mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-08 10:12:53 +01:00
Merge branch 'Security-Onion-Solutions:2.4/dev' into 2.4/dev
This commit is contained in:
Elijah Gibson
GitHub
@@ -27,6 +27,7 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
{%- endraw -%}
|
{%- endraw -%}
|
||||||
|
|||||||
@@ -28,6 +28,7 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
{%- endraw -%}
|
{%- endraw -%}
|
||||||
|
|||||||
@@ -39,6 +39,7 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
{%- endraw -%}
|
{%- endraw -%}
|
||||||
|
|||||||
@@ -16,5 +16,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -73,5 +73,6 @@
|
|||||||
"system-system/metrics": {
|
"system-system/metrics": {
|
||||||
"enabled": false
|
"enabled": false
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -63,5 +63,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -102,5 +102,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -25,5 +25,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -28,5 +28,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -25,5 +25,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -25,5 +25,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -16,5 +16,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -72,5 +72,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -25,5 +25,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -25,5 +25,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -25,5 +25,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -25,5 +25,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -25,5 +25,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -25,5 +25,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -28,5 +28,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -29,5 +29,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -36,5 +36,6 @@
|
|||||||
"system-system/metrics": {
|
"system-system/metrics": {
|
||||||
"enabled": false
|
"enabled": false
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -16,5 +16,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -36,5 +36,6 @@
|
|||||||
"system-system/metrics": {
|
"system-system/metrics": {
|
||||||
"enabled": false
|
"enabled": false
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
"force": true
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -26,7 +26,12 @@ so-elasticsearch:
|
|||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
|
- ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
|
||||||
- extra_hosts: {{ LOGSTASH_NODES }}
|
- extra_hosts:
|
||||||
|
{% for node in LOGSTASH_NODES %}
|
||||||
|
{% for hostname, ip in node.items() %}
|
||||||
|
- {{hostname}}:{{ip}}
|
||||||
|
{% endfor %}
|
||||||
|
{% endfor %}
|
||||||
{% if DOCKER.containers['so-elasticsearch'].extra_hosts %}
|
{% if DOCKER.containers['so-elasticsearch'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %}
|
{% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
|
|||||||
@@ -8,12 +8,7 @@
|
|||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKER %}
|
||||||
{% from 'logstash/map.jinja' import LOGSTASH_MERGED %}
|
{% from 'logstash/map.jinja' import LOGSTASH_MERGED %}
|
||||||
{% from 'logstash/map.jinja' import REDIS_NODES %}
|
{% from 'logstash/map.jinja' import LOGSTASH_NODES %}
|
||||||
{# we append the manager here so that it is added to extra_hosts so the heavynode can resolve it #}
|
|
||||||
{# we cannont append in the logstash/map.jinja because then it would be added to the 0900_input_redis.conf #}
|
|
||||||
{% if GLOBALS.role == 'so-heavynode' %}
|
|
||||||
{% do REDIS_NODES.append({GLOBALS.manager:GLOBALS.manager_ip}) %}
|
|
||||||
{% endif %}
|
|
||||||
{% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
|
{% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
@@ -33,7 +28,12 @@ so-logstash:
|
|||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
|
- ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
|
||||||
- user: logstash
|
- user: logstash
|
||||||
- extra_hosts: {{ REDIS_NODES }}
|
- extra_hosts:
|
||||||
|
{% for node in LOGSTASH_NODES %}
|
||||||
|
{% for hostname, ip in node.items() %}
|
||||||
|
- {{hostname}}:{{ip}}
|
||||||
|
{% endfor %}
|
||||||
|
{% endfor %}
|
||||||
{% if DOCKER.containers['so-logstash'].extra_hosts %}
|
{% if DOCKER.containers['so-logstash'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %}
|
{% for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
|
|||||||
@@ -3,7 +3,7 @@ output {
|
|||||||
if [metadata][pipeline] {
|
if [metadata][pipeline] {
|
||||||
if [metadata][_id] {
|
if [metadata][_id] {
|
||||||
elasticsearch {
|
elasticsearch {
|
||||||
hosts => "{{ GLOBALS.manager }}"
|
hosts => "{{ GLOBALS.hostname }}"
|
||||||
ecs_compatibility => v8
|
ecs_compatibility => v8
|
||||||
data_stream => true
|
data_stream => true
|
||||||
user => "{{ ES_USER }}"
|
user => "{{ ES_USER }}"
|
||||||
@@ -17,7 +17,7 @@ output {
|
|||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
elasticsearch {
|
elasticsearch {
|
||||||
hosts => "{{ GLOBALS.manager }}"
|
hosts => "{{ GLOBALS.hostname }}"
|
||||||
ecs_compatibility => v8
|
ecs_compatibility => v8
|
||||||
data_stream => true
|
data_stream => true
|
||||||
user => "{{ ES_USER }}"
|
user => "{{ ES_USER }}"
|
||||||
@@ -30,7 +30,7 @@ output {
|
|||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
elasticsearch {
|
elasticsearch {
|
||||||
hosts => "{{ GLOBALS.manager }}"
|
hosts => "{{ GLOBALS.hostname }}"
|
||||||
ecs_compatibility => v8
|
ecs_compatibility => v8
|
||||||
data_stream => true
|
data_stream => true
|
||||||
user => "{{ ES_USER }}"
|
user => "{{ ES_USER }}"
|
||||||
|
|||||||
@@ -470,6 +470,18 @@ soc:
|
|||||||
- rule.action
|
- rule.action
|
||||||
- rule.reason
|
- rule.reason
|
||||||
- network.community_id
|
- network.community_id
|
||||||
|
':pfsense:':
|
||||||
|
- soc_timestamp
|
||||||
|
- source.ip
|
||||||
|
- source.port
|
||||||
|
- destination.ip
|
||||||
|
- destination.port
|
||||||
|
- network.transport
|
||||||
|
- network.direction
|
||||||
|
- observer.ingress.interface.name
|
||||||
|
- event.action
|
||||||
|
- event.reason
|
||||||
|
- network.community_id
|
||||||
':osquery:':
|
':osquery:':
|
||||||
- soc_timestamp
|
- soc_timestamp
|
||||||
- source.ip
|
- source.ip
|
||||||
@@ -1348,7 +1360,7 @@ soc:
|
|||||||
showSubtitle: true
|
showSubtitle: true
|
||||||
- name: Firewall
|
- name: Firewall
|
||||||
description: Firewall events grouped by action
|
description: Firewall events grouped by action
|
||||||
query: 'tags:firewall | groupby rule.action'
|
query: 'observer.type:firewall | groupby event.action'
|
||||||
showSubtitle: true
|
showSubtitle: true
|
||||||
dashboards:
|
dashboards:
|
||||||
advanced: true
|
advanced: true
|
||||||
@@ -1551,7 +1563,7 @@ soc:
|
|||||||
query: 'tags:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
|
query: 'tags:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||||
- name: Firewall
|
- name: Firewall
|
||||||
description: Firewall logs
|
description: Firewall logs
|
||||||
query: 'tags:firewall | groupby -sankey rule.action interface.name | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port'
|
query: 'observer.type:firewall | groupby -sankey event.action observer.ingress.interface.name | groupby event.action | groupby observer.ingress.interface.name | groupby network.type | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||||
- name: VLAN
|
- name: VLAN
|
||||||
description: VLAN (Virtual Local Area Network) tagged logs
|
description: VLAN (Virtual Local Area Network) tagged logs
|
||||||
query: '* AND _exists_:network.vlan.id | groupby network.vlan.id | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby event.dataset | groupby event.module | groupby observer.name | groupby source.geo.country_name | groupby destination.geo.country_name'
|
query: '* AND _exists_:network.vlan.id | groupby network.vlan.id | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby event.dataset | groupby event.module | groupby observer.name | groupby source.geo.country_name | groupby destination.geo.country_name'
|
||||||
|
|||||||
@@ -33,7 +33,12 @@ so-soc:
|
|||||||
- /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
|
- /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
|
||||||
- /opt/so/conf/soc/queue:/opt/sensoroni/queue:rw
|
- /opt/so/conf/soc/queue:/opt/sensoroni/queue:rw
|
||||||
- /opt/so/saltstack:/opt/so/saltstack:rw
|
- /opt/so/saltstack:/opt/so/saltstack:rw
|
||||||
- extra_hosts: {{ DOCKER_EXTRA_HOSTS }}
|
- extra_hosts:
|
||||||
|
{% for node in DOCKER_EXTRA_HOSTS %}
|
||||||
|
{% for hostname, ip in node.items() %}
|
||||||
|
- {{hostname}}:{{ip}}
|
||||||
|
{% endfor %}
|
||||||
|
{% endfor %}
|
||||||
{% if DOCKER.containers['so-soc'].extra_hosts %}
|
{% if DOCKER.containers['so-soc'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %}
|
{% for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
|
|||||||
@@ -33,7 +33,7 @@ log_has_errors() {
|
|||||||
# Ignore Failed: 0 since that is the salt state output, and we detect state failures
|
# Ignore Failed: 0 since that is the salt state output, and we detect state failures
|
||||||
# via Result: False already.
|
# via Result: False already.
|
||||||
|
|
||||||
# This is ignored for Ubuntu
|
# This is ignored for Ubuntu:
|
||||||
# Failed to restart snapd.mounts-pre.target: Operation refused, unit snapd.mounts-pre.target
|
# Failed to restart snapd.mounts-pre.target: Operation refused, unit snapd.mounts-pre.target
|
||||||
# may be requested by dependency only (it is configured to refuse manual start/stop).
|
# may be requested by dependency only (it is configured to refuse manual start/stop).
|
||||||
|
|
||||||
@@ -41,6 +41,10 @@ log_has_errors() {
|
|||||||
|
|
||||||
# "remove failed" is caused by a warning generated by upgrade of libwbclient
|
# "remove failed" is caused by a warning generated by upgrade of libwbclient
|
||||||
|
|
||||||
|
# Exit code 100 failure is likely apt-get running in the background, we wait for it to unlock.
|
||||||
|
|
||||||
|
# Failed to deduce dest mapping appears to occur when a shard isn't yet ready. Temporary.
|
||||||
|
|
||||||
grep -E "FAILED|Failed|failed|ERROR|Result: False|Error is not recoverable" "$setup_log" | \
|
grep -E "FAILED|Failed|failed|ERROR|Result: False|Error is not recoverable" "$setup_log" | \
|
||||||
grep -vE "The Salt Master has cached the public key for this node" | \
|
grep -vE "The Salt Master has cached the public key for this node" | \
|
||||||
grep -vE "Minion failed to authenticate with the master" | \
|
grep -vE "Minion failed to authenticate with the master" | \
|
||||||
@@ -58,6 +62,7 @@ log_has_errors() {
|
|||||||
grep -vE "remove failed" | \
|
grep -vE "remove failed" | \
|
||||||
grep -vE "Failed to restart snapd" | \
|
grep -vE "Failed to restart snapd" | \
|
||||||
grep -vE "Login Failed Details" | \
|
grep -vE "Login Failed Details" | \
|
||||||
|
grep -vE "Failed to deduce dest mappings" | \
|
||||||
grep -vE "response from daemon: unauthorized" | \
|
grep -vE "response from daemon: unauthorized" | \
|
||||||
grep -vE "Reading first line of patchfile" | \
|
grep -vE "Reading first line of patchfile" | \
|
||||||
grep -vE "Command failed with exit code" | \
|
grep -vE "Command failed with exit code" | \
|
||||||
|
|||||||
Reference in New Issue
Block a user