CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-01-23 16:33:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: CSEC_PUBLIC:2.4.110-20241010
Branches Tags
CSEC_PUBLIC:master CSEC_PUBLIC:2.4/dev CSEC_PUBLIC:bravo CSEC_PUBLIC:fstes CSEC_PUBLIC:cogburn/gemini CSEC_PUBLIC:jertel/wip CSEC_PUBLIC:2.4/main CSEC_PUBLIC:patch/2.4.201 CSEC_PUBLIC:mwright/assistant-case-reports CSEC_PUBLIC:reyesj2/elastic-statereview CSEC_PUBLIC:foxtrot CSEC_PUBLIC:TOoSmOotH-patch-1 CSEC_PUBLIC:fixsource CSEC_PUBLIC:certtest CSEC_PUBLIC:delta CSEC_PUBLIC:2.4/playbooklocalrepo CSEC_PUBLIC:kaffytaffy CSEC_PUBLIC:2.3/main CSEC_PUBLIC:dev CSEC_PUBLIC:kilo CSEC_PUBLIC:sysusers CSEC_PUBLIC:feature/users
CSEC_PUBLIC:2.4.201-20260114 CSEC_PUBLIC:2.4.200-20251216 CSEC_PUBLIC:2.4.190-20251024 CSEC_PUBLIC:2.4.180-20250916 CSEC_PUBLIC:2.4.170-20250812 CSEC_PUBLIC:2.4.160-20250625 CSEC_PUBLIC:2.4.160-20250615 CSEC_PUBLIC:2.4.150-20250522 CSEC_PUBLIC:2.4.150-20250512 CSEC_PUBLIC:2.4.141-20250331 CSEC_PUBLIC:2.4.140-20250324 CSEC_PUBLIC:2.4.130-20250311 CSEC_PUBLIC:2.4.120-20250212 CSEC_PUBLIC:2.4.111-20241217 CSEC_PUBLIC:2.4.110-20241010 CSEC_PUBLIC:2.4.110-20241004 CSEC_PUBLIC:2.4.100-20240903 CSEC_PUBLIC:2.4.100-20240829 CSEC_PUBLIC:2.4.90-20240729 CSEC_PUBLIC:2.4.80-20240624 CSEC_PUBLIC:2.4.80-20240625 CSEC_PUBLIC:2.4.70-20240529 CSEC_PUBLIC:2.3.300-20240401 CSEC_PUBLIC:2.4.60-20240320 CSEC_PUBLIC:2.3.290-20240229 CSEC_PUBLIC:2.4.50-20240220 CSEC_PUBLIC:2.4.40-20240116 CSEC_PUBLIC:2.4.30-20231228 CSEC_PUBLIC:2.4.30-20231219 CSEC_PUBLIC:2.4.30-20231204 CSEC_PUBLIC:2.3.280-20231128 CSEC_PUBLIC:2.4.30-20231121 CSEC_PUBLIC:2.4.30-20231117 CSEC_PUBLIC:2.4.30-20231113 CSEC_PUBLIC:2.4.20-20231012 CSEC_PUBLIC:2.4.20-20231006 CSEC_PUBLIC:2.3.270-1006 CSEC_PUBLIC:2.4.10-202030821 CSEC_PUBLIC:2.4.10-20230815 CSEC_PUBLIC:2.4.5-20230807 CSEC_PUBLIC:2.4.5 CSEC_PUBLIC:2.4.4-20230728 CSEC_PUBLIC:2.4.3-20230711 CSEC_PUBLIC:2.3.260-20230620 CSEC_PUBLIC:2.4.2-20230531 CSEC_PUBLIC:2.3.250-20230519 CSEC_PUBLIC:2.3.240-20220426 CSEC_PUBLIC:2.4.1-20230424 CSEC_PUBLIC:2.3.230-20230417 CSEC_PUBLIC:2.4.0-20230328 CSEC_PUBLIC:2.3.220-20230301 CSEC_PUBLIC:2.3.220-20230224 CSEC_PUBLIC:2.3.210-20230202 CSEC_PUBLIC:2.3.200-20230113 CSEC_PUBLIC:2.3.190-20221207 CSEC_PUBLIC:2.3.190-20221205 CSEC_PUBLIC:2.3.182-20221109 CSEC_PUBLIC:2.3.181-20221021 CSEC_PUBLIC:2.3.180-20221014 CSEC_PUBLIC:2.3.170-20220922 CSEC_PUBLIC:2.3.160-20220829 CSEC_PUBLIC:2.3.150-20220820 CSEC_PUBLIC:2.3.140-20220812 CSEC_PUBLIC:2.3.140-20220719 CSEC_PUBLIC:2.3.140-20220718 CSEC_PUBLIC:2.3.130-20220607 CSEC_PUBLIC:2.3.120 CSEC_PUBLIC:2.3.110-20220407 CSEC_PUBLIC:2.3.110-20220405 CSEC_PUBLIC:2.3.110-20220401 CSEC_PUBLIC:2.3.110-20220309 CSEC_PUBLIC:2.3.100-20220301 CSEC_PUBLIC:2.3.100-20220203 CSEC_PUBLIC:2.3.100-20220202 CSEC_PUBLIC:2.3.100 CSEC_PUBLIC:2.3.91 CSEC_PUBLIC:2.3.90-20211213 CSEC_PUBLIC:2.3.90-20211210 CSEC_PUBLIC:2.3.90-20211206 CSEC_PUBLIC:2.3.90-AIRGAPFIX CSEC_PUBLIC:2.3.90-WAZUH CSEC_PUBLIC:2.3.90 CSEC_PUBLIC:2.3.80 CSEC_PUBLIC:2.3.70-WAZUH CSEC_PUBLIC:2.3.70-GRAFANA CSEC_PUBLIC:2.3.70-CURATOR CSEC_PUBLIC:2.3.70 CSEC_PUBLIC:2.3.61MSEARCH CSEC_PUBLIC:2.3.61STENODOCKER CSEC_PUBLIC:2.3.61 CSEC_PUBLIC:2.3.60CURATORAUTH CSEC_PUBLIC:2.3.60FBPIPELINE CSEC_PUBLIC:2.3.60HEAVYNODE CSEC_PUBLIC:2.3.60ECS CSEC_PUBLIC:2.3.60 CSEC_PUBLIC:2.3.52 CSEC_PUBLIC:2.3.51 CSEC_PUBLIC:2.3.50GRIDFIX CSEC_PUBLIC:2.3.50 CSEC_PUBLIC:2.3.40 CSEC_PUBLIC:2.3.30 CSEC_PUBLIC:2.3.21 CSEC_PUBLIC:2.3.20 CSEC_PUBLIC:2.3.10 CSEC_PUBLIC:2.3.2 CSEC_PUBLIC:2.3.1 CSEC_PUBLIC:2.3.0 CSEC_PUBLIC:2.2.0-rc3 CSEC_PUBLIC:2.1.0-rc2 CSEC_PUBLIC:2.0.1-rc1.1 CSEC_PUBLIC:2.0.1-rc1 CSEC_PUBLIC:2.0.0-rc1 CSEC_PUBLIC:1.4.1 CSEC_PUBLIC:1.4.0 CSEC_PUBLIC:1.3.0 CSEC_PUBLIC:1.2.1-1 CSEC_PUBLIC:1.2.1 CSEC_PUBLIC:1.1.4 CSEC_PUBLIC:1.1.3 CSEC_PUBLIC:1.0.4 CSEC_PUBLIC:v1.0.3
..
compare: CSEC_PUBLIC:2.4.120-20250212
Branches Tags
CSEC_PUBLIC:2.4/dev CSEC_PUBLIC:bravo CSEC_PUBLIC:fstes CSEC_PUBLIC:cogburn/gemini CSEC_PUBLIC:jertel/wip CSEC_PUBLIC:2.4/main CSEC_PUBLIC:patch/2.4.201 CSEC_PUBLIC:mwright/assistant-case-reports CSEC_PUBLIC:reyesj2/elastic-statereview CSEC_PUBLIC:foxtrot CSEC_PUBLIC:TOoSmOotH-patch-1 CSEC_PUBLIC:fixsource CSEC_PUBLIC:certtest CSEC_PUBLIC:delta CSEC_PUBLIC:2.4/playbooklocalrepo CSEC_PUBLIC:kaffytaffy CSEC_PUBLIC:2.3/main CSEC_PUBLIC:master CSEC_PUBLIC:dev CSEC_PUBLIC:kilo CSEC_PUBLIC:sysusers CSEC_PUBLIC:feature/users
CSEC_PUBLIC:2.4.201-20260114 CSEC_PUBLIC:2.4.200-20251216 CSEC_PUBLIC:2.4.190-20251024 CSEC_PUBLIC:2.4.180-20250916 CSEC_PUBLIC:2.4.170-20250812 CSEC_PUBLIC:2.4.160-20250625 CSEC_PUBLIC:2.4.160-20250615 CSEC_PUBLIC:2.4.150-20250522 CSEC_PUBLIC:2.4.150-20250512 CSEC_PUBLIC:2.4.141-20250331 CSEC_PUBLIC:2.4.140-20250324 CSEC_PUBLIC:2.4.130-20250311 CSEC_PUBLIC:2.4.120-20250212 CSEC_PUBLIC:2.4.111-20241217 CSEC_PUBLIC:2.4.110-20241010 CSEC_PUBLIC:2.4.110-20241004 CSEC_PUBLIC:2.4.100-20240903 CSEC_PUBLIC:2.4.100-20240829 CSEC_PUBLIC:2.4.90-20240729 CSEC_PUBLIC:2.4.80-20240624 CSEC_PUBLIC:2.4.80-20240625 CSEC_PUBLIC:2.4.70-20240529 CSEC_PUBLIC:2.3.300-20240401 CSEC_PUBLIC:2.4.60-20240320 CSEC_PUBLIC:2.3.290-20240229 CSEC_PUBLIC:2.4.50-20240220 CSEC_PUBLIC:2.4.40-20240116 CSEC_PUBLIC:2.4.30-20231228 CSEC_PUBLIC:2.4.30-20231219 CSEC_PUBLIC:2.4.30-20231204 CSEC_PUBLIC:2.3.280-20231128 CSEC_PUBLIC:2.4.30-20231121 CSEC_PUBLIC:2.4.30-20231117 CSEC_PUBLIC:2.4.30-20231113 CSEC_PUBLIC:2.4.20-20231012 CSEC_PUBLIC:2.4.20-20231006 CSEC_PUBLIC:2.3.270-1006 CSEC_PUBLIC:2.4.10-202030821 CSEC_PUBLIC:2.4.10-20230815 CSEC_PUBLIC:2.4.5-20230807 CSEC_PUBLIC:2.4.5 CSEC_PUBLIC:2.4.4-20230728 CSEC_PUBLIC:2.4.3-20230711 CSEC_PUBLIC:2.3.260-20230620 CSEC_PUBLIC:2.4.2-20230531 CSEC_PUBLIC:2.3.250-20230519 CSEC_PUBLIC:2.3.240-20220426 CSEC_PUBLIC:2.4.1-20230424 CSEC_PUBLIC:2.3.230-20230417 CSEC_PUBLIC:2.4.0-20230328 CSEC_PUBLIC:2.3.220-20230301 CSEC_PUBLIC:2.3.220-20230224 CSEC_PUBLIC:2.3.210-20230202 CSEC_PUBLIC:2.3.200-20230113 CSEC_PUBLIC:2.3.190-20221207 CSEC_PUBLIC:2.3.190-20221205 CSEC_PUBLIC:2.3.182-20221109 CSEC_PUBLIC:2.3.181-20221021 CSEC_PUBLIC:2.3.180-20221014 CSEC_PUBLIC:2.3.170-20220922 CSEC_PUBLIC:2.3.160-20220829 CSEC_PUBLIC:2.3.150-20220820 CSEC_PUBLIC:2.3.140-20220812 CSEC_PUBLIC:2.3.140-20220719 CSEC_PUBLIC:2.3.140-20220718 CSEC_PUBLIC:2.3.130-20220607 CSEC_PUBLIC:2.3.120 CSEC_PUBLIC:2.3.110-20220407 CSEC_PUBLIC:2.3.110-20220405 CSEC_PUBLIC:2.3.110-20220401 CSEC_PUBLIC:2.3.110-20220309 CSEC_PUBLIC:2.3.100-20220301 CSEC_PUBLIC:2.3.100-20220203 CSEC_PUBLIC:2.3.100-20220202 CSEC_PUBLIC:2.3.100 CSEC_PUBLIC:2.3.91 CSEC_PUBLIC:2.3.90-20211213 CSEC_PUBLIC:2.3.90-20211210 CSEC_PUBLIC:2.3.90-20211206 CSEC_PUBLIC:2.3.90-AIRGAPFIX CSEC_PUBLIC:2.3.90-WAZUH CSEC_PUBLIC:2.3.90 CSEC_PUBLIC:2.3.80 CSEC_PUBLIC:2.3.70-WAZUH CSEC_PUBLIC:2.3.70-GRAFANA CSEC_PUBLIC:2.3.70-CURATOR CSEC_PUBLIC:2.3.70 CSEC_PUBLIC:2.3.61MSEARCH CSEC_PUBLIC:2.3.61STENODOCKER CSEC_PUBLIC:2.3.61 CSEC_PUBLIC:2.3.60CURATORAUTH CSEC_PUBLIC:2.3.60FBPIPELINE CSEC_PUBLIC:2.3.60HEAVYNODE CSEC_PUBLIC:2.3.60ECS CSEC_PUBLIC:2.3.60 CSEC_PUBLIC:2.3.52 CSEC_PUBLIC:2.3.51 CSEC_PUBLIC:2.3.50GRIDFIX CSEC_PUBLIC:2.3.50 CSEC_PUBLIC:2.3.40 CSEC_PUBLIC:2.3.30 CSEC_PUBLIC:2.3.21 CSEC_PUBLIC:2.3.20 CSEC_PUBLIC:2.3.10 CSEC_PUBLIC:2.3.2 CSEC_PUBLIC:2.3.1 CSEC_PUBLIC:2.3.0 CSEC_PUBLIC:2.2.0-rc3 CSEC_PUBLIC:2.1.0-rc2 CSEC_PUBLIC:2.0.1-rc1.1 CSEC_PUBLIC:2.0.1-rc1 CSEC_PUBLIC:2.0.0-rc1 CSEC_PUBLIC:1.4.1 CSEC_PUBLIC:1.4.0 CSEC_PUBLIC:1.3.0 CSEC_PUBLIC:1.2.1-1 CSEC_PUBLIC:1.2.1 CSEC_PUBLIC:1.1.4 CSEC_PUBLIC:1.1.3 CSEC_PUBLIC:1.0.4 CSEC_PUBLIC:v1.0.3

288 Commits
2.4.110-20 ... 2.4.120-20

Author SHA1 Message Date
Mike Reeves
d430dd2b73 Merge pull request #14219 from Security-Onion-Solutions/2.4/dev 
2.4.120
 2025-02-12 11:14:56 -05:00
Mike Reeves
43a0020a9e Merge pull request #14220 from Security-Onion-Solutions/fixeroni 
Merge Conflict Fix
 2025-02-12 09:37:04 -05:00
Mike Reeves
b0e82cd59b Fix Conflict 2025-02-12 09:35:52 -05:00
Mike Reeves
237370f0c7 Merge pull request #14218 from Security-Onion-Solutions/2.4.120 
2.4.120
 2025-02-12 09:20:40 -05:00
Mike Reeves
69be367acf 2.4.120 2025-02-12 09:09:38 -05:00
Jorge Reyes
66bc0d487c Merge pull request #14206 from Security-Onion-Solutions/reyesj2-patch-00 
zeek.software typo
 2025-02-07 15:27:52 -06:00
reyesj2
9bde70a8e2 zeek.software typo 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2025-02-07 15:19:40 -06:00
Jorge Reyes
322941f29a Merge pull request #14203 from Security-Onion-Solutions/reyesj2-patch-00 
fix defining custom logstash pipelines when kafka is enabled
 2025-02-07 07:52:11 -06:00
reyesj2
dd17ee7665 fix defining custom logstash pipelines when kafka is enabled 2025-02-06 22:19:24 -06:00
Jason Ertel
4b51066327 Merge pull request #14191 from Security-Onion-Solutions/jertel/wip 
ca download; ignore shard errors on startup; clarify oidc id
 2025-02-05 15:09:57 -05:00
Jason Ertel
bf19c6e730 ca download; ignore shard errors on startup; clarify oidc id 2025-02-05 15:04:04 -05:00
Josh Brower
12a2b491c3 Merge pull request #14190 from Security-Onion-Solutions/2.4/fixmsi 
Refresh Agent installers
 2025-02-05 10:22:17 -05:00
Joshua Brower
4636a8d9b1 Refresh Agent installers 2025-02-05 09:38:33 -05:00
Josh Brower
abbb0db1ff Merge pull request #14189 from Security-Onion-Solutions/2.4/fixmsi 
Rework for MSI
 2025-02-05 09:35:37 -05:00
Joshua Brower
95fe212202 Rework for MSI 2025-02-05 09:29:45 -05:00
coreyogburn
fbb9bf14e9 Merge pull request #14183 from Security-Onion-Solutions/cogburn/escalate-limit 
New Limit on Bulk Creating Related Events
 2025-02-04 15:24:53 -07:00
Corey Ogburn
23ebe966e0 Added Large Values Warning 
maxBulkEscalateEvents now has a warning that large values may run into other limits.
 2025-02-04 10:33:04 -07:00
Corey Ogburn
d0fa6eaf83 New Limit on Bulk Creating Related Events 
Used by the UI and API to hint at a user that not every event will be attached to a case. Supports values up to 10,000 (the default limit on the number of documents returned by a single ES search).
 2025-02-03 14:20:33 -07:00
Josh Brower
7a0309cdf4 Merge pull request #14179 from Security-Onion-Solutions/2.4/fixilmpolicy 
Fix ip-mappings ILM
 2025-02-03 09:35:55 -05:00
Joshua Brower
b874619f0d Fix ip-mappings ILM 2025-02-03 09:31:08 -05:00
Jason Ertel
028c73fd3a Merge pull request #14162 from Security-Onion-Solutions/TOoSmOotH-patch-2 
Update so-functions
 2025-01-29 10:12:20 -05:00
Mike Reeves
27e9773782 Update so-functions 2025-01-29 10:07:52 -05:00
Josh Patterson
7ae128dec6 Merge pull request #14161 from Security-Onion-Solutions/esdtsn 
env discovery.type single-node change
 2025-01-29 09:29:04 -05:00
Josh Patterson
fe4129c8e0 env discovery.type single-node change 
only managers and heavynodes are eligible for discovery.type=single-node
 2025-01-29 09:11:52 -05:00
Jason Ertel
ca0c1170ab Merge pull request #14140 from Security-Onion-Solutions/jertel/wip 
fix issue with first-time api client permission toggling
 2025-01-22 17:43:54 -05:00
Jason Ertel
db9387764d fix issue with first-time api client permission toggling 2025-01-22 17:41:04 -05:00
Jorge Reyes
704e30219a Merge pull request #14124 from Security-Onion-Solutions/reyesj2-patch-8 
keep imported data in logs-import-so index
 2025-01-17 13:33:26 -06:00
reyesj2
1396083b7d use so-elasticsearch-query where possible; simplify suricata.alerts index reroute 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2025-01-17 13:29:46 -06:00
Jason Ertel
7017024ba7 Merge pull request #14123 from Security-Onion-Solutions/jertel/wip 
Additional web security measures
 2025-01-17 12:31:42 -05:00
Jason Ertel
7705f45d78 Revert "subgrid config annotations" 
This reverts commit 3ab1b907e4.
 2025-01-17 12:16:12 -05:00
Jason Ertel
964bbe6aa5 additional web server security measures 2025-01-17 12:14:30 -05:00
reyesj2
01a2e4cd4f check for index existence before attemping rollover 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2025-01-17 09:27:28 -06:00
reyesj2
9032d7d7bc any suricata.alert with event.imported: true remains in logs-import-so 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2025-01-16 18:48:31 -06:00
reyesj2
d573c0922d add 2.4.111 -> postupgrade check 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2025-01-16 18:25:06 -06:00
reyesj2
45d3438d18 update ingest pipeline for imported logs 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2025-01-16 17:33:14 -06:00
Jorge Reyes
6c80fd0e18 Merge pull request #14116 from Security-Onion-Solutions/reyesj2-patch-8 
update global@custom
 2025-01-15 14:23:40 -06:00
reyesj2
b3b7fb8f29 add null check and move tag lookup to .contains() in global@custom 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2025-01-15 12:16:11 -06:00
Jason Ertel
d101fda423 Merge branch '2.4/dev' into jertel/wip 2025-01-15 11:06:05 -05:00
Jorge Reyes
846f2485db Merge pull request #14111 from Security-Onion-Solutions/reyesj2-patch-1 
update http query
 2025-01-14 08:26:43 -06:00
Jorge Reyes
107ca38268 fix http query for "includes" function 2025-01-14 08:24:07 -06:00
Jorge Reyes
35547b476f update http query 2025-01-14 08:13:27 -06:00
Jorge Reyes
ad765200c3 Merge pull request #14105 from Security-Onion-Solutions/reyesj2/moarzeekparse 
Additional Zeek parsing & cloudflare_logpush integration
 2025-01-13 11:37:21 -06:00
reyesj2
4618256442 include okta-mappings in so-logs-okta.system index template 2025-01-13 11:32:27 -06:00
reyesj2
323ef1d5d6 add missing lifecycle name to trend_micro_vision_one indices 2025-01-13 09:29:22 -06:00
reyesj2
a5b1648b68 add missing lifecycle name to crowdstrike indices 2025-01-13 09:26:16 -06:00
reyesj2
14c920a258 fix hidden ldap menu subtitle 2025-01-13 09:23:32 -06:00
reyesj2
4f92b7ced1 add support for cloudflare_logpush integration 2025-01-13 09:23:05 -06:00
Josh Brower
5ec2006c9e Merge pull request #14102 from Security-Onion-Solutions/2.4/nav-airgap 
Fix folder perm
 2025-01-10 16:20:18 -05:00
Joshua Brower
dcdf31eee8 Fix folder perm 2025-01-10 16:15:17 -05:00
Jason Ertel
3ab1b907e4 subgrid config annotations 2025-01-10 13:45:42 -05:00
reyesj2
e60a1e4357 zeek ldap & ldap_search parsing 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2025-01-09 16:06:10 -06:00
Josh Brower
2de1f0464f Merge pull request #14091 from Security-Onion-Solutions/2.4/nav-airgap 
Refactor Navigator Airgap
 2025-01-09 11:59:50 -05:00
Joshua Brower
bcb92b63e3 Move json files to container image 2025-01-09 10:58:40 -05:00
Jorge Reyes
412397fa7b Merge pull request #14089 from Security-Onion-Solutions/reyesj2/moarzeekparse 2025-01-08 17:45:14 -06:00
reyesj2
0e87351a9c add zeek.quic mappings 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2025-01-08 16:18:53 -06:00
Josh Brower
71f4150c27 Merge pull request #14013 from Security-Onion-Solutions/2.4/navigator 
Refactor Navigator for Detections
 2025-01-07 13:34:19 -05:00
Joshua Brower
a2caf7425d Add config options 2025-01-07 13:22:14 -05:00
Joshua Brower
6fa11a38ef Update defaults 2025-01-07 13:14:50 -05:00
Joshua Brower
e3f75215b6 Merge remote-tracking branch 'origin/2.4/dev' into 2.4/navigator 2025-01-07 13:06:49 -05:00
Jason Ertel
d14b6e6d7d Merge pull request #14077 from Security-Onion-Solutions/jertel/wip 
invalidate user sessions when an admin changes the user's password
 2025-01-06 17:26:56 -05:00
Jason Ertel
bd96b5d722 invalidate user sessions when an admin changes the user's password 2025-01-06 17:23:10 -05:00
Josh Brower
8408a53b82 Merge remote-tracking branch 'origin/2.4/dev' into 2.4/navigator 2025-01-02 16:13:34 -05:00
Jorge Reyes
5969e9accc Merge pull request #14060 from Security-Onion-Solutions/reyesj2/zeekquic 
zeek quic support
 2025-01-02 08:13:33 -06:00
Doug Burks
927b618ec9 Update Zeek QUIC dashboard, add Hunt query, add quic.server.name as column in Events table 2025-01-02 06:57:56 -05:00
reyesj2
9f83853922 Zeek QUIC support 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-12-31 13:44:20 -06:00
Josh Brower
8f5634d958 Merge pull request #14048 from Security-Onion-Solutions/2.4/sigmaHashes 
Refactor pipeline for hash changes
 2024-12-23 15:49:35 -05:00
defensivedepth
7237b8971e Refactor pipeline for hash changes 2024-12-23 15:41:13 -05:00
Mike Reeves
33239219cb Merge pull request #14046 from Security-Onion-Solutions/TOoSmOotH-patch-1 2024-12-23 08:34:01 -05:00
Mike Reeves
09ef096620 Update soup 2024-12-23 08:27:45 -05:00
Jason Ertel
6c19a4c68a Merge pull request #14043 from Security-Onion-Solutions/jertel/wip 
cloud installs should use the local docker registry data
 2024-12-19 15:01:25 -05:00
Jason Ertel
b8afef1ee4 cloud installs should use the local docker registry data 2024-12-19 14:56:40 -05:00
Jorge Reyes
16a819ff4f Merge pull request #14041 from Security-Onion-Solutions/reyesj2/opencti 
add ti_opencti integration support
 2024-12-18 12:12:03 -06:00
reyesj2
157185c370 add ti_opencti integration support 2024-12-18 11:33:49 -06:00
Mike Reeves
ace6c5c9e4 Merge pull request #14039 from Security-Onion-Solutions/docsfix 
Fix Discussions Dropdown
 2024-12-18 11:42:42 -05:00
Mike Reeves
4a4c8eace2 Update 2-4.yml 2024-12-18 10:49:34 -05:00
Jason Ertel
8183dcf363 Merge pull request #14038 from Security-Onion-Solutions/TOoSmOotH-patch-1 
Update 2-4.yml
 2024-12-18 10:38:42 -05:00
Mike Reeves
d4f1772d2e Update 2-4.yml 2024-12-18 10:36:15 -05:00
Jason Ertel
dc1c7d8bd2 Merge pull request #14036 from Security-Onion-Solutions/merger 
Merge in 2.4.111
 2024-12-18 10:25:42 -05:00
Mike Reeves
9c10094914 Fix conflict 2024-12-18 10:19:40 -05:00
Mike Reeves
72fed8d6a7 Merge branch '2.4/dev' of github.com:Security-Onion-Solutions/securityonion into 2.4/dev 2024-12-18 10:17:04 -05:00
Mike Reeves
ec90adc6d9 Merge branch '2.4/main' of github.com:Security-Onion-Solutions/securityonion into 2.4/main 2024-12-18 10:16:50 -05:00
Mike Reeves
93f3171a63 Merge pull request #14031 from Security-Onion-Solutions/patch/2.4.111 
2.4.111
 2024-12-18 10:05:48 -05:00
Mike Reeves
7d4c6b1174 Merge branch 'patch/2.4.111' of https://github.com/Security-Onion-Solutions/securityonion into patch/2.4.111 2024-12-18 09:29:08 -05:00
Mike Reeves
3e04bfbd21 2.4.111 2024-12-18 09:27:55 -05:00
Josh Brower
c6ebebc4d0 Merge pull request #14033 from Security-Onion-Solutions/patchfix 
Delete uneeded files
 2024-12-17 16:05:13 -05:00
defensivedepth
17405b849a Delete uneeded files 2024-12-17 16:01:31 -05:00
Mike Reeves
897e8f6883 2.4.111 2024-12-17 13:03:52 -05:00
Mike Reeves
7d06dd4b1d Update HOTFIX 2024-12-13 09:20:49 -05:00
Mike Reeves
5bc9fb19a8 Update VERSION 2024-12-13 09:18:58 -05:00
Mike Reeves
607aa1b992 Merge pull request #14016 from Security-Onion-Solutions/TOoSmOotH-patch-1 
Fix port bind for managing external suricata ruleset
 2024-12-10 17:40:35 -05:00
Mike Reeves
e4db2f4819 Update defaults.yaml 2024-12-10 17:19:15 -05:00
defensivedepth
9475211417 Refactor Navigator for Detections 2024-12-09 16:31:51 -05:00
Jorge Reyes
14cb41ea87 Merge pull request #14001 from Security-Onion-Solutions/reyesj2/zeekvpn 
add openvpn & ipsec support to Zeek
 2024-12-06 12:06:02 -06:00
Jorge Reyes
edd90cbed4 Merge pull request #14004 from Security-Onion-Solutions/reyesj2/logcheck 
file extract zeek v7
 2024-12-06 10:28:15 -06:00
reyesj2
1de20e9d43 fix zeek file extract 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-12-06 09:55:56 -06:00
reyesj2
ad8b339a3b fix error due to null reference 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-12-06 09:07:16 -06:00
reyesj2
9532f21c7b check zeek reporter.log 2024-12-05 13:49:44 -06:00
reyesj2
754d28e95d add openvpn & ipsec support to Zeek 2024-12-05 09:52:55 -06:00
Josh Brower
726bdd8735 Merge pull request #13995 from Security-Onion-Solutions/feature/msi 
fix path
 2024-12-02 14:49:22 -05:00
defensivedepth
5b9f6b2d52 fix path 2024-12-02 14:42:56 -05:00
Josh Brower
aabff98bea Merge pull request #13989 from Security-Onion-Solutions/feature/msi 
Generate MSI
 2024-12-02 09:17:45 -05:00
defensivedepth
aade3db80d Generate MSI 2024-11-28 07:00:23 -05:00
Jorge Reyes
129c10dde5 Merge pull request #13981 from Security-Onion-Solutions/reyesj2/integ 2024-11-26 00:55:31 -06:00
reyesj2
993d56cb58 ti_rapid7* 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-11-25 15:51:49 -06:00
reyesj2
efa6a533c3 add missing ilm to index template 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-11-25 15:47:47 -06:00
Josh Brower
04ffdf9b15 Merge pull request #13958 from Security-Onion-Solutions/2.4/autoenablesigma 
More flexibility for AutoEnable Sigma rules
 2024-11-21 09:47:49 -05:00
defensivedepth
f61bf1bd67 Remove adv 2024-11-21 09:15:29 -05:00
defensivedepth
b1c4e32123 Remove duplicate option 2024-11-21 09:11:44 -05:00
defensivedepth
8958da83b3 Deprecate instead 2024-11-20 18:00:26 -05:00
defensivedepth
3fcf197bc1 Tweak structure 2024-11-19 11:54:15 -05:00
Jason Ertel
532dfd7f5a Merge pull request #13966 from Security-Onion-Solutions/jertel/wip 
MFA issuer name shouldn't be an advanced setting
 2024-11-19 09:35:26 -05:00
Jason Ertel
92ddf2ec6c MFA issuer name shouldn't be an advanced setting 2024-11-19 09:27:26 -05:00
coreyogburn
a703f46a0a Merge pull request #13961 from Security-Onion-Solutions/cogburn/engine-update-config 
Add Annotations to Existing Detections Options
 2024-11-18 14:46:04 -07:00
Corey Ogburn
d86c009f55 Add Annotations to Existing Detections Options 
The autoUpdateEnabled setting has been present for awhile and now have annotations.
 2024-11-18 14:35:55 -07:00
defensivedepth
56d6857cd6 Addl customization for autoenable sigma 2024-11-18 09:03:17 -05:00
Jason Ertel
52bc9be6b6 Merge pull request #13956 from Security-Onion-Solutions/jertel/wip 
ignore fp from hydra
 2024-11-17 18:23:54 -05:00
Jason Ertel
918f26962a ignore fp from hydra 2024-11-17 12:21:06 -05:00
Jason Ertel
3bf7870729 Merge pull request #13955 from Security-Onion-Solutions/jertel/wip 
soup corrections
 2024-11-16 21:31:08 -05:00
Jason Ertel
0eebe48492 soup corrections 2024-11-16 21:20:24 -05:00
Mike Reeves
e02cb30f1b Merge branch '2.4/dev' of github.com:Security-Onion-Solutions/securityonion into 2.4/dev 2024-11-16 20:41:31 -05:00
Mike Reeves
d005f0d7d6 Merge branch '2.4/main' of github.com:Security-Onion-Solutions/securityonion into 2.4/main 2024-11-16 20:41:20 -05:00
Jason Ertel
cc44558f40 Merge pull request #13954 from Security-Onion-Solutions/jertel/wip 
revert prev commit
 2024-11-16 12:08:49 -05:00
Jason Ertel
73521dd7a7 revert prev commit 2024-11-16 11:09:44 -05:00
Jorge Reyes
3041d7d2b1 Merge pull request #13951 from Security-Onion-Solutions/reyesj2/integ 
additional integrations
 2024-11-15 15:02:04 -06:00
Jason Ertel
b6ab5249f1 Merge pull request #13953 from Security-Onion-Solutions/jertel/wip 
Connect API upgrades
 2024-11-15 14:32:37 -05:00
Jason Ertel
dc838e7148 connect 2024-11-15 14:25:52 -05:00
Jason Ertel
f290e52fbd connect 2024-11-15 14:25:11 -05:00
Jason Ertel
e4de376394 connect api 2024-11-15 13:42:02 -05:00
reyesj2
44ec237447 additional integration support - cisco secure email gateway - rapid7 threat command 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-11-15 11:39:01 -06:00
Jorge Reyes
ec5a6aec41 Merge pull request #13946 from Security-Onion-Solutions/foxtrot 
Zeek 7 w/ http2
 2024-11-14 14:52:48 -06:00
Josh Patterson
7f96d20eb4 Merge pull request #13944 from Security-Onion-Solutions/saltbootstrap 
update bootstrap-salt
 2024-11-14 10:25:16 -05:00
Jorge Reyes
dfd9108f39 Merge pull request #13945 from Security-Onion-Solutions/2.4/dev 
2.4/dev
 2024-11-14 09:13:00 -06:00
Jorge Reyes
e07c1e6958 Merge pull request #13943 from Security-Onion-Solutions/zeek7 
add http2
 2024-11-14 09:11:08 -06:00
reyesj2
1113c3924f zeek http2 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-11-14 09:09:23 -06:00
m0duspwnens
b1ddaa7211 support installing specified version for rhel variants. remove bootstrap -x python3 since not needed 2024-11-14 09:07:41 -05:00
Jorge Reyes
ff00ddeb3c Merge pull request #13935 from Security-Onion-Solutions/ilm-detection 2024-11-13 15:07:29 -06:00
reyesj2
ba7a6dbbf0 Remove tuning/defaults "Remove in v7.1 The policy/tuning/defaults package is deprecated. The options set here are now the defaults for Zeek in general." 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-11-12 18:37:46 -06:00
reyesj2
f3a88de0c3 so-(case/detection)history uses same ilm policy as so-(case/detection) 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-11-12 16:28:01 -06:00
Jorge Reyes
4e0b5569dc Merge pull request #13933 from Security-Onion-Solutions/ilm-detection 
add ilm and update managed index settings
 2024-11-12 15:22:05 -06:00
reyesj2
a4d763c1e5 use curl vs es query to force PUT request 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-11-12 14:50:04 -06:00
m0duspwnens
33fdc23965 remove salt repo files created by saltbootstrap 2024-11-12 11:31:42 -05:00
reyesj2
aaf9f53695 update soup; check for index before applying new index setting 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-11-11 22:40:06 -06:00
Jason Ertel
59cf049a06 Merge pull request #13930 from Security-Onion-Solutions/jertel/wip 
ensure roles file exists since no longer syncing clients to es
 2024-11-11 18:53:46 -05:00
Jason Ertel
5b74a55c3c ensure roles file exists since no longer syncing clients to es 2024-11-11 17:21:42 -05:00
Josh Patterson
f2ce070833 Merge pull request #13927 from Security-Onion-Solutions/saltbootstrap 
upodate saltbootstrap
 2024-11-11 16:17:23 -05:00
reyesj2
ce9bd18947 no error when versionlock dir exists after re-running soup 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-11-11 14:59:42 -06:00
m0duspwnens
9e5d0e88de fix soversion path 2024-11-11 15:56:01 -05:00
reyesj2
43f7989d73 () 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-11-11 14:47:17 -06:00
m0duspwnens
69245e4fad have soup_scripts remove old salt repo file 2024-11-11 15:31:57 -05:00
Jason Ertel
f8f496da73 Merge pull request #13923 from Security-Onion-Solutions/jertel/wip 
Connect API
 2024-11-11 15:04:34 -05:00
reyesj2
6dbe0645e5 use auto_expand_replica, configure ilm for so-case* & so-detection* 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-11-11 13:51:48 -06:00
Jason Ertel
d4ed34d0ea connect 2024-11-11 11:56:19 -05:00
m0duspwnens
7875406da1 update bootstrap-salt for broadcom changes 2024-11-11 10:54:51 -05:00
Jason Ertel
57a9992a3d Merge branch '2.4/dev' into jertel/wip 2024-11-11 10:06:44 -05:00
Josh Patterson
b3ce624fff Merge pull request #13921 from Security-Onion-Solutions/reposynccron 
only enable repo sync cron if OEL
 2024-11-08 16:16:48 -05:00
m0duspwnens
ee4405e75e only enable repo sync cron if OEL 2024-11-08 16:13:44 -05:00
Josh Brower
f7c3957a43 Merge pull request #13920 from Security-Onion-Solutions/2.4/templaterepos 
Fix permissions
 2024-11-08 15:34:56 -05:00
defensivedepth
dcbb0e48d4 make sure its owned by socore 2024-11-08 14:34:29 -05:00
defensivedepth
74b95a0bcc Merge remote-tracking branch 'origin/2.4/dev' into 2.4/templaterepos 2024-11-08 09:20:11 -05:00
defensivedepth
8b70aa9f0e Fix socore permissions 2024-11-08 09:19:41 -05:00
coreyogburn
9095595db1 Merge pull request #13915 from Security-Onion-Solutions/cogburn/source-dates 
Source Dates
 2024-11-07 14:55:48 -07:00
Corey Ogburn
8334fd9c46 Source Dates 2024-11-07 14:44:45 -07:00
Jason Ertel
31cf6a2ebc connect 2024-11-07 16:17:30 -05:00
Jason Ertel
97f4cbdade connect 2024-11-07 16:16:37 -05:00
Jason Ertel
ba0abb156a connect 2024-11-07 16:08:28 -05:00
Josh Brower
47f9b0021c Merge pull request #13879 from Security-Onion-Solutions/2.4/templaterepos 
Add local custom template
 2024-11-07 15:40:36 -05:00
defensivedepth
f5bd8ab585 Rewrite docs 2024-11-07 15:33:47 -05:00
Jorge Reyes
356236ba4c Merge pull request #13912 from Security-Onion-Solutions/crowdstrike 
fix crowdstrike integration
 2024-11-07 08:53:36 -06:00
defensivedepth
28d468dd41 Merge remote-tracking branch 'origin/2.4/dev' into 2.4/templaterepos 2024-11-07 07:25:01 -05:00
reyesj2
80b82b0bd6 missing replica 0 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-11-06 15:24:13 -06:00
reyesj2
039d5c22ac fix: crowdstrike integration 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-11-06 14:35:41 -06:00
coreyogburn
07b867df76 Merge pull request #13904 from Security-Onion-Solutions/cogburn/ignored-sids 
Cogburn/ignored sids
 2024-11-05 12:30:08 -07:00
Corey Ogburn
52a144c052 Added Help Link to Annotation for IgnoredSidRanges 2024-11-05 12:11:17 -07:00
Corey Ogburn
25d55feeef More Detailed Description 2024-11-05 11:41:14 -07:00
Corey Ogburn
5e48ccafce Update Default Value 2024-11-05 11:11:34 -07:00
Corey Ogburn
69dd35c30a Add Option for Ignoring Ranges of SIDs in Suricata Integrity Check 2024-11-04 14:31:53 -07:00
Josh Patterson
d37a8d51fa Merge pull request #13900 from Security-Onion-Solutions/saltrepo 
setup use new salt repo
 2024-11-04 13:05:58 -05:00
m0duspwnens
6e14f7b626 fix pub key name 2024-11-04 11:14:00 -05:00
Jason Ertel
e8ab7bce0c connect 2024-11-04 10:49:30 -05:00
m0duspwnens
083c678400 new salt repo 2024-11-04 09:46:26 -05:00
Jason Ertel
7442ffc7d8 connect 2024-11-01 16:37:24 -04:00
Jason Ertel
25479ca71f connect 2024-11-01 16:29:04 -04:00
Jason Ertel
c9f6b5206a connect 2024-11-01 16:18:40 -04:00
Jason Ertel
755cfb4e13 connect 2024-11-01 15:47:33 -04:00
Jason Ertel
fb73517fc1 connect 2024-11-01 15:43:26 -04:00
Jason Ertel
825dbb36dd connect 2024-11-01 15:37:59 -04:00
Jason Ertel
cd2e5bf2d0 rename role 2024-10-31 17:20:44 -04:00
Jason Ertel
520c9d8d51 rename role 2024-10-31 16:42:42 -04:00
Jason Ertel
370b117938 rename role 2024-10-31 16:39:45 -04:00
Josh Brower
6ab05e7c05 Merge pull request #13890 from Security-Onion-Solutions/2.4/templatefix 
timestamp fix
 2024-10-31 10:59:45 -04:00
defensivedepth
7896f951f3 timestamp fix 2024-10-31 10:24:58 -04:00
Josh Brower
01932d873f Merge pull request #13883 from Security-Onion-Solutions/2.4/lookuprev2 
2.4/lookuprev2
 2024-10-31 08:46:01 -04:00
Josh Brower
84a8477c5d Merge pull request #13887 from Security-Onion-Solutions/2.4/soupedite 
rm eaintegration state file
 2024-10-30 17:15:07 -04:00
defensivedepth
6b468eaed3 rm eaintegration state file 2024-10-30 16:52:44 -04:00
Jason Ertel
a146153ee9 switch to json 2024-10-30 12:44:01 -04:00
defensivedepth
c509dab5f1 Use socore user 2024-10-30 11:03:14 -04:00
Josh Brower
1940901386 Merge pull request #13882 from Security-Onion-Solutions/ipmappingses 
add so-ip-mappings index
 2024-10-30 10:28:40 -04:00
reyesj2
36fc3bbd6d add so-ip-mappings index 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-10-30 10:24:11 -04:00
defensivedepth
5406a263d5 Add local custom template 2024-10-29 19:42:06 -04:00
Jason Ertel
3f3ac21f50 connect 2024-10-29 12:28:24 -04:00
Jason Ertel
11820a16f0 connect 2024-10-29 12:04:38 -04:00
Josh Brower
ac359839e2 Merge pull request #13877 from Security-Onion-Solutions/2.4/lookuprev2 
Initial support for local lookup
 2024-10-29 11:22:39 -04:00
defensivedepth
4c5099d429 Initial support for local lookup 2024-10-29 10:27:54 -04:00
Jason Ertel
1243c7588b connect 2024-10-28 19:42:01 -04:00
Jason Ertel
624c4855c8 connect 2024-10-28 19:25:20 -04:00
Jason Ertel
12a76a9d35 connect 2024-10-28 19:11:26 -04:00
Josh Brower
6a3e5415cf Merge pull request #13832 from Security-Onion-Solutions/2.4/sigmapipelines 
Add process and file creation mappings
 2024-10-28 18:30:21 -04:00
coreyogburn
2c4f65009c Merge pull request #13873 from Security-Onion-Solutions/cogburn/tuning-notes 
Tuning Notes
 2024-10-28 15:37:06 -06:00
defensivedepth
f3ca5b1c42 Remove OS-specific mappings 2024-10-28 09:19:51 -04:00
Corey Ogburn
640f53d085 Cleanup 
Fix indentation and trailing comma.
 2024-10-24 17:05:36 -06:00
Corey Ogburn
1aa9d87c5d Corrected 
Put the note on the right model this time.
 2024-10-24 17:05:36 -06:00
Corey Ogburn
e11c562022 Added Note to ES Mappings 2024-10-24 17:05:35 -06:00
coreyogburn
a76a2d8e9f Merge pull request #13800 from Security-Onion-Solutions/cogburn/detection-status-hunt 
Cogburn/detection status hunt
 2024-10-24 16:31:59 -06:00
Jason Ertel
d503c09ef2 connect 2024-10-24 15:45:18 -04:00
Corey Ogburn
6ce52bf9ab Specify Defaults for detectionEngineStatusQueries 
Specify the defaults as an example to the user.
 2024-10-24 13:11:49 -06:00
Corey Ogburn
f67fcecc6e Clean up StatusQueries String 2024-10-24 11:18:48 -06:00
Corey Ogburn
b7c392a244 Corrected a misspelling 2024-10-24 11:18:48 -06:00
Corey Ogburn
ad0b0a5e95 Refactor to String 
To accomodate the config screen, the annotation now specifies it as a multiline string with a yaml syntax. The user can edit the yaml to add or remove queries. The UI will parse the YAML before use.

Also updated the IntegrityFailure queries to specify table columns more relevant to a sync failure than the default ones.
 2024-10-24 11:18:47 -06:00
Corey Ogburn
c77b0afd8e Move to Client/Detections 
Added a basic annotation.
 2024-10-24 11:18:47 -06:00
Corey Ogburn
04ebe4efea Array to Dictionary 2024-10-24 11:18:46 -06:00
Corey Ogburn
cbb4d6846f Detection Engine Status Queries 
A few for testing
 2024-10-24 11:18:45 -06:00
Josh Patterson
ba699b8d06 Merge pull request #13863 from Security-Onion-Solutions/issue/13851 
Issue/13851
 2024-10-24 11:00:28 -04:00
m0duspwnens
a0558ace16 replace: False to remove state warning 2024-10-24 10:33:16 -04:00
m0duspwnens
ca793966a8 set retry and interval to remove state warning 2024-10-24 10:32:42 -04:00
Jason Ertel
d9273ec369 exec bit 2024-10-24 09:40:47 -04:00
Jason Ertel
cacd5b0643 connect 2024-10-24 09:36:09 -04:00
Jason Ertel
7c405ff9d7 connect 2024-10-24 08:47:52 -04:00
Jason Ertel
5e6dd2e8b3 connect 2024-10-23 16:49:02 -04:00
Josh Patterson
dbc533e976 Merge pull request #13859 from Security-Onion-Solutions/stpndfls 
call airgap_rules if airgap. log rsync and git commands
 2024-10-23 16:44:41 -04:00
m0duspwnens
4d902da931 call airgap_rules if airgap. log rsync and git commands 2024-10-23 15:58:11 -04:00
Josh Patterson
578a18acbe Merge pull request #13853 from Security-Onion-Solutions/agcr 
install createrepo for airgap
 2024-10-23 14:21:26 -04:00
m0duspwnens
17ba048b50 use manager state to install createrepo_c for airgap 2024-10-23 10:40:26 -04:00
Josh Patterson
36a2bffdc7 Merge pull request #13855 from Security-Onion-Solutions/issue/204 
fix HELD for debian families
 2024-10-23 09:40:25 -04:00
m0duspwnens
8cc530dd4c fix HELD for debian families 2024-10-23 09:36:17 -04:00
m0duspwnens
1df104967e fix pkg name 2024-10-22 16:50:23 -04:00
m0duspwnens
7a0f6d5e93 fix pkg name 2024-10-22 16:42:01 -04:00
m0duspwnens
8d2ae23ae6 install createrepo on airgap and non airgap 2024-10-22 13:56:38 -04:00
m0duspwnens
21f359456c install createrepo for airgap 2024-10-22 11:35:08 -04:00
Jorge Reyes
2b4dfbe2ca Merge pull request #13849 from Security-Onion-Solutions/revert-13841-reyesj2/eaintegration 
Revert "Add support for cybereason integration"
 2024-10-21 15:26:15 -04:00
Jorge Reyes
cf95af66c6 Revert "Add support for cybereason integration" 2024-10-21 15:23:05 -04:00
Josh Patterson
b95563bdf1 Merge pull request #13842 from Security-Onion-Solutions/issue/204 
prevent state from failing if versionlock plugin not installed
 2024-10-18 14:48:03 -04:00
m0duspwnens
4d093735ec prevent state from failing if versionlock plugin not installed 2024-10-18 14:41:23 -04:00
Jorge Reyes
cd5d5b4bb0 Merge pull request #13841 from Security-Onion-Solutions/reyesj2/eaintegration 
Add support for cybereason integration
 2024-10-18 13:40:31 -04:00
reyesj2
8b11019712 Add support for cybereason integration 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-10-18 11:56:47 -04:00
Josh Patterson
1930740d10 Merge pull request #13836 from Security-Onion-Solutions/issue/204 
Issue/204
 2024-10-17 12:23:50 -04:00
m0duspwnens
39230159ae update description 2024-10-17 12:10:49 -04:00
Jason Ertel
4611ef3713 connect wip 2024-10-17 11:39:36 -04:00
Jason Ertel
1537b69457 connect wip 2024-10-17 11:25:40 -04:00
Jason Ertel
25fe83cd40 connect wip 2024-10-17 11:22:10 -04:00
Jason Ertel
435b9b14e3 connect wip 2024-10-17 10:49:39 -04:00
m0duspwnens
76ff0c56cd create versionlock pillar dir/files during soup to 120 2024-10-17 10:06:40 -04:00
m0duspwnens
17870bcab8 Merge remote-tracking branch 'origin/2.4/dev' into issue/204 2024-10-17 09:59:36 -04:00
m0duspwnens
5fb660bc9a remove kernel bool option, just use list 2024-10-17 09:29:03 -04:00
Jason Ertel
f713dbacf8 connect 2024-10-16 17:53:57 -04:00
m0duspwnens
73ce526467 allow users to lock pkgs from upgrade 2024-10-16 17:06:03 -04:00
Jorge Reyes
0ba6df3b23 Merge pull request #13834 from Security-Onion-Solutions/reyesj2/eaintegration 
FEATURE: add support for trend micro integrations
 2024-10-16 17:03:49 -04:00
reyesj2
322199358d add support for trendmicro integration 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-10-16 16:45:46 -04:00
defensivedepth
dcdfaf66f4 Add process and file creation mappings 2024-10-16 15:20:52 -04:00
Jason Ertel
d8546bf747 connect upgrade 2024-10-16 14:59:15 -04:00
Jason Ertel
1e5bf3aa98 connect upgrade 2024-10-16 14:21:11 -04:00
Jason Ertel
647f057714 Merge branch '2.4/dev' into jertel/wip 2024-10-16 13:44:20 -04:00
Jason Ertel
523ff66389 connect work 2024-10-16 13:44:01 -04:00
Jason Ertel
15c32f9103 connect routes 2024-10-16 12:33:14 -04:00
Jason Ertel
12168531a1 avoid double SSO clicks on initial OIDC login 2024-10-16 12:33:03 -04:00
coreyogburn
a3933bdc79 Merge pull request #13826 from Security-Onion-Solutions/cogburn/ai-switch-flip 
Changes to allow reviews to start showing
 2024-10-15 16:03:18 -06:00
Josh Patterson
ebd21f3f53 Merge pull request #13825 from Security-Onion-Solutions/issue/13808 
Issue/13808
 2024-10-15 17:18:56 -04:00
m0duspwnens
ce6c7c3b91 Merge remote-tracking branch 'origin/2.4/dev' into issue/13808 2024-10-15 13:14:18 -04:00
m0duspwnens
c2e46932ee fix array def 2024-10-15 12:01:53 -04:00
m0duspwnens
c46fb7e74c check if service is running before trying to start it 2024-10-15 11:46:09 -04:00
m0duspwnens
ac6637c6ab set vars global 2024-10-15 09:56:50 -04:00
m0duspwnens
cc19b60146 restore services/top at start of soup 2024-10-15 09:32:14 -04:00
Corey Ogburn
d2bd9c0e26 Changes to allow reviews to start showing 2024-10-10 09:48:59 -06:00
Jason Ertel
7a1edb3833 Merge pull request #13798 from Security-Onion-Solutions/jertel/hfm2 
main to dev
 2024-10-10 11:33:39 -04:00
Jason Ertel
ec7fa5e24a clear hotfix file 2024-10-10 11:24:10 -04:00
Jason Ertel
295353e804 Merge branch '2.4/main' into jertel/hfm2 2024-10-10 11:23:43 -04:00
Doug Burks
2381260a55 Merge pull request #13783 from Security-Onion-Solutions/dougburks-patch-1 
Add 2.4.120 for next release
 2024-10-07 16:06:39 -04:00
Doug Burks
ba4fbb9953 Update 2-4.yml 2024-10-07 16:05:45 -04:00
Mike Reeves
7b006fb721 Merge pull request #13780 from Security-Onion-Solutions/TOoSmOotH-patch-1 
Update VERSION
 2024-10-07 15:34:25 -04:00
Mike Reeves
f42d82e8df Update VERSION 2024-10-07 15:30:49 -04:00
Mike Reeves
38619ae023 Merge branch '2.4/dev' of github.com:Security-Onion-Solutions/securityonion into 2.4/dev 2024-09-09 18:31:58 -04:00
Mike Reeves
306bd8faaa Merge branch '2.4/dev' of github.com:Security-Onion-Solutions/securityonion into 2.4/dev 2024-08-29 12:39:41 -04:00
Mike Reeves
e664f2df28 Merge branch '2.4/dev' of github.com:Security-Onion-Solutions/securityonion into 2.4/dev 2024-08-15 15:35:20 -04:00
Mike Reeves
72146d9566 Merge branch '2.4/dev' of github.com:Security-Onion-Solutions/securityonion into 2.4/dev 2024-06-27 10:42:07 -04:00
Mike Reeves
9af3e364aa Merge branch '2.4/main' of github.com:Security-Onion-Solutions/securityonion into 2.4/dev 2024-06-25 08:23:10 -04:00
Mike Reeves
229cb1e9ef Merge branch '2.4/main' of github.com:Security-Onion-Solutions/securityonion into 2.4/main 2024-06-21 14:06:51 -04:00
Mike Reeves
21f78a039a Merge branch '2.4/main' of github.com:Security-Onion-Solutions/securityonion into 2.4/main 2024-04-02 08:47:08 -04:00
Mike Reeves
6069c586d3 Merge branch '2.4/main' of github.com:Security-Onion-Solutions/securityonion into 2.4/main 2024-01-24 16:07:31 -05:00
Mike Reeves
3bdc0340b8 Merge branch 'hotfix/2.4.30' into 2.4/main 2023-12-19 13:21:33 -05:00
121 changed files with 5983 additions and 531600 deletions
Expand all files Collapse all files

2
.github/DISCUSSION_TEMPLATE/2-4.yml vendored
View File

@@ -22,6 +22,8 @@ body:
- 2.4.90
- 2.4.100
- 2.4.110
- 2.4.111
- 2.4.120
- Other (please provide detail below)
validations:
required: true

2
.github/workflows/contrib.yml vendored
View File

@@ -18,7 +18,7 @@ jobs:
with:
path-to-signatures: 'signatures_v1.json'
path-to-document: 'https://securityonionsolutions.com/cla'
allowlist: dependabot[bot],jertel,dougburks,TOoSmOotH,weslambert,defensivedepth,m0duspwnens
allowlist: dependabot[bot],jertel,dougburks,TOoSmOotH,defensivedepth,m0duspwnens
remote-organization-name: Security-Onion-Solutions
remote-repository-name: licensing

22
DOWNLOAD_AND_VERIFY_ISO.md
View File

@@ -1,17 +1,17 @@
### 2.4.110-20241010 ISO image released on 2024/10/10
### 2.4.120-20250212 ISO image released on 2025/02/12
### Download and Verify
2.4.110-20241010 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.110-20241010.iso
2.4.120-20250212 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.120-20250212.iso
MD5: A8003DEBC4510D538F06238D9DBB86C0
SHA1: 441DE90A192C8FE8BEBAB9ACE1A3CC18F71A2B1F
SHA256: B087A0D12FC2CA3CCD02BD52E52421F4F60DC09BF826337A057E05A04D114CCE
MD5: 3FF09F50AB1C9318CF0862DE9816102D
SHA1: 197AFA5A85C5CF95D0289FCD21BED7615FB8DB5C
SHA256: A59D94B09EEB39D8C2B6D0808792EC479B13D96FA7B32C3BEEFB6709C93F6692
Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.110-20241010.iso.sig
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.120-20250212.iso.sig
Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
Download the signature file for the ISO:
```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.110-20241010.iso.sig
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.120-20250212.iso.sig
```
Download the ISO image:
```
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.110-20241010.iso
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.120-20250212.iso
```
Verify the downloaded ISO image using the signature file:
```
gpg --verify securityonion-2.4.110-20241010.iso.sig securityonion-2.4.110-20241010.iso
gpg --verify securityonion-2.4.120-20250212.iso.sig securityonion-2.4.120-20250212.iso
```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
```
gpg: Signature made Thu 10 Oct 2024 07:05:30 AM EDT using RSA key ID FE507013
gpg: Signature made Tue 11 Feb 2025 05:26:33 PM EST using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

1
HOTFIX
View File

@@ -1 +0,0 @@
20241010

2
VERSION
View File

@@ -1 +1 @@
2.4.110
2.4.120

16
pillar/top.sls
View File

@@ -16,6 +16,8 @@ base:
- sensoroni.adv_sensoroni
- telegraf.soc_telegraf
- telegraf.adv_telegraf
- versionlock.soc_versionlock
- versionlock.adv_versionlock
'* and not *_desktop':
- firewall.soc_firewall
@@ -47,6 +49,8 @@ base:
- kibana.adv_kibana
- kratos.soc_kratos
- kratos.adv_kratos
- hydra.soc_hydra
- hydra.adv_hydra
- redis.nodes
- redis.soc_redis
- redis.adv_redis
@@ -96,6 +100,7 @@ base:
- kibana.secrets
{% endif %}
- kratos.soc_kratos
- kratos.adv_kratos
- elasticsearch.soc_elasticsearch
- elasticsearch.adv_elasticsearch
- elasticfleet.soc_elasticfleet
@@ -113,8 +118,8 @@ base:
- kibana.adv_kibana
- strelka.soc_strelka
- strelka.adv_strelka
- kratos.soc_kratos
- kratos.adv_kratos
- hydra.soc_hydra
- hydra.adv_hydra
- redis.soc_redis
- redis.adv_redis
- influxdb.soc_influxdb
@@ -149,6 +154,8 @@ base:
- idstools.adv_idstools
- kratos.soc_kratos
- kratos.adv_kratos
- hydra.soc_hydra
- hydra.adv_hydra
- redis.nodes
- redis.soc_redis
- redis.adv_redis
@@ -262,6 +269,7 @@ base:
- kibana.secrets
{% endif %}
- kratos.soc_kratos
- kratos.adv_kratos
- elasticsearch.soc_elasticsearch
- elasticsearch.adv_elasticsearch
- elasticfleet.soc_elasticfleet
@@ -277,8 +285,8 @@ base:
- kibana.adv_kibana
- backup.soc_backup
- backup.adv_backup
- kratos.soc_kratos
- kratos.adv_kratos
- hydra.soc_hydra
- hydra.adv_hydra
- redis.soc_redis
- redis.adv_redis
- influxdb.soc_influxdb

5
salt/allowed_states.map.jinja
View File

@@ -24,6 +24,7 @@
'influxdb',
'soc',
'kratos',
'hydra',
'elasticfleet',
'elastic-fleet-package-registry',
'firewall',
@@ -68,6 +69,7 @@
'strelka.manager',
'soc',
'kratos',
'hydra',
'influxdb',
'telegraf',
'firewall',
@@ -95,6 +97,7 @@
'strelka.manager',
'soc',
'kratos',
'hydra',
'elasticfleet',
'elastic-fleet-package-registry',
'firewall',
@@ -117,6 +120,7 @@
'strelka.manager',
'soc',
'kratos',
'hydra',
'elastic-fleet-package-registry',
'elasticfleet',
'firewall',
@@ -151,6 +155,7 @@
'influxdb',
'soc',
'kratos',
'hydra',
'elastic-fleet-package-registry',
'elasticfleet',
'firewall',

1
salt/backup/defaults.yaml
View File

@@ -4,4 +4,5 @@ backup:
- /etc/pki
- /etc/salt
- /nsm/kratos
- /nsm/hydra
destination: "/nsm/backup"

1
salt/common/init.sls
View File

@@ -182,6 +182,7 @@ sostatus_log:
file.managed:
- name: /opt/so/log/sostatus/status.log
- mode: 644
- replace: False
# Install sostatus check cron. This is used to populate Grid.
so-status_check_cron:

12
salt/common/soup_scripts.sls
View File

@@ -11,6 +11,7 @@
{% else %}
{% set UPDATE_DIR='/tmp/sogh/securityonion' %}
{% endif %}
{% set SOVERSION = salt['file.read']('/etc/soversion').strip() %}
remove_common_soup:
file.absent:
@@ -107,6 +108,17 @@ copy_so-repo-sync_sbin:
- force: True
- preserve: True
{# this is added in 2.4.120 to remove salt repo files pointing to saltproject.io to accomodate the move to broadcom and new bootstrap-salt script #}
{% if salt['pkg.version_cmp'](SOVERSION, '2.4.120') == -1 %}
{% set saltrepofile = '/etc/yum.repos.d/salt.repo' %}
{% if grains.os_family == 'Debian' %}
{% set saltrepofile = '/etc/apt/sources.list.d/salt.list' %}
{% endif %}
remove_saltproject_io_repo_manager:
file.absent:
- name: {{ saltrepofile }}
{% endif %}
{% else %}
fix_23_soup_sbin:
cmd.run:

2
salt/common/tools/sbin/so-image-common
View File

@@ -29,6 +29,7 @@ container_list() {
"so-influxdb"
"so-kibana"
"so-kratos"
"so-hydra"
"so-nginx"
"so-pcaptools"
"so-soc"
@@ -53,6 +54,7 @@ container_list() {
"so-kafka"
"so-kibana"
"so-kratos"
"so-hydra"
"so-logstash"
"so-nginx"
"so-pcaptools"

6
salt/common/tools/sbin/so-log-check
View File

@@ -125,6 +125,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tls handshake error" # Docker registry container when new node comes onlines
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to get license information" # Logstash trying to contact ES before it's ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process already finished" # Telegraf script finished just as the auto kill timeout kicked in
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|No shard available" # Typical error when making a query before ES has finished loading all indices
fi
if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
@@ -150,6 +151,7 @@ if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|app_layer.error" # false positive (suricata 7) in stats.log e.g. app_layer.error.imap.parser | Total | 0
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|is not an ip string literal" # false positive (Open Canary logging out blank IP addresses)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|syncing rule" # false positive (rule sync log line includes rule name which can contain 'error')
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|request_unauthorized" # false positive (login failures to Hydra result in an 'error' log)
fi
if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
@@ -210,6 +212,7 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|integrity check failed" # Detections: Exclude false positive due to automated testing
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|syncErrors" # Detections: Not an actual error
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Initialized license manager" # SOC log: before fields.status was changed to fields.licenseStatus
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|from NIC checksum offloading" # zeek reporter.log
fi
RESULT=0
@@ -248,6 +251,9 @@ exclude_log "agentstatus.log" # ignore this log since it tracks agents in error
exclude_log "detections_runtime-status_yara.log" # temporarily ignore this log until Detections is more stable
exclude_log "/nsm/kafka/data/" # ignore Kafka data directory from log check.
# Include Zeek reporter.log to detect errors after running known good pcap(s) through sensor
echo "/nsm/zeek/spool/logger/reporter.log" >> /tmp/log_check_files
for log_file in $(cat /tmp/log_check_files); do
status "Checking log file $log_file"
tail -n $RECENT_LOG_LINES $log_file > /tmp/log_check

9
salt/docker/defaults.yaml
View File

@@ -51,6 +51,14 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
'so-hydra':
final_octet: 30
port_bindings:
- 0.0.0.0:4444:4444
- 0.0.0.0:4445:4445
custom_bind_mounts: []
extra_hosts: []
extra_env: []
'so-logstash':
final_octet: 29
port_bindings:
@@ -74,6 +82,7 @@ docker:
- 443:443
- 8443:8443
- 7788:7788
- 7789:7789
custom_bind_mounts: []
extra_hosts: []
extra_env: []

1
salt/docker/soc_docker.yaml
View File

@@ -45,6 +45,7 @@ docker:
so-influxdb: *dockerOptions
so-kibana: *dockerOptions
so-kratos: *dockerOptions
so-hydra: *dockerOptions
so-logstash: *dockerOptions
so-nginx: *dockerOptions
so-nginx-fleet-node: *dockerOptions

17
salt/elasticfleet/config.sls
View File

@@ -63,6 +63,14 @@ eastatedir:
- group: 939
- makedirs: True
custommappingsdir:
file.directory:
- name: /nsm/custom-mappings
- user: 947
- group: 939
- makedirs: True
eapackageupgrade:
file.managed:
- name: /usr/sbin/so-elastic-fleet-package-upgrade
@@ -73,14 +81,7 @@ eapackageupgrade:
- template: jinja
{% if GLOBALS.role != "so-fleet" %}
soresourcesrepoconfig:
git.config_set:
- name: safe.directory
- value: /nsm/securityonion-resources
- global: True
- user: socore
{% if not GLOBALS.airgap %}
soresourcesrepoclone:
git.latest:

6
salt/elasticfleet/defaults.yaml
View File

@@ -48,10 +48,12 @@ elasticfleet:
- cisco_ios
- cisco_ise
- cisco_meraki
- cisco_secure_email_gateway
- cisco_umbrella
- citrix_adc
- citrix_waf
- cloudflare
- cloudflare_logpush
- crowdstrike
- darktrace
- elastic_agent
@@ -107,9 +109,13 @@ elasticfleet:
- ti_anomali
- ti_cybersixgill
- ti_misp
- ti_opencti
- ti_otx
- ti_rapid7_threat_command
- ti_recordedfuture
- ti_threatq
- trendmicro
- trend_micro_vision_one
- udp
- vsphere
- windows

4
salt/elasticfleet/enabled.sls
View File

@@ -143,7 +143,9 @@ so-elastic-fleet-integrations:
so-elastic-agent-grid-upgrade:
cmd.run:
- name: /usr/sbin/so-elastic-agent-grid-upgrade
- retry: True
- retry:
attempts: 12
interval: 5
so-elastic-fleet-integration-upgrade:
cmd.run:

30
salt/elasticfleet/files/integrations/grid-nodes_general/hydra-logs.json Normal file
View File

@@ -0,0 +1,30 @@
{
"package": {
"name": "log",
"version": ""
},
"name": "hydra-logs",
"namespace": "so",
"description": "Hydra logs",
"policy_id": "so-grid-nodes_general",
"inputs": {
"logs-logfile": {
"enabled": true,
"streams": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [
"/opt/so/log/hydra/hydra.log"
],
"data_stream.dataset": "hydra",
"tags": ["so-hydra"],
"processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: iam\n module: hydra",
"custom": "pipeline: hydra"
}
}
}
}
},
"force": true
}

35
salt/elasticfleet/files/integrations/grid-nodes_general/so-ip-mappings.json Normal file
View File

@@ -0,0 +1,35 @@
{
"package": {
"name": "log",
"version": ""
},
"name": "so-ip-mappings",
"namespace": "so",
"description": "IP Description mappings",
"policy_id": "so-grid-nodes_general",
"vars": {},
"inputs": {
"logs-logfile": {
"enabled": true,
"streams": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [
"/nsm/custom-mappings/ip-descriptions.csv"
],
"data_stream.dataset": "hostnamemappings",
"tags": [
"so-ip-mappings"
],
"processors": "- decode_csv_fields:\n fields:\n message: decoded.csv\n separator: \",\"\n ignore_missing: false\n overwrite_keys: true\n trim_leading_space: true\n fail_on_error: true\n\n- extract_array:\n field: decoded.csv\n mappings:\n so.ip_address: '0'\n so.description: '1'\n\n- script:\n lang: javascript\n source: >\n function process(event) {\n var ip = event.Get('so.ip_address');\n var validIpRegex = /^((25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)$/\n if (!validIpRegex.test(ip)) {\n event.Cancel();\n }\n }\n- fingerprint:\n fields: [\"so.ip_address\"]\n target_field: \"@metadata._id\"\n",
"custom": ""
}
}
}
}
},
"force": true
}

7
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
View File

@@ -76,5 +76,12 @@ do
printf "\n### $GOOS/$GOARCH Installer Generated...\n"
done
printf "\n\n### Generating MSI...\n"
cp /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/so-elastic-agent_windows_amd64 /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/so-elastic-agent_windows_amd64.exe
docker run \
--mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ -w /output \
{{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} wixl -o so-elastic-agent_windows_amd64_msi --arch x64 /workspace/so-elastic-agent.wxs
printf "\n### MSI Generated...\n"
printf "\n### Cleaning up temp files in /nsm/elastic-agent-workspace\n"
rm -rf /nsm/elastic-agent-workspace

1523
salt/elasticsearch/defaults.yaml
View File

File diff suppressed because it is too large Load Diff

2
salt/elasticsearch/enabled.sls
View File

@@ -38,7 +38,7 @@ so-elasticsearch:
{% endfor %}
{% endif %}
- environment:
{% if ELASTICSEARCH_SEED_HOSTS | length == 1 or GLOBALS.role == 'so-heavynode' %}
{% if (GLOBALS.role in GLOBALS.manager_roles and ELASTICSEARCH_SEED_HOSTS | length == 1) or GLOBALS.role == 'so-heavynode' %}
- discovery.type=single-node
{% endif %}
- ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true

6
salt/elasticsearch/files/ingest/global@custom
View File

@@ -10,13 +10,13 @@
{ "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } },
{ "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } },
{ "gsub": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } },
{ "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}" } },
{ "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}", "allow_duplicates": false } },
{ "set": { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } },
{ "set": { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } },
{ "set": { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } },
{ "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } },
{ "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.dataset", "value": "import" } },
{ "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.namespace", "value": "so" } },
{ "set": { "if": "ctx.tags != null && ctx.tags.contains('import')", "override": true, "field": "data_stream.dataset", "value": "import" } },
{ "set": { "if": "ctx.tags != null && ctx.tags.contains('import')", "override": true, "field": "data_stream.namespace", "value": "so" } },
{ "date": { "if": "ctx.event?.module == 'system'", "field": "event.created", "target_field": "@timestamp","ignore_failure": true, "formats": ["yyyy-MM-dd'T'HH:mm:ss.SSSX","yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'"] } },
{ "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } },
{ "set": { "if": "ctx.event?.module == 'fim'", "override": true, "field": "event.module", "value": "file_integrity" } },

9
salt/elasticsearch/files/ingest/hydra Normal file
View File

@@ -0,0 +1,9 @@
{
"description" : "hydra",
"processors" : [
{"set":{"field":"audience","value":"access","override":false,"ignore_failure":true}},
{"set":{"field":"event.dataset","ignore_empty_value":true,"ignore_failure":true,"value":"hydra.{{{audience}}}","media_type":"text/plain"}},
{"set":{"field":"event.action","ignore_failure":true,"copy_from":"msg" }},
{ "pipeline": { "name": "common" } }
]
}

2
salt/elasticsearch/files/ingest/suricata.alert
View File

@@ -1,7 +1,7 @@
{
"description" : "suricata.alert",
"processors" : [
{ "set": { "field": "_index", "value": "logs-suricata.alerts-so" } },
{ "set": { "if": "ctx.event?.imported != true", "field": "_index", "value": "logs-suricata.alerts-so" } },
{ "set": { "field": "tags","value": "alert" }},
{ "rename":{ "field": "message2.alert", "target_field": "rule", "ignore_failure": true } },
{ "rename":{ "field": "rule.signature", "target_field": "rule.name", "ignore_failure": true } },

1
salt/elasticsearch/files/ingest/zeek.common
View File

@@ -18,6 +18,7 @@
{ "set": { "if": "ctx.destination?.ip != null", "field": "server.ip", "value": "{{destination.ip}}" } },
{ "set": { "if": "ctx.destination?.port != null", "field": "server.port", "value": "{{destination.port}}" } },
{ "set": { "field": "observer.name", "value": "{{agent.name}}" } },
{ "append": { "if": "ctx.network?.protocol != null && ctx.network?.protocol.contains(\"openvpn\")","field": "tags","value": ["{{network.protocol}}"],"allow_duplicates": false,"ignore_failure": true}},
{ "date": { "field": "message2.ts", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "ignore_failure": true } },
{ "remove": { "field": ["agent"], "ignore_failure": true } },
{ "pipeline": { "name": "common" } }

2
salt/elasticsearch/files/ingest/zeek.conn
View File

@@ -38,6 +38,8 @@
{ "set": { "if": "ctx.connection?.state == 'SH'", "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
{ "set": { "if": "ctx.connection?.state == 'SHR'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
{ "set": { "if": "ctx.connection?.state == 'OTH'", "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
{ "set": { "if": "ctx.network?.protocol != null && ctx.network?.protocol.contains(\"ipsec\")", "field": "network.protocol", "value": "ipsec"}},
{ "set": { "if": "ctx.network?.protocol != null && ctx.network?.protocol.contains(\"openvpn\")", "field": "network.protocol", "value": "openvpn"}},
{ "pipeline": { "name": "zeek.common" } }
]
}

37
salt/elasticsearch/files/ingest/zeek.http2 Normal file
View File

@@ -0,0 +1,37 @@
{
"description" : "zeek.http2",
"processors" : [
{ "set": { "field": "event.dataset", "value": "http2" } },
{ "set": { "field": "network.transport", "value": "tcp" } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.trans_depth", "target_field": "http.trans_depth", "ignore_missing": true } },
{ "rename": { "field": "message2.method", "target_field": "http.method", "ignore_missing": true } },
{ "rename": { "field": "message2.host", "target_field": "http.virtual_host", "ignore_missing": true } },
{ "rename": { "field": "message2.uri", "target_field": "http.uri", "ignore_missing": true } },
{ "rename": { "field": "message2.referrer", "target_field": "http.referrer", "ignore_missing": true } },
{ "rename": { "field": "message2.version", "target_field": "http.version", "ignore_missing": true } },
{ "rename": { "field": "message2.user_agent", "target_field": "http.useragent", "ignore_missing": true } },
{ "rename": { "field": "message2.request_body_len", "target_field": "http.request.body.length", "ignore_missing": true } },
{ "rename": { "field": "message2.response_body_len", "target_field": "http.response.body.length", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code", "target_field": "http.status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.status_msg", "target_field": "http.status_message", "ignore_missing": true } },
{ "rename": { "field": "message2.info_code", "target_field": "http.info_code", "ignore_missing": true } },
{ "rename": { "field": "message2.info_msg", "target_field": "http.info_message", "ignore_missing": true } },
{ "rename": { "field": "message2.username", "target_field": "http.user", "ignore_missing": true } },
{ "rename": { "field": "message2.password", "target_field": "http.password", "ignore_missing": true } },
{ "rename": { "field": "message2.proxied", "target_field": "http.proxied", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_fuids", "target_field": "log.id.orig_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_filenames", "target_field": "file.orig_filenames", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_mime_types", "target_field": "file.orig_mime_types", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_fuids", "target_field": "log.id.resp_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_filenames", "target_field": "file.resp_filenames", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_mime_types", "target_field": "file.resp_mime_types", "ignore_missing": true } },
{ "rename": { "field": "message2.stream_id", "target_field": "http2.stream_id", "ignore_missing": true } },
{ "remove": { "field": "message2.tags", "ignore_failure": true } },
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "script": { "lang": "painless", "source": "ctx.uri_length = ctx.uri.length()", "ignore_failure": true } },
{ "script": { "lang": "painless", "source": "ctx.useragent_length = ctx.useragent.length()", "ignore_failure": true } },
{ "script": { "lang": "painless", "source": "ctx.virtual_host_length = ctx.virtual_host.length()", "ignore_failure": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

38
salt/elasticsearch/files/ingest/zeek.ipsec Normal file
View File

@@ -0,0 +1,38 @@
{
"description": "zeek.ipsec",
"processors": [
{"set": { "field": "event.dataset","value": "ipsec"}},
{"json": { "field": "message","target_field": "message2","ignore_failure": true}},
{"rename": {"field": "message2.initiator_spi","target_field": "ipsec.initiator_spi","ignore_missing": true}},
{"rename": {"field": "message2.responder_spi","target_field": "ipsec.responder_spi","ignore_missing": true}},
{"rename": {"field": "message2.maj_ver","target_field": "ipsec.maj_version","ignore_missing": true}},
{"rename": {"field": "message2.min_ver","target_field": "ipsec.min_version","ignore_missing": true}},
{"set": {"ignore_failure": true,"field": "ipsec.version","value": "{{ipsec.maj_version}}.{{ipsec.min_version}}"}},
{"rename": {"field": "message2.exchange_type","target_field": "ipsec.exchange_type","ignore_missing": true}},
{"rename": {"field": "message2.flag_e","target_field": "ipsec.flag_e","ignore_missing": true}},
{"rename": {"field": "message2.flag_c","target_field": "ipsec.flag_c","ignore_missing": true}},
{"rename": {"field": "message2.flag_a","target_field": "ipsec.flag_a","ignore_missing": true}},
{"rename": {"field": "message2.flag_i","target_field": "ipsec.flag_i","ignore_missing": true}},
{"rename": {"field": "message2.flag_v","target_field": "ipsec.flag_v","ignore_missing": true}},
{"rename": {"field": "message2.flag_r","target_field": "ipsec.flag_r","ignore_missing": true}},
{"rename": {"field": "message2.message_id","target_field": "ipsec.message_id","ignore_missing": true}},
{"rename": {"field": "message2.vendor_ids","target_field": "ipsec.vendor_ids","ignore_missing": true}},
{"rename": {"field": "message2.notify_messages","target_field": "ipsec.notify_messages","ignore_missing": true}},
{"rename": {"field": "message2.transforms","target_field": "ipsec.transforms","ignore_missing": true}},
{"rename": {"field": "message2.ke_dh_groups","target_field": "ipsec.ke_dh_groups","ignore_missing": true}},
{"rename": {"field": "message2.proposals","target_field": "ipsec.proposals","ignore_missing": true}},
{"rename": {"field": "message2.certificates","target_field": "ipsec.certificates","ignore_missing": true}},
{"rename": {"field": "message2.transform_attributes","target_field": "ipsec.transform_attributes","ignore_missing": true}},
{"rename": {"field": "message2.length","target_field": "ipsec.length","ignore_missing": true}},
{"rename": {"field": "message2.hash","target_field": "ipsec.hash","ignore_missing": true}},
{"rename": {"field": "message2.doi","target_field": "ipsec.doi","ignore_missing": true}},
{"rename": {"field": "message2.situation","target_field": "ipsec.situation","ignore_missing": true}},
{"script": {
"lang": "painless",
"description": "Remove ipsec fields with empty arrays",
"source": "if (ctx.containsKey('ipsec') && ctx.ipsec instanceof Map) {\n for (String field : ['certificates', 'ke_dh_groups', 'notify_messages', 'proposals', 'transforms', 'transform_attributes', 'vendor_ids']) {\n if (ctx.ipsec[field] instanceof List && ctx.ipsec[field].isEmpty()) {\n ctx.ipsec.remove(field);\n }\n }\n }",
"ignore_failure": true
}},
{"pipeline": {"name": "zeek.common"}}
]
}

25
salt/elasticsearch/files/ingest/zeek.ldap Normal file
View File

@@ -0,0 +1,25 @@
{
"description": "zeek.ldap",
"processors": [
{"set": {"field": "event.dataset", "value": "ldap"}},
{"json": {"field": "message", "target_field": "message2", "ignore_failure": true}},
{"rename": {"field": "message2.message_id", "target_field": "ldap.message_id", "ignore_missing": true}},
{"rename": {"field": "message2.opcode", "target_field": "ldap.opcode", "ignore_missing": true}},
{"rename": {"field": "message2.result", "target_field": "ldap.result", "ignore_missing": true}},
{"rename": {"field": "message2.diagnostic_message", "target_field": "ldap.diagnostic_message", "ignore_missing": true}},
{"rename": {"field": "message2.version", "target_field": "ldap.version", "ignore_missing": true}},
{"rename": {"field": "message2.object", "target_field": "ldap.object", "ignore_missing": true}},
{"rename": {"field": "message2.argument", "target_field": "ldap.argument", "ignore_missing": true}},
{"rename": {"field": "message2.scope", "target_field": "ldap_search.scope", "ignore_missing":true}},
{"rename": {"field": "message2.deref_aliases", "target_field": "ldap_search.deref_aliases", "ignore_missing":true}},
{"rename": {"field": "message2.base_object", "target_field": "ldap.object", "ignore_missing":true}},
{"rename": {"field": "message2.result_count", "target_field": "ldap_search.result_count", "ignore_missing":true}},
{"rename": {"field": "message2.filter", "target_field": "ldap_search.filter", "ignore_missing":true}},
{"rename": {"field": "message2.attributes", "target_field": "ldap_search.attributes", "ignore_missing":true}},
{"script": {"source": "if (ctx.containsKey('ldap') && ctx.ldap.containsKey('diagnostic_message') && ctx.ldap.diagnostic_message != null) {\n String message = ctx.ldap.diagnostic_message;\n\n // get user and property from SASL success\n if (message.toLowerCase().contains(\"sasl(0): successful result\")) {\n Pattern pattern = /user:\\s*([^ ]+)\\s*property:\\s*([^ ]+)/i;\n Matcher matcher = pattern.matcher(message);\n if (matcher.find()) {\n ctx.ldap.user_email = matcher.group(1); // Extract user email\n ctx.ldap.property = matcher.group(2); // Extract property\n }\n }\n if (message.toLowerCase().contains(\"ldaperr:\")) {\n Pattern pattern = /comment:\\s*([^,]+)/i;\n Matcher matcher = pattern.matcher(message);\n\n if (matcher.find()) {\n ctx.ldap.comment = matcher.group(1);\n }\n }\n }","ignore_failure": true}},
{"script": {"source": "if (ctx.containsKey('ldap') && ctx.ldap.containsKey('object') && ctx.ldap.object != null) {\n String message = ctx.ldap.object;\n\n // parse common name from ldap object\n if (message.toLowerCase().contains(\"cn=\")) {\n Pattern pattern = /cn=([^,]+)/i;\n Matcher matcher = pattern.matcher(message);\n if (matcher.find()) {\n ctx.ldap.common_name = matcher.group(1); // Extract CN\n }\n }\n // build domain from ldap object\n if (message.toLowerCase().contains(\"dc=\")) {\n Pattern dcPattern = /dc=([^,]+)/i;\n Matcher dcMatcher = dcPattern.matcher(message);\n\n StringBuilder domainBuilder = new StringBuilder();\n while (dcMatcher.find()) {\n if (domainBuilder.length() > 0 ){\n domainBuilder.append(\".\");\n }\n domainBuilder.append(dcMatcher.group(1));\n }\n if (domainBuilder.length() > 0) {\n ctx.ldap.domain = domainBuilder.toString();\n }\n }\n // create list of any organizational units from ldap object\n if (message.toLowerCase().contains(\"ou=\")) {\n Pattern ouPattern = /ou=([^,]+)/i;\n Matcher ouMatcher = ouPattern.matcher(message);\n ctx.ldap.organizational_unit = [];\n\n while (ouMatcher.find()) {\n ctx.ldap.organizational_unit.add(ouMatcher.group(1));\n }\n if(ctx.ldap.organizational_unit.isEmpty()) {\n ctx.remove(\"ldap.organizational_unit\");\n }\n }\n}\n","ignore_failure": true}},
{"remove": {"field": "message2.tags","ignore_failure": true}},
{"remove": {"field": ["host"],"ignore_failure": true}},
{"pipeline": {"name": "zeek.common"}}
]
}

9
salt/elasticsearch/files/ingest/zeek.ldap_search Normal file
View File

@@ -0,0 +1,9 @@
{
"description":"zeek.ldap_search",
"processors":[
{"pipeline": {"name": "zeek.ldap", "ignore_missing_pipeline":true,"ignore_failure":true}},
{"set": {"field": "event.dataset", "value":"ldap_search"}},
{"remove": {"field": "tags", "ignore_missing":true}},
{"pipeline": {"name": "zeek.common"}}
]
}

18
salt/elasticsearch/files/ingest/zeek.quic Normal file
View File

@@ -0,0 +1,18 @@
{
"description" : "zeek.quic",
"processors" : [
{ "set": { "field": "event.dataset", "value": "quic" } },
{ "set": { "field": "network.transport", "value": "udp" } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version", "target_field": "quic.version", "ignore_missing": true } },
{ "rename": { "field": "message2.client_initial_dcid", "target_field": "quic.client_initial_dcid", "ignore_missing": true } },
{ "rename": { "field": "message2.client_scid", "target_field": "quic.client_scid", "ignore_missing": true } },
{ "rename": { "field": "message2.server_scid", "target_field": "quic.server_scid", "ignore_missing": true } },
{ "rename": { "field": "message2.server_name", "target_field": "quic.server_name", "ignore_missing": true } },
{ "rename": { "field": "message2.client_protocol", "target_field": "quic.client_protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.history", "target_field": "quic.history", "ignore_missing": true } },
{ "remove": { "field": "message2.tags", "ignore_failure": true } },
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

2
salt/elasticsearch/files/ingest/zeek.software
View File

@@ -11,7 +11,7 @@
{ "dot_expander": { "field": "version.minor2", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version.minor2", "target_field": "software.version.minor2", "ignore_missing": true } },
{ "dot_expander": { "field": "version.minor3", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version.minor3", "target_field": "version.minor3", "ignore_missing": true } },
{ "rename": { "field": "message2.version.minor3", "target_field": "software.version.minor3", "ignore_missing": true } },
{ "dot_expander": { "field": "version.addl", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version.addl", "target_field": "software.version.additional_info", "ignore_missing": true } },
{ "rename": { "field": "message2.host", "target_field": "source.ip", "ignore_missing": true } },

8
salt/elasticsearch/soc_elasticsearch.yaml
View File

@@ -396,8 +396,10 @@ elasticsearch:
so-logs-citrix_waf_x_log: *indexSettings
so-logs-cloudflare_x_audit: *indexSettings
so-logs-cloudflare_x_logpull: *indexSettings
so-logs-crowdstrike_x_alert: *indexSettings
so-logs-crowdstrike_x_falcon: *indexSettings
so-logs-crowdstrike_x_fdr: *indexSettings
so-logs-crowdstrike_x_host: *indexSettings
so-logs-darktrace_x_ai_analyst_alert: *indexSettings
so-logs-darktrace_x_model_breach_alert: *indexSettings
so-logs-darktrace_x_system_status_alert: *indexSettings
@@ -489,11 +491,16 @@ elasticsearch:
so-logs-ti_cybersixgill_x_threat: *indexSettings
so-logs-ti_misp_x_threat: *indexSettings
so-logs-ti_misp_x_threat_attributes: *indexSettings
so-logs-ti_opencti_x_indicator: *indexSettings
so-logs-ti_otx_x_pulses_subscribed: *indexSettings
so-logs-ti_otx_x_threat: *indexSettings
so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings
so-logs-ti_recordedfuture_x_threat: *indexSettings
so-logs-ti_threatq_x_threat: *indexSettings
so-logs-trend_micro_vision_one_x_alert: *indexSettings
so-logs-trend_micro_vision_one_x_audit: *indexSettings
so-logs-trend_micro_vision_one_x_detection: *indexSettings
so-logs-trendmicro_x_deep_security: *indexSettings
so-logs-zscaler_zia_x_alerts: *indexSettings
so-logs-zscaler_zia_x_dns: *indexSettings
so-logs-zscaler_zia_x_firewall: *indexSettings
@@ -539,6 +546,7 @@ elasticsearch:
so-suricata_x_alerts: *indexSettings
so-import: *indexSettings
so-kratos: *indexSettings
so-hydra: *indexSettings
so-kismet: *indexSettings
so-logstash: *indexSettings
so-redis: *indexSettings

190
salt/elasticsearch/templates/component/ecs/zeek.json
View File

@@ -603,6 +603,89 @@
}
}
},
"ipsec": {
"properties": {
"certificates": {
"ignore_above": 1024,
"type": "keyword"
},
"exchange_type": {
"type": "short"
},
"flag_a": {
"type": "boolean"
},
"flag_c": {
"type": "boolean"
},
"flag_e": {
"type": "boolean"
},
"flag_i": {
"type": "boolean"
},
"flag_r": {
"type": "boolean"
},
"flag_v": {
"type": "boolean"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"initiator_spi": {
"ignore_above": 1024,
"type": "keyword"
},
"ke_dh_groups": {
"type": "short"
},
"length": {
"type": "long"
},
"maj_version": {
"type": "short"
},
"message_id": {
"type": "long"
},
"min_version": {
"type": "short"
},
"notify_messages": {
"ignore_above": 1024,
"type": "keyword"
},
"proposals": {
"type": "long"
},
"responder_spi": {
"ignore_above": 1024,
"type": "keyword"
},
"situation": {
"ignore_above": 1024,
"type": "keyword"
},
"transform_attributes": {
"ignore_above": 1024,
"type": "keyword"
},
"transforms": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor_ids": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"irc": {
"properties": {
"addl": {
@@ -751,6 +834,81 @@
}
}
},
"ldap": {
"type": "object",
"properties": {
"message_id": {
"type": "short"
},
"opcode": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
},
"diagnostic_message": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "short"
},
"object": {
"ignore_above": 1024,
"type": "keyword"
},
"argument": {
"ignore_above": 1024,
"type": "keyword"
},
"user_email": {
"ignore_above": 1024,
"type": "keyword"
},
"property": {
"ignore_above": 1024,
"type": "keyword"
},
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ldap_search": {
"type": "object",
"properties": {
"scope": {
"ignore_above": 1024,
"type": "keyword"
},
"deref_aliases": {
"ignore_above": 1024,
"type": "keyword"
},
"result_count": {
"type": "long"
},
"filter": {
"ignore_above": 1024,
"type": "keyword"
},
"attributes": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"modbus": {
"properties": {
"exception": {
@@ -1089,6 +1247,38 @@
}
}
},
"quic": {
"type": "object",
"properties": {
"server_name": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "short"
},
"client_initial_dcid": {
"ignore_above": 1024,
"type": "keyword"
},
"client_scid": {
"ignore_above": 1024,
"type": "keyword"
},
"server_scid": {
"ignore_above": 1024,
"type": "keyword"
},
"client_protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"history": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"radius": {
"properties": {
"connect_info": {

36
salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json Normal file
View File

@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}

21
salt/elasticsearch/templates/component/so/detection-mappings.json
View File

@@ -21,10 +21,10 @@
"properties": {
"publicId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword"
},
"title": {
"ignore_above": 1024,
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
@@ -38,15 +38,15 @@
"description": {
"type": "text"
},
"category": {
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"service": {
"service": {
"ignore_above": 1024,
"type": "keyword"
},
@@ -64,7 +64,7 @@
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword"
},
"ruleset": {
"ignore_above": 1024,
@@ -82,6 +82,12 @@
"ignore_above": 1024,
"type": "keyword"
},
"sourceCreated": {
"type": "date"
},
"sourceUpdated": {
"type": "date"
},
"overrides": {
"properties": {
"type": {
@@ -97,6 +103,9 @@
"updatedAt": {
"type": "date"
},
"note": {
"type": "text"
},
"regex": {
"type": "text"
},

25
salt/elasticsearch/templates/component/so/so-ip-mappings.json Normal file
View File

@@ -0,0 +1,25 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"@timestamp": {
"type": "date"
},
"so": {
"properties": {
"ip_address": {
"type": "ip"
},
"description": {
"type": "text"
}
}
}
}
}
}
}

3
salt/firewall/containers.map.jinja
View File

@@ -9,6 +9,7 @@
'so-influxdb',
'so-kibana',
'so-kratos',
'so-hydra',
'so-nginx',
'so-redis',
'so-soc',
@@ -30,6 +31,7 @@
'so-kafka',
'so-kibana',
'so-kratos',
'so-hydra',
'so-logstash',
'so-nginx',
'so-redis',
@@ -73,6 +75,7 @@
'so-influxdb',
'so-kibana',
'so-kratos',
'so-hydra',
'so-nginx',
'so-soc'
] %}

51
salt/hydra/config.sls Normal file
View File

@@ -0,0 +1,51 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from "hydra/map.jinja" import HYDRAMERGED %}
hydradir:
file.directory:
- name: /nsm/hydra
- user: 928
- group: 928
- mode: 700
- makedirs: True
hydradbdir:
file.directory:
- name: /nsm/hydra/db
- user: 928
- group: 928
- mode: 700
- makedirs: True
hydralogdir:
file.directory:
- name: /opt/so/log/hydra
- user: 928
- group: 928
- makedirs: True
hydraconfig:
file.managed:
- name: /opt/so/conf/hydra/hydra.yaml
- source: salt://hydra/files/hydra.yaml.jinja
- user: 928
- group: 928
- mode: 600
- template: jinja
- makedirs: True
- defaults:
HYDRAMERGED: {{ HYDRAMERGED }}
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

30
salt/hydra/defaults.yaml Normal file
View File

@@ -0,0 +1,30 @@
hydra:
enabled: False
config:
serve:
public:
port: 4444
admin:
port: 4445
urls:
self:
issuer: https://URL_BASE/connect
public: https://URL_BASE/connect
admin: http://localhost:4445
secrets:
system: []
ttl:
access_token: 1h
oidc:
subject_identifiers:
supported_types:
- pairwise
- public
pairwise:
salt: ""
log:
level: debug
format: json
sqa:
opt_out: true

27
salt/hydra/disabled.sls Normal file
View File

@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- hydra.sostatus
so-hydra:
docker_container.absent:
- force: True
so-hydra_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-hydra$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

103
salt/hydra/enabled.sls Normal file
View File

@@ -0,0 +1,103 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
#
# Note: Per the Elastic License 2.0, the second limitation states:
#
# "You may not move, change, disable, or circumvent the license key functionality
# in the software, and you may not remove or obscure any functionality in the
# software that is protected by the license key."
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if 'api' in salt['pillar.get']('features', []) %}
include:
- hydra.config
- hydra.sostatus
so-hydra:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-hydra:{{ GLOBALS.so_version }}
- hostname: hydra
- name: so-hydra
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-hydra'].ip }}
- binds:
- /opt/so/conf/hydra/:/hydra-conf:ro
- /opt/so/log/hydra/:/hydra-log:rw
- /nsm/hydra/db:/hydra-data:rw
{% if DOCKER.containers['so-hydra'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-hydra'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKER.containers['so-hydra'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-hydra'].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
- restart_policy: unless-stopped
- watch:
- file: hydraconfig
- require:
- file: hydraconfig
- file: hydralogdir
- file: hydradir
delete_so-hydra_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-hydra$
wait_for_hydra:
http.wait_for_successful_query:
- name: 'http://{{ GLOBALS.manager }}:4444/'
- ssl: True
- verify_ssl: False
- status:
- 200
- 301
- 302
- 404
- status_type: list
- wait_for: 300
- request_interval: 10
- require:
- docker_container: so-hydra
{% else %}
{{sls}}_no_license_detected:
test.fail_without_changes:
- name: {{sls}}_no_license_detected
- comment:
- "This is a feature supported only for customers with a valid license.
Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com
for more information about purchasing a license to enable this feature."
include:
- hydra.disabled
{% endif %}
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

1
salt/hydra/files/hydra.yaml.jinja Normal file
View File

@@ -0,0 +1 @@
{{ HYDRAMERGED.config | yaml(false) }}

13
salt/hydra/init.sls Normal file
View File

@@ -0,0 +1,13 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'hydra/map.jinja' import HYDRAMERGED %}
include:
{% if HYDRAMERGED.enabled %}
- hydra.enabled
{% else %}
- hydra.disabled
{% endif %}

13
salt/hydra/map.jinja Normal file
View File

@@ -0,0 +1,13 @@
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'hydra/defaults.yaml' as HYDRADEFAULTS %}
{% do HYDRADEFAULTS.hydra.config.urls.self.update({'issuer': HYDRADEFAULTS.hydra.config.urls.self.issuer | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do HYDRADEFAULTS.hydra.config.urls.self.update({'public': HYDRADEFAULTS.hydra.config.urls.self.public | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do HYDRADEFAULTS.hydra.config.urls.self.update({'admin': HYDRADEFAULTS.hydra.config.urls.self.admin | replace("URL_BASE", GLOBALS.url_base)}) %}
{% set HYDRAMERGED = salt['pillar.get']('hydra', default=HYDRADEFAULTS.hydra, merge=true) %}

28
salt/hydra/soc_hydra.yaml Normal file
View File

@@ -0,0 +1,28 @@
hydra:
enabled:
description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False.
helpLink: connect.html
config:
ttl:
access_token:
description: Amount of time that the generated access token will be valid. Specified in the form of 2h, which means 2 hours.
global: True
forcedType: string
helpLink: connect.html
log:
level:
description: Log level to use for Kratos logs.
global: True
helpLink: connect.html
format:
description: Log output format for Kratos logs.
global: True
helpLink: connect.html
secrets:
system:
description: Secrets used for token generation. Generated during installation.
global: True
sensitive: True
advanced: True
forcedType: "[]string"
helpLink: connect.html

21
salt/hydra/sostatus.sls Normal file
View File

@@ -0,0 +1,21 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
append_so-hydra_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-hydra
- unless: grep -q so-hydra /opt/so/conf/so-status/so-status.conf
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

4
salt/kibana/files/saved_objects.ndjson
View File

File diff suppressed because one or more lines are too long

4
salt/kratos/defaults.yaml
View File

@@ -50,6 +50,10 @@ kratos:
ui_url: https://URL_BASE/login/
registration:
ui_url: https://URL_BASE/login/
after:
oidc:
hooks:
- hook: session
default_browser_return_url: https://URL_BASE/
allowed_return_urls:
- http://127.0.0.1

3
salt/kratos/soc_kratos.yaml
View File

@@ -11,7 +11,7 @@ kratos:
helpLink: oidc.html
config:
id:
description: Customize the OIDC provider name. This name appears on the login page. Required.
description: Customize the OIDC provider name. This name appears on the login page. Required. It is strongly recommended to leave this to the default value, unless you are aware of the other configuration pieces that will be affected by changing it.
global: True
forcedType: string
helpLink: oidc.html
@@ -126,7 +126,6 @@ kratos:
issuer:
description: The name to show in the MFA authenticator app. Useful for differentiating between installations that share the same user email address.
global: True
advanced: True
helpLink: kratos.html
webauthn:
enabled:

10
salt/logrotate/defaults.yaml
View File

@@ -40,6 +40,16 @@ logrotate:
- extension .log
- dateext
- dateyesterday
/opt/so/log/hydra/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/kibana/*_x_log:
- daily
- rotate 14

7
salt/logrotate/soc_logrotate.yaml
View File

@@ -28,6 +28,13 @@ logrotate:
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/hydra/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/hydra/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/kibana/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/kibana/*.log

19
salt/logstash/map.jinja
View File

@@ -1,5 +1,5 @@
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
@@ -33,13 +33,22 @@
{# Append Kafka input pipeline when Kafka is enabled #}
{% if GLOBALS.pipeline == 'KAFKA' %}
{% do LOGSTASH_MERGED.defined_pipelines.search.remove('so/0900_input_redis.conf.jinja') %}
{% do LOGSTASH_MERGED.defined_pipelines.search.append('so/0800_input_kafka.conf.jinja') %}
{% do LOGSTASH_MERGED.defined_pipelines.manager.append('so/0800_input_kafka.conf.jinja') %}
{% if 'so/0900_input_redis.conf.jinja' in LOGSTASH_MERGED.defined_pipelines.search %}
{% do LOGSTASH_MERGED.defined_pipelines.search.remove('so/0900_input_redis.conf.jinja') %}
{% endif %}
{% if 'so/0800_input_kafka.conf.jinja' not in LOGSTASH_MERGED.defined_pipelines.search %}
{% do LOGSTASH_MERGED.defined_pipelines.search.append('so/0800_input_kafka.conf.jinja') %}
{% endif %}
{% if 'so/0800_input_kafka.conf.jinja' not in LOGSTASH_MERGED.defined_pipelines.manager %}
{% do LOGSTASH_MERGED.defined_pipelines.manager.append('so/0800_input_kafka.conf.jinja') %}
{% endif %}
{% if 'so/9999_output_redis.conf.jinja' in LOGSTASH_MERGED.defined_pipelines.manager %}
{% do LOGSTASH_MERGED.defined_pipelines.manager.remove('so/9999_output_redis.conf.jinja') %}
{% endif %}
{# Disable logstash on manager & receiver nodes unless it has an override configured #}
{% if not KAFKA_LOGSTASH %}
{% if GLOBALS.role in ['so-manager', 'so-receiver'] and GLOBALS.hostname not in KAFKA_LOGSTASH %}
{% do LOGSTASH_MERGED.update({'enabled': False}) %}
{% endif %}
{% endif %}
{% endif %}
{% endif %}

67
salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja
View File

@@ -1,18 +1,45 @@
output {
if "elastic-agent" in [tags] {
if [metadata][pipeline] {
if [metadata][_id] {
elasticsearch {
hosts => "{{ GLOBALS.hostname }}"
ecs_compatibility => v8
data_stream => true
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
document_id => "%{[metadata][_id]}"
pipeline => "%{[metadata][pipeline]}"
silence_errors_in_log => ["version_conflict_engine_exception"]
ssl => true
ssl_certificate_verification => false
if "elastic-agent" in [tags] and "so-ip-mappings" in [tags] {
elasticsearch {
hosts => "{{ GLOBALS.hostname }}"
data_stream => false
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
document_id => "%{[metadata][_id]}"
index => "so-ip-mappings"
silence_errors_in_log => ["version_conflict_engine_exception"]
ssl => true
ssl_certificate_verification => false
}
}
else {
if "elastic-agent" in [tags] {
if [metadata][pipeline] {
if [metadata][_id] {
elasticsearch {
hosts => "{{ GLOBALS.hostname }}"
ecs_compatibility => v8
data_stream => true
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
document_id => "%{[metadata][_id]}"
pipeline => "%{[metadata][pipeline]}"
silence_errors_in_log => ["version_conflict_engine_exception"]
ssl => true
ssl_certificate_verification => false
}
}
else {
elasticsearch {
hosts => "{{ GLOBALS.hostname }}"
ecs_compatibility => v8
data_stream => true
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
pipeline => "%{[metadata][pipeline]}"
ssl => true
ssl_certificate_verification => false
}
}
}
else {
@@ -22,22 +49,10 @@ output {
data_stream => true
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
pipeline => "%{[metadata][pipeline]}"
ssl => true
ssl_certificate_verification => false
}
}
}
else {
elasticsearch {
hosts => "{{ GLOBALS.hostname }}"
ecs_compatibility => v8
data_stream => true
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
ssl => true
ssl_certificate_verification => false
}
}
}
}

21
salt/manager/init.sls
View File

@@ -6,10 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'strelka/map.jinja' import STRELKAMERGED %}
{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %}
{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=true) %}
{% from 'strelka/map.jinja' import STRELKAMERGED %}
{% from 'manager/map.jinja' import MANAGERMERGED %}
include:
- salt.minion
@@ -45,6 +42,12 @@ yara_log_dir:
- user
- group
{% if GLOBALS.os_family == 'RedHat' %}
install_createrepo:
pkg.installed:
- name: createrepo_c
{% endif %}
repo_conf_dir:
file.directory:
- name: /opt/so/conf/reposync
@@ -135,6 +138,16 @@ rules_dir:
- group: socore
- makedirs: True
git_config_set_safe_dirs:
git.config_set:
- name: safe.directory
- global: True
- user: socore
- multivar:
- /nsm/rules/custom-local-repos/local-sigma
- /nsm/rules/custom-local-repos/local-yara
- /nsm/securityonion-resources
- /opt/so/conf/soc/ai_summary_repos/securityonion-resources
{% else %}
{{sls}}_state_not_allowed:

6
salt/manager/map.jinja
View File

@@ -4,4 +4,8 @@
Elastic License 2.0. #}
{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %}
{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=True) %}
{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=True) %}
{% if grains.os != 'OEL' %}
{% do MANAGERMERGED.reposync.update({'enabled': False}) %}
{% endif %}

4
salt/manager/sync_es_users.sls
View File

@@ -6,6 +6,10 @@ so-user.lock:
file.missing:
- name: /var/tmp/so-user.lock
so-client.lock:
file.missing:
- name: /var/tmp/so-client.lock
# Must run before elasticsearch docker container is started!
sync_es_users:
cmd.run:

411
salt/manager/tools/sbin/so-client Executable file
View File

@@ -0,0 +1,411 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
if [[ -f /usr/sbin/so-common ]]; then
source /usr/sbin/so-common
else
source $(dirname $0)/../../../common/tools/sbin/so-common
fi
function usage() {
cat <<USAGE_EOF
Usage: $0 <operation> [supporting parameters]
where <operation> is one of the following:
list: Lists all client IDs and permissions currently defined in the oauth2 system
add: Adds a new client to the oauth2 system and outputs the generated secret
Required parameters:
--name <name>
Optional parameters:
--note <note> (defaults to blank)
--json output as JSON
delete: Deletes a client from the oauth2 system
Required parameters:
--id <id>
addperm: Grants a permission to an existing client
Required parameters:
--id <id>
--permission <permission>
delperm: Removes a permission from an existing client
Required parameters:
--id <id>
--permission <permission>
update: Updates a client name and note.
Required parameters:
--id <id>
--name <name>
--note <note>
--searchusername <run-as username>
generate-secret: Regenerates a client's secret and outputs the new secret.
Required parameters:
--id <id>
Optional parameters:
--json output as JSON
USAGE_EOF
exit 1
}
if [[ $# -lt 1 || $1 == --help || $1 == -h || $1 == -? || $1 == --h ]]; then
usage
fi
operation=$1
shift
searchUsername=__MISSING__
note=__MISSING__
while [[ $# -gt 0 ]]; do
param=$1
shift
case "$param" in
--id)
id=$(echo $1 | sed 's/"/\\"/g')
[[ ${#id} -gt 55 ]] && fail "id cannot be longer than 55 characters"
shift
;;
--permission)
perm=$(echo $1 | sed 's/"/\\"/g')
[[ ${#perm} -gt 50 ]] && fail "permission cannot be longer than 50 characters"
shift
;;
--name)
name=$(echo $1 | sed 's/"/\\"/g')
[[ ${#name} -gt 50 ]] && fail "name cannot be longer than 50 characters"
shift
;;
--note)
note=$(echo $1 | sed 's/"/\\"/g')
[[ ${#note} -gt 100 ]] && fail "note cannot be longer than 100 characters"
shift
;;
--searchusername)
searchUsername=$(echo $1 | sed 's/"/\\"/g')
[[ ${#searchUsername} -gt 50 ]] && fail "search username cannot be longer than 50 characters"
shift
;;
--json)
json=1
;;
*)
echo "Encountered unexpected parameter: $param"
usage
;;
esac
done
hydraUrl=${HYDRA_URL:-http://127.0.0.1:4445}
socRolesFile=${SOC_ROLES_FILE:-/opt/so/conf/soc/soc_clients_roles}
soUID=${SOCORE_UID:-939}
soGID=${SOCORE_GID:-939}
function lock() {
# Obtain file descriptor lock
exec 99>/var/tmp/so-client.lock || fail "Unable to create lock descriptor; if the system was not shutdown gracefully you may need to remove /var/tmp/so-client.lock manually."
flock -w 10 99 || fail "Another process is using so-client; if the system was not shutdown gracefully you may need to remove /var/tmp/so-client.lock manually."
trap 'rm -f /var/tmp/so-client.lock' EXIT
}
function fail() {
msg=$1
echo "$1"
exit 1
}
function require() {
cmd=$1
which "$1" 2>&1 > /dev/null
[[ $? != 0 ]] && fail "This script requires the following command be installed: ${cmd}"
}
# Verify this environment is capable of running this script
function verifyEnvironment() {
require "jq"
require "curl"
response=$(curl -Ss -L ${hydraUrl}/)
[[ "$response" != *"Error 404"* ]] && fail "Unable to communicate with Hydra; specify URL via HYDRA_URL environment variable"
}
function createFile() {
filename=$1
uid=$2
gid=$3
mkdir -p $(dirname "$filename")
truncate -s 0 "$filename"
chmod 600 "$filename"
chown "${uid}:${gid}" "$filename"
}
function ensureRoleFileExists() {
if [[ ! -f "$socRolesFile" ]]; then
# Generate the new roles file
rolesTmpFile="${socRolesFile}.tmp"
createFile "$rolesTmpFile" "$soUID" "$soGID"
if [[ -d "$socRolesFile" ]]; then
echo "Removing invalid roles directory created by Docker"
rm -fr "$socRolesFile"
fi
mv "${rolesTmpFile}" "${socRolesFile}"
fi
}
function listClients() {
response=$(curl -Ss -L -f ${hydraUrl}/admin/clients)
[[ $? != 0 ]] && fail "Unable to communicate with Hydra"
clientIds=$(echo "${response}" | jq -r ".[] | .client_id" | sort)
for clientId in $clientIds; do
perms=$(grep ":$clientId\$" "$socRolesFile" | cut -d: -f1 | tr '\n' ' ')
echo "$clientId: $perms"
done
}
function addClientPermission() {
id=$1
perm=$2
adjustClientPermission "$id" "$perm" "add"
}
function deleteClientPermission() {
id=$1
perm=$2
adjustClientPermission "$id" "$perm" "del"
}
function adjustClientPermission() {
identityId=$1
perm=$2
op=$3
[[ ${identityId} == "" ]] && fail "Client not found"
ensureRoleFileExists
filename="$socRolesFile"
hasPerm=0
grep "^$perm:" "$socRolesFile" | grep -q "$identityId" && hasPerm=1
if [[ "$op" == "add" ]]; then
if [[ "$hasPerm" == "1" ]]; then
echo "Client '$identityId' already has the permission: $perm"
return 1
else
echo "$perm:$identityId" >> "$filename"
fi
elif [[ "$op" == "del" ]]; then
if [[ "$hasPerm" -ne 1 ]]; then
fail "Client '$identityId' does not have the permission: $perm"
else
sed -e "\!^$perm:$identityId\$!d" "$filename" > "$filename.tmp"
cat "$filename".tmp > "$filename"
rm -f "$filename".tmp
fi
else
fail "Unsupported permission adjustment operation: $op"
fi
return 0
}
function convertNameToId() {
name=$1
name=${name//[^[:alnum:]]/_}
echo "socl_$name" | tr '[:upper:]' '[:lower:]'
}
function createClient() {
name=$1
note=$2
id=$(convertNameToId "$name")
now=$(date -u +%FT%TZ)
secret=$(get_random_value)
body=$(cat <<EOF
{
"access_token_strategy": "opaque",
"client_id": "$id",
"client_secret": "$secret",
"client_name": "$name",
"grant_types": [ "client_credentials" ],
"response_types": [ "code" ],
"metadata": {
"note": "$note",
"searchUsername": ""
}
}
EOF
)
response=$(curl -Ss -L --fail-with-body -X POST ${hydraUrl}/admin/clients -d "$body")
if [[ $? != 0 ]]; then
error=$(echo $response | jq .error)
fail "Failed to submit request to Hydra: $error"
fi
}
function update() {
clientId=$1
name=$2
note=$3
username=$4
body=$(cat <<EOF
[
{
"op": "replace",
"path": "/client_name",
"value": "$name"
},
{
"op": "replace",
"path": "/metadata",
"value": {
"note": "$note",
"searchUsername": "$username"
}
}
]
EOF
)
response=$(curl -Ss -L --fail-with-body -X PATCH ${hydraUrl}/admin/clients/$id -d "$body")
if [[ $? != 0 ]]; then
error=$(echo $response | jq .error)
fail "Failed to submit request to Hydra: $error"
fi
}
function generateSecret() {
clientId=$1
secret=$(get_random_value)
body=$(cat <<EOF
[
{
"op": "replace",
"path": "/client_secret",
"value": "$secret"
}
]
EOF
)
response=$(curl -Ss -L --fail-with-body -X PATCH ${hydraUrl}/admin/clients/$id -d "$body")
if [[ $? != 0 ]]; then
error=$(echo $response | jq .error)
fail "Failed to submit request to Hydra: $error"
fi
}
function deleteClient() {
identityId=$1
[[ ${identityId} == "" ]] && fail "Client not found"
response=$(curl -Ss -XDELETE -L --fail-with-body "${hydraUrl}/admin/clients/$identityId")
if [[ $? != 0 ]]; then
error=$(echo $response | jq .error)
fail "Failed to submit request to Hydra: $error"
fi
rolesTmpFile="${socRolesFile}.tmp"
createFile "$rolesTmpFile" "$soUID" "$soGID"
grep -v "$identityId" "$socRolesFile" > "$rolesTmpFile"
cat "$rolesTmpFile" > "$socRolesFile"
}
case "${operation}" in
"add")
verifyEnvironment
[[ "$name" == "" ]] && fail "A short client name must be provided"
lock
createClient "$name" "$note"
if [[ "$json" == "1" ]]; then
echo "{\"id\":\"$id\",\"secret\":\"$secret\"}"
else
echo "Successfully added client ID $id with generated secret: $secret"
fi
;;
"list")
verifyEnvironment
listClients
;;
"addperm")
verifyEnvironment
[[ "$id" == "" ]] && fail "Id must be provided"
[[ "$perm" == "" ]] && fail "Permission must be provided"
lock
if addClientPermission "$id" "$perm"; then
echo "Successfully added permission to client"
fi
;;
"delperm")
verifyEnvironment
[[ "$id" == "" ]] && fail "Id must be provided"
[[ "$perm" == "" ]] && fail "Permission must be provided"
lock
deleteClientPermission "$id" "$perm"
echo "Successfully removed permission from client"
;;
"update")
verifyEnvironment
[[ "$id" == "" ]] && fail "Id must be provided"
[[ "$name" == "" ]] && fail "Name must be provided"
[[ "$note" == "__MISSING__" ]] && fail "Note must be provided"
[[ "$searchUsername" == "__MISSING__" ]] && fail "Search Username must be provided"
lock
update "$id" "$name" "$note" "$searchUsername"
echo "Successfully updated client"
;;
"generate-secret")
verifyEnvironment
[[ "$id" == "" ]] && fail "Id must be provided"
lock
generateSecret "$id"
if [[ "$json" == "1" ]]; then
echo "{\"secret\":\"$secret\"}"
else
echo "Successfully generated secret: $secret"
fi
;;
"delete")
verifyEnvironment
[[ "$id" == "" ]] && fail "Id must be provided"
lock
deleteClient "$id"
echo "Successfully deleted client."
;;
*)
fail "Unsupported operation: $operation"
usage
;;
esac
exit 0

16
salt/manager/tools/sbin/so-user
View File

@@ -100,23 +100,23 @@ while [[ $# -gt 0 ]]; do
shift
case "$param" in
--email)
email=$1
email=$(echo $1 | sed 's/"/\\"/g')
shift
;;
--role)
role=$1
role=$(echo $1 | sed 's/"/\\"/g')
shift
;;
--firstName)
firstName=$1
firstName=$(echo $1 | sed 's/"/\\"/g')
shift
;;
--lastName)
lastName=$1
lastName=$(echo $1 | sed 's/"/\\"/g')
shift
;;
--note)
note=$1
note=$(echo $1 | sed 's/"/\\"/g')
shift
;;
--skip-sync)
@@ -241,6 +241,10 @@ function updatePassword() {
[[ $? != 0 ]] && fail "Unable to clear aal2 identity IDs"
echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id in (select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
[[ $? != 0 ]] && fail "Unable to clear aal2 identity credentials"
echo "delete from session_devices where session_id in (select id from sessions where identity_id='${identityId}');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
[[ $? != 0 ]] && fail "Unable to clear session devices"
echo "delete from sessions where identity_id='${identityId}';" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
[[ $? != 0 ]] && fail "Unable to clear sessions"
echo "update identities set available_aal='aal1' where id='${identityId}';" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
[[ $? != 0 ]] && fail "Unable to reset aal"
fi
@@ -357,7 +361,6 @@ function syncElastic() {
random_crypt=$(get_random_value 53)
user_data_formatted=$(echo "${user_data_formatted}" | sed -r "s/^(.+:)\$/\\1\$2a\$12${random_crypt}/")
fi
echo "${user_data_formatted}" >> "$usersTmpFile"
# Append the user roles
@@ -373,7 +376,6 @@ function syncElastic() {
sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" >> "$rolesTmpFile"
[[ $? != 0 ]] && fail "Unable to read role identities from database"
done < "$socRolesFile"
else
echo "Database file or soc roles file does not exist yet, skipping users export"
fi

148
salt/manager/tools/sbin/soup
View File

@@ -19,6 +19,8 @@ SOUP_LOG=/root/soup.log
WHATWOULDYOUSAYYAHDOHERE=soup
whiptail_title='Security Onion UPdater'
NOTIFYCUSTOMELASTICCONFIG=false
TOPFILE=/opt/so/saltstack/default/salt/top.sls
BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup
# used to display messages to the user at the end of soup
declare -a FINAL_MESSAGE_QUEUE=()
@@ -32,10 +34,7 @@ check_err() {
if [[ $exit_code -ne 0 ]]; then
set +e
systemctl_func "start" "$cron_service_name"
systemctl_func "start" "salt-master"
systemctl_func "start" "salt-minion"
enable_highstate
failed_soup_restore_items
printf '%s' "Soup failed with error $exit_code: "
case $exit_code in
@@ -347,8 +346,6 @@ highstate() {
masterlock() {
echo "Locking Salt Master"
TOPFILE=/opt/so/saltstack/default/salt/top.sls
BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup
mv -v $TOPFILE $BACKUPTOPFILE
echo "base:" > $TOPFILE
echo " $MINIONID:" >> $TOPFILE
@@ -358,8 +355,12 @@ masterlock() {
}
masterunlock() {
echo "Unlocking Salt Master"
mv -v $BACKUPTOPFILE $TOPFILE
if [ -f $BACKUPTOPFILE ]; then
echo "Unlocking Salt Master"
mv -v $BACKUPTOPFILE $TOPFILE
else
echo "Salt Master does not need unlocked."
fi
}
phases_pillar_2_4_80() {
@@ -403,6 +404,8 @@ preupgrade_changes() {
[[ "$INSTALLEDVERSION" == 2.4.80 ]] && up_to_2.4.90
[[ "$INSTALLEDVERSION" == 2.4.90 ]] && up_to_2.4.100
[[ "$INSTALLEDVERSION" == 2.4.100 ]] && up_to_2.4.110
[[ "$INSTALLEDVERSION" == 2.4.110 ]] && up_to_2.4.111
[[ "$INSTALLEDVERSION" == 2.4.111 ]] && up_to_2.4.120
true
}
@@ -424,6 +427,8 @@ postupgrade_changes() {
[[ "$POSTVERSION" == 2.4.80 ]] && post_to_2.4.90
[[ "$POSTVERSION" == 2.4.90 ]] && post_to_2.4.100
[[ "$POSTVERSION" == 2.4.100 ]] && post_to_2.4.110
[[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.111
[[ "$POSTVERSION" == 2.4.111 ]] && post_to_2.4.120
true
}
@@ -506,8 +511,7 @@ post_to_2.4.90() {
}
post_to_2.4.100() {
echo "Regenerating Elastic Agent Installers"
/sbin/so-elastic-agent-gen-installers
echo "Nothing to apply"
POSTVERSION=2.4.100
}
@@ -516,6 +520,23 @@ post_to_2.4.110() {
POSTVERSION=2.4.110
}
post_to_2.4.111() {
echo "Nothing to apply"
POSTVERSION=2.4.111
}
post_to_2.4.120() {
update_elasticsearch_index_settings
# Manually rollover suricata alerts index to ensure data_stream.dataset expected mapping is set to 'suricata'
rollover_index "logs-suricata.alerts-so"
echo "Regenerating Elastic Agent Installers"
/sbin/so-elastic-agent-gen-installers
POSTVERSION=2.4.120
}
repo_sync() {
echo "Sync the local repo."
su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -693,17 +714,58 @@ up_to_2.4.90() {
INSTALLEDVERSION=2.4.90
}
up_to_2.4.100() {
# Elastic Update for this release, so download Elastic Agent files
determine_elastic_agent_upgrade
INSTALLEDVERSION=2.4.100
}
up_to_2.4.110() {
echo "Nothing to do for 2.4.110"
INSTALLEDVERSION=2.4.110
}
up_to_2.4.111() {
echo "Nothing to do for 2.4.111"
INSTALLEDVERSION=2.4.111
}
up_to_2.4.120() {
add_hydra_pillars
# this is needed for the new versionlock state
mkdir -p /opt/so/saltstack/local/pillar/versionlock
touch /opt/so/saltstack/local/pillar/versionlock/adv_versionlock.sls /opt/so/saltstack/local/pillar/versionlock/soc_versionlock.sls
# New Grid Integration added this release
rm -f /opt/so/state/eaintegrations.txt
INSTALLEDVERSION=2.4.120
}
add_hydra_pillars() {
mkdir -p /opt/so/saltstack/local/pillar/hydra
touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
chmod 660 /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
touch /opt/so/saltstack/local/pillar/hydra/adv_hydra.sls
HYDRAKEY=$(get_random_value)
HYDRASALT=$(get_random_value)
printf '%s\n'\
"hydra:"\
" config:"\
" secrets:"\
" system:"\
" - '$HYDRAKEY'"\
" oidc:"\
" subject_identifiers:"\
" pairwise:"\
" salt: '$HYDRASALT'"\
"" > /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
}
add_detection_test_pillars() {
if [[ -n "$SOUP_INTERNAL_TESTING" ]]; then
echo "Adding detection pillar values for automated testing"
@@ -750,6 +812,22 @@ ASSIST_EOF
fi
}
rollover_index() {
idx=$1
exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}")
if [[ $exists -eq 200 ]]; then
rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST)
if [[ $rollover -eq 200 ]]; then
echo "Successfully triggered rollover for $idx..."
else
echo "Could not trigger rollover for $idx..."
fi
else
echo "Could not find index $idx..."
fi
}
suricata_idstools_migration() {
#Backup the pillars for idstools
mkdir -p /nsm/backup/detections-migration/idstools
@@ -901,7 +979,7 @@ update_airgap_rules() {
rsync -av $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
rsync -av $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
# Copy the securityonion-resorces repo over for SOC Detection Summaries and checkout the published summaries branch
rsync -av --chown=socore:socore $UPDATE_DIR/agrules/securityonion-resources /opt/so/conf/soc/ai_summary_repos
rsync -av --delete --chown=socore:socore $UPDATE_DIR/agrules/securityonion-resources /opt/so/conf/soc/ai_summary_repos
git config --global --add safe.directory /opt/so/conf/soc/ai_summary_repos/securityonion-resources
git -C /opt/so/conf/soc/ai_summary_repos/securityonion-resources checkout generated-summaries-published
# Copy the securityonion-resorces repo over to nsm
@@ -913,10 +991,34 @@ update_airgap_repo() {
echo "Syncing new updates to /nsm/repo"
rsync -av $AGREPO/* /nsm/repo/
echo "Creating repo"
dnf -y install yum-utils createrepo
dnf -y install yum-utils createrepo_c
createrepo /nsm/repo
}
update_elasticsearch_index_settings() {
# Update managed indices to reflect latest index template
for idx in "so-detection" "so-detectionhistory" "so-case" "so-casehistory"; do
ilm_name=$idx
if [ "$idx" = "so-detectionhistory" ]; then
ilm_name="so-detection"
elif [ "$idx" = "so-casehistory" ]; then
ilm_name="so-case"
fi
JSON_STRING=$( jq -n --arg ILM_NAME "$ilm_name" '{"settings": {"index.auto_expand_replicas":"0-2","index.lifecycle.name":($ILM_NAME + "-logs")}}')
echo "Checking if index \"$idx\" exists"
exists=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -o /dev/null -w "%{http_code}" -k -L -H "Content-Type: application/json" "https://localhost:9200/$idx")
if [ $exists -eq 200 ]; then
echo "$idx index found..."
echo "Updating $idx index settings"
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -H "Content-Type: application/json" "https://localhost:9200/$idx/_settings" -d "$JSON_STRING" -XPUT
echo -e "\n"
else
echo -e "Skipping $idx... index does not exist\n"
fi
done
}
update_salt_mine() {
echo "Populating the mine with mine_functions for each host."
set +e
@@ -982,12 +1084,12 @@ upgrade_salt() {
# if oracle run with -r to ignore repos set by bootstrap
if [[ $OS == 'oracle' ]]; then
run_check_net_err \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M -x python3 stable \"$NEWSALTVERSION\"" \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
"Could not update salt, please check $SOUP_LOG for details."
# if another rhel family variant we want to run without -r to allow the bootstrap script to manage repos
else
run_check_net_err \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M -x python3 stable \"$NEWSALTVERSION\"" \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
"Could not update salt, please check $SOUP_LOG for details."
fi
set -e
@@ -1007,7 +1109,7 @@ upgrade_salt() {
echo ""
set +e
run_check_net_err \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M -x python3 stable \"$NEWSALTVERSION\"" \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
"Could not update salt, please check $SOUP_LOG for details."
set -e
echo "Applying apt hold for Salt."
@@ -1091,6 +1193,16 @@ apply_hotfix() {
fi
}
failed_soup_restore_items() {
local services=("$cron_service_name" "salt-master" "salt-minion")
for SERVICE_NAME in "${services[@]}"; do
if ! systemctl is-active --quiet "$SERVICE_NAME"; then
systemctl_func "start" "$SERVICE_NAME"
fi
done
enable_highstate
masterunlock
}
#upgrade salt to 3004.1
#2_3_10_hotfix_1() {
@@ -1130,6 +1242,8 @@ main() {
echo ""
require_manager
failed_soup_restore_items
check_pillar_items
echo "Checking to see if this is an airgap install."
@@ -1301,6 +1415,10 @@ main() {
echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes."
(wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
# Stop long-running scripts to allow potentially updated scripts to load on the next execution.
killall salt-relay.sh
highstate
postupgrade_changes
[[ $is_airgap -eq 0 ]] && unmount_update

27
salt/nginx/config.sls
View File

@@ -49,33 +49,12 @@ navigatorconfig:
- makedirs: True
- template: jinja
navigatordefaultlayer:
file.managed:
- name: /opt/so/conf/navigator/layers/nav_layer_playbook.json
- source: salt://nginx/files/nav_layer_playbook.json
navigatorlayersdir:
file.directory:
- name: /opt/so/conf/navigator/layers/
- user: 939
- group: 939
- makedirs: True
- replace: False
- template: jinja
navigatorpreattack:
file.managed:
- name: /opt/so/conf/navigator/layers/pre-attack.json
- source: salt://nginx/files/pre-attack.json
- user: 939
- group: 939
- makedirs: True
- replace: False
navigatorenterpriseattack:
file.managed:
- name: /opt/so/conf/navigator/layers/enterprise-attack.json
- source: salt://nginx/files/enterprise-attack.json
- user: 939
- group: 939
- makedirs: True
- replace: False
nginx_sbin:
file.recurse:

1
salt/nginx/enabled.sls
View File

@@ -164,7 +164,6 @@ so-nginx:
- x509: managerssl_crt
{% endif%}
- file: navigatorconfig
- file: navigatordefaultlayer
{% endif %}
delete_so-nginx_so-status.disabled:

61
salt/nginx/etc/nginx.conf
View File

@@ -89,11 +89,18 @@ http {
server_name _;
return 307 https://{{ GLOBALS.url_base }}$request_uri;
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob: wss:; frame-ancestors 'self'";
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
add_header referrer-Policy no-referrer;
ssl_certificate "/etc/pki/nginx/server.crt";
ssl_certificate_key "/etc/pki/nginx/server.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256;
ssl_ecdh_curve secp521r1:secp384r1;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
@@ -123,11 +130,19 @@ http {
http2 on;
server_name {{ GLOBALS.url_base }};
root /surirules;
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob: wss:; frame-ancestors 'self'";
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
add_header referrer-Policy no-referrer;
ssl_certificate "/etc/pki/nginx/server.crt";
ssl_certificate_key "/etc/pki/nginx/server.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
location / {
@@ -153,13 +168,14 @@ http {
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
add_header referrer-Policy no-referrer;
ssl_certificate "/etc/pki/nginx/server.crt";
ssl_certificate_key "/etc/pki/nginx/server.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
@@ -219,6 +235,37 @@ http {
proxy_set_header X-Forwarded-Proto $scheme;
}
{% if 'api' in salt['pillar.get']('features', []) %}
location ~* (^/oauth2/token.*|^.well-known/jwks.json|^.well-known/openid-configuration) {
limit_req zone=auth_throttle burst={{ NGINXMERGED.config.throttle_login_burst }} nodelay;
limit_req_status 429;
proxy_pass http://{{ GLOBALS.manager }}:4444;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
proxy_set_header X-Forwarded-Proto $scheme;
}
location /connect/ {
if ($http_authorization !~ "Bearer .*") {
return 401;
}
rewrite /connect/(.*) /api/$1 break;
proxy_pass http://{{ GLOBALS.manager }}:9822/;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_set_header x-user-id "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
proxy_set_header X-Forwarded-Proto $scheme;
}
{%- endif %}
location /cyberchef/ {
auth_request /auth/sessions/whoami;
proxy_read_timeout 90;
@@ -329,6 +376,9 @@ http {
error_page 429 = @error429;
location @error401 {
if ($request_uri ~* (^/connect/.*|^/oauth2/.*)) {
return 401;
}
if ($request_uri ~* ^/(?!(^/api/.*))) {
add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
}
@@ -336,6 +386,9 @@ http {
}
location @error403 {
if ($request_uri ~* (^/connect/.*|^/oauth2/.*)) {
return 403;
}
add_header Set-Cookie "ory_kratos_session=;Path=/;Max-Age=0;expires=Thu, 01 Jan 1970 00:00:00 GMT;";
return 302 /auth/self-service/login/browser;
}

519616
salt/nginx/files/enterprise-attack.json
View File

File diff suppressed because it is too large Load Diff

65
salt/nginx/files/nav_layer_playbook.json
View File

@@ -1,65 +0,0 @@
{
"name": "Playbook Coverage",
"versions": {
"attack": "14",
"navigator": "4.9.1",
"layer": "4.5"
},
"domain": "enterprise-attack",
"description": "",
"filters": {
"platforms": [
"Linux",
"macOS",
"Windows",
"Network",
"PRE",
"Containers",
"Office 365",
"SaaS",
"Google Workspace",
"IaaS",
"Azure AD"
]
},
"sorting": 0,
"layout": {
"layout": "side",
"aggregateFunction": "average",
"showID": false,
"showName": true,
"showAggregateScores": false,
"countUnscored": false,
"expandedSubtechniques": "none"
},
"hideDisabled": false,
"techniques": [
{
"techniqueID": "T1197",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"links": [],
"showSubtechniques": false
}
],
"gradient": {
"colors": [
"#ffffff00",
"#66b1ffff"
],
"minValue": 0,
"maxValue": 100
},
"legendItems": [],
"metadata": [],
"links": [],
"showTacticRowBackground": false,
"tacticRowBackground": "#dddddd",
"selectTechniquesAcrossTactics": true,
"selectSubtechniquesWithParent": false,
"selectVisibleTechniques": false
}

40
salt/nginx/files/navigator_config.json
View File

@@ -1,33 +1,53 @@
{%- set URL_BASE = salt['pillar.get']('global:url_base', '') %}
{
"versions": [
"collection_index_url": "",
"versions": {
"enabled": true,
"entries": [
{
"name": "ATT&CK v14",
"version": "14",
"name": "MITRE ATT&CK",
"version": "16",
"domains": [
{
{
"name": "Enterprise",
"identifier": "enterprise-attack",
"data": ["assets/so/enterprise-attack.json"]
"data": ["assets/mitre/enterprise-attack.json"]
}
]
}
],
]
},
"custom_context_menu_items": [ {"label": "view related plays","url": " https://{{URL_BASE}}/playbook/projects/detection-playbooks/issues?utf8=%E2%9C%93&set_filter=1&sort=id%3Adesc&f%5B%5D=cf_15&op%5Bcf_15%5D=%3D&f%5B%5D=&c%5B%5D=status&c%5B%5D=cf_10&c%5B%5D=cf_13&c%5B%5D=cf_18&c%5B%5D=cf_19&c%5B%5D=cf_1&c%5B%5D=updated_on&v%5Bcf_15%5D%5B%5D=~Technique_ID~"}],
"custom_context_menu_items": [
{"label": "View related Detections","url": " https://{{URL_BASE}}/#/detections?q=*{{ "{{technique_attackID}}" }}*+|+groupby+so_detection.language+|+groupby+so_detection.ruleset+so_detection.isEnabled+|+groupby+%22so_detection.category%22&z=America/New_York&el=500&gl=50&rt=0&rtu=hours"},
{"label": "View related Alerts","url": " https://{{URL_BASE}}/#/alerts?q=*{{ "{{technique_attackID}}" }}*+|+groupby+rule.name+event.module*+event.severity_label+rule.uuid&z=America/New_York&el=500&gl=500&rt=15&rtu=days"}
],
"default_layers": {
"enabled": true,
"urls": ["assets/so/nav_layer_playbook.json"]
"urls": ["assets/so/navigator_layer_all_detections.json","assets/so/navigator_layer_sigma.json","assets/so/navigator_layer_suricata.json","assets/so/navigator_layer_alerts.json"]
},
"comment_color": "yellow",
"link_color": "blue",
"banner": "",
"customize_features": [
{"name": "multiselect", "enabled": true, "description": "Disable to remove the multiselect panel from interface."},
{"name": "export_render", "enabled": true, "description": "Disable to remove the button to render the current layer."},
{"name": "export_excel", "enabled": true, "description": "Disable to remove the button to export the current layer to MS Excel (.xlsx) format."},
{"name": "legend", "enabled": true, "description": "Disable to remove the legend panel from the interface."},
{"name": "background_color", "enabled": true, "description": "Disable to remove the background color effect on manually assigned colors."},
{"name": "non_aggregate_score_color", "enabled": true, "description": "Disable to remove the color effect on non-aggregate scores."},
{"name": "aggregate_score_color", "enabled": true, "description": "Disable to remove the color effect on aggregate scores."},
{"name": "comment_underline", "enabled": true, "description": "Disable to remove the comment underline effect on techniques."},
{"name": "metadata_underline", "enabled": true, "description": "Disable to remove the metadata underline effect on techniques."},
{"name": "link_underline", "enabled": true, "description": "Disable to remove the hyperlink underline effect on techniques."}
],
"features": [
{"name": "leave_site_dialog", "enabled": true, "description": "Disable to remove the dialog prompt when leaving site."},
{"name": "tabs", "enabled": true, "description": "Disable to remove the ability to open new tabs."},
{"name": "leave_site_dialog", "enabled": false, "description": "Disable to remove the dialog prompt when leaving site."},
{"name": "tabs", "disabled": true, "description": "Disable to remove the ability to open new tabs."},
{"name": "selecting_techniques", "enabled": true, "description": "Disable to remove the ability to select techniques."},
{"name": "header", "enabled": true, "description": "Disable to remove the header containing banner."},
{"name": "subtechniques", "enabled": true, "description": "Disable to remove all sub-technique features from the interface."},

8724
salt/nginx/files/pre-attack.json
View File

File diff suppressed because it is too large Load Diff

4
salt/salt/map.jinja
View File

@@ -15,9 +15,9 @@
{% if grains.saltversion|string != SALTVERSION|string %}
{% if grains.os_family|lower == 'redhat' %}
{% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -s 120 -r -F -x python3 stable ' ~ SALTVERSION %}
{% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -s 120 -r -F stable ' ~ SALTVERSION %}
{% elif grains.os_family|lower == 'debian' %}
{% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -s 120 -F -x python3 stable ' ~ SALTVERSION %}
{% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -s 120 -F stable ' ~ SALTVERSION %}
{% endif %}
{% else %}
{% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}

11
salt/salt/minion.sls
View File

@@ -19,6 +19,17 @@ include:
{% if INSTALLEDSALTVERSION|string != SALTVERSION|string %}
{# this is added in 2.4.120 to remove salt repo files pointing to saltproject.io to accomodate the move to broadcom and new bootstrap-salt script #}
{% if salt['pkg.version_cmp'](GLOBALS.so_version, '2.4.120') == -1 %}
{% set saltrepofile = '/etc/yum.repos.d/salt.repo' %}
{% if grains.os_family == 'Debian' %}
{% set saltrepofile = '/etc/apt/sources.list.d/salt.list' %}
{% endif %}
remove_saltproject_io_repo_minion:
file.absent:
- name: {{ saltrepofile }}
{% endif %}
unhold_salt_packages:
pkg.unheld:
- pkgs:

4188
salt/salt/scripts/bootstrap-salt.sh
View File

File diff suppressed because it is too large Load Diff

52
salt/soc/config.sls
View File

@@ -176,6 +176,15 @@ socusersroles:
- require:
- sls: manager.sync_es_users
socclientsroles:
file.managed:
- name: /opt/so/conf/soc/soc_clients_roles
- user: 939
- group: 939
- mode: 600
- allow_empty: true
- create: true
socuploaddir:
file.directory:
- name: /nsm/soc/uploads
@@ -198,6 +207,49 @@ socsensoronirepos:
- mode: 775
- makedirs: True
create_custom_local_yara_repo_template:
git.present:
- name: /nsm/rules/custom-local-repos/local-yara
- bare: False
- force: True
add_readme_custom_local_yara_repo_template:
file.managed:
- name: /nsm/rules/custom-local-repos/local-yara/README
- source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
- user: 939
- group: 939
- template: jinja
- context:
repo_type: "yara"
create_custom_local_sigma_repo_template:
git.present:
- name: /nsm/rules/custom-local-repos/local-sigma
- bare: False
- force: True
add_readme_custom_local_sigma_repo_template:
file.managed:
- name: /nsm/rules/custom-local-repos/local-sigma/README
- source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
- user: 939
- group: 939
- template: jinja
- context:
repo_type: "sigma"
socore_own_custom_repos:
file.directory:
- name: /nsm/rules/custom-local-repos/
- user: socore
- group: socore
- recurse:
- user
- group
{% else %}
{{sls}}_state_not_allowed:

Some files were not shown because too many files have changed in this diff Show More