diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
index 4e5f97678..8b23dcd44 100755
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -182,7 +182,9 @@ function add_analyst_to_minion() {
 " gui:"\
 " enabled: true"\
 "sensoroni:"\
- " node_description: '${NODE_DESCRIPTION//\'/''}'" >> $PILLARFILE
+ " enabled: True"\
+ " config:"\
+ " node_description: '${NODE_DESCRIPTION//\'/''}'" >> $PILLARFILE
 }
 # Add basic host info to the minion file
@@ -195,12 +197,25 @@ function add_host_to_minion() {
 # Add sensoroni specific information - Can we pull node_adrees from the host pillar?
 function add_sensoroni_to_minion() {
- printf '%s\n'\
 "sensoroni:"\
- " node_description: '${NODE_DESCRIPTION//\'/''}'"\
+ " enabled: True"\
+ " config:"\
+ " node_description: '${NODE_DESCRIPTION//\'/''}'"\
 " " >> $PILLARFILE
-}
+}
+
+# Add sensoroni specific information - Can we pull node_adrees from the host pillar?
+function add_sensoroni_with_analyze_to_minion() {
+ printf '%s\n'\
+ "sensoroni:"\
+ " enabled: True"\
+ " config:"\
+ " analyze:"\
+ " enabled: True"\
+ " node_description: '${NODE_DESCRIPTION//\'/''}'"\
+ " " >> $PILLARFILE
+}
 # Sensor settings for the minion pillar
 function add_sensor_to_minion() {
@@ -506,7 +521,12 @@ if [[ "$OPERATION" = 'add' || "$OPERATION" = 'setup' ]]; then
 fi
 create_minion_files
 add_host_to_minion
- add_sensoroni_to_minion
+ managers=("EVAL" "STANDALONE" "IMPORT" "MANAGER" "MANAGERSEARCH")
+ if echo "${managers[@]}" | grep -qw "$NODETYPE"; then
+ add_sensoroni_with_analyze_to_minion
+ else
+ add_sensoroni_to_minion
+ fi
 create$NODETYPE
 echo "Minion file created for $MINION_ID"
 fi
diff --git a/salt/sensoroni/config.sls b/salt/sensoroni/config.sls
new file mode 100644
index 000000000..0024ca962
--- /dev/null
+++ b/salt/sensoroni/config.sls
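Review bot: In the second hunk the `printf '%s\n'\` line is removed from add_sensoroni_to_minion and never re-added, so the function body now begins with the bare word `"sensoroni:"` followed by the other strings as its arguments; bash will fail with "command not found" and nothing is written to $PILLARFILE for non-manager node types. Only the new add_sensoroni_with_analyze_to_minion keeps its printf. Restore the line as the first statement of the body: `printf '%s\n'\` immediately before `"sensoroni:"\`. If the line was deliberately moved somewhere outside this hunk, disregard, but nothing visible suggests that.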
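Review bot: In the third hunk the node-type membership test goes through `echo "${managers[@]}" | grep -qw "$NODETYPE"`, which spawns two processes for a fixed string list and, if NODETYPE is ever empty, matches everything because an empty grep pattern matches every line. A `case` statement expresses the same choice without those edge cases: `case "$NODETYPE" in EVAL|STANDALONE|IMPORT|MANAGER|MANAGERSEARCH) add_sensoroni_with_analyze_to_minion ;; *) add_sensoroni_to_minion ;; esac`. This also removes the need for the `managers` array, which is used only here.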
@@ -0,0 +1,60 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+sensoroniconfdir:
+ file.directory:
+ - name: /opt/so/conf/sensoroni
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+sensoroniagentconf:
+ file.managed:
+ - name: /opt/so/conf/sensoroni/sensoroni.json
+ - source: salt://sensoroni/files/sensoroni.json
+ - user: 939
+ - group: 939
+ - mode: 600
+ - template: jinja
+
+analyzersdir:
+ file.directory:
+ - name: /opt/so/conf/sensoroni/analyzers
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+sensoronilog:
+ file.directory:
+ - name: /opt/so/log/sensoroni
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+analyzerscripts:
+ file.recurse:
+ - name: /opt/so/conf/sensoroni/analyzers
+ - user: 939
+ - group: 939
+ - file_mode: 755
+ - template: jinja
+ - source: salt://sensoroni/files/analyzers
+
+sensoroni_sbin:
+ file.recurse:
+ - name: /usr/sbin
+ - source: salt://sensoroni/tools/sbin
+ - user: 939
+ - group: 939
+ - file_mode: 755
+
+#sensoroni_sbin_jinja:
+# file.recurse:
+# - name: /usr/sbin
+# - source: salt://sensoroni/tools/sbin_jinja
+# - user: 939
+# - group: 939
+# - file_mode: 755
+# - template: jinja
diff --git a/salt/sensoroni/defaults.yaml b/salt/sensoroni/defaults.yaml
new file mode 100644
index 000000000..96e4e9abb
--- /dev/null
+++ b/salt/sensoroni/defaults.yaml
@@ -0,0 +1,11 @@
+sensoroni:
+ enabled: False
+ config:
+ analyze:
+ enabled: False
+ analyze_timeout_ms: 900000
+ analyze_parallel_limit: 5
+ node_checkin_interval_ms: 10000
+ node_description:
+ sensoronikey:
+ soc_host:
diff --git a/salt/sensoroni/disabled.sls b/salt/sensoroni/disabled.sls
new file mode 100644
index 000000000..ff4f4a49b
--- /dev/null
+++ b/salt/sensoroni/disabled.sls
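Review bot: The `sensoroni_sbin` state recurses into `/usr/sbin` with `user: 939`, `group: 939` and `file_mode: 755`, which leaves executables in a root-owned system directory owned by the unprivileged service uid; that account (or anything that compromises the container running as it) can then rewrite tools that root may execute. These lines are moved from init.sls rather than written fresh, but since the file is new this is the moment to set `- user: root` and `- group: root` on `sensoroni_sbin`, keeping uid 939 only for the conf and log directories the agent must write to. The commented-out `sensoroni_sbin_jinja` block is carried over as dead configuration and could be dropped.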
@@ -0,0 +1,16 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+include:
+ - sensoroni.sostatus
+
+so-sensoroni:
+ docker_container.absent:
+ - force: True
+
+so-zeek_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-sensoroni$
diff --git a/salt/sensoroni/enabled.sls b/salt/sensoroni/enabled.sls
new file mode 100644
index 000000000..9dbdf3eba
--- /dev/null
+++ b/salt/sensoroni/enabled.sls
@@ -0,0 +1,32 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+ - sensoroni.config
+ - sensoroni.sostatus
+
+so-sensoroni:
+ docker_container.running:
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
+ - network_mode: host
+ - binds:
+ - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+ - /nsm/pcap:/nsm/pcap:rw
+ - /nsm/import:/nsm/import:rw
+ - /nsm/pcapout:/nsm/pcapout:rw
+ - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
+ - /opt/so/conf/sensoroni/analyzers:/opt/sensoroni/analyzers:rw
+ - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
+ - watch:
+ - file: /opt/so/conf/sensoroni/sensoroni.json
+ - require:
+ - file: sensoroniagentconf
+
+delete_so-zeek_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-sensoroni$
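Review bot: The state ID `so-zeek_so-status.disabled` in disabled.sls names zeek while acting on the `so-sensoroni` entry, and the same copy-over appears as `delete_so-zeek_so-status.disabled` in enabled.sls and `append_so-zeek_so-status.conf` in sostatus.sls. Beyond being misleading, Salt requires state IDs to be unique across a highstate, so if the zeek states these were copied from still declare the same IDs and are applied in the same run, rendering fails with a duplicate-ID error; I cannot see the zeek states here, so treat that as something to verify. Rename them to `so-sensoroni_so-status.disabled`, `delete_so-sensoroni_so-status.disabled` and `append_so-sensoroni_so-status.conf`.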
diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json
index 4b545f5e0..05bb63171 100644
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
@@ -1,43 +1,29 @@
-{%- from 'vars/globals.map.jinja' import GLOBALS -%}
-{%- set ANALYZE_TIMEOUT_MS = salt['pillar.get']('sensoroni:analyze_timeout_ms', 900000) %}
-{%- set ANALYZE_PARALLEL_LIMIT = salt['pillar.get']('sensoroni:analyze_parallel_limit', 5) %}
-{%- set CHECKININTERVALMS = salt['pillar.get']('sensoroni:node_checkin_interval_ms', 10000) %}
-{%- set ROLE = grains.id.split('_') | last %}
-{%- if ROLE in ['eval', 'standalone', 'sensor', 'heavynode'] %}
-{%- set STENODEFAULT = True %}
-{%- else %}
-{%- set STENODEFAULT = False %}
-{%- endif %}
-{%- set STENOENABLED = salt['pillar.get']('steno:enabled', STENODEFAULT) %}
-{%- if ROLE in ['eval', 'standalone', 'import', 'manager', 'managersearch'] %}
-{%- set ANALYZEDEFAULT = True %}
-{%- else %}
-{%- set ANALYZEDEFAULT = False %}
-{%- endif %}
-{%- set ANALYZEENABLED = salt['pillar.get']('sensoroni:analyze_enabled', ANALYZEDEFAULT) %}
+{%- from 'vars/globals.map.jinja' import GLOBALS %}
+{%- from 'sensoroni/map.jinja' import SENSORONIMERGED %}
+{%- from 'pcap/config.map.jinja' import PCAPMERGED %}
 {
 "logFilename": "/opt/sensoroni/logs/sensoroni.log",
 "logLevel":"info",
 "agent": {
 "nodeId": "{{ GLOBALS.hostname | lower }}",
 "role": "{{ GLOBALS.role }}",
- "description": {{ GLOBALS.description | tojson }},
+ "description": {{ SENSORONIMERGED.config.node_description | tojson }},
 "address": "{{ GLOBALS.node_ip }}",
 "model": "{{ GLOBALS.so_model }}",
- "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }},
+ "pollIntervalMs": {{ SENSORONIMERGED.config.node_checkin_interval_ms }},
 "serverUrl": "https://{{ GLOBALS.url_base }}/sensoroniagents",
 "verifyCert": false,
 "modules": {
-{%- if ANALYZEENABLED %}
+{%- if SENSORONIMERGED.config.analyze.enabled %}
 "analyze": {
- "timeoutMs": {{ ANALYZE_TIMEOUT_MS }},
- "parallelLimit": {{ ANALYZE_PARALLEL_LIMIT }}
+ "timeoutMs": {{ SENSORONIMERGED.config.analyze_timeout_ms }},
+ "parallelLimit": {{ SENSORONIMERGED.config.analyze_parallel_limit }}
 },
 {%-
endif %}
 "importer": {},
 "statickeyauth": {
 "apiKey": "{{ GLOBALS.sensoroni_key }}"
-{%- if STENOENABLED %}
+{%- if PCAPMERGED.enabled %}
 },
 "stenoquery": {
 "executablePath": "/opt/sensoroni/scripts/stenoquery.sh",
diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls
index df6b99948..98d13ca15 100644
--- a/salt/sensoroni/init.sls
+++ b/salt/sensoroni/init.sls
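Review bot: The new `"description": {{ SENSORONIMERGED.config.node_description | tojson }}` renders `null` when the pillar sets no description, because defaults.yaml leaves `node_description:` empty, whereas the removed `GLOBALS.description` defaulted to `''` and produced `""`; whether the agent accepts a null description is not visible here, so either keep the old contract with `{{ (SENSORONIMERGED.config.node_description or '') | tojson }}` or confirm the agent tolerates null. The same loss of a fallback applies to `"pollIntervalMs": {{ SENSORONIMERGED.config.node_checkin_interval_ms }}`: the old line fell back to 10000 on an empty value, while an empty pillar override now renders `None` and breaks the JSON, so `{{ SENSORONIMERGED.config.node_checkin_interval_ms or 10000 }}` keeps the previous behaviour. The enclosing JSON object continues past the end of this hunk.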
@@ -1,79 +1,13 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-sensoroniconfdir:
- file.directory:
- - name: /opt/so/conf/sensoroni
- - user: 939
- - group: 939
- - makedirs: True
+{% from 'sensoroni/map.jinja' import SENSORONIMERGED %}
-sensoroniagentconf:
- file.managed:
- - name: /opt/so/conf/sensoroni/sensoroni.json
- - source: salt://sensoroni/files/sensoroni.json
- - user: 939
- - group: 939
- - mode: 600
- - template: jinja
-
-analyzersdir:
- file.directory:
- - name: /opt/so/conf/sensoroni/analyzers
- - user: 939
- - group: 939
- - makedirs: True
-
-sensoronilog:
- file.directory:
- - name: /opt/so/log/sensoroni
- - user: 939
- - group: 939
- - makedirs: True
-
-analyzerscripts:
- file.recurse:
- - name: /opt/so/conf/sensoroni/analyzers
- - user: 939
- - group: 939
- - file_mode: 755
- - template: jinja
- - source: salt://sensoroni/files/analyzers
-
-sensoroni_sbin:
- file.recurse:
- - name: /usr/sbin
- - source: salt://sensoroni/tools/sbin
- - user: 939
- - group: 939
- - file_mode: 755
-
-#sensoroni_sbin_jinja:
-# file.recurse:
-# - name: /usr/sbin
-# - source: salt://sensoroni/tools/sbin_jinja
-# - user: 939
-# - group: 939
-# - file_mode: 755
-# - template: jinja
-
-so-sensoroni:
- docker_container.running:
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
- - network_mode: host
- - binds:
- - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
- - /nsm/pcap:/nsm/pcap:rw
- - /nsm/import:/nsm/import:rw
- - /nsm/pcapout:/nsm/pcapout:rw
- - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
- - /opt/so/conf/sensoroni/analyzers:/opt/sensoroni/analyzers:rw
- -
/opt/so/log/sensoroni:/opt/sensoroni/logs:rw
- - watch:
- - file: /opt/so/conf/sensoroni/sensoroni.json
- - require:
- - file: sensoroniagentconf
-
-append_so-sensoroni_so-status.conf:
- file.append:
- - name: /opt/so/conf/so-status/so-status.conf
- - text: so-sensoroni
+include:
+{% if SENSORONIMERGED.enabled %}
+ - sensoroni.enabled
+{% else %}
+ - sensoroni.disabled
+{% endif %}
diff --git a/salt/sensoroni/map.jinja b/salt/sensoroni/map.jinja
new file mode 100644
index 000000000..228daa910
--- /dev/null
+++ b/salt/sensoroni/map.jinja
@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+ https://securityonion.net/license; you may not use this file except in compliance with the
+ Elastic License 2.0. #}
+
+{% import_yaml 'sensoroni/defaults.yaml' as SENSORONIDEFAULTS %}
+{% set SENSORONIMERGED = salt['pillar.get']('sensoroni', SENSORONIDEFAULTS.sensoroni, merge=True) %}
diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml
index 6f6a75452..af6760f07 100644
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
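Review bot: The `{% if SENSORONIMERGED.enabled %}` switch in init.sls, combined with `enabled: False` in defaults.yaml and the `pillar.get(..., merge=True)` in map.jinja, sends every minion whose pillar does not explicitly set `sensoroni: enabled: True` to `sensoroni.disabled`, which force-removes the container. so-minion only writes that key for minions created after this change, so existing nodes whose pillar still holds the flat `sensoroni: node_description:` layout would lose the agent on their next highstate unless a pillar migration exists elsewhere in this commit; I cannot see one in the hunks shown. Either ship that migration alongside this change, or default `enabled` to `True` in defaults.yaml and let the disable path be an explicit opt-out.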
@@ -1,19 +1,37 @@
 sensoroni:
- node_checkin_interval_ms:
- description: Interval in ms to checkin to the soc_host.
+ enabled:
+ description: Enable or disable Sensoroni.
 advanced: True
 helpLink: sensoroni.html
- node_description:
- description: Description of the specific node.
- helpLink: sensoroni.html
- sensoronikey:
- description: Shared key for sensoroni authentication.
- helpLink: sensoroni.html
- global: True
- sensitive: True
- advanced: True
- soc_host:
- description: Host for sensoroni agents to connect to.
- helpLink: sensoroni.html
- global: True
- advanced: True
\ No newline at end of file
+ config:
+ analyze:
+ enabled:
+ description: Enable or disable the analyzer.
+ advanced: True
+ helpLink: sensoroni.html
+ analyze_timeout_ms:
+ description: Timeout period for the analyzer.
+ advanced: True
+ helpLink: sensoroni.html
+ analyze_parallel_limit:
+ description: Parallel limit for the analyzer.
+ advanced: True
+ helpLink: sensoroni.html
+ node_checkin_interval_ms:
+ description: Interval in ms to checkin to the soc_host.
+ advanced: True
+ helpLink: sensoroni.html
+ node_description:
+ description: Description of the specific node.
+ helpLink: sensoroni.html
+ sensoronikey:
+ description: Shared key for sensoroni authentication.
+ helpLink: sensoroni.html
+ global: True
+ sensitive: True
+ advanced: True
+ soc_host:
+ description: Host for sensoroni agents to connect to.
+ helpLink: sensoroni.html
+ global: True
+ advanced: True
diff --git a/salt/sensoroni/sostatus.sls b/salt/sensoroni/sostatus.sls
new file mode 100644
index 000000000..97d918e9d
--- /dev/null
+++ b/salt/sensoroni/sostatus.sls
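Review bot: The new `analyze_timeout_ms` and `analyze_parallel_limit` descriptions are shown to operators in the SOC configuration UI but do not say what the numbers mean: "Timeout period for the analyzer." omits the unit that the key name carries, and "Parallel limit for the analyzer." does not say what is limited. Suggested wording: `description: Timeout in milliseconds for a single analyzer run.` and `description: Maximum number of analyzer runs executed in parallel.`, matching the style of the existing `Interval in ms to checkin to the soc_host.` entry.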
@@ -0,0 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+append_so-zeek_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-sensoroni
+ - unless: grep -q so-sensoroni /opt/so/conf/so-status/so-status.conf
diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja
index 578432799..a56fad571 100644
--- a/salt/vars/globals.map.jinja
+++ b/salt/vars/globals.map.jinja
@@ -26,8 +26,7 @@
 'so_docker_range': DOCKER.sorange,
 'url_base': INIT.PILLAR.global.url_base,
 'so_model': INIT.GRAINS.get('sosmodel',''),
- 'description': INIT.PILLAR.sensoroni.get('node_description',''),
- 'sensoroni_key': INIT.PILLAR.sensoroni.sensoronikey,
+ 'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,
 'os': INIT.GRAINS.os,
 'application_urls': {},
 'manager_roles': [
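Review bot: The guard `unless: grep -q so-sensoroni /opt/so/conf/so-status/so-status.conf` is an unanchored substring match, so it is also satisfied by the `#so-sensoroni` line that disabled.sls writes and by any other entry containing that text. That appears deliberate, since enabled.sls relies on `file.uncomment` rather than a second append, but a reader cannot tell, and a stray substring would silently suppress the append. Making the intent explicit keeps both paths working: `- unless: grep -qE '^#?so-sensoroni$' /opt/so/conf/so-status/so-status.conf`, with a one-line comment above it noting that the commented form is matched on purpose.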
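Review bot: `'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey` dereferences the raw pillar with attribute access and no default, so a minion whose pillar still carries the pre-change flat layout (`sensoroni: sensoronikey:`), or no sensoroni pillar at all, fails to render globals.map.jinja, and because GLOBALS is imported by states well beyond sensoroni that turns a missing key into a highstate-wide failure. The removed `description` entry used `.get('node_description','')` and the neighbouring `INIT.GRAINS.get('sosmodel','')` shows the defensive form already in use here; `'sensoroni_key': INIT.PILLAR.get('sensoroni', {}).get('config', {}).get('sensoronikey', '')` keeps rendering alive and lets the sensoroni states fail on their own. Whether any pillar migration covers existing minions is not visible in this diff, so treat the strict lookup as a rollout risk to confirm.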