From a229ae82ce999efad2168e16906e41d6b0d14abe Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 2 Sep 2020 16:15:52 -0400 Subject: [PATCH 01/24] only allow state to run if it is in top for the node --- salt/ca/init.sls | 9 ++++++++- salt/common/init.sls | 9 ++++++++- salt/curator/init.sls | 7 +++++++ salt/docker/init.sls | 9 ++++++++- salt/domainstats/init.sls | 6 ++++++ salt/elastalert/init.sls | 7 +++++++ salt/elasticsearch/init.sls | 7 +++++++ salt/filebeat/init.sls | 7 +++++++ salt/firewall/init.sls | 7 +++++++ salt/fleet/init.sls | 7 +++++++ salt/freqserver/init.sls | 6 ++++++ salt/grafana/init.sls | 7 +++++++ salt/healthcheck/init.sls | 7 +++++++ salt/idstools/init.sls | 7 +++++++ salt/influxdb/init.sls | 5 +++++ salt/kibana/init.sls | 9 ++++++++- salt/logstash/init.sls | 7 +++++++ salt/manager/init.sls | 7 +++++++ salt/minio/init.sls | 8 +++++++- salt/motd/init.sls | 7 +++++++ salt/mysql/init.sls | 7 +++++++ salt/nginx/init.sls | 7 +++++++ salt/nodered/init.sls | 5 +++++ salt/pcap/init.sls | 7 +++++++ salt/playbook/init.sls | 9 ++++++++- salt/redis/init.sls | 7 +++++++ salt/registry/init.sls | 7 +++++++ salt/salt/master.sls | 9 ++++++++- salt/soc/init.sls | 7 +++++++ salt/soctopus/init.sls | 7 +++++++ salt/ssl/init.sls | 7 +++++++ salt/strelka/init.sls | 7 +++++++ salt/suricata/init.sls | 6 ++++++ salt/telegraf/init.sls | 9 ++++++++- salt/thehive/init.sls | 7 +++++++ salt/utility/init.sls | 7 +++++++ salt/wazuh/init.sls | 7 +++++++ salt/yum/init.sls | 9 ++++++++- salt/zeek/init.sls | 8 +++++++- 39 files changed, 274 insertions(+), 10 deletions(-) diff --git a/salt/ca/init.sls b/salt/ca/init.sls index 62b89d351..850550b7d 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'ca' in top_states %} + {% set manager = salt['grains.get']('master') %} /etc/salt/minion.d/signing_policies.conf: file.managed: 
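Review bot: `{% if 'ca' in top_states %}` is a substring test on a string, not a list-membership test, because `show_top.values() | join(', ')` stringifies each environment's state list before joining; the guard therefore also passes on any node whose top contains a state name that merely contains the target, e.g. `'ca'` matches `pcap` and `'soc'` matches `soctopus`, so a sensor could still render and apply the CA signing-policy state that this change is meant to fence off. Flatten the lists instead and keep the `in` test as written, `{% set top_states = show_top.values() | sum(start=[]) %}`, so `in` becomes exact membership in a list of state names. The same three-line preamble is repeated in all 39 files of this patch (salt/common, curator, docker, …, zeek and salt/salt/master.sls) and would need the same one-line change in each; defining it once in a shared map or macro would avoid the copies drifting. The `'salt.master'` check works unchanged with a flattened list.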
@@ -51,4 +56,6 @@ cakeyperms: - replace: False - name: /etc/pki/ca.key - mode: 640 - - group: 939 \ No newline at end of file + - group: 939 + +{% endif %} \ No newline at end of file diff --git a/salt/common/init.sls b/salt/common/init.sls index c950e6036..c840eca26 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'common' in top_states %} + {% set role = grains.id.split('_') | last %} # Remove variables.txt from /tmp - This is temp @@ -190,4 +195,6 @@ sensorrotateconf: # Make sure Docker is always running docker: service.running: - - enable: True \ No newline at end of file + - enable: True + +{% endif %} \ No newline at end of file diff --git a/salt/curator/init.sls b/salt/curator/init.sls index b98eaf6cb..73b4fa0fa 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'curator' in top_states %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} @@ -131,3 +136,5 @@ so-curator: # End Curator Cron Jobs {% endif %} + +{% endif %} \ No newline at end of file diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 3021552ab..8e92a1b19 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'docker' in top_states %} + installdocker: pkg.installed: - name: docker-ce @@ -5,4 +10,6 @@ installdocker: # Make sure Docker is running! docker: service.running: - - enable: True \ No newline at end of file + - enable: TrueA + +{% endif %} \ No newline at end of file 
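Review bot: The rewritten last state line of salt/docker/init.sls reads `- enable: TrueA`, which YAML parses as the string "TrueA" rather than the boolean `service.running` expects; as far as I recall the state only enables or disables when `enable` is exactly `True`/`False`, so the docker service would silently stop being enabled at boot on every node applying this state. Only the trailing newline and the `{% endif %}` were meant to change here; restore `    - enable: True`.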
diff --git a/salt/domainstats/init.sls b/salt/domainstats/init.sls index 764435e5f..445861b26 100644 --- a/salt/domainstats/init.sls +++ b/salt/domainstats/init.sls @@ -12,6 +12,10 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'domainstats' in top_states %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -51,3 +55,5 @@ so-domainstats: - user: domainstats - binds: - /opt/so/log/domainstats:/var/log/domain_stats + +{% endif %} \ No newline at end of file diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 741f9ff2a..75da480ac 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -12,6 +12,11 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'elastalert' in top_states %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} @@ -125,3 +130,5 @@ so-elastalert: - require: - module: wait_for_elasticsearch {% endif %} + +{% endif %} \ No newline at end of file diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index cc2d91537..357895b23 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
@@ -12,6 +12,11 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'elasticsearch' in top_states %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} @@ -237,4 +242,6 @@ so-elasticsearch-templates: cmd.run: - name: /usr/sbin/so-elasticsearch-templates - cwd: /opt/so +{% endif %} + {% endif %} \ No newline at end of file diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index ee7c5ae10..31acc63b2 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -11,6 +11,11 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'filebeat' in top_states %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} @@ -69,3 +74,5 @@ so-filebeat: - 0.0.0.0:514:514/udp - watch: - file: /opt/so/conf/filebeat/etc/filebeat.yml + +{% endif %} \ No newline at end of file diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 7d4dab0bf..3a943874d 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'firewall' in top_states %} + # Firewall Magic for the grid {% from 'firewall/map.jinja' import hostgroups with context %} {% from 'firewall/map.jinja' import assigned_hostgroups with context %} @@ -128,3 +133,5 @@ iptables_drop_all_the_things: - chain: LOGGING - jump: DROP - save: True + +{% endif %} \ No newline at end of file 
diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index b2a3bb516..aded11fb3 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'fleet' in top_states %} + {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} {%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%} {%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%} @@ -133,3 +138,5 @@ so-fleet: - /opt/so/conf/fleet/etc {% endif %} + +{% endif %} \ No newline at end of file diff --git a/salt/freqserver/init.sls b/salt/freqserver/init.sls index f48b66cff..06e25c87c 100644 --- a/salt/freqserver/init.sls +++ b/salt/freqserver/init.sls @@ -12,6 +12,10 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'freqserver' in top_states %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -52,3 +56,5 @@ so-freq: - binds: - /opt/so/log/freq_server:/var/log/freq_server:rw +{% endif %} + diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index 9fdd26b12..7f760daa2 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'grafana' in top_states %} + {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} {% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} @@ -230,4 +235,6 @@ so-grafana: - watch: - file: /opt/so/conf/grafana/* +{% endif %} + {% endif %} \ No newline at end of file diff --git a/salt/healthcheck/init.sls b/salt/healthcheck/init.sls index 94f8028ba..b2a9121e2 100644 --- a/salt/healthcheck/init.sls +++ b/salt/healthcheck/init.sls 
@@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'healthcheck' in top_states %} + {% set CHECKS = salt['pillar.get']('healthcheck:checks', {}) %} {% set ENABLED = salt['pillar.get']('healthcheck:enabled', False) %} {% set SCHEDULE = salt['pillar.get']('healthcheck:schedule', 300) %} @@ -23,3 +28,5 @@ healthcheck_schedule_{{ STATUS[0] }}: healthcheck_schedule_{{ STATUS[1] }}: schedule.{{ STATUS[1] }}: - name: healthcheck + +{% endif %} \ No newline at end of file diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 93db83759..c125444e1 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -12,6 +12,11 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'idstools' in top_states %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} @@ -69,3 +74,5 @@ so-idstools: - /opt/so/rules/nids:/opt/so/rules/nids:rw - watch: - file: idstoolsetcsync + +{% endif%} \ No newline at end of file diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index d35ab6cae..d8f6fc46b 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'influxdb' in top_states %} + {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} {% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 8711d47d1..a499ea70e 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls 
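Review bot: The closing tag added to salt/idstools/init.sls is written `{% endif%}` while every other file in this patch uses `{% endif %}`; Jinja accepts both, but the odd spacing makes this closer invisible to a grep for the sibling tags. Use `{% endif %}`.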
@@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'kibana' in top_states %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} @@ -114,4 +119,6 @@ so-kibana-config-load: # - shell: /bin/bash # - runas: socore # - source: salt://kibana/bin/keepkibanahappy.sh -# - template: jinja \ No newline at end of file +# - template: jinja + +{% endif %} \ No newline at end of file diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 33fc496dc..24257aa93 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -12,6 +12,11 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'logstash' in top_states %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} @@ -195,3 +200,5 @@ so-logstash: {% for TEMPLATE in TEMPLATES %} - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} {% endfor %} + +{% endif %} \ No newline at end of file diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 3b4852542..f48ebb496 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -12,6 +12,11 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'manager' in top_states %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} 
@@ -76,3 +81,5 @@ so-aptcacherng: - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro {% endif %} + +{% endif %} \ No newline at end of file diff --git a/salt/minio/init.sls b/salt/minio/init.sls index ece8673bd..6fc383f4e 100644 --- a/salt/minio/init.sls +++ b/salt/minio/init.sls @@ -12,6 +12,10 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'minio' in top_states %} {% set access_key = salt['pillar.get']('minio:access_key', '') %} {% set access_secret = salt['pillar.get']('minio:access_secret', '') %} @@ -56,4 +60,6 @@ so-minio: - /opt/so/conf/minio/etc:/.minio:rw - /etc/pki/minio.key:/.minio/certs/private.key:ro - /etc/pki/minio.crt:/.minio/certs/public.crt:ro - - entrypoint: "/usr/bin/docker-entrypoint.sh server --certs-dir /.minio/certs --address :9595 /data" \ No newline at end of file + - entrypoint: "/usr/bin/docker-entrypoint.sh server --certs-dir /.minio/certs --address :9595 /data" + +{% endif %} \ No newline at end of file diff --git a/salt/motd/init.sls b/salt/motd/init.sls index 06ad270a1..a689d1707 100644 --- a/salt/motd/init.sls +++ b/salt/motd/init.sls @@ -1,5 +1,12 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'motd' in top_states %} + so_motd: file.managed: - name: /etc/motd - source: salt://motd/files/so_motd.jinja - template: jinja + +{% endif %} \ No newline at end of file diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index c9c6fde41..ff694227b 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls 
@@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'mysql' in top_states %} + {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %} {%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} @@ -93,3 +98,5 @@ so-mysql: - onchanges: - docker_container: so-mysql {% endif %} + +{% endif %} \ No newline at end of file diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 2e67a6b2c..2768f0ff9 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'nginx' in top_states %} + {% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} {% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} {% set MANAGER = salt['grains.get']('master') %} @@ -85,3 +90,5 @@ so-nginx: - watch: - file: nginxconf - file: nginxconfdir + +{% endif %} \ No newline at end of file diff --git a/salt/nodered/init.sls b/salt/nodered/init.sls index 34aacbd81..6d2e75aa6 100644 --- a/salt/nodered/init.sls +++ b/salt/nodered/init.sls @@ -12,6 +12,10 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'nodered' in top_states %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -75,3 +79,4 @@ so-nodered-flows: - name: /usr/sbin/so-nodered-load-flows - cwd: / +{% endif %} \ No newline at end of file diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 135b49334..cf0a978aa 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls 
@@ -12,6 +12,11 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'pcap' in top_states %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} @@ -160,3 +165,5 @@ so-sensoroni: - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw - watch: - file: /opt/so/conf/sensoroni/sensoroni.json + +{% endif %} \ No newline at end of file diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index d390a36fb..8f3076faa 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'playbook' in top_states %} + {% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -96,4 +101,6 @@ so-playbookruleupdatecron: - name: /usr/sbin/so-playbook-ruleupdate > /opt/so/log/playbook/update.log 2>&1 - user: root - minute: '1' - - hour: '6' \ No newline at end of file + - hour: '6' + +{% endif %} \ No newline at end of file diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 3f24ba079..b0f663671 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -12,6 +12,11 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'redis' in top_states %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} 
@@ -64,3 +69,5 @@ so-redis: - entrypoint: "redis-server /usr/local/etc/redis/redis.conf" - watch: - file: /opt/so/conf/redis/etc + +{% endif %} \ No newline at end of file diff --git a/salt/registry/init.sls b/salt/registry/init.sls index 6e17d639e..d366404fc 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'registry' in top_states %} + # Create the config directory for the docker registry dockerregistryconfdir: file.directory: @@ -51,3 +56,5 @@ so-dockerregistry: - /nsm/docker-registry/docker:/var/lib/registry/docker:rw - /etc/pki/registry.crt:/etc/pki/registry.crt:ro - /etc/pki/registry.key:/etc/pki/registry.key:ro + +{% endif %} \ No newline at end of file diff --git a/salt/salt/master.sls b/salt/salt/master.sls index 481be743a..1ff35bfd1 100644 --- a/salt/salt/master.sls +++ b/salt/salt/master.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'salt.master' in top_states %} + salt_master_package: pkg.installed: - pkgs: @@ -8,4 +13,6 @@ salt_master_package: salt_master_service: service.running: - name: salt-master - - enable: True \ No newline at end of file + - enable: True + +{% endif %} \ No newline at end of file diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 1c25f42a1..a9d428b8a 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'soc' in top_states %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} @@ -98,3 +103,5 @@ so-kratos: - 0.0.0.0:4434:4434 - watch: - file: /opt/so/conf/kratos + +{% endif %} \ No newline at end of file 
diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 39768fc42..90a654e95 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'soctopus' in top_states %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} @@ -63,3 +68,5 @@ so-soctopus: - 0.0.0.0:7000:7000 - extra_hosts: - {{MANAGER_URL}}:{{MANAGER_IP}} + +{% endif %} \ No newline at end of file diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 70d4c4b6a..b0895dd72 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'ssl' in top_states %} + {% set manager = salt['grains.get']('master') %} {% set managerip = salt['pillar.get']('global:managerip', '') %} {% set HOSTNAME = salt['grains.get']('host') %} @@ -570,3 +575,5 @@ elastickeyperms: - group: 930 {%- endif %} + +{% endif %} \ No newline at end of file diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 1e87aa602..d670ab440 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -12,6 +12,11 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'strelka' in top_states %} + {%- set MANAGER = salt['grains.get']('master') %} {%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} 
@@ -139,3 +144,5 @@ strelka_zeek_extracted_sync: - user: root - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1' - minute: '*' + +{% endif %} \ No newline at end of file diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 79e06db66..30757d617 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -12,6 +12,10 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'suricata' in top_states %} {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} {% set ZEEKVER = salt['pillar.get']('global:zeekversion', '') %} @@ -173,3 +177,5 @@ surilogrotate: - daymonth: '*' - month: '*' - dayweek: '*' + +{% endif %} \ No newline at end of file diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index c252cdb5b..e8665cd87 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'telegraf' in top_states %} + {% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -66,4 +71,6 @@ so-telegraf: - /opt/so/log/suricata:/var/log/suricata:ro - watch: - file: tgrafconf - - file: tgrafsyncscripts \ No newline at end of file + - file: tgrafsyncscripts + +{% endif %} \ No newline at end of file diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls index ffbb50f0c..ae3407a69 100644 --- a/salt/thehive/init.sls +++ b/salt/thehive/init.sls 
@@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'thehive' in top_states %} + {% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -137,3 +142,5 @@ thehivescript: - cwd: /opt/so - template: jinja - hide_output: True + +{% endif %} \ No newline at end of file diff --git a/salt/utility/init.sls b/salt/utility/init.sls index 4779f9c1d..4f0ffaa77 100644 --- a/salt/utility/init.sls +++ b/salt/utility/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'utility' in top_states %} + # This state is for checking things {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] %} # Make sure Cross Cluster is good. Will need some logic once we have hot/warm @@ -19,3 +24,5 @@ fixsearch: - source: salt://utility/bin/eval - template: jinja {% endif %} + +{% endif %} diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 94b16b199..6b22db8c6 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'wazuh' in top_states %} + {%- set HOSTNAME = salt['grains.get']('host', '') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -141,3 +146,5 @@ hidsruledir: /opt/so/rules/hids/ruleset: file.symlink: - target: /nsm/wazuh/ruleset + +{% endif %} \ No newline at end of file diff --git a/salt/yum/init.sls b/salt/yum/init.sls index c91de908e..70cc003ed 100644 --- a/salt/yum/init.sls +++ b/salt/yum/init.sls 
@@ -1,6 +1,13 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'yum' in top_states %} + yumconf: file.managed: - name: /etc/yum.conf - source: salt://yum/etc/yum.conf.jinja - mode: 644 - - template: jinja \ No newline at end of file + - template: jinja + +{% endif %} \ No newline at end of file diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index f6e1e999e..d27290f98 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -1,3 +1,8 @@ +{% set show_top = salt['state.show_top']() %} +{% set top_states = show_top.values() | join(', ') %} + +{% if 'zeek' in top_states %} + {% from "zeek/map.jinja" import START with context %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} @@ -190,4 +195,5 @@ so-zeek: - file: /opt/so/conf/zeek/zeekctl.cfg - file: /opt/so/conf/zeek/policy - file: /opt/so/conf/zeek/bpf - \ No newline at end of file + +{% endif %} \ No newline at end of file From 770cd6eafcac1da121be92f7b366e5db31a6f8df Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 2 Sep 2020 16:19:58 -0400 Subject: [PATCH 02/24] add endif --- salt/influxdb/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index d8f6fc46b..ab17e8e62 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -45,4 +45,6 @@ so-influxdb: - watch: - file: influxdbconf +{% endif %} + {% endif %} \ No newline at end of file From 9ee9a199b149ffec4a9c909be8ece46770903b7c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 12:50:22 -0400 Subject: [PATCH 03/24] predefine each component as 0 to fix issues with it being unset --- setup/so-whiptail | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/setup/so-whiptail b/setup/so-whiptail index d760373af..52f60501a 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -412,6 +412,13 @@ whiptail_enable_components() { [ -n "$TESTING" ] && return + GRAFANA=0 + OSQUERY=0 + WAZUH=0 + THEHIVE=0 + PLAYBOOK=0 + STRELKA=0 + COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \ "Select Components to install" 20 75 8 \ GRAFANA "Enable Grafana for system monitoring" ON \ From 3433b90029c5e5498c85d06d1402a9e6fc628972 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 13:53:10 -0400 Subject: [PATCH 04/24] fix so-status for strelka and wazuh --- salt/common/maps/so-status.map.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/maps/so-status.map.jinja b/salt/common/maps/so-status.map.jinja index 21dd14ec9..448423d83 100644 --- a/salt/common/maps/so-status.map.jinja +++ b/salt/common/maps/so-status.map.jinja @@ -21,7 +21,7 @@ {% if role in ['eval', 'managersearch', 'manager', 'standalone'] %} {{ append_containers('manager', 'grafana', 0) }} {{ append_containers('global', 'fleet_manager', 0) }} - {{ append_containers('manager', 'wazuh', 0) }} + {{ append_containers('global', 'wazuh', 0) }} {{ append_containers('manager', 'thehive', 0) }} {{ append_containers('manager', 'playbook', 0) }} {{ append_containers('manager', 'freq', 0) }} @@ -29,7 +29,7 @@ {% endif %} {% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %} - {{ append_containers('global', 'strelka', 0) }} + {{ append_containers('global', 'strelka:enabled', 0) }} {% endif %} {% if role in ['heavynode', 'standalone'] %} From 918d9cf00f0a6e9a7300be7be87218c2ccd6596b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 13:57:53 -0400 Subject: [PATCH 05/24] handle strelka --- salt/common/maps/so-status.map.jinja | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/common/maps/so-status.map.jinja b/salt/common/maps/so-status.map.jinja index 448423d83..560ea2546 100644 --- a/salt/common/maps/so-status.map.jinja +++ b/salt/common/maps/so-status.map.jinja 
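Review bot: The new `GRAFANA=0 … STRELKA=0` defaults sit after `[ -n "$TESTING" ] && return`, so when TESTING is set the function returns before initialising them and the component variables stay unset, which appears to be the very condition this commit is fixing. Unless the TESTING path defines these variables elsewhere, move the six assignments above the early return, or initialise them once at the top of the script with the other globals. whiptail_enable_components() starts before the hunk and its body continues after it, so the code that later sets these to 1 is not visible here.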
@@ -5,6 +5,9 @@ # to the list predefined by the role / minion id affix {% macro append_containers(pillar_name, k, compare )%} {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %} + {% if ':enabled' in k %} + {% set k = k.split(':') | first %} + {% endif %} {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %} {% for li in d['containers'] %} {{ docker['containers'].append(li) }} From 05d736d2dfafe831c107f32b4909393316b3408e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 14:00:58 -0400 Subject: [PATCH 06/24] handle strelka --- salt/common/maps/so-status.map.jinja | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/salt/common/maps/so-status.map.jinja b/salt/common/maps/so-status.map.jinja index 560ea2546..2aea71c76 100644 --- a/salt/common/maps/so-status.map.jinja +++ b/salt/common/maps/so-status.map.jinja @@ -5,9 +5,6 @@ # to the list predefined by the role / minion id affix {% macro append_containers(pillar_name, k, compare )%} {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %} - {% if ':enabled' in k %} - {% set k = k.split(':') | first %} - {% endif %} {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %} {% for li in d['containers'] %} {{ docker['containers'].append(li) }} @@ -32,7 +29,7 @@ {% endif %} {% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %} - {{ append_containers('global', 'strelka:enabled', 0) }} + {{ append_containers('strelka', 'enabled', 0) }} {% endif %} {% if role in ['heavynode', 'standalone'] %} From 921262b9a5542aed81acd0475fca4c50b303e3d3 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 14:07:38 -0400 Subject: [PATCH 07/24] prevent duplicate containers for so-stauts --- salt/common/tools/sbin/so-status | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status index 7a7d6c783..85709501a 100755 --- a/salt/common/tools/sbin/so-status 
+++ b/salt/common/tools/sbin/so-status @@ -15,7 +15,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {%- from 'common/maps/so-status.map.jinja' import docker with context %} -{%- set container_list = docker['containers'] | sort %} +{%- set container_list = docker['containers'] | sort | unique %} if ! [ "$(id -u)" = 0 ]; then echo "This command must be run as root" From b0c526364fd6c86734ab70052343ddb55684341f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 14:55:54 -0400 Subject: [PATCH 08/24] handle strelka --- salt/common/maps/so-status.map.jinja | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/common/maps/so-status.map.jinja b/salt/common/maps/so-status.map.jinja index 2aea71c76..fb23e6708 100644 --- a/salt/common/maps/so-status.map.jinja +++ b/salt/common/maps/so-status.map.jinja @@ -5,6 +5,9 @@ # to the list predefined by the role / minion id affix {% macro append_containers(pillar_name, k, compare )%} {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %} + {% if k == 'enabled' %} + {% set k = pillar_name %} + {% endif %} {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %} {% for li in d['containers'] %} {{ docker['containers'].append(li) }} From 39f200f5658b6bd5bb60c377a8071b8faee64b79 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 14:59:21 -0400 Subject: [PATCH 09/24] fix whitespace --- salt/common/tools/sbin/so-status | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status index 85709501a..8658f4757 100755 --- a/salt/common/tools/sbin/so-status +++ b/salt/common/tools/sbin/so-status @@ -71,9 +71,9 @@ compare_lists() { # {% endraw %} create_expected_container_list() { - {% for item in container_list%} + {% for item in container_list -%} expected_container_list+=("{{ item }}") - {% endfor %} + {% endfor -%} } populate_container_lists() { 
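Review bot: The `unique` filter added to `container_list` is a Jinja 2.10+ feature, and nothing in the hunk pins the minion's Jinja version; on an older Jinja the template fails to render and so-status breaks entirely rather than showing a duplicate. If the supported platforms are known to ship 2.10 or newer this is fine, otherwise the dedup should happen in the map file instead. The `container_list` consumer continues outside the hunk.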
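Review bot: The `k == 'enabled'` branch overloads the macro's second argument as a sentinel, and nothing in the macro says so; a reader of `append_containers('strelka', 'enabled', 0)` has to know that the pillar top-level key then doubles as the map-file name. Add a comment above the new `{% if %}`: `{# 'enabled' is a sentinel: the pillar top-level name (e.g. strelka) also names the map file to import #}`. The rest of append_containers is outside the hunk.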
From 09cc8ae1fbd43ef162b96f0b363fdd07eb7cd2ee Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 16:48:50 -0400 Subject: [PATCH 10/24] fail the state if it isnt in top --- salt/ca/init.sls | 6 ++++++ salt/common/init.sls | 6 ++++++ salt/curator/init.sls | 6 ++++++ salt/docker/init.sls | 8 +++++++- salt/domainstats/init.sls | 6 ++++++ salt/elastalert/init.sls | 6 ++++++ salt/elasticsearch/init.sls | 6 ++++++ salt/filebeat/init.sls | 6 ++++++ salt/firewall/init.sls | 6 ++++++ salt/fleet/init.sls | 6 ++++++ salt/freqserver/init.sls | 6 ++++++ salt/grafana/init.sls | 6 ++++++ salt/healthcheck/init.sls | 6 ++++++ salt/idstools/init.sls | 6 ++++++ salt/influxdb/init.sls | 6 ++++++ salt/kibana/init.sls | 6 ++++++ salt/logstash/init.sls | 6 ++++++ salt/manager/init.sls | 6 ++++++ salt/minio/init.sls | 6 ++++++ salt/motd/init.sls | 6 ++++++ salt/mysql/init.sls | 6 ++++++ salt/nginx/init.sls | 6 ++++++ salt/nodered/init.sls | 6 ++++++ salt/pcap/init.sls | 6 ++++++ salt/playbook/init.sls | 6 ++++++ salt/redis/init.sls | 6 ++++++ salt/registry/init.sls | 6 ++++++ salt/salt/master.sls | 6 ++++++ salt/soc/init.sls | 6 ++++++ salt/soctopus/init.sls | 6 ++++++ salt/ssl/init.sls | 6 ++++++ salt/strelka/init.sls | 6 ++++++ salt/suricata/init.sls | 6 ++++++ salt/tcpreplay/init.sls | 6 ++++++ salt/telegraf/init.sls | 6 ++++++ salt/thehive/init.sls | 6 ++++++ salt/utility/init.sls | 6 ++++++ salt/wazuh/init.sls | 6 ++++++ salt/yum/init.sls | 6 ++++++ salt/zeek/init.sls | 6 ++++++ 40 files changed, 241 insertions(+), 1 deletion(-) diff --git a/salt/ca/init.sls b/salt/ca/init.sls index 850550b7d..84c74ef3d 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls @@ -58,4 +58,10 @@ cakeyperms: - mode: 640 - group: 939 +{% else %} + +ca_state_not_allowed: + test.fail_without_changes: + - name: ca_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/common/init.sls b/salt/common/init.sls index c840eca26..896e0f025 100644 --- a/salt/common/init.sls 
+++ b/salt/common/init.sls @@ -197,4 +197,10 @@ docker: service.running: - enable: True +{% else %} + +common_state_not_allowed: + test.fail_without_changes: + - name: common_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 73b4fa0fa..31f738349 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -137,4 +137,10 @@ so-curator: # End Curator Cron Jobs {% endif %} +{% else %} + +curator_state_not_allowed: + test.fail_without_changes: + - name: curator_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 8e92a1b19..273dbae91 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -10,6 +10,12 @@ installdocker: # Make sure Docker is running! docker: service.running: - - enable: TrueA + - enable: True + +{% else %} + +docker_state_not_allowed: + test.fail_without_changes: + - name: docker_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/domainstats/init.sls b/salt/domainstats/init.sls index 445861b26..daac87387 100644 --- a/salt/domainstats/init.sls +++ b/salt/domainstats/init.sls @@ -56,4 +56,10 @@ so-domainstats: - binds: - /opt/so/log/domainstats:/var/log/domain_stats +{% else %} + +domainstats_state_not_allowed: + test.fail_without_changes: + - name: domainstats_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 75da480ac..a97a3f512 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -131,4 +131,10 @@ so-elastalert: - module: wait_for_elasticsearch {% endif %} +{% else %} + +elastalert_state_not_allowed: + test.fail_without_changes: + - name: elastalert_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 357895b23..c87afc65c 100644 --- a/salt/elasticsearch/init.sls 
+++ b/salt/elasticsearch/init.sls @@ -244,4 +244,10 @@ so-elasticsearch-templates: - cwd: /opt/so {% endif %} +{% else %} + +elasticsearch_state_not_allowed: + test.fail_without_changes: + - name: elasticsearch_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 31acc63b2..8937d8e13 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -75,4 +75,10 @@ so-filebeat: - watch: - file: /opt/so/conf/filebeat/etc/filebeat.yml +{% else %} + +filebeat_state_not_allowed: + test.fail_without_changes: + - name: filebeat_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 3a943874d..07871fa74 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -134,4 +134,10 @@ iptables_drop_all_the_things: - jump: DROP - save: True +{% else %} + +firewall_state_not_allowed: + test.fail_without_changes: + - name: firewall_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index aded11fb3..92926ac8f 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -139,4 +139,10 @@ so-fleet: {% endif %} +{% else %} + +fleet_state_not_allowed: + test.fail_without_changes: + - name: fleet_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/freqserver/init.sls b/salt/freqserver/init.sls index 06e25c87c..668e33079 100644 --- a/salt/freqserver/init.sls +++ b/salt/freqserver/init.sls @@ -56,5 +56,11 @@ so-freq: - binds: - /opt/so/log/freq_server:/var/log/freq_server:rw +{% else %} + +freqserver_state_not_allowed: + test.fail_without_changes: + - name: freqserver_state_not_allowed + {% endif %} diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index 7f760daa2..401d2d7d7 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls 
@@ -237,4 +237,10 @@ so-grafana: {% endif %} +{% else %} + +grafana_state_not_allowed: + test.fail_without_changes: + - name: grafana_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/healthcheck/init.sls b/salt/healthcheck/init.sls index b2a9121e2..af1de6d83 100644 --- a/salt/healthcheck/init.sls +++ b/salt/healthcheck/init.sls @@ -29,4 +29,10 @@ healthcheck_schedule_{{ STATUS[1] }}: schedule.{{ STATUS[1] }}: - name: healthcheck +{% else %} + +healthcheck_state_not_allowed: + test.fail_without_changes: + - name: healthcheck_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index c125444e1..87f35777d 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -75,4 +75,10 @@ so-idstools: - watch: - file: idstoolsetcsync +{% else %} + +idstools_state_not_allowed: + test.fail_without_changes: + - name: idstools_state_not_allowed + {% endif%} \ No newline at end of file diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index ab17e8e62..6f95cfec2 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -47,4 +47,10 @@ so-influxdb: {% endif %} +{% else %} + +influxdb_state_not_allowed: + test.fail_without_changes: + - name: influxdb_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index a499ea70e..7f91719d4 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -121,4 +121,10 @@ so-kibana-config-load: # - source: salt://kibana/bin/keepkibanahappy.sh # - template: jinja +{% else %} + +kibana_state_not_allowed: + test.fail_without_changes: + - name: kibana_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 24257aa93..ad11bf567 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
@@ -201,4 +201,10 @@ so-logstash: - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} {% endfor %} +{% else %} + +logstash_state_not_allowed: + test.fail_without_changes: + - name: logstash_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/manager/init.sls b/salt/manager/init.sls index f48ebb496..372f680fe 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -82,4 +82,10 @@ so-aptcacherng: {% endif %} +{% else %} + +manager_state_not_allowed: + test.fail_without_changes: + - name: manager_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/minio/init.sls b/salt/minio/init.sls index 6fc383f4e..c1a681747 100644 --- a/salt/minio/init.sls +++ b/salt/minio/init.sls @@ -62,4 +62,10 @@ so-minio: - /etc/pki/minio.crt:/.minio/certs/public.crt:ro - entrypoint: "/usr/bin/docker-entrypoint.sh server --certs-dir /.minio/certs --address :9595 /data" +{% else %} + +minio_state_not_allowed: + test.fail_without_changes: + - name: minio_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/motd/init.sls b/salt/motd/init.sls index a689d1707..bf9d276a6 100644 --- a/salt/motd/init.sls +++ b/salt/motd/init.sls @@ -9,4 +9,10 @@ so_motd: - source: salt://motd/files/so_motd.jinja - template: jinja +{% else %} + +motd_state_not_allowed: + test.fail_without_changes: + - name: motd_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index ff694227b..818b5c303 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -99,4 +99,10 @@ so-mysql: - docker_container: so-mysql {% endif %} +{% else %} + +mysql_state_not_allowed: + test.fail_without_changes: + - name: mysql_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 4266980d7..98843b720 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls 
@@ -95,4 +95,10 @@ so-nginx: - file: nginxconf - file: nginxconfdir +{% else %} + +nginx_state_not_allowed: + test.fail_without_changes: + - name: nginx_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/nodered/init.sls b/salt/nodered/init.sls index 6d2e75aa6..ac886a6b7 100644 --- a/salt/nodered/init.sls +++ b/salt/nodered/init.sls @@ -79,4 +79,10 @@ so-nodered-flows: - name: /usr/sbin/so-nodered-load-flows - cwd: / +{% else %} + +nodered_state_not_allowed: + test.fail_without_changes: + - name: nodered_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index cf0a978aa..a82e0fb8d 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -166,4 +166,10 @@ so-sensoroni: - watch: - file: /opt/so/conf/sensoroni/sensoroni.json +{% else %} + +pcap_state_not_allowed: + test.fail_without_changes: + - name: pcap_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 8f3076faa..9d02dfce2 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -103,4 +103,10 @@ so-playbookruleupdatecron: - minute: '1' - hour: '6' +{% else %} + +playbook_state_not_allowed: + test.fail_without_changes: + - name: playbook_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/redis/init.sls b/salt/redis/init.sls index b0f663671..1b7611eab 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -70,4 +70,10 @@ so-redis: - watch: - file: /opt/so/conf/redis/etc +{% else %} + +redis_state_not_allowed: + test.fail_without_changes: + - name: redis_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/registry/init.sls b/salt/registry/init.sls index d366404fc..c98577ca2 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls 
@@ -57,4 +57,10 @@ so-dockerregistry: - /etc/pki/registry.crt:/etc/pki/registry.crt:ro - /etc/pki/registry.key:/etc/pki/registry.key:ro +{% else %} + +registry_state_not_allowed: + test.fail_without_changes: + - name: registry_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/salt/master.sls b/salt/salt/master.sls index 72ca75cb0..20a204909 100644 --- a/salt/salt/master.sls +++ b/salt/salt/master.sls @@ -33,4 +33,10 @@ engines_config: - watch_in: - service: salt_minion_service +{% else %} + +salt_master_state_not_allowed: + test.fail_without_changes: + - name: salt_master_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/soc/init.sls b/salt/soc/init.sls index a9d428b8a..ca40eb4f3 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -104,4 +104,10 @@ so-kratos: - watch: - file: /opt/so/conf/kratos +{% else %} + +soc_state_not_allowed: + test.fail_without_changes: + - name: soc_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 90a654e95..4c04f3fd1 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -69,4 +69,10 @@ so-soctopus: - extra_hosts: - {{MANAGER_URL}}:{{MANAGER_IP}} +{% else %} + +soctopus_state_not_allowed: + test.fail_without_changes: + - name: soctopus_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 550770488..1283c581d 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -576,4 +576,10 @@ elastickeyperms: {%- endif %} +{% else %} + +ssl_state_not_allowed: + test.fail_without_changes: + - name: ssl_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index d670ab440..980b1e808 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls 
@@ -145,4 +145,10 @@ strelka_zeek_extracted_sync: - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1' - minute: '*' +{% else %} + +strelka_state_not_allowed: + test.fail_without_changes: + - name: strelka_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 30757d617..45b99586c 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -178,4 +178,10 @@ surilogrotate: - month: '*' - dayweek: '*' +{% else %} + +suricata_state_not_allowed: + test.fail_without_changes: + - name: suricata_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls index a828c72f1..2634e6c15 100644 --- a/salt/tcpreplay/init.sls +++ b/salt/tcpreplay/init.sls @@ -12,4 +12,10 @@ so-tcpreplay: - interactive: True - tty: True +{% else %} + +tcpreplay_state_not_allowed: + test.fail_without_changes: + - name: tcpreplay_state_not_allowed + {% endif %} diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index e8665cd87..0bbf131f7 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -73,4 +73,10 @@ so-telegraf: - file: tgrafconf - file: tgrafsyncscripts +{% else %} + +telegraf_state_not_allowed: + test.fail_without_changes: + - name: telegraf_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls index ae3407a69..443ac9a8f 100644 --- a/salt/thehive/init.sls +++ b/salt/thehive/init.sls @@ -143,4 +143,10 @@ thehivescript: - template: jinja - hide_output: True +{% else %} + +thehive_state_not_allowed: + test.fail_without_changes: + - name: thehive_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/utility/init.sls b/salt/utility/init.sls index 4f0ffaa77..d18ad5e1c 100644 --- a/salt/utility/init.sls +++ b/salt/utility/init.sls 
@@ -25,4 +25,10 @@ fixsearch: - template: jinja {% endif %} +{% else %} + +utility_state_not_allowed: + test.fail_without_changes: + - name: utility_state_not_allowed + {% endif %} diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 6b22db8c6..f2a4ae05b 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -147,4 +147,10 @@ hidsruledir: file.symlink: - target: /nsm/wazuh/ruleset +{% else %} + +wazuh_state_not_allowed: + test.fail_without_changes: + - name: wazuh_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/yum/init.sls b/salt/yum/init.sls index 70cc003ed..b8a4df9ee 100644 --- a/salt/yum/init.sls +++ b/salt/yum/init.sls @@ -10,4 +10,10 @@ yumconf: - mode: 644 - template: jinja +{% else %} + +yum_state_not_allowed: + test.fail_without_changes: + - name: yum_state_not_allowed + {% endif %} \ No newline at end of file diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index d27290f98..712ca53fd 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -196,4 +196,10 @@ so-zeek: - file: /opt/so/conf/zeek/policy - file: /opt/so/conf/zeek/bpf +{% else %} + +zeek_state_not_allowed: + test.fail_without_changes: + - name: zeek_state_not_allowed + {% endif %} \ No newline at end of file From d18c498574ef1d95dfb5fe3a86797c68076654bd Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Wed, 9 Sep 2020 17:32:42 -0400 Subject: [PATCH 11/24] Update so-features-enable --- salt/common/tools/sbin/so-features-enable | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/salt/common/tools/sbin/so-features-enable b/salt/common/tools/sbin/so-features-enable index 070ecedc0..ae8981fe9 100755 --- a/salt/common/tools/sbin/so-features-enable +++ b/salt/common/tools/sbin/so-features-enable 
@@ -17,6 +17,28 @@ . /usr/sbin/so-common local_salt_dir=/opt/so/saltstack/local +cat << EOF +This program will switch from the open source version of the Elastic Stack to the Features version licensed under the Elastic license. +If you proceed, then we will download new Docker images and restart services. + +Please review the Elastic license: +https://raw.githubusercontent.com/elastic/elasticsearch/master/licenses/ELASTIC-LICENSE.txt + +Please also note that, if you have a distributed deployment and continue with this change, Elastic traffic between nodes will change from encrypted to cleartext! +(We expect to support Elastic Features Security at some point in the future.) + +Do you agree to the terms of the Elastic license and understand the note about encryption? + +If so, type AGREE to accept the Elastic license and continue. Otherwise, just press Enter to exit this program without making any changes. +EOF + +read INPUT +if [ "$INPUT" != "AGREE" ]; then + exit +fi + +echo "Please wait while switching to Elastic Features." + manager_check() { # Check to see if this is a manager MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') From 7161a662aa2519e1f99fb3764c2c1444465ab89d Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 10 Sep 2020 06:03:33 -0400 Subject: [PATCH 12/24] improve Wazuh support in Hunt --- salt/soc/files/soc/soc.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index f3c103dc4..8d7b6c31d 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json 
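Review bot: `read INPUT` should be `read -r INPUT` so a backslash in the reply is not interpreted, and declining should exit non-zero so a calling script can tell the switch did not happen: `if [ "$INPUT" != "AGREE" ]; then exit 1; fi`. This prompt is the only gate before a change that, per the new text, turns inter-node Elastic traffic from encrypted to cleartext on a distributed deployment, so consider refusing when stdin is not a terminal (`[ -t 0 ]`) and adding an explicit flag for unattended use instead of relying on AGREE being piped in. Where the downgrade is actually applied is outside the hunk, so whether the warning is repeated there cannot be checked here.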
@@ -70,7 +70,7 @@ "::x509": ["soc_timestamp", "x509.certificate.subject", "x509.certificate.key.type", "x509.certificate.key.length", "x509.certificate.issuer", "log.id.id" ], ":firewall:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "direction", "interface", "action", "reason" ], ":osquery:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ], - ":ossec:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location", "process.name" ], + ":ossec:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location" ], ":strelka:file": ["soc_timestamp", "scan.exiftool.OriginalFileName", "file.size", "hash.md5", "scan.exiftool.CompanyName", "scan.exiftool.Description", "scan.exiftool.Directory", "scan.exiftool.FileType", "scan.exiftool.FileOS", "log.id.fuid" ], ":suricata:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.gid", "rule.name", "rule.category", "rule.rev", "event.severity", "event.severity_label" ], ":sysmon:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ], 
@@ -84,8 +84,8 @@ { "name": "NIDS Alerts", "description": "Show all NIDS alerts grouped by alert name", "query": "event.category: network AND event.dataset: alert | groupby rule.name"}, { "name": "Wazuh/OSSEC Alerts", "description": "Show all Wazuh alerts grouped by category", "query": "event.module:ossec AND event.dataset:alert | groupby rule.category"}, { "name": "Wazuh/OSSEC Commands", "description": "Show all Wazuh alerts grouped by command line", "query": "event.module:ossec AND event.dataset:alert | groupby process.command_line"}, - { "name": "Wazuh/OSSEC Processes", "description": "Show all Wazuh alerts grouped by process name", "query": "event.module:ossec AND event.dataset:alert | groupby process.name"}, - { "name": "Wazuh/OSSEC Users", "description": "Show all Wazuh alerts grouped by username", "query": "event.module:ossec AND event.dataset:alert | groupby user.name"}, + { "name": "Wazuh/OSSEC Processes", "description": "Show all Wazuh alerts grouped by process name", "query": "event.module:ossec AND event.dataset:alert | groupby process.name.keyword"}, + { "name": "Wazuh/OSSEC Users", "description": "Show all Wazuh alerts grouped by username", "query": "event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword"}, { "name": "Sysmon Events", "description": "Show all Sysmon logs grouped by event type", "query": "event.module:sysmon | groupby event.dataset"}, { "name": "Sysmon Usernames", "description": "Show all Sysmon logs grouped by username", "query": "event.module:sysmon | groupby event.dataset, user.name.keyword"}, { "name": "Zeek Notice", "description": "Show notices from Zeek", "query": "event.dataset:notice | groupby notice.note notice.message"}, From c3b2d98ffb383bfdaf4be51e2ce2bf34229fc59c Mon Sep 17 00:00:00 2001 
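Review bot: The "Wazuh/OSSEC Users" entry now groups by `user.escalated.keyword` while its description still says "grouped by username", and the `:ossec:` column list changed earlier in this commit keeps both `user.name` and `user.escalated`, so the two fields are distinct. Either update the text, `"description": "Show all Wazuh alerts grouped by escalated user"`, or keep `user.name.keyword` if the change was only meant to add the `.keyword` sub-field needed for aggregation. Which field is intended cannot be told from the diff alone.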
From: Josh Brower Date: Thu, 10 Sep 2020 06:15:30 -0400 Subject: [PATCH 13/24] Add event.category to WEL --- salt/elasticsearch/files/ingest/import.wel | 2 +- salt/elasticsearch/files/ingest/win.eventlogs | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/files/ingest/import.wel b/salt/elasticsearch/files/ingest/import.wel index 64add2f44..5a04324b7 100644 --- a/salt/elasticsearch/files/ingest/import.wel +++ b/salt/elasticsearch/files/ingest/import.wel @@ -1,7 +1,7 @@ { "description" : "import.wel", "processors" : [ - { "remove": { "field": ["event.created","timestamp", "winlog.event_data.UtcTime"], "ignore_failure": true } }, + { "remove": { "field": ["event.created","timestamp", "winlog.event_data.UtcTime", "event_record_id"], "ignore_failure": true } }, { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } }, { "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } }, { "pipeline": { "name": "common" } } diff --git a/salt/elasticsearch/files/ingest/win.eventlogs b/salt/elasticsearch/files/ingest/win.eventlogs index 7bd6e9a5a..f7f9d6bac 100644 --- a/salt/elasticsearch/files/ingest/win.eventlogs +++ b/salt/elasticsearch/files/ingest/win.eventlogs 
@@ -4,7 +4,8 @@ { "set": { "if": "ctx.winlog?.channel != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } }, { "set": { "if": "ctx.winlog?.channel != null", "field": "event.dataset", "value": "{{winlog.channel}}", "override": true } }, { "set": { "if": "ctx.winlog?.computer_name != null", "field": "observer.name", "value": "{{winlog.computer_name}}", "override": true } }, - { "set": { "field": "event.code", "value": "{{winlog.event_id}}", "override": true } }, + { "set": { "field": "event.code", "value": "{{winlog.event_id}}", "override": true } }, + { "set": { "field": "event.category", "value": "host", "override": true } }, { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } } ] From 24c325e9a10f2a9f1d83bbe4cf16d3266e58273c Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 10 Sep 2020 06:41:19 -0400 Subject: [PATCH 14/24] Fix Elasticsearch parsing for Zeek Intel Indicator #1309 --- salt/elasticsearch/files/ingest/zeek.intel | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/files/ingest/zeek.intel b/salt/elasticsearch/files/ingest/zeek.intel index 1f6e7829e..8be25c9ef 100644 --- a/salt/elasticsearch/files/ingest/zeek.intel +++ b/salt/elasticsearch/files/ingest/zeek.intel 
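Review bot: The new `event.category` set processor is unconditional with `"override": true`, whereas the neighbouring `set` processors are guarded with `"if": "ctx.winlog?.channel != null"`; a document that already carries an `event.category` from an upstream shipper will have it overwritten with `host`. Since import.wel only routes non-Sysmon winlog records into this pipeline the guard may be redundant, but if forcing the value is deliberate say so in the pipeline's `description`, otherwise use `"override": false` or the same `"if"` guard as the surrounding processors.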
@@ -3,6 +3,7 @@ "processors" : [ { "remove": { "field": ["host"], "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "dot_expander": { "field": "seen.indicator", "path": "message2", "ignore_failure": true } }, { "rename": { "field": "message2.seen.indicator", "target_field": "intel.indicator", "ignore_missing": true } }, { "dot_expander": { "field": "seen.indicator_type", "path": "message2", "ignore_failure": true } }, { "rename": { "field": "message2.seen.indicator_type", "target_field": "intel.indicator_type", "ignore_missing": true } }, From 8c280221da97e717c1a0a4891a8b5c881470ba21 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 10 Sep 2020 07:00:54 -0400 Subject: [PATCH 15/24] Hunt: Fix Intel groupby #1131 --- salt/soc/files/soc/soc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 8d7b6c31d..be557b58d 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json 
@@ -114,7 +114,7 @@ { "name": "HTTP", "description": "HTTP grouped by user agent", "query": "event.dataset:http | groupby http.useragent"}, { "name": "HTTP", "description": "HTTP grouped by virtual host", "query": "event.dataset:http | groupby http.virtual_host"}, { "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.dataset:http AND file.resp_mime_types:dosexec | groupby http.virtual_host"}, - { "name": "Intel", "description": "Intel framework hits grouped by indicator", "query": "event.dataset:intel | groupby intel.indicator"}, + { "name": "Intel", "description": "Intel framework hits grouped by indicator", "query": "event.dataset:intel | groupby intel.indicator.keyword"}, { "name": "IRC", "description": "IRC grouped by command", "query": "event.dataset:irc | groupby irc.command.type"}, { "name": "KERBEROS", "description": "KERBEROS grouped by service", "query": "event.dataset:kerberos | groupby kerberos.service"}, { "name": "MODBUS", "description": "MODBUS grouped by function", "query": "event.dataset:modbus | groupby modbus.function"}, From 0ed9c656469902edc5c6d14a065077a3012f23e5 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 10 Sep 2020 10:07:05 -0400 Subject: [PATCH 16/24] remove logic from fleet state to only run if in top --- salt/fleet/init.sls | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index 92926ac8f..220f3c4cb 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -1,8 +1,3 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'fleet' in top_states %} - {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} {%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%} {%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%} 
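Review bot: After this change fleet is the one state in the tree without the top-file guard, and neither the code nor the commit message records why (presumably so-setup applies it by name before top.sls assigns it, but that is not visible here). Leave a marker at the top of the file so the exception is not "fixed" back by the next person applying the pattern: `{# NOTE: intentionally no state.show_top guard here — this state is applied directly by name during setup; keep in sync with setup/so-setup #}`, adjusting the reason to the real one. The file body continues past the hunk.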
@@ -137,12 +132,4 @@ so-fleet: - watch: - /opt/so/conf/fleet/etc -{% endif %} - -{% else %} - -fleet_state_not_allowed: - test.fail_without_changes: - - name: fleet_state_not_allowed - {% endif %} \ No newline at end of file From bc420d4a02e8bde2847eba32f38cb9ec07d7cd4f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 10 Sep 2020 11:57:15 -0400 Subject: [PATCH 17/24] add --- salt/top.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/top.sls b/salt/top.sls index 2fa33c2d3..0e6e8d917 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -158,6 +158,7 @@ base: {%- if WAZUH != 0 %} - wazuh {%- endif %} + - elasticsearch - logstash - redis - kibana From 5f7c270984649fcafbb0aa6b71936b42fd1ab3ca Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 11 Sep 2020 10:22:12 -0400 Subject: [PATCH 18/24] only allow strelka to run on nodes that are sensors --- setup/so-setup | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index f771d7d57..028683325 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -678,8 +678,10 @@ fi fi if [[ "$STRELKA" = 1 ]]; then - set_progress_str 80 "$(print_salt_state_apply 'strelka')" - salt-call state.apply -l info strelka >> $setup_log 2>&1 + if [[ $is_sensor ]]; then + set_progress_str 80 "$(print_salt_state_apply 'strelka')" + salt-call state.apply -l info strelka >> $setup_log 2>&1 + fi if [[ $STRELKARULES == 1 ]]; then /usr/sbin/so-yara-update >> $setup_log 2>&1 fi From bb0e6864448f399dbebcc446870792544efaa4c6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 11 Sep 2020 11:35:17 -0400 Subject: [PATCH 19/24] add elasticsearch to top for nodes missing it --- salt/top.sls | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/top.sls b/salt/top.sls index 0e6e8d917..9c2a748c8 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -286,6 +286,7 @@ base: {%- if WAZUH != 0 %} - wazuh {%- endif %} + - elasticsearch - logstash - curator - filebeat 
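Review bot: `[[ $is_sensor ]]` is a non-empty test, so it is true for any value the variable holds, including `0` or `false`, and false only when unset or empty; how `is_sensor` is assigned is not visible here, so if it is ever set to a boolean-looking string the strelka state would still be applied on non-sensors. Compare against the expected value explicitly, e.g. `if [[ "$is_sensor" == true ]]; then`, or use `-n` with a comment stating that emptiness is the contract. Note also that `so-yara-update` still runs on non-sensor nodes when STRELKARULES is set; a one-line comment saying whether that is intended would help.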
@@ -331,6 +332,7 @@ base: {%- if WAZUH != 0 %} - wazuh {%- endif %} + - elasticsearch - logstash - redis - curator
@@ -368,6 +370,7 @@ base: {%- if WAZUH != 0 %} - wazuh {%- endif %} + - elasticsearch - logstash - redis - curator
From 15563f2ee6e87d793b763c886aa8992474007b2f Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 11 Sep 2020 12:28:42 -0400
Subject: [PATCH 20/24] add nginx to top for sensor
---
salt/top.sls | 1 +
1 file changed, 1 insertion(+)
diff --git a/salt/top.sls b/salt/top.sls
index 9c2a748c8..04627b18f 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -62,6 +62,7 @@ base: - common - telegraf - firewall + - nginx - pcap - suricata - healthcheck
From 5f567368beafcd6700a09d31b014f315b3fa4496 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 11 Sep 2020 18:30:21 -0400
Subject: [PATCH 21/24] add redis to eval if playbook enabled
---
salt/top.sls | 1 +
1 file changed, 1 insertion(+)
diff --git a/salt/top.sls b/salt/top.sls
index 04627b18f..7120c15b7 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -128,6 +128,7 @@ base: {%- endif %} {%- if PLAYBOOK != 0 %} - playbook + - redis {%- endif %} {%- if FREQSERVER != 0 %} - freqserver
From 311d67b9341801f453736b9c6627191c8c62fef6 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Sat, 12 Sep 2020 06:14:58 -0400
Subject: [PATCH 22/24] Hunt: fix RFB groupby #1332
---
salt/soc/files/soc/soc.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index be557b58d..29ae59219 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -124,7 +124,7 @@
{ "name": "PE", "description": "PE files list", "query": "event.dataset:pe | groupby file.machine file.os file.subsystem"},
{ "name": "RADIUS", "description": "RADIUS grouped by username", "query": "event.dataset:radius | groupby user.name.keyword"},
{ "name": "RDP", "description": "RDP grouped by client name", "query": "event.dataset:rdp | groupby client.name"},
- { "name": "RFB", "description": "RFB grouped by desktop name", "query": "event.dataset:rfb | groupby rfb.desktop.name"},
+ { "name": "RFB", "description": "RFB grouped by desktop name", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword"},
{ "name": "Signatures", "description": "Zeek signatures grouped by signature id", "query": "event.dataset:signatures | groupby signature_id"},
{ "name": "SIP", "description": "SIP grouped by user agent", "query": "event.dataset:sip | groupby client.user_agent"},
{ "name": "SMB_Files", "description": "SMB files grouped by action", "query": "event.dataset:smb_files | groupby file.action"},
From 89c38541ee35e6b9b91ff2bef0ae28b0f957542a Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Sun, 13 Sep 2020 02:52:19 -0400
Subject: [PATCH 23/24] Force all SOC quick actions to open in new tab
---
salt/soc/files/soc/soc.json | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 29ae59219..ebfa1a632 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -143,10 +143,10 @@
{ "name": "Firewall", "description": "Firewall events grouped by action", "query": "event_type:firewall | groupby action"}
],
"actions": [
- { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}" },
- { "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}" },
- { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}" },
- { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}" }
+ { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "_blank" },
+ { "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}", "target": "_blank" },
+ { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
+ { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
]
}
}
From 18dc7a915a77f77457491d7a4694f40db9004b93 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Sun, 13 Sep 2020 08:26:33 -0400
Subject: [PATCH 24/24] Hunt: Fix Tunnel query #1335
---
salt/soc/files/soc/soc.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index ebfa1a632..bbb600a6b 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
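Review bot: The four action entries now carry `"target": "_blank"`, but nothing in this file controls the `rel` attribute the SOC UI emits for those anchors, and two of the links (google.com and virustotal.com) are cross-origin with a user-derived `{value}` interpolated into the URL. On browsers of this commit's era an anchor with `target="_blank"` and no `rel="noopener noreferrer"` gives the opened page a `window.opener` handle to the SOC tab and sends the SOC page URL as the referrer, so whether the front end adds `rel` whenever it renders `target` should be confirmed rather than assumed. soc.json cannot hold a comment, so the expectation that `target` implies `rel="noopener noreferrer"` is best recorded in the documentation for the `actions` array, together with a note that `{value}` must be URL-encoded by the renderer before substitution.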
@@ -135,7 +135,7 @@
{ "name": "SSH", "description": "SSH grouped by version", "query": "event.dataset:ssh | groupby ssh.version"},
{ "name": "SSL", "description": "SSL grouped by version and server name", "query": "event.dataset:ssl | groupby ssl.version ssl.server_name"},
{ "name": "SYSLOG", "description": "SYSLOG grouped by severity and facility ", "query": "event.dataset:syslog | groupby syslog.severity syslog.facility"},
- { "name": "Tunnels", "description": "Tunnels grouped by action", "query": "event.dataset:tunnels | groupby event.action"},
+ { "name": "Tunnel", "description": "Tunnels grouped by action", "query": "event.dataset:tunnel | groupby event.action"},
{ "name": "Weird", "description": "Zeek weird log grouped by name", "query": "event.dataset:weird | groupby weird.name"},
{ "name": "x509", "description": "x.509 grouped by key length", "query": "event.dataset:x509 | groupby x509.certificate.key.length"},
{ "name": "x509", "description": "x.509 grouped by issuer", "query": "event.dataset:x509 | groupby x509.certificate.issuer"},