This commit is contained in:
m0duspwnens
2020-04-06 13:41:18 -04:00
25 changed files with 847 additions and 685 deletions


@@ -1,3 +0,0 @@
fleet_nodes:
- 127.0.0.1


@@ -107,7 +107,7 @@ populate_container_lists() {
systemctl is-active --quiet docker systemctl is-active --quiet docker
if [[ $? = 0 ]]; then if [[ $? = 0 ]]; then
mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/v2/containers/json?all=1 \ mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/v1.40/containers/json?all=1 \
| jq -c '.[] | { Name: .Names[0], State: .State }' \ | jq -c '.[] | { Name: .Names[0], State: .State }' \
| tr -d '/{"}') | tr -d '/{"}')
else else
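Review bot: Pinning the socket request to `/v1.40/containers/json` makes the container listing fail on any daemon whose maximum API version is older than 1.40 (the daemon answers such requests with a "client version ... is too new" error instead of a list), and since `curl -s` hides that, `docker_raw_list` silently ends up empty. Unless a field that only exists in 1.40 is needed, the unversioned path `http:/containers/json?all=1` lets the daemon serve whatever version it supports; alternatively add `--fail` so an error body is never piped into jq as if it were a container array. The rest of populate_container_lists lies outside the hunk.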


@@ -33,6 +33,7 @@
{ "rename": { "field": "data.win.eventdata.user", "target_field": "user.name", "ignore_missing": true } }, { "rename": { "field": "data.win.eventdata.user", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "data.win.system.eventID", "target_field": "event.code", "ignore_missing": true } }, { "rename": { "field": "data.win.system.eventID", "target_field": "event.code", "ignore_missing": true } },
{ "rename": { "field": "predecoder.program_name", "target_field": "process.name", "ignore_missing": true } }, { "rename": { "field": "predecoder.program_name", "target_field": "process.name", "ignore_missing": true } },
{ "rename": { "field": "rule.description", "target_field": "rule.name", "ignore_missing": true } },
{ "set": { "if": "ctx.rule.level == 1", "field": "rule.category", "value": "None" } }, { "set": { "if": "ctx.rule.level == 1", "field": "rule.category", "value": "None" } },
{ "set": { "if": "ctx.rule.level == 2", "field": "rule.category", "value": "System low priority notification" } }, { "set": { "if": "ctx.rule.level == 2", "field": "rule.category", "value": "System low priority notification" } },
{ "set": { "if": "ctx.rule.level == 3", "field": "rule.category", "value": "Successful/authorized event" } }, { "set": { "if": "ctx.rule.level == 3", "field": "rule.category", "value": "Successful/authorized event" } },


@@ -5,7 +5,7 @@
{ "rename": { "field": "message2.file", "target_field": "file", "ignore_missing": true } }, { "rename": { "field": "message2.file", "target_field": "file", "ignore_missing": true } },
{ "rename": { "field": "message2.scan", "target_field": "scan", "ignore_missing": true } }, { "rename": { "field": "message2.scan", "target_field": "scan", "ignore_missing": true } },
{ "rename": { "field": "message2.request", "target_field": "request", "ignore_missing": true } }, { "rename": { "field": "message2.request", "target_field": "request", "ignore_missing": true } },
{ "rename": { "field": "scan.hash", "target_field": "file.hash", "ignore_missing": true } }, { "rename": { "field": "scan.hash", "target_field": "hash", "ignore_missing": true } },
{ "remove": { "field": ["host", "path"], "ignore_missing": true } }, { "remove": { "field": ["host", "path"], "ignore_missing": true } },
{ "pipeline": { "name": "common" } } { "pipeline": { "name": "common" } }
] ]


@@ -3,9 +3,9 @@
"processors" : [ "processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } }, { "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.fc_request", "target_field": "fc_request", "ignore_missing": true } }, { "rename": { "field": "message2.fc_request", "target_field": "dnp3.fc_request", "ignore_missing": true } },
{ "rename": { "field": "message2.fc_reply", "target_field": "fc_reply", "ignore_missing": true } }, { "rename": { "field": "message2.fc_reply", "target_field": "dnp3.fc_reply", "ignore_missing": true } },
{ "rename": { "field": "message2.iin", "target_field": "iin", "ignore_missing": true } }, { "rename": { "field": "message2.iin", "target_field": "dnp3.iin", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } } { "pipeline": { "name": "zeek.common" } }
] ]
} }


@@ -4,8 +4,8 @@
{ "remove": { "field": ["host"], "ignore_failure": true } }, { "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } }, { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.rx_hosts", "target_field": "file.receive_ip", "ignore_missing": true } }, { "rename": { "field": "message2.rx_hosts", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.tx_hosts", "target_field": "file.transmit_ip", "ignore_missing": true } }, { "rename": { "field": "message2.tx_hosts", "target_field": "source.ip", "ignore_missing": true } },
{ "set": { "field": "server.ip", "value": "{{source.ip}}", "ignore_failure": true } }, { "set": { "field": "server.ip", "value": "{{source.ip}}", "ignore_failure": true } },
{ "set": { "field": "client.ip", "value": "{{destination.ip}}", "ignore_failure": true } }, { "set": { "field": "client.ip", "value": "{{destination.ip}}", "ignore_failure": true } },
{ "rename": { "field": "message2.conn_uids", "target_field": "log.id.uids", "ignore_missing": true } }, { "rename": { "field": "message2.conn_uids", "target_field": "log.id.uids", "ignore_missing": true } },
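Review bot: Zeek's files.log emits `tx_hosts` and `rx_hosts` as sets, so after these renames `source.ip` / `destination.ip` may hold an array; the existing `set` processors directly below then template `{{source.ip}}` into `server.ip`, and a mustache-rendered array does not parse as an `ip` value, so the document would be rejected at index time if `server.ip`/`client.ip` are mapped as `ip` (the `ignore_failure` on `set` covers only the processor, not the mapping). If a single address is expected, add a step that picks the first element before the `set` processors, or map `server.ip`/`client.ip` as keyword. This is inferred from Zeek's log format rather than from the hunk, so confirm against a sample files.log document.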


@@ -7,20 +7,20 @@
{ "rename": { "field": "message2.mime", "target_field": "file.mimetype", "ignore_missing": true } }, { "rename": { "field": "message2.mime", "target_field": "file.mimetype", "ignore_missing": true } },
{ "rename": { "field": "message2.desc", "target_field": "file.description", "ignore_missing": true } }, { "rename": { "field": "message2.desc", "target_field": "file.description", "ignore_missing": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } }, { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } }, { "rename": { "field": "message2.note", "target_field": "notice.note", "ignore_missing": true } },
{ "rename": { "field": "message2.msg", "target_field": "msg", "ignore_missing": true } }, { "rename": { "field": "message2.msg", "target_field": "notice.message", "ignore_missing": true } },
{ "rename": { "field": "message2.sub", "target_field": "sub_msg", "ignore_missing": true } }, { "rename": { "field": "message2.sub", "target_field": "notice.sub_message", "ignore_missing": true } },
{ "rename": { "field": "message2.p", "target_field": "p", "ignore_missing": true } }, { "rename": { "field": "message2.p", "target_field": "notice.p", "ignore_missing": true } },
{ "rename": { "field": "message2.n", "target_field": "n", "ignore_missing": true } }, { "rename": { "field": "message2.n", "target_field": "notice.n", "ignore_missing": true } },
{ "rename": { "field": "message2.peer_descr", "target_field": "peer_description", "ignore_missing": true } }, { "rename": { "field": "message2.peer_descr", "target_field": "notice.peer_description", "ignore_missing": true } },
{ "rename": { "field": "message2.actions", "target_field": "action", "ignore_missing": true } }, { "rename": { "field": "message2.actions", "target_field": "notice.action", "ignore_missing": true } },
{ "rename": { "field": "message2.suppress_for", "target_field": "suppress_for", "ignore_missing": true } }, { "rename": { "field": "message2.suppress_for", "target_field": "notice.suppress_for", "ignore_missing": true } },
{ "rename": { "field": "message2.dropped", "target_field": "dropped", "ignore_missing": true } }, { "rename": { "field": "message2.dropped", "target_field": "notice.dropped", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_country_code", "target_field": "destination_country_code", "ignore_missing": true } }, { "rename": { "field": "message2.destination_country_code", "target_field": "geo.destination_country_code", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_region", "target_field": "destination_region", "ignore_missing": true } }, { "rename": { "field": "message2.destination_region", "target_field": "geo.destination_region", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_city", "target_field": "destination_city", "ignore_missing": true } }, { "rename": { "field": "message2.destination_city", "target_field": "geo.destination_city", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_latitude", "target_field": "destination_latitude", "ignore_missing": true } }, { "rename": { "field": "message2.destination_latitude", "target_field": "geo.destination_latitude", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_longitude", "target_field": "destination_longitude", "ignore_missing": true } }, { "rename": { "field": "message2.destination_longitude", "target_field": "geo.destination_longitude", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } } { "pipeline": { "name": "zeek.common" } }
] ]
} }


@@ -8,7 +8,7 @@
{ "rename": { "field": "message2.server_major_version", "target_field": "rfb.server_major_version", "ignore_missing": true } }, { "rename": { "field": "message2.server_major_version", "target_field": "rfb.server_major_version", "ignore_missing": true } },
{ "rename": { "field": "message2.server_minor_version", "target_field": "rfb.server_minor_version", "ignore_missing": true } }, { "rename": { "field": "message2.server_minor_version", "target_field": "rfb.server_minor_version", "ignore_missing": true } },
{ "rename": { "field": "message2.authentication_method", "target_field": "rfb.authentication.method","ignore_missing": true } }, { "rename": { "field": "message2.authentication_method", "target_field": "rfb.authentication.method","ignore_missing": true } },
{ "rename": { "field": "message2.auth", "target_field": "rfb.authenticaiton.success", "ignore_missing": true } }, { "rename": { "field": "message2.auth", "target_field": "rfb.authentication.success", "ignore_missing": true } },
{ "rename": { "field": "message2.share_flag", "target_field": "rfb.share_flag", "ignore_missing": true } }, { "rename": { "field": "message2.share_flag", "target_field": "rfb.share_flag", "ignore_missing": true } },
{ "rename": { "field": "message2.desktop_name", "target_field": "rfb.desktop.name", "ignore_missing": true } }, { "rename": { "field": "message2.desktop_name", "target_field": "rfb.desktop.name", "ignore_missing": true } },
{ "rename": { "field": "message2.width", "target_field": "rfb.desktop.width", "ignore_missing": true } }, { "rename": { "field": "message2.width", "target_field": "rfb.desktop.width", "ignore_missing": true } },


@@ -7,8 +7,8 @@
{%- set HOSTNAME = salt['grains.get']('host', '') %} {%- set HOSTNAME = salt['grains.get']('host', '') %}
{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %} {%- set WAZUHENABLED = salt['pillar.get']('master:wazuh_enabled', '0') %}
{%- set STRELKAENABLED = salt['pillar.get']('static:strelka_enabled', '1') %} {%- set STRELKAENABLED = salt['pillar.get']('master:strelka_enabled', '0') %}
{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
{%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%} {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
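Review bot: Moving the lookups from `static:wazuh_enabled`/`static:strelka_enabled` to `master:*` while flipping the defaults from '1' to '0' means an existing install whose pillar still carries the old keys silently has Wazuh and Strelka turned off on the next highstate, with nothing in the rendered state explaining why. A transitional fallback keeps those installs working: `{%- set WAZUHENABLED = salt['pillar.get']('master:wazuh_enabled', salt['pillar.get']('static:wazuh_enabled', '0')) %}` and the same for Strelka, or a note in the upgrade path that these keys moved. Whether a migration elsewhere rewrites the pillar is not visible in this commit.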


@@ -8,6 +8,8 @@
{%- elif grains['role'] == 'so-fleet' %} {%- elif grains['role'] == 'so-fleet' %}
{%- set ip = salt['pillar.get']('node:mainip', '') %} {%- set ip = salt['pillar.get']('node:mainip', '') %}
{%- endif %} {%- endif %}
{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
{%- set FLEET_NODE_IP = salt['pillar.get']('static:fleet_ip') %}
# Quick Fix for Docker being difficult # Quick Fix for Docker being difficult
iptables_fix_docker: iptables_fix_docker:
@@ -424,6 +426,22 @@ enable_forwardnode_sensoroni_9822_{{ip}}:
{% endfor %} {% endfor %}
# Allow Fleet Node to send its beats traffic
{% if FLEET_NODE %}
enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ FLEET_NODE_IP }}
- dport: 5644
- position: 1
- save: True
{% endif %}
{% for ip in pillar.get('search_nodes') %} {% for ip in pillar.get('search_nodes') %}
enable_searchnode_redis_6379_{{ip}}: enable_searchnode_redis_6379_{{ip}}:
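Review bot: The new rule is guarded only on `FLEET_NODE`, not on `FLEET_NODE_IP`; `salt['pillar.get']('static:fleet_ip')` has no default, so a fleet node whose pillar lacks `fleet_ip` renders `- source: None` and a state ID ending in `None`, and the iptables state errors out rather than opening the port. Guard on both, `{% if FLEET_NODE and FLEET_NODE_IP %}`, or give the lookup a default and fail early with a readable message. A one-line comment on why the ACCEPT is inserted at `position: 1` of `DOCKER-USER` (presumably so it is evaluated ahead of Docker's own forwarding rules for the published 5644 listener) would also help the next reader.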


@@ -1,4 +1,4 @@
{% set ENROLLSECRET = salt['pillar.get']('auth:fleet_enroll-secret') %} {% set ENROLLSECRET = salt['pillar.get']('secrets:fleet_enroll-secret') %}
so/fleet: so/fleet:
event.send: event.send:


@@ -86,40 +86,9 @@ a {
<p> <p>
<div style="text-align: center;"> <div style="text-align: center;">
<h1>Security Onion - Dedicated Fleet Node</h1> <h1>Security Onion - Dedicated Fleet Node</h1>
<h2>Osquery Packages</h2>
</div> </div>
<br/> <br/>
<h2>Notes</h2>
<ul>
<li>These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from <a href="https://osquery.io/downloads">osquery.io</a></li>
<li>Packages are not signed.</li>
</ul>
<br/> <br/>
<h2>Downloads</h2>
<div>
Generated: {{ PACKAGESTS }}
<br/>
<br/>
Packages:
<ul>
<li><a href="/launcher.msi" download="msi-launcher.msi">MSI (Windows)</a></li>
<li><a href="/launcher.deb" download="deb-launcher.deb">DEB (Debian)</a></li>
<li><a href="/launcher.rpm" download="rpm-launcher.rpm">RPM (RPM)</a></li>
<li><a href="/launcher.pkg" download="pkg-launcher.pkg">PKG (MacOS)</a></li>
</ul>
<br/>
<br/>
Config Files:
<ul>
<li><a href="/launcher.flags" download="launcher.flags.txt">RPM & DEB Flag File</a></li>
<li><a href="/launcher-msi.flags" download="launcher-msi.flags.txt">MSI Flag File</a></li>
</ul>
</div>
<br/>
<h2>Known Issues</h2>
<ul>
<li>None</li>
</ul>
</p> </p>
</div> </div>
</div> </div>


@@ -1,18 +1,18 @@
{%- set MASTER = salt['pillar.get']('static:masterip', '') %}
#!/bin/bash #!/bin/bash
KIBANA_VERSION="7.6.1" KIBANA_VERSION="7.6.1"
MAX_WAIT=60 MAX_WAIT=60
# Check to see if Kibana is available # Check to see if Kibana is available
wait_step=0 until curl "{{ MASTER }}:5601/nonexistenturl" 2>&1 |grep -q "Not Found" ; do
until curl -s -XGET http://localhost:5601 > /dev/null ; do
wait_step=$(( ${wait_step} + 1 )) wait_step=$(( ${wait_step} + 1 ))
echo "Waiting on Kibana...Attempt #$wait_step" echo "Waiting on Kibana ({{ MASTER }}:5601)...Attempt #$wait_step"
if [ ${wait_step} -gt ${MAX_WAIT} ]; then if [ ${wait_step} -gt ${MAX_WAIT} ]; then
echo "ERROR: Kibana not available for more than ${MAX_WAIT} seconds." echo "ERROR: Kibana not available for more than ${MAX_WAIT} seconds."
exit 5 exit 5
fi fi
sleep 1s; sleep 1s;
done done
# Sleep additional JIC server is not ready # Sleep additional JIC server is not ready
sleep 30s sleep 30s
@@ -30,5 +30,10 @@ curl -X PUT "localhost:5601/api/saved_objects/config/$KIBANA_VERSION" -H 'kbn-xs
} }
}' }'
# Sub our IP for placholders
for i in PLACEHOLDER FLEETPLACEHOLDER PCAPPLACEHOLDER SOCTOPUSPLACEHOLDER; do
sed -i "s/$i/{{ MASTER }}/g" /opt/so/saltstack/salt/kibana/saved_objects.ndjson
done
# Load saved objects # Load saved objects
curl -X POST "localhost:5601/api/saved_objects/_import" -H "kbn-xsrf: true" --form file=@/opt/so/saltstack/salt/kibana/saved_objects.ndjson curl -X POST "localhost:5601/api/saved_objects/_import" -H "kbn-xsrf: true" --form file=@/opt/so/saltstack/salt/kibana/saved_objects.ndjson
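Review bot: The new placeholder substitution runs `sed -i` against `/opt/so/saltstack/salt/kibana/saved_objects.ndjson`, i.e. the Salt source tree itself, so the first run destroys the placeholders and a later change of the master IP (or a re-run from another node) has nothing left to substitute. Render into a scratch copy and import that instead: `cp /opt/so/saltstack/salt/kibana/saved_objects.ndjson /tmp/saved_objects.ndjson`, run the `sed` loop on `/tmp/saved_objects.ndjson`, and point `--form file=@` at the copy. Two smaller points: the readiness probe now targets `{{ MASTER }}:5601` while the API calls still use `localhost:5601`, so a Kibana bound to one address but not the other can pass the check and then fail the import; and unless the renderer trims blocks, the leading `{%- set ... %}` leaves a blank first line ahead of `#!/bin/bash`, which `-%}` on that tag avoids.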


@@ -84,6 +84,7 @@ so-kibana-config-load:
- shell: /bin/bash - shell: /bin/bash
- runas: socore - runas: socore
- source: salt://kibana/bin/so-kibana-config-load - source: salt://kibana/bin/so-kibana-config-load
- template: jinja
# Keep the setting correct # Keep the setting correct
#KibanaHappy: #KibanaHappy:



@@ -184,6 +184,10 @@
"type":"object", "type":"object",
"dynamic": true "dynamic": true
}, },
"irc":{
"type":"object",
"dynamic": true
},
"kerberos":{ "kerberos":{
"type":"object", "type":"object",
"dynamic": true "dynamic": true
@@ -208,10 +212,18 @@
"type":"object", "type":"object",
"dynamic": true "dynamic": true
}, },
"mysql":{
"type":"object",
"dynamic": true
},
"network":{ "network":{
"type":"object", "type":"object",
"dynamic": true "dynamic": true
}, },
"notice":{
"type":"object",
"dynamic": true
},
"ntlm":{ "ntlm":{
"type":"object", "type":"object",
"dynamic": true "dynamic": true
@@ -316,6 +328,10 @@
"type":"object", "type":"object",
"dynamic": true "dynamic": true
}, },
"syslog":{
"type":"object",
"dynamic": true
},
"tags":{ "tags":{
"type":"text", "type":"text",
"fields":{ "fields":{


@@ -15,9 +15,9 @@ def run():
MAINIP = data['data']['mainip'] MAINIP = data['data']['mainip']
STATICFILE = '/opt/so/saltstack/pillar/static.sls' STATICFILE = '/opt/so/saltstack/pillar/static.sls'
AUTHFILE = '/opt/so/saltstack/pillar/auth.sls' SECRETSFILE = '/opt/so/saltstack/pillar/secrets.sls'
if MINIONID.split('_')[-1] in ['master','eval','fleet']: if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch']:
if ACTION == 'enablefleet': if ACTION == 'enablefleet':
logging.info('so/fleet enablefleet reactor') logging.info('so/fleet enablefleet reactor')
@@ -29,8 +29,8 @@ def run():
line = re.sub(r'fleet_master: \S*', f"fleet_master: True", line.rstrip()) line = re.sub(r'fleet_master: \S*', f"fleet_master: True", line.rstrip())
print(line) print(line)
# Update the enroll secret in the auth pillar # Update the enroll secret in the secrets pillar
for line in fileinput.input(AUTHFILE, inplace=True): for line in fileinput.input(SECRETSFILE, inplace=True):
line = re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip()) line = re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip())
print(line) print(line)
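Review bot: `f"fleet_enroll-secret: {ESECRET}"` is passed as the replacement argument of `re.sub`, where backslashes and `\g<...>` sequences are interpreted, so a secret containing a backslash (or one crafted by whoever can fire the `so/fleet` event) is rewritten or raises `re.error` part-way through the in-place edit of secrets.sls. Pass a callable so the value is inserted verbatim: `line = re.sub(r'fleet_enroll-secret: \S*', lambda _m: f"fleet_enroll-secret: {ESECRET}", line.rstrip())`. Note also that when secrets.sls has no `fleet_enroll-secret:` line nothing is written and nothing is logged; counting substitutions and logging when it stays zero would make that failure visible. ESECRET and the rest of run() are defined outside the hunk.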


@@ -4,6 +4,10 @@
[es] [es]
es_url = http://{{ip}}:9200 es_url = http://{{ip}}:9200
es_user = YOURESUSER
es_pass = YOURESPASS
es_index_pattern = so-*
es_verifycert = no
[cortex] [cortex]
auto_analyze_alerts = no auto_analyze_alerts = no
@@ -20,6 +24,7 @@ fir_confidentiality = 1
fir_detection = 2 fir_detection = 2
fir_plan = 8 fir_plan = 8
fir_severity = 4 fir_severity = 4
fir_verifycert = no
[grr] [grr]
grr_url = YOURGRRURL grr_url = YOURGRRURL
@@ -30,12 +35,12 @@ grr_pass = YOURGRRPASS
hive_url = https://{{ip}}/thehive/ hive_url = https://{{ip}}/thehive/
hive_key = {{ HIVEKEY }} hive_key = {{ HIVEKEY }}
hive_tlp = 3 hive_tlp = 3
hive_verifycert = False hive_verifycert = no
[misp] [misp]
misp_url = YOURMISPURL misp_url = YOURMISPURL
misp_key = YOURMISPKEY misp_key = YOURMISPKEY
misp_verifycert = False misp_verifycert = no
distrib = 0 distrib = 0
threat = 4 threat = 4
analysis = 0 analysis = 0
@@ -47,6 +52,7 @@ rtir_user = YOURRTIRUSER
rtir_pass = YOURRTIRPASS rtir_pass = YOURRTIRPASS
rtir_queue = Incidents rtir_queue = Incidents
rtir_creator = root rtir_creator = root
rtir_verifycert = no
[slack] [slack]
slack_url = YOURSLACKWORKSPACE slack_url = YOURSLACKWORKSPACE
@@ -55,6 +61,7 @@ slack_webhook = YOURSLACKWEBHOOK
[playbook] [playbook]
playbook_url = https://{{ip}}/playbook playbook_url = https://{{ip}}/playbook
playbook_key = a4a34538782804adfcb8dfae96262514ad70c37c playbook_key = a4a34538782804adfcb8dfae96262514ad70c37c
playbook_verifycert = no
[log] [log]
logfile = /var/log/SOCtopus/soctopus.log logfile = /var/log/SOCtopus/soctopus.log
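Review bot: Every newly added `*_verifycert` entry (`es_verifycert`, `fir_verifycert`, `rtir_verifycert`, `playbook_verifycert`) and the normalized hive/misp ones default to `no`, so TLS certificate validation is off for every integration out of the box, including the remote services (FIR, RTIR, MISP) that are not fronted by the appliance's own self-signed certificate. Default the remote integrations to `yes` and disable verification only for the local `https://{{ip}}/...` endpoints, or at minimum put `# verifycert = no disables TLS certificate validation; use yes (or a CA bundle) for any non-local service` next to each so an operator knows what they are accepting. The `playbook_key` literal in the context lines is pre-existing and not part of this change.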


@@ -10,12 +10,22 @@ soctopusdir:
soctopussync: soctopussync:
file.recurse: file.recurse:
- name: /opt/so/conf/soctopus - name: /opt/so/conf/soctopus/templates
- source: salt://soctopus/files - source: salt://soctopus/files/templates
- user: 939 - user: 939
- group: 939 - group: 939
- template: jinja - template: jinja
soctopusconf:
file.managed:
- name: /opt/so/conf/soctopus/SOCtopus.conf
- source: salt://soctopus/files/SOCtopus.conf
- user: 939
- group: 939
- replace: False
- mode: 600
- template: jinja
soctopuslogdir: soctopuslogdir:
file.directory: file.directory:
- name: /opt/so/log/soctopus - name: /opt/so/log/soctopus
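Review bot: `replace: False` on `soctopusconf` means the file is rendered once; a later change to the pillar values feeding the template (`{{ HIVEKEY }}`, `{{ip}}`) never reaches an existing `/opt/so/conf/soctopus/SOCtopus.conf`, while `mode: 600` and ownership are still enforced on each run. That is a reasonable way to preserve operator edits, but it deserves a comment in the state so the next Hive key rotation is not a surprise: `# replace: False keeps operator edits; pillar changes are NOT re-rendered into an existing file - delete it to regenerate`. Also confirm that `soctopusdir` (outside the hunk) creates `/opt/so/conf/soctopus` itself, since the recurse now only writes into `templates/`.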


@@ -142,7 +142,7 @@ fbcrtlink:
backup: True backup: True
{% endif %} {% endif %}
{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-master' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' %} {% if grains['role'] == 'so-sensor' or grains['role'] == 'so-master' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' or grains['role'] == 'so-fleet' %}
fbcertdir: fbcertdir:
file.directory: file.directory:


@@ -89,6 +89,7 @@ strelka_backend:
- /opt/so/conf/strelka/backend/yara:/etc/yara/:ro - /opt/so/conf/strelka/backend/yara:/etc/yara/:ro
- name: so-strelka-backend - name: so-strelka-backend
- command: strelka-backend - command: strelka-backend
- restart_policy: on-failure
strelka_manager: strelka_manager:
docker_container.running: docker_container.running:
@@ -109,6 +110,6 @@ strelka_filestream:
strelka_zeek_extracted_sync: strelka_zeek_extracted_sync:
cron.present: cron.present:
- user: socore - user: root
- name: mv /nsm/zeek/extracted/complete/* /nsm/strelka - name: mv /nsm/zeek/extracted/complete/* /nsm/strelka
- minute: '*' - minute: '*'
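Review bot: Switching the `strelka_zeek_extracted_sync` cron from `socore` to `root` runs a glob `mv` over a directory populated by Zeek file extraction as root every minute, and the glob also makes `mv` fail with "cannot stat" whenever the directory is empty, which on a quiet sensor is most minutes. If the change only exists to get write access to `/nsm/strelka`, fixing ownership or group write on that directory and keeping `socore` is the least-privilege route; either way, replace the glob with something that tolerates empty directories and odd names, e.g. `- name: find /nsm/zeek/extracted/complete -mindepth 1 -maxdepth 1 -exec mv -t /nsm/strelka/ {} +`. Why `root` is required is not stated in the state, so a one-line comment is warranted in either case.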


@@ -6,7 +6,7 @@
{%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%} {%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%}
{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
{%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%} {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
{%- set STRELKA = salt['pillar.get']('master:strelka', '1') -%} {%- set STRELKA = salt['pillar.get']('master:strelka', '0') -%}
base: base:


@@ -234,7 +234,7 @@ check_network_manager_conf() {
{ {
mv "$gmdconf" "${gmdconf}.bak" mv "$gmdconf" "${gmdconf}.bak"
touch "$gmdconf" touch "$gmdconf"
systemctl restart network-manager systemctl restart NetworkManager
} >> $SETUPLOG 2>&1 } >> $SETUPLOG 2>&1
fi fi
@@ -395,7 +395,7 @@ create_sensor_bond() {
ethernet.mtu $MTU \ ethernet.mtu $MTU \
connection.autoconnect "yes" >> $SETUPLOG 2>&1 connection.autoconnect "yes" >> $SETUPLOG 2>&1
for BNIC in "${BNICS[@]}"; do for BNIC in ${BNICS[@]}; do
BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Strip the quotes from the NIC names BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Strip the quotes from the NIC names
# Check if specific offload features are able to be disabled # Check if specific offload features are able to be disabled
@@ -458,8 +458,8 @@ detect_os() {
fi fi
# Install network manager so we can do interface stuff # Install network manager so we can do interface stuff
apt-get install -y network-manager apt-get install -y network-manager
/bin/systemctl enable network-manager /bin/systemctl enable NetworkManager
/bin/systemctl start network-manager /bin/systemctl start NetworkManager
else else
echo "We were unable to determine if you are using a supported OS." >> $SETUPLOG 2>&1 echo "We were unable to determine if you are using a supported OS." >> $SETUPLOG 2>&1
exit exit
@@ -486,7 +486,7 @@ disable_onion_user() {
} }
disable_misc_network_features() { disable_misc_network_features() {
for UNUSED_NIC in "${FNICS[@]}"; do for UNUSED_NIC in ${FNICS[@]}; do
# Disable DHCPv4/v6 and autoconnect # Disable DHCPv4/v6 and autoconnect
nmcli con mod "$UNUSED_NIC" \ nmcli con mod "$UNUSED_NIC" \
ipv4.method disabled \ ipv4.method disabled \
@@ -745,7 +745,7 @@ get_main_ip() {
get_redirect() { get_redirect() {
whiptail_set_redirect_info whiptail_set_redirect_info
whiptail_set_redirect whiptail_set_redirect
if [ $REDIRECTINFO == 'OTHER' ]; then if [ "$REDIRECTINFO" == "OTHER" ]; then
whiptail_set_redirect_host whiptail_set_redirect_host
fi fi
} }
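Review bot: Dropping the quotes in `for BNIC in ${BNICS[@]}` and `for UNUSED_NIC in ${FNICS[@]}` makes every element subject to word splitting and pathname expansion, so an interface name containing a glob character can expand against the current directory. If this was done because the arrays actually hold one space-joined string of interface names, the cleaner fix is to build the arrays properly where they are populated (e.g. `read -ra BNICS <<< "$NIC_STRING"`) and keep `"${BNICS[@]}"` here. The body of `disable_misc_network_features` still quotes `"$UNUSED_NIC"`, which suggests per-element quoting was the intent; both loops continue outside the hunk.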


@@ -29,6 +29,9 @@ else
INSTALLMETHOD="network" INSTALLMETHOD="network"
fi fi
# Allow execution of SO tools during setup
export PATH=$PATH:../salt/common/tools/sbin
# Global Variables # Global Variables
HOSTNAME=$(cat /etc/hostname) HOSTNAME=$(cat /etc/hostname)
TOTAL_MEM=`grep MemTotal /proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//'` TOTAL_MEM=`grep MemTotal /proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//'`
@@ -141,7 +144,7 @@ if (whiptail_you_sure) ; then
if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
MASTERUPDATES=OPEN MASTERUPDATES=OPEN
filter_unused_nics filter_unused_nics
whiptail_bond_nics [[ $SKIP_BOND != 'yes' ]] && whiptail_bond_nics
whiptail_helix_apikey whiptail_helix_apikey
whiptail_homenet_master whiptail_homenet_master
RULESETUP=ETOPEN RULESETUP=ETOPEN
@@ -244,6 +247,32 @@ if (whiptail_you_sure) ; then
fi fi
function collect_webuser_inputs() {
# Get a password for the web admin user
VALIDUSER=no
while [ $VALIDUSER != yes ]; do
whiptail_create_web_user
so-user valemail "$WEBUSER"
if [ $? == 0 ]; then
VALIDUSER=yes
else
whiptail_invalid_user_warning
fi
done
WPMATCH=no
while [ $WPMATCH != yes ]; do
whiptail_create_web_user_password1
echo "$WEBPASSWD1" | so-user valpass
if [ $? == 0 ]; then
whiptail_create_web_user_password2
check_web_pass
else
whiptail_invalid_pass_warning
fi
done
}
#################### ####################
## Master ## ## Master ##
#################### ####################
@@ -292,14 +321,7 @@ if (whiptail_you_sure) ; then
check_soremote_pass check_soremote_pass
done done
# Get a password for the web admin user collect_webuser_inputs
whiptail_create_web_user
WPMATCH=no
while [ $WPMATCH != yes ]; do
whiptail_create_web_user_password1
whiptail_create_web_user_password2
check_web_pass
done
get_redirect get_redirect
# Last Chance to back out # Last Chance to back out
whiptail_make_changes whiptail_make_changes
@@ -446,7 +468,7 @@ if (whiptail_you_sure) ; then
if [ $INSTALLTYPE == 'SENSOR' ]; then if [ $INSTALLTYPE == 'SENSOR' ]; then
filter_unused_nics filter_unused_nics
whiptail_bond_nics [[ $SKIP_BOND != 'yes' ]] && whiptail_bond_nics
whiptail_management_server whiptail_management_server
whiptail_master_updates whiptail_master_updates
set_updates set_updates
@@ -506,6 +528,8 @@ if (whiptail_you_sure) ; then
salt-call state.apply pcap >> $SETUPLOG 2>&1 salt-call state.apply pcap >> $SETUPLOG 2>&1
echo -e "XXX\n60\nInstalling IDS components... \nXXX" echo -e "XXX\n60\nInstalling IDS components... \nXXX"
salt-call state.apply suricata >> $SETUPLOG 2>&1 salt-call state.apply suricata >> $SETUPLOG 2>&1
echo -e "XXX\n70\nInstalling Strelka... \nXXX"
salt-call state.apply strelka >> $SETUPLOG 2>&1
checkin_at_boot >> $SETUPLOG 2>&1 checkin_at_boot >> $SETUPLOG 2>&1
echo -e "XX\n97\nFinishing touches... \nXXX" echo -e "XX\n97\nFinishing touches... \nXXX"
filter_unused_nics >> $SETUPLOG 2>&1 filter_unused_nics >> $SETUPLOG 2>&1
@@ -535,7 +559,7 @@ if (whiptail_you_sure) ; then
if [ $INSTALLTYPE == 'EVAL' ]; then if [ $INSTALLTYPE == 'EVAL' ]; then
TYPE='eval' TYPE='eval'
# Select which NICs are in the bond # Select which NICs are in the bond
whiptail_bond_nics [[ $SKIP_BOND != 'yes' ]] && whiptail_bond_nics
elif [ $INSTALLTYPE == 'MASTERSEARCH' ]; then elif [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
TYPE='mastersearch' TYPE='mastersearch'
fi fi
@@ -573,14 +597,7 @@ if (whiptail_you_sure) ; then
check_soremote_pass check_soremote_pass
done done
fi fi
# Get a password for the web admin user collect_webuser_inputs
whiptail_create_web_user
WPMATCH=no
while [ $WPMATCH != yes ]; do
whiptail_create_web_user_password1
whiptail_create_web_user_password2
check_web_pass
done
get_redirect get_redirect
whiptail_make_changes whiptail_make_changes
set_hostname set_hostname
@@ -832,7 +849,7 @@ if (whiptail_you_sure) ; then
if [ $INSTALLTYPE == 'HEAVYNODE' ]; then if [ $INSTALLTYPE == 'HEAVYNODE' ]; then
filter_unused_nics filter_unused_nics
whiptail_bond_nics [[ $SKIP_BOND != 'yes' ]] && whiptail_bond_nics
whiptail_management_server whiptail_management_server
whiptail_master_updates whiptail_master_updates
set_updates set_updates
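Review bot: `export PATH=$PATH:../salt/common/tools/sbin` appends a relative directory to PATH, so the `so-user valemail`/`valpass` calls in `collect_webuser_inputs` resolve differently depending on where setup was launched from and, because setup runs as root, a `../salt/common/tools/sbin/so-user` relative to any other working directory would be executed instead. Anchor it to the script's own location: `export PATH="$PATH:$(cd "$(dirname "${BASH_SOURCE[0]}")/../salt/common/tools/sbin" && pwd)"`, or invoke the tool by absolute path. The `if [ $? == 0 ]` checks in `collect_webuser_inputs` can also be folded into the condition (`if so-user valemail "$WEBUSER"; then`), which avoids relying on `$?` surviving an intervening command.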


@@ -163,8 +163,13 @@ whiptail_create_web_user() {
WEBUSER=$(whiptail --title "Security Onion Install" --inputbox \ WEBUSER=$(whiptail --title "Security Onion Install" --inputbox \
"Please enter an email address to create an administrator account for the web interface." 10 60 3>&1 1>&2 2>&3) "Please enter an email address to create an administrator account for the web interface." 10 60 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
} }
whiptail_invalid_user_warning() {
whiptail --title "Security Onion Setup" --msgbox "Please enter a valid email address." 8 75
}
whiptail_create_web_user_password1() { whiptail_create_web_user_password1() {
@@ -185,6 +190,9 @@ whiptail_create_web_user_password2() {
} }
whiptail_invalid_pass_warning() {
whiptail --title "Security Onion Setup" --msgbox "Please choose a more secure password." 8 75
}
whiptail_cur_close_days() { whiptail_cur_close_days() {