Merge pull request #34 from TOoSmOotH/master

Hybrid Hunter 1.0.7
Mike Reeves
2019-04-03 11:00:50 -04:00
committed by GitHub
20 changed files with 394 additions and 66 deletions


@@ -1,3 +1,4 @@
{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
# Add socore Group # Add socore Group
socoregroup: socoregroup:
group.present: group.present:
@@ -102,7 +103,7 @@ nginxtmp:
# Start the core docker # Start the core docker
so-core: so-core:
docker_container.running: docker_container.running:
- image: soshybridhunter/so-core:HH1.0.5 - image: soshybridhunter/so-core:HH1.0.7
- hostname: so-core - hostname: so-core
- user: socore - user: socore
- binds: - binds:
@@ -113,6 +114,7 @@ so-core:
- /opt/so/tmp/nginx/:/run:rw - /opt/so/tmp/nginx/:/run:rw
- /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
- /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
- /opt/so/conf/fleet/packages:/opt/so/html/packages
- cap_add: NET_BIND_SERVICE - cap_add: NET_BIND_SERVICE
- port_bindings: - port_bindings:
- 80:80 - 80:80
@@ -155,7 +157,7 @@ tgrafconf:
so-telegraf: so-telegraf:
docker_container.running: docker_container.running:
- image: soshybridhunter/so-telegraf:HH1.0.4 - image: soshybridhunter/so-telegraf:HH1.0.7
- environment: - environment:
- HOST_PROC=/host/proc - HOST_PROC=/host/proc
- HOST_ETC=/host/etc - HOST_ETC=/host/etc
@@ -187,7 +189,7 @@ so-telegraf:
- /opt/so/conf/telegraf/scripts - /opt/so/conf/telegraf/scripts
# If its a master or eval lets install the back end for now # If its a master or eval lets install the back end for now
{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %} {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' and GRAFANA == 1 %}
# Influx DB # Influx DB
influxconfdir: influxconfdir:
@@ -210,7 +212,7 @@ influxdbconf:
so-influxdb: so-influxdb:
docker_container.running: docker_container.running:
- image: soshybridhunter/so-influxdb:HH1.0.4 - image: soshybridhunter/so-influxdb:HH1.0.7
- hostname: influxdb - hostname: influxdb
- environment: - environment:
- INFLUXDB_HTTP_LOG_ENABLED=false - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -367,7 +369,7 @@ dashboard-{{ SN }}:
# Install the docker. This needs to be behind nginx at some point # Install the docker. This needs to be behind nginx at some point
so-grafana: so-grafana:
docker_container.running: docker_container.running:
- image: soshybridhunter/so-grafana:HH1.0.4 - image: soshybridhunter/so-grafana:HH1.0.7
- hostname: grafana - hostname: grafana
- user: socore - user: socore
- binds: - binds:
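Review bot: The guard on the telegraf hunk's last changed line, `{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' and GRAFANA == 1 %}`, binds `and` tighter than `or`, so a so-master still gets InfluxDB and Grafana whatever the pillar says and only so-eval honours the new flag. If GRAFANA is meant to gate both roles, parenthesise it: `{% if (grains['role'] == 'so-master' or grains['role'] == 'so-eval') and GRAFANA == 1 %}`. GRAFANA is read with a string default `'0'` and compared to the integer 1, which only works because the so-setup hunk writes `grafana: 1` as a YAML integer; an integer default `0` in the first hunk would make that explicit. The new `/opt/so/conf/fleet/packages:/opt/so/html/packages` bind on so-core is the only mount in that list without a mode suffix; if nginx only serves those packages, `:ro` would match its neighbours.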


@@ -136,6 +136,28 @@ http {
} }
location /thehive/ {
proxy_pass http://{{ masterip }}:9000/thehive/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /soctopus/ {
proxy_pass http://{{ masterip }}:7000/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
error_page 404 /404.html; error_page 404 /404.html;
location = /40x.html { location = /40x.html {
} }
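Review bot: Neither new location forwards the original scheme, so TheHive on 9000 and SOCtopus on 7000 see a plain-HTTP request and any absolute URL or redirect they build will point at `http://` unless each application is told otherwise; add `proxy_set_header X-Forwarded-Proto $scheme;` next to the X-Forwarded-For line in both blocks. The `/soctopus/` block also lacks the `proxy_http_version 1.1;` that `/thehive/` carries, so the two should be aligned or the difference commented. The second nginx file section in this commit adds the identical two blocks and needs the same change. The enclosing server block starts and ends outside the hunk.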


@@ -136,6 +136,29 @@ http {
} }
location /thehive/ {
proxy_pass http://{{ masterip }}:9000/thehive/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /soctopus/ {
proxy_pass http://{{ masterip }}:7000/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
error_page 404 /404.html; error_page 404 /404.html;
location = /40x.html { location = /40x.html {
} }


@@ -389,6 +389,17 @@ enable_standard_analyst_3000_{{ip}}:
- position: 1 - position: 1
- save: True - save: True
enable_standard_analyst_7000_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 7000
- position: 1
- save: True
enable_standard_analyst_9000_{{ip}}: enable_standard_analyst_9000_{{ip}}:
iptables.insert: iptables.insert:
- table: filter - table: filter
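Review bot: The new `enable_standard_analyst_7000_{{ip}}` rule lets analyst addresses reach SOCtopus directly on tcp/7000, bypassing the TLS-terminating `/soctopus/` nginx location this same commit adds, because the soctopus state publishes the container on `0.0.0.0:7000:7000`. If analysts are meant to use the nginx path, drop this rule and bind the container to loopback in the soctopus state (`- 127.0.0.1:7000:7000`) so only nginx on the same host can reach it; if direct access is intended, a comment above the rule saying so would stop the next reviewer from removing it. The template logic that supplies `{{ ip }}` is outside the hunk, so I cannot tell whether this is rendered once per analyst address.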


@@ -1,3 +1,25 @@
hiveconfdir:
file.directory:
- name: /opt/so/conf/hive/etc
- makedirs: True
- user: 939
- group: 939
hivelogdir:
file.directory:
- name: /opt/so/log/hive
- makedirs: True
- user: 939
- group: 939
hiveconf:
file.recurse:
- name: /opt/so/conf/hive/etc
- source: salt://hive/thehive/etc
- user: 939
- group: 939
- template: jinja
# Install Elasticsearch # Install Elasticsearch
# Made directory for ES data to live in # Made directory for ES data to live in
@@ -5,27 +27,36 @@ hiveesdata:
file.directory: file.directory:
- name: /nsm/hive/esdata - name: /nsm/hive/esdata
- makedirs: True - makedirs: True
- user: 939
- group: 939
so-thehive-es: so-thehive-es:
docker_container.running: docker_container.running:
- image: docker.elastic.co/elasticsearch/elasticsearch:5.6.0 - image: soshybridhunter/so-thehive-es:HH1.0.7
- hostname: so-thehive-es - hostname: so-thehive-es
- name: so-thehive-es - name: so-thehive-es
- user: 939
- interactive: True - interactive: True
- tty: True - tty: True
- binds: - binds:
- /nsm/hive/esdata:/usr/share/elasticsearch/data:rw - /nsm/hive/esdata:/usr/share/elasticsearch/data:rw
- /opt/so/conf/hive/etc/es/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
- /opt/so/conf/hive/etc/es/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
- /opt/so/log/hive:/var/log/elasticsearch:rw
- environment: - environment:
- http.host=0.0.0.0 - http.host=0.0.0.0
- http.port=9400 - http.port=9400
- transport.tcp.port=9500 - transport.tcp.port=9500
- transport.host=0.0.0.0 - transport.host=0.0.0.0
- xpack.security.enabled=false
- cluster.name=hive - cluster.name=hive
- script.inline=true - script.inline=true
- thread_pool.index.queue_size=100000 - thread_pool.index.queue_size=100000
- thread_pool.search.queue_size=100000 - thread_pool.search.queue_size=100000
- thread_pool.bulk.queue_size=100000 - thread_pool.bulk.queue_size=100000
- ES_JAVA_OPTS=-Xms512m -Xmx512m
- port_bindings:
- 0.0.0.0:9400:9400
- 0.0.0.0:9500:9500
# Install Cortex # Install Cortex
@@ -34,21 +65,21 @@ so-cortex:
- image: thehiveproject/cortex:latest - image: thehiveproject/cortex:latest
- hostname: so-cortex - hostname: so-cortex
- name: so-cortex - name: so-cortex
- port_bindings:
# Install Hive - 0.0.0.0:9001:9001
hiveconfdir:
file.directory:
- name: /opt/so/conf/hive/etc
- makedirs: True
hiveconf:
file.managed:
- name: /opt/so/conf/hive/etc/application.conf
- source: salt://hive/thehive/etc/application.conf
- template: jinja
so-thehive: so-thehive:
docker_container.running: docker_container.running:
- image: thehiveproject/thehive:latest - image: soshybridhunter/so-thehive:HH1.0.7
- hostname: so-thehive - hostname: so-thehive
- name: so-thehive - name: so-thehive
- user: 939
- binds:
- /opt/so/conf/hive/etc/application.conf:/opt/thehive/conf/application.conf:ro
- port_bindings:
- 0.0.0.0:9000:9000
hivescript:
cmd.script:
- source: salt://hive/thehive/scripts/hive_init.sh
- template: jinja
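Review bot: The so-thehive-es hunk publishes Elasticsearch on `0.0.0.0:9400:9400` and `0.0.0.0:9500:9500` while its environment sets `xpack.security.enabled=false`, so the TheHive case store accepts unauthenticated HTTP and transport connections from any host the DOCKER-USER chain admits. If so-thehive and so-cortex reach it only from this same minion, bind both ports to loopback (`- 127.0.0.1:9400:9400`, `- 127.0.0.1:9500:9500`); if a remote node needs them, a firewall state limited to that node should land with this change. Cortex stays on `thehiveproject/cortex:latest` with a new `0.0.0.0:9001:9001` binding while the neighbouring images were pinned to HH1.0.7, so it is both unpinned and raises the same exposure question. The environment block on so-thehive-es and the new elasticsearch.yml mounted `:ro` now carry the same settings twice; one of them should be the source of truth.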


@@ -4,6 +4,7 @@
# The secret key is used to secure cryptographic functions. # The secret key is used to secure cryptographic functions.
# WARNING: If you deploy your application on several servers, make sure to use the same key. # WARNING: If you deploy your application on several servers, make sure to use the same key.
play.http.secret.key="letsdewdis" play.http.secret.key="letsdewdis"
play.http.context=/thehive/
# Elasticsearch # Elasticsearch
search { search {
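Review bot: `play.http.secret.key="letsdewdis"` stays a fixed literal on the context line above the new `play.http.context=/thehive/`, so every deployment rendered from this template signs Play sessions with the same publicly known key. This commit already generates a per-install `HIVEKEY` in so-setup and renders it from pillar, and the hiveconf state renders this file with `template: jinja`, so the secret can be handled the same way, e.g. `play.http.secret.key="{{ salt['pillar.get']('static:hivesecret', '') }}"` (`hivesecret` is a constructed name; pick whatever fits the pillar layout) backed by a value generated in `generate_passwords`.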


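--- /dev/null
+++ b/[path not shown on page: TheHive Elasticsearch elasticsearch.yml]
@@ -0,0 +1,17 @@
+cluster.name: "hive"
+network.host: 0.0.0.0
+discovery.zen.minimum_master_nodes: 1
+# This is a test -- if this is here, then the volume is mounted correctly.
+path.logs: /var/log/elasticsearch
+action.destructive_requires_name: true
+transport.bind_host: 0.0.0.0
+transport.publish_host: 0.0.0.0
+transport.publish_port: 9500
+http.host: 0.0.0.0
+http.port: 9400
+transport.tcp.port: 9500
+transport.host: 0.0.0.0
+script.inline: true
+thread_pool.index.queue_size: 100000
+thread_pool.search.queue_size: 100000
+thread_pool.bulk.queue_size: 100000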
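Review bot: `cluster.name`, `http.host`/`http.port`, `transport.tcp.port`/`transport.host`, `script.inline` and the three `thread_pool.*.queue_size` values in this new file are also passed as environment variables in the so-thehive-es container definition, so each setting now lives in two places that can silently disagree; keep them here and drop the duplicates from the environment block (or the reverse). `network.host: 0.0.0.0` together with `transport.bind_host`, `transport.publish_host`, `transport.host` and `http.host` all set to 0.0.0.0 states the same thing several times; `network.host` alone covers it. The `# This is a test -- if this is here, then the volume is mounted correctly.` line reads like leftover mount debugging and should become a purpose comment such as `# Elasticsearch settings for the TheHive datastore; mounted read-only into so-thehive-es`.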


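--- /dev/null
+++ b/[path not shown on page: TheHive Elasticsearch log4j2.properties]
@@ -0,0 +1,20 @@
+status = error
+#appender.console.type = Console
+#appender.console.name = console
+#appender.console.layout.type = PatternLayout
+#appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n
+#rootLogger.level = info
+#rootLogger.appenderRef.console.ref = console
+# This is a test -- if this here, then the volume is mounted correctly.
+appender.rolling.type = RollingFile
+appender.rolling.name = rolling
+appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log
+appender.rolling.layout.type = PatternLayout
+appender.rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %.10000m%n
+appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}.log
+appender.rolling.policies.type = Policies
+appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
+appender.rolling.policies.time.interval = 1
+appender.rolling.policies.time.modulate = true
+rootLogger.level = info
+rootLogger.appenderRef.rolling.ref = rolling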
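Review bot: The rolling appender rolls daily (`TimeBasedTriggeringPolicy`, interval 1) but no rollover strategy with a delete action is configured, so rolled log files under the bound /opt/so/log/hive directory accumulate indefinitely; add a `DefaultRolloverStrategy` that prunes by age or total size, or state in a comment that host logrotate is expected to handle it. With the console appender commented out, `docker logs so-thehive-es` shows nothing, which makes a failed start harder to diagnose; keeping the console appender alongside the rolling file costs little. The `# This is a test -- if this here, then the volume is mounted correctly.` line is leftover debugging text with a missing word; replace it with a purpose comment such as `# log4j2 configuration for the TheHive Elasticsearch container, mounted read-only from /opt/so/conf/hive/etc/es`.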


@@ -0,0 +1,37 @@
#!/bin/bash
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
{%- set HIVEUSER = salt['pillar.get']('static:hiveuser', '') %}
{%- set HIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %}
{%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}
hive_init(){
sleep 60
HIVE_IP="{{MASTERIP}}"
HIVE_USER="{{HIVEUSER}}"
HIVE_PASSWORD="{{HIVEPASSWORD}}"
SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
# Migrate DB
curl -v -k -XPOST "https://$HIVE_IP:/thehive/api/maintenance/migrate"
# Generate unique ID for apikey
HIVE_KEY="{{HIVEKEY}}"
# Create intial TheHive user
curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}"
# Update SOCtopus config with apikey value
#sed -i "s/hive_key = .*/hive_key = $HIVE_KEY/" $SOCTOPUS_CONFIG
# Check for correct authentication
#curl -v -k -H "Authorization: Bearer $HIVE_KEY" "https://$HIVE_IP/thehive/api/user/$USER"
touch /opt/so/state/thehive.txt
}
if [ -f /opt/so/state/thehive.txt ]; then
exit 0
else
hive_init
fi
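Review bot: `hive_init` writes the `/opt/so/state/thehive.txt` marker unconditionally after a fixed `sleep 60` and neither curl call is checked, so if TheHive is not up within a minute the migrate and user-creation requests fail silently and the marker still stops every later highstate from retrying, leaving the install with no admin account. Poll for readiness with a bounded loop, run the API calls with `--fail`, and only touch the marker when both succeed so a non-zero exit makes the cmd.script state fail and rerun next time. `-k` disables certificate verification; the host certificate is bound into so-core from `/etc/pki/masterssl.crt`, so `--cacert /etc/pki/masterssl.crt` would verify it if it is self-signed, otherwise keep `-k` with a comment saying why. The migrate URL has a stray colon, `https://$HIVE_IP:/thehive/...`, which should read `https://$HIVE_IP/thehive/...`. Because `template: jinja` bakes the password and API key into the rendered script, and as far as I can tell cmd.script fetches that rendered copy to the minion before executing it, the secrets persist on disk in clear text; worth a follow-up even though the fix is outside this hunk.
```shell
hive_init(){
  HIVE_IP="{{MASTERIP}}"
  HIVE_USER="{{HIVEUSER}}"
  HIVE_PASSWORD="{{HIVEPASSWORD}}"
  HIVE_KEY="{{HIVEKEY}}"
  SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
  # Wait for TheHive to answer through nginx instead of sleeping a fixed time;
  # give up after ~5 minutes so a broken container fails the state instead of hanging it.
  for _ in $(seq 1 60); do
    curl -sf -o /dev/null -k "https://$HIVE_IP/thehive/" && break
    sleep 5
  done
  # --fail turns HTTP 4xx/5xx into a non-zero exit; bail before writing the marker.
  curl -sf -k -XPOST "https://$HIVE_IP/thehive/api/maintenance/migrate" || return 1
  # Create initial TheHive user
  curl -sf -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}" || return 1
  # … unchanged: commented-out SOCtopus sed and authentication check …
  # Only record completion once both calls succeeded; a failure leaves the marker absent so the state reruns.
  touch /opt/so/state/thehive.txt
}
# … unchanged: marker check that calls hive_init …
```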


@@ -57,7 +57,7 @@ synckibanacustom:
# Start the kibana docker # Start the kibana docker
so-kibana: so-kibana:
docker_container.running: docker_container.running:
- image: soshybridhunter/so-kibana:HH1.0.6 - image: soshybridhunter/so-kibana:HH1.0.7
- hostname: kibana - hostname: kibana
- user: kibana - user: kibana
- environment: - environment:


@@ -7,25 +7,25 @@
# /usr/share/logstash/pipeline.custom/1234_input_custom.conf # /usr/share/logstash/pipeline.custom/1234_input_custom.conf
## ##
# All of the defaults are loaded. # All of the defaults are loaded.
/usr/share/logstash/pipeline.so/0000_input_syslogng.conf #/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
/usr/share/logstash/pipeline.so/0001_input_json.conf #/usr/share/logstash/pipeline.so/0001_input_json.conf
/usr/share/logstash/pipeline.so/0002_input_windows_json.conf #/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
/usr/share/logstash/pipeline.so/0003_input_syslog.conf #/usr/share/logstash/pipeline.so/0003_input_syslog.conf
/usr/share/logstash/pipeline.so/0005_input_suricata.conf #/usr/share/logstash/pipeline.so/0005_input_suricata.conf
/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf /usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
/usr/share/logstash/pipeline.so/0007_input_import.conf /usr/share/logstash/pipeline.so/0007_input_import.conf
/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf #/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf #/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
/usr/share/logstash/pipeline.so/1002_preprocess_json.conf #/usr/share/logstash/pipeline.so/1002_preprocess_json.conf
/usr/share/logstash/pipeline.so/1003_preprocess_bro.conf /usr/share/logstash/pipeline.so/1003_preprocess_bro.conf
/usr/share/logstash/pipeline.so/1004_preprocess_syslog_types.conf #/usr/share/logstash/pipeline.so/1004_preprocess_syslog_types.conf
/usr/share/logstash/pipeline.so/1026_preprocess_dhcp.conf /usr/share/logstash/pipeline.so/1026_preprocess_dhcp.conf
/usr/share/logstash/pipeline.so/1029_preprocess_esxi.conf #/usr/share/logstash/pipeline.so/1029_preprocess_esxi.conf
/usr/share/logstash/pipeline.so/1030_preprocess_greensql.conf #/usr/share/logstash/pipeline.so/1030_preprocess_greensql.conf
/usr/share/logstash/pipeline.so/1031_preprocess_iis.conf #/usr/share/logstash/pipeline.so/1031_preprocess_iis.conf
/usr/share/logstash/pipeline.so/1032_preprocess_mcafee.conf #/usr/share/logstash/pipeline.so/1032_preprocess_mcafee.conf
/usr/share/logstash/pipeline.so/1033_preprocess_snort.conf /usr/share/logstash/pipeline.so/1033_preprocess_snort.conf
/usr/share/logstash/pipeline.so/1034_preprocess_syslog.conf #/usr/share/logstash/pipeline.so/1034_preprocess_syslog.conf
/usr/share/logstash/pipeline.so/1100_preprocess_bro_conn.conf /usr/share/logstash/pipeline.so/1100_preprocess_bro_conn.conf
/usr/share/logstash/pipeline.so/1101_preprocess_bro_dhcp.conf /usr/share/logstash/pipeline.so/1101_preprocess_bro_dhcp.conf
/usr/share/logstash/pipeline.so/1102_preprocess_bro_dns.conf /usr/share/logstash/pipeline.so/1102_preprocess_bro_dns.conf
@@ -60,17 +60,17 @@
/usr/share/logstash/pipeline.so/1132_preprocess_bro_smb_mapping.conf /usr/share/logstash/pipeline.so/1132_preprocess_bro_smb_mapping.conf
/usr/share/logstash/pipeline.so/1133_preprocess_bro_ntlm.conf /usr/share/logstash/pipeline.so/1133_preprocess_bro_ntlm.conf
/usr/share/logstash/pipeline.so/1134_preprocess_bro_dce_rpc.conf /usr/share/logstash/pipeline.so/1134_preprocess_bro_dce_rpc.conf
/usr/share/logstash/pipeline.so/1998_test_data.conf #/usr/share/logstash/pipeline.so/1998_test_data.conf
/usr/share/logstash/pipeline.so/2000_network_flow.conf #/usr/share/logstash/pipeline.so/2000_network_flow.conf
/usr/share/logstash/pipeline.so/6000_bro.conf /usr/share/logstash/pipeline.so/6000_bro.conf
/usr/share/logstash/pipeline.so/6001_bro_import.conf /usr/share/logstash/pipeline.so/6001_bro_import.conf
/usr/share/logstash/pipeline.so/6002_syslog.conf #/usr/share/logstash/pipeline.so/6002_syslog.conf
/usr/share/logstash/pipeline.so/6101_switch_brocade.conf #/usr/share/logstash/pipeline.so/6101_switch_brocade.conf
/usr/share/logstash/pipeline.so/6200_firewall_fortinet.conf #/usr/share/logstash/pipeline.so/6200_firewall_fortinet.conf
/usr/share/logstash/pipeline.so/6201_firewall_pfsense.conf #/usr/share/logstash/pipeline.so/6201_firewall_pfsense.conf
/usr/share/logstash/pipeline.so/6300_windows.conf #/usr/share/logstash/pipeline.so/6300_windows.conf
/usr/share/logstash/pipeline.so/6301_dns_windows.conf #/usr/share/logstash/pipeline.so/6301_dns_windows.conf
/usr/share/logstash/pipeline.so/6400_suricata.conf #/usr/share/logstash/pipeline.so/6400_suricata.conf
/usr/share/logstash/pipeline.so/6500_ossec.conf /usr/share/logstash/pipeline.so/6500_ossec.conf
/usr/share/logstash/pipeline.so/6501_ossec_sysmon.conf /usr/share/logstash/pipeline.so/6501_ossec_sysmon.conf
/usr/share/logstash/pipeline.so/6502_ossec_autoruns.conf /usr/share/logstash/pipeline.so/6502_ossec_autoruns.conf
@@ -87,25 +87,25 @@
#/usr/share/logstash/pipeline.so/8503_postprocess_freq_analysis_bro_http.conf #/usr/share/logstash/pipeline.so/8503_postprocess_freq_analysis_bro_http.conf
#/usr/share/logstash/pipeline.so/8504_postprocess_freq_analysis_bro_ssl.conf #/usr/share/logstash/pipeline.so/8504_postprocess_freq_analysis_bro_ssl.conf
#/usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf #/usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf
/usr/share/logstash/pipeline.so/8998_postprocess_log_elapsed.conf #/usr/share/logstash/pipeline.so/8998_postprocess_log_elapsed.conf
/usr/share/logstash/pipeline.so/8999_postprocess_rename_type.conf /usr/share/logstash/pipeline.so/8999_postprocess_rename_type.conf
/usr/share/logstash/pipeline.dynamic/9000_output_bro.conf /usr/share/logstash/pipeline.dynamic/9000_output_bro.conf
/usr/share/logstash/pipeline.dynamic/9001_output_switch.conf #/usr/share/logstash/pipeline.dynamic/9001_output_switch.conf
/usr/share/logstash/pipeline.dynamic/9002_output_import.conf /usr/share/logstash/pipeline.dynamic/9002_output_import.conf
/usr/share/logstash/pipeline.dynamic/9004_output_flow.conf #/usr/share/logstash/pipeline.dynamic/9004_output_flow.conf
/usr/share/logstash/pipeline.dynamic/9026_output_dhcp.conf #/usr/share/logstash/pipeline.dynamic/9026_output_dhcp.conf
/usr/share/logstash/pipeline.dynamic/9029_output_esxi.conf #/usr/share/logstash/pipeline.dynamic/9029_output_esxi.conf
/usr/share/logstash/pipeline.dynamic/9030_output_greensql.conf #/usr/share/logstash/pipeline.dynamic/9030_output_greensql.conf
/usr/share/logstash/pipeline.dynamic/9031_output_iis.conf #/usr/share/logstash/pipeline.dynamic/9031_output_iis.conf
/usr/share/logstash/pipeline.dynamic/9032_output_mcafee.conf #/usr/share/logstash/pipeline.dynamic/9032_output_mcafee.conf
/usr/share/logstash/pipeline.dynamic/9033_output_snort.conf /usr/share/logstash/pipeline.dynamic/9033_output_snort.conf
/usr/share/logstash/pipeline.dynamic/9034_output_syslog.conf #/usr/share/logstash/pipeline.dynamic/9034_output_syslog.conf
/usr/share/logstash/pipeline.dynamic/9200_output_firewall.conf #/usr/share/logstash/pipeline.dynamic/9200_output_firewall.conf
/usr/share/logstash/pipeline.dynamic/9300_output_windows.conf #/usr/share/logstash/pipeline.dynamic/9300_output_windows.conf
/usr/share/logstash/pipeline.dynamic/9301_output_dns_windows.conf #/usr/share/logstash/pipeline.dynamic/9301_output_dns_windows.conf
/usr/share/logstash/pipeline.dynamic/9400_output_suricata.conf /usr/share/logstash/pipeline.dynamic/9400_output_suricata.conf
/usr/share/logstash/pipeline.dynamic/9500_output_beats.conf /usr/share/logstash/pipeline.dynamic/9500_output_beats.conf
/usr/share/logstash/pipeline.dynamic/9600_output_ossec.conf /usr/share/logstash/pipeline.dynamic/9600_output_ossec.conf
/usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf #/usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf
/usr/share/logstash/pipeline.dynamic/7100_osquery_wel.conf /usr/share/logstash/pipeline.dynamic/7100_osquery_wel.conf
/usr/share/logstash/pipeline.dynamic/9100_output_osquery.conf /usr/share/logstash/pipeline.dynamic/9100_output_osquery.conf
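Review bot: After this change the enabled set is inconsistent: `9400_output_suricata.conf` stays enabled while `0005_input_suricata.conf` and `6400_suricata.conf` are commented out, so that output has no upstream stage unless suricata events now arrive through the beats input that remains. Nothing in the file records which sources this release is meant to ingest; a header comment such as `# 1.0.7: bro, beats/osquery, ossec and import pipelines only; syslog, windows and suricata stages disabled` would keep the next edit from re-enabling half a pair. Disabling a source here drops its events silently rather than with an error, so any detection content built on windows or syslog data stops working without warning; that deserves a line in the release notes.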


@@ -49,7 +49,7 @@ acngcopyconf:
# Install the apt-cacher-ng container # Install the apt-cacher-ng container
so-aptcacherng: so-aptcacherng:
docker_container.running: docker_container.running:
- image: soshybridhunter/so-acng:HH1.0.5 - image: soshybridhunter/so-acng:HH1.0.7
- hostname: so-acng - hostname: so-acng
- port_bindings: - port_bindings:
- 0.0.0.0:3142:3142 - 0.0.0.0:3142:3142


@@ -50,7 +50,7 @@ mysqldatadir:
so-mysql: so-mysql:
docker_container.running: docker_container.running:
- image: soshybridhunter/so-mysql:HH1.0.5 - image: soshybridhunter/so-mysql:HH1.0.7
- hostname: so-mysql - hostname: so-mysql
- user: socore - user: socore
- port_bindings: - port_bindings:


@@ -49,7 +49,7 @@ toosmooth/so-redis:test2:
so-redis: so-redis:
docker_container.running: docker_container.running:
- image: soshybridhunter/so-redis:HH1.0.5 - image: soshybridhunter/so-redis:HH1.0.7
- hostname: so-redis - hostname: so-redis
- user: socore - user: socore
- port_bindings: - port_bindings:


@@ -0,0 +1,49 @@
{%- set ip = salt['pillar.get']('static:masterip', '') %}
{%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}
[es]
es_url = http://{{ip}}:9200
[fir]
fir_url = YOURFIRURL
fir_token = YOURFIRTOKEN
fir_actor = 3
fir_category = 3
fir_confidentiality = 1
fir_detection = 2
fir_plan = 8
fir_severity = 4
[grr]
grr_url = YOURGRRURL
grr_user = YOURGRRUSER
grr_pass = YOURGRRPASS
[hive]
hive_url = https://{{ip}}/thehive/
hive_key = {{ HIVEKEY }}
hive_tlp = 3
hive_verifycert = False
[misp]
misp_url = YOURMISPURL
misp_key = YOURMISPKEY
misp_verifycert = False
distrib = 0
threat = 4
analysis = 0
[rtir]
rtir_url = YOURRTIRURL
rtir_api = REST/1.0/
rtir_user = YOURRTIRUSER
rtir_pass = YOURRTIRPASS
rtir_queue = Incidents
rtir_creator = root
[slack]
slack_url = YOURSLACKWORKSPACE
slack_webhook = YOURSLACKWEBHOOK
[log]
logfile = /tmp/soctopus.log
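Review bot: `hive_verifycert = False` and `misp_verifycert = False` turn off TLS verification for the two integrations that carry API keys (`hive_key` is rendered from pillar two lines above), so anything able to intercept the connection to `https://{{ip}}/thehive/` can read the key; if SOCtopus accepts a CA bundle path, point it at the master certificate instead, otherwise leave a comment stating that the self-signed certificate is the reason. `es_url = http://{{ip}}:9200` reaches Elasticsearch in clear text over the host IP, consistent with the rest of the platform but worth the same comment. `logfile = /tmp/soctopus.log` writes inside the container's own filesystem — the soctopus state binds only SOCtopus.conf — so the log disappears whenever the container is recreated; a path under a host-mounted directory would keep it.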

24
salt/soctopus/init.sls Normal file

@@ -0,0 +1,24 @@
soctopusdir:
file.directory:
- name: /opt/so/conf/soctopus
- user: 939
- group: 939
- makedirs: True
soctopussync:
file.recurse:
- name: /opt/so/conf/soctopus
- source: salt://soctopus/files
- user: 939
- group: 939
- template: jinja
so-soctopus:
docker_container.running:
- image: soshybridhunter/so-soctopus:HH1.0.7
- hostname: soctopus
- name: so-soctopus
- binds:
- /opt/so/conf/soctopus/SOCtopus.conf:/SOCtopus/SOCtopus.conf:ro
- port_bindings:
- 0.0.0.0:7000:7000
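Review bot: `soctopussync` renders SOCtopus.conf, which carries the TheHive API key from pillar, with `file.recurse` but sets no mode, so the rendered file takes the minion's default umask and is likely readable by every local user; add `- file_mode: 600` and `- dir_mode: 700` under `soctopussync` (both are `file.recurse` options) so only uid 939 can read it. `so-soctopus` sets no `- user:` while the directory and files are chowned to 939, so unless the image itself drops privileges the container runs as root and reads a file it does not need root for; `- user: 939` would match the ownership, or a comment should say why root is required. The `0.0.0.0:7000:7000` exposure is discussed on the firewall section of this commit.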


@@ -72,7 +72,7 @@ suriconfigsync:
so-suricata: so-suricata:
docker_container.running: docker_container.running:
- image: soshybridhunter/so-suricata:HH1.0.6 - image: soshybridhunter/so-suricata:HH1.0.7
- privileged: True - privileged: True
- environment: - environment:
- INTERFACE={{ interface }} - INTERFACE={{ interface }}


@@ -1,4 +1,6 @@
{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
{%- set OSQUERY = salt['pillar.get']('master:osquery', '0') %}
{%- set WAZUH = salt['pillar.get']('master:wazuh', '0') %}
base: base:
'G@role:so-sensor': 'G@role:so-sensor':
- ca - ca
@@ -21,7 +23,9 @@ base:
- firewall - firewall
- master - master
- idstools - idstools
{%- if OSQUERY != 0 %}
- mysql - mysql
{%- endif %}
- elasticsearch - elasticsearch
- logstash - logstash
- kibana - kibana
@@ -30,12 +34,17 @@ base:
- bro - bro
- curator - curator
- elastalert - elastalert
- redis {%- if OSQUERY != 0 %}
- fleet - fleet
- redis
{%- endif %}
{%- if WAZUH != 0 %}
- wazuh - wazuh
{%- endif %}
- filebeat - filebeat
- utility - utility
- schedule - schedule
- soctopus
'G@role:so-master': 'G@role:so-master':
@@ -56,6 +65,7 @@ base:
- utility - utility
- schedule - schedule
- fleet - fleet
- soctopus
# Storage node logic # Storage node logic
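Review bot: `{%- set OSQUERY = salt['pillar.get']('master:osquery', '0') %}` defaults to the string `'0'`, but every new guard compares with the integer, `{%- if OSQUERY != 0 %}`, and `'0' != 0` is true in Jinja, so on any minion whose pillar lacks the key (an install that predates this commit, or one that never reached the code path that writes `osquery:`) mysql, fleet and redis — and wazuh via the identical WAZUH guard — are applied as if enabled. Use an integer default on both lines: `{%- set OSQUERY = salt['pillar.get']('master:osquery', 0) %}` and `{%- set WAZUH = salt['pillar.get']('master:wazuh', 0) %}`. The so-master role block that follows is cut by the hunk, so I cannot tell whether the same guards are wanted there.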


@@ -58,7 +58,7 @@ wazuhagentregister:
so-wazuh: so-wazuh:
docker_container.running: docker_container.running:
- image: soshybridhunter/so-wazuh:HH1.0.5 - image: soshybridhunter/so-wazuh:HH1.0.7
- hostname: {{HOSTNAME}}-wazuh-manager - hostname: {{HOSTNAME}}-wazuh-manager
- name: so-wazuh - name: so-wazuh
- detach: True - detach: True


@@ -410,6 +410,12 @@ es_heapsize() {
} }
eval_mode_hostsfile() {
echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
}
filter_nics() { filter_nics() {
# Filter the NICs that we don't want to see in setup # Filter the NICs that we don't want to see in setup
@@ -421,6 +427,7 @@ generate_passwords(){
# Generate Random Passwords for Things # Generate Random Passwords for Things
MYSQLPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) MYSQLPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
} }
get_filesystem_nsm(){ get_filesystem_nsm(){
@@ -528,6 +535,28 @@ master_pillar() {
echo " ls_input_threads: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " ls_input_threads: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " ls_batch_count: 125" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " ls_batch_count: 125" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " mtu: 1500" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " mtu: 1500" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
if [ $EVALADVANCED == 'ADVANCED' ]; then
if [ $EVALGRAFANA == '0' ]; then
echo " grafana: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
else
echo " grafana: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
fi
if [ $EVALOSQUERY == '0' ]; then
echo " osquery: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
else
echo " osquery: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
fi
if [ $EVALWAZUH == '0' ]; then
echo " wazuh: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
else
echo " wazuh: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
fi
else
echo " grafana: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " osquery: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " wazuh: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
fi
else else
echo " freq: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " freq: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " domainstats: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " domainstats: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
@@ -560,6 +589,9 @@ master_static() {
echo " broversion: $BROVERSION" >> /opt/so/saltstack/pillar/static.sls echo " broversion: $BROVERSION" >> /opt/so/saltstack/pillar/static.sls
echo " ids: $NIDS" >> /opt/so/saltstack/pillar/static.sls echo " ids: $NIDS" >> /opt/so/saltstack/pillar/static.sls
echo " masterip: $MAINIP" >> /opt/so/saltstack/pillar/static.sls echo " masterip: $MAINIP" >> /opt/so/saltstack/pillar/static.sls
echo " hiveuser: hiveadmin" >> /opt/so/saltstack/pillar/static.sls
echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls
echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls
if [[ $MASTERUPDATES == 'MASTER' ]]; then if [[ $MASTERUPDATES == 'MASTER' ]]; then
echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
else else
@@ -1066,6 +1098,11 @@ whiptail_bond_nics() {
BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${FNICS[@]} 3>&1 1>&2 2>&3 ) BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${FNICS[@]} 3>&1 1>&2 2>&3 )
while [ -z "$BNICS" ]
do
BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${FNICS[@]} 3>&1 1>&2 2>&3 )
done
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
@@ -1109,6 +1146,35 @@ whiptail_cur_close_days() {
} }
whiptail_eval_adv() {
EVALADVANCED=$(whiptail --title "Security Onion Setup" --radiolist \
"Choose your eval install:" 20 78 4 \
"BASIC" "Install basic components for evaluation" ON \
"ADVANCED" "Choose additional components to be installed" OFF 3>&1 1>&2 2>&3 )
}
whiptail_eval_adv_service_grafana() {
whiptail --title "Eval Advanced Setup" --yesno "Would you like to enable Grafana for detailed monitoring?" 8 78
local exitstatus=$?
EVALGRAFANA=$exitstatus
}
whiptail_eval_adv_service_osquery() {
whiptail --title "Eval Advanced Setup" --yesno "Would you like to enable OSquery for client monitoring?" 8 78
local exitstatus=$?
EVALOSQUERY=$exitstatus
}
whiptail_eval_adv_service_wazuh() {
whiptail --title "Eval Advanced Setup" --yesno "Would you like to enable Wazuh for client monitoring?" 8 78
local exitstatus=$?
EVALWAZUH=$exitstatus
}
whiptail_eval_adv_warning() {
whiptail --title "Security Onion Setup" --msgbox "Please keep in mind the more services that you enable the more RAM that is required." 8 78
}
whiptail_homenet_master() { whiptail_homenet_master() {
# Ask for the HOME_NET on the master # Ask for the HOME_NET on the master
@@ -1172,6 +1238,11 @@ whiptail_management_nic() {
MNIC=$(whiptail --title "NIC Setup" --radiolist "Please select your management NIC" 20 78 12 ${NICS[@]} 3>&1 1>&2 2>&3 ) MNIC=$(whiptail --title "NIC Setup" --radiolist "Please select your management NIC" 20 78 12 ${NICS[@]} 3>&1 1>&2 2>&3 )
while [ -z "$MNIC" ]
do
MNIC=$(whiptail --title "NIC Setup" --radiolist "Please select your management NIC" 20 78 12 ${NICS[@]} 3>&1 1>&2 2>&3 )
done
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
@@ -1686,11 +1757,20 @@ if (whiptail_you_sure); then
# Snag the HOME_NET # Snag the HOME_NET
whiptail_homenet_master whiptail_homenet_master
# Ask about advanced mode
whiptail_eval_adv
if [ $EVALADVANCED == 'ADVANCED' ]; then
whiptail_eval_adv_warning
whiptail_eval_adv_service_grafana
whiptail_eval_adv_service_osquery
whiptail_eval_adv_service_wazuh
fi
# Set a bunch of stuff since this is eval # Set a bunch of stuff since this is eval
es_heapsize es_heapsize
ls_heapsize ls_heapsize
NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE NODE_ES_HEAP_SIZE="600m"
NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE NODE_LS_HEAP_SIZE="2000m"
LSPIPELINEWORKERS=1 LSPIPELINEWORKERS=1
LSPIPELINEBATCH=125 LSPIPELINEBATCH=125
LSINPUTTHREADS=1 LSINPUTTHREADS=1
@@ -1701,6 +1781,7 @@ if (whiptail_you_sure); then
BROVERSION=ZEEK BROVERSION=ZEEK
CURCLOSEDAYS=30 CURCLOSEDAYS=30
whiptail_make_changes whiptail_make_changes
#eval_mode_hostsfile
generate_passwords generate_passwords
auth_pillar auth_pillar
clear_master clear_master
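Review bot: `master_static` now writes `hivepassword: hivechangeme` (with `hiveuser: hiveadmin`) into static.sls, and hive_init.sh creates that account with the admin role, so every install ships a TheHive administrator with a known password reachable through the analyst-facing nginx path. Generate it next to HIVEKEY — `HIVEPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)` in `generate_passwords` and `echo " hivepassword: $HIVEPASS" >> /opt/so/saltstack/pillar/static.sls` with the neighbouring lines' indentation — and print or store it where the installer can find it. Separately, the re-prompt loops added in `whiptail_bond_nics` and `whiptail_management_nic` leave `local exitstatus=$?` reading the `while` loop's status rather than whiptail's, and a Cancel produces an empty selection that simply re-prompts, so the user can no longer back out; capture `exitstatus=$?` immediately after each whiptail call and loop on `[ "$exitstatus" -eq 0 ] && [ -z "$BNICS" ]` (same for MNIC) so `whiptail_check_exitstatus` still sees the cancel.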