Threat hunting with SaltOpen

Introduction

The SaltStack platform is an open-source and Python-based configuration management software. Using Salt, developers and system administrators can better manage their infrastructure and deploy code and changes.

In this article we’ll be running SaltOpen, the open-source version of Salt Enterprise, to see how both the master and minion installations can be used to perform various threat hunting functions for threat hunting teams in Cybersecurity departments.

Overview of Salt

Salt is made up of six modules that can influence its functionality and management. These modules determine the actions that the Salt user intends to carry out. They include:

1. Execution modules: These represent functions that are available for direct execution from the remote execution engine
2. State modules: These make up the back end for the Salt configuration management system
3. Grains: These detect static information about a system
4. Render modules: These make it possible to render information to the Salt state system
5. Returners: These manage arbitrary return locations
6. Runners: These are master-side convenience applications which are executed by the salt-run command

Initial setup and first run

Installation of Salt Open is a pretty straightforward process; a good guide to it can be found here. In our case, we’ll be running the master and minion on Ubuntu 18.04 systems. Once you have installed the salt-master on your master and salt-minion on your minions, you can start them both using the following commands respectively.

Salt master configuration

sudo systemctl start salt-master

Sponsorships Available

Sponsorships Available

Sponsorships Available

The following screenshot shows the result of running the command above.

We need to be able to reach our minions. To do this, we edit the salt master config file to contain the location of the salt minion. This is done by editing the file /etc/salt/master to add the line ‘interface: 192.168.100.30’, where the IP address (Read more...)