest:
tcp:
- 9400
docker_registry:
tcp:
- 5000
elasticsearch_node:
tcp:
- 9300
elasticsearch_rest:
tcp:
- 9200
elastic_agent_control:
tcp:
- 8220
elastic_agent_data:
tcp:
- 5055
endgame:
tcp:
- 3765
influxdb:
tcp:
- 8086
kibana:
tcp:
- 5601
minio:
tcp:
- 9595
mysql:
tcp:
- 3306
nginx:
tcp:
- 80
- 443
playbook:
tcp:
- 3200
redis:
tcp:
- 6379
- 9696
salt_manager:
tcp:
- 4505
- 4506
sensoroni:
tcp:
- 443
ssh:
tcp:
- {{ ssh_port }}
strelka_frontend:
tcp:
- 57314
syslog:
tcp:
- 514
udp:
- 514
yum:
tcp:
- 443
{% if idh_services is defined %}
{% for service in idh_services %}
{% if service in ["smnp","ntp", "tftp"] %}
{% set proto = 'udp' %}
{% else %}
{% set proto = 'tcp' %}
{% endif %}
idh_{{service}}:
{{proto}}:
- {{ OPENCANARYCONFIG[service~'.port'] }}
{% endfor %}
{% endif %}


@@ -0,0 +1,552 @@
role:
eval:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- playbook
- mysql
- kibana
- redis
- minio
- influxdb
- cortex
- elasticsearch_rest
- elasticsearch_node
- cortex_es_rest
- cortex_es_node
minion:
portgroups:
- acng
- docker_registry
- influxdb
- sensoroni
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- minio
- elasticsearch_node
heavy_node:
portgroups:
- redis
- minio
- elasticsearch_node
self:
portgroups:
- syslog
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
elasticsearch_rest:
portgroups:
- elasticsearch_rest
elastic_agent_endpoint:
portgroups:
- elastic_agent_control
- elastic_agent_data
strelka_frontend:
portgroups:
- strelka_frontend
syslog:
portgroups:
- syslog
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
manager:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- playbook
- mysql
- kibana
- redis
- minio
- influxdb
- cortex
- elasticsearch_rest
- elasticsearch_node
- cortex_es_rest
- cortex_es_node
minion:
portgroups:
- acng
- docker_registry
- influxdb
- sensoroni
- yum
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- minio
- elasticsearch_node
- beats_5644
heavy_node:
portgroups:
- redis
- minio
- elasticsearch_node
- beats_5644
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
elasticsearch_rest:
portgroups:
- elasticsearch_rest
endgame:
portgroups:
- endgame
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
managersearch:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- playbook
- mysql
- kibana
- redis
- minio
- influxdb
- cortex
- elasticsearch_rest
- elasticsearch_node
- cortex_es_rest
- cortex_es_node
minion:
portgroups:
- acng
- docker_registry
- influxdb
- sensoroni
- yum
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- minio
- elasticsearch_node
heavy_node:
portgroups:
- redis
- minio
- elasticsearch_node
self:
portgroups:
- syslog}}
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
elasticsearch_rest:
portgroups:
- elasticsearch_rest
elastic_agent_endpoint:
portgroups:
- elastic_agent_control
- elastic_agent_data
endgame:
portgroups:
- endgame
syslog:
portgroups:
- syslog
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
standalone:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- playbook
- mysql
- kibana
- redis
- minio
- influxdb
- cortex
- elasticsearch_rest
- elasticsearch_node
- cortex_es_rest
- cortex_es_node
minion:
portgroups:
- acng
- docker_registry
- influxdb
- sensoroni
- yum
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- minio
- elasticsearch_node
heavy_node:
portgroups:
- redis
- minio
- elasticsearch_node
self:
portgroups:
- syslog}}
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
elasticsearch_rest:
portgroups:
- elasticsearch_rest
elastic_agent_endpoint:
portgroups:
- elastic_agent_control
- elastic_agent_data
endgame:
portgroups:
- endgame
strelka_frontend:
portgroups:
- strelka_frontend
syslog:
portgroups:
- syslog
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
helixsensor:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- playbook
- mysql
- kibana
- redis
- influxdb
- cortex
- elasticsearch_rest
- elasticsearch_node
- cortex_es_rest
- cortex_es_node
minion:
portgroups:
- acng
- docker_registry
- influxdb
- sensoroni
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- elasticsearch_node
self:
portgroups:
- syslog}}
beats_endpoint:
portgroups:
- beats_5044
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
searchnode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- elasticsearch_node
- elasticsearch_rest
dockernet:
portgroups:
- elasticsearch_node
- elasticsearch_rest
elasticsearch_rest:
portgroups:
- elasticsearch_rest
search_node:
portgroups:
- elasticsearch_node
self:
portgroups:
- syslog
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
sensor:
chain:
DOCKER-USER:
hostgroups:
self:
portgroups:
- syslog
strelka_frontend:
portgroups:
- strelka_frontend
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
heavynode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- elasticsearch_node
- elasticsearch_rest
dockernet:
portgroups:
- elasticsearch_node
- elasticsearch_rest
elasticsearch_rest:
portgroups:
- elasticsearch_rest
self:
portgroups:
- syslog
strelka_frontend:
portgroups:
- strelka_frontend
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
import:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- kibana
- redis
- influxdb
- elasticsearch_rest
- elasticsearch_node
minion:
portgroups:
- docker_registry
- sensoroni
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- elasticsearch_node
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
elasticsearch_rest:
portgroups:
- elasticsearch_rest
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
receiver:
chain:
DOCKER-USER:
hostgroups:
sensor:
portgroups:
- beats_5644
search_node:
portgroups:
- redis
- beats_5644
self:
portgroups:
- redis
- syslog
- beats_5644
syslog:
portgroups:
- syslog
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
endgame:
portgroups:
- endgame
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
idh:
chain:
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
manager:
portgroups:
- ssh
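Review bot: `- syslog}}` under the `self` hostgroup of the managersearch, standalone and helixsensor roles is a typo: it becomes the literal portgroup name `syslog}}`, which matches no defined port group, so either the render fails or those three roles end up without the syslog rule for their own address while eval and manager keep it; change each occurrence to `- syslog`. Separately, every role allows `ssh` from `anywhere` on INPUT; that may be the intended default, but now that an analyst allow-list is collected at install time it would be worth a comment at the top of the file stating that SSH exposure to all sources is deliberate.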


@@ -1,19 +0,0 @@
playbook
mysql
kibana
redis
influxdb
elasticsearch_rest
elasticsearch_node
docker_registry
yum
sensoroni
beats_5044
beats_5644
elastic_agent_control
elastic_agent_data
elasticsearch_rest
endgame
strelka_frontend
syslog
nginx


@@ -5,73 +5,124 @@ firewall:
file: True
global: True
title: Analyst Workstations
helpLink: firewall.html#host-groups
analyst:
description: List of IP Addresses or CIDR blocks to allow analyst connections.
file: True
global: True
title: Analysts
title: Analyst
helpLink: firewall.html#host-groups
beats_endpoint:
description: List of IP Addresses or CIDR blocks of standard beats without encryption.
file: True
global: True
title: Beats Endpoints
helpLink: firewall.html#host-groups
beats_endpoint_ssl:
description: List of IP Addresses or CIDR blocks of standard beats with encryption.
file: True
global: True
title: Beats Endpoints SSL
helplink: firewall.html#host-groups
elastic_agent_endpoint:
description: List of IP Addresses or CIDR blocks for Elastic Agent connections.
file: True
global: True
title: Elastic Agents
helplink: firewall.html#host-groups
elasticsearch_rest:
description: List of IP Addresses or CIDR blocks to allow access directly to Elasticsearch.
file: True
global: True
title: Elasticsearch Rest
advanced: True
helplink: firewall.html#host-groups
endgame:
description: List of IP Addresses or CIDR blocks to allow endgame access.
file: True
global: True
title: Endgame
advanced: True
helplink: firewall.html#host-groups
strelka_frontend:
description: List of IP Addresses or CIDR blocks to allow access to the Strelka front end.
file: True
global: True
title: Strelka Frontend
advanced: True
helplink: firewall.html#host-groups
syslog:
description: List of IP Addresses or CIDR blocks to allow syslog.
file: True
global: True
title: Syslog Endpoint Traffic
helplink: firewall.html#host-groups
standalone:
description: List of IP Addresses or CIDR blocks to allow standalone connections.
file: True
global: True
title: Standalone
advanced: True
helpLink: firewall.html#host-groups
eval:
description: List of IP Addresses or CIDR blocks to allow eval connections.
file: True
global: True
title: Eval
advanced: True
helpLink: firewall.html#host-groups
idh:
description: List of IP Addresses or CIDR blocks to allow idh connections.
file: True
global: True
title: IDH Nodes
helpLink: firewall.html#host-groups
manager:
description: List of IP Addresses or CIDR blocks to allow manager connections.
file: True
global: True
title: Manager
advanced: True
helpLink: firewall.html#host-groups
heavynodes:
description: List of IP Addresses or CIDR blocks to allow heavynode connections.
file: True
global: True
title: Heavy Nodes
helpLink: firewall.html#host-groups
searchnodes:
description: List of IP Addresses or CIDR blocks to allow searchnode connections.
file: True
global: True
title: Search Nodes
helpLink: firewall.html#host-groups
sensors:
description: List of IP Addresses or CIDR blocks to allow Sensor connections.
file: True
global: True
title: Sensors
helpLink: firewall.html#host-groups
receivers:
description: List of IP Addresses or CIDR blocks to allow receiver connections.
file: True
global: True
title: Receivers
helpLink: firewall.html#host-groups
portgroups:
analyst:
description: List of ports for use with Analyst connections.
portgroups__yaml:
description: Port Groups
file: True
global: True
title: Analyst Ports
analyst_workstations:
description: List of ports for use with analyst workstations.
file: True
global: True
title: Analyst Workstation Ports
standalone:
description: List of ports for use with Standalone.
file: True
global: True
title: Standalone
advanced: True
title: Port Groups
syntax: yaml
helpLink: firewall.html#function
ports:
ports__yaml:
description: Ports in YAML.
file: True
global: True
advanced: True
title: Ports
syntax: yaml
helpLink: firewall.html#port-groups
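Review bot: Six of the new hostgroup entries spell the help key `helplink` (beats_endpoint_ssl, elastic_agent_endpoint, elasticsearch_rest, endgame, strelka_frontend, syslog) while every other entry in this file uses `helpLink`; if the UI looks the key up case-sensitively these six lose their help link, and elasticsearch_rest, endgame and strelka_frontend are exactly the advanced, exposure-widening settings where the link matters most. Change those six lines to `helpLink: firewall.html#host-groups`. The `portgroups__yaml` block is editable without `advanced: True` while `ports__yaml` is advanced; both change what the firewall allows, so either mark port groups advanced too or note why they differ.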


@@ -4,35 +4,46 @@ grafana:
enabled:
description: Enable the sending of emails from Grafana.
global: True
helpLink: grafana.html
host:
description: Hostname of the SMTP server.
global: True
helpLink: grafana.html
user:
description: User used to authenticate SMTP.
global: True
helpLink: grafana.html
password:
description: Password used to authenticate SMTP.
global: True
sensitive: True
helpLink: grafana.html
cert_file:
description: Location of cert file for SMTP.
global: True
helpLink: grafana.html
key_file:
description: Location of key file for SMTP.
global: True
helpLink: grafana.html
skip_verify:
description: Verify SSL certificates.
global: True
helpLink: grafana.html
from_address:
description: The email address you would like in the from field.
global: True
helpLink: grafana.html
from_name:
description: The name displayed for the from email address.
global: True
helpLink: grafana.html
ehlo_identity:
description: Used with servers with SMTP service extensions.
global: True
helpLink: grafana.html
enterprise:
license_path:
description: Path to enterprise license key.
global: True
helpLink: grafana.html
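Review bot: The `skip_verify` entry is described as `Verify SSL certificates.`, which is the opposite of what the name says the setting does: a true value skips verification of the SMTP server's certificate, so an admin following the description would disable TLS validation by mistake. Suggest `description: Skip verification of the SMTP server's TLS certificate. Leave disabled unless the server uses a self-signed certificate.`. The description line itself is unchanged context, but this hunk adds the help link to that same entry, so the fix is cheap here.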


@@ -3,22 +3,28 @@ idstools:
oinkcode:
description: Enter your registration code for paid rulesets.
global: True
helpLink: managing-alerts.html
ruleset:
description: Define the ruleset you want to run. Options are ETOPEN or ETPRO.
global: True
helpLink: managing-alerts.html
urls:
description: This is a list of additional rule download locations.
global: True
helpLink: managing-alerts.html
sids:
disabled:
description: List of disables SIDS.
global: True
helpLink: managing-alerts.html
enabled:
description: List of SIDS that are disabled by the rule source that you want to enable.
global: True
helpLink: managing-alerts.html
modify:
description: List of SIDS that are modified.
global: True
helpLink: managing-alerts.html
rules:
local__rules:
description: This is where custom Suricata rules are entered.
@@ -26,15 +32,18 @@ idstools:
global: True
advanced: True
title: Local Rules
helpLink: managing-alerts.html
filters__rules:
description: You can set custom filters for Suricata when using it for meta data creation.
file: True
global: True
advanced: True
title: Filter Rules
helpLink: managing-alerts.html
extraction__rules:
description: This is a list of mime types for file extraction when Suricata is used for meta data creation.
file: True
global: True
advanced: True
title: Extraction Rules
helpLink: managing-alerts.html
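Review bot: `oinkcode` is a paid-ruleset credential but carries no `sensitive: True`, whereas the SMTP password added elsewhere in this change does; if that flag is what masks values in the SOC configuration UI, the oinkcode is shown in clear to anyone who can open the page. Add `sensitive: True` under `oinkcode`. Also `description: List of disables SIDS.` should read `List of disabled SIDs.`.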


@@ -3,14 +3,24 @@ influxdb:
so_short_term:
duration:
description: Amount of time to keep short term data.
global: True
helpLink: grafana.html#data
shard_duration:
description: Time range
global: True
helpLink: grafana.html#data
so_long_term:
duration:
description: Amount of time to keep long term downsampled data.
global: True
helpLink: grafana.html#data
shard_duration:
description: Amount of the time range covered by the shard group.
global: True
helpLink: grafana.html#data
downsample:
so_long_term:
resolution:
description: Amount of time to turn into a single data point.
global: True
helpLink: grafana.html#data


@@ -3,3 +3,5 @@ kibana:
elasticsearch:
requestTimeout:
description: Request timeout length.
global: True
helpLink: kibana.html


@@ -1 +1 @@
# Replace this text with the text from the .crt
# Replace this text with the text from the .key


@@ -5,15 +5,18 @@ nginx:
global: True
advanced: True
title: Replace Default Cert
helpLink: nginx.html
ssl__key:
description: Paste your .key file here
file: True
title: SSL Key File
advanced: True
global: True
helpLink: nginx.html
ssl__crt:
description: Paste your .crt file here
file: True
title: SSL Cert File
advanced: True
global: True
helpLink: nginx.html
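Review bot: `ssl__key` holds a pasted private key but is not flagged `sensitive: True`, unlike grafana's SMTP password in this same change; if that flag drives masking in the SOC UI and redaction in exported configuration, the key is rendered back to any user who can open this page. Add `sensitive: True` to the `ssl__key` entry; the certificate entry can stay as is.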


@@ -3,3 +3,4 @@ ntp:
servers:
description: NTP Server List
title: NTP Servers
helpLink: ntp.html


@@ -1,24 +1,35 @@
pcap:
enabled:
description: Enable or Disable Stenographer on all sensors or a single sensor
helpLink: pcap.html
config:
maxdirectoryfiles:
description: The maximum number of packet/index files to create before deleting old files. The default is about 8 days regardless of free space.
helpLink: pcap.html
diskfreepercentage:
description: The disk space percent to always keep free for pcap
helpLink: pcap.html
blocks:
description: The number of 1MB packet blocks used by AF_PACKET to store packets in memory, per thread. You shouldn't need to change this.
advanced: True
helpLink: pcap.html
preallocate_file_mb:
description: File size to pre-allocate for individual pcap files. You shouldn't need to change this.
advanced: True
helpLink: pcap.html
aiops:
description: The max number of async writes to allow at once.
advanced: True
helpLink: pcap.html
pin_to_cpu:
description: Enable CPU pinning for PCAP.
advanced: True
helpLink: pcap.html
cpus_to_pin_to:
description: CPU to pin PCAP to. Currently only a single CPU is supported
advanced: True
helpLink: pcap.html
disks:
description: List of disks to use for PCAP. This is currently not used.
advanced: True
helpLink: pcap.html


@@ -7,21 +7,25 @@ soc:
file: True
global: True
syntax: md
helpLink: soc.html
motd__md:
title: Overview Page
description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the users' browser.
file: True
global: True
syntax: md
helpLink: soc.html
custom__js:
title: Custom Javascript
description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades.
file: True
global: True
advanced: True
helpLink: soc.html
custom_roles:
title: Custom Roles
description: Customize role and permission mappings. Changes to this setting requires a complete understanding of the SOC RBAC system.
file: True
global: True
advanced: True
helpLink: soc.html


@@ -1,123 +1,183 @@
suricata:
thresholding:
sids__yaml:
description: Threshold SIDS List
file: True
syntax: yaml
title: SIDS
helpLink: suricata.html
config:
vars:
address-groups:
HOME_NET:
description: List of hosts or netowrks.
helpLink: suricata.html
EXTERNAL_NET:
description: List of hosts or netowrks.
helpLink: suricata.html
HTTP_SERVERS:
description: List of hosts or netowrks.
helpLink: suricata.html
SMTP_SERVERS:
description: List of hosts or netowrks.
helpLink: suricata.html
SQL_SERVERS:
description: List of hosts or netowrks.
helpLink: suricata.html
DNS_SERVERS:
description: List of hosts or netowrks.
helpLink: suricata.html
TELNET_SERVERS:
description: List of hosts or netowrks.
helpLink: suricata.html
AIM_SERVERS:
description: List of hosts or netowrks.
helpLink: suricata.html
DC_SERVERS:
description: List of hosts or netowrks.
helpLink: suricata.html
DNP3_SERVER:
description: List of hosts or netowrks.
helpLink: suricata.html
DNP3_CLIENT:
description: List of hosts or netowrks.
helpLink: suricata.html
MODBUS_CLIENT:
description: List of hosts or netowrks.
helpLink: suricata.html
MODBUS_SERVER:
description: List of hosts or netowrks.
helpLink: suricata.html
ENIP_CLIENT:
description: List of hosts or netowrks.
helpLink: suricata.html
ENIP_SERVER:
description: List of hosts or netowrks.
helpLink: suricata.html
port-groups:
HTTP_PORTS:
description: List of HTTP ports to look for HTTP traffic on.
helpLink: suricata.html
SHELLCODE_PORTS:
description: List of SHELLCODE ports to look for SHELLCODE traffic on.
helpLink: suricata.html
ORACLE_PORTS:
description: List of ORACLE ports to look for ORACLE traffic on.
helpLink: suricata.html
SSH_PORTS:
description: List of SSH ports to look for SSH traffic on.
helpLink: suricata.html
DNP3_PORTS:
description: List of DNP3 ports to look for DNP3 traffic on.
helpLink: suricata.html
MODBUS_PORTS:
description: List of MODBUS ports to look for MODBUS traffic on.
helpLink: suricata.html
FILE_DATA_PORTS:
description: List of FILE_DATA ports to look for FILE_DATA traffic on.
helpLink: suricata.html
FTP_PORTS:
description: List of FTP ports to look for FTP traffic on.
helpLink: suricata.html
VXLAN_PORTS:
description: List of VXLAN ports to look for VXLAN traffic on.
helpLink: suricata.html
TEREDO_PORTS:
description: List of TEREDO ports to look for TEREDO traffic on.
helpLink: suricata.html
outputs:
eve-log:
xff:
enabled:
description: Enable X-Forward-For support.
helpLink: suricata.html
mode:
description: Operation mode. This should always be extra-data if you use PCAP.
helpLink: suricata.html
deployment:
description: forward would use the first IP address and reverse would use the last.
helpLink: suricata.html
header:
description: Header name where the actual IP address will be reported.
helpLink: suricata.html
asn1-max-frames:
description: Maximum nuber of asn1 frames to decode.
helpLink: suricata.html
max-pending-packets:
description: Number of packets preallocated per thread.
helpLink: suricata.html
default-packet-size:
description: Preallocated size for each packet.
helpLink: suricata.html
pcre:
match-limit:
description: Match limit for PCRE.
helpLink: suricata.html
match-limit-recursion:
description: Recursion limit for PCRE.
helpLink: suricata.html
defrag:
memcap:
description: Max memory to use for defrag. You should only change this if you know what you are doing.
helpLink: suricata.html
hash-size:
description: Hash size
helpLink: suricata.html
trackers:
description: Number of defragmented flows to follow.
helpLink: suricata.html
max-frags:
description: Max number of fragments to keep
helpLink: suricata.html
prealloc:
description: Preallocate memory.
helpLink: suricata.html
timeout:
description: Timeout value.
helpLink: suricata.html
flow:
memcap:
description: Reserverd memory for flows.
helpLink: suricata.html
hash-size:
description: Determines the size of the hash used to identify flows inside the engine.
helpLink: suricata.html
prealloc:
description: Number of preallocated flows.
helpLink: suricata.html
stream:
memcap:
description: Can be specified in kb,mb,gb.
helpLink: suricata.html
checksum-validation:
description: Validate checksum of packets.
helpLink: suricata.html
reassembly:
memcap:
description: Can be specified in kb,mb,gb.
helpLink: suricata.html
host:
hash-size:
description: Hash size in bytes.
helpLink: suricata.html
prealloc:
description: How many streams to preallocate.
helpLink: suricata.html
memcap:
description: Memory settings for host.
helpLink: suricata.html
decoder:
teredo:
enabled:
description: Enable TEREDO capabilities
helpLink: suricata.html
ports:
description: Ports to listen for. This should be a variable.
helpLink: suricata.html
vxlan:
enabled:
description: Enable VXLAN capabilities.
helpLink: suricata.html
ports:
description: Ports to listen for. This should be a variable.
helpLink: suricata.html
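Review bot: The address-group descriptions repeat the typo `netowrks` fifteen times (HOME_NET through ENIP_SERVER), `asn1-max-frames` has `nuber`, and `flow.memcap` has `Reserverd`; these are user-facing strings in the configuration UI. Suggest `List of hosts or networks.`, `Maximum number of asn1 frames to decode.` and `Reserved memory for flows.`. HOME_NET in particular deserves a more specific line, e.g. `Networks Suricata treats as internal; many rules key on this, so an incorrect value changes which alerts fire.`, since a generic description gives no hint of the impact of a wrong value.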


@@ -0,0 +1,44 @@
thresholding:
sids:
99999999999999999:
- threshold:
gen_id: 1
type: threshold
track: by_src
count: 10
seconds: 10
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 100
seconds: 30
- rate_filter:
gen_id: 1
track: by_rule
count: 50
seconds: 30
new_action: alert
timeout: 30
- suppress:
gen_id: 1
track: by_either
ip: 10.10.3.7
99999999999999998:
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 10
seconds: 10
- rate_filter:
gen_id: 1
track: by_src
count: 50
seconds: 20
new_action: pass
timeout: 60
- suppress:
gen_id: 1
track: by_src
ip: 10.10.3.0/24
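Review bot: Nothing in this file marks its content as an example, yet the keys `99999999999999999` and `99999999999999998` exceed the 32-bit unsigned range of a Suricata signature ID, the addresses `10.10.3.7` and `10.10.3.0/24` are placeholders, and the first `rate_filter` uses `new_action: pass`, which would silence a real rule once it matched 50 times in 20 seconds. A header comment such as `# Example entries only - replace the SIDs and addresses before use; new_action: pass suppresses matching alerts entirely` would prevent copy-paste mistakes. Whether this file is applied verbatim or only shown as a template in the UI is not visible here.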


@@ -2171,18 +2171,20 @@ set_initial_firewall_policy() {
case "$install_type" in
'MANAGER')
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP"
$default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost minion "$MAINIP"
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=manager --ip=$MAINIP --apply=true
;;
'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP"
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP"
$default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=$install_type --ip=$MAINIP --apply=true
;;
esac
}
set_initial_firewall_access() {
if [[ ! -z "$ALLOW_CIDR" ]]; then
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=analyst --ip=$ALLOW_CIDR --apply=true
fi
}
# Set up the management interface on the ISO
set_management_interface() {
title "Setting up the main interface"
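Review bot: `--role=$install_type --ip=$MAINIP` and `--role=analyst --ip=$ALLOW_CIDR` pass unquoted variables, and the second case branch passes the upper-case install type (`EVAL`, `MANAGERSEARCH`, `STANDALONE`, `IMPORT`) while the role keys introduced elsewhere in this PR are lower-case; unless so-firewall lowercases its `--role` argument, those installs would get no initial policy. Quote both and normalise the case: `so-firewall --role="${install_type,,}" --ip="$MAINIP" --apply=true` and `so-firewall --role=analyst --ip="$ALLOW_CIDR" --apply=true`. `$ALLOW_CIDR` comes from a free-text prompt, so if so-firewall does not validate it as an address or CIDR it should be checked here before it becomes a firewall rule. `set_initial_firewall_access` also ignores the `ALLOW_ROLE` the prompt exports and hard-codes `analyst`.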


@@ -330,7 +330,6 @@ if ! [[ -f $install_opt_file ]]; then
calculate_useable_cores
collect_webuser_inputs
get_redirect
collect_ntp_servers
collect_so_allow
whiptail_end_settings
# Start the install
@@ -351,7 +350,6 @@ if ! [[ -f $install_opt_file ]]; then
calculate_useable_cores
collect_webuser_inputs
get_redirect
collect_ntp_servers
collect_so_allow
whiptail_end_settings
elif [[ $is_manager ]]; then
@@ -368,7 +366,6 @@ if ! [[ -f $install_opt_file ]]; then
calculate_useable_cores
collect_webuser_inputs
get_redirect
collect_ntp_servers
collect_so_allow
whiptail_end_settings
elif [[ $is_managersearch ]]; then
@@ -385,7 +382,6 @@ if ! [[ -f $install_opt_file ]]; then
calculate_useable_cores
collect_webuser_inputs
get_redirect
collect_ntp_servers
collect_so_allow
whiptail_end_settings
elif [[ $is_sensor ]]; then
@@ -460,10 +456,6 @@ if ! [[ -f $install_opt_file ]]; then
if [[ $monints ]]; then
configure_network_sensor
fi
# Configure NTP
info "Configuring NTP"
[[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1
# Reserve the ports that SO needs
info "Reserving ports"
reserve_ports
info "Setting Paths"
@@ -569,6 +561,7 @@ if ! [[ -f $install_opt_file ]]; then
title "Setting up Playbook"
logCmd "so-playbook-reset"
checkin_at_boot
set_initial_firewall_access
whiptail_setup_complete
else
es_heapsize
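Review bot: The NTP prompt and the `configure_ntp` call are removed from every install branch without a replacement visible in this section, so a node whose ISO clock is wrong now reaches the first highstate, and anything certificate-based that follows, with that clock; presumably the new `ntp` pillar setting takes over afterwards, but that should be stated where the call used to run, e.g. `# NTP is now configured by the ntp salt state from the ntp pillar after the first highstate`. The functions around these hunks start and end outside the visible lines.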


@@ -80,6 +80,9 @@ whiptail_title="Security Onion Setup - $SOVERSION"
export whiptail_title
mkdir -p $local_salt_dir/pillar/minions
mkdir -p $local_salt_dir/salt/firewall/hostgroups
mkdir -p $local_salt_dir/salt/firewall/portgroups
mkdir -p $local_salt_dir/salt/firewall/ports
for THEDIR in bpf pcap elasticsearch ntp firewall redis backup strelka sensoroni curator soc soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh elastalert
do


@@ -1267,7 +1267,7 @@ whiptail_so_allow_yesno() {
[ -n "$TESTING" ] && return
whiptail --title "$whiptail_title" \
--yesno "Do you want to run so-allow to allow other machines to access this Security Onion installation via the web interface?" \
--yesno "Do you want to allow access to this Security Onion installation via the web interface?" \
8 75
}
@@ -1280,7 +1280,7 @@ whiptail_so_allow() {
10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
export ALLOW_ROLE='a'
export ALLOW_ROLE='analyst'
export ALLOW_CIDR
whiptail_check_exitstatus $exitstatus
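Review bot: `export ALLOW_ROLE='analyst'` is set here but the only consumer added in this change, `set_initial_firewall_access`, hard-codes `--role=analyst` and never reads it, so the variable is dead; either drop the export or pass it through as `--role="$ALLOW_ROLE"` so the prompt and the firewall call cannot drift apart. The CIDR typed into this prompt is exported without validation; if so-firewall does not reject malformed input, a check before the export such as `[[ $ALLOW_CIDR =~ ^[0-9.]+(/[0-9]+)?$ ]] || return 1` (IPv4 only; extend if IPv6 is accepted) would stop a typo from becoming a firewall rule. `whiptail_so_allow` starts before this hunk.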