Merge pull request #340 from Security-Onion-Solutions/dev

Update Readme and index.html

README.md

@@ -1,36 +1,25 @@
-## Hybrid Hunter Alpha 1.1.3
-
-### ISO Download:
-
-[HH1.1.3-21.iso](https://github.com/Security-Onion-Solutions/securityonion-hh-iso/releases/download/HH1.1.3/HH-1.1.3-21.iso)  
-MD5: 0FDACF6A2BB63B390C4D7FA46CCA3AA5  
-SHA1: 20506D5C535CF5D0E2F7440C8ACBE9D318049B7D  
-SHA256: EAEE7DC173F0E91BED43BDA13A84A20167975B5F7BD6598BE2D434AB29EAC51B
-
-
-```
-Default Username: onion
-Default Password: V@daL1aZ
-```
+## Hybrid Hunter Alpha 1.1.4 - Feature Parity Release
 
 ### Changes:
 
-- Overhaul of the setup script to support both ISO and network based setups.
-- ISO will now boot properly from a USB stick.
-- Python 3 is now default.
-- Fix Filebeat from restarting every check in due to x509 refresh issue. 
-- Cortex installed and integrated with TheHive. 
-- Switched to using vanilla Kolide Fleet and upgraded to latest version (2.4) .  
-- Playbook changes:
-  - Now preloaded with Plays generated from Sysmon Sigma signatures in the [Sigma community repo](https://github.com/Neo23x0/sigma/tree/master/rules/windows/sysmon).  
-  - New update script that updates / pulls in new Sigma signatures from the community repo .
-  - Bulk enable / disable plays from the webui . 
-  - Updated sigmac mapping template & configuration (backend is now `elastalert`) . 
-  - Updated TheHive alerts formatting . 
-- OS patch scheduling:
-  - During setup, choose between auto, manual, or scheduled OS patch interval
-  - For scheduled, create a new or import an existing named schedule
-
+- Added new in-house auth method [Security Onion Auth](https://github.com/Security-Onion-Solutions/securityonion-auth).
+- Web user creation is done via the browser now instead of so-user-add.
+- New Logstash pipeline setup. Now uses multiple pipelines.
+- New Master + Search node type and well as a Heavy Node type in the install. 
+- Change all nodes to point to the docker registry on the Master. This cuts down on the calls to dockerhub.
+- Zeek 3.0.1
+- Elastic 6.8.6
+- New SO Start | Stop | Restart scripts for all components (eg. `so-playbook-restart`).
+- BPF support for Suricata (NIDS), Steno (PCAP) & Zeek ([Docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/BPF)).
+- Updated Domain Stats & Frequency Server containers to Python3 & created new Salt states for them.
+- Added so-status script which gives an easy to read look at container status.
+- Manage threshold.conf for Suricata using the thresholding pillar.
+- The ISO now includes all the docker containers for faster install speeds.
+- You now set the password for the onion account during the iso install. This account is temporary and will be removed after so-setup. 
+- Updated Helix parsers for better compatibility.
+- Updated telegraf docker to include curl and jq.
+- CVE-2020-0601 Zeek Detection Script. 
+- ISO Install now prompts you to create a password for the onion user during imaging. This account gets disabled during setup.
 
 
 ### Warnings and Disclaimers

salt/common/init.sls

@@ -102,6 +102,13 @@ nginxconf:
     - template: jinja
     - source: salt://common/nginx/nginx.conf.{{ grains.role }}
 
+copyindex:
+  file.managed:
+    - name: /opt/so/conf/nginx/index.html
+    - user: 939
+    - group: 939
+    - source: salt://common/nginx/index.html
+
 nginxlogdir:
   file.directory:
     - name: /opt/so/log/nginx/
@@ -124,6 +131,7 @@ so-core:
     - binds:
       - /opt/so:/opt/so:rw
       - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - /opt/so/conf/nginx/index.html:/opt/socore/html/index.html:ro
       - /opt/so/log/nginx/:/var/log/nginx:rw
       - /opt/so/tmp/nginx/:/var/lib/nginx:rw
       - /opt/so/tmp/nginx/:/run:rw
@@ -189,7 +197,7 @@ so-telegraf:
       - /proc:/host/proc:ro
       - /nsm:/host/nsm:ro
       - /etc:/host/etc:ro
-      {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
+      {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
       - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro
       {% else %}
       - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro

salt/common/nginx/index.html

@@ -0,0 +1,130 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<title>Security Onion - Hybrid Hunter</title>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
+<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
+<style>
+* {
+  box-sizing: border-box;
+  font-family: Arial, Helvetica, sans-serif;
+	padding-left: 30px;
+	padding-right: 30px;
+}
+
+body {
+  font-family: Arial, Helvetica, sans-serif;
+	background-color: #2a2a2a;
+
+}
+a {
+	color: #f2f2f2;
+	text-align: left;
+	padding: 0px;
+}
+
+.center {
+	margin: 0 auto;
+}
+
+/* Style the top navigation bar */
+.topnav {
+  overflow: hidden;
+  background-color: #333;
+  width: 1080px;
+  display: flex;
+  align-content: center;
+}
+
+/* Style the topnav links */
+.topnav a {
+  margin: auto;
+  color: #f2f2f2;
+  text-align: center;
+  padding: 14px 16px;
+  text-decoration: none;
+}
+
+/* Change color on hover */
+.topnav a:hover {
+  background-color: #ddd;
+  color: black;
+}
+
+/* Style the content */
+.content {
+  background-color: #2a2a2a;
+  padding: 10px;
+	padding-top: 20px;
+	padding-left: 60px;
+	color: #E3DBCC;
+	width: 1080px;
+}
+
+/* Style the footer */
+.footer {
+  background-color: #2a2a2a;
+  padding: 60px;
+  color: #E3DBCC;
+  width: 1080px;
+}
+
+</style>
+</head>
+<body>
+	<div class="center">
+		<div class="topnav center">
+			<a href="/so-auth/loginpage/create-user" target="_blank">Create New User</a>
+			<a href="/kibana/" target="_blank">Kibana</a>
+			<a href="/grafana/" target="_blank">Grafana</a>
+			<a href="/sensoroni/" target="_blank">Sensoroni</a>
+	  		<a href="/playbook/" target="_blank">Playbook</a>
+			<a href="/fleet/" target="_blank">Fleet</a>
+			<a href="/thehive/" target="_blank">TheHive</a>
+			<a href="/packages/" target="_blank">Osquery Packages</a>
+			<a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ" target="_blank">FAQ</a>
+			<a href="https://www.securityonionsolutions.com" target="_blank">Security Onion Solutions</a>
+			<a href="https://blog.securityonion.net" target="_blank">Blog</a>
+		</div>
+
+		<div class="content center">
+			<center><a href="https://securityonion.net"><img STYLE="border: none;" src="alpha_logo.jpg" alt="Security Onion" align="center" target="_blank"></img></a><br></center>
+
+			<p><center><h1>Hybrid Hunter Alpha 1.1.4 - Feature Parity Release</h1></center><br>
+				<h2>Changes:</h2>
+        <ul>
+          <li>Added new in-house auth method [Security Onion Auth](https://github.com/Security-Onion-Solutions/securityonion-auth).</li>
+          <li>Web user creation is done via the browser now instead of so-user-add.</li>
+          <li>New Logstash pipeline setup. Now uses multiple pipelines.</li>
+          <li>New Master + Search node type and well as a Heavy Node type in the install.</li>
+          <li>Change all nodes to point to the docker registry on the Master. This cuts down on the calls to dockerhub.</li>
+          <li>Zeek 3.0.1</li>
+          <li>Elastic 6.8.6</li>
+          <li>New SO Start | Stop | Restart scripts for all components (eg. `so-playbook-restart`).</li>
+          <li>BPF support for Suricata (NIDS), Steno (PCAP) & Zeek ([Docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/BPF)).</li>
+          <li>Updated Domain Stats & Frequency Server containers to Python3 & created new Salt states for them.</li>
+          <li>Added so-status script which gives an easy to read look at container status.</li>
+          <li>Manage threshold.conf for Suricata using the thresholding pillar.</li>
+          <li>The ISO now includes all the docker containers for faster install speeds.</li>
+          <li>You now set the password for the onion account during the iso install. This account is temporary and will be removed after so-setup.</li>
+          <li>Updated Helix parsers for better compatibility.</li>
+          <li>Updated telegraf docker to include curl and jq.</li>
+          <li>CVE-2020-0601 Zeek Detection Script.</li>
+          <li>ISO Install now prompts you to create a password for the onion user during imaging. This account gets disabled during setup.</li>
+    		  <li>Check out the <a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide" target="_blank">Hybrid Hunter Quick Start Guide</a>.</li>
+		   </ul>
+	  </p>
+		</div>
+
+		<div class="footer center">
+		<b>Disclaimer of Warranty</b><br>
+			<small>THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM .AS IS. WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.</small><br>
+			<br>
+			<b>Limitation of Liability</b><br>
+			<small>IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.</small><br>
+		</div>
+	</div>
+</body>
+</html>