CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10601 from Security-Onion-Solutions/cogburn/10413

Browse Source 
Cogburn/10413
This commit is contained in:
coreyogburn
2023-06-20 11:08:53 -06:00
committed by GitHub
parent b60cf29598 ad28ea275f
commit fb81c6e2e3
2 changed files with 111 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
salt/soc/config.sls
View File

@@ -106,6 +106,13 @@ socusersroles:
- require: - require:
- sls: manager.sync_es_users - sls: manager.sync_es_users
socuploaddir:
file.directory:
- name: /nsm/soc/uploads
- user: 939
- group: 939
- makedirs: True
{% else %} {% else %}
{{sls}}_state_not_allowed: {{sls}}_state_not_allowed:

101
salt/soc/files/bin/salt-relay.sh
View File

@@ -172,6 +172,101 @@ function manage_salt() {
fi fi
} }
function send_file() {
request=$1
from=$(echo "$request" | jq -r .from)
to=$(echo "$request" | jq -r .to)
node=$(echo "$request" | jq -r .node)
[ $(echo "$request" | jq -r .cleanup) != "true" ] ; cleanup=$?
log "From: $from"
log "To: $to"
log "Node: $node"
log "Cleanup: $cleanup"
log "encrypting..."
gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from"
fromgpg="$from.gpg"
filename=$(basename "$fromgpg")
log "sending..."
response=$($CMD_PREFIX salt-cp -C "$node" "$fromgpg" "$to")
# salt-cp returns 0 even if the file transfer fails, so we need to check the response.
# Remove the node and filename from the response on the off-chance they contain
# the word "True" in them
echo $response | sed "s/$node//" | sed "s/$filename//" | grep True
exit_code=$?
rm -f "$fromgpg"
log Response:$'\n'"$response"
log "Exit Code: $exit_code"
if [[ $cleanup -eq 1 ]]; then
log "Cleaning up file $from"
rm -f "$from"
fi
if [[ exit_code -eq 0 ]]; then
$(echo "true" > "${SOC_PIPE}")
else
$(echo "false" > "${SOC_PIPE}")
fi
}
function import_file() {
request=$1
node=$(echo "$request" | jq -r .node)
file=$(echo "$request" | jq -r .file)
importer=$(echo "$request" | jq -r .importer)
log "Node: $node"
log "File: $file"
log "Importer: $importer"
filegpg="$file.gpg"
log "decrypting..."
$CMD_PREFIX "salt '$node' cmd.run 'gpg --passphrase \"infected\" --batch --decrypt \"$filegpg\" > \"$file\"'"
decrypt_code=$?
if [[ $decrypt_code -eq 0 ]]; then
log "importing..."
case $importer in
pcap)
response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'")
exit_code=$?
;;
evtx)
response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'")
exit_code=$?
;;
*)
response="Unsupported importer: $importer"
exit_code=1
;;
esac
else
response="Failed to decrypt file: $file"
exit_code=$decrypt_code
fi
rm -f "$file" "$filegpg"
log Response:$'\n'"$response"
log "Exit Code: $exit_code"
if [[ exit_code -eq 0 ]]; then
# trim off the node header ("manager_standalone:\n") and parse out the URL
url=$(echo "$response" | tail -n +2 | jq -r .url)
$(echo "$url" > "${SOC_PIPE}")
else
log "false"
$(echo "false" > "${SOC_PIPE}")
fi
}
while true; do while true; do
log "Listening for request" log "Listening for request"
request=$(cat ${SOC_PIPE}) request=$(cat ${SOC_PIPE})
@@ -191,6 +286,12 @@ while true; do
manage-salt) manage-salt)
manage_salt "${request}" manage_salt "${request}"
;; ;;
send-file)
send_file "${request}"
;;
import-file)
import_file "${request}"
;;
*) *)
log "Unsupported command: $command" log "Unsupported command: $command"
$(echo "false" > "${SOC_PIPE}") $(echo "false" > "${SOC_PIPE}")