Merge pull request #77 from defensivedepth/master

Adds osquery package generation
2025-12-06 17:22:49 +01:00 · 2019-04-08 14:38:44 -04:00
parent c162095327 e3e05133fe
commit f5ca34e03e
4 changed files with 160 additions and 0 deletions
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -31,6 +31,16 @@ fleetlogdir:
    - group: 939
    - makedirs: True
    
+fleetsetupscript:
+  file.managed:
+    - name: /opt/so/conf/fleet/so-fleet-setup.sh
+    - source: salt://fleet/so-fleet-setup.sh
+    
+osquerypackageswebpage:
+  file.managed:
+    - name: /opt/so/conf/fleet/packages/index.html
+    - source: salt://fleet/osquery-packages.html
+
 fleetdb:
  mysql_database.present:
    - name: fleet
--- a/salt/fleet/osquery-packages.html
+++ b/salt/fleet/osquery-packages.html
@@ -0,0 +1,113 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<title>Security Onion - Hybrid Hunter</title>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
+<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
+<style>
+* {
+  box-sizing: border-box;
+  font-family: Arial, Helvetica, sans-serif;
+	padding-left: 30px;
+	padding right: 30px;
+}
+
+body {
+  font-family: Arial, Helvetica, sans-serif;
+	background-color: #2a2a2a;
+
+}
+a {
+	color: #f2f2f2;
+	text-align: left;
+	padding: 0px;
+}
+/* Style the top navigation bar */
+.topnav {
+  overflow: hidden;
+  background-color: #333;
+	width: 1080px;
+}
+
+/* Style the topnav links */
+.topnav a {
+  float: left;
+  display: block;
+  color: #f2f2f2;
+  text-align: center;
+  padding: 14px 16px;
+  text-decoration: none;
+}
+
+/* Change color on hover */
+.topnav a:hover {
+  background-color: #ddd;
+  color: black;
+}
+
+/* Style the content */
+.content {
+  background-color: #2a2a2a;
+  padding: 10px;
+	padding-top: 20px;
+	padding-left: 60px;
+	color: #E3DBCC;
+	width: 1080px;
+}
+
+/* Style the footer */
+.footer {
+  background-color: #2a2a2a;
+  padding: 60px;
+	color: #E3DBCC;
+	width: 1080px;
+}
+</style>
+</head>
+<body>
+
+<div class="topnav">
+  <a href="/kibana/" target="_blank">Kibana</a>
+  <a href="/grafana/" target="_blank">Grafana</a>
+  <a href="/fleet/" target="_blank">Fleet</a>
+	<a href="/thehive/" target="_blank">TheHive</a>
+	<a href="/packages/" target="_blank">Osquery Binaries</a>
+	<a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ" target="_blank">FAQ</a>
+	<a href="https://www.securityonionsolutions.com" target="_blank">Security Onion Solutions</a>
+	<a href="https://blog.securityonion.net" target="_blank">Blog</a>
+</div>
+
+<div class="content">
+
+	<p><center><h1>Osquery Packages</h1></center><br>
+
+              <h2>Notes</h2>
+                <ul>
+                        <li>These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from <a href="https://osquery.io/downloads">osquery.io</a></li>
+                        <li>Packages are not signed.</li>
+	       	</ul>
+		<BR> <h2>Downloads</h2>
+                <ul>
+
+Generated: N/A
+                       <BR><BR>Packages:
+			<li><a href="/packages/launcher.msi" download="msi-launcher.msi">MSI (Windows)</a></li>
+                        <li><a href="/packages/launcher.deb" download="deb-launcher.deb">DEB (Debian)</a></li>
+                        <li><a href="/packages/launcher.rpm" download="rpm-launcher.rpm">RPM (RPM)</a></li>
+			<BR><BR>Config Files:
+	                <li><a href="/packages/launcher.flags" download="launcher.flags.txt">RPM & DEB Flag File</a></li>
+			 <li><a href="/packages/launcher-msi.flags" download="launcher-msi.flags.txt">MSI Flag File</a></li>
+		</ul>
+
+		<BR><h2>Known Issues</h2>
+		<ul>
+			<li>None</li>
+		</ul>
+	</p>
+</div>
+
+
+</body>
+</html>
--- a/salt/fleet/so-fleet-setup.sh
+++ b/salt/fleet/so-fleet-setup.sh
@@ -0,0 +1,35 @@
+#so-fleet-setup.sh $MasterIP $FleetEmail
+
+if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
+        echo "so-fleet container not running... Exiting..."
+        exit 1 
+fi
+
+initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
+
+docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify        
+docker exec so-fleet fleetctl setup --email $2 --password $initpw
+
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml
+
+esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret)
+
+#Concat fleet.crt & ca.crt  - this is required for launcher connectivity
+cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/fleet-launcher.crt
+
+#Create the output directory
+mkdir /opt/so/conf/fleet/packages
+
+docker run \
+  --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \
+  --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/launcher.crt \
+  defensivedepth/hh-launcher "$esecret" "$1":8080
+
+#Update timestamp on packages webpage
+sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
+
+echo "Fleet Setup Complete - Login here: https://$1"
+echo "Your username is $2 and your password is $initpw"
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -1,4 +1,5 @@
 {% set master = salt['grains.get']('master') %}
+{%- set masterip = salt['pillar.get']('static:masterip', '') -%}

 # Trust the CA

@@ -109,6 +110,7 @@ fbcrtlink:
  x509.certificate_managed:
    - signing_private_key: /etc/pki/fleet.key
    - CN: {{ master }}
+    - subjectAltName: DNS:{{ master }},IP:{{ masterip }}
    - days_remaining: 0
    - days_valid: 3650
    - backup: True