Salt
"Salt delivers a dynamic communication bus for infrastructures that can be used for orchestration, remote execution, configuration management and much more."
"OnionSalt is a tool created to manage multiple Security Onion sensors."
https://github.com/TOoSmOotH/onionsalt
Please note that Salt is totally optional. If you're happy with your current method of sensor management, then you don't have to install securityonion-onionsalt and nothing will change for you.
Please be advised that our Salt integration is still considered experimental.
Sensors need to be able to connect to the master server on ports 4505/tcp and 4506/tcp:
http://docs.saltstack.com/topics/tutorials/firewall.html
For new deployments, Advanced Setup checks to see if the securityonion-onionsalt package is installed and, if so, asks if you want to enable Salt. Simply answer "Yes" and it will configure salt-master and/or salt-minion services and open firewall ports as necessary.
For existing deployments, please see:
Want to verify all your sensors are up?
```sh
sudo salt '*' test.ping
```
Want to execute a command on all your sensors at once?
```sh
sudo salt '*' cmd.run 'InsertYourCommandHere'
```
When you install and enable securityonion-onionsalt, the following data will replicate from the master server out to the sensors every 15 minutes:
- user accounts and sudoers in /opt/onionsalt/pillar/users/init.sls
- user ssh keys in /opt/onionsalt/salt/users/keys/
  - For each user account in /opt/onionsalt/pillar/users/init.sls, you can add an SSH public key to /opt/onionsalt/salt/users/keys/USERNAME.id_rsa.pub (replacing USERNAME with the user's actual username)
- NIDS rules in /etc/nsm/rules/ (Snort/Suricata/barnyard will automatically restart as necessary)
- HIDS rules in /var/ossec/rules/local_rules.xml (OSSEC will automatically restart as necessary)
- Bro scripts in /opt/bro/share/bro/policy/
  - Bro does not restart automatically, but you can easily use salt on your master server to tell all your Bro instances to update and restart:
    ```sh
    # Force all Salt minions to update Bro scripts
    sudo salt '*' cmd.run 'salt-call state.highstate'
    # Restart Bro
    sudo salt '*' cmd.run 'nsm_sensor_ps-restart --only-bro'
    ```
- Bro intel in /opt/bro/share/bro/intel/
  - You'll need to restart Bro as shown above if you add any intel files to the default intel.dat. After that initial Bro restart, Bro should be watching the intel files with the Input framework, which should automatically notice if the files ever change (new intel is added). In many cases, you won't need to restart Bro if you're just adding intel to the existing intel file(s).
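Because everything under /opt/onionsalt/salt/users/keys/ is pushed to every sensor within 15 minutes, a malformed or wrong-type key file is replicated before anyone notices. The following is an added example (not part of the OnionSalt project) of a small POSIX shell helper that checks an OpenSSH public key line and the username before writing the USERNAME.id_rsa.pub file. The function name `add_user_key`, the directory argument (so it can be pointed at a scratch directory instead of the real keys directory) and the key material used in comments are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not OnionSalt code): validate an SSH public key line before
# dropping it into the keys directory that Salt replicates to every sensor.
#
# Usage: add_user_key KEYS_DIR USERNAME "ssh-ed25519 AAAA... comment"
# On a master that would be: add_user_key /opt/onionsalt/salt/users/keys alice "$KEY"
# Writes KEYS_DIR/USERNAME.id_rsa.pub and returns 0, or returns 1 and writes nothing.
add_user_key() {
    keys_dir=$1; user=$2; keyline=$3

    # The username becomes part of a filename, so restrict it to a plain
    # POSIX account name (no '/', no '..', no shell metacharacters).
    if ! printf '%s\n' "$user" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'; then
        echo "add_user_key: invalid username '$user'" >&2; return 1
    fi

    # Refuse anything that looks like private key material.
    case "$keyline" in
        *"PRIVATE KEY"*) echo "add_user_key: refusing private key material" >&2; return 1 ;;
    esac

    # An OpenSSH public key line is: <type> <base64 blob> [comment]
    keytype=$(printf '%s' "$keyline" | awk '{print $1}')
    blob=$(printf '%s' "$keyline" | awk '{print $2}')
    comment=$(printf '%s' "$keyline" | cut -d' ' -f3-)
    [ -n "$blob" ] || { echo "add_user_key: missing key blob" >&2; return 1; }

    # The blob starts with a length-prefixed copy of the key type, so its
    # base64 encoding must begin with a fixed prefix for each supported type.
    # A line whose declared type disagrees with its blob is rejected.
    case "$keytype:$blob" in
        ssh-ed25519:AAAAC3NzaC1lZDI1NTE5*) ;;
        ssh-rsa:AAAAB3NzaC1yc2E*) ;;
        ecdsa-sha2-nistp256:AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY*) ;;
        *) echo "add_user_key: unsupported or inconsistent key type '$keytype'" >&2; return 1 ;;
    esac

    # The blob must be well-formed base64 (correct alphabet and padding).
    if ! printf '%s' "$blob" | base64 -d >/dev/null 2>&1; then
        echo "add_user_key: key blob is not valid base64" >&2; return 1
    fi

    # Exactly one key per file, normalised to single spaces, world-readable
    # like any other public key file.
    printf '%s %s%s\n' "$keytype" "$blob" "${comment:+ $comment}" > "$keys_dir/$user.id_rsa.pub"
    chmod 0644 "$keys_dir/$user.id_rsa.pub"
}
```

The type-prefix check is the useful part: it catches the common mistake of pasting an `ssh-rsa` blob under an `ssh-ed25519` label (or vice versa), which sshd would silently ignore on every sensor after replication.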
In addition, Salt is a full configuration management system, so you can script anything that you want to deploy across your army of sensors.
You can use Salt and Soup to install updates across your entire deployment, but please remember to always update your master server first:
```sh
# Update Master first
# If MySQL and/or kernel updates are installed, it will reboot
sudo soup -y
# After Master server is fully updated, now update the rest of the deployment
# If MySQL and/or kernel updates are installed, the sensors will reboot
sudo salt '*' cmd.run 'soup -y'
```
If you need to modify the values in /etc/salt/master or /etc/salt/minion, please pay attention to this note at the top of each file:
```sh
# /etc/salt/master
# Per default, the master will automatically include all config files
# from master.d/*.conf (master.d is a directory in the same directory
# as the main master config file)
#default_include: master.d/*.conf
```
```sh
# /etc/salt/minion
# Per default the minion will automatically include all config files
# from minion.d/*.conf (minion.d is a directory in the same directory
# as the main minion config file).
#default_include: minion.d/*.conf
```
Instead of modifying /etc/salt/master or /etc/salt/minion directly, please add your custom settings in /etc/salt/master.d/*.conf or /etc/salt/minion.d/*.conf, respectively.
```sh
# Make sure the necessary packages are installed and updated
sudo apt-get update && sudo apt-get install securityonion-onionsalt
# Edit /opt/onionsalt/salt/top.sls and add your master as a "backend"
# Open salt ports in firewall:
# sudo ufw allow salt
# OR preferably just allow from your sensor IP addresses like this:
# sudo ufw allow proto tcp from a.b.c.d to any port 4505,4506
# Also see our Firewall page:
# https://github.com/Security-Onion-Solutions/security-onion/wiki/Firewall
# Configure minion
echo "master: localhost" | sudo tee -a /etc/salt/minion.d/onionsalt.conf
# Allow salt-master and salt-minion to start on boot if they had previously been disabled
[ -f /etc/init/salt-master.DISABLED ] && sudo mv /etc/init/salt-master.DISABLED /etc/init/salt-master.conf
[ -f /etc/init/salt-master.override ] && sudo rm -f /etc/init/salt-master.override
[ -f /etc/init/salt-minion.DISABLED ] && sudo mv /etc/init/salt-minion.DISABLED /etc/init/salt-minion.conf
[ -f /etc/init/salt-minion.override ] && sudo rm -f /etc/init/salt-minion.override
# Restart minion
sudo service salt-minion restart
# List the salt keys:
sudo salt-key -L
# You should see an unaccepted salt key for the minion, add it:
sudo salt-key -a '*'
# Verify that the master can communicate with the minion:
sudo salt '*' test.ping
# Tell salt to do an update
sudo salt '*' state.highstate
```
```sh
# Make sure the necessary packages are installed and updated
sudo apt-get update && sudo apt-get install securityonion-onionsalt
# Stop the running salt-master
sudo service salt-master stop
# Disable salt-master
[ -f /etc/init/salt-master.conf ] && echo "manual" | sudo tee /etc/init/salt-master.override
# Allow salt-minion to start on boot if it had previously been disabled
[ -f /etc/init/salt-minion.DISABLED ] && sudo mv /etc/init/salt-minion.DISABLED /etc/init/salt-minion.conf
[ -f /etc/init/salt-minion.override ] && sudo rm -f /etc/init/salt-minion.override
# Configure minion
MASTER=`grep SENSOR_SERVER_HOST /etc/nsm/*/sensor.conf |head -1 |cut -d\" -f2`
echo "master: $MASTER" | sudo tee -a /etc/salt/minion.d/onionsalt.conf
# Restart minion
sudo service salt-minion restart
# Edit /opt/onionsalt/salt/top.sls and add the new minion as a "sensor"
# List the salt keys:
sudo salt-key -L
# You should see an unaccepted salt key for the sensor, add it:
sudo salt-key -a '*'
# Verify that the master can communicate with all minions:
sudo salt '*' test.ping
# Tell all minions to do an update
sudo salt '*' state.highstate
```
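The sensor steps above derive the master address from SENSOR_SERVER_HOST in /etc/nsm/*/sensor.conf and append it to the minion.d drop-in recommended in the configuration note earlier on this page. If no sensor.conf sets that value, the one-liner silently writes an empty `master:` line and the minion never reaches the master. The following is an added example (not OnionSalt's own script) that performs the same derivation but refuses to write the drop-in when the value is missing or malformed. The function names, the directory arguments (so it can run against constructed files instead of /etc/nsm and /etc/salt/minion.d) and the sample sensor.conf contents are assumptions of this example.

```shell
#!/bin/sh
# Added example (not OnionSalt code): derive the Salt master for a sensor from
# the Security Onion sensor.conf files and write the minion.d drop-in only when
# the derived value is usable. On a real sensor the arguments would be
# /etc/nsm and /etc/salt/minion.d; here they are parameters.

# Print the first SENSOR_SERVER_HOST value found in NSM_DIR/*/sensor.conf.
# Returns 1 and prints nothing when no file sets it.
derive_master() {
    nsm_dir=$1
    for conf in "$nsm_dir"/*/sensor.conf; do
        [ -f "$conf" ] || continue
        # sensor.conf lines look like: SENSOR_SERVER_HOST="192.0.2.10"
        host=$(grep '^SENSOR_SERVER_HOST=' "$conf" | head -n 1 | cut -d'"' -f2)
        if [ -n "$host" ]; then
            printf '%s\n' "$host"
            return 0
        fi
    done
    return 1
}

# Accept only a plausible hostname or IPv4 address, so a mangled config
# cannot become an empty or multi-token value in the YAML drop-in.
valid_master() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]{0,253})$'
}

# Write MINION_D/onionsalt.conf containing the master setting and print the
# value used. Returns 1 and writes nothing when the value is missing or bad.
write_minion_conf() {
    nsm_dir=$1; minion_d=$2
    master=$(derive_master "$nsm_dir") || {
        echo "write_minion_conf: no SENSOR_SERVER_HOST found under $nsm_dir" >&2
        return 1
    }
    valid_master "$master" || {
        echo "write_minion_conf: refusing malformed master value '$master'" >&2
        return 1
    }
    # One setting per drop-in file; /etc/salt/minion itself is left untouched,
    # as the default_include note on this page recommends.
    printf 'master: %s\n' "$master" > "$minion_d/onionsalt.conf"
    printf '%s\n' "$master"
}
```

After writing the drop-in, the remaining steps are unchanged: restart salt-minion, then accept the key on the master.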
http://www.geekempire.com/2014/09/onionsalt-saltstack-cheat-sheer.html