CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-01-24 00:43:28 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: CSEC_PUBLIC:2.4.40-20240116
Branches Tags
CSEC_PUBLIC:master CSEC_PUBLIC:2.4/dev CSEC_PUBLIC:reyesj2/patch-falsepos CSEC_PUBLIC:bravo CSEC_PUBLIC:fstes CSEC_PUBLIC:cogburn/gemini CSEC_PUBLIC:jertel/wip CSEC_PUBLIC:2.4/main CSEC_PUBLIC:patch/2.4.201 CSEC_PUBLIC:mwright/assistant-case-reports CSEC_PUBLIC:reyesj2/elastic-statereview CSEC_PUBLIC:foxtrot CSEC_PUBLIC:TOoSmOotH-patch-1 CSEC_PUBLIC:fixsource CSEC_PUBLIC:certtest CSEC_PUBLIC:delta CSEC_PUBLIC:2.4/playbooklocalrepo CSEC_PUBLIC:kaffytaffy CSEC_PUBLIC:2.3/main CSEC_PUBLIC:dev CSEC_PUBLIC:kilo CSEC_PUBLIC:sysusers CSEC_PUBLIC:feature/users
CSEC_PUBLIC:2.4.201-20260114 CSEC_PUBLIC:2.4.200-20251216 CSEC_PUBLIC:2.4.190-20251024 CSEC_PUBLIC:2.4.180-20250916 CSEC_PUBLIC:2.4.170-20250812 CSEC_PUBLIC:2.4.160-20250625 CSEC_PUBLIC:2.4.160-20250615 CSEC_PUBLIC:2.4.150-20250522 CSEC_PUBLIC:2.4.150-20250512 CSEC_PUBLIC:2.4.141-20250331 CSEC_PUBLIC:2.4.140-20250324 CSEC_PUBLIC:2.4.130-20250311 CSEC_PUBLIC:2.4.120-20250212 CSEC_PUBLIC:2.4.111-20241217 CSEC_PUBLIC:2.4.110-20241010 CSEC_PUBLIC:2.4.110-20241004 CSEC_PUBLIC:2.4.100-20240903 CSEC_PUBLIC:2.4.100-20240829 CSEC_PUBLIC:2.4.90-20240729 CSEC_PUBLIC:2.4.80-20240624 CSEC_PUBLIC:2.4.80-20240625 CSEC_PUBLIC:2.4.70-20240529 CSEC_PUBLIC:2.3.300-20240401 CSEC_PUBLIC:2.4.60-20240320 CSEC_PUBLIC:2.3.290-20240229 CSEC_PUBLIC:2.4.50-20240220 CSEC_PUBLIC:2.4.40-20240116 CSEC_PUBLIC:2.4.30-20231228 CSEC_PUBLIC:2.4.30-20231219 CSEC_PUBLIC:2.4.30-20231204 CSEC_PUBLIC:2.3.280-20231128 CSEC_PUBLIC:2.4.30-20231121 CSEC_PUBLIC:2.4.30-20231117 CSEC_PUBLIC:2.4.30-20231113 CSEC_PUBLIC:2.4.20-20231012 CSEC_PUBLIC:2.4.20-20231006 CSEC_PUBLIC:2.3.270-1006 CSEC_PUBLIC:2.4.10-202030821 CSEC_PUBLIC:2.4.10-20230815 CSEC_PUBLIC:2.4.5-20230807 CSEC_PUBLIC:2.4.5 CSEC_PUBLIC:2.4.4-20230728 CSEC_PUBLIC:2.4.3-20230711 CSEC_PUBLIC:2.3.260-20230620 CSEC_PUBLIC:2.4.2-20230531 CSEC_PUBLIC:2.3.250-20230519 CSEC_PUBLIC:2.3.240-20220426 CSEC_PUBLIC:2.4.1-20230424 CSEC_PUBLIC:2.3.230-20230417 CSEC_PUBLIC:2.4.0-20230328 CSEC_PUBLIC:2.3.220-20230301 CSEC_PUBLIC:2.3.220-20230224 CSEC_PUBLIC:2.3.210-20230202 CSEC_PUBLIC:2.3.200-20230113 CSEC_PUBLIC:2.3.190-20221207 CSEC_PUBLIC:2.3.190-20221205 CSEC_PUBLIC:2.3.182-20221109 CSEC_PUBLIC:2.3.181-20221021 CSEC_PUBLIC:2.3.180-20221014 CSEC_PUBLIC:2.3.170-20220922 CSEC_PUBLIC:2.3.160-20220829 CSEC_PUBLIC:2.3.150-20220820 CSEC_PUBLIC:2.3.140-20220812 CSEC_PUBLIC:2.3.140-20220719 CSEC_PUBLIC:2.3.140-20220718 CSEC_PUBLIC:2.3.130-20220607 CSEC_PUBLIC:2.3.120 CSEC_PUBLIC:2.3.110-20220407 CSEC_PUBLIC:2.3.110-20220405 CSEC_PUBLIC:2.3.110-20220401 CSEC_PUBLIC:2.3.110-20220309 CSEC_PUBLIC:2.3.100-20220301 CSEC_PUBLIC:2.3.100-20220203 CSEC_PUBLIC:2.3.100-20220202 CSEC_PUBLIC:2.3.100 CSEC_PUBLIC:2.3.91 CSEC_PUBLIC:2.3.90-20211213 CSEC_PUBLIC:2.3.90-20211210 CSEC_PUBLIC:2.3.90-20211206 CSEC_PUBLIC:2.3.90-AIRGAPFIX CSEC_PUBLIC:2.3.90-WAZUH CSEC_PUBLIC:2.3.90 CSEC_PUBLIC:2.3.80 CSEC_PUBLIC:2.3.70-WAZUH CSEC_PUBLIC:2.3.70-GRAFANA CSEC_PUBLIC:2.3.70-CURATOR CSEC_PUBLIC:2.3.70 CSEC_PUBLIC:2.3.61MSEARCH CSEC_PUBLIC:2.3.61STENODOCKER CSEC_PUBLIC:2.3.61 CSEC_PUBLIC:2.3.60CURATORAUTH CSEC_PUBLIC:2.3.60FBPIPELINE CSEC_PUBLIC:2.3.60HEAVYNODE CSEC_PUBLIC:2.3.60ECS CSEC_PUBLIC:2.3.60 CSEC_PUBLIC:2.3.52 CSEC_PUBLIC:2.3.51 CSEC_PUBLIC:2.3.50GRIDFIX CSEC_PUBLIC:2.3.50 CSEC_PUBLIC:2.3.40 CSEC_PUBLIC:2.3.30 CSEC_PUBLIC:2.3.21 CSEC_PUBLIC:2.3.20 CSEC_PUBLIC:2.3.10 CSEC_PUBLIC:2.3.2 CSEC_PUBLIC:2.3.1 CSEC_PUBLIC:2.3.0 CSEC_PUBLIC:2.2.0-rc3 CSEC_PUBLIC:2.1.0-rc2 CSEC_PUBLIC:2.0.1-rc1.1 CSEC_PUBLIC:2.0.1-rc1 CSEC_PUBLIC:2.0.0-rc1 CSEC_PUBLIC:1.4.1 CSEC_PUBLIC:1.4.0 CSEC_PUBLIC:1.3.0 CSEC_PUBLIC:1.2.1-1 CSEC_PUBLIC:1.2.1 CSEC_PUBLIC:1.1.4 CSEC_PUBLIC:1.1.3 CSEC_PUBLIC:1.0.4 CSEC_PUBLIC:v1.0.3
...
compare: CSEC_PUBLIC:2.4.60-20240320
Branches Tags
CSEC_PUBLIC:2.4/dev CSEC_PUBLIC:reyesj2/patch-falsepos CSEC_PUBLIC:bravo CSEC_PUBLIC:fstes CSEC_PUBLIC:cogburn/gemini CSEC_PUBLIC:jertel/wip CSEC_PUBLIC:2.4/main CSEC_PUBLIC:patch/2.4.201 CSEC_PUBLIC:mwright/assistant-case-reports CSEC_PUBLIC:reyesj2/elastic-statereview CSEC_PUBLIC:foxtrot CSEC_PUBLIC:TOoSmOotH-patch-1 CSEC_PUBLIC:fixsource CSEC_PUBLIC:certtest CSEC_PUBLIC:delta CSEC_PUBLIC:2.4/playbooklocalrepo CSEC_PUBLIC:kaffytaffy CSEC_PUBLIC:2.3/main CSEC_PUBLIC:master CSEC_PUBLIC:dev CSEC_PUBLIC:kilo CSEC_PUBLIC:sysusers CSEC_PUBLIC:feature/users
CSEC_PUBLIC:2.4.201-20260114 CSEC_PUBLIC:2.4.200-20251216 CSEC_PUBLIC:2.4.190-20251024 CSEC_PUBLIC:2.4.180-20250916 CSEC_PUBLIC:2.4.170-20250812 CSEC_PUBLIC:2.4.160-20250625 CSEC_PUBLIC:2.4.160-20250615 CSEC_PUBLIC:2.4.150-20250522 CSEC_PUBLIC:2.4.150-20250512 CSEC_PUBLIC:2.4.141-20250331 CSEC_PUBLIC:2.4.140-20250324 CSEC_PUBLIC:2.4.130-20250311 CSEC_PUBLIC:2.4.120-20250212 CSEC_PUBLIC:2.4.111-20241217 CSEC_PUBLIC:2.4.110-20241010 CSEC_PUBLIC:2.4.110-20241004 CSEC_PUBLIC:2.4.100-20240903 CSEC_PUBLIC:2.4.100-20240829 CSEC_PUBLIC:2.4.90-20240729 CSEC_PUBLIC:2.4.80-20240624 CSEC_PUBLIC:2.4.80-20240625 CSEC_PUBLIC:2.4.70-20240529 CSEC_PUBLIC:2.3.300-20240401 CSEC_PUBLIC:2.4.60-20240320 CSEC_PUBLIC:2.3.290-20240229 CSEC_PUBLIC:2.4.50-20240220 CSEC_PUBLIC:2.4.40-20240116 CSEC_PUBLIC:2.4.30-20231228 CSEC_PUBLIC:2.4.30-20231219 CSEC_PUBLIC:2.4.30-20231204 CSEC_PUBLIC:2.3.280-20231128 CSEC_PUBLIC:2.4.30-20231121 CSEC_PUBLIC:2.4.30-20231117 CSEC_PUBLIC:2.4.30-20231113 CSEC_PUBLIC:2.4.20-20231012 CSEC_PUBLIC:2.4.20-20231006 CSEC_PUBLIC:2.3.270-1006 CSEC_PUBLIC:2.4.10-202030821 CSEC_PUBLIC:2.4.10-20230815 CSEC_PUBLIC:2.4.5-20230807 CSEC_PUBLIC:2.4.5 CSEC_PUBLIC:2.4.4-20230728 CSEC_PUBLIC:2.4.3-20230711 CSEC_PUBLIC:2.3.260-20230620 CSEC_PUBLIC:2.4.2-20230531 CSEC_PUBLIC:2.3.250-20230519 CSEC_PUBLIC:2.3.240-20220426 CSEC_PUBLIC:2.4.1-20230424 CSEC_PUBLIC:2.3.230-20230417 CSEC_PUBLIC:2.4.0-20230328 CSEC_PUBLIC:2.3.220-20230301 CSEC_PUBLIC:2.3.220-20230224 CSEC_PUBLIC:2.3.210-20230202 CSEC_PUBLIC:2.3.200-20230113 CSEC_PUBLIC:2.3.190-20221207 CSEC_PUBLIC:2.3.190-20221205 CSEC_PUBLIC:2.3.182-20221109 CSEC_PUBLIC:2.3.181-20221021 CSEC_PUBLIC:2.3.180-20221014 CSEC_PUBLIC:2.3.170-20220922 CSEC_PUBLIC:2.3.160-20220829 CSEC_PUBLIC:2.3.150-20220820 CSEC_PUBLIC:2.3.140-20220812 CSEC_PUBLIC:2.3.140-20220719 CSEC_PUBLIC:2.3.140-20220718 CSEC_PUBLIC:2.3.130-20220607 CSEC_PUBLIC:2.3.120 CSEC_PUBLIC:2.3.110-20220407 CSEC_PUBLIC:2.3.110-20220405 CSEC_PUBLIC:2.3.110-20220401 CSEC_PUBLIC:2.3.110-20220309 CSEC_PUBLIC:2.3.100-20220301 CSEC_PUBLIC:2.3.100-20220203 CSEC_PUBLIC:2.3.100-20220202 CSEC_PUBLIC:2.3.100 CSEC_PUBLIC:2.3.91 CSEC_PUBLIC:2.3.90-20211213 CSEC_PUBLIC:2.3.90-20211210 CSEC_PUBLIC:2.3.90-20211206 CSEC_PUBLIC:2.3.90-AIRGAPFIX CSEC_PUBLIC:2.3.90-WAZUH CSEC_PUBLIC:2.3.90 CSEC_PUBLIC:2.3.80 CSEC_PUBLIC:2.3.70-WAZUH CSEC_PUBLIC:2.3.70-GRAFANA CSEC_PUBLIC:2.3.70-CURATOR CSEC_PUBLIC:2.3.70 CSEC_PUBLIC:2.3.61MSEARCH CSEC_PUBLIC:2.3.61STENODOCKER CSEC_PUBLIC:2.3.61 CSEC_PUBLIC:2.3.60CURATORAUTH CSEC_PUBLIC:2.3.60FBPIPELINE CSEC_PUBLIC:2.3.60HEAVYNODE CSEC_PUBLIC:2.3.60ECS CSEC_PUBLIC:2.3.60 CSEC_PUBLIC:2.3.52 CSEC_PUBLIC:2.3.51 CSEC_PUBLIC:2.3.50GRIDFIX CSEC_PUBLIC:2.3.50 CSEC_PUBLIC:2.3.40 CSEC_PUBLIC:2.3.30 CSEC_PUBLIC:2.3.21 CSEC_PUBLIC:2.3.20 CSEC_PUBLIC:2.3.10 CSEC_PUBLIC:2.3.2 CSEC_PUBLIC:2.3.1 CSEC_PUBLIC:2.3.0 CSEC_PUBLIC:2.2.0-rc3 CSEC_PUBLIC:2.1.0-rc2 CSEC_PUBLIC:2.0.1-rc1.1 CSEC_PUBLIC:2.0.1-rc1 CSEC_PUBLIC:2.0.0-rc1 CSEC_PUBLIC:1.4.1 CSEC_PUBLIC:1.4.0 CSEC_PUBLIC:1.3.0 CSEC_PUBLIC:1.2.1-1 CSEC_PUBLIC:1.2.1 CSEC_PUBLIC:1.1.4 CSEC_PUBLIC:1.1.3 CSEC_PUBLIC:1.0.4 CSEC_PUBLIC:v1.0.3

365 Commits
2.4.40-202 ... 2.4.60-202

Author SHA1 Message Date
Mike Reeves
b658c82cdc Merge pull request #12616 from Security-Onion-Solutions/2.4/dev 
2.4.60
 2024-03-20 10:55:42 -04:00
Mike Reeves
7779a95341 Merge pull request #12617 from Security-Onion-Solutions/2.4/main 
fix merges
 2024-03-20 10:53:09 -04:00
Mike Reeves
68ea2836dd Merge pull request #12615 from Security-Onion-Solutions/2.4.60 
2.4.260
 2024-03-20 10:43:08 -04:00
Mike Reeves
bb3bbd749c 2.4.260 2024-03-20 10:20:04 -04:00
Mike Reeves
4237210f0b Merge pull request #12587 from Security-Onion-Solutions/TOoSmOotH-patch-10 
Update soc_suricata.yaml
 2024-03-14 11:37:35 -04:00
Mike Reeves
fd835f6394 Update soc_suricata.yaml 2024-03-14 11:36:45 -04:00
Mike Reeves
284e0d8435 Update soc_suricata.yaml 2024-03-14 11:33:47 -04:00
Jason Ertel
09bff01d79 Merge pull request #12584 from Security-Onion-Solutions/jertel/suripcap 
handle airgap when detections not enabled
 2024-03-13 21:35:06 -04:00
Jason Ertel
844cfe55cd handle airgap when detections not enabled 2024-03-13 20:52:17 -04:00
Jason Ertel
927fe9039d handle airgap when detections not enabled 2024-03-13 20:50:03 -04:00
Jason Ertel
cc1356c823 Merge pull request #12581 from Security-Onion-Solutions/jertel/suripcap 
removed unused property
 2024-03-13 14:20:22 -04:00
Jason Ertel
275a678fa1 removed unused property 2024-03-13 13:49:44 -04:00
Josh Patterson
3d33c99f53 Merge pull request #12579 from Security-Onion-Solutions/m0duspwnens-patch-1-dontshowchanges 
Update init.sls
 2024-03-13 11:26:20 -04:00
Josh Patterson
b9702d02db Update init.sls 2024-03-13 11:24:26 -04:00
Josh Patterson
292ab0e378 Merge pull request #12577 from Security-Onion-Solutions/jppsocerino 
remove modules if detections disabled
 2024-03-13 10:30:00 -04:00
m0duspwnens
1a829190ac remove modules if detections disabled 2024-03-13 09:46:44 -04:00
Josh Brower
dc3eace718 Merge pull request #12576 from Security-Onion-Solutions/2.4/regenpackages 
Gen packages post-SOUP
 2024-03-13 07:53:08 -04:00
DefensiveDepth
06013e2c6f Gen packages post-SOUP 2024-03-13 07:23:43 -04:00
Mike Reeves
603483148d Merge pull request #12567 from Security-Onion-Solutions/TOoSmOotH-patch-9 
Update so-saltstack-update to use 2.4/main
 2024-03-12 10:20:41 -04:00
Mike Reeves
3e0fb3f8bb Update so-saltstack-update 2024-03-12 10:18:27 -04:00
Mike Reeves
5deebe07d8 Merge pull request #12564 from Security-Onion-Solutions/TOoSmOotH-patch-8 
Update soc_suricata.yaml
 2024-03-12 09:24:56 -04:00
Josh Brower
197791f8ed Merge pull request #12565 from Security-Onion-Solutions/2.4/detections-defaults 
2.4/detections defaults
 2024-03-12 06:17:30 -04:00
Mike Reeves
72acb11925 Update soc_suricata.yaml 2024-03-11 19:04:51 -04:00
DefensiveDepth
0f41f07dc9 Merge remote-tracking branch 'origin/2.4/dev' into 2.4/detections-defaults 2024-03-11 16:41:26 -04:00
Josh Brower
47ab1f5b95 Merge pull request #12563 from Security-Onion-Solutions/kilo 
Add yara update back
 2024-03-11 16:39:31 -04:00
Josh Patterson
b7f058a8ca Merge pull request #12561 from Security-Onion-Solutions/jppnocap 
transitional pcap
 2024-03-11 15:57:16 -04:00
DefensiveDepth
61a183b7fc Add regex defaults 2024-03-11 15:55:39 -04:00
m0duspwnens
ba32b3e6e9 fix bpf for transition 2024-03-11 14:07:45 -04:00
Jason Ertel
8c54a19698 Merge pull request #12560 from Security-Onion-Solutions/jertel/email 
auto-convert email addresses to lowercase during setup
 2024-03-11 14:06:52 -04:00
Jason Ertel
cd28c00d67 auto-convert email addresses to lowercase during setup 2024-03-11 13:47:31 -04:00
Jason Ertel
b5d8df7fb2 auto-convert email addresses to lowercase during setup 2024-03-11 13:45:57 -04:00
m0duspwnens
907cf9f992 transition pcap 2024-03-11 12:20:28 -04:00
Josh Patterson
4355d5b659 Merge pull request #12544 from Security-Onion-Solutions/jertel/status 
pcap improvements
 2024-03-11 10:29:33 -04:00
Jorge Reyes
2ca96c7f4c Merge pull request #12555 from Security-Onion-Solutions/reyesj2-patch-osc 
Create local salt directory
 2024-03-11 09:40:20 -04:00
reyesj2
a8403c63c7 Create local salt dir for stig 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-03-11 09:35:54 -04:00
weslambert
34d5954e16 Fix indent 2024-03-11 09:12:05 -04:00
Jorge Reyes
f4725bf6d4 Merge pull request #12553 from Security-Onion-Solutions/reyesj2-patch-osc 
Run scan against default scap security guide so that resulting score is accurate
 2024-03-11 07:52:07 -04:00
Doug Burks
b622cf8d23 Merge pull request #12545 from Security-Onion-Solutions/dougburks-patch-1 
Update soc_pcap.yaml
 2024-03-08 16:45:29 -05:00
Doug Burks
a892352b61 Update soc_pcap.yaml 2024-03-08 16:43:29 -05:00
Jason Ertel
a55e04e64a pcap improvements 2024-03-08 15:48:53 -05:00
Josh Brower
4a9e8265ce Merge remote-tracking branch 'origin/2.4/dev' into kilo 2024-03-08 14:48:04 -05:00
coreyogburn
68ba9a89cf Merge pull request #12542 from Security-Onion-Solutions/cogburn/yara-license 
Updated RulesRepo for New Strelka Structure
 2024-03-08 11:42:49 -07:00
Corey Ogburn
6f05c3976b Updated RulesRepo for New Strelka Structure 2024-03-08 11:29:46 -07:00
Doug Burks
b6b6fc45e7 Merge pull request #12527 from Security-Onion-Solutions/TOoSmOotH-patch-7 
Fix Space Free for Steno
 2024-03-08 12:40:15 -05:00
Doug Burks
e1b27a930e Merge pull request #12540 from Security-Onion-Solutions/dougburks-patch-1 
FIX: Update SOC annotations for Stenographer PCAP #12539
 2024-03-08 12:32:15 -05:00
Doug Burks
6680e023e4 Update soc_pcap.yaml 2024-03-08 12:16:59 -05:00
Wes
e8ae609012 Add Strelka rules watch back 2024-03-08 16:27:17 +00:00
Wes
fc66a54902 Add Strelka download and update scripts back 2024-03-08 16:26:14 +00:00
Wes
4e32935991 Add Strelka config back 2024-03-08 16:24:37 +00:00
Josh Patterson
7ec887a327 Merge pull request #12537 from Security-Onion-Solutions/issue/12535 
allow managersearch to receiver redis and 5644
 2024-03-08 10:13:27 -05:00
m0duspwnens
3eb6fe2df9 allow managersearch to receiver redis and 5644 2024-03-08 09:52:12 -05:00
Jason Ertel
6d06aa8ed6 Merge pull request #12526 from Security-Onion-Solutions/jertel/status 
unswap files
 2024-03-07 14:49:17 -05:00
Mike Reeves
06257b9c4a Update so-minion 2024-03-07 14:32:46 -05:00
Jason Ertel
40574982e4 unswap files 2024-03-07 14:25:43 -05:00
Jason Ertel
e2567dcf8d Merge pull request #12521 from Security-Onion-Solutions/jertel/status 
gracefully handle status check failure on ubuntu
 2024-03-07 13:29:48 -05:00
Jason Ertel
fffef9b621 gracefully handle status check failure on ubuntu 2024-03-07 12:31:51 -05:00
weslambert
1633527695 Merge pull request #12519 from Security-Onion-Solutions/fix/error_message_system_syslog 
Add error.message mapping for system.syslog
 2024-03-07 10:47:33 -05:00
Wes
005930f7fd Add error.message mapping for system.syslog 2024-03-07 15:41:23 +00:00
Mike Reeves
b5f1733e97 Merge pull request #12513 from Security-Onion-Solutions/newsuripcap 
Change Factoring for so-minion pcap disk space
 2024-03-07 10:14:34 -05:00
m0duspwnens
70f3ce0536 change how maxfiles is calculated 2024-03-06 17:32:06 -05:00
reyesj2
17a75d5bd2 Run stig post remediate scan against default ol9 scap-security-guide. 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-03-06 17:19:01 -05:00
m0duspwnens
583227290f fix max-files calc 2024-03-06 15:18:22 -05:00
m0duspwnens
cf232534ca move suricata.pcap to suricata.config.outputs.pcap-log 2024-03-06 14:42:07 -05:00
Mike Reeves
7f1e786e3d Consolidate PCAP settings 2024-03-06 12:56:09 -05:00
Mike Reeves
9a413a2e31 Fix location of repo 2024-03-06 12:42:22 -05:00
Jason Ertel
8f36a8a4b6 Merge pull request #12514 from Security-Onion-Solutions/jertel/annotations 
detections annotations
 2024-03-06 11:10:21 -05:00
Jason Ertel
1cbac11fae detections annotations 2024-03-06 11:08:03 -05:00
Mike Reeves
ad12093429 Fix percent calc 2024-03-06 11:05:06 -05:00
Jason Ertel
167aff24f6 detections annotations 2024-03-06 11:03:52 -05:00
Josh Brower
9e671621db Merge pull request #12510 from Security-Onion-Solutions/2.4/excludedetections 
Add Exclusion toggle
 2024-03-06 10:56:29 -05:00
Mike Reeves
4dfa1a5626 Move Suricata around 2024-03-06 10:35:10 -05:00
Mike Reeves
f836d6a61d Update so-minion 2024-03-06 10:06:17 -05:00
Mike Reeves
a63fca727c Update soc_suricata.yaml 2024-03-06 10:02:06 -05:00
Mike Reeves
f58c104d89 Update so-minion 2024-03-06 09:51:56 -05:00
Jason Ertel
5acefb5d18 Merge pull request #12511 from Security-Onion-Solutions/jertel/annotations 
PCAP annotations
 2024-03-06 08:40:24 -05:00
Jason Ertel
0f12297f50 add new pcap annotations 2024-03-06 08:19:42 -05:00
Jason Ertel
12653eec8c add new pcap annotations 2024-03-06 08:14:33 -05:00
Josh Brower
1b47537a3f Add Exclusion toggle 2024-03-06 07:16:50 -05:00
Josh Patterson
73b45cfaf8 Merge pull request #12508 from Security-Onion-Solutions/jppsensoroni 
fix pcapspace function
 2024-03-05 17:53:28 -05:00
Josh Patterson
eaef076eba Update so-minion 2024-03-05 17:52:24 -05:00
Josh Patterson
ac9db8a392 Merge branch '2.4/dev' into jppsensoroni 2024-03-05 17:51:32 -05:00
m0duspwnens
5687fdcf57 fix pcapspace function 2024-03-05 17:46:43 -05:00
Jason Ertel
d5b08142a0 Merge pull request #12507 from Security-Onion-Solutions/jertel/annotations 
fix oinkcodes with leading zeros
 2024-03-05 16:44:56 -05:00
Jason Ertel
4b5f00cef4 fix oinkcodes with leading zeros 2024-03-05 16:42:20 -05:00
weslambert
185a160df0 Merge pull request #12500 from Security-Onion-Solutions/feature/additional_integrations_5 
Additional Integrations #5
 2024-03-05 16:12:05 -05:00
Mike Reeves
b9707fc8ea Merge pull request #12502 from Security-Onion-Solutions/TOoSmOotH-patch-5 
Update so-minion
 2024-03-05 15:10:02 -05:00
Mike Reeves
a686d46322 Update so-minion 2024-03-05 15:09:02 -05:00
Mike Reeves
6eb608c3f5 Update so-minion 2024-03-05 15:05:03 -05:00
weslambert
b9ebe6c40b Update VERSION 2024-03-05 12:58:34 -05:00
Josh Patterson
781f96a74e Merge pull request #12497 from Security-Onion-Solutions/jppsensoroni 
fix sensoroni for non sensor
 2024-03-05 10:36:12 -05:00
m0duspwnens
c0d19e11b9 fix } placement 2024-03-05 10:07:32 -05:00
m0duspwnens
1a58aa61a0 only import pcap and suricata if sensor 2024-03-05 09:54:40 -05:00
m0duspwnens
08f2b8251b add GLOBALS.is_sensor 2024-03-05 09:53:35 -05:00
weslambert
bed42208b1 Add journald integration 2024-03-05 09:49:55 -05:00
weslambert
2a7e5b096f Change version for foxtrot 2024-03-05 09:48:59 -05:00
weslambert
d8e8933ea0 Add AWS Security Hub template 2024-03-05 09:25:41 -05:00
weslambert
d85ac39e28 Add AWS Inspector template 2024-03-05 09:23:17 -05:00
weslambert
1514f1291e Add AWS GuardDuty template 2024-03-05 09:21:48 -05:00
weslambert
b64d61065a Add AWS Cloudfront template 2024-03-05 09:19:43 -05:00
Mike Reeves
58d222284e Merge pull request #12271 from Security-Onion-Solutions/suripcap 
Suricata PCAP
 2024-03-04 17:27:38 -05:00
Mike Reeves
fe238755e9 Fix df 2024-03-04 16:52:51 -05:00
Mike Reeves
018e099111 Modify setup 2024-03-04 14:53:15 -05:00
Josh Brower
9fd1653914 Merge pull request #12487 from Security-Onion-Solutions/2.4/elastic-agent-fim 
Fix FIM
 2024-03-04 07:41:36 -05:00
Josh Brower
f28f269bb1 Fix FIM 2024-03-04 07:38:32 -05:00
Josh Brower
f3dce66f03 Merge pull request #12482 from Security-Onion-Solutions/2.4/sigma-pipeline 
2.4/sigma pipeline
 2024-03-01 15:29:13 -05:00
Josh Brower
d832158cc5 Drop Hashes field 2024-03-01 15:26:02 -05:00
Josh Brower
b017157d21 Add antivirus mapping 2024-03-01 14:04:56 -05:00
Jorge Reyes
d911b7bfc4 Merge pull request #12469 from Security-Onion-Solutions/reyesj2-patch-4 
FIX: EA installers not downloadable from SOC & fix logging
 2024-02-29 16:21:44 -05:00
reyesj2
53761d4dba FIX: EA installers not downloadable from SOC + fix stg logging 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-02-29 16:15:26 -05:00
Mike Reeves
1fe8f3d9e4 Merge pull request #12405 from Security-Onion-Solutions/repochange 
Manage the repo files
 2024-02-29 14:01:48 -05:00
Josh Brower
aa3b917368 Merge pull request #12456 from Security-Onion-Solutions/feature/detections-airgap 
Feature/detections airgap
 2024-02-28 09:41:13 -05:00
Josh Brower
e2dd0f8cf1 Only update rule files if AG 2024-02-28 09:39:23 -05:00
weslambert
d1e55d5ab7 Merge pull request #12450 from Security-Onion-Solutions/fix/suricata_max_age 
Roll Suricata logs daily to prevent alerts from being deleted when not meeting size threshold
 2024-02-27 17:28:07 -05:00
weslambert
df3943b465 Daily rollover 2024-02-27 17:24:27 -05:00
Josh Patterson
d5fc6ddd2c Merge pull request #12449 from Security-Onion-Solutions/issue/12391 
Issue/12391
 2024-02-27 15:38:33 -05:00
m0duspwnens
fcc0f9d14f redo classifications 2024-02-27 13:20:58 -05:00
Josh Brower
59af547838 Fix download location 2024-02-27 09:49:54 -05:00
Josh Brower
a817bae1e5 Merge pull request #12437 from Security-Onion-Solutions/feature/detections-airgap 
Airgap Support - Detections module
 2024-02-26 16:47:26 -05:00
Josh Brower
c6baa4be1b Airgap Support - Detections module 2024-02-26 16:19:32 -05:00
m0duspwnens
8b7f7933bd suricata container watch classification.config 2024-02-26 15:29:13 -05:00
m0duspwnens
466dac30bb soup for classifications 2024-02-26 12:15:17 -05:00
Doug Burks
52580fb8c4 Merge pull request #12434 from Security-Onion-Solutions/feature/improve-endpoint-columns 
Add multiple endpoint features
 2024-02-26 12:05:30 -05:00
weslambert
acf7dbdabe Merge pull request #12432 from Security-Onion-Solutions/fix/endpoint_diag_template 
Update pattern for endpoint diagnostic template
 2024-02-26 12:01:29 -05:00
weslambert
1d099f97d2 Update pattern for endpoint diagnostic template 2024-02-26 11:27:56 -05:00
Doug Burks
f8424f3dad Update defaults.yaml 2024-02-26 11:22:09 -05:00
m0duspwnens
9a7e2153ee add classification.config 2024-02-26 11:01:53 -05:00
Doug Burks
c8a95a8706 FEATURE: Add new endpoint dashboards #12428 2024-02-26 09:59:07 -05:00
Doug Burks
4df21148fc FEATURE: Add default columns for endpoint.events datasets #12425 2024-02-26 09:40:51 -05:00
Doug Burks
ca249312ba FEATURE: Add new SOC action for Process Info #12421 2024-02-26 09:38:14 -05:00
Josh Brower
66b815d4b2 Merge pull request #12431 from Security-Onion-Solutions/feature/brower-detections 
Add Detection AutoUpdate config
 2024-02-26 08:43:33 -05:00
Josh Brower
a6bb7216f9 Add Detection AutoUpdate config 2024-02-26 08:18:42 -05:00
Josh Brower
77cb5748f6 Merge pull request #12430 from Security-Onion-Solutions/feature/sigma-pipeline 
Feature/sigma pipeline
 2024-02-26 08:00:00 -05:00
Doug Burks
d6cb8ab928 update events_x_process in defaults.yaml 2024-02-23 17:09:40 -05:00
Doug Burks
daf96d7934 fix new eventFields in merged.map.jinja 2024-02-23 17:07:48 -05:00
Doug Burks
58f4fb87d0 fix new eventFields in soc_soc.yaml 2024-02-23 17:06:29 -05:00
Doug Burks
b7ef1e8af1 add more endpoint.events.x fields to soc_soc.yaml 2024-02-23 15:38:53 -05:00
Doug Burks
7da0ccf5a6 add more endpoint.events.x entries to merged.map.jinja 2024-02-23 15:35:53 -05:00
Doug Burks
65cdc1dc86 Merge pull request #12423 from Security-Onion-Solutions/jppfiec 
convert _x_ to . for soc ui to config
 2024-02-23 15:22:16 -05:00
m0duspwnens
573d565976 convert _x_ to . for soc ui to config 2024-02-23 15:03:44 -05:00
Doug Burks
b8baca417b add endpoint_x_events_x_process to defaults.yaml 2024-02-23 14:03:04 -05:00
Josh Brower
d04aa06455 Fix source.ip 2024-02-22 14:01:02 -05:00
Mike Reeves
1824d7b36d Merge pull request #12416 from Security-Onion-Solutions/TOoSmOotH-patch-2 
Fix Loss Calculation for Stenographer
 2024-02-22 12:52:36 -05:00
Mike Reeves
e7914fc5a1 Update stenoloss.sh 2024-02-22 12:49:06 -05:00
Mike Reeves
759b2ff59e Manage the repos 2024-02-22 10:03:51 -05:00
Josh Brower
c886e72793 Imphash mappings 2024-02-22 08:59:33 -05:00
Josh Brower
0a9022ba6a Add hash mappings 2024-02-21 17:07:08 -05:00
Josh Patterson
d2f7946377 Merge pull request #12411 from Security-Onion-Solutions/issue/12382 
nest under policy
 2024-02-21 16:28:04 -05:00
coreyogburn
eb3432fb8b Merge pull request #12412 from Security-Onion-Solutions/kilo 
Initial Support for Detections Module
 2024-02-21 14:08:11 -07:00
Josh Brower
927ea0c9ec Update VERSION 2024-02-21 15:56:12 -05:00
m0duspwnens
162785575c nest under policy 2024-02-21 15:28:24 -05:00
Jason Ertel
152e7937db Merge pull request #12408 from Security-Onion-Solutions/jertel/24template 
add missing template
 2024-02-21 13:24:34 -05:00
Jason Ertel
25570e6ec2 add missing template 2024-02-21 13:18:39 -05:00
Josh Brower
1952f0f232 Merge remote-tracking branch 'origin/2.4/dev' into kilo 2024-02-21 13:11:49 -05:00
Mike Reeves
9ca0f586ae Manage the repos 2024-02-21 11:45:02 -05:00
Jason Ertel
29778438f0 Merge pull request #12396 from Security-Onion-Solutions/jertel/glm 
add lock threads
 2024-02-21 07:18:05 -05:00
Jason Ertel
6c6a362fcc add lock threads 2024-02-20 19:14:18 -05:00
Mike Reeves
89010dacab Merge pull request #12348 from Security-Onion-Solutions/TOoSmOotH-patch-4 
Update soup
 2024-02-20 12:10:09 -05:00
Jason Ertel
78d41c5342 Merge pull request #12386 from Security-Onion-Solutions/jertel/corricon 
replace correlate icon to avoid confusion with searcheng.in
 2024-02-20 10:39:38 -05:00
Jason Ertel
4b314c8715 replace correlate icon to avoid confusion with searcheng.in 2024-02-20 10:30:09 -05:00
Mike Reeves
ed0773604c Merge pull request #12385 from Security-Onion-Solutions/TOoSmOotH-patch-1 
Update VERSION
 2024-02-20 10:14:45 -05:00
Mike Reeves
07fcfab7ec Update VERSION 2024-02-20 10:14:11 -05:00
Mike Reeves
84c5fa6a58 Merge pull request #12353 from Security-Onion-Solutions/2.4/dev 
2.4.50
 2024-02-20 10:04:01 -05:00
Mike Reeves
5c96e30087 Merge pull request #12383 from Security-Onion-Solutions/2.4.50 
2.4.50
 2024-02-20 09:50:09 -05:00
Mike Reeves
18b4fcca75 2.4.50 2024-02-20 09:47:05 -05:00
Josh Brower
ffb3cc87b7 Default ruleset; Descriptions 2024-02-16 11:55:10 -05:00
Josh Brower
e4dcb4a8dd Merge remote-tracking branch 'origin/cogburn/detection_playbooks' into kilo 2024-02-15 17:50:37 -05:00
Corey Ogburn
c64f37ab67 sigmaRulePackages is now a string array 2024-02-15 10:34:07 -07:00
Josh Brower
686304f24a Merge remote-tracking branch 'origin/2.4/dev' into kilo 2024-02-15 09:47:51 -05:00
Josh Patterson
0765320839 Merge pull request #12360 from Security-Onion-Solutions/2450soup 
`2450soup
 2024-02-14 14:37:28 -05:00
m0duspwnens
a2b17d2348 move jinja to top 2024-02-14 14:27:41 -05:00
m0duspwnens
c1f467a068 handle airgap 2024-02-14 14:22:18 -05:00
m0duspwnens
7d5932ee5e Merge remote-tracking branch 'origin/2.4/dev' into 2450soup 2024-02-14 13:29:39 -05:00
m0duspwnens
79e98e508f pass in UPDATE_DIR as a pillar 2024-02-14 13:28:12 -05:00
Josh Patterson
cf6266a92b Merge pull request #12354 from Security-Onion-Solutions/2450soup 
modify soup to update soup scripts using salt
 2024-02-13 16:23:57 -05:00
m0duspwnens
2e9fa2438b add back comment 2024-02-13 16:19:50 -05:00
Corey Ogburn
a5db9f87dd Merge branch 'kilo' into cogburn/detection_playbooks 2024-02-13 14:08:44 -07:00
Corey Ogburn
f321e734eb Added so-detection mapping in elasticsearch 2024-02-13 14:05:27 -07:00
Corey Ogburn
8800b7e878 WIP: Detections Changes 
Removed some strelka/yara rules from salt.

Removed yara scripts for downloading and updating rules. This will be managed by SOC.

Added a new compile_yara.py script.

Added the strelka repos folder.
 2024-02-13 14:05:27 -07:00
Corey Ogburn
031ee078c5 socsigmarepo 
Need write permissions on the /opt/so/rules dir so I can clone the sigma repo there.
 2024-02-13 14:05:27 -07:00
m0duspwnens
00f2374582 fix path for so-firewall 2024-02-13 15:43:02 -05:00
m0duspwnens
468eedfaeb add soup script update retru 2024-02-13 15:30:24 -05:00
m0duspwnens
88786e8342 use file.copy to preserve perms 2024-02-13 15:05:09 -05:00
Corey Ogburn
c933627a71 Merge branch 'kilo' of github.com:security-onion-solutions/securityonion into kilo 2024-02-13 12:53:29 -07:00
Corey Ogburn
0d297274c8 DetectionComment Mapping Defined 2024-02-13 12:53:18 -07:00
m0duspwnens
141fd49f02 use rsync 2024-02-13 14:27:22 -05:00
m0duspwnens
7112337c85 fix copy 2024-02-13 13:52:14 -05:00
Josh Brower
0c6c6ba2d5 Various UI tweaks 2024-02-13 13:38:43 -05:00
m0duspwnens
d6ac7a3286 fix the jinja 2024-02-13 13:31:34 -05:00
m0duspwnens
9175a73456 dont need $ for vars 2024-02-13 13:08:09 -05:00
Doug Burks
14209ad99d Merge pull request #12355 from Security-Onion-Solutions/dougburks-patch-1 
Add table columns to process dashboard in defaults.yaml
 2024-02-13 12:59:34 -05:00
m0duspwnens
1bde002f20 update case 2024-02-13 12:51:53 -05:00
Doug Burks
0741ae370a Update defaults.yaml 2024-02-13 12:51:26 -05:00
m0duspwnens
d7f853b5b2 comment out script copy in soup 2024-02-13 12:50:22 -05:00
m0duspwnens
5c9b1ab38b copy with cp 2024-02-13 12:48:31 -05:00
m0duspwnens
b713771494 add back common soup_scripts state 2024-02-13 12:30:36 -05:00
Doug Burks
8060751a66 Add table columns to process dashboard in defaults.yaml 2024-02-13 12:24:33 -05:00
m0duspwnens
c1258f9a92 Merge remote-tracking branch 'origin/2.4/dev' into 2450soup 2024-02-13 11:09:24 -05:00
m0duspwnens
92634724c4 move rm 2024-02-13 11:09:08 -05:00
m0duspwnens
3efaba1104 modify soup to update soup scripts without using salt 2024-02-13 11:04:26 -05:00
Doug Burks
d072d431b3 Merge pull request #12350 from Security-Onion-Solutions/feature/process-ancestry-action 
FEATURE: Add new SOC action to show process ancestry #12345
 2024-02-13 08:51:38 -05:00
Josh Brower
ea80469c2d Detection Default queries 2024-02-12 19:39:55 -05:00
Doug Burks
0ad39a7e32 FEATURE: Add new SOC action to show process ancestry #12345 2024-02-12 19:18:29 -05:00
Doug Burks
20d2f3b97e Update Sublime action in defaults.yaml to use i18n 2024-02-12 19:13:32 -05:00
Josh Brower
64726a2785 Merge pull request #12349 from Security-Onion-Solutions/2.4/conflictingfix 
Fix conflicting id
 2024-02-12 19:07:07 -05:00
Josh Brower
ccb14485a3 Fix conflicting id 2024-02-12 19:06:19 -05:00
Josh Brower
5102269440 Update defaults 2024-02-12 16:44:54 -05:00
Mike Reeves
5a4e11b2f8 Update soup 
Remove a function that isn't used any more
 2024-02-12 16:09:47 -05:00
Mike Reeves
e713b4c660 Merge pull request #12346 from Security-Onion-Solutions/reyesj2-patch-1 
Remove unused file
 2024-02-12 16:07:31 -05:00
Mike Reeves
2db5f4dd41 Merge pull request #12308 from petiepooo/feat-es-ownfs 
FEATURE: Check for mountpoint during Elastic size limit calculations
 2024-02-12 16:03:36 -05:00
Mike Reeves
f91cb5b81f Merge pull request #12290 from petiepooo/fix-remove-intca-symlink 
fix: also remove intca symlink
 2024-02-12 12:33:13 -05:00
Jorge Reyes
4b697b2406 Remove unused file 2024-02-12 09:28:48 -05:00
Josh Brower
c04f5a3f0f Merge pull request #12268 from Security-Onion-Solutions/feature/fleet-artifacts 
Feature/fleet artifacts
 2024-02-12 08:58:14 -05:00
Josh Brower
b1de6abc17 Merge pull request #12343 from Security-Onion-Solutions/fix/anothercheck 
Wait for ES to be ready
 2024-02-12 08:58:05 -05:00
Josh Brower
cc0f25a4f7 Wait for ES to be ready 2024-02-11 13:30:20 -05:00
Josh Brower
eafb5cf15e Change to file_root 2024-02-11 13:18:20 -05:00
Jorge Reyes
2b2aa30ac1 Merge pull request #12332 from Security-Onion-Solutions/reyesj2/sod-putty 
Add putty to SOD
 2024-02-10 20:41:03 -05:00
Josh Brower
66ac36a944 Update soup 2024-02-10 11:07:26 -05:00
Josh Brower
feabb7c51f Merge remote-tracking branch 'origin/2.4/dev' into feature/fleet-artifacts 2024-02-10 10:57:46 -05:00
Corey Ogburn
64f6d0fba9 Updated Detection's ES Mappings 
Detection's now have a License field and the Comment model is defined now.
 2024-02-09 14:20:07 -07:00
Josh Patterson
94b6e781bb Merge pull request #12337 from Security-Onion-Solutions/salt3006.6v2 
Salt3006.6v2
 2024-02-09 15:45:39 -05:00
m0duspwnens
304ae49251 fix source 2024-02-09 12:41:23 -05:00
m0duspwnens
213ac822a8 create dir and chown 2024-02-09 10:54:07 -05:00
m0duspwnens
2143881c0b specify *.rules 2024-02-09 10:22:25 -05:00
m0duspwnens
5903ae596c move suricata rules to /opt/so/rules/nids/suri 2024-02-09 09:47:23 -05:00
Josh Brower
0c423c9329 Merge pull request #12333 from Security-Onion-Solutions/fix/shell 
Fixup shell
 2024-02-09 09:31:47 -05:00
Josh Brower
654602bf80 Fixup shell 2024-02-09 09:30:18 -05:00
reyesj2
3c9d6da1d8 add putty to sod packages.sls 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-02-08 22:05:37 -05:00
Josh Brower
683abf0179 Rework naming 2024-02-08 13:24:25 -05:00
Corey Ogburn
29174566f3 WIP: Updated Detection Mappings, Changed Engine to Language 
Detection mappings updated to include the removal of Note and the addition of Tags, Ruleset, and Language.

SOC defaults updated to use language based queries rather than engine and show the language column instead of the engine column in results.
 2024-02-08 09:44:56 -07:00
Josh Brower
8d0e8789bd Use salt file roots 2024-02-08 09:54:51 -05:00
Josh Brower
503a09f150 Merge remote-tracking branch 'origin/2.4/dev' into feature/fleet-artifacts 2024-02-08 09:45:21 -05:00
Josh Brower
81a3e95914 Fixup sigma pipelines 2024-02-07 16:42:16 -05:00
Josh Patterson
f02f61c6dd Merge pull request #12325 from Security-Onion-Solutions/salt3006.6 
Salt3006.6
 2024-02-07 16:33:56 -05:00
Doug Burks
8c5dafa058 Merge pull request #12324 from Security-Onion-Solutions/feature/dashboards-communityid-firewall 
FEATURE: Add new dashboards for community_id and firewall auth #12323
 2024-02-07 16:15:21 -05:00
Doug Burks
d3d2305f00 FEATURE: Add new dashboards for community_id and firewall auth #12323 2024-02-07 16:08:27 -05:00
Josh Brower
7e3187c0b8 Fixup sigma pipelines 2024-02-07 15:35:31 -05:00
Josh Brower
b7b501d289 Add Sigma pipelines 2024-02-07 15:02:52 -05:00
m0duspwnens
6534f392a9 update backup filename 2024-02-07 14:25:28 -05:00
m0duspwnens
478fb6261e Merge remote-tracking branch 'origin/2.4/dev' into salt3006.6 2024-02-07 14:15:11 -05:00
m0duspwnens
e42e07b245 update salt mine after salt-master restarts 2024-02-07 13:05:45 -05:00
m0duspwnens
f97d0f2f36 add /opt/so/rules/ to files_roots 2024-02-07 09:25:56 -05:00
m0duspwnens
24fd3ef8cc uopdate error message 2024-02-06 16:22:13 -05:00
m0duspwnens
b3f6153667 update so-yaml tests 2024-02-06 16:15:54 -05:00
Doug Burks
d800d59304 Merge pull request #12316 from Security-Onion-Solutions/feature/improve-soc-actions 
FEATURE: Improve Correlate and Hunt actions on SOC Actions menu #12315
 2024-02-06 15:46:31 -05:00
Doug Burks
7106095128 FEATURE: Improve Correlate and Hunt actions on SOC Actions menu #12315 2024-02-06 15:39:23 -05:00
m0duspwnens
9d62ade32e update so-yaml tests 2024-02-06 11:14:27 -05:00
m0duspwnens
2643ae08a7 add append to list 2024-02-05 17:54:30 -05:00
Josh Brower
378c99ae88 Fix bindings 2024-02-02 18:27:49 -05:00
Corey Ogburn
8f81c9eb68 Updating config for Detection(s) 2024-02-02 11:49:58 -07:00
Pete
cf83d1cb86 feat: use mountpoint for Elastic log limit 
Instead of just existence, this checks if the directories are separate mountpoints when determining disk size and log_size_limit calculations.

It also sets the percentage to 80 if /nsm/elasticsearch is a separate mountpoint.  This allows for better disk utilization on server configurations where /nsm is based on large slow HDDs for increased PCAP retention but /nsm/elasticsearch is based on SSDs for faster Elasticsearch performance.
 2024-02-02 12:25:16 -05:00
Pete
7a29b3a529 call salt before stopping salt services 
salt-call does not work when the salt-master is not running.  If these calls are to succeed, they should occur before the salt services are stopped.
 2024-02-02 08:45:01 -05:00
Josh Brower
fe196b5661 Add SOC Config for Detections 2024-02-01 12:22:50 -05:00
m0duspwnens
61ee41e431 Merge remote-tracking branch 'origin/2.4/dev' into salt3006.6 2024-02-01 11:07:06 -05:00
m0duspwnens
0d5db58c86 upgrade salt3006.6 2024-02-01 10:32:41 -05:00
Josh Brower
3d478b92b2 Merge pull request #12294 from Security-Onion-Solutions/jppffa 
Jppffa
 2024-02-01 09:47:18 -05:00
Josh Brower
e090518b59 Refactor script 2024-02-01 09:46:53 -05:00
weslambert
91c1e595ef Merge pull request #12297 from Security-Onion-Solutions/feature/pipeline_config_ui 
Manage custom Elasticsearch and Logstash pipelines in UI
 2024-02-01 09:18:30 -05:00
Wes
1818e134ca Change numbers for Logstash 2024-02-01 14:01:55 +00:00
Wes
182667bafb Change numbers for Elasticsearch 2024-02-01 13:59:23 +00:00
Josh Brower
49b5788ac1 add bindings 2024-02-01 07:21:49 -05:00
Josh Brower
881d6b313e Update VERSION - kilo 2024-01-31 17:04:11 -05:00
Josh Brower
db057b4dfa Merge pull request #12296 from Security-Onion-Solutions/cogburn/detection_playbooks 
Cogburn/detection playbooks
 2024-01-31 16:48:51 -05:00
Wes
136097f981 Custom Logstash pipeline annotations 2024-01-31 21:47:09 +00:00
Wes
bc502cc065 Custom Elasticserach pipeline annotations 2024-01-31 21:46:33 +00:00
m0duspwnens
ae32ac40c2 add fleet node nginx to docker annotations 2024-01-31 16:28:45 -05:00
m0duspwnens
2f03248612 use different nginx defaults for so-fleet node hosting artifacts 2024-01-31 16:25:09 -05:00
Mike Reeves
a094d1007b Merge pull request #12293 from Security-Onion-Solutions/TOoSmOotH-patch-3 
fix salt lock for airgap version mismatches
 2024-01-31 16:21:16 -05:00
Mike Reeves
341ff5b564 Update so-functions 2024-01-31 16:18:51 -05:00
Josh Brower
0fe96bfc2d switch to symlink 2024-01-31 16:17:40 -05:00
Wes
4672a5b8eb Custom pipeline configuration in UI 2024-01-31 20:18:17 +00:00
Wes
1853dc398b Custom pipeline configuration 2024-01-31 20:17:33 +00:00
Wes
bc75be9402 Custom pipelines in UI 2024-01-31 20:16:48 +00:00
Wes
cd4bd6460a Custom pipelines 2024-01-31 20:16:18 +00:00
Corey Ogburn
585147d1de Added so-detection mapping in elasticsearch 2024-01-31 10:39:47 -07:00
Mike Reeves
0d01d09d2e fix pcap paths 2024-01-31 09:15:35 -05:00
Pete
1192dbd530 also remove intca symlink 
The symlink is created in init.sls; it should be removed here.
 2024-01-31 09:01:56 -05:00
Mike Reeves
00289c201e fix pcap paths 2024-01-31 08:58:57 -05:00
Corey Ogburn
858166bcae WIP: Detections Changes 
Removed some strelka/yara rules from salt.

Removed yara scripts for downloading and updating rules. This will be managed by SOC.

Added a new compile_yara.py script.

Added the strelka repos folder.
 2024-01-30 15:43:51 -07:00
m0duspwnens
4be1214bab pcap engine logic for sensoroni 2024-01-30 16:53:57 -05:00
Corey Ogburn
0fa4d92f8f socsigmarepo 
Need write permissions on the /opt/so/rules dir so I can clone the sigma repo there.
 2024-01-30 14:49:05 -07:00
m0duspwnens
8a25748e33 grammar 2024-01-30 16:06:24 -05:00
m0duspwnens
8b503e2ffa telegraf dont run stenoloss script if suricata is pcap engine 2024-01-30 15:58:11 -05:00
Jorge Reyes
4dd0b4a4fd Merge pull request #12283 from Security-Onion-Solutions/reyesj2-patch-6 
Remove remediate from initial oscap scan
 2024-01-30 15:56:13 -05:00
reyesj2
b5ffa186fb Remove remediate from initial oscap scan 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-30 15:54:23 -05:00
m0duspwnens
f32cb1f115 fix find to work with steno and suri pcap 2024-01-30 15:48:10 -05:00
m0duspwnens
8ed66ea468 disable stenographer if suricata is pcap engine 2024-01-30 15:22:32 -05:00
m0duspwnens
0522dc180a map pcap dir to container. enable pcap-log in map 2024-01-30 13:39:35 -05:00
m0duspwnens
37dcb84a09 add missing comma 2024-01-30 10:50:01 -05:00
m0duspwnens
d118ff4728 add GLOBALS.pcap_engine 2024-01-29 16:54:08 -05:00
Mike Reeves
88d2ddba8b add placeholder for telegraf 2024-01-29 15:53:54 -05:00
Mike Reeves
ab551a747d Threads placeholder logic 2024-01-29 15:44:57 -05:00
Mike Reeves
88c01a22d6 Add annotation logic 2024-01-29 15:27:28 -05:00
Mike Reeves
0c969312e2 Add Globals 2024-01-29 15:22:20 -05:00
Mike Reeves
5b05aec96a Target sspecific minion 2024-01-29 14:56:51 -05:00
Mike Reeves
1a2245a1ed Add so-minion modifications 2024-01-29 13:44:53 -05:00
Josh Brower
0d08bb0a91 Finalize script 2024-01-29 11:37:28 -05:00
Jorge Reyes
cb5e111a00 Merge pull request #12267 from Security-Onion-Solutions/reyesj2-patch-6 
Update soup
 2024-01-29 10:22:35 -05:00
reyesj2
7c08b348aa Add comment for soup update w/ STIGs enabled 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-29 10:16:34 -05:00
Josh Brower
afa98fa147 update artifacts URL automatically 2024-01-28 14:20:52 -05:00
Josh Brower
1847e5c3c0 Enable nginx on Fleet Node 2024-01-28 11:37:18 -05:00
Josh Brower
cfc33b1a34 Sync Elastic Agent Artifacts 2024-01-28 10:12:25 -05:00
weslambert
dc5ea89255 Merge pull request #12260 from Security-Onion-Solutions/fix/endpoint_diagnostic 
Add template for endpoint.diagnostic.collection
 2024-01-26 16:13:30 -05:00
reyesj2
c4301d7cc1 Soup script update locations 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-26 15:51:06 -05:00
reyesj2
91c7b8144d soup logic 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-26 15:43:42 -05:00
reyesj2
2e026b637d Update soup to retry modified salt command on failure to update soup scripts. 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-26 11:36:33 -05:00
reyesj2
cd6e387bcb remove --local from soup common.soup_scripts update. 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-25 16:15:53 -05:00
Wes
12ab6338db Add diagnostic 2024-01-25 20:16:52 +00:00
weslambert
cd54d4becb Fix indent 2024-01-25 13:57:02 -05:00
Mike Reeves
762a3bea17 Defaults and Annotations 2024-01-25 09:59:26 -05:00
weslambert
5f1c76f6ec endpoint.diagnostic.collection 2024-01-25 09:46:25 -05:00
weslambert
d2d70d1c5b Merge pull request #12250 from Security-Onion-Solutions/fix/scan_pe_flags 
Fix PE Flags
 2024-01-24 14:29:23 -05:00
Jason Ertel
e53030feef Merge pull request #12248 from Security-Onion-Solutions/jertel/pfeat 
standardize feature names
 2024-01-24 12:12:16 -05:00
Jason Ertel
9f17bd2255 lks/fps 2024-01-24 11:17:32 -05:00
Wes
8426aad56d Text mapping for scan.pe.flags 2024-01-24 15:10:42 +00:00
Wes
d23d367058 Make scan.pe.flags a string 2024-01-24 15:08:38 +00:00
weslambert
cbdaf2e9a1 Merge pull request #12242 from Security-Onion-Solutions/upgrade/strelka_0.24.01.18 
Fix quote
 2024-01-23 14:02:35 -05:00
weslambert
4d7af21dd5 Fix quote 2024-01-23 13:55:37 -05:00
weslambert
8348506acc Merge pull request #12240 from Security-Onion-Solutions/upgrade/strelka_0.24.01.18 
UPGRADE: Strelka 0.24.01.18
 2024-01-23 13:50:15 -05:00
weslambert
1698d95efe Use PLACEHOLDER for key values 2024-01-23 13:45:26 -05:00
weslambert
b1052ddcce Merge pull request #12241 from Security-Onion-Solutions/fix/leak_test 
Exclude specific Strelka key values
 2024-01-23 13:43:18 -05:00
weslambert
0cb36bb0aa Exclude StrelkaHexDump and PLACEHOLDER values 2024-01-23 13:39:59 -05:00
weslambert
0ccdfcb07c Exclude only offset_meta_key 2024-01-23 13:11:43 -05:00
weslambert
63ba97306c Exclude Strelka defaults 2024-01-23 13:05:58 -05:00
weslambert
72319e33db Avoid leak test triggering 2024-01-23 12:38:09 -05:00
weslambert
34bb37e415 Merge pull request #12227 from Security-Onion-Solutions/feature/rita_logs 
RITA Logs
 2024-01-23 12:32:32 -05:00
Wes
3bcb0bc132 Update defaults 2024-01-23 17:18:54 +00:00
Jorge Reyes
d25a2d4c30 Merge pull request #12230 from Security-Onion-Solutions/reyesj2-patch-sl 
Handle non-zero
 2024-01-23 08:31:48 -05:00
reyesj2
350b0df3bf Handle non-zero 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-22 22:48:15 -05:00
Wes
5542db0aac Leave package version null 2024-01-22 21:07:46 +00:00
Wes
b08db3e05a Add RITA policy 2024-01-22 20:16:43 +00:00
Wes
80a3942245 Rename RITA pipelines 2024-01-22 20:15:48 +00:00
weslambert
de6151fbe2 Merge pull request #12221 from Security-Onion-Solutions/feature/additional_integrations_4 
Additional integrations #4 - Part 1
 2024-01-19 17:32:37 -05:00
Wes
7118cc8dee Add additional integration SOC configuration 2024-01-19 22:04:07 +00:00
Wes
05aa8b013a Add additional integration to templates 2024-01-19 22:02:39 +00:00
Wes
d0457cb61e Add additional integrations to defaults 2024-01-19 22:00:38 +00:00
Jorge Reyes
c2b44985c7 Merge pull request #12220 from Security-Onion-Solutions/reyesj2-patch-sl 
Disable stigs setting/verifying umask is set to 077. Known issue with …
 2024-01-19 16:06:10 -05:00
reyesj2
8f8c250ed3 Disable stigs setting/verifing umask is set to 077. Known issue with running SOUP 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-19 16:04:21 -05:00
Mike Reeves
6db32885eb Merge pull request #12216 from Security-Onion-Solutions/TOoSmOotH-patch-2 
Update suricata.common
 2024-01-19 13:56:48 -05:00
Mike Reeves
efe8cfda95 Update suricata.common 2024-01-19 13:39:28 -05:00
Mike Reeves
08486e279c Update suricata.common 2024-01-19 13:36:43 -05:00
Jorge Reyes
40d0411441 Merge pull request #12214 from Security-Onion-Solutions/reyesj2-patch-sl 
Add stig pillar dir during soup
 2024-01-19 10:55:13 -05:00
reyesj2
2b6927da82 Add stig pillar dir during soup 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-19 09:55:23 -05:00
Jorge Reyes
0786806f8f Merge pull request #12213 from Security-Onion-Solutions/reyesj2-patch-sl 
Update soup
 2024-01-19 08:59:34 -05:00
reyesj2
ca4f2f1dd6 Add creation of additional pillars to soup for stig state 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-19 08:31:20 -05:00
Jorge Reyes
97e2721754 Merge pull request #12208 from Security-Onion-Solutions/reyesj2-patch-sl 2024-01-18 16:53:14 -05:00
reyesj2
07602076f1 Update telegraf script 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-18 16:48:16 -05:00
reyesj2
caf4036dbf Update features check 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-18 16:06:53 -05:00
Jorge Reyes
4a898619a6 Merge pull request #12206 from Security-Onion-Solutions/reyesj2-patch-sl 
Remove need for stig script
 2024-01-18 12:49:28 -05:00
reyesj2
65d46ea27d Merge remote-tracking branch 'remotes/origin/2.4/dev' into reyesj2-patch-sl 2024-01-18 12:24:35 -05:00
reyesj2
67445de4ee Remove need for stig script 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-18 12:24:01 -05:00
Jorge Reyes
6a8bf0b953 Merge pull request #12202 from Security-Onion-Solutions/reyesj2-patch-sl 
Add stig state
 2024-01-18 09:25:21 -05:00
weslambert
33d74098bd Merge pull request #12201 from Security-Onion-Solutions/fix/suricata_ike 
Add Suricata IKE pipeline
 2024-01-17 16:50:19 -05:00
reyesj2
3173f9a26f Merge remote-tracking branch 'remotes/origin/2.4/dev' into reyesj2-patch-sl 2024-01-17 16:28:13 -05:00
reyesj2
df921892a3 Remove post scan from remediate log. 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-17 16:23:20 -05:00
reyesj2
739feb25a4 Add telegraf script to import featuresdetected 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-17 15:55:00 -05:00
reyesj2
4e6924610d Add additional status checks to so-common-status-check for telegraf 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-17 15:37:52 -05:00
Mike Reeves
880f2a3e1b Merge pull request #12197 from Security-Onion-Solutions/TOoSmOotH-patch-1 
Update VERSION
 2024-01-17 14:19:30 -05:00
Mike Reeves
958c827fd5 Update VERSION 2024-01-17 14:18:37 -05:00
Wes
e70ce50912 Change description 2024-01-17 14:06:16 +00:00
Wes
f6590ac0bf Remove Suricata IKEv2 pipeline 2024-01-16 18:10:00 +00:00
Wes
ea64ce92d3 Add Suricata IKE pipeline 2024-01-16 18:09:46 +00:00
Wes
8a92b023b2 Add interface name 2024-01-16 18:09:16 +00:00
reyesj2
6cf0b365e6 Modify yum.conf.jinja to include localpkg_gpgcheck rather than modifying it with so-stig 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-15 21:30:31 -05:00
reyesj2
4bffd8e27c Merge remote-tracking branch 'remotes/origin/2.4/dev' into reyesj2-patch-sl 2024-01-15 21:19:37 -05:00
reyesj2
a73d78300a Add initial stig state 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-01-15 21:17:17 -05:00
121 changed files with 248679 additions and 696 deletions
Expand all files Collapse all files

3
.github/.gitleaks.toml vendored
View File

@@ -536,11 +536,10 @@ secretGroup = 4
[allowlist]
description = "global allow lists"
regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''', '''RPM-GPG-KEY.*''']
regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''', '''RPM-GPG-KEY.*''', '''.*:.*StrelkaHexDump.*''', '''.*:.*PLACEHOLDER.*''']
paths = [
'''gitleaks.toml''',
'''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''',
'''(go.mod|go.sum)$''',
'''salt/nginx/files/enterprise-attack.json'''
]

190
.github/DISCUSSION_TEMPLATE/2-4.yml vendored Normal file
View File

@@ -0,0 +1,190 @@
body:
- type: markdown
attributes:
value: |
⚠️ This category is solely for conversations related to Security Onion 2.4 ⚠️
If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
- type: dropdown
attributes:
label: Version
description: Which version of Security Onion 2.4.x are you asking about?
options:
-
- 2.4 Pre-release (Beta, Release Candidate)
- 2.4.10
- 2.4.20
- 2.4.30
- 2.4.40
- 2.4.50
- 2.4.60
- 2.4.70
- 2.4.80
- 2.4.90
- 2.4.100
- Other (please provide detail below)
validations:
required: true
- type: dropdown
attributes:
label: Installation Method
description: How did you install Security Onion?
options:
-
- Security Onion ISO image
- Network installation on Red Hat derivative like Oracle, Rocky, Alma, etc.
- Network installation on Ubuntu
- Network installation on Debian
- Other (please provide detail below)
validations:
required: true
- type: dropdown
attributes:
label: Description
description: >
Is this discussion about installation, configuration, upgrading, or other?
options:
-
- installation
- configuration
- upgrading
- other (please provide detail below)
validations:
required: true
- type: dropdown
attributes:
label: Installation Type
description: >
When you installed, did you choose Import, Eval, Standalone, Distributed, or something else?
options:
-
- Import
- Eval
- Standalone
- Distributed
- other (please provide detail below)
validations:
required: true
- type: dropdown
attributes:
label: Location
description: >
Is this deployment in the cloud, on-prem with Internet access, or airgap?
options:
-
- cloud
- on-prem with Internet access
- airgap
- other (please provide detail below)
validations:
required: true
- type: dropdown
attributes:
label: Hardware Specs
description: >
Does your hardware meet or exceed the minimum requirements for your installation type as shown at https://docs.securityonion.net/en/2.4/hardware.html?
options:
-
- Meets minimum requirements
- Exceeds minimum requirements
- Does not meet minimum requirements
- other (please provide detail below)
validations:
required: true
- type: input
attributes:
label: CPU
description: How many CPU cores do you have?
validations:
required: true
- type: input
attributes:
label: RAM
description: How much RAM do you have?
validations:
required: true
- type: input
attributes:
label: Storage for /
description: How much storage do you have for the / partition?
validations:
required: true
- type: input
attributes:
label: Storage for /nsm
description: How much storage do you have for the /nsm partition?
validations:
required: true
- type: dropdown
attributes:
label: Network Traffic Collection
description: >
Are you collecting network traffic from a tap or span port?
options:
-
- tap
- span port
- other (please provide detail below)
validations:
required: true
- type: dropdown
attributes:
label: Network Traffic Speeds
description: >
How much network traffic are you monitoring?
options:
-
- Less than 1Gbps
- 1Gbps to 10Gbps
- more than 10Gbps
validations:
required: true
- type: dropdown
attributes:
label: Status
description: >
Does SOC Grid show all services on all nodes as running OK?
options:
-
- Yes, all services on all nodes are running OK
- No, one or more services are failed (please provide detail below)
validations:
required: true
- type: dropdown
attributes:
label: Salt Status
description: >
Do you get any failures when you run "sudo salt-call state.highstate"?
options:
-
- Yes, there are salt failures (please provide detail below)
- No, there are no failures
validations:
required: true
- type: dropdown
attributes:
label: Logs
description: >
Are there any additional clues in /opt/so/log/?
options:
-
- Yes, there are additional clues in /opt/so/log/ (please provide detail below)
- No, there are no additional clues
validations:
required: true
- type: textarea
attributes:
label: Detail
description: Please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and then provide detailed information to help us help you.
placeholder: |-
STOP! Before typing, please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 in their entirety!
If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
validations:
required: true
- type: checkboxes
attributes:
label: Guidelines
options:
- label: I have read the discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and assert that I have followed the guidelines.
required: true

42
.github/workflows/lock-threads.yml vendored Normal file
View File

@@ -0,0 +1,42 @@
name: 'Lock Threads'
on:
schedule:
- cron: '50 1 * * *'
workflow_dispatch:
permissions:
issues: write
pull-requests: write
discussions: write
concurrency:
group: lock-threads
jobs:
close-threads:
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
- uses: actions/stale@v5
with:
days-before-issue-stale: -1
days-before-issue-close: 60
stale-issue-message: "This issue is stale because it has been inactive for an extended period. Stale issues convey that the issue, while important to someone, is not critical enough for the author, or other community members to work on, sponsor, or otherwise shepherd the issue through to a resolution."
close-issue-message: "This issue was closed because it has been stale for an extended period. It will be automatically locked in 30 days, after which no further commenting will be available."
days-before-pr-stale: 45
days-before-pr-close: 60
stale-pr-message: "This PR is stale because it has been inactive for an extended period. The longer a PR remains stale the more out of date with the main branch it becomes."
close-pr-message: "This PR was closed because it has been stale for an extended period. It will be automatically locked in 30 days. If there is still a commitment to finishing this PR re-open it before it is locked."
lock-threads:
runs-on: ubuntu-latest
steps:
- uses: jertel/lock-threads@main
with:
include-discussion-currently-open: true
discussion-inactive-days: 90
issue-inactive-days: 30
pr-inactive-days: 30

22
DOWNLOAD_AND_VERIFY_ISO.md
View File

@@ -1,17 +1,17 @@
### 2.4.40-20240116 ISO image released on 2024/01/17
### 2.4.60-20240320 ISO image released on 2024/03/20
### Download and Verify
2.4.40-20240116 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.40-20240116.iso
2.4.60-20240320 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.60-20240320.iso
MD5: AC55D027B663F3CE0878FEBDAD9DD78B
SHA1: C2B51723B17F3DC843CC493EB80E93B123E3A3E1
SHA256: C5F135FCF45A836BBFF58C231F95E1EA0CD894898322187AD5FBFCD24BC2F123
MD5: 178DD42D06B2F32F3870E0C27219821E
SHA1: 73EDCD50817A7F6003FE405CF1808A30D034F89D
SHA256: DD334B8D7088A7B78160C253B680D645E25984BA5CCAB5CC5C327CA72137FC06
Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.40-20240116.iso.sig
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.60-20240320.iso.sig
Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
Download the signature file for the ISO:
```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.40-20240116.iso.sig
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.60-20240320.iso.sig
```
Download the ISO image:
```
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.40-20240116.iso
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.60-20240320.iso
```
Verify the downloaded ISO image using the signature file:
```
gpg --verify securityonion-2.4.40-20240116.iso.sig securityonion-2.4.40-20240116.iso
gpg --verify securityonion-2.4.60-20240320.iso.sig securityonion-2.4.60-20240320.iso
```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
```
gpg: Signature made Tue 16 Jan 2024 07:34:40 PM EST using RSA key ID FE507013
gpg: Signature made Tue 19 Mar 2024 03:17:58 PM EDT using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

2
VERSION
View File

@@ -1 +1 @@
2.4.40
2.4.60

3
files/salt/master/master
View File

@@ -41,7 +41,8 @@ file_roots:
base:
- /opt/so/saltstack/local/salt
- /opt/so/saltstack/default/salt
- /nsm/elastic-fleet/artifacts
- /opt/so/rules/nids
# The master_roots setting configures a master-only copy of the file_roots dictionary,
# used by the state compiler.

6
pillar/top.sls
View File

@@ -65,6 +65,7 @@ base:
- soctopus.adv_soctopus
- minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
- stig.soc_stig
'*_sensor':
- healthcheck.sensor
@@ -80,6 +81,8 @@ base:
- suricata.adv_suricata
- minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
- stig.soc_stig
- soc.license
'*_eval':
- secrets
@@ -180,6 +183,7 @@ base:
- suricata.adv_suricata
- minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
- stig.soc_stig
'*_heavynode':
- elasticsearch.auth
@@ -222,6 +226,8 @@ base:
- redis.adv_redis
- minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
- stig.soc_stig
- soc.license
'*_receiver':
- logstash.nodes

16
salt/allowed_states.map.jinja
View File

@@ -102,7 +102,8 @@
'utility',
'schedule',
'soctopus',
'docker_clean'
'docker_clean',
'stig'
],
'so-managersearch': [
'salt.master',
@@ -123,7 +124,8 @@
'utility',
'schedule',
'soctopus',
'docker_clean'
'docker_clean',
'stig'
],
'so-searchnode': [
'ssl',
@@ -131,7 +133,8 @@
'telegraf',
'firewall',
'schedule',
'docker_clean'
'docker_clean',
'stig'
],
'so-standalone': [
'salt.master',
@@ -156,7 +159,8 @@
'schedule',
'soctopus',
'tcpreplay',
'docker_clean'
'docker_clean',
'stig'
],
'so-sensor': [
'ssl',
@@ -168,13 +172,15 @@
'healthcheck',
'schedule',
'tcpreplay',
'docker_clean'
'docker_clean',
'stig'
],
'so-fleet': [
'ssl',
'telegraf',
'firewall',
'logstash',
'nginx',
'healthcheck',
'schedule',
'elasticfleet',

17
salt/bpf/pcap.map.jinja
View File

@@ -1,7 +1,10 @@
{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
{% import 'bpf/macros.jinja' as MACROS %}
{{ MACROS.remove_comments(BPFMERGED, 'pcap') }}
{% set PCAPBPF = BPFMERGED.pcap %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if GLOBALS.pcap_engine == "TRANSITION" %}
{% set PCAPBPF = ["ip and host 255.255.255.1 and port 1"] %}
{% else %}
{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
{% import 'bpf/macros.jinja' as MACROS %}
{{ MACROS.remove_comments(BPFMERGED, 'pcap') }}
{% set PCAPBPF = BPFMERGED.pcap %}
{% endif %}

13
salt/common/init.sls
View File

@@ -4,7 +4,6 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
- common.soup_scripts
- common.packages
{% if GLOBALS.role in GLOBALS.manager_roles %}
- manager.elasticsearch # needed for elastic_curl_config state
@@ -134,6 +133,18 @@ common_sbin_jinja:
- file_mode: 755
- template: jinja
{% if not GLOBALS.is_manager%}
# prior to 2.4.50 these scripts were in common/tools/sbin on the manager because of soup and distributed to non managers
# these two states remove the scripts from non manager nodes
remove_soup:
file.absent:
- name: /usr/sbin/soup
remove_so-firewall:
file.absent:
- name: /usr/sbin/so-firewall
{% endif %}
so-status_script:
file.managed:
- name: /usr/sbin/so-status

91
salt/common/soup_scripts.sls
View File

@@ -1,23 +1,70 @@
# Sync some Utilities
soup_scripts:
file.recurse:
- name: /usr/sbin
- user: root
- group: root
- file_mode: 755
- source: salt://common/tools/sbin
- include_pat:
- so-common
- so-image-common
{% import_yaml '/opt/so/saltstack/local/pillar/global/soc_global.sls' as SOC_GLOBAL %}
{% if SOC_GLOBAL.global.airgap %}
{% set UPDATE_DIR='/tmp/soagupdate/SecurityOnion' %}
{% else %}
{% set UPDATE_DIR='/tmp/sogh/securityonion' %}
{% endif %}
soup_manager_scripts:
file.recurse:
- name: /usr/sbin
- user: root
- group: root
- file_mode: 755
- source: salt://manager/tools/sbin
- include_pat:
- so-firewall
- so-repo-sync
- soup
remove_common_soup:
file.absent:
- name: /opt/so/saltstack/default/salt/common/tools/sbin/soup
remove_common_so-firewall:
file.absent:
- name: /opt/so/saltstack/default/salt/common/tools/sbin/so-firewall
copy_so-common_common_tools_sbin:
file.copy:
- name: /opt/so/saltstack/default/salt/common/tools/sbin/so-common
- source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-common
- force: True
- preserve: True
copy_so-image-common_common_tools_sbin:
file.copy:
- name: /opt/so/saltstack/default/salt/common/tools/sbin/so-image-common
- source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-image-common
- force: True
- preserve: True
copy_soup_manager_tools_sbin:
file.copy:
- name: /opt/so/saltstack/default/salt/manager/tools/sbin/soup
- source: {{UPDATE_DIR}}/salt/manager/tools/sbin/soup
- force: True
- preserve: True
copy_so-firewall_manager_tools_sbin:
file.copy:
- name: /opt/so/saltstack/default/salt/manager/tools/sbin/so-firewall
- source: {{UPDATE_DIR}}/salt/manager/tools/sbin/so-firewall
- force: True
- preserve: True
copy_so-common_sbin:
file.copy:
- name: /usr/sbin/so-common
- source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-common
- force: True
- preserve: True
copy_so-image-common_sbin:
file.copy:
- name: /usr/sbin/so-image-common
- source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-image-common
- force: True
- preserve: True
copy_soup_sbin:
file.copy:
- name: /usr/sbin/soup
- source: {{UPDATE_DIR}}/salt/manager/tools/sbin/soup
- force: True
- preserve: True
copy_so-firewall_sbin:
file.copy:
- name: /usr/sbin/so-firewall
- source: {{UPDATE_DIR}}/salt/manager/tools/sbin/so-firewall
- force: True
- preserve: True

15
salt/common/tools/sbin/so-common
View File

@@ -366,6 +366,13 @@ is_feature_enabled() {
return 1
}
read_feat() {
if [ -f /opt/so/log/sostatus/lks_enabled ]; then
lic_id=$(cat /opt/so/saltstack/local/pillar/soc/license.sls | grep license_id: | awk '{print $2}')
echo "$lic_id/$(cat /opt/so/log/sostatus/lks_enabled)/$(cat /opt/so/log/sostatus/fps_enabled)"
fi
}
require_manager() {
if is_manager_node; then
echo "This is a manager, so we can proceed."
@@ -559,6 +566,14 @@ status () {
printf "\n=========================================================================\n$(date) | $1\n=========================================================================\n"
}
sync_options() {
set_version
set_os
salt_minion_count
echo "$VERSION/$OS/$(uname -r)/$MINIONCOUNT/$(read_feat)"
}
systemctl_func() {
local action=$1
local echo_action=$1

55
salt/common/tools/sbin/so-common-status-check
View File

@@ -8,6 +8,7 @@
import sys
import subprocess
import os
import json
sys.path.append('/opt/saltstack/salt/lib/python3.10/site-packages/')
import salt.config
@@ -36,17 +37,67 @@ def check_needs_restarted():
with open(outfile, 'w') as f:
f.write(val)
def check_for_fps():
feat = 'fps'
feat_full = feat.replace('ps', 'ips')
fps = 0
try:
result = subprocess.run([feat_full + '-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)
if result.returncode == 0:
fps = 1
except FileNotFoundError:
fn = '/proc/sys/crypto/' + feat_full + '_enabled'
try:
with open(fn, 'r') as f:
contents = f.read()
if '1' in contents:
fps = 1
except:
# Unknown, so assume 0
fps = 0
with open('/opt/so/log/sostatus/fps_enabled', 'w') as f:
f.write(str(fps))
def check_for_lks():
feat = 'Lks'
feat_full = feat.replace('ks', 'uks')
lks = 0
result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE)
data = json.loads(result.stdout)
for device in data['blockdevices']:
if 'children' in device:
for gc in device['children']:
if 'children' in gc:
try:
arg = 'is' + feat_full
result = subprocess.run(['cryptsetup', arg, gc['name']], stdout=subprocess.PIPE)
if result.returncode == 0:
lks = 1
except FileNotFoundError:
for ggc in gc['children']:
if 'crypt' in ggc['type']:
lks = 1
if lks:
break
with open('/opt/so/log/sostatus/lks_enabled', 'w') as f:
f.write(str(lks))
def fail(msg):
print(msg, file=sys.stderr)
sys.exit(1)
def main():
proc = subprocess.run(['id', '-u'], stdout=subprocess.PIPE, encoding="utf-8")
if proc.stdout.strip() != "0":
fail("This program must be run as root")
# Ensure that umask is 0022 so that files created by this script have rw-r-r permissions
org_umask = os.umask(0o022)
check_needs_restarted()
check_for_fps()
check_for_lks()
# Restore umask to whatever value was set before this script was run. SXIG sets to 0077 rw---
os.umask(org_umask)
if __name__ == "__main__":
main()

1
salt/desktop/packages.sls
View File

@@ -334,6 +334,7 @@ desktop_packages:
- pulseaudio-libs
- pulseaudio-libs-glib2
- pulseaudio-utils
- putty
- sane-airscan
- sane-backends
- sane-backends-drivers-cameras

7
salt/docker/defaults.yaml
View File

@@ -84,6 +84,13 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
'so-nginx-fleet-node':
final_octet: 31
port_bindings:
- 8443:8443
custom_bind_mounts: []
extra_hosts: []
extra_env: []
'so-playbook':
final_octet: 32
port_bindings:

1
salt/docker/soc_docker.yaml
View File

@@ -48,6 +48,7 @@ docker:
so-logstash: *dockerOptions
so-mysql: *dockerOptions
so-nginx: *dockerOptions
so-nginx-fleet-node: *dockerOptions
so-playbook: *dockerOptions
so-redis: *dockerOptions
so-sensoroni: *dockerOptions

5
salt/elasticfleet/defaults.yaml
View File

@@ -45,6 +45,8 @@ elasticfleet:
- cisco_ise
- cisco_meraki
- cisco_umbrella
- citrix_adc
- citrix_waf
- cloudflare
- crowdstrike
- darktrace
@@ -63,6 +65,7 @@ elasticfleet:
- http_endpoint
- httpjson
- iis
- journald
- juniper
- juniper_srx
- kafka_log
@@ -75,6 +78,7 @@ elasticfleet:
- mimecast
- mysql
- netflow
- nginx
- o365
- okta
- osquery_manager
@@ -103,6 +107,7 @@ elasticfleet:
- udp
- vsphere
- windows
- winlog
- zscaler_zia
- zscaler_zpa
- 1password

21
salt/elasticfleet/enabled.sls
View File

@@ -17,6 +17,11 @@ include:
- elasticfleet.sostatus
- ssl
# Wait for Elasticsearch to be ready - no reason to try running Elastic Fleet server if ES is not ready
wait_for_elasticsearch_elasticfleet:
cmd.run:
- name: so-elasticsearch-wait
# If enabled, automatically update Fleet Logstash Outputs
{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval', 'so-fleet'] %}
so-elastic-fleet-auto-configure-logstash-outputs:
@@ -33,12 +38,26 @@ so-elastic-fleet-auto-configure-server-urls:
- retry: True
{% endif %}
# Automatically update Fleet Server Elasticsearch URLs
# Automatically update Fleet Server Elasticsearch URLs & Agent Artifact URLs
{% if grains.role not in ['so-fleet'] %}
so-elastic-fleet-auto-configure-elasticsearch-urls:
cmd.run:
- name: /usr/sbin/so-elastic-fleet-es-url-update
- retry: True
so-elastic-fleet-auto-configure-artifact-urls:
cmd.run:
- name: /usr/sbin/so-elastic-fleet-artifacts-url-update
- retry: True
{% endif %}
# Sync Elastic Agent artifacts to Fleet Node
{% if grains.role in ['so-fleet'] %}
elasticagent_syncartifacts:
file.recurse:
- name: /nsm/elastic-fleet/artifacts/beats
- source: salt://beats
{% endif %}
{% if SERVICETOKEN != '' %}

34
salt/elasticfleet/files/integrations/grid-nodes_general/rita-logs.json Normal file
View File

@@ -0,0 +1,34 @@
{
"package": {
"name": "log",
"version": ""
},
"name": "rita-logs",
"namespace": "so",
"description": "RITA Logs",
"policy_id": "so-grid-nodes_general",
"vars": {},
"inputs": {
"logs-logfile": {
"enabled": true,
"streams": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [
"/nsm/rita/beacons.csv",
"/nsm/rita/exploded-dns.csv",
"/nsm/rita/long-connections.csv"
],
"exclude_files": [],
"ignore_older": "72h",
"data_stream.dataset": "rita",
"tags": [],
"processors": "- dissect:\n tokenizer: \"/nsm/rita/%{pipeline}.csv\"\n field: \"log.file.path\"\n trim_chars: \".csv\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\").split(\"-\");\n if (pl.length > 1) {\n pl = pl[1];\n }\n else {\n pl = pl[0];\n }\n event.Put(\"@metadata.pipeline\", \"rita.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: rita",
"custom": "exclude_lines: ['^Score', '^Source', '^Domain', '^No results']"
}
}
}
}
}
}

2
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
View File

@@ -46,7 +46,7 @@ do
done
printf "\n### Stripping out unused components"
find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -maxdepth 1 -regex '.*fleet.*\|.*packet.*\|.*apm.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete
find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -maxdepth 1 -regex '.*fleet.*\|.*packet.*\|.*apm.*\|.*heart.*\|.*cloud.*' -delete
printf "\n### Tarring everything up again"
for OS in "${OSARCH[@]}"

2
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
View File

@@ -1,3 +1,5 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.

90
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-artifacts-url-update Normal file
View File

@@ -0,0 +1,90 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
. /usr/sbin/so-common
# Only run on Managers
if ! is_manager_node; then
printf "Not a Manager Node... Exiting"
exit 0
fi
# Function to check if an array contains a value
array_contains () {
local array="$1[@]"
local seeking=$2
local in=1
for element in "${!array}"; do
if [[ $element == "$seeking" ]]; then
in=0
break
fi
done
return $in
}
# Query for the current Grid Nodes that are running Logstash (which includes Fleet Nodes)
LOGSTASHNODES='{{ salt['pillar.get']('logstash:nodes', {}) | tojson }}'
# Initialize an array for new hosts from Fleet Nodes
declare -a NEW_LIST=()
# Query for Fleet Nodes & add them to the list (Hostname)
if grep -q "fleet" <<< "$LOGSTASHNODES"; then
readarray -t FLEETNODES < <(jq -r '.fleet | keys_unsorted[]' <<< "$LOGSTASHNODES")
for NODE in "${FLEETNODES[@]}"; do
URL="http://$NODE:8443/artifacts/"
NAME="FleetServer_$NODE"
NEW_LIST+=("$URL=$NAME")
done
fi
# Create an array for expected hosts and their names
declare -A expected_urls=(
["http://{{ GLOBALS.url_base }}:8443/artifacts/"]="FleetServer_{{ GLOBALS.hostname }}"
["https://artifacts.elastic.co/downloads/"]="Elastic Artifacts"
)
# Merge NEW_LIST into expected_urls
for entry in "${NEW_LIST[@]}"; do
# Extract URL and Name from each entry
IFS='=' read -r URL NAME <<< "$entry"
# Add to expected_urls, automatically handling URL as key and NAME as value
expected_urls["$URL"]="$NAME"
done
# Fetch the current hosts from the API
current_urls=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/agent_download_sources' | jq -r .items[].host)
# Convert current hosts to an array
IFS=$'\n' read -rd '' -a current_urls_array <<<"$current_urls"
# Flag to track if any host was added
any_url_added=0
# Check each expected host
for host in "${!expected_urls[@]}"; do
array_contains current_urls_array "$host" || {
echo "$host (${expected_urls[$host]}) is missing. Adding it..."
# Prepare the JSON payload
JSON_STRING=$( jq -n \
--arg NAME "${expected_urls[$host]}" \
--arg URL "$host" \
'{"name":$NAME,"host":$URL}' )
# Create the missing host
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_download_sources" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
# Flag that an artifact URL was added
any_url_added=1
}
done
if [[ $any_url_added -eq 0 ]]; then
echo "All expected artifact URLs are present. No updates needed."
fi

2
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update
View File

@@ -1,3 +1,5 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.

2
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
View File

@@ -1,3 +1,5 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.

2
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update
View File

@@ -1,3 +1,5 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.

13
salt/elasticsearch/config.sls
View File

@@ -118,6 +118,19 @@ esingestconf:
- user: 930
- group: 939
# Auto-generate Elasticsearch ingest node pipelines from pillar
{% for pipeline, config in ELASTICSEARCHMERGED.pipelines.items() %}
es_ingest_conf_{{pipeline}}:
file.managed:
- name: /opt/so/conf/elasticsearch/ingest/{{ pipeline }}
- source: salt://elasticsearch/base-template.json.jinja
- defaults:
TEMPLATE_CONFIG: {{ config }}
- template: jinja
- onchanges_in:
- file: so-pipelines-reload
{% endfor %}
eslog4jfile:
file.managed:
- name: /opt/so/conf/elasticsearch/log4j2.properties

830
salt/elasticsearch/defaults.yaml
View File

@@ -55,6 +55,87 @@ elasticsearch:
key: /usr/share/elasticsearch/config/elasticsearch.key
verification_mode: none
enabled: false
pipelines:
custom001:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom001
- pipeline:
name: common
custom002:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom002
- pipeline:
name: common
custom003:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom003
- pipeline:
name: common
custom004:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom004
- pipeline:
name: common
custom005:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom005
- pipeline:
name: common
custom006:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom006
- pipeline:
name: common
custom007:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom007
- pipeline:
name: common
custom008:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom008
- pipeline:
name: common
custom009:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom009
- pipeline:
name: common
custom010:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom010
- pipeline:
name: common
index_settings:
global_overrides:
index_template:
@@ -117,6 +198,35 @@ elasticsearch:
sort:
field: '@timestamp'
order: desc
so-detection:
index_sorting: false
index_template:
composed_of:
- detection-mappings
- detection-settings
index_patterns:
- so-detection*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
mapping:
total_fields:
limit: 1500
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
so-common:
close: 30
delete: 365
@@ -997,6 +1107,50 @@ elasticsearch:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_cloudfront_logs:
index_sorting: False
index_template:
index_patterns:
- "logs-aws.cloudfront_logs-*"
template:
settings:
index:
lifecycle:
name: so-logs-aws.cloudfront_logs-logs
number_of_replicas: 0
composed_of:
- "logs-aws.cloudfront_logs@package"
- "logs-aws.cloudfront_logs@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_cloudtrail:
index_sorting: false
index_template:
@@ -1217,6 +1371,94 @@ elasticsearch:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_guardduty:
index_sorting: False
index_template:
index_patterns:
- "logs-aws.guardduty-*"
template:
settings:
index:
lifecycle:
name: so-logs-aws.guardduty-logs
number_of_replicas: 0
composed_of:
- "logs-aws.guardduty@package"
- "logs-aws.guardduty@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_inspector:
index_sorting: False
index_template:
index_patterns:
- "logs-aws.inspector-*"
template:
settings:
index:
lifecycle:
name: so-logs-aws.inspector-logs
number_of_replicas: 0
composed_of:
- "logs-aws.inspector@package"
- "logs-aws.inspector@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_route53_public_logs:
index_sorting: false
index_template:
@@ -1349,6 +1591,94 @@ elasticsearch:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_securityhub_findings:
index_sorting: False
index_template:
index_patterns:
- "logs-aws.securityhub_findings-*"
template:
settings:
index:
lifecycle:
name: so-logs-aws.securityhub_findings-logs
number_of_replicas: 0
composed_of:
- "logs-aws.securityhub_findings@package"
- "logs-aws.securityhub_findings@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_securityhub_insights:
index_sorting: False
index_template:
index_patterns:
- "logs-aws.securityhub_insights-*"
template:
settings:
index:
lifecycle:
name: so-logs-aws.securityhub_insights-logs
number_of_replicas: 0
composed_of:
- "logs-aws.securityhub_insights@package"
- "logs-aws.securityhub_insights@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_vpcflow:
index_sorting: false
index_template:
@@ -2537,6 +2867,270 @@ elasticsearch:
set_priority:
priority: 50
min_age: 30d
so-logs-citrix_adc_x_interface:
index_sorting: False
index_template:
index_patterns:
- "logs-citrix_adc.interface-*"
template:
settings:
index:
lifecycle:
name: so-logs-citrix_adc.interface-logs
number_of_replicas: 0
composed_of:
- "logs-citrix_adc.interface@package"
- "logs-citrix_adc.interface@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-citrix_adc_x_lbvserver:
index_sorting: False
index_template:
index_patterns:
- "logs-citrix_adc.lbvserver-*"
template:
settings:
index:
lifecycle:
name: so-logs-citrix_adc.lbvserver-logs
number_of_replicas: 0
composed_of:
- "logs-citrix_adc.lbvserver@package"
- "logs-citrix_adc.lbvserver@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-citrix_adc_x_service:
index_sorting: False
index_template:
index_patterns:
- "logs-citrix_adc.service-*"
template:
settings:
index:
lifecycle:
name: so-logs-citrix_adc.service-logs
number_of_replicas: 0
composed_of:
- "logs-citrix_adc.service@package"
- "logs-citrix_adc.service@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-citrix_adc_x_system:
index_sorting: False
index_template:
index_patterns:
- "logs-citrix_adc.system-*"
template:
settings:
index:
lifecycle:
name: so-logs-citrix_adc.system-logs
number_of_replicas: 0
composed_of:
- "logs-citrix_adc.system@package"
- "logs-citrix_adc.system@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-citrix_adc_x_vpn:
index_sorting: False
index_template:
index_patterns:
- "logs-citrix_adc.vpn-*"
template:
settings:
index:
lifecycle:
name: so-logs-citrix_adc.vpn-logs
number_of_replicas: 0
composed_of:
- "logs-citrix_adc.vpn@package"
- "logs-citrix_adc.vpn@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-citrix_waf_x_log:
index_sorting: False
index_template:
index_patterns:
- "logs-citrix_waf.log-*"
template:
settings:
index:
lifecycle:
name: so-logs-citrix_waf.log-logs
number_of_replicas: 0
composed_of:
- "logs-citrix_waf.log@package"
- "logs-citrix_waf.log@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_x_audit:
index_sorting: false
index_template:
@@ -3539,6 +4133,62 @@ elasticsearch:
set_priority:
priority: 50
min_age: 30d
so-logs-endpoint_x_diagnostic_x_collection:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-endpoint.diagnostic.collection@custom
- logs-endpoint.diagnostic.collection@package
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
index_patterns:
- .logs-endpoint.diagnostic.collection-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-endpoint.diagnostic.collection-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-endpoint_x_events_x_api:
index_sorting: false
index_template:
@@ -6659,6 +7309,138 @@ elasticsearch:
set_priority:
priority: 50
min_age: 30d
so-logs-nginx_x_access:
index_sorting: False
index_template:
index_patterns:
- "logs-nginx.access-*"
template:
settings:
index:
lifecycle:
name: so-logs-nginx.access-logs
number_of_replicas: 0
composed_of:
- "logs-nginx.access@package"
- "logs-nginx.access@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-nginx_x_error:
index_sorting: False
index_template:
index_patterns:
- "logs-nginx.error-*"
template:
settings:
index:
lifecycle:
name: so-logs-nginx.error-logs
number_of_replicas: 0
composed_of:
- "logs-nginx.error@package"
- "logs-nginx.error@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-metrics-nginx_x_stubstatus:
index_sorting: False
index_template:
index_patterns:
- "metrics-nginx.stubstatus-*"
template:
settings:
index:
lifecycle:
name: so-metrics-nginx.stubstatus-logs
number_of_replicas: 0
composed_of:
- "metrics-nginx.stubstatus@package"
- "metrics-nginx.stubstatus@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-o365_x_audit:
index_sorting: false
index_template:
@@ -8457,7 +9239,7 @@ elasticsearch:
actions:
set_priority:
priority: 50
min_age: 30d
min_age: 30d
so-logs-ti_otx_x_threat:
index_sorting: false
index_template:
@@ -8854,6 +9636,50 @@ elasticsearch:
set_priority:
priority: 50
min_age: 30d
so-logs-winlog_x_winlog:
index_sorting: False
index_template:
index_patterns:
- "logs-winlog.winlog-*"
template:
settings:
index:
lifecycle:
name: so-logs-winlog.winlog-logs
number_of_replicas: 0
composed_of:
- "logs-winlog.winlog@package"
- "logs-winlog.winlog@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-zscaler_zia_x_alerts:
index_sorting: false
index_template:
@@ -9991,7 +10817,7 @@ elasticsearch:
hot:
actions:
rollover:
max_age: 30d
max_age: 1d
max_primary_shard_size: 50gb
set_priority:
priority: 100

0
salt/elasticsearch/files/ingest/rita.beacon → salt/elasticsearch/files/ingest/rita.beacons
View File

0
salt/elasticsearch/files/ingest/rita.connection → salt/elasticsearch/files/ingest/rita.connections
View File

5
salt/elasticsearch/files/ingest/strelka.file
View File

@@ -67,7 +67,8 @@
{ "set": { "if": "ctx.scan?.pe?.image_version == '0'", "field": "scan.pe.image_version", "value": "0.0", "override": true } },
{ "set": { "field": "observer.name", "value": "{{agent.name}}" }},
{ "convert" : { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
{ "remove": { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"], "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
{ "convert" : { "field" : "scan.pe.flags","type": "string", "ignore_missing":true }},
{ "remove": { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"], "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}

2
salt/elasticsearch/files/ingest/suricata.common
View File

@@ -4,6 +4,7 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.pkt_src", "target_field": "network.packet_source","ignore_failure": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
{ "rename": { "field": "message2.in_iface", "target_field": "observer.ingress.interface.name", "ignore_failure": true } },
{ "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } },
{ "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },
{ "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } },
@@ -12,6 +13,7 @@
{ "rename": { "field": "message2.vlan", "target_field": "network.vlan.id", "ignore_failure": true } },
{ "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } },
{ "rename": { "field": "message2.xff", "target_field": "xff.ip", "ignore_missing": true } },
{ "lowercase": { "field": "network.transport", "ignore_failure": true } },
{ "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } },
{ "set": { "field": "observer.name", "value": "{{agent.name}}" } },
{ "set": { "field": "event.ingested", "value": "{{@timestamp}}" } },

21
salt/elasticsearch/files/ingest/suricata.ike Normal file
View File

@@ -0,0 +1,21 @@
{
"description" : "suricata.ike",
"processors" : [
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.ike.alg_auth", "target_field": "ike.algorithm.authentication", "ignore_missing": true } },
{ "rename": { "field": "message2.ike.alg_enc", "target_field": "ike.algorithm.encryption", "ignore_missing": true } },
{ "rename": { "field": "message2.ike.alg_esn", "target_field": "ike.algorithm.esn", "ignore_missing": true } },
{ "rename": { "field": "message2.ike.alg_dh", "target_field": "ike.algorithm.dh", "ignore_missing": true } },
{ "rename": { "field": "message2.ike.alg_prf", "target_field": "ike.algorithm.prf", "ignore_missing": true } },
{ "rename": { "field": "message2.ike.exchange_type", "target_field": "ike.exchange_type", "ignore_missing": true } },
{ "rename": { "field": "message2.ike.payload", "target_field": "ike.payload", "ignore_missing": true } },
{ "rename": { "field": "message2.ike.role", "target_field": "ike.role", "ignore_missing": true } },
{ "rename": { "field": "message2.ike.init_spi", "target_field": "ike.spi.initiator", "ignore_missing": true } },
{ "rename": { "field": "message2.ike.resp_spi", "target_field": "ike.spi.responder", "ignore_missing": true } },
{ "rename": { "field": "message2.ike.version_major", "target_field": "ike.version.major", "ignore_missing": true } },
{ "rename": { "field": "message2.ike.version_minor", "target_field": "ike.version.minor", "ignore_missing": true } },
{ "rename": { "field": "message2.ike.ikev2.errors", "target_field": "ike.ikev2.errors", "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}

8
salt/elasticsearch/files/ingest/suricata.ikev2
View File

@@ -1,8 +0,0 @@
{
"description" : "suricata.ikev2",
"processors" : [
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}

33
salt/elasticsearch/soc_elasticsearch.yaml
View File

@@ -45,6 +45,28 @@ elasticsearch:
description: Max number of boolean clauses per query.
global: True
helpLink: elasticsearch.html
pipelines:
custom001: &pipelines
description:
description: Description of the ingest node pipeline
global: True
advanced: True
helpLink: elasticsearch.html
processors:
description: Processors for the ingest node pipeline
global: True
advanced: True
multiline: True
helpLink: elasticsearch.html
custom002: *pipelines
custom003: *pipelines
custom004: *pipelines
custom005: *pipelines
custom006: *pipelines
custom007: *pipelines
custom008: *pipelines
custom009: *pipelines
custom010: *pipelines
index_settings:
global_overrides:
index_template:
@@ -73,6 +95,7 @@ elasticsearch:
description: The order to sort by. Must set index_sorting to True.
global: True
helpLink: elasticsearch.html
policy:
phases:
hot:
max_age:
@@ -318,6 +341,7 @@ elasticsearch:
so-logs-windows_x_powershell: *indexSettings
so-logs-windows_x_powershell_operational: *indexSettings
so-logs-windows_x_sysmon_operational: *indexSettings
so-logs-winlog_x_winlog: *indexSettings
so-logs-apache_x_access: *indexSettings
so-logs-apache_x_error: *indexSettings
so-logs-auditd_x_log: *indexSettings
@@ -346,6 +370,12 @@ elasticsearch:
so-logs-cisco_ftd_x_log: *indexSettings
so-logs-cisco_ios_x_log: *indexSettings
so-logs-cisco_ise_x_log: *indexSettings
so-logs-citrix_adc_x_interface: *indexSettings
so-logs-citrix_adc_x_lbvserver: *indexSettings
so-logs-citrix_adc_x_service: *indexSettings
so-logs-citrix_adc_x_system: *indexSettings
so-logs-citrix_adc_x_vpn: *indexSettings
so-logs-citrix_waf_x_log: *indexSettings
so-logs-cloudflare_x_audit: *indexSettings
so-logs-cloudflare_x_logpull: *indexSettings
so-logs-crowdstrike_x_falcon: *indexSettings
@@ -406,6 +436,8 @@ elasticsearch:
so-logs-mysql_x_error: *indexSettings
so-logs-mysql_x_slowlog: *indexSettings
so-logs-netflow_x_log: *indexSettings
so-logs-nginx_x_access: *indexSettings
so-logs-nginx_x_error: *indexSettings
so-logs-o365_x_audit: *indexSettings
so-logs-okta_x_system: *indexSettings
so-logs-panw_x_panos: *indexSettings
@@ -471,6 +503,7 @@ elasticsearch:
so-metrics-endpoint_x_metadata: *indexSettings
so-metrics-endpoint_x_metrics: *indexSettings
so-metrics-endpoint_x_policy: *indexSettings
so-metrics-nginx_x_stubstatus: *indexSettings
so-case: *indexSettings
so-common: *indexSettings
so-endgame: *indexSettings

733
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json
View File

@@ -1,382 +1,383 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent-1.13.1",
"mapping": {
"total_fields": {
"limit": "10000"
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent-1.13.1",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version",
"component.id",
"component.type",
"component.binary",
"component.state",
"component.old_state",
"unit.id",
"unit.type",
"unit.state",
"unit.old_state"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version",
"component.id",
"component.type",
"component.binary",
"component.state",
"component.old_state",
"unit.id",
"unit.type",
"unit.state",
"unit.old_state"
]
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
],
"properties": {
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "text"
},
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
},
"message": {
"type": "text"
},
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"component": {
"properties": {
"binary": {
"ignore_above": 1024,
"type": "keyword"
},
"old_state": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "wildcard"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"unit": {
"properties": {
"old_state": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "wildcard"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
"component": {
"properties": {
"binary": {
"ignore_above": 1024,
"type": "keyword"
},
"old_state": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "wildcard"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"unit": {
"properties": {
"old_state": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "wildcard"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@custom.json Normal file
View File

@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "endpoint"
},
"managed_by": "fleet",
"managed": true
}
}

132
salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@package.json Normal file
View File

@@ -0,0 +1,132 @@
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs-endpoint.collection-diagnostic"
},
"codec": "best_compression",
"default_pipeline": "logs-endpoint.diagnostic.collection-8.10.2",
"mapping": {
"total_fields": {
"limit": "10000"
},
"ignore_malformed": "true"
},
"query": {
"default_field": [
"ecs.version",
"event.action",
"event.category",
"event.code",
"event.dataset",
"event.hash",
"event.id",
"event.kind",
"event.module",
"event.outcome",
"event.provider",
"event.type"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"@timestamp": {
"ignore_malformed": false,
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"event": {
"properties": {
"severity": {
"type": "long"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"sequence": {
"type": "long"
},
"ingested": {
"type": "date"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
},
"_meta": {
"package": {
"name": "endpoint"
},
"managed_by": "fleet",
"managed": true
}
}

22
salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json Normal file
View File

@@ -0,0 +1,22 @@
{
"template": {
"mappings": {
"properties": {
"error": {
"properties": {
"message": {
"type": "match_only_text"
}
}
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}

138
salt/elasticsearch/templates/component/so/detection-mappings.json Normal file
View File

@@ -0,0 +1,138 @@
{
"template": {
"mappings": {
"properties": {
"so_audit_doc_id": {
"ignore_above": 1024,
"type": "keyword"
},
"@timestamp": {
"type": "date"
},
"so_kind": {
"ignore_above": 1024,
"type": "keyword"
},
"so_operation": {
"ignore_above": 1024,
"type": "keyword"
},
"so_detection": {
"properties": {
"publicId": {
"type": "text"
},
"title": {
"type": "text"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"author": {
"type": "text"
},
"description": {
"type": "text"
},
"content": {
"type": "text"
},
"isEnabled": {
"type": "boolean"
},
"isReporting": {
"type": "boolean"
},
"isCommunity": {
"type": "boolean"
},
"tags": {
"type": "text"
},
"ruleset": {
"ignore_above": 1024,
"type": "keyword"
},
"engine": {
"ignore_above": 1024,
"type": "keyword"
},
"language": {
"ignore_above": 1024,
"type": "keyword"
},
"license": {
"ignore_above": 1024,
"type": "keyword"
},
"overrides": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"isEnabled": {
"type": "boolean"
},
"createdAt": {
"type": "date"
},
"updatedAt": {
"type": "date"
},
"regex": {
"type": "text"
},
"value": {
"type": "text"
},
"thresholdType": {
"ignore_above": 1024,
"type": "keyword"
},
"track": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "text"
},
"count": {
"type": "long"
},
"seconds": {
"type": "long"
},
"customFilter": {
"type": "text"
}
}
}
}
},
"so_detectioncomment": {
"properties": {
"createTime": {
"type": "date"
},
"detectionId": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"type": "text"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
},
"_meta": {
"ecs_version": "1.12.2"
}
}

7
salt/elasticsearch/templates/component/so/detection-settings.json Normal file
View File

@@ -0,0 +1,7 @@
{
"template": {},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion Detections indices"
}
}

13
salt/elasticsearch/templates/component/so/so-scan-mappings.json
View File

@@ -14,16 +14,19 @@
},
"pe": {
"properties": {
"sections": {
"flags": {
"type": "text"
},
"image_version": {
"type": "float"
},
"sections": {
"properties": {
"entropy": {
"type": "float"
}
}
},
"image_version": {
"type": "float"
}
}
}
},
"elf": {

1
salt/firewall/containers.map.jinja
View File

@@ -95,6 +95,7 @@
{% set NODE_CONTAINERS = [
'so-elastic-fleet',
'so-logstash',
'so-nginx-fleet-node'
] %}
{% elif GLOBALS.role == 'so-sensor' %}

4
salt/firewall/defaults.yaml
View File

@@ -1295,6 +1295,10 @@ firewall:
portgroups:
- redis
- beats_5644
managersearch:
portgroups:
- redis
- beats_5644
self:
portgroups:
- redis

2
salt/global/defaults.yaml Normal file
View File

@@ -0,0 +1,2 @@
global:
pcapengine: STENO

2
salt/global/map.jinja Normal file
View File

@@ -0,0 +1,2 @@
{% import_yaml 'global/defaults.yaml' as GLOBALDEFAULTS %}
{% set GLOBALMERGED = salt['pillar.get']('global', GLOBALDEFAULTS.global, merge=True) %}

7
salt/global/soc_global.yaml
View File

@@ -10,10 +10,15 @@ global:
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
mdengine:
description: What engine to use for meta data generation. Options are ZEEK and SURICATA.
description: Which engine to use for meta data generation. Options are ZEEK and SURICATA.
regex: ^(ZEEK|SURICATA)$
regexFailureMessage: You must enter either ZEEK or SURICATA.
global: True
pcapengine:
description: Which engine to use for generating pcap. Options are STENO, SURICATA or TRANSITION.
regex: ^(STENO|SURICATA|TRANSITION)$
regexFailureMessage: You must enter either STENO, SURICATA or TRANSITION.
global: True
ids:
description: Which IDS engine to use. Currently only Suricata is supported.
global: True

2
salt/idstools/enabled.sls
View File

@@ -39,7 +39,7 @@ so-idstools:
{% endif %}
- binds:
- /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro
- /opt/so/rules/nids:/opt/so/rules/nids:rw
- /opt/so/rules/nids/suri:/opt/so/rules/nids/suri:rw
- /nsm/rules/:/nsm/rules/:rw
{% if DOCKER.containers['so-idstools'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-idstools'].custom_bind_mounts %}

8
salt/idstools/etc/rulecat.conf
View File

@@ -1,10 +1,10 @@
{%- from 'vars/globals.map.jinja' import GLOBALS -%}
{%- from 'idstools/map.jinja' import IDSTOOLSMERGED -%}
--merged=/opt/so/rules/nids/all.rules
--local=/opt/so/rules/nids/local.rules
--merged=/opt/so/rules/nids/suri/all.rules
--local=/opt/so/rules/nids/suri/local.rules
{%- if GLOBALS.md_engine == "SURICATA" %}
--local=/opt/so/rules/nids/extraction.rules
--local=/opt/so/rules/nids/filters.rules
--local=/opt/so/rules/nids/suri/extraction.rules
--local=/opt/so/rules/nids/suri/filters.rules
{%- endif %}
--url=http://{{ GLOBALS.manager }}:7788/suricata/emerging-all.rules
--disable=/opt/so/idstools/etc/disable.conf

3
salt/idstools/soc_idstools.yaml
View File

@@ -6,9 +6,10 @@ idstools:
description: Enter your registration code or oinkcode for paid NIDS rulesets.
title: Registration Code
global: True
forcedType: string
helpLink: rules.html
ruleset:
description: Defines the ruleset you want to run. Options are ETOPEN or ETPRO.
description: 'Defines the ruleset you want to run. Options are ETOPEN or ETPRO. WARNING! Changing the ruleset will remove all existing Suricata rules of the previous ruleset and their associated overrides. This removal cannot be undone.'
global: True
regex: ETPRO\b|ETOPEN\b
helpLink: rules.html

4
salt/idstools/sync_files.sls
View File

@@ -21,7 +21,7 @@ idstoolsetcsync:
rulesdir:
file.directory:
- name: /opt/so/rules/nids
- name: /opt/so/rules/nids/suri
- user: 939
- group: 939
- makedirs: True
@@ -29,7 +29,7 @@ rulesdir:
# Don't show changes because all.rules can be large
synclocalnidsrules:
file.recurse:
- name: /opt/so/rules/nids/
- name: /opt/so/rules/nids/suri/
- source: salt://idstools/rules/
- user: 939
- group: 939

2
salt/kratos/map.jinja
View File

@@ -21,7 +21,7 @@
{% set KRATOSMERGED = salt['pillar.get']('kratos', default=KRATOSDEFAULTS.kratos, merge=true) %}
{% if KRATOSMERGED.oidc.enabled and 'oidc' in salt['pillar.get']('features') %}
{% if KRATOSMERGED.oidc.enabled and 'odc' in salt['pillar.get']('features') %}
{% do KRATOSMERGED.config.selfservice.methods.update({'oidc': {'enabled': true, 'config': {'providers': [KRATOSMERGED.oidc.config]}}}) %}
{% endif %}

14
salt/logstash/config.sls
View File

@@ -63,6 +63,20 @@ lspipelinedir:
- user: 931
- group: 939
# Auto-generate Logstash pipeline config
{% for pipeline, config in LOGSTASH_MERGED.pipeline_config.items() %}
{% for assigned_pipeline in ASSIGNED_PIPELINES %}
{% set custom_pipeline = 'custom/' + pipeline + '.conf' %}
{% if custom_pipeline in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %}
ls_custom_pipeline_conf_{{assigned_pipeline}}_{{pipeline}}:
file.managed:
- name: /opt/so/conf/logstash/pipelines/{{assigned_pipeline}}/{{ pipeline }}.conf
- contents: LOGSTASH_MERGED.pipeline_config.{{pipeline}}
{% endif %}
{% endfor %}
{% endfor %}
{% for assigned_pipeline in ASSIGNED_PIPELINES %}
{% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %}
ls_pipeline_{{assigned_pipeline}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}:

18
salt/logstash/defaults.yaml
View File

@@ -42,6 +42,24 @@ logstash:
custom2: []
custom3: []
custom4: []
pipeline_config:
custom001: |-
filter {
if [event][module] =~ "zeek" {
mutate {
add_tag => ["network_stuff"]
}
}
}
custom002: PLACEHOLDER
custom003: PLACEHOLDER
custom004: PLACEHOLDER
custom005: PLACEHOLDER
custom006: PLACEHOLDER
custom007: PLACEHOLDER
custom008: PLACEHOLDER
custom009: PLACEHOLDER
custom010: PLACEHOLDER
settings:
lsheap: 500m
config:

16
salt/logstash/soc_logstash.yaml
View File

@@ -31,6 +31,22 @@ logstash:
custom2: *defined_pipelines
custom3: *defined_pipelines
custom4: *defined_pipelines
pipeline_config:
custom001: &pipeline_config
description: Pipeline configuration for Logstash
advanced: True
multiline: True
forcedType: string
helpLink: logstash.html
custom002: *pipeline_config
custom003: *pipeline_config
custom004: *pipeline_config
custom005: *pipeline_config
custom006: *pipeline_config
custom007: *pipeline_config
custom008: *pipeline_config
custom009: *pipeline_config
custom010: *pipeline_config
settings:
lsheap:
description: Heap size to use for logstash

2
salt/manager/files/mirror.txt Normal file
View File

@@ -0,0 +1,2 @@
https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9
https://repo-alt.securityonion.net/prod/2.4/oracle/9

13
salt/manager/files/repodownload.conf Normal file
View File

@@ -0,0 +1,13 @@
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False
cachedir=/opt/so/conf/reposync/cache
keepcache=0
[securityonionsync]
name=Security Onion Repo repo
mirrorlist=file:///opt/so/conf/reposync/mirror.txt
enabled=1
gpgcheck=1

46
salt/manager/init.sls
View File

@@ -1,5 +1,5 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
@@ -61,7 +61,7 @@ manager_sbin:
- user: 939
- group: 939
- file_mode: 755
- exclude_pat:
- exclude_pat:
- "*_test.py"
yara_update_scripts:
@@ -75,6 +75,20 @@ yara_update_scripts:
- defaults:
EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
so-repo-file:
file.managed:
- name: /opt/so/conf/reposync/repodownload.conf
- source: salt://manager/files/repodownload.conf
- user: socore
- group: socore
so-repo-mirrorlist:
file.managed:
- name: /opt/so/conf/reposync/mirror.txt
- source: salt://manager/files/mirror.txt
- user: socore
- group: socore
so-repo-sync:
{% if MANAGERMERGED.reposync.enabled %}
cron.present:
@@ -103,55 +117,51 @@ rules_dir:
- group: socore
- makedirs: True
{% if STRELKAMERGED.rules.enabled %}
{% if STRELKAMERGED.rules.enabled %}
strelkarepos:
file.managed:
- name: /opt/so/conf/strelka/repos.txt
- source: salt://strelka/rules/repos.txt.jinja
- template: jinja
- defaults:
STRELKAREPOS: {{ STRELKAMERGED.rules.repos }}
STRELKAREPOS: {{ STRELKAMERGED.rules.repos }}
- makedirs: True
strelka-yara-update:
{% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %}
{% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %}
cron.present:
{% else %}
{% else %}
cron.absent:
{% endif %}
{% endif %}
- user: socore
- name: '/usr/sbin/so-yara-update >> /opt/so/log/yarasync/yara-update.log 2>&1'
- identifier: strelka-yara-update
- hour: '7'
- minute: '1'
strelka-yara-download:
{% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %}
{% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %}
cron.present:
{% else %}
{% else %}
cron.absent:
{% endif %}
{% endif %}
- user: socore
- name: '/usr/sbin/so-yara-download >> /opt/so/log/yarasync/yara-download.log 2>&1'
- identifier: strelka-yara-download
- hour: '7'
- minute: '1'
{% if not GLOBALS.airgap %}
{% if not GLOBALS.airgap %}
update_yara_rules:
cmd.run:
- name: /usr/sbin/so-yara-update
- onchanges:
- file: yara_update_scripts
download_yara_rules:
cmd.run:
- name: /usr/sbin/so-yara-download
- onchanges:
- file: yara_update_scripts
{% endif %}
{% endif %}
{% endif %}
{% endif %}
{% else %}
{{sls}}_state_not_allowed:

41
salt/manager/tools/sbin/so-minion
View File

@@ -79,6 +79,32 @@ function getinstallinfo() {
source <(echo $INSTALLVARS)
}
function pcapspace() {
if [[ "$OPERATION" == "setup" ]]; then
# Use 25% for PCAP
PCAP_PERCENTAGE=1
DFREEPERCENT=21
local SPACESIZE=$(df -k /nsm | tail -1 | awk '{print $2}' | tr -d \n)
else
local NSMSIZE=$(salt "$MINION_ID" disk.usage --out=json | jq -r '.[]."/nsm"."1K-blocks" ')
local ROOTSIZE=$(salt "$MINION_ID" disk.usage --out=json | jq -r '.[]."/"."1K-blocks" ')
if [[ "$NSMSIZE" == "null" ]]; then
# Looks like there is no dedicated nsm partition. Using root
local SPACESIZE=$ROOTSIZE
else
local SPACESIZE=$NSMSIZE
fi
fi
local s=$(( $SPACESIZE / 1000000 ))
local s1=$(( $s / 4 * $PCAP_PERCENTAGE ))
MAX_PCAP_SPACE=$s1
}
function testMinion() {
# Always run on the host, since this is going to be the manager of a distributed grid, or an eval/standalone.
# Distributed managers must run this in order for the sensor nodes to have access to the so-tcpreplay image.
@@ -244,6 +270,10 @@ function add_sensor_to_minion() {
echo " lb_procs: '$CORECOUNT'" >> $PILLARFILE
echo "suricata:" >> $PILLARFILE
echo " enabled: True " >> $PILLARFILE
if [[ $is_pcaplimit ]]; then
echo " pcap:" >> $PILLARFILE
echo " maxsize: $MAX_PCAP_SPACE" >> $PILLARFILE
fi
echo " config:" >> $PILLARFILE
echo " af-packet:" >> $PILLARFILE
echo " threads: '$CORECOUNT'" >> $PILLARFILE
@@ -251,7 +281,7 @@ function add_sensor_to_minion() {
echo " enabled: True" >> $PILLARFILE
if [[ $is_pcaplimit ]]; then
echo " config:" >> $PILLARFILE
echo " diskfreepercentage: 60" >> $PILLARFILE
echo " diskfreepercentage: $DFREEPERCENT" >> $PILLARFILE
fi
echo " " >> $PILLARFILE
}
@@ -422,6 +452,7 @@ function updateMine() {
function createEVAL() {
is_pcaplimit=true
pcapspace
add_elasticsearch_to_minion
add_sensor_to_minion
add_strelka_to_minion
@@ -442,6 +473,7 @@ function createEVAL() {
function createSTANDALONE() {
is_pcaplimit=true
pcapspace
add_elasticsearch_to_minion
add_logstash_to_minion
add_sensor_to_minion
@@ -531,6 +563,9 @@ function createIDH() {
function createHEAVYNODE() {
is_pcaplimit=true
PCAP_PERCENTAGE=1
DFREEPERCENT=21
pcapspace
add_elasticsearch_to_minion
add_elastic_agent_to_minion
add_logstash_to_minion
@@ -541,6 +576,10 @@ function createHEAVYNODE() {
}
function createSENSOR() {
is_pcaplimit=true
DFREEPERCENT=10
PCAP_PERCENTAGE=3
pcapspace
add_sensor_to_minion
add_strelka_to_minion
add_telegraf_to_minion

6
salt/manager/tools/sbin/so-repo-sync
View File

@@ -7,12 +7,8 @@
NOROOT=1
. /usr/sbin/so-common
set_version
set_os
salt_minion_count
set -e
curl --retry 5 --retry-delay 60 -A "reposync/$VERSION/$OS/$(uname -r)/$MINIONCOUNT" https://sigs.securityonion.net/checkup --output /tmp/checkup
curl --retry 5 --retry-delay 60 -A "reposync/$(sync_options)" https://sigs.securityonion.net/checkup --output /tmp/checkup
dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/
createrepo /nsm/repo

2
salt/manager/tools/sbin/so-saltstack-update
View File

@@ -47,7 +47,7 @@ got_root(){
got_root
if [ $# -ne 1 ] ; then
BRANCH=master
BRANCH=2.4/main
else
BRANCH=$1
fi

2
salt/manager/tools/sbin/so-user
View File

@@ -347,7 +347,7 @@ function syncElastic() {
[[ $? != 0 ]] && fail "Unable to read credential hashes from database"
user_data_formatted=$(echo "${userData}" | jq -r '.user + ":" + .data.hashed_password')
if lookup_salt_value "licensed_features" "" "pillar" | grep -x oidc; then
if lookup_salt_value "features" "" "pillar" | grep -x odc; then
# generate random placeholder salt/hash for users without passwords
random_crypt=$(get_random_value 53)
user_data_formatted=$(echo "${user_data_formatted}" | sed -r "s/^(.+:)\$/\\1\$2a\$12${random_crypt}/")

32
salt/manager/tools/sbin/so-yaml.py
View File

@@ -16,12 +16,14 @@ lockFile = "/tmp/so-yaml.lock"
def showUsage(args):
print('Usage: {} <COMMAND> <YAML_FILE> [ARGS...]'.format(sys.argv[0]))
print(' General commands:')
print(' append - Append a list item to a yaml key, if it exists and is a list. Requires KEY and LISTITEM args.')
print(' remove - Removes a yaml key, if it exists. Requires KEY arg.')
print(' help - Prints this usage information.')
print('')
print(' Where:')
print(' YAML_FILE - Path to the file that will be modified. Ex: /opt/so/conf/service/conf.yaml')
print(' KEY - YAML key, does not support \' or " characters at this time. Ex: level1.level2')
print(' LISTITEM - Item to add to the list.')
sys.exit(1)
@@ -35,6 +37,35 @@ def writeYaml(filename, content):
file = open(filename, "w")
return yaml.dump(content, file)
def appendItem(content, key, listItem):
pieces = key.split(".", 1)
if len(pieces) > 1:
appendItem(content[pieces[0]], pieces[1], listItem)
else:
try:
content[key].append(listItem)
except AttributeError:
print("The existing value for the given key is not a list. No action was taken on the file.")
return 1
except KeyError:
print("The key provided does not exist. No action was taken on the file.")
return 1
def append(args):
if len(args) != 3:
print('Missing filename, key arg, or list item to append', file=sys.stderr)
showUsage(None)
return
filename = args[0]
key = args[1]
listItem = args[2]
content = loadYaml(filename)
appendItem(content, key, listItem)
writeYaml(filename, content)
return 0
def removeKey(content, key):
pieces = key.split(".", 1)
@@ -69,6 +100,7 @@ def main():
commands = {
"help": showUsage,
"append": append,
"remove": remove,
}

96
salt/manager/tools/sbin/so-yaml_test.py
View File

@@ -105,3 +105,99 @@ class TestRemove(unittest.TestCase):
self.assertEqual(actual, expected)
sysmock.assert_called_once_with(1)
self.assertIn(mock_stdout.getvalue(), "Missing filename or key arg\n")
def test_append(self):
filename = "/tmp/so-yaml_test-remove.yaml"
file = open(filename, "w")
file.write("{key1: { child1: 123, child2: abc }, key2: false, key3: [a,b,c]}")
file.close()
soyaml.append([filename, "key3", "d"])
file = open(filename, "r")
actual = file.read()
file.close()
expected = "key1:\n child1: 123\n child2: abc\nkey2: false\nkey3:\n- a\n- b\n- c\n- d\n"
self.assertEqual(actual, expected)
def test_append_nested(self):
filename = "/tmp/so-yaml_test-remove.yaml"
file = open(filename, "w")
file.write("{key1: { child1: 123, child2: [a,b,c] }, key2: false, key3: [e,f,g]}")
file.close()
soyaml.append([filename, "key1.child2", "d"])
file = open(filename, "r")
actual = file.read()
file.close()
expected = "key1:\n child1: 123\n child2:\n - a\n - b\n - c\n - d\nkey2: false\nkey3:\n- e\n- f\n- g\n"
self.assertEqual(actual, expected)
def test_append_nested_deep(self):
filename = "/tmp/so-yaml_test-remove.yaml"
file = open(filename, "w")
file.write("{key1: { child1: 123, child2: { deep1: 45, deep2: [a,b,c] } }, key2: false, key3: [e,f,g]}")
file.close()
soyaml.append([filename, "key1.child2.deep2", "d"])
file = open(filename, "r")
actual = file.read()
file.close()
expected = "key1:\n child1: 123\n child2:\n deep1: 45\n deep2:\n - a\n - b\n - c\n - d\nkey2: false\nkey3:\n- e\n- f\n- g\n"
self.assertEqual(actual, expected)
def test_append_key_noexist(self):
filename = "/tmp/so-yaml_test-append.yaml"
file = open(filename, "w")
file.write("{key1: { child1: 123, child2: { deep1: 45, deep2: [a,b,c] } }, key2: false, key3: [e,f,g]}")
file.close()
with patch('sys.exit', new=MagicMock()) as sysmock:
with patch('sys.stdout', new=StringIO()) as mock_stdout:
sys.argv = ["cmd", "append", filename, "key4", "h"]
soyaml.main()
sysmock.assert_called()
self.assertEqual(mock_stdout.getvalue(), "The key provided does not exist. No action was taken on the file.\n")
def test_append_key_noexist_deep(self):
filename = "/tmp/so-yaml_test-append.yaml"
file = open(filename, "w")
file.write("{key1: { child1: 123, child2: { deep1: 45, deep2: [a,b,c] } }, key2: false, key3: [e,f,g]}")
file.close()
with patch('sys.exit', new=MagicMock()) as sysmock:
with patch('sys.stdout', new=StringIO()) as mock_stdout:
sys.argv = ["cmd", "append", filename, "key1.child2.deep3", "h"]
soyaml.main()
sysmock.assert_called()
self.assertEqual(mock_stdout.getvalue(), "The key provided does not exist. No action was taken on the file.\n")
def test_append_key_nonlist(self):
filename = "/tmp/so-yaml_test-append.yaml"
file = open(filename, "w")
file.write("{key1: { child1: 123, child2: { deep1: 45, deep2: [a,b,c] } }, key2: false, key3: [e,f,g]}")
file.close()
with patch('sys.exit', new=MagicMock()) as sysmock:
with patch('sys.stdout', new=StringIO()) as mock_stdout:
sys.argv = ["cmd", "append", filename, "key1", "h"]
soyaml.main()
sysmock.assert_called()
self.assertEqual(mock_stdout.getvalue(), "The existing value for the given key is not a list. No action was taken on the file.\n")
def test_append_key_nonlist_deep(self):
filename = "/tmp/so-yaml_test-append.yaml"
file = open(filename, "w")
file.write("{key1: { child1: 123, child2: { deep1: 45, deep2: [a,b,c] } }, key2: false, key3: [e,f,g]}")
file.close()
with patch('sys.exit', new=MagicMock()) as sysmock:
with patch('sys.stdout', new=StringIO()) as mock_stdout:
sys.argv = ["cmd", "append", filename, "key1.child2.deep1", "h"]
soyaml.main()
sysmock.assert_called()
self.assertEqual(mock_stdout.getvalue(), "The existing value for the given key is not a list. No action was taken on the file.\n")

164
salt/manager/tools/sbin/soup
View File

@@ -247,67 +247,6 @@ check_sudoers() {
fi
}
check_log_size_limit() {
local num_minion_pillars
num_minion_pillars=$(find /opt/so/saltstack/local/pillar/minions/ -type f | wc -l)
if [[ $num_minion_pillars -gt 1 ]]; then
if find /opt/so/saltstack/local/pillar/minions/ -type f | grep -q "_heavynode"; then
lsl_msg='distributed'
fi
else
local minion_id
minion_id=$(lookup_salt_value "id" "" "grains" "" "local")
local minion_arr
IFS='_' read -ra minion_arr <<< "$minion_id"
local node_type="${minion_arr[0]}"
local current_limit
# since it is possible for the salt-master service to be stopped when this is run, we need to check the pillar values locally
# we need to combine default local and default pillars before doing this so we can define --pillar-root in salt-call
local epoch_date=$(date +%s%N)
mkdir -vp /opt/so/saltstack/soup_tmp_${epoch_date}/
cp -r /opt/so/saltstack/default/pillar/ /opt/so/saltstack/soup_tmp_${epoch_date}/
# use \cp here to overwrite any pillar files from default with those in local for the tmp directory
\cp -r /opt/so/saltstack/local/pillar/ /opt/so/saltstack/soup_tmp_${epoch_date}/
current_limit=$(salt-call pillar.get elasticsearch:log_size_limit --local --pillar-root=/opt/so/saltstack/soup_tmp_${epoch_date}/pillar --out=newline_values_only)
rm -rf /opt/so/saltstack/soup_tmp_${epoch_date}/
local percent
case $node_type in
'standalone' | 'eval')
percent=50
;;
*)
percent=80
;;
esac
local disk_dir="/"
if [ -d /nsm ]; then
disk_dir="/nsm"
fi
local disk_size_1k
disk_size_1k=$(df $disk_dir | grep -v "^Filesystem" | awk '{print $2}')
local ratio="1048576"
local disk_size_gb
disk_size_gb=$( echo "$disk_size_1k" "$ratio" | awk '{print($1/$2)}' )
local new_limit
new_limit=$( echo "$disk_size_gb" "$percent" | awk '{printf("%.0f", $1 * ($2/100))}')
if [[ $current_limit != "$new_limit" ]]; then
lsl_msg='single-node'
lsl_details=( "$current_limit" "$new_limit" "$minion_id" )
fi
fi
}
check_os_updates() {
# Check to see if there are OS updates
echo "Checking for OS updates."
@@ -372,6 +311,17 @@ enable_highstate() {
echo ""
}
get_soup_script_hashes() {
CURRENTSOUP=$(md5sum /usr/sbin/soup | awk '{print $1}')
GITSOUP=$(md5sum $UPDATE_DIR/salt/manager/tools/sbin/soup | awk '{print $1}')
CURRENTCMN=$(md5sum /usr/sbin/so-common | awk '{print $1}')
GITCMN=$(md5sum $UPDATE_DIR/salt/common/tools/sbin/so-common | awk '{print $1}')
CURRENTIMGCMN=$(md5sum /usr/sbin/so-image-common | awk '{print $1}')
GITIMGCMN=$(md5sum $UPDATE_DIR/salt/common/tools/sbin/so-image-common | awk '{print $1}')
CURRENTSOFIREWALL=$(md5sum /usr/sbin/so-firewall | awk '{print $1}')
GITSOFIREWALL=$(md5sum $UPDATE_DIR/salt/manager/tools/sbin/so-firewall | awk '{print $1}')
}
highstate() {
# Run a highstate.
salt-call state.highstate -l info queue=True
@@ -405,6 +355,8 @@ preupgrade_changes() {
[[ "$INSTALLEDVERSION" == 2.4.10 ]] && up_to_2.4.20
[[ "$INSTALLEDVERSION" == 2.4.20 ]] && up_to_2.4.30
[[ "$INSTALLEDVERSION" == 2.4.30 ]] && up_to_2.4.40
[[ "$INSTALLEDVERSION" == 2.4.40 ]] && up_to_2.4.50
[[ "$INSTALLEDVERSION" == 2.4.50 ]] && up_to_2.4.60
true
}
@@ -419,6 +371,8 @@ postupgrade_changes() {
[[ "$POSTVERSION" == 2.4.10 ]] && post_to_2.4.20
[[ "$POSTVERSION" == 2.4.20 ]] && post_to_2.4.30
[[ "$POSTVERSION" == 2.4.30 ]] && post_to_2.4.40
[[ "$POSTVERSION" == 2.4.40 ]] && post_to_2.4.50
[[ "$POSTVERSION" == 2.4.50 ]] && post_to_2.4.60
true
}
@@ -470,6 +424,17 @@ post_to_2.4.40() {
POSTVERSION=2.4.40
}
post_to_2.4.50() {
echo "Nothing to apply"
POSTVERSION=2.4.50
}
post_to_2.4.60() {
echo "Regenerating Elastic Agent Installers..."
so-elastic-agent-gen-installers
POSTVERSION=2.4.60
}
repo_sync() {
echo "Sync the local repo."
su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -570,6 +535,45 @@ up_to_2.4.40() {
INSTALLEDVERSION=2.4.40
}
up_to_2.4.50() {
echo "Creating additional pillars.."
mkdir -p /opt/so/saltstack/local/pillar/stig/
mkdir -p /opt/so/saltstack/local/salt/stig/
chown socore:socore /opt/so/saltstack/local/salt/stig/
touch /opt/so/saltstack/local/pillar/stig/adv_stig.sls
touch /opt/so/saltstack/local/pillar/stig/soc_stig.sls
# the file_roots need to be update due to salt 3006.6 upgrade not allowing symlinks outside the file_roots
# put new so-yaml in place
echo "Updating so-yaml"
\cp -v "$UPDATE_DIR/salt/manager/tools/sbin/so-yaml.py" "$DEFAULT_SALT_DIR/salt/manager/tools/sbin/"
\cp -v "$UPDATE_DIR/salt/manager/tools/sbin/so-yaml.py" /usr/sbin/
echo "Creating a backup of the salt-master config."
# INSTALLEDVERSION is 2.4.40 at this point, but we want the backup to have the version
# so was at prior to starting upgrade. use POSTVERSION here since it doesnt change until
# post upgrade changes. POSTVERSION set to INSTALLEDVERSION at start of soup
cp -v /etc/salt/master "/etc/salt/master.so-$POSTVERSION.bak"
echo "Adding /opt/so/rules to file_roots in /etc/salt/master using so-yaml"
so-yaml.py append /etc/salt/master file_roots.base /opt/so/rules/nids
echo "Moving Suricata rules"
mkdir /opt/so/rules/nids/suri
chown socore:socore /opt/so/rules/nids/suri
mv -v /opt/so/rules/nids/*.rules /opt/so/rules/nids/suri/.
echo "Adding /nsm/elastic-fleet/artifacts to file_roots in /etc/salt/master using so-yaml"
so-yaml.py append /etc/salt/master file_roots.base /nsm/elastic-fleet/artifacts
INSTALLEDVERSION=2.4.50
}
up_to_2.4.60() {
echo "Creating directory to store Suricata classification.config"
mkdir -vp /opt/so/saltstack/local/salt/suricata/classification
chown socore:socore /opt/so/saltstack/local/salt/suricata/classification
INSTALLEDVERSION=2.4.60
}
determine_elastic_agent_upgrade() {
if [[ $is_airgap -eq 0 ]]; then
update_elastic_agent_airgap
@@ -617,6 +621,10 @@ update_airgap_rules() {
if [ -d /nsm/repo/rules/sigma ]; then
rsync -av $UPDATE_DIR/agrules/sigma/* /nsm/repo/rules/sigma/
fi
# SOC Detections Airgap
rsync -av $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
rsync -av $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
}
update_airgap_repo() {
@@ -742,31 +750,29 @@ upgrade_salt() {
}
verify_latest_update_script() {
# Check to see if the update scripts match. If not run the new one.
CURRENTSOUP=$(md5sum /usr/sbin/soup | awk '{print $1}')
GITSOUP=$(md5sum $UPDATE_DIR/salt/manager/tools/sbin/soup | awk '{print $1}')
CURRENTCMN=$(md5sum /usr/sbin/so-common | awk '{print $1}')
GITCMN=$(md5sum $UPDATE_DIR/salt/common/tools/sbin/so-common | awk '{print $1}')
CURRENTIMGCMN=$(md5sum /usr/sbin/so-image-common | awk '{print $1}')
GITIMGCMN=$(md5sum $UPDATE_DIR/salt/common/tools/sbin/so-image-common | awk '{print $1}')
CURRENTSOFIREWALL=$(md5sum /usr/sbin/so-firewall | awk '{print $1}')
GITSOFIREWALL=$(md5sum $UPDATE_DIR/salt/manager/tools/sbin/so-firewall | awk '{print $1}')
get_soup_script_hashes
if [[ "$CURRENTSOUP" == "$GITSOUP" && "$CURRENTCMN" == "$GITCMN" && "$CURRENTIMGCMN" == "$GITIMGCMN" && "$CURRENTSOFIREWALL" == "$GITSOFIREWALL" ]]; then
echo "This version of the soup script is up to date. Proceeding."
else
echo "You are not running the latest soup version. Updating soup and its components. This might take multiple runs to complete."
cp $UPDATE_DIR/salt/manager/tools/sbin/soup $DEFAULT_SALT_DIR/salt/common/tools/sbin/
cp $UPDATE_DIR/salt/common/tools/sbin/so-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
cp $UPDATE_DIR/salt/common/tools/sbin/so-image-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
cp $UPDATE_DIR/salt/manager/tools/sbin/so-firewall $DEFAULT_SALT_DIR/salt/common/tools/sbin/
salt-call state.apply common.soup_scripts queue=True -linfo --file-root=$UPDATE_DIR/salt --local
# Verify that soup scripts updated as expected
get_soup_script_hashes
if [[ "$CURRENTSOUP" == "$GITSOUP" && "$CURRENTCMN" == "$GITCMN" && "$CURRENTIMGCMN" == "$GITIMGCMN" && "$CURRENTSOFIREWALL" == "$GITSOFIREWALL" ]]; then
echo "Succesfully updated soup scripts."
else
echo "There was a problem updating soup scripts. Trying to rerun script update."
salt-call state.apply common.soup_scripts queue=True -linfo --file-root=$UPDATE_DIR/salt --local
fi
echo ""
echo "The soup script has been modified. Please run soup again to continue the upgrade."
exit 0
fi
}
}
# Keeping this block in case we need to do a hotfix that requires salt update
apply_hotfix() {
if [[ "$INSTALLEDVERSION" == "2.4.20" ]] ; then
@@ -909,9 +915,6 @@ main() {
systemctl_func "stop" "$cron_service_name"
# update mine items prior to stopping salt-minion and salt-master
update_salt_mine
echo "Updating dockers to $NEWVERSION."
if [[ $is_airgap -eq 0 ]]; then
airgap_update_dockers
@@ -987,6 +990,9 @@ main() {
salt-call state.apply salt.minion -l info queue=True
echo ""
# ensure the mine is updated and populated before highstates run, following the salt-master restart
update_salt_mine
enable_highstate
echo ""

0
salt/manager/tools/sbin_jinja/so-yara-update Executable file → Normal file
View File

28
salt/nginx/enabled.sls
View File

@@ -14,6 +14,9 @@ include:
- nginx.config
- nginx.sostatus
{% if grains.role not in ['so-fleet'] %}
{# if the user has selected to replace the crt and key in the ui #}
{% if NGINXMERGED.ssl.replace_cert %}
@@ -88,6 +91,15 @@ make-rule-dir-nginx:
- recurse:
- user
- group
{% endif %}
{# if this is an so-fleet node then we want to use the port bindings, custom bind mounts defined for fleet #}
{% if GLOBALS.role == 'so-fleet' %}
{% set container_config = 'so-nginx-fleet-node' %}
{% else %}
{% set container_config = 'so-nginx' %}
{% endif %}
so-nginx:
docker_container.running:
@@ -95,11 +107,11 @@ so-nginx:
- hostname: so-nginx
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-nginx'].ip }}
- ipv4_address: {{ DOCKER.containers[container_config].ip }}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKER.containers['so-nginx'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-nginx'].extra_hosts %}
{% if DOCKER.containers[container_config].extra_hosts %}
{% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
@@ -119,20 +131,20 @@ so-nginx:
- /nsm/repo:/opt/socore/html/repo:ro
- /nsm/rules:/nsm/rules:ro
{% endif %}
{% if DOCKER.containers['so-nginx'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-nginx'].custom_bind_mounts %}
{% if DOCKER.containers[container_config].custom_bind_mounts %}
{% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-nginx'].extra_env %}
{% if DOCKER.containers[container_config].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-nginx'].extra_env %}
{% for XTRAENV in DOCKER.containers[container_config].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
- cap_add: NET_BIND_SERVICE
- port_bindings:
{% for BINDING in DOCKER.containers['so-nginx'].port_bindings %}
{% for BINDING in DOCKER.containers[container_config].port_bindings %}
- {{ BINDING }}
{% endfor %}
- watch:

20
salt/nginx/etc/nginx.conf
View File

@@ -39,6 +39,26 @@ http {
include /etc/nginx/conf.d/*.conf;
{%- if role in ['fleet'] %}
server {
listen 8443;
server_name {{ GLOBALS.hostname }};
root /opt/socore/html;
location /artifacts/ {
try_files $uri =206;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
proxy_set_header X-Forwarded-Proto $scheme;
}
}
{%- endif %}
{%- if role in ['eval', 'managersearch', 'manager', 'standalone', 'import'] %}
server {

8
salt/pcap/config.map.jinja
View File

@@ -2,6 +2,12 @@
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'pcap/defaults.yaml' as PCAPDEFAULTS %}
{% set PCAPMERGED = salt['pillar.get']('pcap', PCAPDEFAULTS.pcap, merge=True) %}
{# disable stenographer if the pcap engine is set to SURICATA #}
{% if GLOBALS.pcap_engine == "SURICATA" %}
{% do PCAPMERGED.update({'enabled': False}) %}
{% endif %}

7
salt/pcap/config.sls
View File

@@ -72,13 +72,6 @@ stenoca:
- user: 941
- group: 939
pcapdir:
file.directory:
- name: /nsm/pcap
- user: 941
- group: 941
- makedirs: True
pcaptmpdir:
file.directory:
- name: /nsm/pcaptmp

9
salt/pcap/init.sls
View File

@@ -15,3 +15,12 @@ include:
{% else %}
- pcap.disabled
{% endif %}
# This directory needs to exist regardless of whether STENO is enabled or not, in order for
# Sensoroni to be able to look at old steno PCAP data
pcapdir:
file.directory:
- name: /nsm/pcap
- user: 941
- group: 941
- makedirs: True

16
salt/pcap/soc_pcap.yaml
View File

@@ -4,32 +4,32 @@ pcap:
helpLink: stenographer.html
config:
maxdirectoryfiles:
description: The maximum number of packet/index files to create before deleting old files.
description: By default, Stenographer limits the number of files in the pcap directory to 30000 to avoid limitations with the ext3 filesystem. However, if you're using the ext4 or xfs filesystems, then it is safe to increase this value. So if you have a large amount of storage and find that you only have 3 weeks worth of PCAP on disk while still having plenty of free space, then you may want to increase this default setting.
helpLink: stenographer.html
diskfreepercentage:
description: The disk space percent to always keep free for PCAP
description: Stenographer will purge old PCAP on a regular basis to keep the disk free percentage at this level. If you have a distributed deployment with dedicated forward nodes, then the default value of 10 should be reasonable since Stenographer should be the main consumer of disk space in the /nsm partition. However, if you have systems that run both Stenographer and Elasticsearch at the same time (like eval and standalone installations), then youll want to make sure that this value is no lower than 21 so that you avoid Elasticsearch hitting its watermark setting at 80% disk usage. If you have an older standalone installation, then you may need to manually change this value to 21.
helpLink: stenographer.html
blocks:
description: The number of 1MB packet blocks used by AF_PACKET to store packets in memory, per thread. You shouldn't need to change this.
description: The number of 1MB packet blocks used by Stenographer and AF_PACKET to store packets in memory, per thread. You shouldn't need to change this.
advanced: True
helpLink: stenographer.html
preallocate_file_mb:
description: File size to pre-allocate for individual PCAP files. You shouldn't need to change this.
description: File size to pre-allocate for individual Stenographer PCAP files. You shouldn't need to change this.
advanced: True
helpLink: stenographer.html
aiops:
description: The max number of async writes to allow at once.
description: The max number of async writes to allow for Stenographer at once.
advanced: True
helpLink: stenographer.html
pin_to_cpu:
description: Enable CPU pinning for PCAP.
description: Enable CPU pinning for Stenographer PCAP.
advanced: True
helpLink: stenographer.html
cpus_to_pin_to:
description: CPU to pin PCAP to. Currently only a single CPU is supported.
description: CPU to pin Stenographer PCAP to. Currently only a single CPU is supported.
advanced: True
helpLink: stenographer.html
disks:
description: List of disks to use for PCAP. This is currently not used.
description: List of disks to use for Stenographer PCAP. This is currently not used.
advanced: True
helpLink: stenographer.html

1
salt/repo/client/files/oracle/yum.conf.jinja
View File

@@ -7,6 +7,7 @@ logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
localpkg_gpgcheck=1
plugins=1
installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum

1
salt/salt/init.sls
View File

@@ -10,3 +10,4 @@ salt_bootstrap:
- name: /usr/sbin/bootstrap-salt.sh
- source: salt://salt/scripts/bootstrap-salt.sh
- mode: 755
- show_changes: False

2
salt/salt/master.defaults.yaml
View File

@@ -1,4 +1,4 @@
# version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
salt:
master:
version: 3006.5
version: 3006.6

2
salt/salt/minion.defaults.yaml
View File

@@ -1,6 +1,6 @@
# version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
salt:
minion:
version: 3006.5
version: 3006.6
check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
service_start_delay: 30 # in seconds.

118
salt/sensoroni/defaults.yaml
View File

@@ -1,58 +1,60 @@
sensoroni:
enabled: False
config:
analyze:
enabled: False
timeout_ms: 900000
parallel_limit: 5
node_checkin_interval_ms: 10000
sensoronikey:
soc_host:
analyzers:
echotrail:
base_url: https://api.echotrail.io/insights/
api_key:
elasticsearch:
base_url:
auth_user:
auth_pwd:
num_results: 10
api_key:
index: _all
time_delta_minutes: 14400
timestamp_field_name: '@timestamp'
map: {}
cert_path:
emailrep:
base_url: https://emailrep.io/
api_key:
greynoise:
base_url: https://api.greynoise.io/
api_key:
api_version: community
localfile:
file_path: []
otx:
base_url: https://otx.alienvault.com/api/v1/
api_key:
pulsedive:
base_url: https://pulsedive.com/api/
api_key:
spamhaus:
lookup_host: zen.spamhaus.org
nameservers: []
sublime_platform:
base_url: https://api.platform.sublimesecurity.com
api_key:
live_flow: False
mailbox_email_address:
message_source_id:
urlscan:
base_url: https://urlscan.io/api/v1/
api_key:
enabled: False
visibility: public
timeout: 180
virustotal:
base_url: https://www.virustotal.com/api/v3/search?query=
api_key:
sensoroni:
enabled: False
config:
analyze:
enabled: False
timeout_ms: 900000
parallel_limit: 5
node_checkin_interval_ms: 10000
sensoronikey:
soc_host:
suripcap:
pcapMaxCount: 999999
analyzers:
echotrail:
base_url: https://api.echotrail.io/insights/
api_key:
elasticsearch:
base_url:
auth_user:
auth_pwd:
num_results: 10
api_key:
index: _all
time_delta_minutes: 14400
timestamp_field_name: '@timestamp'
map: {}
cert_path:
emailrep:
base_url: https://emailrep.io/
api_key:
greynoise:
base_url: https://api.greynoise.io/
api_key:
api_version: community
localfile:
file_path: []
otx:
base_url: https://otx.alienvault.com/api/v1/
api_key:
pulsedive:
base_url: https://pulsedive.com/api/
api_key:
spamhaus:
lookup_host: zen.spamhaus.org
nameservers: []
sublime_platform:
base_url: https://api.platform.sublimesecurity.com
api_key:
live_flow: False
mailbox_email_address:
message_source_id:
urlscan:
base_url: https://urlscan.io/api/v1/
api_key:
enabled: False
visibility: public
timeout: 180
virustotal:
base_url: https://www.virustotal.com/api/v3/search?query=
api_key:

1
salt/sensoroni/enabled.sls
View File

@@ -23,6 +23,7 @@ so-sensoroni:
- /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
- /opt/so/conf/sensoroni/analyzers:/opt/sensoroni/analyzers:rw
- /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
- /nsm/suripcap/:/nsm/suripcap:rw
{% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
- {{ BIND }}

16
salt/sensoroni/files/sensoroni.json
View File

@@ -1,6 +1,5 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'sensoroni/map.jinja' import SENSORONIMERGED %}
{%- from 'pcap/config.map.jinja' import PCAPMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'sensoroni/map.jinja' import SENSORONIMERGED -%}
{
"logFilename": "/opt/sensoroni/logs/sensoroni.log",
"logLevel":"info",
@@ -23,16 +22,19 @@
"importer": {},
"statickeyauth": {
"apiKey": "{{ GLOBALS.sensoroni_key }}"
{%- if PCAPMERGED.enabled %}
{% if GLOBALS.is_sensor %}
},
"stenoquery": {
"executablePath": "/opt/sensoroni/scripts/stenoquery.sh",
"pcapInputPath": "/nsm/pcap",
"pcapOutputPath": "/nsm/pcapout"
}
{%- else %}
}
},
"suriquery": {
"pcapInputPath": "/nsm/suripcap",
"pcapOutputPath": "/nsm/pcapout",
"pcapMaxCount": {{ SENSORONIMERGED.config.suripcap.pcapMaxCount }}
{%- endif %}
}
}
}
}

5
salt/sensoroni/soc_sensoroni.yaml
View File

@@ -37,6 +37,11 @@ sensoroni:
helpLink: grid.html
global: True
advanced: True
suripcap:
pcapMaxCount:
description: The maximum number of PCAP packets to extract from eligible PCAP files, for PCAP jobs. If there are issues fetching excessively large packet streams consider lowering this value to reduce the number of collected packets returned to the user interface.
helpLink: sensoroni.html
advanced: True
analyzers:
echotrail:
api_key:

32
salt/soc/config.sls
View File

@@ -9,9 +9,16 @@
include:
- manager.sync_es_users
socdirtest:
file.directory:
- name: /opt/so/rules/elastalert/rules
- user: 939
- group: 939
- makedirs: True
socdir:
file.directory:
- name: /opt/so/conf/soc
- name: /opt/so/conf/soc/fingerprints
- user: 939
- group: 939
- makedirs: True
@@ -57,6 +64,22 @@ socmotd:
- mode: 600
- template: jinja
socsigmafinalpipeline:
file.managed:
- name: /opt/so/conf/soc/sigma_final_pipeline.yaml
- source: salt://soc/files/soc/sigma_final_pipeline.yaml
- user: 939
- group: 939
- mode: 600
socsigmasopipeline:
file.managed:
- name: /opt/so/conf/soc/sigma_so_pipeline.yaml
- source: salt://soc/files/soc/sigma_so_pipeline.yaml
- user: 939
- group: 939
- mode: 600
socbanner:
file.managed:
- name: /opt/so/conf/soc/banner.md
@@ -114,6 +137,13 @@ socuploaddir:
- group: 939
- makedirs: True
socsigmarepo:
file.directory:
- name: /opt/so/rules
- user: 939
- group: 939
- mode: 775
{% else %}
{{sls}}_state_not_allowed:

205
salt/soc/defaults.yaml
View File

@@ -9,7 +9,7 @@ soc:
icon: fa-crosshairs
target:
links:
- '/#/hunt?q="{value|escape}" | groupby event.module* event.dataset'
- '/#/hunt?q="{value|escape}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- name: actionAddToCase
description: actionAddToCaseHelp
icon: fa-briefcase
@@ -20,16 +20,16 @@ soc:
- dashboards
- name: actionCorrelate
description: actionCorrelateHelp
icon: fab fa-searchengin
icon: fa-magnifying-glass-arrow-right
target: ''
links:
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module* event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module* event.dataset'
- '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* event.dataset'
- '/#/hunt?q="{:log.id.fuid}" | groupby event.module* event.dataset'
- '/#/hunt?q="{:log.id.uid}" | groupby event.module* event.dataset'
- '/#/hunt?q="{:network.community_id}" | groupby event.module* event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- '/#/hunt?q="{:log.id.fuid}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- '/#/hunt?q="{:log.id.uid}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- '/#/hunt?q="{:network.community_id}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- name: actionPcap
description: actionPcapHelp
icon: fa-stream
@@ -59,12 +59,24 @@ soc:
target: _blank
links:
- 'https://www.virustotal.com/gui/search/{value}'
- name: Sublime Platform Email Review
description: Review email in Sublime Platform
- name: actionSublime
description: actionSublimeHelp
icon: fa-external-link-alt
target: _blank
links:
- 'https://{:sublime.url}/messages/{:sublime.message_group_id}'
- 'https://{:sublime.url}/messages/{:sublime.message_group_id}'
- name: actionProcessInfo
description: actionProcessInfoHelp
icon: fa-person-running
target: ''
links:
- '/#/hunt?q=(process.entity_id:"{:process.entity_id}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path'
- name: actionProcessAncestors
description: actionProcessAncestorsHelp
icon: fa-people-roof
target: ''
links:
- '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path'
eventFields:
default:
- soc_timestamp
@@ -989,6 +1001,69 @@ soc:
- tds.header_type
- log.id.uid
- event.dataset
':endpoint:events_x_api':
- soc_timestamp
- host.name
- user.name
- process.name
- process.Ext.api.name
- process.thread.Ext.call_stack_final_user_module.path
- event.dataset
':endpoint:events_x_file':
- soc_timestamp
- host.name
- user.name
- process.name
- event.action
- file.path
- event.dataset
':endpoint:events_x_library':
- soc_timestamp
- host.name
- user.name
- process.name
- event.action
- dll.path
- dll.code_signature.status
- dll.code_signature.subject_name
- event.dataset
':endpoint:events_x_network':
- soc_timestamp
- host.name
- user.name
- process.name
- event.action
- source.ip
- source.port
- destination.ip
- destination.port
- network.community_id
- event.dataset
':endpoint:events_x_process':
- soc_timestamp
- host.name
- user.name
- process.parent.name
- process.name
- event.action
- process.working_directory
- event.dataset
':endpoint:events_x_registry':
- soc_timestamp
- host.name
- user.name
- process.name
- event.action
- registry.path
- event.dataset
':endpoint:events_x_security':
- soc_timestamp
- host.name
- user.name
- process.executable
- event.action
- event.outcome
- event.dataset
server:
bindAddress: 0.0.0.0:9822
baseUrl: /
@@ -1002,6 +1077,16 @@ soc:
jobDir: jobs
kratos:
hostUrl:
elastalertengine:
allowRegex: ''
autoUpdateEnabled: false
communityRulesImportFrequencySeconds: 86400
denyRegex: ''
elastAlertRulesFolder: /opt/sensoroni/elastalert
rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
sigmaRulePackages:
- core
- emerging_threats_addon
elastic:
hostUrl:
remoteHostUrls: []
@@ -1020,6 +1105,7 @@ soc:
esSearchOffsetMs: 1800000
maxLogLength: 1024
asyncThreshold: 10
lookupTunnelParent: true
influxdb:
hostUrl:
token:
@@ -1043,6 +1129,21 @@ soc:
- rbac/custom_roles
userFiles:
- rbac/users_roles
strelkaengine:
allowRegex: ''
autoUpdateEnabled: false
compileYaraPythonScriptPath: /opt/so/conf/strelka/compile_yara.py
denyRegex: '.*'
reposFolder: /opt/sensoroni/yara/repos
rulesRepos:
- repo: https://github.com/Security-Onion-Solutions/securityonion-yara
license: DRL
yaraRulesFolder: /opt/sensoroni/yara/rules
suricataengine:
allowRegex: ''
communityRulesFile: /nsm/rules/suricata/emerging-all.rules
denyRegex: '.*'
rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
client:
enableReverseLookup: false
docsUrl: /docs/
@@ -1053,6 +1154,7 @@ soc:
tipTimeoutMs: 6000
cacheExpirationMs: 300000
casesEnabled: true
detectionsEnabled: false
inactiveTools: ['toolUnused']
tools:
- name: toolKibana
@@ -1108,6 +1210,9 @@ soc:
- name: caseExcludeToggle
filter: 'NOT _index:"*:so-case*"'
enabled: true
- name: detectionsExcludeToggle
filter: 'NOT _index:"*:so-detection*"'
enabled: true
- name: socExcludeToggle
filter: 'NOT event.module:"soc"'
enabled: true
@@ -1378,6 +1483,9 @@ soc:
- name: caseExcludeToggle
filter: 'NOT _index:"*:so-case*"'
enabled: true
- name: detectionsExcludeToggle
filter: 'NOT _index:"*:so-detection*"'
enabled: true
- name: socExcludeToggle
filter: 'NOT event.module:"soc"'
enabled: true
@@ -1411,21 +1519,33 @@ soc:
query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.dataset event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data'
- name: Host Process Activity
description: Process activity captured on an endpoint
query: 'event.category:process | groupby -sankey host.name user.name* | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable'
query: 'event.category:process | groupby -sankey host.name user.name* | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable | table soc_timestamp host.name user.name process.parent.name process.name event.action process.working_directory event.dataset'
- name: Host File Activity
description: File activity captured on an endpoint
query: 'event.category: file AND _exists_:process.executable | groupby -sankey host.name process.executable | groupby host.name | groupby event.dataset event.action event.type | groupby file.name | groupby process.executable'
- name: Host Network & Process Mappings
description: Network activity mapped to originating processes
query: 'event.category: network AND _exists_:process.executable | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby event.dataset* event.type* event.action* | groupby host.name | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Host API Events
description: API (Application Programming Interface) events from endpoints
query: 'event.dataset:endpoint.events.api | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby process.name | groupby process.Ext.api.name'
- name: Host Library Events
description: Library events from endpoints
query: 'event.dataset:endpoint.events.library | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby process.name | groupby event.action | groupby dll.path | groupby dll.code_signature.status | groupby dll.code_signature.subject_name'
- name: Host Security Events
description: Security events from endpoints
query: 'event.dataset:endpoint.events.security | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby process.executable | groupby event.action | groupby event.outcome'
- name: Strelka
description: Strelka file analysis
query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name'
- name: Zeek Notice
description: Zeek notice logs
query: 'event.dataset:zeek.notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Connections
description: Network connection metadata
- name: Connections and Metadata with community_id
description: Network connections that include community_id
query: '_exists_:network.community_id | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- name: Connections seen by Zeek or Suricata
description: Network connections logged by Zeek or Suricata
query: 'tags:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui'
- name: DCE_RPC
description: DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata
@@ -1562,6 +1682,9 @@ soc:
- name: Firewall
description: Firewall logs
query: 'observer.type:firewall | groupby -sankey event.action observer.ingress.interface.name | groupby event.action | groupby observer.ingress.interface.name | groupby network.type | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Firewall Auth
description: Firewall authentication logs
query: 'observer.type:firewall AND event.category:authentication | groupby user.name | groupby -sankey user.name source.ip | groupby source.ip | table soc_timestamp user.name source.ip message'
- name: VLAN
description: VLAN (Virtual Local Area Network) tagged logs
query: '* AND _exists_:network.vlan.id | groupby network.vlan.id | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby event.dataset | groupby event.module | groupby observer.name | groupby source.geo.country_name | groupby destination.geo.country_name'
@@ -1742,3 +1865,55 @@ soc:
- amber+strict
- red
customEnabled: false
detections:
viewEnabled: true
createLink: /detection/create
eventFetchLimit: 500
eventItemsPerPage: 50
groupFetchLimit: 50
mostRecentlyUsedLimit: 5
safeStringMaxLength: 100
queryBaseFilter: '_index:"*:so-detection" AND so_kind:detection'
eventFields:
default:
- so_detection.title
- so_detection.isEnabled
- so_detection.language
- so_detection.severity
queries:
- name: "All Detections"
query: "_id:*"
- name: "Custom Detections"
query: "so_detection.isCommunity:false"
- name: "All Detections - Enabled"
query: "so_detection.isEnabled:true"
- name: "All Detections - Disabled"
query: "so_detection.isEnabled:false"
- name: "Detection Type - Suricata (NIDS)"
query: "so_detection.language:suricata"
- name: "Detection Type - Sigma - All"
query: "so_detection.language:sigma"
- name: "Detection Type - Sigma - Windows"
query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*"'
- name: "Detection Type - Yara (Strelka)"
query: "so_detection.language:yara"
detection:
presets:
severity:
customEnabled: false
labels:
- unknown
- informational
- low
- medium
- high
- critical
language:
customEnabled: false
labels:
- suricata
- sigma
- yara
severityTranslations:
minor: low
major: high

6
salt/soc/enabled.sls
View File

@@ -22,12 +22,18 @@ so-soc:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
- binds:
- /nsm/rules:/nsm/rules:rw
- /opt/so/conf/strelka:/opt/sensoroni/yara:rw
- /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw
- /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw
- /nsm/soc/jobs:/opt/sensoroni/jobs:rw
- /nsm/soc/uploads:/nsm/soc/uploads:rw
- /opt/so/log/soc/:/opt/sensoroni/logs/:rw
- /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
- /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro
- /opt/so/conf/soc/banner.md:/opt/sensoroni/html/login/banner.md:ro
- /opt/so/conf/soc/sigma_so_pipeline.yaml:/opt/sensoroni/sigma_so_pipeline.yaml:ro
- /opt/so/conf/soc/sigma_final_pipeline.yaml:/opt/sensoroni/sigma_final_pipeline.yaml:rw
- /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro
- /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro
- /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw

14
salt/soc/files/bin/compile_yara.py Normal file
View File

@@ -0,0 +1,14 @@
import os
import yara
import glob
import sys
def compile_yara_rules(rules_dir: str) -> None:
compiled_rules_path: str = os.path.join(rules_dir, "rules.yar.compiled")
rule_files: list[str] = glob.glob(os.path.join(rules_dir, '**/*.yar'), recursive=True)
if rule_files:
rules: yara.Rules = yara.compile(filepaths={os.path.basename(f): f for f in rule_files})
rules.save(compiled_rules_path)
compile_yara_rules(sys.argv[1])

7
salt/soc/files/soc/sigma_final_pipeline.yaml Normal file
View File

@@ -0,0 +1,7 @@
name: Security Onion - Final Pipeline
priority: 95
transformations:
- id: override_field_name_mapping
type: field_name_mapping
mapping:
FieldNameToOverride: NewFieldName

81
salt/soc/files/soc/sigma_so_pipeline.yaml Normal file
View File

@@ -0,0 +1,81 @@
name: Security Onion Baseline Pipeline
priority: 90
transformations:
- id: baseline_field_name_mapping
type: field_name_mapping
mapping:
cs-method: http.method
c-uri: http.uri
c-useragent: http.useragent
cs-version: http.version
uid: user.uid
sid: rule.uuid
answer: answers
query: dns.query.name
src_ip: source.ip.keyword
src_port: source.port
dst_ip: destination.ip.keyword
dst_port: destination.port
winlog.event_data.User: user.name
# Maps "antivirus" category to Windows Defender logs shipped by Elastic Agent Winlog Integration
# winlog.event_data.threat_name has to be renamed prior to ingestion, it is originally winlog.event_data.Threat Name
- id: antivirus_field-mappings_windows-defender
type: field_name_mapping
mapping:
Signature: winlog.event_data.threat_name
rule_conditions:
- type: logsource
category: antivirus
- id: antivirus_add-fields_windows-defender
type: add_condition
conditions:
winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
winlog.provider_name: 'Microsoft-Windows-Windows Defender'
event.code: "1116"
rule_conditions:
- type: logsource
category: antivirus
# Drops the Hashes field which is specific to Sysmon logs
# Ingested sysmon logs will have the Hashes field mapped to ECS specific fields
- id: hashes_drop_sysmon-specific-field
type: drop_detection_item
field_name_conditions:
- type: include_fields
fields:
- winlog.event_data.Hashes
rule_conditions:
- type: logsource
product: windows
- id: hashes_process-creation
type: field_name_mapping
mapping:
winlog.event_data.sha256: process.hash.sha256
winlog.event_data.sha1: process.hash.sha1
winlog.event_data.md5: process.hash.md5
winlog.event_data.Imphash: process.pe.imphash
rule_conditions:
- type: logsource
product: windows
category: process_creation
- id: hashes_image-load
type: field_name_mapping
mapping:
winlog.event_data.sha256: dll.hash.sha256
winlog.event_data.sha1: dll.hash.sha1
winlog.event_data.md5: dll.hash.md5
winlog.event_data.Imphash: dll.pe.imphash
rule_conditions:
- type: logsource
product: windows
category: image_load
- id: hashes_driver-load
type: field_name_mapping
mapping:
winlog.event_data.sha256: dll.hash.sha256
winlog.event_data.sha1: dll.hash.sha1
winlog.event_data.md5: dll.hash.md5
winlog.event_data.Imphash: dll.pe.imphash
rule_conditions:
- type: logsource
product: windows
category: driver_load

19
salt/soc/merged.map.jinja
View File

@@ -30,6 +30,17 @@
{# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
{% do SOCMERGED.config.server.modules.pop('cases') %}
{# remove these modules if detections is disabled #}
{% if not SOCMERGED.config.server.client.detectionsEnabled %}
{% do SOCMERGED.config.server.modules.pop('elastalertengine') %}
{% do SOCMERGED.config.server.modules.pop('strelkaengine') %}
{% do SOCMERGED.config.server.modules.pop('suricataengine') %}
{% elif pillar.global.airgap %}
{# if system is Airgap, don't autoupdate Yara & Sigma rules #}
{% do SOCMERGED.config.server.modules.elastalertengine.update({'autoUpdateEnabled': false}) %}
{% do SOCMERGED.config.server.modules.strelkaengine.update({'autoUpdateEnabled': false}) %}
{% endif %}
{% if pillar.manager.playbook == 0 %}
{% do SOCMERGED.config.server.client.inactiveTools.append('toolPlaybook') %}
{% endif %}
@@ -66,6 +77,14 @@
{% do SOCMERGED.config.server.client.alerts.update({'actions': standard_actions}) %}
{% do SOCMERGED.config.server.client.cases.update({'actions': standard_actions}) %}
{# replace the _x_ with . for soc ui to config conversion #}
{% do SOCMERGED.config.eventFields.update({':endpoint:events.api': SOCMERGED.config.eventFields.pop(':endpoint:events_x_api') }) %}
{% do SOCMERGED.config.eventFields.update({':endpoint:events.file': SOCMERGED.config.eventFields.pop(':endpoint:events_x_file') }) %}
{% do SOCMERGED.config.eventFields.update({':endpoint:events.library': SOCMERGED.config.eventFields.pop(':endpoint:events_x_library') }) %}
{% do SOCMERGED.config.eventFields.update({':endpoint:events.network': SOCMERGED.config.eventFields.pop(':endpoint:events_x_network') }) %}
{% do SOCMERGED.config.eventFields.update({':endpoint:events.process': SOCMERGED.config.eventFields.pop(':endpoint:events_x_process') }) %}
{% do SOCMERGED.config.eventFields.update({':endpoint:events.registry': SOCMERGED.config.eventFields.pop(':endpoint:events_x_registry') }) %}
{% do SOCMERGED.config.eventFields.update({':endpoint:events.security': SOCMERGED.config.eventFields.pop(':endpoint:events_x_security') }) %}
{% set standard_eventFields = SOCMERGED.config.pop('eventFields') %}
{% do SOCMERGED.config.server.client.hunt.update({'eventFields': standard_eventFields}) %}
{% do SOCMERGED.config.server.client.dashboards.update({'eventFields': standard_eventFields}) %}

39
salt/soc/soc_soc.yaml
View File

@@ -32,6 +32,14 @@ soc:
global: True
advanced: True
helpLink: soc-customization.html
sigma_final_pipeline__yaml:
title: Final Sigma Pipeline
description: Final Processing Pipeline for Sigma Rules (future use, not yet complete)
syntax: yaml
file: True
global: True
advanced: True
helpLink: soc-customization.html
config:
licenseKey:
title: License Key
@@ -47,10 +55,17 @@ soc:
global: True
forcedType: "[]{}"
eventFields:
default:
description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. This 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
default: &eventFields
description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
global: True
advanced: True
':endpoint:events_x_api': *eventFields
':endpoint:events_x_file': *eventFields
':endpoint:events_x_library': *eventFields
':endpoint:events_x_network': *eventFields
':endpoint:events_x_process': *eventFields
':endpoint:events_x_registry': *eventFields
':endpoint:events_x_security': *eventFields
server:
srvKey:
description: Unique key for protecting the integrity of user submitted data via the web browser.
@@ -62,6 +77,15 @@ soc:
global: True
advanced: True
modules:
elastalertengine:
sigmaRulePackages:
description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone. (future use, not yet complete)'
global: True
advanced: False
autoUpdateEnabled:
description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false. (future use, not yet complete)'
global: True
advanced: True
elastic:
index:
description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.
@@ -102,6 +126,9 @@ soc:
description: Maximum number of events that can be acknowledged synchronously. When acknowledging large numbers of events, where the count exceeds this value, the acknowledge update will be performed in the background, as it can take several minutes to complete.
global: True
advanced: True
lookupTunnelParent:
description: When true, if a pivoted event appears to be encapsulated, such as in a VXLAN packet, then SOC will pivot to the VXLAN packet stream. When false, SOC will attempt to pivot to the encapsulated packet stream itself, but at the risk that it may be unable to locate it in the stored PCAP data.
global: True
sostatus:
refreshIntervalMs:
description: Duration (in milliseconds) between refreshes of the grid status. Shortening this duration may not have expected results, as the backend systems feeding this sostatus data will continue their updates as scheduled.
@@ -120,6 +147,11 @@ soc:
description: Duration (in milliseconds) to wait for a response from the Salt API when executing common grid management tasks before giving up and showing an error on the SOC UI.
global: True
advanced: True
strelkaengine:
autoUpdateEnabled:
description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false. (future use, not yet complete)'
global: True
advanced: True
client:
enableReverseLookup:
description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
@@ -142,6 +174,9 @@ soc:
casesEnabled:
description: Set to true to enable case management in SOC.
global: True
detectionsEnabled:
description: Set to true to enable the Detections module in SOC. (future use, not yet complete)
global: True
inactiveTools:
description: List of external tools to remove from the SOC UI.
global: True

4
salt/ssl/remove.sls
View File

@@ -2,6 +2,10 @@ trusttheca:
file.absent:
- name: /etc/pki/tls/certs/intca.crt
symlinkca:
file.absent:
- name: /etc/ssl/certs/intca.crt
influxdb_key:
file.absent:
- name: /etc/pki/influxdb.key

3
salt/stig/defaults.yaml Normal file
View File

@@ -0,0 +1,3 @@
stig:
enabled: False
run_interval: 12

15
salt/stig/disabled.sls Normal file
View File

@@ -0,0 +1,15 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
stig_remediate_schedule:
schedule.absent
remove_stig_script:
file.absent:
- name: /usr/sbin/so-stig
{% endif %}

107
salt/stig/enabled.sls Normal file
View File

@@ -0,0 +1,107 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
#
# Note: Per the Elastic License 2.0, the second limitation states:
#
# "You may not move, change, disable, or circumvent the license key functionality
# in the software, and you may not remove or obscure any functionality in the
# software that is protected by the license key."
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states and GLOBALS.os == 'OEL' %}
{% if 'stg' in salt['pillar.get']('features', []) %}
{% set OSCAP_PROFILE_NAME = 'xccdf_org.ssgproject.content_profile_stig' %}
{% set OSCAP_PROFILE_LOCATION = '/opt/so/conf/stig/sos-oscap.xml' %}
{% set OSCAP_OUTPUT_DIR = '/opt/so/log/stig' %}
oscap_packages:
pkg.installed:
- skip_suggestions: True
- pkgs:
- openscap
- openscap-scanner
- scap-security-guide
make_some_dirs:
file.directory:
- name: /opt/so/log/stig
- user: socore
- group: socore
- makedirs: True
make_more_dir:
file.directory:
- name: /opt/so/conf/stig
- user: socore
- group: socore
- makedirs: True
update_stig_profile:
file.managed:
- name: /opt/so/conf/stig/sos-oscap.xml
- source: salt://stig/files/sos-oscap.xml
- user: socore
- group: socore
- mode: 0644
{% if not salt['file.file_exists'](OSCAP_OUTPUT_DIR ~ '/pre-oscap-report.html') %}
run_initial_scan:
cmd.run:
- name: 'oscap xccdf eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/pre-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/pre-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}'
- success_retcodes:
- 2
{% endif %}
run_remediate:
cmd.run:
- name: 'oscap xccdf eval --remediate --profile {{ OSCAP_PROFILE_NAME }} {{ OSCAP_PROFILE_LOCATION }}'
- success_retcodes:
- 2
{# OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction #}
disable_ctrl_alt_del_action:
file.replace:
- name: /etc/systemd/system.conf
- pattern: '^#CtrlAltDelBurstAction=none'
- repl: 'CtrlAltDelBurstAction=none'
- backup: '.bak'
{# OSCAP rule id: xccdf_org.ssgproject.content_rule_no_empty_passwords #}
remove_nullok_from_password_auth:
file.replace:
- name: /etc/pam.d/password-auth
- pattern: ' nullok'
- repl: ''
- backup: '.bak'
remove_nullok_from_system_auth_auth:
file.replace:
- name: /etc/pam.d/system-auth
- pattern: ' nullok'
- repl: ''
- backup: '.bak'
run_post_scan:
cmd.run:
- name: 'oscap xccdf eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/post-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/post-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml'
- success_retcodes:
- 2
{% else %}
{{sls}}_no_license_detected:
test.fail_without_changes:
- name: {{sls}}_no_license_detected
- comment:
- "The application of STIGs is a feature supported only for customers with a valid license.
Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com
for more information about purchasing a license to enable this feature."
{% endif %}
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

244945
salt/stig/files/sos-oscap.xml Normal file
View File

File diff suppressed because one or more lines are too long

16
salt/stig/init.sls Normal file
View File

@@ -0,0 +1,16 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'stig/map.jinja' import STIGMERGED %}
include:
{% if STIGMERGED.enabled %}
- stig.schedule
{% if not salt['schedule.is_enabled'](name="stig_remediate_schedule") %}
- stig.enabled
{% endif %}
{% else %}
- stig.disabled
{% endif %}

7
salt/stig/map.jinja Normal file
View File

@@ -0,0 +1,7 @@
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% import_yaml 'stig/defaults.yaml' as STIGDEFAULTS with context %}
{% set STIGMERGED = salt['pillar.get']('stig', STIGDEFAULTS.stig, merge=True) %}

24
salt/stig/schedule.sls Normal file
View File

@@ -0,0 +1,24 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'stig/map.jinja' import STIGMERGED %}
{% if 'stg' in salt['pillar.get']('features', []) %}
stig_remediate_schedule:
schedule.present:
- function: state.apply
- job_args:
- stig.enabled
- hours: {{ STIGMERGED.run_interval }}
- maxrunning: 1
- enabled: true
{% else %}
{{sls}}_no_license_detected:
test.fail_without_changes:
- name: {{sls}}_no_license_detected
- comment:
- "The application of STIGs is a feature supported only for customers with a valid license.
Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com
for more information about purchasing a license to enable this feature."
{% endif %}

11
salt/stig/soc_stig.yaml Normal file
View File

@@ -0,0 +1,11 @@
stig:
enabled:
description: You can enable or disable the application of STIGS using oscap. Note that the actions performed by OSCAP are not automatically reversible.
forcedType: bool
advanced: True
run_interval:
description: The interval in hours between OSCAP remediate executions.
forcedType: int
regex: ^([1-9][0-9]{0,2})$
regexFailureMessage: The value must be an integer between 1 and 999.
advanced: True

16
salt/strelka/backend/config.sls
View File

@@ -50,15 +50,15 @@ backend_taste:
- user: 939
- group: 939
{% if STRELKAMERGED.rules.enabled %}
{% if STRELKAMERGED.rules.enabled %}
strelkarules:
file.recurse:
- name: /opt/so/conf/strelka/rules
- source: salt://strelka/rules
- user: 939
- group: 939
- clean: True
{% endif %}
file.recurse:
- name: /opt/so/conf/strelka/rules
- source: salt://strelka/rules
- user: 939
- group: 939
- clean: True
{% endif %}
{% else %}

9
salt/strelka/config.sls
View File

@@ -1,5 +1,5 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
@@ -21,6 +21,13 @@ strelkarulesdir:
- group: 939
- makedirs: True
strelkareposdir:
file.directory:
- name: /opt/so/conf/strelka/repos
- user: 939
- group: 939
- makedirs: True
strelkadatadir:
file.directory:
- name: /nsm/strelka

197
salt/strelka/defaults.yaml
View File

@@ -17,9 +17,10 @@ strelka:
mime_db: '/usr/lib/file/magic.mgc'
yara_rules: '/etc/strelka/taste/'
scanners:
'ScanBase64':
'ScanBase64PE':
- positive:
filename: '^base64_'
flavors:
- 'base64_pe'
priority: 5
'ScanBatch':
- positive:
@@ -27,12 +28,27 @@ strelka:
- 'text/x-msdos-batch'
- 'batch_file'
priority: 5
'ScanBmpEof':
- positive:
flavors:
- 'image/x-ms-bmp'
- 'bmp_file'
negative:
source:
- 'ScanTranscode'
priority: 5
'ScanBzip2':
- positive:
flavors:
- 'application/x-bzip2'
- 'bzip2_file'
priority: 5
'ScanDmg':
- positive:
flavors:
- 'dmg_disk_image'
- 'hfsplus_disk_image'
priority: 5
'ScanDocx':
- positive:
flavors:
@@ -40,6 +56,11 @@ strelka:
priority: 5
options:
extract_text: False
'ScanDonut':
- positive:
flavors:
- 'hacktool_win_shellcode_donut'
priority: 5
'ScanElf':
- positive:
flavors:
@@ -56,6 +77,26 @@ strelka:
- 'message/rfc822'
- 'email_file'
priority: 5
'ScanEncryptedDoc':
- positive:
flavors:
- 'encrypted_word_document'
priority: 5
options:
max_length: 5
scanner_timeout: 150
log_pws: True
password_file: "/etc/strelka/passwords.dat"
'ScanEncryptedZip':
- positive:
flavors:
- 'encrypted_zip'
priority: 5
options:
max_length: 5
scanner_timeout: 150
log_pws: True
password_file: '/etc/strelka/passwords.dat'
'ScanEntropy':
- positive:
flavors:
@@ -111,6 +152,16 @@ strelka:
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanFooter':
- positive:
flavors:
- '*'
priority: 5
options:
length: 50
encodings:
- classic
- backslash
'ScanGif':
- positive:
flavors:
@@ -144,13 +195,25 @@ strelka:
- 'html_file'
priority: 5
options:
parser: "html5lib"
max_hyperlinks: 50
'ScanIqy':
- positive:
flavors:
- 'iqy_file'
priority: 5
'ScanIni':
- positive:
filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$'
flavors:
- 'ini_file'
priority: 5
'ScanIso':
- positive:
flavors:
- 'application/x-iso9660-image'
priority: 5
options:
limit: 50
'ScanJarManifest':
- positive:
flavors:
@@ -198,6 +261,25 @@ strelka:
priority: 5
options:
limit: 1000
'ScanLNK':
- positive:
flavors:
- 'lnk_file'
priority: 5
'ScanLsb':
- positive:
flavors:
- 'image/png'
- 'png_file'
- 'image/jpeg'
- 'jpeg_file'
- 'image/x-ms-bmp'
- 'bmp_file'
- 'image/webp'
negative:
source:
- 'ScanTranscode'
priority: 5
'ScanLzma':
- positive:
flavors:
@@ -214,6 +296,36 @@ strelka:
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanManifest':
- positive:
flavors:
- 'browser_manifest'
priority: 5
'ScanMsi':
- positive:
flavors:
- "image/vnd.fpx"
- "application/vnd.ms-msi"
- "application/x-msi"
priority: 5
options:
tmp_directory: '/dev/shm/'
keys:
- 'Author'
- 'Characters'
- 'Company'
- 'CreateDate'
- 'LastModifiedBy'
- 'Lines'
- 'ModifyDate'
- 'Pages'
- 'Paragraphs'
- 'RevisionNumber'
- 'Software'
- 'Template'
- 'Title'
- 'TotalEditTime'
- 'Words'
'ScanOcr':
- positive:
flavors:
@@ -236,6 +348,13 @@ strelka:
- 'application/msword'
- 'olecf_file'
priority: 5
'ScanOnenote':
- positive:
flavors:
- 'application/onenote'
- 'application/msonenote'
- 'onenote_file'
priority: 5
'ScanPdf':
- positive:
flavors:
@@ -285,6 +404,30 @@ strelka:
- 'ProgramArguments'
- 'RunAtLoad'
- 'StartInterval'
'ScanPngEof':
- positive:
flavors:
- 'image/png'
- 'png_file'
negative:
source:
- 'ScanTranscode'
priority: 5
'ScanQr':
- positive:
flavors:
- 'image/jpeg'
- 'jpeg_file'
- 'image/png'
- 'png_file'
- 'image/tiff'
- 'type_is_tiff'
- 'image/x-ms-bmp'
- 'bmp_file'
- 'image/webp'
priority: 5
options:
support_inverted: True
'ScanRar':
- positive:
flavors:
@@ -309,6 +452,19 @@ strelka:
priority: 5
options:
limit: 1000
'ScanSevenZip':
- positive:
flavors:
- 'application/x-7z-compressed'
- '_7zip_file'
- "image/vnd.fpx"
- "application/vnd.ms-msi"
- "application/x-msi"
priority: 5
options:
scanner_timeout: 150
crack_pws: True
log_pws: True
'ScanSwf':
- positive:
flavors:
@@ -351,6 +507,7 @@ strelka:
flavors:
- 'vb_file'
- 'vbscript'
- 'hta_file'
priority: 5
'ScanVba':
- positive:
@@ -362,6 +519,20 @@ strelka:
priority: 5
options:
analyze_macros: True
'ScanVhd':
- positive:
flavors:
- 'application/x-vhd'
- 'vhd_file'
- 'vhdx_file'
priority: 5
options:
limit: 100
'ScanVsto':
- positive:
flavors:
- 'vsto_file'
priority: 5
'ScanX509':
- positive:
flavors:
@@ -391,6 +562,12 @@ strelka:
priority: 5
options:
location: '/etc/yara/'
compiled:
enabled: False
filename: "rules.compiled"
store_offset: True
offset_meta_key: "StrelkaHexDump"
offset_padding: 32
'ScanZip':
- positive:
flavors:
@@ -530,6 +707,20 @@ strelka:
ttl: 1h
response:
log: "/var/log/strelka/strelka.log"
broker:
bootstrap: "PLACEHOLDER"
protocol: "PLACEHOLDER"
certlocation: "PLACEHOLDER"
keylocation: "PLACEHOLDER"
calocation: "PLACEHOLDER"
topic: "PLACEHOLDER"
s3redundancy: "PLACEHOLDER - This should be a boolean value"
s3:
accesskey: "PLACEHOLDER"
secretkey: "PLACEHOLDER"
bucketName: "PLACEHOLDER"
region: "PLACEHOLDER"
endpoint: "PLACEHOLDER"
manager:
enabled: False
config:

51
salt/suricata/classification/classification.config Normal file
View File

@@ -0,0 +1,51 @@
#
# config classification:shortname,short description,priority
#
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2
# Update
config classification: targeted-activity,Targeted Malicious Activity was Detected,1
config classification: exploit-kit,Exploit Kit Activity Detected,1
config classification: external-ip-check,Device Retrieving External IP Address Detected,2
config classification: domain-c2,Domain Observed Used for C2 Detected,1
config classification: pup-activity,Possibly Unwanted Program Detected,2
config classification: credential-theft,Successful Credential Theft Detected,1
config classification: social-engineering,Possible Social Engineering Attempted,2
config classification: coin-mining,Crypto Currency Mining Activity Detected,2
config classification: command-and-control,Malware Command and Control Activity Detected,1

Some files were not shown because too many files have changed in this diff Show More