CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-03-23 21:12:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: CSEC_PUBLIC:zeek-websocket
Branches Tags
CSEC_PUBLIC:master CSEC_PUBLIC:3/dev CSEC_PUBLIC:reyesj2-361 CSEC_PUBLIC:delta CSEC_PUBLIC:jertel/wip CSEC_PUBLIC:zeek-websocket CSEC_PUBLIC:quickfixes CSEC_PUBLIC:customulimit CSEC_PUBLIC:ulimits CSEC_PUBLIC:reyesj2-449 CSEC_PUBLIC:reyesj2-15601 CSEC_PUBLIC:zeekload CSEC_PUBLIC:moreja CSEC_PUBLIC:analyzer-cp314-wheels CSEC_PUBLIC:moresoup CSEC_PUBLIC:mreeves/remove-non-oracle9-salt CSEC_PUBLIC:mreeves/remove-non-oracle9-support CSEC_PUBLIC:TOoSmOotH-patch-6 CSEC_PUBLIC:2.4/dev CSEC_PUBLIC:2.4/main CSEC_PUBLIC:patch/2.4.211 CSEC_PUBLIC:TOoSmOotH-patch-5 CSEC_PUBLIC:stenoclean CSEC_PUBLIC:fix/suricatatest CSEC_PUBLIC:bravo CSEC_PUBLIC:kilo CSEC_PUBLIC:foxtrot CSEC_PUBLIC:3/dev-merge-fix CSEC_PUBLIC:2.4.210 CSEC_PUBLIC:TOoSmOotH-patch-2 CSEC_PUBLIC:3/main CSEC_PUBLIC:patch/2.4.201 CSEC_PUBLIC:reyesj2/elastic-statereview CSEC_PUBLIC:2.4/playbooklocalrepo CSEC_PUBLIC:kaffytaffy CSEC_PUBLIC:2.3/main CSEC_PUBLIC:dev CSEC_PUBLIC:sysusers CSEC_PUBLIC:feature/users
CSEC_PUBLIC:2.4.211-20260312 CSEC_PUBLIC:2.4.210-20260302 CSEC_PUBLIC:2.4.201-20260114 CSEC_PUBLIC:2.4.200-20251216 CSEC_PUBLIC:2.4.190-20251024 CSEC_PUBLIC:2.4.180-20250916 CSEC_PUBLIC:2.4.170-20250812 CSEC_PUBLIC:2.4.160-20250625 CSEC_PUBLIC:2.4.160-20250615 CSEC_PUBLIC:2.4.150-20250522 CSEC_PUBLIC:2.4.150-20250512 CSEC_PUBLIC:2.4.141-20250331 CSEC_PUBLIC:2.4.140-20250324 CSEC_PUBLIC:2.4.130-20250311 CSEC_PUBLIC:2.4.120-20250212 CSEC_PUBLIC:2.4.111-20241217 CSEC_PUBLIC:2.4.110-20241010 CSEC_PUBLIC:2.4.110-20241004 CSEC_PUBLIC:2.4.100-20240903 CSEC_PUBLIC:2.4.100-20240829 CSEC_PUBLIC:2.4.90-20240729 CSEC_PUBLIC:2.4.80-20240624 CSEC_PUBLIC:2.4.80-20240625 CSEC_PUBLIC:2.4.70-20240529 CSEC_PUBLIC:2.3.300-20240401 CSEC_PUBLIC:2.4.60-20240320 CSEC_PUBLIC:2.3.290-20240229 CSEC_PUBLIC:2.4.50-20240220 CSEC_PUBLIC:2.4.40-20240116 CSEC_PUBLIC:2.4.30-20231228 CSEC_PUBLIC:2.4.30-20231219 CSEC_PUBLIC:2.4.30-20231204 CSEC_PUBLIC:2.3.280-20231128 CSEC_PUBLIC:2.4.30-20231121 CSEC_PUBLIC:2.4.30-20231117 CSEC_PUBLIC:2.4.30-20231113 CSEC_PUBLIC:2.4.20-20231012 CSEC_PUBLIC:2.4.20-20231006 CSEC_PUBLIC:2.3.270-1006 CSEC_PUBLIC:2.4.10-202030821 CSEC_PUBLIC:2.4.10-20230815 CSEC_PUBLIC:2.4.5-20230807 CSEC_PUBLIC:2.4.5 CSEC_PUBLIC:2.4.4-20230728 CSEC_PUBLIC:2.4.3-20230711 CSEC_PUBLIC:2.3.260-20230620 CSEC_PUBLIC:2.4.2-20230531 CSEC_PUBLIC:2.3.250-20230519 CSEC_PUBLIC:2.3.240-20220426 CSEC_PUBLIC:2.4.1-20230424 CSEC_PUBLIC:2.3.230-20230417 CSEC_PUBLIC:2.4.0-20230328 CSEC_PUBLIC:2.3.220-20230301 CSEC_PUBLIC:2.3.220-20230224 CSEC_PUBLIC:2.3.210-20230202 CSEC_PUBLIC:2.3.200-20230113 CSEC_PUBLIC:2.3.190-20221207 CSEC_PUBLIC:2.3.190-20221205 CSEC_PUBLIC:2.3.182-20221109 CSEC_PUBLIC:2.3.181-20221021 CSEC_PUBLIC:2.3.180-20221014 CSEC_PUBLIC:2.3.170-20220922 CSEC_PUBLIC:2.3.160-20220829 CSEC_PUBLIC:2.3.150-20220820 CSEC_PUBLIC:2.3.140-20220812 CSEC_PUBLIC:2.3.140-20220719 CSEC_PUBLIC:2.3.140-20220718 CSEC_PUBLIC:2.3.130-20220607 CSEC_PUBLIC:2.3.120 CSEC_PUBLIC:2.3.110-20220407 CSEC_PUBLIC:2.3.110-20220405 CSEC_PUBLIC:2.3.110-20220401 CSEC_PUBLIC:2.3.110-20220309 CSEC_PUBLIC:2.3.100-20220301 CSEC_PUBLIC:2.3.100-20220203 CSEC_PUBLIC:2.3.100-20220202 CSEC_PUBLIC:2.3.100 CSEC_PUBLIC:2.3.91 CSEC_PUBLIC:2.3.90-20211213 CSEC_PUBLIC:2.3.90-20211210 CSEC_PUBLIC:2.3.90-20211206 CSEC_PUBLIC:2.3.90-AIRGAPFIX CSEC_PUBLIC:2.3.90-WAZUH CSEC_PUBLIC:2.3.90 CSEC_PUBLIC:2.3.80 CSEC_PUBLIC:2.3.70-WAZUH CSEC_PUBLIC:2.3.70-GRAFANA CSEC_PUBLIC:2.3.70-CURATOR CSEC_PUBLIC:2.3.70 CSEC_PUBLIC:2.3.61MSEARCH CSEC_PUBLIC:2.3.61STENODOCKER CSEC_PUBLIC:2.3.61 CSEC_PUBLIC:2.3.60CURATORAUTH CSEC_PUBLIC:2.3.60FBPIPELINE CSEC_PUBLIC:2.3.60HEAVYNODE CSEC_PUBLIC:2.3.60ECS CSEC_PUBLIC:2.3.60 CSEC_PUBLIC:2.3.52 CSEC_PUBLIC:2.3.51 CSEC_PUBLIC:2.3.50GRIDFIX CSEC_PUBLIC:2.3.50 CSEC_PUBLIC:2.3.40 CSEC_PUBLIC:2.3.30 CSEC_PUBLIC:2.3.21 CSEC_PUBLIC:2.3.20 CSEC_PUBLIC:2.3.10 CSEC_PUBLIC:2.3.2 CSEC_PUBLIC:2.3.1 CSEC_PUBLIC:2.3.0 CSEC_PUBLIC:2.2.0-rc3 CSEC_PUBLIC:2.1.0-rc2 CSEC_PUBLIC:2.0.1-rc1.1 CSEC_PUBLIC:2.0.1-rc1 CSEC_PUBLIC:2.0.0-rc1 CSEC_PUBLIC:1.4.1 CSEC_PUBLIC:1.4.0 CSEC_PUBLIC:1.3.0 CSEC_PUBLIC:1.2.1-1 CSEC_PUBLIC:1.2.1 CSEC_PUBLIC:1.1.4 CSEC_PUBLIC:1.1.3 CSEC_PUBLIC:1.0.4 CSEC_PUBLIC:v1.0.3
..
compare: CSEC_PUBLIC:jertel/wip
Branches Tags
CSEC_PUBLIC:3/dev CSEC_PUBLIC:reyesj2-361 CSEC_PUBLIC:delta CSEC_PUBLIC:jertel/wip CSEC_PUBLIC:zeek-websocket CSEC_PUBLIC:quickfixes CSEC_PUBLIC:customulimit CSEC_PUBLIC:ulimits CSEC_PUBLIC:reyesj2-449 CSEC_PUBLIC:reyesj2-15601 CSEC_PUBLIC:zeekload CSEC_PUBLIC:moreja CSEC_PUBLIC:analyzer-cp314-wheels CSEC_PUBLIC:moresoup CSEC_PUBLIC:mreeves/remove-non-oracle9-salt CSEC_PUBLIC:mreeves/remove-non-oracle9-support CSEC_PUBLIC:TOoSmOotH-patch-6 CSEC_PUBLIC:2.4/dev CSEC_PUBLIC:2.4/main CSEC_PUBLIC:patch/2.4.211 CSEC_PUBLIC:TOoSmOotH-patch-5 CSEC_PUBLIC:stenoclean CSEC_PUBLIC:fix/suricatatest CSEC_PUBLIC:bravo CSEC_PUBLIC:kilo CSEC_PUBLIC:foxtrot CSEC_PUBLIC:3/dev-merge-fix CSEC_PUBLIC:2.4.210 CSEC_PUBLIC:TOoSmOotH-patch-2 CSEC_PUBLIC:3/main CSEC_PUBLIC:patch/2.4.201 CSEC_PUBLIC:reyesj2/elastic-statereview CSEC_PUBLIC:2.4/playbooklocalrepo CSEC_PUBLIC:kaffytaffy CSEC_PUBLIC:2.3/main CSEC_PUBLIC:master CSEC_PUBLIC:dev CSEC_PUBLIC:sysusers CSEC_PUBLIC:feature/users
CSEC_PUBLIC:2.4.211-20260312 CSEC_PUBLIC:2.4.210-20260302 CSEC_PUBLIC:2.4.201-20260114 CSEC_PUBLIC:2.4.200-20251216 CSEC_PUBLIC:2.4.190-20251024 CSEC_PUBLIC:2.4.180-20250916 CSEC_PUBLIC:2.4.170-20250812 CSEC_PUBLIC:2.4.160-20250625 CSEC_PUBLIC:2.4.160-20250615 CSEC_PUBLIC:2.4.150-20250522 CSEC_PUBLIC:2.4.150-20250512 CSEC_PUBLIC:2.4.141-20250331 CSEC_PUBLIC:2.4.140-20250324 CSEC_PUBLIC:2.4.130-20250311 CSEC_PUBLIC:2.4.120-20250212 CSEC_PUBLIC:2.4.111-20241217 CSEC_PUBLIC:2.4.110-20241010 CSEC_PUBLIC:2.4.110-20241004 CSEC_PUBLIC:2.4.100-20240903 CSEC_PUBLIC:2.4.100-20240829 CSEC_PUBLIC:2.4.90-20240729 CSEC_PUBLIC:2.4.80-20240624 CSEC_PUBLIC:2.4.80-20240625 CSEC_PUBLIC:2.4.70-20240529 CSEC_PUBLIC:2.3.300-20240401 CSEC_PUBLIC:2.4.60-20240320 CSEC_PUBLIC:2.3.290-20240229 CSEC_PUBLIC:2.4.50-20240220 CSEC_PUBLIC:2.4.40-20240116 CSEC_PUBLIC:2.4.30-20231228 CSEC_PUBLIC:2.4.30-20231219 CSEC_PUBLIC:2.4.30-20231204 CSEC_PUBLIC:2.3.280-20231128 CSEC_PUBLIC:2.4.30-20231121 CSEC_PUBLIC:2.4.30-20231117 CSEC_PUBLIC:2.4.30-20231113 CSEC_PUBLIC:2.4.20-20231012 CSEC_PUBLIC:2.4.20-20231006 CSEC_PUBLIC:2.3.270-1006 CSEC_PUBLIC:2.4.10-202030821 CSEC_PUBLIC:2.4.10-20230815 CSEC_PUBLIC:2.4.5-20230807 CSEC_PUBLIC:2.4.5 CSEC_PUBLIC:2.4.4-20230728 CSEC_PUBLIC:2.4.3-20230711 CSEC_PUBLIC:2.3.260-20230620 CSEC_PUBLIC:2.4.2-20230531 CSEC_PUBLIC:2.3.250-20230519 CSEC_PUBLIC:2.3.240-20220426 CSEC_PUBLIC:2.4.1-20230424 CSEC_PUBLIC:2.3.230-20230417 CSEC_PUBLIC:2.4.0-20230328 CSEC_PUBLIC:2.3.220-20230301 CSEC_PUBLIC:2.3.220-20230224 CSEC_PUBLIC:2.3.210-20230202 CSEC_PUBLIC:2.3.200-20230113 CSEC_PUBLIC:2.3.190-20221207 CSEC_PUBLIC:2.3.190-20221205 CSEC_PUBLIC:2.3.182-20221109 CSEC_PUBLIC:2.3.181-20221021 CSEC_PUBLIC:2.3.180-20221014 CSEC_PUBLIC:2.3.170-20220922 CSEC_PUBLIC:2.3.160-20220829 CSEC_PUBLIC:2.3.150-20220820 CSEC_PUBLIC:2.3.140-20220812 CSEC_PUBLIC:2.3.140-20220719 CSEC_PUBLIC:2.3.140-20220718 CSEC_PUBLIC:2.3.130-20220607 CSEC_PUBLIC:2.3.120 CSEC_PUBLIC:2.3.110-20220407 CSEC_PUBLIC:2.3.110-20220405 CSEC_PUBLIC:2.3.110-20220401 CSEC_PUBLIC:2.3.110-20220309 CSEC_PUBLIC:2.3.100-20220301 CSEC_PUBLIC:2.3.100-20220203 CSEC_PUBLIC:2.3.100-20220202 CSEC_PUBLIC:2.3.100 CSEC_PUBLIC:2.3.91 CSEC_PUBLIC:2.3.90-20211213 CSEC_PUBLIC:2.3.90-20211210 CSEC_PUBLIC:2.3.90-20211206 CSEC_PUBLIC:2.3.90-AIRGAPFIX CSEC_PUBLIC:2.3.90-WAZUH CSEC_PUBLIC:2.3.90 CSEC_PUBLIC:2.3.80 CSEC_PUBLIC:2.3.70-WAZUH CSEC_PUBLIC:2.3.70-GRAFANA CSEC_PUBLIC:2.3.70-CURATOR CSEC_PUBLIC:2.3.70 CSEC_PUBLIC:2.3.61MSEARCH CSEC_PUBLIC:2.3.61STENODOCKER CSEC_PUBLIC:2.3.61 CSEC_PUBLIC:2.3.60CURATORAUTH CSEC_PUBLIC:2.3.60FBPIPELINE CSEC_PUBLIC:2.3.60HEAVYNODE CSEC_PUBLIC:2.3.60ECS CSEC_PUBLIC:2.3.60 CSEC_PUBLIC:2.3.52 CSEC_PUBLIC:2.3.51 CSEC_PUBLIC:2.3.50GRIDFIX CSEC_PUBLIC:2.3.50 CSEC_PUBLIC:2.3.40 CSEC_PUBLIC:2.3.30 CSEC_PUBLIC:2.3.21 CSEC_PUBLIC:2.3.20 CSEC_PUBLIC:2.3.10 CSEC_PUBLIC:2.3.2 CSEC_PUBLIC:2.3.1 CSEC_PUBLIC:2.3.0 CSEC_PUBLIC:2.2.0-rc3 CSEC_PUBLIC:2.1.0-rc2 CSEC_PUBLIC:2.0.1-rc1.1 CSEC_PUBLIC:2.0.1-rc1 CSEC_PUBLIC:2.0.0-rc1 CSEC_PUBLIC:1.4.1 CSEC_PUBLIC:1.4.0 CSEC_PUBLIC:1.3.0 CSEC_PUBLIC:1.2.1-1 CSEC_PUBLIC:1.2.1 CSEC_PUBLIC:1.1.4 CSEC_PUBLIC:1.1.3 CSEC_PUBLIC:1.0.4 CSEC_PUBLIC:v1.0.3

1 Commits
zeek-webso ... jertel/wip

Author SHA1 Message Date
Jason Ertel
2f9a2e15b3 do not attempt to redirect to a source map after login 2026-03-23 09:48:06 -04:00
72 changed files with 553 additions and 1117 deletions
Expand all files Collapse all files

19
salt/common/files/daemon.json Normal file
View File

@@ -0,0 +1,19 @@
{
"registry-mirrors": [
"https://:5000"
],
"bip": "172.17.0.1/24",
"default-address-pools": [
{
"base": "172.17.0.0/24",
"size": 24
}
],
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Soft": 1048576,
"Hard": 1048576
}
}
}

16
salt/common/tools/sbin/so-common
View File

@@ -545,22 +545,6 @@ retry() {
return $exitcode
}
rollover_index() {
idx=$1
exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}")
if [[ $exists -eq 200 ]]; then
rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST)
if [[ $rollover -eq 200 ]]; then
echo "Successfully triggered rollover for $idx..."
else
echo "Could not trigger rollover for $idx..."
fi
else
echo "Could not find index $idx..."
fi
}
run_check_net_err() {
local cmd=$1
local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable

45
salt/docker/defaults.yaml
View File

@@ -1,10 +1,6 @@
docker:
range: '172.17.1.0/24'
gateway: '172.17.1.1'
ulimits:
- name: nofile
soft: 1048576
hard: 1048576
containers:
'so-dockerregistry':
final_octet: 20
@@ -13,7 +9,6 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-elastic-fleet':
final_octet: 21
port_bindings:
@@ -21,7 +16,6 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-elasticsearch':
final_octet: 22
port_bindings:
@@ -30,16 +24,6 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits:
- name: memlock
soft: -1
hard: -1
- name: nofile
soft: 65536
hard: 65536
- name: nproc
soft: 4096
hard: 4096
'so-influxdb':
final_octet: 26
port_bindings:
@@ -47,7 +31,6 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-kibana':
final_octet: 27
port_bindings:
@@ -55,7 +38,6 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-kratos':
final_octet: 28
port_bindings:
@@ -64,7 +46,6 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-hydra':
final_octet: 30
port_bindings:
@@ -73,7 +54,6 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-logstash':
final_octet: 29
port_bindings:
@@ -90,7 +70,6 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-nginx':
final_octet: 31
port_bindings:
@@ -102,7 +81,6 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-nginx-fleet-node':
final_octet: 31
port_bindings:
@@ -110,7 +88,6 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-redis':
final_octet: 33
port_bindings:
@@ -119,13 +96,11 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-sensoroni':
final_octet: 99
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-soc':
final_octet: 34
port_bindings:
@@ -133,19 +108,16 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-backend':
final_octet: 36
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-filestream':
final_octet: 37
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-frontend':
final_octet: 38
port_bindings:
@@ -153,13 +125,11 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-manager':
final_octet: 39
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-gatekeeper':
final_octet: 40
port_bindings:
@@ -167,7 +137,6 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-coordinator':
final_octet: 41
port_bindings:
@@ -175,13 +144,11 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-elastalert':
final_octet: 42
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-elastic-fleet-package-registry':
final_octet: 44
port_bindings:
@@ -189,13 +156,11 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-idh':
final_octet: 45
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-elastic-agent':
final_octet: 46
port_bindings:
@@ -204,28 +169,23 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-telegraf':
final_octet: 99
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-suricata':
final_octet: 99
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
ulimits:
- memlock=524288000
'so-zeek':
final_octet: 99
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits:
- name: core
soft: 0
hard: 0
'so-kafka':
final_octet: 88
port_bindings:
@@ -236,4 +196,3 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []

8
salt/docker/docker.map.jinja
View File

@@ -1,8 +1,8 @@
{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
{% set DOCKERMERGED = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
{% set RANGESPLIT = DOCKERMERGED.range.split('.') %}
{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
{% set RANGESPLIT = DOCKER.range.split('.') %}
{% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
{% for container, vals in DOCKERMERGED.containers.items() %}
{% do DOCKERMERGED.containers[container].update({'ip': FIRSTTHREE ~ DOCKERMERGED.containers[container].final_octet}) %}
{% for container, vals in DOCKER.containers.items() %}
{% do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %}
{% endfor %}

24
salt/docker/files/daemon.json.jinja
View File

@@ -1,24 +0,0 @@
{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
{
"registry-mirrors": [
"https://:5000"
],
"bip": "172.17.0.1/24",
"default-address-pools": [
{
"base": "172.17.0.0/24",
"size": 24
}
]
{%- if DOCKERMERGED.ulimits %},
"default-ulimits": {
{%- for ULIMIT in DOCKERMERGED.ulimits %}
"{{ ULIMIT.name }}": {
"Name": "{{ ULIMIT.name }}",
"Soft": {{ ULIMIT.soft }},
"Hard": {{ ULIMIT.hard }}
}{{ "," if not loop.last else "" }}
{%- endfor %}
}
{%- endif %}
}

9
salt/docker/init.sls
View File

@@ -3,7 +3,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
# docker service requires the ca.crt
@@ -41,9 +41,10 @@ dockeretc:
file.directory:
- name: /etc/docker
# Manager daemon.json
docker_daemon:
file.managed:
- source: salt://docker/files/daemon.json.jinja
- source: salt://common/files/daemon.json
- name: /etc/docker/daemon.json
- template: jinja
@@ -74,8 +75,8 @@ dockerreserveports:
sos_docker_net:
docker_network.present:
- name: sobridge
- subnet: {{ DOCKERMERGED.range }}
- gateway: {{ DOCKERMERGED.gateway }}
- subnet: {{ DOCKER.range }}
- gateway: {{ DOCKER.gateway }}
- options:
com.docker.network.bridge.name: 'sobridge'
com.docker.network.driver.mtu: '1500'

76
salt/docker/soc_docker.yaml
View File

@@ -7,25 +7,6 @@ docker:
description: Default docker IP range for containers.
helpLink: docker
advanced: True
ulimits:
description: |
Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
forcedType: "[]{}"
syntax: json
advanced: True
helpLink: docker.html
uiElements:
- field: name
label: Resource Name
required: True
regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
- field: soft
label: Soft Limit
forcedType: int
- field: hard
label: Hard Limit
forcedType: int
containers:
so-dockerregistry: &dockerOptions
final_octet:
@@ -58,25 +39,6 @@ docker:
helpLink: docker
multiline: True
forcedType: "[]string"
ulimits:
description: |
Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
advanced: True
helpLink: docker.html
forcedType: "[]{}"
syntax: json
uiElements:
- field: name
label: Resource Name
required: True
regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
- field: soft
label: Soft Limit
forcedType: int
- field: hard
label: Hard Limit
forcedType: int
so-elastic-fleet: *dockerOptions
so-elasticsearch: *dockerOptions
so-influxdb: *dockerOptions
@@ -100,6 +62,42 @@ docker:
so-idh: *dockerOptions
so-elastic-agent: *dockerOptions
so-telegraf: *dockerOptions
so-suricata: *dockerOptions
so-suricata:
final_octet:
description: Last octet of the container IP address.
helpLink: docker
readonly: True
advanced: True
global: True
port_bindings:
description: List of port bindings for the container.
helpLink: docker
advanced: True
multiline: True
forcedType: "[]string"
custom_bind_mounts:
description: List of custom local volume bindings.
advanced: True
helpLink: docker
multiline: True
forcedType: "[]string"
extra_hosts:
description: List of additional host entries for the container.
advanced: True
helpLink: docker
multiline: True
forcedType: "[]string"
extra_env:
description: List of additional ENV entries for the container.
advanced: True
helpLink: docker
multiline: True
forcedType: "[]string"
ulimits:
description: Ulimits for the container, in bytes.
advanced: True
helpLink: docker
multiline: True
forcedType: "[]string"
so-zeek: *dockerOptions
so-kafka: *dockerOptions

22
salt/elastalert/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
- elastalert.config
@@ -24,7 +24,7 @@ so-elastalert:
- user: so-elastalert
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-elastalert'].ip }}
- ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
- detach: True
- binds:
- /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
@@ -33,30 +33,24 @@ so-elastalert:
- /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro
- /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro
- /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
{% if DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
{% if DOCKER.containers['so-elastalert'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
{% if DOCKER.containers['so-elastalert'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastalert'].extra_env %}
{% if DOCKER.containers['so-elastalert'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-elastalert'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastalert'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- require:
- cmd: wait_for_elasticsearch
- file: elastarules

41
salt/elastalert/soc_elastalert.yaml
View File

@@ -1,7 +1,6 @@
elastalert:
enabled:
description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery.
forcedType: bool
helpLink: elastalert
alerter_parameters:
title: Custom Configuration Parameters
@@ -97,15 +96,8 @@ elastalert:
file: True
helpLink: elastalert
config:
scan_subdirectories:
description: Recursively scan subdirectories for rules.
forcedType: bool
advanced: True
global: True
helpLink: elastalert
disable_rules_on_error:
description: Disable rules on failure.
forcedType: bool
global: True
helpLink: elastalert
run_every:
@@ -131,18 +123,6 @@ elastalert:
description: The maximum number of documents that will be returned from Elasticsearch in a single query.
global: True
helpLink: elastalert
use_ssl:
description: Use SSL to connect to Elasticsearch.
forcedType: bool
advanced: True
global: True
helpLink: elastalert
verify_certs:
description: Verify TLS certificates when connecting to Elasticsearch.
forcedType: bool
advanced: True
global: True
helpLink: elastalert
alert_time_limit:
days:
description: The retry window for failed alerts.
@@ -157,24 +137,3 @@ elastalert:
description: The number of replicas for elastalert indices.
global: True
helpLink: elastalert
logging:
incremental:
description: When incremental is false (the default), the logging configuration is applied in full, replacing any existing logging setup. When true, only the level attributes of existing loggers and handlers are updated, leaving the rest of the logging configuration unchanged.
forcedType: bool
advanced: True
global: True
helpLink: elastalert
disable_existing_loggers:
description: Disable existing loggers.
forcedType: bool
advanced: True
global: True
helpLink: elastalert
loggers:
'':
propagate:
description: Propagate log messages to parent loggers.
forcedType: bool
advanced: True
global: True
helpLink: elastalert

24
salt/elastic-fleet-package-registry/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
- elastic-fleet-package-registry.config
@@ -21,36 +21,30 @@ so-elastic-fleet-package-registry:
- user: 948
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ip }}
- ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
{% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].port_bindings %}
{% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
{% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
- binds:
{% for BIND in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
{% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
delete_so-elastic-fleet-package-registry_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf

1
salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
View File

@@ -1,5 +1,4 @@
elastic_fleet_package_registry:
enabled:
description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated.
forcedType: bool
advanced: True

24
salt/elasticagent/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
- ca
@@ -22,17 +22,17 @@ so-elastic-agent:
- user: 949
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-elastic-agent'].ip }}
- ipv4_address: {{ DOCKER.containers['so-elastic-agent'].ip }}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
{% if DOCKER.containers['so-elastic-agent'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastic-agent'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-elastic-agent'].port_bindings %}
{% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -41,25 +41,19 @@ so-elastic-agent:
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /nsm:/nsm:ro
- /opt/so/log:/opt/so/log:ro
{% if DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
{% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- environment:
- FLEET_CA=/etc/pki/tls/certs/intca.crt
- LOGS_PATH=logs
{% if DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
{% if DOCKER.containers['so-elastic-agent'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- require:
- file: create-elastic-agent-config
- file: trusttheca

1
salt/elasticagent/soc_elasticagent.yaml
View File

@@ -1,5 +1,4 @@
elasticagent:
enabled:
description: Enables or disables the Elastic Agent process. This process must remain enabled to allow collection of node events.
forcedType: bool
advanced: True

24
salt/elasticfleet/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
{# This value is generated during node install and stored in minion pillar #}
@@ -94,17 +94,17 @@ so-elastic-fleet:
- user: 947
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet'].ip }}
- ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
{% if DOCKER.containers['so-elastic-fleet'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-elastic-fleet'].port_bindings %}
{% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -112,8 +112,8 @@ so-elastic-fleet:
- /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs
{% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
{% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
@@ -128,17 +128,11 @@ so-elastic-fleet:
- FLEET_CA=/etc/pki/tls/certs/intca.crt
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
- LOGS_PATH=logs
{% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
{% if DOCKER.containers['so-elastic-fleet'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: trusttheca
- x509: etc_elasticfleet_key

3
salt/elasticfleet/soc_elasticfleet.yaml
View File

@@ -1,7 +1,6 @@
elasticfleet:
enabled:
description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents.
forcedType: bool
advanced: True
helpLink: elastic-fleet
enable_manager_output:
@@ -38,7 +37,6 @@ elasticfleet:
defend_filters:
enable_auto_configuration:
description: Enable auto-configuration and management of the Elastic Defend Exclusion filters.
forcedType: bool
global: True
helpLink: elastic-fleet
advanced: True
@@ -101,7 +99,6 @@ elasticfleet:
forcedType: "[]string"
enable_auto_configuration:
description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs.
forcedType: bool
global: True
helpLink: elastic-fleet
advanced: True

118
salt/elasticsearch/defaults.yaml
View File

@@ -119,7 +119,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- so-case*
priority: 501
priority: 500
template:
mappings:
date_detection: false
@@ -131,6 +131,8 @@ elasticsearch:
match_mapping_type: string
settings:
index:
lifecycle:
name: so-case-logs
mapping:
total_fields:
limit: 1500
@@ -141,7 +143,14 @@ elasticsearch:
sort:
field: '@timestamp'
order: desc
policy:
phases:
hot:
actions: {}
min_age: 0ms
so-common:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
@@ -205,9 +214,7 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- winlog-mappings
data_stream:
allow_custom_routing: false
hidden: false
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-*-so*
@@ -267,7 +274,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- so-detection*
priority: 501
priority: 500
template:
mappings:
date_detection: false
@@ -279,6 +286,8 @@ elasticsearch:
match_mapping_type: string
settings:
index:
lifecycle:
name: so-detection-logs
mapping:
total_fields:
limit: 1500
@@ -289,6 +298,11 @@ elasticsearch:
sort:
field: '@timestamp'
order: desc
policy:
phases:
hot:
actions: {}
min_age: 0ms
sos-backup:
index_sorting: false
index_template:
@@ -448,7 +462,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- endgame*
priority: 501
priority: 500
template:
mappings:
date_detection: false
@@ -496,6 +510,8 @@ elasticsearch:
priority: 50
min_age: 30d
so-idh:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
@@ -550,13 +566,10 @@ elasticsearch:
- dtc-user_agent-mappings
- common-settings
- common-dynamic-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-idh-so*
priority: 501
- so-idh-*
priority: 500
template:
mappings:
date_detection: false
@@ -666,13 +679,11 @@ elasticsearch:
- common-dynamic-mappings
- winlog-mappings
- hash-mappings
data_stream:
allow_custom_routing: false
hidden: false
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-import-so*
priority: 501
priority: 500
template:
mappings:
date_detection: false
@@ -727,7 +738,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- so-ip*
priority: 501
priority: 500
template:
mappings:
date_detection: false
@@ -742,12 +753,19 @@ elasticsearch:
mapping:
total_fields:
limit: 1500
lifecycle:
name: so-ip-mappings-logs
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
hot:
actions: {}
min_age: 0ms
so-items:
index_sorting: false
index_template:
@@ -756,7 +774,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- .items-default-**
priority: 501
priority: 500
template:
mappings:
date_detection: false
@@ -835,6 +853,8 @@ elasticsearch:
priority: 50
min_age: 30d
so-kratos:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
@@ -855,7 +875,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- logs-kratos-so*
priority: 501
priority: 500
template:
mappings:
date_detection: false
@@ -903,6 +923,8 @@ elasticsearch:
priority: 50
min_age: 30d
so-hydra:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
@@ -963,7 +985,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- logs-hydra-so*
priority: 501
priority: 500
template:
mappings:
date_detection: false
@@ -1018,7 +1040,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- .lists-default-**
priority: 501
priority: 500
template:
mappings:
date_detection: false
@@ -1504,9 +1526,6 @@ elasticsearch:
- so-fleet_integrations.ip_mappings-1
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-elastic_agent.cloudbeat@custom
index_patterns:
@@ -1742,9 +1761,6 @@ elasticsearch:
- so-fleet_integrations.ip_mappings-1
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-elastic_agent.heartbeat@custom
index_patterns:
@@ -3004,6 +3020,8 @@ elasticsearch:
priority: 50
min_age: 30d
so-logs-soc:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
@@ -3058,13 +3076,11 @@ elasticsearch:
- dtc-user_agent-mappings
- common-settings
- common-dynamic-mappings
data_stream:
allow_custom_routing: false
hidden: false
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-soc-so*
priority: 501
priority: 500
template:
mappings:
date_detection: false
@@ -3654,13 +3670,10 @@ elasticsearch:
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-logstash-default*
priority: 501
priority: 500
template:
mappings:
date_detection: false
@@ -3958,13 +3971,10 @@ elasticsearch:
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-redis.log*
priority: 501
- logs-redis-default*
priority: 500
template:
mappings:
date_detection: false
@@ -4075,13 +4085,11 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- hash-mappings
data_stream:
allow_custom_routing: false
hidden: false
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-strelka-so*
priority: 501
priority: 500
template:
mappings:
date_detection: false
@@ -4191,13 +4199,11 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- hash-mappings
data_stream:
allow_custom_routing: false
hidden: false
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-suricata-so*
priority: 501
priority: 500
template:
mappings:
date_detection: false
@@ -4307,13 +4313,11 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- hash-mappings
data_stream:
allow_custom_routing: false
hidden: false
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-suricata.alerts-*
priority: 501
priority: 500
template:
mappings:
date_detection: false
@@ -4423,13 +4427,11 @@ elasticsearch:
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
data_stream:
allow_custom_routing: false
hidden: false
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-syslog-so*
priority: 501
priority: 500
template:
mappings:
date_detection: false
@@ -4541,13 +4543,11 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- hash-mappings
data_stream:
allow_custom_routing: false
hidden: false
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-zeek-so*
priority: 501
priority: 500
template:
mappings:
date_detection: false

28
salt/elasticsearch/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
@@ -28,15 +28,15 @@ so-elasticsearch:
- user: elasticsearch
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-elasticsearch'].ip }}
- ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
- extra_hosts:
{% for node in ELASTICSEARCH_NODES %}
{% for hostname, ip in node.items() %}
- {{hostname}}:{{ip}}
{% endfor %}
{% endfor %}
{% if DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
{% if DOCKER.containers['so-elasticsearch'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
@@ -45,19 +45,17 @@ so-elasticsearch:
- discovery.type=single-node
{% endif %}
- ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
{% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
ulimits:
- memlock=-1:-1
- nofile=65536:65536
- nproc=4096
{% if DOCKER.containers['so-elasticsearch'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-elasticsearch'].port_bindings %}
{% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -77,8 +75,8 @@ so-elasticsearch:
- {{ repo }}:{{ repo }}:rw
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
{% if DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}

18
salt/elasticsearch/files/ingest/zeek.websocket
View File

@@ -1,18 +0,0 @@
{
"description" : "zeek.websocket",
"processors" : [
{ "set": { "field": "event.dataset", "value": "websocket" } },
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.host", "target_field": "websocket.host", "ignore_missing": true } },
{ "rename": { "field": "message2.uri", "target_field": "websocket.uri", "ignore_missing": true } },
{ "rename": { "field": "message2.user_agent", "target_field": "websocket.user_agent", "ignore_missing": true } },
{ "rename": { "field": "message2.subprotocol", "target_field": "websocket.subprotocol", "ignore_missing": true } },
{ "rename": { "field": "message2.client_protocols", "target_field": "websocket.client_protocols", "ignore_missing": true } },
{ "rename": { "field": "message2.client_extensions", "target_field": "websocket.client_extensions", "ignore_missing": true } },
{ "rename": { "field": "message2.server_extensions", "target_field": "websocket.server_extensions", "ignore_missing": true } },
{ "remove": { "field": "message2.tags", "ignore_failure": true } },
{ "set": { "field": "network.transport", "value": "tcp" } },
{ "pipeline": { "name": "zeek.common" } }
]
}

60
salt/elasticsearch/soc_elasticsearch.yaml
View File

@@ -1,7 +1,6 @@
elasticsearch:
enabled:
description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING - Disabling this process is unsupported.
forcedType: bool
advanced: True
helpLink: elasticsearch
version:
@@ -43,9 +42,8 @@ elasticsearch:
routing:
allocation:
disk:
threshold_enabled:
threshold_enabled:
description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster.
forcedType: bool
helpLink: elasticsearch
watermark:
low:
@@ -57,64 +55,18 @@ elasticsearch:
flood_stage:
description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events.
helpLink: elasticsearch
action:
destructive_requires_name:
description: Requires explicit index names when deleting indices. Prevents accidental deletion of indices via wildcard patterns.
advanced: True
forcedType: bool
helpLink: elasticsearch
script:
max_compilations_rate:
max_compilations_rate:
description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources.
global: True
helpLink: elasticsearch
indices:
id_field_data:
enabled:
description: Enables or disables loading of field data on the _id field.
advanced: True
forcedType: bool
helpLink: elasticsearch
query:
bool:
max_clause_count:
max_clause_count:
description: Max number of boolean clauses per query.
global: True
helpLink: elasticsearch
xpack:
ml:
enabled:
description: Enables or disables machine learning on the node.
forcedType: bool
advanced: True
helpLink: elasticsearch
security:
enabled:
description: Enables or disables Elasticsearch security features.
forcedType: bool
advanced: True
helpLink: elasticsearch
authc:
anonymous:
authz_exception:
description: Controls whether an authorization exception is thrown when anonymous user does not have the required privileges.
advanced: True
forcedType: bool
helpLink: elasticsearch
http:
ssl:
enabled:
description: Enables or disables TLS/SSL for the HTTP layer.
advanced: True
forcedType: bool
helpLink: elasticsearch
transport:
ssl:
enabled:
description: Enables or disables TLS/SSL for the transport layer.
advanced: True
forcedType: bool
helpLink: elasticsearch
pipelines:
custom001: &pipelines
description:
@@ -312,9 +264,8 @@ elasticsearch:
global: True
helpLink: elasticsearch
so-logs: &indexSettings
index_sorting:
index_sorting:
description: Sorts the index by event time, at the cost of additional processing resource consumption.
forcedType: bool
global: True
advanced: True
helpLink: elasticsearch
@@ -658,7 +609,6 @@ elasticsearch:
so-metrics-fleet_server_x_agent_status: &fleetMetricsSettings
index_sorting:
description: Sorts the index by event time, at the cost of additional processing resource consumption.
forcedType: bool
advanced: True
readonly: True
helpLink: elasticsearch
@@ -699,13 +649,11 @@ elasticsearch:
data_stream:
hidden:
description: Hide the data stream.
forcedType: bool
advanced: True
readonly: True
helpLink: elasticsearch
allow_custom_routing:
description: Allow custom routing for the data stream.
forcedType: bool
advanced: True
readonly: True
helpLink: elasticsearch

18
salt/firewall/iptables.jinja
View File

@@ -1,5 +1,5 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
{%- from 'docker/docker.map.jinja' import DOCKER %}
{%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
{%- set role = GLOBALS.role.split('-')[1] %}
{%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
@@ -8,9 +8,9 @@
{%- set D1 = [] %}
{%- set D2 = [] %}
{%- for container in NODE_CONTAINERS %}
{%- set IP = DOCKERMERGED.containers[container].ip %}
{%- if DOCKERMERGED.containers[container].port_bindings is defined %}
{%- for binding in DOCKERMERGED.containers[container].port_bindings %}
{%- set IP = DOCKER.containers[container].ip %}
{%- if DOCKER.containers[container].port_bindings is defined %}
{%- for binding in DOCKER.containers[container].port_bindings %}
{#- cant split int so we convert to string #}
{%- set binding = binding|string %}
{#- split the port binding by /. if proto not specified, default is tcp #}
@@ -33,13 +33,13 @@
{%- set hostPort = bsa[0] %}
{%- set containerPort = bsa[1] %}
{%- endif %}
{%- do PR.append("-A POSTROUTING -s " ~ DOCKERMERGED.containers[container].ip ~ "/32 -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
{%- do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
{%- if bindip | length and bindip != '0.0.0.0' %}
{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
{%- else %}
{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
{%- endif %}
{%- do D2.append("-A DOCKER -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
{%- do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
{%- endfor %}
{%- endif %}
{%- endfor %}
@@ -52,7 +52,7 @@
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s {{DOCKERMERGED.range}} ! -o sobridge -j MASQUERADE
-A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE
{%- for rule in PR %}
{{ rule }}
{%- endfor %}

4
salt/firewall/map.jinja
View File

@@ -1,11 +1,11 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
{# add our ip to self #}
{% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
{# add dockernet range #}
{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKERMERGED.range) %}
{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %}
{% if GLOBALS.role == 'so-idh' %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}

24
salt/hydra/enabled.sls
View File

@@ -11,7 +11,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if 'api' in salt['pillar.get']('features', []) %}
@@ -26,38 +26,32 @@ so-hydra:
- name: so-hydra
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-hydra'].ip }}
- ipv4_address: {{ DOCKER.containers['so-hydra'].ip }}
- binds:
- /opt/so/conf/hydra/:/hydra-conf:ro
- /opt/so/log/hydra/:/hydra-log:rw
- /nsm/hydra/db:/hydra-data:rw
{% if DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
{% if DOCKER.containers['so-hydra'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-hydra'].port_bindings %}
{% for BINDING in DOCKER.containers['so-hydra'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-hydra'].extra_hosts %}
{% if DOCKER.containers['so-hydra'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-hydra'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-hydra'].extra_env %}
{% if DOCKER.containers['so-hydra'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-hydra'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-hydra'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- restart_policy: unless-stopped
- watch:
- file: hydraconfig

3
salt/hydra/soc_hydra.yaml
View File

@@ -1,7 +1,6 @@
hydra:
enabled:
description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False.
forcedType: bool
description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False.
helpLink: connect-api
global: True
config:

20
salt/idh/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
- idh.config
@@ -22,29 +22,23 @@ so-idh:
- /nsm/idh:/var/tmp:rw
- /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
- /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
{% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
{% if DOCKER.containers['so-idh'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-idh'].extra_hosts %}
{% if DOCKER.containers['so-idh'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-idh'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-idh'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-idh'].extra_env %}
{% if DOCKER.containers['so-idh'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-idh'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-idh'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-idh'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: opencanary_config
- require:

11
salt/idh/soc_idh.yaml
View File

@@ -1,11 +1,6 @@
idh:
enabled:
description: Enables or disables the Intrusion Detection Honeypot (IDH) process.
forcedType: bool
helpLink: idh
restrict_management_ip:
description: Restricts management IP access to the IDH node.
forcedType: bool
description: Enables or disables the Intrusion Detection Honeypot (IDH) process.
helpLink: idh
opencanary:
config:
@@ -29,7 +24,6 @@ idh:
filename: *loggingOptions
portscan_x_enabled: &serviceOptions
description: To enable this opencanary module, set this value to true. To disable set to false. This option only applies to IDH nodes within your grid.
forcedType: bool
helpLink: idh
portscan_x_logfile: *loggingOptions
portscan_x_synrate:
@@ -131,9 +125,8 @@ idh:
vnc_x_enabled: *serviceOptions
vnc_x_port: *portOptions
openssh:
enable:
enable:
description: This is the real SSH service for the host machine.
forcedType: bool
helpLink: idh
config:
port:

24
salt/influxdb/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
{% set TOKEN = salt['pillar.get']('influxdb:token') %}
@@ -21,7 +21,7 @@ so-influxdb:
- hostname: influxdb
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-influxdb'].ip }}
- ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
- environment:
- INFLUXD_CONFIG_PATH=/conf/config.yaml
- INFLUXDB_HTTP_LOG_ENABLED=false
@@ -31,8 +31,8 @@ so-influxdb:
- DOCKER_INFLUXDB_INIT_ORG=Security Onion
- DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
- DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
{% if DOCKERMERGED.containers['so-influxdb'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-influxdb'].extra_env %}
{% if DOCKER.containers['so-influxdb'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-influxdb'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
@@ -43,27 +43,21 @@ so-influxdb:
- /nsm/influxdb:/var/lib/influxdb2:rw
- /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
- /etc/pki/influxdb.key:/conf/influxdb.key:ro
{% if DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
{% if DOCKER.containers['so-influxdb'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-influxdb'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-influxdb'].port_bindings %}
{% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
{% if DOCKER.containers['so-influxdb'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-influxdb'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-influxdb'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: influxdbconf
- x509: influxdb_key

18
salt/influxdb/soc_influxdb.yaml
View File

@@ -1,7 +1,6 @@
influxdb:
enabled:
description: Enables the grid metrics collection storage system. Security Onion grid health monitoring requires this process to remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results.
forcedType: bool
helpLink: influxdb
config:
assets-path:
@@ -26,13 +25,11 @@ influxdb:
helpLink: influxdb
flux-log-enabled:
description: Controls whether detailed flux query logging is enabled.
forcedType: bool
global: True
advanced: True
helpLink: influxdb
hardening-enabled:
description: If true, enforces outbound connections from the InfluxDB process must never attempt to reach an internal, private network address.
forcedType: bool
global: True
advanced: True
helpLink: influxdb
@@ -89,19 +86,16 @@ influxdb:
helpLink: influxdb
metrics-disabled:
description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible.
forcedType: bool
global: True
advanced: True
helpLink: influxdb
no-tasks:
description: If true, the task system will not process any queued tasks. Useful for troubleshooting startup problems.
forcedType: bool
global: True
advanced: True
helpLink: influxdb
pprof-disabled:
description: If true, the profiling data HTTP endpoint will be inaccessible.
forcedType: bool
global: True
advanced: True
helpLink: influxdb
@@ -132,7 +126,6 @@ influxdb:
helpLink: influxdb
reporting-disabled:
description: If true, prevents InfluxDB from sending telemetry updates to InfluxData's servers.
forcedType: bool
global: True
advanced: True
helpLink: influxdb
@@ -149,7 +142,6 @@ influxdb:
helpLink: influxdb
session-renew-disabled:
description: If true, user login sessions will renew after each request.
forcedType: bool
global: True
advanced: True
helpLink: influxdb
@@ -195,7 +187,6 @@ influxdb:
helpLink: influxdb
storage-no-validate-field-size:
description: If true, incoming requests will skip the field size validation.
forcedType: bool
global: True
advanced: True
helpLink: influxdb
@@ -226,13 +217,11 @@ influxdb:
helpLink: influxdb
storage-tsm-use-madv-willneed:
description: If true, InfluxDB will manage TSM memory paging.
forcedType: bool
global: True
advanced: True
helpLink: influxdb
storage-validate-keys:
description: If true, validates incoming requests for supported characters.
forcedType: bool
global: True
advanced: True
helpLink: influxdb
@@ -279,7 +268,6 @@ influxdb:
helpLink: influxdb
tls-strict-ciphers:
description: If true, the allowed ciphers used with TLS connections are ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_256_GCM_SHA384, or RSA_WITH_AES_256_CBC_SHA.
forcedType: bool
global: True
advanced: True
helpLink: influxdb
@@ -288,9 +276,8 @@ influxdb:
global: True
advanced: True
helpLink: influxdb
ui-disabled:
ui-disabled:
description: If true, the InfluxDB HTTP user interface will be disabled. This will prevent use of the included InfluxDB dashboard visualizations.
forcedType: bool
global: True
advanced: True
helpLink: influxdb
@@ -329,9 +316,8 @@ influxdb:
global: True
advanced: True
helpLink: influxdb
vault-skip-verify:
vault-skip-verify:
description: Skip certification validation of the Vault server.
forcedType: bool
global: True
advanced: True
helpLink: influxdb

18
salt/kafka/enabled.sls
View File

@@ -12,7 +12,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% set KAFKANODES = salt['pillar.get']('kafka:nodes') %}
{% set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %}
{% if 'gmd' in salt['pillar.get']('features', []) %}
@@ -31,22 +31,22 @@ so-kafka:
- name: so-kafka
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-kafka'].ip }}
- ipv4_address: {{ DOCKER.containers['so-kafka'].ip }}
- user: kafka
- environment:
KAFKA_HEAP_OPTS: -Xmx2G -Xms1G
KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKERMERGED.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKER.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
- extra_hosts:
{% for node in KAFKANODES %}
- {{ node }}:{{ KAFKANODES[node].ip }}
{% endfor %}
{% if DOCKERMERGED.containers['so-kafka'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-kafka'].extra_hosts %}
{% if DOCKER.containers['so-kafka'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-kafka'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-kafka'].port_bindings %}
{% for BINDING in DOCKER.containers['so-kafka'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -60,12 +60,6 @@ so-kafka:
{% if KAFKA_EXTERNAL_ACCESS %}
- /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
{% endif %}
{% if DOCKERMERGED.containers['so-kafka'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
{% for sc in ['server', 'client'] %}
- file: kafka_kraft_{{sc}}_properties

1
salt/kafka/soc_kafka.yaml
View File

@@ -1,7 +1,6 @@
kafka:
enabled:
description: Set to True to enable Kafka. To avoid grid problems, do not enable Kafka until the related configuration is in place. Requires a valid Security Onion license key.
forcedType: bool
helpLink: kafka
cluster_id:
description: The ID of the Kafka cluster.

24
salt/kibana/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -20,20 +20,20 @@ so-kibana:
- user: kibana
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-kibana'].ip }}
- ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
- environment:
- ELASTICSEARCH_HOST={{ GLOBALS.manager }}
- ELASTICSEARCH_PORT=9200
- MANAGER={{ GLOBALS.manager }}
{% if DOCKERMERGED.containers['so-kibana'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-kibana'].extra_env %}
{% if DOCKER.containers['so-kibana'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-kibana'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKERMERGED.containers['so-kibana'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-kibana'].extra_hosts %}
{% if DOCKER.containers['so-kibana'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-kibana'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
@@ -42,21 +42,15 @@ so-kibana:
- /opt/so/log/kibana:/var/log/kibana:rw
- /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
- /sys/fs/cgroup:/sys/fs/cgroup:ro
{% if DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
{% if DOCKER.containers['so-kibana'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-kibana'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %}
{% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-kibana'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: kibanaconfig

38
salt/kibana/soc_kibana.yaml
View File

@@ -1,46 +1,10 @@
kibana:
enabled:
enabled:
description: Enables or disables the Kibana front-end interface to Elasticsearch. Due to Kibana being used for loading certain configuration details in Elasticsearch, this process should remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results.
forcedType: bool
helpLink: kibana
config:
server:
rewriteBasePath:
description: Specifies whether Kibana should rewrite requests that are prefixed with the server basePath.
forcedType: bool
global: True
advanced: True
helpLink: kibana
elasticsearch:
requestTimeout:
description: The length of time before the request reaches timeout.
global: True
helpLink: kibana
telemetry:
enabled:
description: Enables or disables telemetry data collection in Kibana.
forcedType: bool
global: True
advanced: True
helpLink: kibana
xpack:
security:
secureCookies:
description: Sets the secure flag on session cookies. Cookies are only sent over HTTPS when enabled.
forcedType: bool
global: True
advanced: True
helpLink: kibana
showInsecureClusterWarning:
description: Shows a warning in Kibana when the cluster does not have security enabled.
forcedType: bool
global: True
advanced: True
helpLink: kibana
apm:
enabled:
description: Enables or disables the APM agent in Kibana.
forcedType: bool
global: True
advanced: True
helpLink: kibana

24
salt/kratos/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -19,38 +19,32 @@ so-kratos:
- name: so-kratos
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-kratos'].ip }}
- ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
- binds:
- /opt/so/conf/kratos/:/kratos-conf:ro
- /opt/so/log/kratos/:/kratos-log:rw
- /nsm/kratos/db:/kratos-data:rw
{% if DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
{% if DOCKER.containers['so-kratos'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-kratos'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-kratos'].port_bindings %}
{% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-kratos'].extra_hosts %}
{% if DOCKER.containers['so-kratos'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-kratos'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-kratos'].extra_env %}
{% if DOCKER.containers['so-kratos'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-kratos'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-kratos'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- restart_policy: unless-stopped
- watch:
- file: kratosschema

16
salt/kratos/soc_kratos.yaml
View File

@@ -1,14 +1,12 @@
kratos:
enabled:
description: Enables or disables the Kratos authentication system. WARNING - Disabling this process will cause the grid to malfunction. Re-enabling this setting will require manual effort via SSH.
forcedType: bool
advanced: True
helpLink: kratos
oidc:
enabled:
enabled:
description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key.
forcedType: bool
global: True
helpLink: oidc
config:
@@ -82,7 +80,6 @@ kratos:
email:
essential:
description: Specifies whether the email claim is necessary. Typically leave this value set to true.
forcedType: bool
advanced: True
global: True
helpLink: oidc
@@ -110,22 +107,19 @@ kratos:
selfservice:
methods:
password:
enabled:
enabled:
description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication. Some external tool interfaces may not be accessible if local password authentication is disabled.
forcedType: bool
global: True
advanced: True
helpLink: oidc
config:
haveibeenpwned_enabled:
description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
forcedType: bool
global: True
helpLink: kratos
totp:
enabled:
enabled:
description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
forcedType: bool
global: True
helpLink: kratos
config:
@@ -136,13 +130,11 @@ kratos:
webauthn:
enabled:
description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
forcedType: bool
global: True
helpLink: kratos
config:
passwordless:
passwordless:
description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in.
forcedType: bool
global: True
helpLink: kratos
rp:

24
salt/logstash/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'logstash/map.jinja' import LOGSTASH_MERGED %}
{% from 'logstash/map.jinja' import LOGSTASH_NODES %}
{% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
@@ -32,7 +32,7 @@ so-logstash:
- name: so-logstash
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-logstash'].ip }}
- ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
- user: logstash
- extra_hosts:
{% for node in LOGSTASH_NODES %}
@@ -40,20 +40,20 @@ so-logstash:
- {{hostname}}:{{ip}}
{% endfor %}
{% endfor %}
{% if DOCKERMERGED.containers['so-logstash'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-logstash'].extra_hosts %}
{% if DOCKER.containers['so-logstash'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- environment:
- LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
{% if DOCKERMERGED.containers['so-logstash'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-logstash'].extra_env %}
{% if DOCKER.containers['so-logstash'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-logstash'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-logstash'].port_bindings %}
{% for BINDING in DOCKER.containers['so-logstash'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -91,17 +91,11 @@ so-logstash:
- /opt/so/log/fleet/:/osquery/logs:ro
- /opt/so/log/strelka:/strelka:ro
{% endif %}
{% if DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
{% if DOCKER.containers['so-logstash'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-logstash'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-logstash'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: lsetcsync
- file: trusttheca

3
salt/logstash/soc_logstash.yaml
View File

@@ -1,7 +1,6 @@
logstash:
enabled:
enabled:
description: Enables or disables the Logstash log event forwarding process. On most grid installations, when this process is disabled log events are unable to be ingested into the SOC backend.
forcedType: bool
helpLink: logstash
assigned_pipelines:
roles:

1
salt/manager/soc_manager.yaml
View File

@@ -2,7 +2,6 @@ manager:
reposync:
enabled:
description: This is the daily task of syncing the Security Onion OS packages. It is recommended that this setting remain enabled to ensure important updates are applied to the grid on an automated, scheduled basis.
forcedType: bool
global: True
helpLink: soup
hour:

86
salt/manager/tools/sbin/soup
View File

@@ -383,67 +383,6 @@ check_minimum_version() {
### 3.0.0 Scripts ###
convert_suricata_yes_no() {
echo "Starting suricata yes/no values to true/false conversion."
local SURICATA_FILE=/opt/so/saltstack/local/pillar/suricata/soc_suricata.sls
local MINIONDIR=/opt/so/saltstack/local/pillar/minions
local pillar_files=()
[[ -f "$SURICATA_FILE" ]] && pillar_files+=("$SURICATA_FILE")
for suffix in _eval _heavynode _sensor _standalone; do
for f in "$MINIONDIR"/*${suffix}.sls; do
[[ -f "$f" ]] && pillar_files+=("$f")
done
done
for pillar_file in "${pillar_files[@]}"; do
echo "Checking $pillar_file for suricata yes/no values."
local yaml_output
yaml_output=$(so-yaml.py get -r "$pillar_file" suricata 2>/dev/null) || continue
local keys_to_fix
keys_to_fix=$(python3 -c "
import yaml, sys
def find(d, prefix=''):
if isinstance(d, dict):
for k, v in d.items():
path = f'{prefix}.{k}' if prefix else k
if isinstance(v, dict):
find(v, path)
elif isinstance(v, str) and v.lower() in ('yes', 'no'):
print(f'{path} {v.lower()}')
find(yaml.safe_load(sys.stdin) or {})
" <<< "$yaml_output") || continue
while IFS=' ' read -r key value; do
[[ -z "$key" ]] && continue
if [[ "$value" == "yes" ]]; then
echo "Replacing suricata.${key} yes -> true in $pillar_file"
so-yaml.py replace "$pillar_file" "suricata.${key}" true
else
echo "Replacing suricata.${key} no -> false in $pillar_file"
so-yaml.py replace "$pillar_file" "suricata.${key}" false
fi
done <<< "$keys_to_fix"
done
echo "Completed suricata yes/no conversion."
}
migrate_pcap_to_suricata() {
echo "Starting pillar pcap.enabled to suricata.pcap.enabled migration."
local MINIONDIR=/opt/so/saltstack/local/pillar/minions
local PCAPFILE=/opt/so/saltstack/local/pillar/pcap/soc_pcap.sls
for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
[[ -f "$pillar_file" ]] || continue
pcap_enabled=$(so-yaml.py get -r "$pillar_file" pcap.enabled 2>/dev/null) || continue
echo "Migrating pcap.enabled -> suricata.pcap.enabled in $pillar_file"
so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
so-yaml.py remove "$pillar_file" pcap
done
echo "Completed pcap.enabled to suricata.pcap.enabled pillar migration."
}
up_to_3.0.0() {
determine_elastic_agent_upgrade
migrate_pcap_to_suricata
@@ -451,19 +390,20 @@ up_to_3.0.0() {
INSTALLEDVERSION=3.0.0
}
migrate_pcap_to_suricata() {
local MINIONDIR=/opt/so/saltstack/local/pillar/minions
local PCAPFILE=/opt/so/saltstack/local/pillar/pcap/soc_pcap.sls
for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
[[ -f "$pillar_file" ]] || continue
pcap_enabled=$(so-yaml.py get -r "$pillar_file" pcap.enabled 2>/dev/null) || continue
so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
so-yaml.py remove "$pillar_file" pcap
done
}
post_to_3.0.0() {
for idx in "logs-idh-so" "logs-redis.log-default"; do
rollover_index "$idx"
done
# Remove ILM for so-case and so-detection indices
for idx in "so-case" "so-casehistory" "so-detection" "so-detectionhistory"; do
so-elasticsearch-query $idx/_ilm/remove -XPOST
done
# convert yes/no in suricata pillars to true/false
convert_suricata_yes_no
echo "Nothing to apply"
POSTVERSION=3.0.0
}

24
salt/nginx/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'nginx/map.jinja' import NGINXMERGED %}
include:
@@ -37,11 +37,11 @@ so-nginx:
- hostname: so-nginx
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers[container_config].ip }}
- ipv4_address: {{ DOCKER.containers[container_config].ip }}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKERMERGED.containers[container_config].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers[container_config].extra_hosts %}
{% if DOCKER.containers[container_config].extra_hosts %}
{% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
@@ -64,26 +64,20 @@ so-nginx:
- /opt/so/rules/nids/suri:/surirules:ro
{% endif %}
{% endif %}
{% if DOCKERMERGED.containers[container_config].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers[container_config].custom_bind_mounts %}
{% if DOCKER.containers[container_config].custom_bind_mounts %}
{% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers[container_config].extra_env %}
{% if DOCKER.containers[container_config].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers[container_config].extra_env %}
{% for XTRAENV in DOCKER.containers[container_config].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers[container_config].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- cap_add: NET_BIND_SERVICE
- port_bindings:
{% for BINDING in DOCKERMERGED.containers[container_config].port_bindings %}
{% for BINDING in DOCKER.containers[container_config].port_bindings %}
- {{ BINDING }}
{% endfor %}
- watch:

4
salt/nginx/etc/nginx.conf
View File

@@ -1,5 +1,5 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
{%- from 'docker/docker.map.jinja' import DOCKER %}
{%- from 'nginx/map.jinja' import NGINXMERGED %}
{%- set role = grains.id.split('_') | last %}
{%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}
@@ -387,7 +387,7 @@ http {
error_page 429 = @error429;
location @error401 {
if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*|^/.*\.map$)) {
return 401;
}

3
salt/nginx/soc_nginx.yaml
View File

@@ -1,7 +1,6 @@
nginx:
enabled:
enabled:
description: Enables or disables the Nginx web server and reverse proxy. WARNING - Disabling this process will prevent access to SOC and other important web interfaces and APIs. Re-enabling the process is a manual effort. Do not change this setting without instruction from Security Onion support.
forcedType: bool
advanced: True
helpLink: nginx
external_suricata:

1
salt/patch/soc_patch.yaml
View File

@@ -2,7 +2,6 @@ patch:
os:
enabled:
description: Enable OS updates. WARNING - Disabling this setting will prevent important operating system updates from being applied on a scheduled basis.
forcedType: bool
helpLink: soup
schedule_to_run:
description: Currently running schedule for updates.

24
salt/redis/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -21,9 +21,9 @@ so-redis:
- user: socore
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-redis'].ip }}
- ipv4_address: {{ DOCKER.containers['so-redis'].ip }}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-redis'].port_bindings %}
{% for BINDING in DOCKER.containers['so-redis'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -34,29 +34,23 @@ so-redis:
- /etc/pki/redis.crt:/certs/redis.crt:ro
- /etc/pki/redis.key:/certs/redis.key:ro
- /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
{% if DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
{% if DOCKER.containers['so-redis'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-redis'].extra_hosts %}
{% if DOCKER.containers['so-redis'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-redis'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-redis'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-redis'].extra_env %}
{% if DOCKER.containers['so-redis'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-redis'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-redis'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-redis'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
- watch:
- file: trusttheca

3
salt/redis/soc_redis.yaml
View File

@@ -1,7 +1,6 @@
redis:
enabled:
enabled:
description: Enables the log event in-memory buffering process. This process might already be disabled on some installation types. Disabling this process on distributed-capable grids can result in loss of log events.
forcedType: bool
helpLink: redis
config:
bind:

24
salt/registry/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
- registry.ssl
@@ -20,10 +20,10 @@ so-dockerregistry:
- hostname: so-registry
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-dockerregistry'].ip }}
- ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }}
- restart_policy: always
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-dockerregistry'].port_bindings %}
{% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -32,31 +32,25 @@ so-dockerregistry:
- /nsm/docker-registry/docker:/var/lib/registry/docker:rw
- /etc/pki/registry.crt:/etc/pki/registry.crt:ro
- /etc/pki/registry.key:/etc/pki/registry.key:ro
{% if DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
{% if DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
{% if DOCKER.containers['so-dockerregistry'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-dockerregistry'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- client_timeout: 180
- environment:
- HOME=/root
{% if DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
{% if DOCKER.containers['so-dockerregistry'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-dockerregistry'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- retry:
attempts: 5
interval: 30

1
salt/registry/soc_registry.yaml
View File

@@ -1,5 +1,4 @@
registry:
enabled:
description: Enables or disables the Docker registry on the manager node. WARNING - If this process is disabled the grid will malfunction and a manual effort may be needed to re-enable the setting.
forcedType: bool
advanced: True

20
salt/sensoroni/enabled.sls
View File

@@ -4,7 +4,7 @@
# Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
@@ -23,29 +23,23 @@ so-sensoroni:
- /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
- /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
- /nsm/suripcap/:/nsm/suripcap:rw
{% if DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
{% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
{% if DOCKER.containers['so-sensoroni'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-sensoroni'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-sensoroni'].extra_env %}
{% if DOCKER.containers['so-sensoroni'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-sensoroni'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-sensoroni'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-sensoroni'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: /opt/so/conf/sensoroni/sensoroni.json
- require:

2
salt/sensoroni/soc_sensoroni.yaml
View File

@@ -1,14 +1,12 @@
sensoroni:
enabled:
description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid.
forcedType: bool
advanced: True
helpLink: grid
config:
analyze:
enabled:
description: Enable or disable the analyzer.
forcedType: bool
advanced: True
helpLink: cases
timeout_ms:

4
salt/soc/defaults.map.jinja
View File

@@ -5,7 +5,7 @@
{% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
{% from 'docker/docker.map.jinja' import DOCKER -%}
{% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
{% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
@@ -32,7 +32,7 @@
{% endif %}
{% endfor %}
{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
{% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
{% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %}

12
salt/soc/defaults.yaml
View File

@@ -584,18 +584,6 @@ soc:
- destination.port
- event.action
- tunnel.type
'::websocket':
- soc_timestamp
- event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- websocket.host
- websocket.uri
- websocket.user_agent
- log.id.uid
- network.community_id
'::weird':
- soc_timestamp
- event.dataset

20
salt/soc/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
{% from 'soc/merged.map.jinja' import SOCMERGED %}
@@ -22,7 +22,7 @@ so-soc:
- name: so-soc
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-soc'].ip }}
- ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
- binds:
- /nsm/rules:/nsm/rules:rw
- /opt/so/conf/strelka:/opt/sensoroni/yara:rw
@@ -63,27 +63,21 @@ so-soc:
- {{hostname}}:{{ip}}
{% endfor %}
{% endfor %}
{% if DOCKERMERGED.containers['so-soc'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-soc'].extra_hosts %}
{% if DOCKER.containers['so-soc'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-soc'].port_bindings %}
{% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-soc'].extra_env %}
{% if DOCKER.containers['so-soc'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-soc'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-soc'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-soc'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-soc'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: trusttheca
- file: /opt/so/conf/soc/*

1
salt/soc/soc_soc.yaml
View File

@@ -1,7 +1,6 @@
soc:
enabled:
description: Enables or disables SOC. WARNING - Disabling this setting is unsupported and will cause the grid to malfunction. Re-enabling this setting is a manual effort via SSH.
forcedType: bool
advanced: True
telemetryEnabled:
title: SOC Telemetry

22
salt/strelka/backend/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,35 +18,29 @@ strelka_backend:
- binds:
- /opt/so/conf/strelka/backend/:/etc/strelka/:ro
- /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro
{% if DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
{% if DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- name: so-strelka-backend
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-backend'].ip }}
- ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
- command: strelka-backend
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
{% if DOCKER.containers['so-strelka-backend'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-backend'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
{% if DOCKER.containers['so-strelka-backend'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-strelka-backend'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- restart_policy: on-failure
- watch:
- file: strelkasensorcompiledrules

24
salt/strelka/coordinator/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,38 +18,32 @@ strelka_coordinator:
- name: so-strelka-coordinator
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-coordinator'].ip }}
- ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
- entrypoint: redis-server --save "" --appendonly no
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
{% if DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-strelka-coordinator'].port_bindings %}
{% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
{% if DOCKER.containers['so-strelka-coordinator'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-strelka-coordinator'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
- binds:
- /nsm/strelka/coord-redis-data:/data:rw
{% if DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
{% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
delete_so-strelka-coordinator_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf

22
salt/strelka/filestream/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,35 +18,29 @@ strelka_filestream:
- binds:
- /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
- /nsm/strelka:/nsm/strelka
{% if DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
{% if DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- name: so-strelka-filestream
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-filestream'].ip }}
- ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
- command: strelka-filestream
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
{% if DOCKER.containers['so-strelka-filestream'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-filestream'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
{% if DOCKER.containers['so-strelka-filestream'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-strelka-filestream'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: filestream_config

24
salt/strelka/frontend/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,8 +18,8 @@ strelka_frontend:
- binds:
- /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
- /nsm/strelka/log/:/var/log/strelka/:rw
{% if DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
{% if DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
@@ -27,31 +27,25 @@ strelka_frontend:
- name: so-strelka-frontend
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-frontend'].ip }}
- ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
- command: strelka-frontend
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
{% if DOCKER.containers['so-strelka-frontend'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-frontend'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-strelka-frontend'].port_bindings %}
{% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
{% if DOCKER.containers['so-strelka-frontend'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-strelka-frontend'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: frontend_config

26
salt/strelka/gatekeeper/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,38 +18,32 @@ strelka_gatekeeper:
- name: so-strelka-gatekeeper
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-gatekeeper'].ip }}
- ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
- entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
{% if DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-strelka-gatekeeper'].port_bindings %}
{% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
- /nsm/strelka/gk-redis-data:/data:rw
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
{% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
{% if DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
{% endif %}
delete_so-strelka-gatekeeper_so-status.disabled:
file.uncomment:

22
salt/strelka/manager/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -17,35 +17,29 @@ strelka_manager:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
- binds:
- /opt/so/conf/strelka/manager/:/etc/strelka/:ro
{% if DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
{% if DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- name: so-strelka-manager
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-manager'].ip }}
- ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
- command: strelka-manager
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
{% if DOCKER.containers['so-strelka-manager'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-manager'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
{% if DOCKER.containers['so-strelka-manager'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-strelka-manager'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: manager_config

21
salt/strelka/soc_strelka.yaml
View File

@@ -1,8 +1,7 @@
strelka:
backend:
enabled:
enabled:
description: Enables or disables the Strelka file analysis process.
forcedType: bool
helpLink: strelka
config:
backend:
@@ -421,9 +420,8 @@ strelka:
helpLink: strelka
multiline: True
filestream:
enabled:
enabled:
description: You can enable or disable Strelka filestream.
forcedType: bool
helpLink: strelka
config:
conn:
@@ -480,14 +478,12 @@ strelka:
advanced: True
delete:
description: Boolean that determines if files should be deleted after being sent for scanning.
forcedType: bool
readonly: False
global: False
helpLink: strelka
advanced: True
gatekeeper:
description: Boolean that determines if events should be pulled from the temporary event cache.
forcedType: bool
readonly: False
global: False
helpLink: strelka
@@ -518,9 +514,8 @@ strelka:
helpLink: strelka
advanced: True
frontend:
enabled:
enabled:
description: You can enable or disable Strelka frontend.
forcedType: bool
helpLink: strelka
config:
server:
@@ -569,9 +564,8 @@ strelka:
helpLink: strelka
advanced: True
manager:
enabled:
enabled:
description: You can enable or disable Strelka manager.
forcedType: bool
helpLink: strelka
config:
coordinator:
@@ -588,19 +582,16 @@ strelka:
helpLink: strelka
advanced: True
coordinator:
enabled:
enabled:
description: You can enable or disable Strelka coordinator.
forcedType: bool
helpLink: strelka
gatekeeper:
enabled:
enabled:
description: You can enable or disable Strelka gatekeeper.
forcedType: bool
helpLink: strelka
rules:
enabled:
description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes.
forcedType: bool
readonly: False
global: False
helpLink: strelka

184
salt/suricata/defaults.yaml
View File

@@ -1,20 +1,20 @@
suricata:
enabled: False
pcap:
enabled: false
enabled: "no"
filesize: 1000mb
maxsize: 25
compression: "none"
lz4-checksum: false
lz4-checksum: "no"
lz4-level: 8
filename: "%n/so-pcap.%t"
mode: "multi"
use-stream-depth: false
use-stream-depth: "no"
conditional: "all"
dir: "/nsm/suripcap"
config:
threading:
set-cpu-affinity: false
set-cpu-affinity: "no"
cpu-affinity:
management-cpu-set:
cpu:
@@ -29,17 +29,17 @@ suricata:
interface: bond0
cluster-id: 59
cluster-type: cluster_flow
defrag: true
use-mmap: true
mmap-locked: false
defrag: "yes"
use-mmap: "yes"
mmap-locked: "no"
threads: 1
tpacket-v3: true
tpacket-v3: "yes"
ring-size: 5000
block-size: 69632
block-timeout: 10
use-emergency-flush: true
use-emergency-flush: "yes"
buffer-size: 32768
disable-promisc: false
disable-promisc: "no"
checksum-checks: kernel
vars:
address-groups:
@@ -105,15 +105,15 @@ suricata:
- 6081
default-log-dir: /var/log/suricata/
stats:
enabled: true
enabled: "yes"
interval: 30
outputs:
fast:
enabled: false
enabled: "no"
filename: fast.log
append: true
append: "yes"
eve-log:
enabled: true
enabled: "yes"
filetype: regular
filename: /nsm/eve-%Y-%m-%d-%H:%M.json
rotate-interval: hour
@@ -122,104 +122,104 @@ suricata:
community-id-seed: 0
types:
alert:
payload: false
payload: "no"
payload-buffer-size: 4kb
payload-printable: true
packet: true
payload-printable: "yes"
packet: "yes"
metadata:
app-layer: false
flow: false
rule:
metadata: true
raw: true
tagged-packets: false
tagged-packets: "no"
xff:
enabled: false
enabled: "no"
mode: extra-data
deployment: reverse
header: X-Forwarded-For
unified2-alert:
enabled: false
enabled: "no"
tls-store:
enabled: false
enabled: "no"
alert-debug:
enabled: false
enabled: "no"
alert-prelude:
enabled: false
enabled: "no"
stats:
enabled: true
enabled: "yes"
filename: stats.log
append: true
totals: true
threads: false
null-values: true
append: "yes"
totals: "yes"
threads: "no"
null-values: "yes"
drop:
enabled: false
enabled: "no"
file-store:
version: 2
enabled: false
enabled: "no"
xff:
enabled: false
enabled: "no"
mode: extra-data
deployment: reverse
header: X-Forwarded-For
tcp-data:
enabled: false
enabled: "no"
type: file
filename: tcp-data.log
http-body-data:
enabled: false
enabled: "no"
type: file
filename: http-data.log
lua:
enabled: false
enabled: "no"
scripts:
logging:
default-log-level: notice
outputs:
- console:
enabled: true
enabled: "yes"
- file:
enabled: true
enabled: "yes"
level: info
filename: suricata.log
- syslog:
enabled: false
enabled: "no"
facility: local5
format: "[%i] <%d> -- "
app-layer:
protocols:
krb5:
enabled: true
enabled: "yes"
snmp:
enabled: true
enabled: "yes"
ikev2:
enabled: true
enabled: "yes"
tls:
enabled: true
enabled: "yes"
detection-ports:
dp: 443
ja3-fingerprints: auto
ja4-fingerprints: auto
encryption-handling: track-only
dcerpc:
enabled: true
enabled: "yes"
ftp:
enabled: true
enabled: "yes"
rdp:
enabled: true
enabled: "yes"
ssh:
enabled: true
enabled: "yes"
smtp:
enabled: true
raw-extraction: false
enabled: "yes"
raw-extraction: "no"
mime:
decode-mime: true
decode-base64: true
decode-quoted-printable: true
decode-mime: "yes"
decode-base64: "yes"
decode-quoted-printable: "yes"
header-value-depth: 2000
extract-urls: true
body-md5: false
extract-urls: "yes"
body-md5: "no"
inspected-tracker:
content-limit: 100000
content-inspect-min-size: 32768
@@ -227,27 +227,27 @@ suricata:
imap:
enabled: detection-only
smb:
enabled: true
enabled: "yes"
detection-ports:
dp: 139, 445
nfs:
enabled: true
enabled: "yes"
tftp:
enabled: true
enabled: "yes"
dns:
global-memcap: 16mb
state-memcap: 512kb
request-flood: 500
tcp:
enabled: true
enabled: "yes"
detection-ports:
dp: 53
udp:
enabled: true
enabled: "yes"
detection-ports:
dp: 53
http:
enabled: true
enabled: "yes"
libhtp:
default-config:
personality: IDS
@@ -260,43 +260,43 @@ suricata:
response-body-decompress-layer-limit: 2
http-body-inline: auto
swf-decompression:
enabled: false
enabled: "no"
type: both
compress-depth: 100 KiB
decompress-depth: 100 KiB
randomize-inspection-sizes: true
randomize-inspection-sizes: "yes"
randomize-inspection-range: 10
double-decode-path: false
double-decode-query: false
double-decode-path: "no"
double-decode-query: "no"
server-config:
modbus:
enabled: true
enabled: "yes"
detection-ports:
dp: 502
stream-depth: 0
dnp3:
enabled: true
enabled: "yes"
detection-ports:
dp: 20000
enip:
enabled: true
enabled: "yes"
detection-ports:
dp: 44818
sp: 44818
ntp:
enabled: true
enabled: "yes"
dhcp:
enabled: true
enabled: "yes"
sip:
enabled: true
enabled: "yes"
rfb:
enabled: true
enabled: 'yes'
detection-ports:
dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
mqtt:
enabled: false
enabled: 'no'
http2:
enabled: true
enabled: 'yes'
asn1-max-frames: 256
run-as:
user: suricata
@@ -312,8 +312,8 @@ suricata:
legacy:
uricontent: enabled
engine-analysis:
rules-fast-pattern: true
rules: true
rules-fast-pattern: "yes"
rules: "yes"
pcre:
match-limit: 3500
match-limit-recursion: 1500
@@ -336,7 +336,7 @@ suricata:
hash-size: 65536
trackers: 65535
max-frags: 65535
prealloc: true
prealloc: "yes"
timeout: 60
flow:
memcap: 128mb
@@ -380,14 +380,14 @@ suricata:
emergency-bypassed: 50
stream:
memcap: 64mb
checksum-validation: true
checksum-validation: "yes"
inline: auto
reassembly:
memcap: 256mb
depth: 1mb
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: true
randomize-chunk-size: "yes"
host:
hash-size: 4096
prealloc: 1000
@@ -432,38 +432,38 @@ suricata:
allow-restricted-functions: false
profiling:
rules:
enabled: true
enabled: "yes"
filename: rule_perf.log
append: true
append: "yes"
limit: 10
json: true
json: "yes"
keywords:
enabled: true
enabled: "yes"
filename: keyword_perf.log
append: true
append: "yes"
prefilter:
enabled: true
enabled: "yes"
filename: prefilter_perf.log
append: true
append: "yes"
rulegroups:
enabled: true
enabled: "yes"
filename: rule_group_perf.log
append: true
append: "yes"
packets:
enabled: true
enabled: "yes"
filename: packet_stats.log
append: true
append: "yes"
csv:
enabled: false
enabled: "no"
filename: packet_stats.csv
locks:
enabled: false
enabled: "no"
filename: lock_stats.log
append: true
append: "yes"
pcap-log:
enabled: false
enabled: "no"
filename: pcaplog_stats.log
append: true
append: "yes"
default-rule-path: /etc/suricata/rules
rule-files:
- all-rulesets.rules

21
salt/suricata/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'suricata/map.jinja' import SURICATAMERGED %}
@@ -20,15 +20,16 @@ so-suricata:
- privileged: True
- environment:
- INTERFACE={{ GLOBALS.sensor.interface }}
{% if DOCKERMERGED.containers['so-suricata'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-suricata'].extra_env %}
{% if DOCKER.containers['so-suricata'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-suricata'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-suricata'].ulimits %}
{# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #}
{% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- binds:
@@ -41,15 +42,15 @@ so-suricata:
- /nsm/suricata/extracted:/var/log/suricata//filestore:rw
- /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
- /nsm/suripcap/:/nsm/suripcap:rw
{% if DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
{% if DOCKER.containers['so-suricata'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- network_mode: host
{% if DOCKERMERGED.containers['so-suricata'].extra_hosts %}
{% if DOCKER.containers['so-suricata'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-suricata'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-suricata'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}

16
salt/suricata/map.jinja
View File

@@ -43,18 +43,22 @@
- interface: {{ GLOBALS.sensor.interface }}
cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
defrag: {{ SURICATAMERGED.config['af-packet'].defrag }}
use-mmap: {{ SURICATAMERGED.config['af-packet']['use-mmap'] }}
mmap-locked: {{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}
defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}"
use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}"
mmap-locked: "{{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}"
threads: {{ SURICATAMERGED.config['af-packet'].threads }}
tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}
tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}"
ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }}
block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }}
use-emergency-flush: {{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}
use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}"
buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }}
disable-promisc: {{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}
disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}"
{% if SURICATAMERGED.config['af-packet']['checksum-checks'] in ['yes', 'no'] %}
checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"
{% else %}
checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}
{% endif %}
{% endload %}
{% do SURICATAMERGED.config.pop('af-packet') %}
{% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}

131
salt/suricata/soc_suricata.yaml
View File

@@ -1,7 +1,6 @@
suricata:
enabled:
enabled:
description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture.
forcedType: bool
helpLink: suricata
thresholding:
sids__yaml:
@@ -38,9 +37,8 @@ suricata:
description: Enable compression of Suricata PCAP files.
advanced: True
helpLink: suricata
lz4-checksum:
lz4-checksum:
description: Enable PCAP lz4 checksum.
forcedType: bool
advanced: True
helpLink: suricata
lz4-level:
@@ -57,10 +55,11 @@ suricata:
advanced: True
readonly: True
helpLink: suricata
use-stream-depth:
description: Set to false to ignore the stream depth and capture the entire flow. Set to true to truncate the flow based on the stream depth.
forcedType: bool
use-stream-depth:
description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth.
advanced: True
regex: ^(yes|no)$
regexFailureMessage: You must enter either yes or no.
helpLink: suricata
conditional:
description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
@@ -85,16 +84,15 @@ suricata:
advanced: True
regex: ^(cluster_flow|cluster_qm)$
defrag:
description: Enable defragmentation of IP packets before processing.
forcedType: bool
advanced: True
regex: ^(yes|no)$
use-mmap:
advanced: True
readonly: True
mmap-locked:
description: Prevent swapping by locking the memory map.
forcedType: bool
advanced: True
regex: ^(yes|no)$
helpLink: suricata
threads:
description: The amount of worker threads.
@@ -118,9 +116,9 @@ suricata:
forcedType: int
helpLink: suricata
use-emergency-flush:
description: In high-traffic environments, enabling this option aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
forcedType: bool
description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
advanced: True
regex: ^(yes|no)$
helpLink: suricata
buffer-size:
description: Increasing the value of the receive buffer may improve performance.
@@ -128,33 +126,30 @@ suricata:
forcedType: int
helpLink: suricata
disable-promisc:
description: Disable promiscuous mode on the capture interface.
forcedType: bool
description: Promiscuous mode can be disabled by setting this to "yes".
advanced: True
regex: ^(yes|no)$
helpLink: suricata
checksum-checks:
description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
advanced: True
options:
- kernel
- yes
- no
- auto
regex: ^(kernel|yes|no|auto)$
helpLink: suricata
threading:
set-cpu-affinity:
description: Bind or unbind management and worker threads to a core or range of cores.
forcedType: bool
description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
regex: ^(yes|no)$
regexFailureMessage: You must enter either yes or no.
helpLink: suricata
cpu-affinity:
management-cpu-set:
cpu:
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used.
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
forcedType: "[]string"
helpLink: suricata
worker-cpu-set:
cpu:
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used.
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
forcedType: "[]string"
helpLink: suricata
vars:
@@ -203,44 +198,11 @@ suricata:
GENEVE_PORTS: *suriportgroup
outputs:
eve-log:
pcap-file:
description: Log the PCAP filename that a packet was read from when processing pcap files.
forcedType: bool
advanced: True
helpLink: suricata
community-id:
description: Enable Community ID flow hashing for consistent event correlation across tools.
forcedType: bool
advanced: True
helpLink: suricata
types:
alert:
metadata:
app-layer:
description: Include app-layer metadata in alert events.
forcedType: bool
advanced: True
helpLink: suricata
flow:
description: Include flow metadata in alert events.
forcedType: bool
advanced: True
helpLink: suricata
rule:
metadata:
description: Include rule metadata in alert events.
forcedType: bool
advanced: True
helpLink: suricata
raw:
description: Include raw rule text in alert events.
forcedType: bool
advanced: True
helpLink: suricata
xff:
enabled:
description: Enable X-Forward-For support.
forcedType: bool
helpLink: suricata
mode:
description: Operation mode. This should always be extra-data if you use PCAP.
@@ -280,9 +242,8 @@ suricata:
max-frags:
description: Max number of fragments to keep
helpLink: suricata
prealloc:
prealloc:
description: Preallocate memory.
forcedType: bool
helpLink: suricata
timeout:
description: Timeout value.
@@ -303,7 +264,6 @@ suricata:
helpLink: suricata
checksum-validation:
description: Validate checksum of packets.
forcedType: bool
helpLink: suricata
reassembly:
memcap:
@@ -326,7 +286,6 @@ suricata:
teredo:
enabled:
description: Enable TEREDO capabilities
forcedType: bool
helpLink: suricata
ports:
description: Ports to listen for. This should be a variable.
@@ -334,58 +293,14 @@ suricata:
vxlan:
enabled:
description: Enable VXLAN capabilities.
forcedType: bool
helpLink: suricata
ports:
description: Ports to listen for. This should be a variable.
ports:
description: Ports to listen for. This should be a variable.
helpLink: suricata
geneve:
enabled:
description: Enable VXLAN capabilities.
forcedType: bool
helpLink: suricata
ports:
description: Ports to listen for. This should be a variable.
helpLink: suricata
recursion-level:
use-for-tracking:
description: Controls whether the decoder recursion level is used for flow tracking.
forcedType: bool
advanced: True
helpLink: suricata
vlan:
use-for-tracking:
description: Enable VLAN tracking for flow identification. When enabled, VLAN tags are used to differentiate flows.
forcedType: bool
advanced: True
helpLink: suricata
detect:
profiling:
grouping:
dump-to-disk:
description: Dump detection engine grouping information to disk for analysis.
forcedType: bool
advanced: True
helpLink: suricata
include-rules:
description: Include individual rule details in grouping profiling output.
forcedType: bool
advanced: True
helpLink: suricata
include-mpm-stats:
description: Include multi-pattern matcher statistics in grouping profiling output.
forcedType: bool
advanced: True
helpLink: suricata
security:
lua:
allow-rules:
description: Allow Lua rules in the Suricata ruleset. Enabling Lua rules may introduce security risks.
forcedType: bool
advanced: True
helpLink: suricata
allow-restricted-functions:
description: Allow restricted Lua functions such as file I/O. Enabling this may introduce security risks.
forcedType: bool
advanced: True
ports:
description: Ports to listen for. This should be a variable.
helpLink: suricata

4
salt/telegraf/defaults.yaml
View File

@@ -7,8 +7,8 @@ telegraf:
collection_jitter: '0s'
flush_interval: '10s'
flush_jitter: '0s'
debug: false
quiet: false
debug: 'false'
quiet: 'false'
scripts:
eval:
- agentstatus.sh

20
salt/telegraf/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
include:
@@ -25,8 +25,8 @@ so-telegraf:
- HOST_SYS=/host/sys
- HOST_MOUNT_PREFIX=/host
- GODEBUG=x509ignoreCN=0
{% if DOCKERMERGED.containers['so-telegraf'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-telegraf'].extra_env %}
{% if DOCKER.containers['so-telegraf'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-telegraf'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
@@ -55,23 +55,17 @@ so-telegraf:
{% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
- /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro
{% endif %}
{% if DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
{% if DOCKER.containers['so-telegraf'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
{% if DOCKER.containers['so-telegraf'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-telegraf'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-telegraf'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-telegraf'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: trusttheca
- x509: telegraf_crt

4
salt/telegraf/etc/telegraf.conf
View File

@@ -56,9 +56,9 @@
## Logging configuration:
## Run telegraf with debug log messages.
debug = {{ 'true' if TELEGRAFMERGED.config.debug else 'false' }}
debug = {{ TELEGRAFMERGED.config.debug }}
## Run telegraf in quiet mode (error log messages only).
quiet = {{ 'true' if TELEGRAFMERGED.config.quiet else 'false'}}
quiet = false
## Specify the log file name. The empty string means to log to stderr.
logfile = "/var/log/telegraf/telegraf.log"

11
salt/telegraf/soc_telegraf.yaml
View File

@@ -1,7 +1,6 @@
telegraf:
enabled:
enabled:
description: Enables the grid metrics collection process. WARNING - Security Onion grid health monitoring requires this process to remain enabled. Disabling it will cause unexpected and unsupported results.
forcedType: bool
advanced: True
helpLink: influxdb
config:
@@ -35,13 +34,13 @@ telegraf:
advanced: True
helpLink: influxdb
debug:
description: Run telegraf with debug log messages
forcedType: bool
description: Data collection interval.
global: True
advanced: True
helpLink: influxdb
quiet:
description: Run telegraf in quiet mode (error log messages only).
forcedType: bool
description: Data collection interval.
global: True
advanced: True
helpLink: influxdb
scripts:

6
salt/vars/globals.map.jinja
View File

@@ -1,5 +1,5 @@
{% import 'vars/init.map.jinja' as INIT %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'global/map.jinja' import GLOBALMERGED %}
{% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #}
@@ -25,8 +25,8 @@
'pcap_engine': GLOBALMERGED.pcapengine,
'pipeline': GLOBALMERGED.pipeline,
'so_version': INIT.PILLAR.global.soversion,
'so_docker_gateway': DOCKERMERGED.gateway,
'so_docker_range': DOCKERMERGED.range,
'so_docker_gateway': DOCKER.gateway,
'so_docker_range': DOCKER.range,
'url_base': INIT.PILLAR.global.url_base,
'so_model': INIT.GRAINS.get('sosmodel',''),
'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,

2
salt/zeek/config.sls
View File

@@ -167,7 +167,7 @@ zeekja4cfg:
- group: 939
- template: jinja
- defaults:
JA4PLUS: {{ ZEEKMERGED.ja4plus.enabled }}
JA4PLUS_ENABLED: {{ ZEEKMERGED.ja4plus_enabled }}
# BPF compilation failed
{% if ZEEKBPF and not ZEEK_BPF_STATUS %}

3
salt/zeek/defaults.yaml
View File

@@ -1,7 +1,6 @@
zeek:
enabled: False
ja4plus:
enabled: False
ja4plus_enabled: False
config:
node:
lb_procs: 0

21
salt/zeek/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
@@ -18,12 +18,9 @@ so-zeek:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
- start: True
- privileged: True
{% if DOCKERMERGED.containers['so-zeek'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-zeek'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- core=0
- nofile=1048576:1048576
- binds:
- /nsm/zeek/logs:/nsm/zeek/logs:rw
- /nsm/zeek/spool:/nsm/zeek/spool:rw
@@ -39,21 +36,21 @@ so-zeek:
- /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
- /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
- /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro
{% if DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
{% if DOCKER.containers['so-zeek'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- network_mode: host
{% if DOCKERMERGED.containers['so-zeek'].extra_hosts %}
{% if DOCKER.containers['so-zeek'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-zeek'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-zeek'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-zeek'].extra_env %}
{% if DOCKER.containers['so-zeek'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-zeek'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-zeek'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}

16
salt/zeek/files/config.zeek.ja4
View File

@@ -8,20 +8,20 @@ export {
option JA4_raw: bool = F;
# FoxIO license required for JA4+
option JA4S_enabled: bool = {{ 'T' if JA4PLUS else 'F' }};
option JA4S_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
option JA4S_raw: bool = F;
option JA4D_enabled: bool = {{ 'T' if JA4PLUS else 'F' }};
option JA4D_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
option JA4H_enabled: bool = {{ 'T' if JA4PLUS else 'F' }};
option JA4H_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
option JA4H_raw: bool = F;
option JA4L_enabled: bool = {{ 'T' if JA4PLUS else 'F' }};
option JA4L_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
option JA4SSH_enabled: bool = {{ 'T' if JA4PLUS else 'F' }};
option JA4SSH_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
option JA4T_enabled: bool = {{ 'T' if JA4PLUS else 'F' }};
option JA4TS_enabled: bool = {{ 'T' if JA4PLUS else 'F' }};
option JA4T_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
option JA4TS_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
option JA4X_enabled: bool = {{ 'T' if JA4PLUS else 'F' }};
option JA4X_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
}

9
salt/zeek/soc_zeek.yaml
View File

@@ -1,14 +1,11 @@
zeek:
enabled:
description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled.
helpLink: zeek
ja4plus_enabled:
description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license (https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
forcedType: bool
helpLink: zeek
ja4plus:
enabled:
description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license [https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
forcedType: bool
helpLink: zeek
advanced: False
config:
local:
load: