CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-02-21 14:35:27 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'remotes/origin/dev' into issue/4674

Browse Source
This commit is contained in:
m0duspwnens
2021-07-08 14:12:26 -04:00
parent 56697fde19 70d7513f84
commit f56514ed7d
11 changed files with 67 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
salt/elasticsearch/files/ingest/ossec
View File

@@ -63,8 +63,7 @@
{ "rename": { "field": "fields.module", "target_field": "event.module", "ignore_failure": true, "ignore_missing": true } },
{ "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } },
{ "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } },
{ "set": { "if": "ctx.rule != null && ctx.rule.name != null", "field": "event.dataset", "value": "ossec.alert", "override": true } },
{ "set": { "if": "ctx.rule != null && ctx.rule.name != null", "field": "event.kind", "value": "alert", "override": true } },
{ "set": { "if": "ctx.rule != null && ctx.rule.name != null", "field": "event.dataset", "value": "alert", "override": true } },
{ "pipeline": { "name": "common" } }
]
}

3
salt/elasticsearch/files/ingest/strelka.file
View File

@@ -53,8 +53,7 @@
{ "set": { "if": "ctx.exiftool?.FileDirectory != null", "field": "file.directory", "value": "{{exiftool.FileDirectory}}", "ignore_failure": true }},
{ "set": { "if": "ctx.exiftool?.Subsystem != null", "field": "host.subsystem", "value": "{{exiftool.Subsystem}}", "ignore_failure": true }},
{ "set": { "if": "ctx.scan?.yara?.matches != null", "field": "rule.name", "value": "{{scan.yara.matches.0}}" }},
{ "set": { "if": "ctx.scan?.yara?.matches != null", "field": "dataset", "value": "strelka.alert", "override": true }},
{ "set": { "if": "ctx.scan?.yara?.matches != null", "field": "event.kind", "value": "alert", "override": true }},
{ "set": { "if": "ctx.scan?.yara?.matches != null", "field": "dataset", "value": "alert", "override": true }},
{ "rename": { "field": "file.flavors.mime", "target_field": "file.mime_type", "ignore_missing": true }},
{ "set": { "if": "ctx.rule?.name != null && ctx.rule?.score == null", "field": "event.severity", "value": 3, "override": true } },
{ "convert" : { "if": "ctx.rule?.score != null", "field" : "rule.score","type": "integer"}},

12
salt/logstash/init.sls
View File

@@ -36,6 +36,14 @@
{% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %}
{% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}
{% if grains.role in ['so-heavynode'] %}
{% set EXTRAHOSTHOSTNAME = salt['grains.get']('host') %}
{% set EXTRAHOSTIP = salt['pillar.get']('sensor:mainip') %}
{% else %}
{% set EXTRAHOSTHOSTNAME = MANAGER %}
{% set EXTRAHOSTIP = MANAGERIP %}
{% endif %}
include:
- elasticsearch
@@ -145,7 +153,7 @@ so-logstash:
- name: so-logstash
- user: logstash
- extra_hosts:
- {{ MANAGER }}:{{ MANAGERIP }}
- {{ EXTRAHOSTHOSTNAME }}:{{ EXTRAHOSTIP }}
- environment:
- LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
- port_bindings:
@@ -205,4 +213,4 @@ append_so-logstash_so-status.conf:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}
{% endif %}

13
salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
View File

@@ -1,10 +1,13 @@
{%- set MANAGER = salt['grains.get']('master') %}
{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
{%- if grains.role in ['so-heavynode'] %}
{%- set HOST = salt['grains.get']('host') %}
{%- else %}
{%- set HOST = salt['grains.get']('master') %}
{%- endif %}
{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
input {
redis {
host => '{{ MANAGER }}'
host => '{{ HOST }}'
port => 9696
ssl => true
data_type => 'list'

10
salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
View File

@@ -1,8 +1,12 @@
{%- set MANAGER = salt['grains.get']('master') %}
{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
{%- if grains.role in ['so-heavynode'] %}
{%- set HOST = salt['grains.get']('host') %}
{%- else %}
{%- set HOST = salt['grains.get']('master') %}
{%- endif %}
{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
output {
redis {
host => '{{ MANAGER }}'
host => '{{ HOST }}'
port => 6379
data_type => 'list'
key => 'logstash:unparsed'

41
salt/ssl/init.sls
View File

@@ -9,6 +9,11 @@
{% set MAININT = salt['pillar.get']('host:mainint') %}
{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %}
{% if grains.role in ['so-heavynode'] %}
{% set COMMONNAME = salt['grains.get']('host') %}
{% else %}
{% set COMMONNAME = manager %}
{% endif %}
{% if grains.id.split('_')|last in ['manager', 'eval', 'standalone', 'import', 'helixsensor'] %}
{% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
@@ -83,10 +88,12 @@ removeesp12dir:
- days_remaining: 0
- days_valid: 820
- backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30
- retry:
attempts: 5
@@ -103,7 +110,7 @@ influxkeyperms:
# Create a cert for Redis encryption
/etc/pki/redis.key:
x509.private_key_managed:
- CN: {{ manager }}
- CN: {{ COMMONNAME }}
- bits: 4096
- days_remaining: 0
- days_valid: 820
@@ -123,14 +130,16 @@ influxkeyperms:
- ca_server: {{ ca_server }}
- signing_policy: registry
- public_key: /etc/pki/redis.key
- CN: {{ manager }}
- CN: {{ COMMONNAME }}
- days_remaining: 0
- days_valid: 820
- backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30
- retry:
attempts: 5
@@ -147,7 +156,7 @@ rediskeyperms:
{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}
/etc/pki/filebeat.key:
x509.private_key_managed:
- CN: {{ manager }}
- CN: {{ COMMONNAME }}
- bits: 4096
- days_remaining: 0
- days_valid: 820
@@ -168,18 +177,16 @@ rediskeyperms:
- ca_server: {{ ca_server }}
- signing_policy: filebeat
- public_key: /etc/pki/filebeat.key
{% if grains.role == 'so-heavynode' %}
- CN: {{grains.host}}
{% else %}
- CN: {{manager}}
{% endif %}
- CN: {{ COMMONNAME }}
- days_remaining: 0
- days_valid: 820
- backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30
- retry:
attempts: 5
@@ -315,7 +322,7 @@ miniokeyperms:
# Create a cert for elasticsearch
/etc/pki/elasticsearch.key:
x509.private_key_managed:
- CN: {{ manager }}
- CN: {{ COMMONNAME }}
- bits: 4096
- days_remaining: 0
- days_valid: 820
@@ -335,14 +342,16 @@ miniokeyperms:
- ca_server: {{ ca_server }}
- signing_policy: registry
- public_key: /etc/pki/elasticsearch.key
- CN: {{ manager }}
- CN: {{ COMMONNAME }}
- days_remaining: 0
- days_valid: 820
- backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30
- retry:
attempts: 5
@@ -462,7 +471,7 @@ fbcertdir:
/opt/so/conf/filebeat/etc/pki/filebeat.key:
x509.private_key_managed:
- CN: {{ manager }}
- CN: {{ COMMONNAME }}
- bits: 4096
- days_remaining: 0
- days_valid: 820
@@ -483,18 +492,16 @@ fbcertdir:
- ca_server: {{ ca_server }}
- signing_policy: filebeat
- public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
{% if grains.role == 'so-heavynode' %}
- CN: {{grains.id}}
{% else %}
- CN: {{manager}}
{% endif %}
- CN: {{ COMMONNAME }}
- days_remaining: 0
- days_valid: 820
- backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30
- retry:
attempts: 5
@@ -677,4 +684,4 @@ elastickeyperms:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}
{% endif %}

2
salt/telegraf/etc/telegraf.conf
View File

@@ -630,8 +630,10 @@
{% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %}
[[inputs.elasticsearch]]
servers = ["https://{{ NODEIP }}:9200"]
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
username = "{{ ES_USER }}"
password = "{{ ES_PASS }}"
{% endif %}
insecure_skip_verify = true
{% endif %}