Merge remote-tracking branch 'origin/2.4/dev' into iptables

This commit is contained in:
m0duspwnens
2023-07-26 16:32:03 -04:00
12 changed files with 1071 additions and 250 deletions


@@ -1,170 +1,279 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'Rocky' %}
{% if GLOBALS.os == 'OEL' %}
desktop_packages:
pkg.installed:
- pkgs:
- ModemManager
- ModemManager-glib
- NetworkManager
- NetworkManager-adsl
- NetworkManager-bluetooth
- NetworkManager-l2tp-gnome
- NetworkManager-libreswan-gnome
- NetworkManager-openconnect-gnome
- NetworkManager-openvpn-gnome
- NetworkManager-ppp
- NetworkManager-pptp-gnome
- NetworkManager-config-server
- NetworkManager-libnm
- NetworkManager-team
- NetworkManager-tui
- NetworkManager-wifi
- NetworkManager-wwan
- PackageKit
- PackageKit-command-not-found
- PackageKit-glib
- PackageKit-gstreamer-plugin
- aajohan-comfortaa-fonts
- abattis-cantarell-fonts
- acl
- alsa-ucm
- alsa-utils
- anaconda
- anaconda-install-env-deps
- anaconda-live
- at
- attr
- PackageKit-gtk3-module
- audit
- audit-libs
- authselect
- authselect-libs
- avahi
- avahi-glib
- avahi-libs
- baobab
- basesystem
- bash
- bash-completion
- bc
- blktrace
- bcache-tools
- bluez
- bluez-libs
- bluez-obexd
- bolt
- bpftool
- bzip2
- bzip2-libs
- c-ares
- ca-certificates
- cairo
- cairo-gobject
- cairomm
- checkpolicy
- cheese
- cheese-libs
- chkconfig
- chromium
- chrony
- cinnamon
- cinnamon-control-center
- cinnamon-screensaver
- cockpit
- coreutils
- cpio
- cronie
- crontabs
- crypto-policies
- crypto-policies-scripts
- cryptsetup
- curl
- cyrus-sasl-plain
- dbus
- chrome-gnome-shell
- clutter
- clutter-gst3
- clutter-gtk
- cogl
- color-filesystem
- colord
- colord-gtk
- colord-libs
- conmon
- cups
- cups-client
- cups-filesystem
- cups-filters
- cups-filters-libs
- cups-ipptool
- cups-libs
- cups-pk-helper
- dconf
- dejavu-sans-fonts
- dejavu-sans-mono-fonts
- dejavu-serif-fonts
- dnf
- dnf-plugins-core
- dos2unix
- dosfstools
- dracut-config-rescue
- dracut-live
- dsniff
- e2fsprogs
- ed
- efi-filesystem
- efibootmgr
- efivar-libs
- eom
- ethtool
- f36-backgrounds-extras-gnome
- f36-backgrounds-gnome
- f37-backgrounds-extras-gnome
- f37-backgrounds-gnome
- file
- filesystem
- firewall-config
- firewalld
- fprintd-pam
- git
- glibc
- glibc-all-langpacks
- desktop-file-utils
- evolution-data-server
- evolution-data-server-langpacks
- firefox
- flac-libs
- flashrom
- flatpak
- flatpak-libs
- flatpak-selinux
- flatpak-session-helper
- fontconfig
- fonts-filesystem
- foomatic
- foomatic-db
- foomatic-db-filesystem
- foomatic-db-ppds
- freetype
- fuse
- fuse-common
- fuse-libs
- fuse-overlayfs
- fuse3
- fuse3-libs
- fwupd
- fwupd-plugin-flashrom
- gcr
- gcr-base
- gd
- gdbm-libs
- gdisk
- gdk-pixbuf2
- gdk-pixbuf2-modules
- gdm
- gedit
- geoclue2
- geoclue2-libs
- geocode-glib
- gettext
- gettext-libs
- ghostscript
- ghostscript-tools-fonts
- ghostscript-tools-printing
- giflib
- glx-utils
- gmp
- gnome-autoar
- gnome-bluetooth
- gnome-bluetooth-libs
- gnome-calculator
- gnome-characters
- gnome-classic-session
- gnome-color-manager
- gnome-control-center
- gnome-control-center-filesystem
- gnome-desktop3
- gnome-disk-utility
- gnome-font-viewer
- gnome-initial-setup
- gnome-keyring
- gnome-keyring-pam
- gnome-logs
- gnome-menus
- gnome-online-accounts
- gnome-remote-desktop
- gnome-screenshot
- gnome-session
- gnome-session-wayland-session
- gnome-session-xsession
- gnome-settings-daemon
- gnome-shell
- gnome-shell-extension-apps-menu
- gnome-shell-extension-background-logo
- gnome-shell-extension-common
- gnome-shell-extension-desktop-icons
- gnome-shell-extension-launch-new-instance
- gnome-shell-extension-places-menu
- gnome-shell-extension-window-list
- gnome-software
- gnome-system-monitor
- gnome-terminal
- gnupg2
- gnome-terminal-nautilus
- gnome-tour
- gnome-user-docs
- gnome-video-effects
- gobject-introspection
- gom
- google-droid-sans-fonts
- google-noto-cjk-fonts-common
- google-noto-emoji-color-fonts
- google-noto-fonts-common
- google-noto-sans-cjk-ttc-fonts
- google-noto-sans-gurmukhi-fonts
- google-noto-sans-sinhala-vf-fonts
- google-noto-serif-cjk-ttc-fonts
- grub2-common
- grub2-pc-modules
- grub2-tools
- grub2-tools-efi
- grub2-tools-extra
- grub2-tools-minimal
- grubby
- gpgme
- gpm-libs
- graphene
- graphite2
- gsettings-desktop-schemas
- gsm
- gsound
- gspell
- gstreamer1
- gstreamer1-plugins-bad-free
- gstreamer1-plugins-base
- gstreamer1-plugins-good
- gstreamer1-plugins-good-gtk
- gstreamer1-plugins-ugly-free
- gtk-update-icon-cache
- gtk3
- gtk4
- gtkmm30
- gtksourceview4
- gutenprint
- gutenprint-cups
- gutenprint-doc
- gutenprint-libs
- gvfs
- gvfs-client
- gvfs-fuse
- gvfs-goa
- gvfs-gphoto2
- gvfs-mtp
- gvfs-smb
- hostname
- hyperv-daemons
- ibus-anthy
- ibus-hangul
- ibus-libpinyin
- ibus-libzhuyin
- ibus-m17n
- ibus-typing-booster
- imsettings-systemd
- initial-setup-gui
- initscripts
- gzip
- harfbuzz
- harfbuzz-icu
- hdparm
- hicolor-icon-theme
- highcontrast-icon-theme
- hplip-common
- hplip-libs
- hunspell
- hunspell-en
- hunspell-en-GB
- hunspell-en-US
- hunspell-filesystem
- hyphen
- ibus
- ibus-gtk3
- ibus-libs
- ibus-setup
- iio-sensor-proxy
- ima-evm-utils
- inih
- initscripts-rename-device
- iproute
- iproute-tc
- iprutils
- iputils
- irqbalance
- iwl100-firmware
- iwl1000-firmware
- iwl105-firmware
- iwl135-firmware
- iwl2000-firmware
- iwl2030-firmware
- iwl3160-firmware
- iwl5000-firmware
- iwl5150-firmware
- iwl6000g2a-firmware
- iwl6000g2b-firmware
- iwl6050-firmware
- iwl7260-firmware
- initscripts-service
- iso-codes
- jansson
- jbig2dec-libs
- jbigkit-libs
- jomolhari-fonts
- jose
- jq
- json-c
- json-glib
- julietaula-montserrat-fonts
- kbd
- kernel
- kernel-modules
- kernel-modules-extra
- kernel-tools
- kexec-tools
- kbd-misc
- khmer-os-system-fonts
- kmod-kvdo
- kpatch
- kpatch-dnf
- ledmon
- less
- langpacks-core-en
- langpacks-core-font-en
- langpacks-en
- lcms2
- libICE
- libSM
- libX11
- libX11-common
- libX11-xcb
- libXau
- libXcomposite
- libXcursor
- libXdamage
- libXdmcp
- libXext
- libXfixes
- libXfont2
- libXft
- libXi
- libXinerama
- libXmu
- libXpm
- libXrandr
- libXrender
- libXres
- libXt
- libXtst
- libXv
- libXxf86dga
- libXxf86vm
- libappstream-glib
- liberation-fonts-common
- liberation-mono-fonts
- liberation-sans-fonts
- liberation-serif-fonts
- libertas-sd8787-firmware
- libstoragemgmt
- libsysfs
- lightdm
- linux-firmware
- logrotate
- libglvnd-gles
- libglvnd-glx
- libglvnd-opengl
- libgnomekbd
- libgomp
- libgphoto2
- lockdev
- lohit-assamese-fonts
- lohit-bengali-fonts
- lohit-devanagari-fonts
@@ -173,138 +282,454 @@ desktop_packages:
- lohit-odia-fonts
- lohit-tamil-fonts
- lohit-telugu-fonts
- lshw
- lsof
- lsscsi
- lvm2
- mailcap
- man-db
- man-pages
- mcelog
- mdadm
- memtest86+
- metacity
- mesa-dri-drivers
- mesa-filesystem
- mesa-libEGL
- mesa-libGL
- mesa-libgbm
- mesa-libglapi
- mesa-libxatracker
- mesa-vulkan-drivers
- microcode_ctl
- mlocate
- mobile-broadband-provider-info
- mozilla-filesystem
- mpfr
- mpg123-libs
- mtdev
- mtr
- nano
- ncurses
- nemo-fileroller
- nemo-image-converter
- nemo-preview
- net-tools
- netronome-firmware
- ngrep
- nm-connection-editor
- nmap-ncat
- nvme-cli
- open-vm-tools-desktop
- openssh-clients
- openssh-server
- p11-kit
- paktype-naskh-basic-fonts
- parole
- parted
- passwd
- pciutils
- nautilus
- nautilus-extensions
- oracle-backgrounds
- oracle-indexhtml
- oracle-logos
- pcaudiolib
- pinentry
- pinentry-gnome3
- pinfo
- pipewire
- pipewire-alsa
- pipewire-gstreamer
- pipewire-jack-audio-connection-kit
- pipewire-libs
- pipewire-pulseaudio
- pipewire-utils
- pixman
- plymouth
- plymouth-core-libs
- plymouth-graphics-libs
- plymouth-plugin-label
- plymouth-plugin-two-step
- plymouth-scripts
- plymouth-system-theme
- plymouth-theme-spinner
- policycoreutils
- powerline
- ppp
- prefixdevname
- procps-ng
- psacct
- policycoreutils-python-utils
- pt-sans-fonts
- python3-libselinux
- python3-scapy
- qemu-guest-agent
- quota
- realmd
- redshift-gtk
- rocky-backgrounds
- rocky-release
- rootfiles
- rpm
- rpm-plugin-audit
- rsync
- rsyslog
- rsyslog-gnutls
- rsyslog-gssapi
- rsyslog-relp
- salt-minion
- pulseaudio-libs
- pulseaudio-libs-glib2
- pulseaudio-utils
- sane-airscan
- sane-backends
- sane-backends-drivers-cameras
- sane-backends-drivers-scanners
- selinux-policy-targeted
- setroubleshoot
- setup
- sg3_utils
- sg3_utils-libs
- shadow-utils
- sane-backends-libs
- sil-abyssinica-fonts
- sil-nuosu-fonts
- sil-padauk-fonts
- slick-greeter
- slick-greeter-cinnamon
- smartmontools
- smc-meera-fonts
- sos
- snappy
- sound-theme-freedesktop
- soundtouch
- speech-dispatcher
- speech-dispatcher-espeak-ng
- speex
- spice-vdagent
- ssldump
- sssd
- sssd-common
- sssd-kcm
- stix-fonts
- strace
- sudo
- switcheroo-control
- symlinks
- syslinux
- systemd
- systemd-udev
- tar
- system-config-printer-libs
- system-config-printer-udev
- taglib
- tcpdump
- tcpflow
- teamd
- thai-scalable-fonts-common
- thai-scalable-waree-fonts
- time
- tmux
- tmux-powerline
- transmission
- totem
- totem-pl-parser
- totem-video-thumbnailer
- tpm2-tools
- tpm2-tss
- tracer-common
- tracker
- tracker-miners
- tree
- tuned
- twolame-libs
- tzdata
- udisks2
- udisks2-iscsi
- udisks2-lvm2
- unzip
- upower
- urw-base35-bookman-fonts
- urw-base35-c059-fonts
- urw-base35-d050000l-fonts
- urw-base35-fonts
- urw-base35-fonts-common
- urw-base35-gothic-fonts
- urw-base35-nimbus-mono-ps-fonts
- urw-base35-nimbus-roman-fonts
- urw-base35-nimbus-sans-fonts
- urw-base35-p052-fonts
- urw-base35-standard-symbols-ps-fonts
- urw-base35-z003-fonts
- usb_modeswitch
- usb_modeswitch-data
- usbutils
- util-linux
- util-linux-user
- usermode
- userspace-rcu
- vdo
- vim-enhanced
- vim-minimal
- vim-powerline
- virt-what
- wget
- whois
- which
- vulkan-loader
- wavpack
- webkit2gtk3
- webkit2gtk3-jsc
- webrtc-audio-processing
- wireless-regdb
- wireplumber
- wireshark
- wireplumber-libs
- woff2
- words
- wpa_supplicant
- wpebackend-fdo
- xdg-dbus-proxy
- xdg-desktop-portal
- xdg-desktop-portal-gnome
- xdg-desktop-portal-gtk
- xdg-user-dirs
- xdg-user-dirs-gtk
- xed
- xfsdump
- xfsprogs
- xreader
- yum
- zip
- xdg-utils
- xkeyboard-config
- xorg-x11-drv-evdev
- xorg-x11-drv-fbdev
- xorg-x11-drv-libinput
- xorg-x11-drv-vmware
- xorg-x11-drv-wacom
- xorg-x11-drv-wacom-serial-support
- xorg-x11-server-Xorg
- xorg-x11-server-Xwayland
- xorg-x11-server-common
- xorg-x11-server-utils
- xorg-x11-utils
- xorg-x11-xauth
- xorg-x11-xinit
- xorg-x11-xinit-session
#
# - aajohan-comfortaa-fonts
# - abattis-cantarell-fonts
# - acl
# - alsa-ucm
# - alsa-utils
# - anaconda
# - anaconda-install-env-deps
# - at
# - attr
# - audit
# - authselect
# - basesystem
# - bash
# - bash-completion
# - bc
# - blktrace
# - bluez
# - bolt
# - bpftool
# - bzip2
# - chkconfig
# - chromium
# - chrony
# - cockpit
# - coreutils
# - cpio
# - cronie
# - crontabs
# - crypto-policies
# - crypto-policies-scripts
# - cryptsetup
# - curl
# - cyrus-sasl-plain
# - dbus
# - dejavu-sans-fonts
# - dejavu-sans-mono-fonts
# - dejavu-serif-fonts
# - dnf
# - dnf-plugins-core
# - dos2unix
# - dosfstools
# - dracut-config-rescue
# - dracut-live
# - dsniff
# - e2fsprogs
# - ed
# - efibootmgr
# - efi-filesystem
# - efivar-libs
# - eom
# - ethtool
# - file
# - filesystem
# - firewall-config
# - firewalld
# - fprintd-pam
# - gdm
# - git
# - glibc
# - glibc-all-langpacks
# - gnome-autoar
# - gnome-bluetooth
# - gnome-bluetooth-libs
# - gnome-calculator
# - gnome-characters
# - gnome-color-manager
# - gnome-control-center
# - gnome-desktop3
# - gnome-disk-utility
# - gnome-font-viewer
# - gnome-initial-setup
# - gnome-keyring
# - gnome-keyring-pam
# - gnome-logs
# - gnome-menus
# - gnome-online-accounts
# - gnome-remote-desktop
# - gnome-screenshot
# - gnome-session
# - gnome-session-wayland-session
# - gnome-session-xsession
# - gnome-settings-daemon
# - gnome-shell
# - gnome-software
# - gnome-system-monitor
# - gnome-terminal
# - gnome-terminal-nautilus
# - gnome-tour
# - gnupg2
# - google-noto-emoji-color-fonts
# - google-noto-sans-cjk-ttc-fonts
# - google-noto-sans-gurmukhi-fonts
# - google-noto-sans-sinhala-vf-fonts
# - google-noto-serif-cjk-ttc-fonts
# - grub2-common
# - grub2-pc-modules
# - grub2-tools
# - grub2-tools-efi
# - grub2-tools-extra
# - grub2-tools-minimal
# - grubby
# - gstreamer1-plugins-bad-free
# - gstreamer1-plugins-good
# - gstreamer1-plugins-ugly-free
# - gvfs-gphoto2
# - gvfs-mtp
# - gvfs-smb
# - hostname
# - hyperv-daemons
# - ibus-anthy
# - ibus-hangul
# - ibus-libpinyin
# - ibus-libzhuyin
# - ibus-m17n
# - ibus-typing-booster
# - imsettings-systemd
# - initial-setup-gui
# - initscripts
# - initscripts-rename-device
# - iproute
# - iproute-tc
# - iprutils
# - iputils
# - irqbalance
# - iwl1000-firmware
# - iwl100-firmware
# - iwl105-firmware
# - iwl135-firmware
# - iwl2000-firmware
# - iwl2030-firmware
# - iwl3160-firmware
# - iwl5000-firmware
# - iwl5150-firmware
# - iwl6000g2a-firmware
# - iwl6000g2b-firmware
# - iwl6050-firmware
# - iwl7260-firmware
# - jomolhari-fonts
# - julietaula-montserrat-fonts
# - kbd
# - kernel
# - kernel-modules
# - kernel-modules-extra
# - kernel-tools
# - kexec-tools
# - khmer-os-system-fonts
# - kmod-kvdo
# - ledmon
# - less
# - liberation-mono-fonts
# - liberation-sans-fonts
# - liberation-serif-fonts
# - libertas-sd8787-firmware
# - libstoragemgmt
# - libsysfs
# - lightdm
# - linux-firmware
# - logrotate
# - lohit-assamese-fonts
# - lohit-bengali-fonts
# - lohit-devanagari-fonts
# - lohit-gujarati-fonts
# - lohit-kannada-fonts
# - lohit-odia-fonts
# - lohit-tamil-fonts
# - lohit-telugu-fonts
# - lshw
# - lsof
# - lsscsi
# - lvm2
# - mailcap
# - man-db
# - man-pages
# - mcelog
# - mdadm
# - memtest86+
# - metacity
# - microcode_ctl
# - mlocate
# - mtr
# - nano
# - ncurses
# - netronome-firmware
# - net-tools
# - NetworkManager
# - NetworkManager-adsl
# - NetworkManager-bluetooth
# - NetworkManager-l2tp-gnome
# - NetworkManager-libreswan-gnome
# - NetworkManager-openconnect-gnome
# - NetworkManager-openvpn-gnome
# - NetworkManager-ppp
# - NetworkManager-pptp-gnome
# - NetworkManager-team
# - NetworkManager-tui
# - NetworkManager-wifi
# - NetworkManager-wwan
# - ngrep
# - nmap-ncat
# - nm-connection-editor
# - nvme-cli
# - openssh-clients
# - openssh-server
# - open-vm-tools-desktop
# - p11-kit
# - PackageKit-gstreamer-plugin
# - paktype-naskh-basic-fonts
# - parole
# - parted
# - passwd
# - pciutils
# - pinfo
# - pipewire
# - pipewire-alsa
# - pipewire-gstreamer
# - pipewire-jack-audio-connection-kit
# - pipewire-pulseaudio
# - pipewire-utils
# - plymouth
# - policycoreutils
# - powerline
# - ppp
# - prefixdevname
# - procps-ng
# - psacct
# - pt-sans-fonts
# - python3-libselinux
# - python3-scapy
# - qemu-guest-agent
# - quota
# - realmd
# - redshift-gtk
# - rootfiles
# - rpm
# - rpm-plugin-audit
# - rsync
# - rsyslog
# - rsyslog-gnutls
# - rsyslog-gssapi
# - rsyslog-relp
# - salt-minion
# - sane-backends-drivers-scanners
# - selinux-policy-targeted
# - setroubleshoot
# - setup
# - sg3_utils
# - sg3_utils-libs
# - shadow-utils
# - sil-abyssinica-fonts
# - sil-nuosu-fonts
# - sil-padauk-fonts
# - slick-greeter
# - slick-greeter-cinnamon
# - smartmontools
# - smc-meera-fonts
# - sos
# - spice-vdagent
# - ssldump
# - sssd
# - sssd-common
# - sssd-kcm
# - stix-fonts
# - strace
# - sudo
# - symlinks
# - syslinux
# - systemd
# - systemd-udev
# - tar
# - tcpdump
# - tcpflow
# - teamd
# - thai-scalable-waree-fonts
# - time
# - tmux
# - tmux-powerline
# - transmission
# - tree
# - tuned
# - unzip
# - usb_modeswitch
# - usbutils
# - util-linux
# - util-linux-user
# - vdo
# - vim-enhanced
# - vim-minimal
# - vim-powerline
# - virt-what
# - wget
# - which
# - whois
# - wireplumber
# - wireshark
# - words
# - xdg-user-dirs-gtk
# - xed
# - xfsdump
# - xfsprogs
# - xreader
# - yum
# - zip
#
{% else %}
desktop_packages_os_fail:
test.fail_without_changes:
- comment: 'SO desktop can only be installed on Rocky'
- comment: 'SO desktop can only be installed on Oracle Linux'
{% endif %}
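Review bot: The Jinja comment `{# we only want this state to run it is CentOS #}` directly above the changed guard is now two platforms out of date, since the guard on the new side tests `GLOBALS.os == 'OEL'`; the same stale comment sits above the same guard change in the other three desktop states in this commit (the `remove_graphical_target`, `trusted_ca` and `include: desktop.packages` sections), so replace it in each with `{# only run this state on Oracle Linux (GLOBALS.os == 'OEL') #}`. `rocky-backgrounds` and `rocky-release` still appear in the package list in the second hunk; which side they belong to is not recoverable here, but if they survive on the OEL side `pkg.installed` will fail on a host that has no such packages, so confirm they were replaced by the `oracle-*` entries. The large commented-out list between the two bare `#` markers near the end of the second hunk reads as a leftover copy of the old Rocky list and should be dropped rather than carried as dead text if it is no longer consulted. The failure message capitalisation also differs across these sections ('SO desktop' here, 'SO Desktop' in the others); pick one.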


@@ -1,7 +1,7 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'Rocky' %}
{% if GLOBALS.os == 'OEL' %}
remove_graphical_target:
file.symlink:
@@ -12,6 +12,6 @@ remove_graphical_target:
{% else %}
desktop_trusted-ca_os_fail:
test.fail_without_changes:
- comment: 'SO Desktop can only be installed on Rocky'
- comment: 'SO Desktop can only be installed on Oracle Linux'
{% endif %}


@@ -1,33 +1,7 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'Rocky' %}
{% set global_ca_text = [] %}
{% set global_ca_server = [] %}
{% set manager = GLOBALS.manager %}
{% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %}
{% for host in x509dict %}
{% if host.split('_')|last in ['manager', 'managersearch', 'standalone', 'import', 'eval'] %}
{% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
{% do global_ca_server.append(host) %}
{% endif %}
{% endfor %}
{% set trusttheca_text = global_ca_text[0] %}
{% set ca_server = global_ca_server[0] %}
trusted_ca:
x509.pem_managed:
- name: /etc/pki/ca-trust/source/anchors/ca.crt
- text: {{ trusttheca_text }}
update_ca_certs:
cmd.run:
- name: update-ca-trust
- onchanges:
- x509: trusted_ca
{% elif GLOBALS.os == 'CentOS Stream' %}
{% if GLOBALS.os == 'OEL' %}
{% set global_ca_text = [] %}
{% set global_ca_server = [] %}
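Review bot: The OEL branch's body continues past the hunk, but its visible first lines start the same salt mine lookup the removed Rocky branch used; if it also keeps the `global_ca_text[0]` / `global_ca_server[0]` access, a node whose mine has no manager-role `x509.get_pem_entries` entry yet fails the render with an index error instead of a clear message, and the state that installs the CA into `/etc/pki/ca-trust/source/anchors/` silently does not run. Wrapping the `trusted_ca` state in `{% if global_ca_text %}` with a `test.fail_without_changes` fallback, in the style the other desktop states use for the OS check, would make that failure explicit. This is hedged because the rest of the branch is outside the hunk.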


@@ -1,7 +1,7 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'Rocky' %}
{% if GLOBALS.os == 'OEL' %}
include:
- desktop.packages
@@ -18,6 +18,6 @@ graphical_target:
desktop_xwindows_os_fail:
test.fail_without_changes:
- comment: 'SO Desktop can only be installed on Rocky'
- comment: 'SO Desktop can only be installed on Oracle Linux'
{% endif %}


@@ -33,19 +33,22 @@ so-elastic-agent:
{% endif %}
- binds:
- /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /nsm:/nsm:ro
{% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-elastic-agent'].extra_env %}
- environment:
- FLEET_CA=/etc/pki/tls/certs/intca.crt
{% if DOCKER.containers['so-elastic-agent'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
- watch:
- file: create-elastic-agent-config
delete_so-elastic-agent_so-status.disabled:
file.uncomment:
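Review bot: `FLEET_CA=/etc/pki/tls/certs/intca.crt` hard-codes the container-side path that the new `- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro` bind two stanzas above provides, and nothing ties the two together, so a later edit to either one silently leaves the agent without its CA. Add a comment above the environment entry, `# FLEET_CA must match the container-side path of the intca.crt bind above`. Emitting `- environment:` unconditionally is correct now that `FLEET_CA` is always present, with the `extra_env` guard only wrapping the optional entries; the `{% if %}` blocks here are Jinja and their indentation is not recoverable from this view, so confirm the rendered YAML keeps the list items at one level. The `delete_so-elastic-agent_so-status.disabled` state starting at the end of the hunk continues outside it.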


@@ -11,7 +11,7 @@ outputs:
- 'https://{{ GLOBALS.hostname }}:9200'
username: '{{ ES_USER }}'
password: '{{ ES_PASS }}'
ssl.verification_mode: none
ssl.verification_mode: full
output_permissions: {}
agent:
download:
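Review bot: Switching `ssl.verification_mode` to `full` makes the agent verify both the certificate chain and that the certificate's SAN matches the host in `https://{{ GLOBALS.hostname }}:9200`, so the Elasticsearch certificate must carry that exact name and its issuing CA must be trusted by the agent; the hunk shows neither an `ssl.certificate_authorities` entry nor a comment recording that dependency. If the CA list is configured elsewhere in the file, add `# full: verifies the CA chain and that the cert SAN matches GLOBALS.hostname` above this line; if it is not, `ssl.certificate_authorities: ['/etc/pki/tls/certs/intca.crt']` (the path the companion so-elastic-agent container change mounts read-only) is needed, because `full` against an internally issued certificate with only the system trust store will refuse the connection. The `outputs:` block this belongs to starts above the hunk.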


@@ -28,6 +28,7 @@ elasticfleet:
- aws
- azure
- cloudflare
- endpoint
- fim
- github
- google_workspace


@@ -81,6 +81,8 @@ elasticsearch:
managed: true
composed_of:
- "so-data-streams-mappings"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
- "so-logs-mappings"
- "so-logs-settings"
priority: 225
@@ -1312,6 +1314,398 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.alerts:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.alerts-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.alerts@custom"
- "logs-endpoint.alerts@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.api:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.api-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.api@custom"
- "logs-endpoint.events.api@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.file:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.file-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.file@custom"
- "logs-endpoint.events.file@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.library:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.library-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.library@custom"
- "logs-endpoint.events.library@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.network:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.network-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.network@custom"
- "logs-endpoint.events.network@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.process:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.process-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.process@custom"
- "logs-endpoint.events.process@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.registry:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.registry-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.registry@custom"
- "logs-endpoint.events.registry@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.security:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.security-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.security@custom"
- "logs-endpoint.events.security@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.filebeat:
index_sorting: False
index_template:
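Review bot: In each of the eight added `so-logs-endpoint.*` templates, `composed_of` lists `logs-endpoint.<dataset>@custom` before `logs-endpoint.<dataset>@package`; Elasticsearch applies component templates in list order with later entries winning on conflicting settings and mappings, and Fleet's own templates list `@package` first and `@custom` last precisely so that site customisations override the package defaults. Unless the inversion is deliberate, swap the two lines in every template and keep `so-fleet_globals-1` / `so-fleet_agent_id_verification-1` last as they are now. The eight blocks are otherwise identical apart from the data-stream name, so a Jinja loop over the dataset names, or at least a comment such as `# the so-logs-endpoint.* templates below are a matched set; change them together`, would keep them from drifting. The second hunk is pure addition (398 new lines with three context lines at each end), so these templates are the only new content to review there.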


@@ -72,8 +72,8 @@
{ "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } },
{ "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } },
{ "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } },
{ "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } },
{ "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" } },
{ "gsub": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } },
{ "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}" } },
{ "set": { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } },
{ "set": { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } },
{ "set": { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } },
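Review bot: The new `gsub` pattern `^[^.]*.` only strips through the first dot because the unescaped `.` is any-character and `[^.]*` happens to consume everything before the dot; written as `"pattern": "^[^.]*\\."` the intent is explicit and cannot match a non-dot character after backtracking. Note the replaced `split` form tagged only the second segment (`{{dataset_tag_temp.1}}`) while the `gsub` form keeps everything after the first dot, so a three-segment dataset such as `endpoint.events.process` now produces the tag `events.process` instead of `events`; if that is intended, a short comment in the pipeline's description would save the next reader from treating it as a regression. Separately, `destination.ipv6` is set to `"false"` for `network.type == 'ipv4'` but no `"true"` is set for `ipv6` inside the hunk; if no matching processor follows outside it, add `{ "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } },` so the field is not simply absent for IPv6 traffic.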


@@ -9,6 +9,10 @@
"properties": {
"event": {
"properties": {
"agent_id": {
"ignore_above": 1024,
"type": "keyword"
},
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
@@ -18,6 +22,18 @@
"type": "date"
}
}
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"network.initiated": {
"ignore_above": 1024,
"type": "keyword"
},
"destination.ipv6": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
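Review bot: `network.initiated` and `destination.ipv6` are mapped as `keyword` although the ingest pipeline in this commit only ever writes the strings `"true"` and `"false"` into them; a `"type": "boolean"` mapping would let them be filtered as booleans, and Elasticsearch coerces those two string values into a boolean field, so the pipeline would not need to change. If keyword is deliberate, record that choice in the pipeline that sets them, since JSON mappings cannot carry a comment. The added `event.agent_id` keyword lines plausibly pair with the `so-fleet_agent_id_verification-1` component template referenced elsewhere in this commit, but that template's body is not in the diff, so confirm the field name matches what it verifies.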


@@ -999,6 +999,14 @@ firewall:
portgroups:
- elasticsearch_node
- elasticsearch_rest
managersearch:
portgroups:
- elasticsearch_node
- elasticsearch_rest
standalone:
portgroups:
- elasticsearch_node
- elasticsearch_rest
dockernet:
portgroups:
- elasticsearch_node
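Review bot: The new `managersearch` and `standalone` entries open both `elasticsearch_node` and `elasticsearch_rest` for this hostgroup, but nothing records why the REST port group is needed alongside the transport one; from a least-privilege standpoint each opened port group should carry its reason so a later reviewer can tell an intentional exposure from a copy of the neighbouring entry. Add a comment above each new entry, e.g. `# needs elasticsearch_rest in addition to transport for <reason>` with the actual reason filled in, and confirm `elasticsearch_rest` is genuinely required rather than `elasticsearch_node` alone. The enclosing hostgroup key and any entries after `dockernet` are outside the hunk.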


@@ -3,7 +3,7 @@
"versions": {
"attack": "11",
"navigator": "4.8.4",
"layer": "4.3"
"layer": "4.4"
},
"domain": "enterprise-attack",
"description": "",