Merge pull request #14990 from Security-Onion-Solutions/vlb2

merge with 2.4/dev
Josh Patterson
2025-09-03 10:37:46 -04:00
committed by GitHub
13 changed files with 28 additions and 21 deletions


@@ -262,6 +262,7 @@ base:
- minions.adv_{{ grains.id }} - minions.adv_{{ grains.id }}
- kafka.nodes - kafka.nodes
- kafka.soc_kafka - kafka.soc_kafka
- stig.soc_stig
'*_import': '*_import':
- node_data.ips - node_data.ips
@@ -319,10 +320,12 @@ base:
- elasticfleet.adv_elasticfleet - elasticfleet.adv_elasticfleet
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }} - minions.adv_{{ grains.id }}
- stig.soc_stig
'*_hypervisor': '*_hypervisor':
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }} - minions.adv_{{ grains.id }}
- stig.soc_stig
'*_desktop': '*_desktop':
- minions.{{ grains.id }} - minions.{{ grains.id }}


@@ -143,6 +143,7 @@
), ),
'so-fleet': ( 'so-fleet': (
ssl_states + ssl_states +
stig_states +
['logstash', 'nginx', 'healthcheck', 'elasticfleet'] ['logstash', 'nginx', 'healthcheck', 'elasticfleet']
), ),
'so-receiver': ( 'so-receiver': (


@@ -20,7 +20,7 @@
], ],
"data_stream.dataset": "import", "data_stream.dataset": "import",
"custom": "", "custom": "",
"processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-2.3.3\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-3.1.0\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-2.3.3\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-2.3.3\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-3.1.0\n- add_fields:\n target: data_stream\n fields:\n dataset: import", "processors": "- dissect:\n tokenizer: 
\"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-2.5.4\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-3.1.2\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-2.5.4\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-2.5.4\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-3.1.2\n- add_fields:\n target: data_stream\n fields:\n dataset: import",
"tags": [ "tags": [
"import" "import"
] ]


@@ -1,6 +1,6 @@
elasticsearch: elasticsearch:
enabled: false enabled: false
version: 8.18.4 version: 8.18.6
index_clean: true index_clean: true
config: config:
action: action:


@@ -107,61 +107,61 @@
}, },
{ {
"pipeline": { "pipeline": {
"name": "logs-pfsense.log-1.23.0-firewall", "name": "logs-pfsense.log-1.23.1-firewall",
"if": "ctx.event.provider == 'filterlog'" "if": "ctx.event.provider == 'filterlog'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"name": "logs-pfsense.log-1.23.0-openvpn", "name": "logs-pfsense.log-1.23.1-openvpn",
"if": "ctx.event.provider == 'openvpn'" "if": "ctx.event.provider == 'openvpn'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"name": "logs-pfsense.log-1.23.0-ipsec", "name": "logs-pfsense.log-1.23.1-ipsec",
"if": "ctx.event.provider == 'charon'" "if": "ctx.event.provider == 'charon'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"name": "logs-pfsense.log-1.23.0-dhcp", "name": "logs-pfsense.log-1.23.1-dhcp",
"if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\"].contains(ctx.event.provider)" "if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\"].contains(ctx.event.provider)"
} }
}, },
{ {
"pipeline": { "pipeline": {
"name": "logs-pfsense.log-1.23.0-unbound", "name": "logs-pfsense.log-1.23.1-unbound",
"if": "ctx.event.provider == 'unbound'" "if": "ctx.event.provider == 'unbound'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"name": "logs-pfsense.log-1.23.0-haproxy", "name": "logs-pfsense.log-1.23.1-haproxy",
"if": "ctx.event.provider == 'haproxy'" "if": "ctx.event.provider == 'haproxy'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"name": "logs-pfsense.log-1.23.0-php-fpm", "name": "logs-pfsense.log-1.23.1-php-fpm",
"if": "ctx.event.provider == 'php-fpm'" "if": "ctx.event.provider == 'php-fpm'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"name": "logs-pfsense.log-1.23.0-squid", "name": "logs-pfsense.log-1.23.1-squid",
"if": "ctx.event.provider == 'squid'" "if": "ctx.event.provider == 'squid'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"name": "logs-pfsense.log-1.23.0-snort", "name": "logs-pfsense.log-1.23.1-snort",
"if": "ctx.event.provider == 'snort'" "if": "ctx.event.provider == 'snort'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"name": "logs-pfsense.log-1.23.0-suricata", "name": "logs-pfsense.log-1.23.1-suricata",
"if": "ctx.event.provider == 'suricata'" "if": "ctx.event.provider == 'suricata'"
} }
}, },


@@ -22,7 +22,7 @@ kibana:
- default - default
- file - file
migrations: migrations:
discardCorruptObjects: "8.18.4" discardCorruptObjects: "8.18.6"
telemetry: telemetry:
enabled: False enabled: False
security: security:


@@ -43,5 +43,5 @@ combine_bond_script:
execute_combine_bond: execute_combine_bond:
cmd.run: cmd.run:
- name: /usr/sbin/so-combine-bond - name: /usr/sbin/so-combine-bond
- onchanges: - onlyif:
- file: combine_bond_script - ip link show bond0
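Review bot: Replacing `onchanges: file: combine_bond_script` with `onlyif: ip link show bond0` means /usr/sbin/so-combine-bond now executes on every highstate where bond0 is present, not only when the deployed script changes, so the command has to be safe to re-run indefinitely. The `onlyif` also duplicates the bond0 existence check the script performs itself, which is harmless but makes the intent easy to misread later; a comment on the state would help, e.g. `# runs on every highstate where bond0 exists; so-combine-bond must be idempotent`. The `combine_bond_script` state that the old requisite referenced starts above the hunk.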


@@ -18,7 +18,7 @@ fi
# Check if bond0 exists # Check if bond0 exists
if ! ip link show bond0 &>/dev/null; then if ! ip link show bond0 &>/dev/null; then
exit 1 exit 0
fi fi
# Function to get slave interfaces - works across distributions # Function to get slave interfaces - works across distributions
@@ -48,7 +48,7 @@ get_bond_slaves() {
SLAVES=$(get_bond_slaves bond0) SLAVES=$(get_bond_slaves bond0)
if [ -z "$SLAVES" ]; then if [ -z "$SLAVES" ]; then
exit 1 exit 0
fi fi
# Process each slave interface # Process each slave interface
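Review bot: Changing both early exits from 1 to 0 makes "bond0 missing" and "bond0 has no slaves" indistinguishable from a successful combine, so the cmd.run state that invokes this script will report success with no trace of why nothing happened. Writing the reason to stderr before each `exit 0` keeps the outcome visible in state output without failing the state, e.g. `echo "bond0 not found; nothing to do" >&2` before the first exit and `echo "bond0 has no slave interfaces; nothing to do" >&2` before the second. The script header and the get_bond_slaves function lie outside the two hunks.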


@@ -1359,6 +1359,7 @@ soc:
importUploadDir: /nsm/soc/uploads importUploadDir: /nsm/soc/uploads
forceUserOtp: false forceUserOtp: false
customReportsPath: /opt/sensoroni/templates/reports/custom customReportsPath: /opt/sensoroni/templates/reports/custom
enableReverseLookup: false
modules: modules:
cases: soc cases: soc
filedatastore: filedatastore:
@@ -1566,7 +1567,6 @@ soc:
outputPath: /opt/sensoroni/navigator outputPath: /opt/sensoroni/navigator
lookbackDays: 3 lookbackDays: 3
client: client:
enableReverseLookup: false
docsUrl: /docs/ docsUrl: /docs/
cheatsheetUrl: /docs/cheatsheet.pdf cheatsheetUrl: /docs/cheatsheet.pdf
releaseNotesUrl: /docs/release-notes.html releaseNotesUrl: /docs/release-notes.html
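Review bot: `enableReverseLookup` moves from under `client:` to the level of `importUploadDir`/`forceUserOtp`, which changes the pillar path of the setting; any local pillar override written against the old `client:` location will silently stop taking effect, and no fallback or migration step is visible in this commit. If that is intended, a line in the PR description or release notes naming the new key path would spare operators a confusing "setting ignored" report. The enclosing `soc:` mapping starts well above both hunks.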


@@ -180,6 +180,10 @@ soc:
label: Subgrid Enabled label: Subgrid Enabled
forcedType: bool forcedType: bool
default: false default: false
enableReverseLookup:
description: "Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. To add your own local lookups, create a CSV file at /nsm/custom-mappings/ip-descriptions.csv on your Manager and populate the file with IP addresses and descriptions as follows: IP, Description. Elasticsearch will then ingest the CSV during the next high state."
global: True
helpLink: soc-customization.html#reverse-dns
modules: modules:
elastalertengine: elastalertengine:
aiRepoUrl: aiRepoUrl:
@@ -577,9 +581,6 @@ soc:
label: Folder label: Folder
airgap: *pbRepos airgap: *pbRepos
client: client:
enableReverseLookup:
description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
global: True
apiTimeoutMs: apiTimeoutMs:
description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI. description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI.
global: True global: True
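Review bot: The new `description` for `enableReverseLookup` is a single ~300-character double-quoted scalar; a `>-` folded block scalar would keep it readable and diffable while producing the same string. The text also leaves open whether /nsm/custom-mappings/ip-descriptions.csv expects a header row and how a description containing a comma should be quoted, both of which someone writing the file by hand will need; once confirmed against the ingest side, add a sentence such as `One entry per line in the form <ip>, <description>, with no header row`. The `soc:` mapping that contains both hunks starts above them.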


@@ -47,6 +47,7 @@ update_stig_profile:
- name: /opt/so/conf/stig/sos-oscap.xml - name: /opt/so/conf/stig/sos-oscap.xml
- source: salt://stig/files/sos-oscap.xml - source: salt://stig/files/sos-oscap.xml
- user: socore - user: socore
- show_changes: False
- group: socore - group: socore
- mode: 0644 - mode: 0644
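Review bot: `show_changes: False` suppresses the diff for /opt/so/conf/stig/sos-oscap.xml in state output, so a change to the OSCAP profile, intended or not, is no longer visible in highstate results or their logs. If the motivation is that the XML diff is too large to be useful, say so next to the argument, e.g. `# profile XML is large; suppress diff in state output`, so nobody later removes it or misreads it as hiding something. Placing the new line after `- mode:` rather than between `- user:` and `- group:` would also keep the ownership arguments together. The update_stig_profile state starts above the hunk.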


@@ -299,6 +299,7 @@ base:
- elasticfleet - elasticfleet
- elasticfleet.install_agent_grid - elasticfleet.install_agent_grid
- schedule - schedule
- stig
'*_hypervisor and I@features:vrt and G@saltversion:{{saltversion}}': '*_hypervisor and I@features:vrt and G@saltversion:{{saltversion}}':
- match: compound - match: compound