From 9df8ccac7b395289f8b1567c01bd088375d35c6e Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 26 Mar 2019 20:26:57 -0400
Subject: [PATCH 1/9] Add masterhostname & masterip to fleet.crt as SAN

---
 salt/ssl/init.sls | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index a2d2b613f..841fc32ff 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -1,4 +1,5 @@
 {% set master = salt['grains.get']('master') %}
+{%- set masterip = salt['pillar.get']('static:masterip', '') -%}
 # Trust the CA
@@ -109,6 +110,7 @@ fbcrtlink:
   x509.certificate_managed:
     - signing_private_key: /etc/pki/fleet.key
     - CN: {{ master }}
+    - subjectAltName: DNS:{{ master }},IP:{{ masterip }}
     - days_remaining: 0
     - days_valid: 3650
     - backup: True
From d19d541e325e392899205ca560bdb1e510661eba Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 27 Mar 2019 08:39:59 -0400
Subject: [PATCH 2/9] Copy over so-fleet-setup.sh

---
 salt/fleet/init.sls | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls
index f3a844ff3..6f2e298a0 100644
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -30,6 +30,11 @@ fleetlogdir:
     - user: 939
     - group: 939
     - makedirs: True
+
+fleetsetupscript:
+  file.managed:
+    - name: /opt/so/conf/fleet/so-fleet-setup.sh
+    - source: salt://fleet/so-fleet-setup.sh
 
 fleetdb:
   mysql_database.present:
From b84b356c226179f008d212ecba158871b2004043 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 27 Mar 2019 08:40:35 -0400
Subject: [PATCH 3/9] Create so-fleet-setup.sh

---
 salt/fleet/so-fleet-setup.sh | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 salt/fleet/so-fleet-setup.sh

diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh
new file mode 100644
index 000000000..41fdf854a
--- /dev/null
+++ b/salt/fleet/so-fleet-setup.sh
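Review bot: The empty-string default given to `masterip` in the first hunk is rendered unconditionally into the SAN in the second hunk, so a minion whose pillar has no `static:masterip` gets `subjectAltName: DNS:<master>,IP:` with an empty IP entry, which presumably fails inside x509.certificate_managed rather than at render time. Either drop the `''` default so a missing pillar key fails loudly, or emit the IP entry only when it is set: `- subjectAltName: DNS:{{ master }}{% if masterip %},IP:{{ masterip }}{% endif %}`. It is also worth confirming that the `master` grain holds a hostname here, since a Salt master configured by address would put an IP into the `DNS:` entry and a verifying client would still reject the certificate. The rest of the `fbcrtlink` state lies outside the hunk.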
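Review bot: `fleetsetupscript` deploys a script meant to be executed but sets no `mode`, `user` or `group`, so the file lands with whatever the salt process umask yields and is not executable after the highstate, while the neighbouring `fleetlogdir` state in the same hunk does pin ownership explicitly. Add `- mode: 750`, `- user: root` and `- group: root` under `file.managed` so the execute bit and ownership are enforced on every run rather than left to the host defaults. If the script is always invoked as `bash so-fleet-setup.sh` the execute bit is not strictly required, but pinning ownership still is, since this script bootstraps the Fleet admin account.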
@@ -0,0 +1,27 @@
+#so-fleet-setup.sh $MasterIP $FleetEmail
+
+initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
+
+docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify
+docker exec so-fleet fleetctl setup --email $2 --password $initpw
+
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml
+
+esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret)
+
+#Concat fleet.crt & ca.crt - this is required for launcher connectivity
+cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/fleet-launcher.crt
+
+#Create the output directory
+mkdir /opt/so/osquery
+
+docker run \
+  --mount type=bind,source=/opt/so/osquery,target=/output \
+  --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/fleet-launcher.crt \
+  defensivedepth/soq-launcher "$esecret" "$1"
+
+echo "Fleet Setup Complete - Login here: https://$1"
+echo "Your username is $2 and your password is $initpw"
From d9b8bc08c25dbe5cb5078a7f502d55b868896482 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 3 Apr 2019 12:28:58 -0400
Subject: [PATCH 4/9] update so-fleet-setup.sh for new hh-launcher docker

---
 salt/fleet/so-fleet-setup.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh
index 41fdf854a..d459df8e3 100644
--- a/salt/fleet/so-fleet-setup.sh
+++ b/salt/fleet/so-fleet-setup.sh
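Review bot: The initial Fleet admin password on the `initpw=` line is derived solely from `date +%s`, so it has one second of entropy and anyone who can bound when setup ran can reproduce it offline; it needs to come from the system CSPRNG instead. The file also has no shebang (its first line is a comment, so it runs under whatever shell the caller uses), never validates that `$1` and `$2` were supplied, and has no `set -e`, so a failed `fleetctl setup` still ends with "Fleet Setup Complete" and a password that was never set. Now that patch 1 puts the master name and IP into fleet.crt's SAN, `--tls-skip-verify` on the `config set` line could be dropped if the so-fleet container trusts /etc/pki/ca.crt; if it does not, it should at least be commented as a deliberate local-only exception. The rewritten header below covers the first three points; the remaining lines are unchanged.

```shell
#!/bin/bash
#so-fleet-setup.sh $MasterIP $FleetEmail
set -eu

if [ "$#" -ne 2 ]; then
  echo "usage: $0 MasterIP FleetEmail" >&2
  exit 1
fi

# CSPRNG-backed initial password; the epoch second is guessable by anyone
# who knows roughly when setup ran. Assumes openssl is on the master.
initpw=$(openssl rand -base64 24 | tr -d '/+=' | cut -c1-16)

# … unchanged: fleetctl config/setup, pack apply, enroll-secret, cert concat, launcher run, final echo …
```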
@@ -16,12 +16,12 @@ esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret)
 cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/fleet-launcher.crt
 
 #Create the output directory
-mkdir /opt/so/osquery
+mkdir /opt/so/conf/fleet/packages
 
 docker run \
-  --mount type=bind,source=/opt/so/osquery,target=/output \
-  --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/fleet-launcher.crt \
-  defensivedepth/soq-launcher "$esecret" "$1"
+  --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \
+  --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/launcher.crt \
+  defensivedepth/hh-launcher "$esecret" "$1":8080
 
 echo "Fleet Setup Complete - Login here: https://$1"
 echo "Your username is $2 and your password is $initpw"
From b11668b6010444e081f58c688fc70d7419b7007a Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 4 Apr 2019 06:06:35 -0400
Subject: [PATCH 5/9] Update timestamp on packages webpage

---
 salt/fleet/so-fleet-setup.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh
index d459df8e3..4fe2527d8 100644
--- a/salt/fleet/so-fleet-setup.sh
+++ b/salt/fleet/so-fleet-setup.sh
@@ -23,5 +23,8 @@ docker run \
   --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/launcher.crt \
   defensivedepth/hh-launcher "$esecret" "$1":8080
 
+#Update timestamp on packages webpage
+sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
+
 echo "Fleet Setup Complete - Login here: https://$1"
 echo "Your username is $2 and your password is $initpw"
From ca8a774c19130b0fe20e756fd9eb608d6b12b214 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 4 Apr 2019 06:12:34 -0400
Subject: [PATCH 6/9] Create osquery-packages.html

---
 salt/fleet/osquery-packages.html | 113 +++++++++++++++++++++++++++++++
 1 file changed, 113 insertions(+)
 create mode 100644 salt/fleet/osquery-packages.html
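Review bot: `mkdir /opt/so/conf/fleet/packages` still has no `-p`, so a second run of the script, or a highstate that already created the directory, fails the mkdir and, because this file has no `set -e`, the launcher run goes ahead anyway; `mkdir -p /opt/so/conf/fleet/packages` is the one-line fix. The launcher is now handed `"$1":8080` while fleetctl on the lines above talks to `https://$1:443`; if 8080 is a plaintext listener, the enroll secret the launcher carries would go over the network in the clear, so it is worth confirming that port terminates TLS with the bundle mounted as launcher.crt and noting that in the comment above the docker run. The enclosing script continues outside the hunk.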
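Review bot: The `sed` expression `s@.*Generated.*@Generated: ...@g` replaces the entire line wherever `Generated` appears, so any markup surrounding the placeholder in index.html is discarded and every other line containing that word is rewritten too; match only the placeholder, e.g. `sed -i "s@Generated: [^<]*@Generated: $(date '+%Y-%m-%d')@" /opt/so/conf/fleet/packages/index.html`, adjusting the left side to however the placeholder is actually spelled in the HTML. As of this patch nothing in the repository puts index.html into that directory before the script runs (presumably the launcher container writes it), so `sed -i` errors on a missing file and the script still prints "Fleet Setup Complete". `%m%d%Y` with no separators is also ambiguous to read; an ISO date avoids that.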
diff --git a/salt/fleet/osquery-packages.html b/salt/fleet/osquery-packages.html new file mode 100644 index 000000000..b30cd1343 --- /dev/null +++ b/salt/fleet/osquery-packages.html @@ -0,0 +1,113 @@ + + + +Security Onion - Hybrid Hunter + + + + + + + + + + +
+ +

Osquery Packages


+ +

Notes

+
    +
  • These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from osquery.io
  • +
  • Packages are not signed.
  • +
+

Downloads

+ + +

Known Issues

+
    +
  • None
  • +
+

+
+ + + + From 55fcb930cddd67314bcd58cb03ecf74c0ab6c6f8 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 4 Apr 2019 06:15:09 -0400 Subject: [PATCH 7/9] Add osquery-packages.html --- salt/fleet/init.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index 6f2e298a0..9986d40a9 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -35,6 +35,11 @@ fleetsetupscript: file.managed: - name: /opt/so/conf/fleet/so-fleet-setup.sh - source: salt://fleet/so-fleet-setup.sh + +osquerypackageswebpage: + file.managed: + - name: /opt/so/conf/fleet/packages/index.html + - source: salt://fleet/osquery-packages.html fleetdb: mysql_database.present: From 7607739fca7bc3b5e2a8d7c4dd2463459dde28d5 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 4 Apr 2019 07:52:12 -0400 Subject: [PATCH 8/9] Update osquery-packages.html --- salt/fleet/osquery-packages.html | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/fleet/osquery-packages.html b/salt/fleet/osquery-packages.html index b30cd1343..c94ba89b9 100644 --- a/salt/fleet/osquery-packages.html +++ b/salt/fleet/osquery-packages.html @@ -91,14 +91,14 @@ a {
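Review bot: `osquerypackageswebpage` writes into `/opt/so/conf/fleet/packages/`, a directory that only the setup script's `mkdir` creates, so a highstate that runs before `so-fleet-setup.sh` fails this state on the missing parent; add `- makedirs: True`, as `fleetlogdir` does earlier in this file. Because the setup script edits this same file in place with `sed -i`, every later highstate will also overwrite the edited copy and revert the Generated timestamp; `- replace: False` would keep the deployed copy, at the cost of not pushing future changes to the page, so the intended behaviour should be decided and documented on the state.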

Downloads


Known Issues

From 91d814f4eb8b13bc378cbc6530d3a34028ef1d66 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 4 Apr 2019 08:03:34 -0400
Subject: [PATCH 9/9] added pre-flight check (is so-fleet running?)

---
 salt/fleet/so-fleet-setup.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh
index 4fe2527d8..64d7fe435 100644
--- a/salt/fleet/so-fleet-setup.sh
+++ b/salt/fleet/so-fleet-setup.sh
@@ -1,5 +1,10 @@
 #so-fleet-setup.sh $MasterIP $FleetEmail
+if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
+  echo "so-fleet container not running... Exiting..."
+  exit 1
+fi
+
 initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
 
 docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify
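Review bot: `docker ps -q -f name=so-fleet` matches on a substring of the container name, so the pre-flight check passes as soon as any running container has `so-fleet` somewhere in its name, not only the one the `docker exec` calls below target; anchor the filter, `if [ -z "$(docker ps -q -f 'name=^/?so-fleet$')" ]; then`, or query the container directly with `docker inspect`. The `[ ! "$(...)" ]` form also reads as a negated string rather than an emptiness test, and `-z` states the intent. The remainder of the script, including the `fleetctl setup` call that consumes `$2`, lies outside the hunk.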