configure and enable/disable sensoroni via ui

2025-12-06 09:12:45 +01:00 · 2023-05-12 14:26:46 -04:00
parent e342dae818
commit 00d1ca0b62
11 changed files with 216 additions and 123 deletions
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -182,7 +182,9 @@ function add_analyst_to_minion() {
 		"  gui:"\
 		"    enabled: true"\
 		"sensoroni:"\
-		"  node_description: '${NODE_DESCRIPTION//\'/''}'" >> $PILLARFILE
+		"  enabled: True"\
+		"  config:"\		
+		"    node_description: '${NODE_DESCRIPTION//\'/''}'" >> $PILLARFILE
 }

 # Add basic host info to the minion file
@@ -195,10 +197,23 @@ function add_host_to_minion() {

 # Add sensoroni specific information - Can we pull node_adrees from the host pillar?
 function add_sensoroni_to_minion() {
-
 	printf '%s\n'\
    "sensoroni:"\
-	"  node_description: '${NODE_DESCRIPTION//\'/''}'"\
+	"  enabled: True"\
+	"  config:"\
+	"    node_description: '${NODE_DESCRIPTION//\'/''}'"\
+    "  " >> $PILLARFILE
+}
+
+# Add sensoroni specific information - Can we pull node_adrees from the host pillar?
+function add_sensoroni_with_analyze_to_minion() {
+	printf '%s\n'\
+    "sensoroni:"\
+	"  enabled: True"\
+	"  config:"\
+    "    analyze:"\
+    "      enabled: True"\
+	"    node_description: '${NODE_DESCRIPTION//\'/''}'"\
    "  " >> $PILLARFILE
 }

@@ -506,7 +521,12 @@ if [[ "$OPERATION" = 'add' || "$OPERATION" = 'setup' ]]; then
 	fi
 	create_minion_files
 	add_host_to_minion
-	add_sensoroni_to_minion
+	managers=("EVAL" "STANDALONE" "IMPORT" "MANAGER" "MANAGERSEARCH")
+	if echo "${managers[@]}" | grep -qw "$NODETYPE"; then
+		add_sensoroni_with_analyze_to_minion
+	else
+		add_sensoroni_to_minion
+	fi
 	create$NODETYPE
 	echo "Minion file created for $MINION_ID"	
 fi
--- a/salt/sensoroni/config.sls
+++ b/salt/sensoroni/config.sls
@@ -0,0 +1,60 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+sensoroniconfdir:
+  file.directory:
+    - name: /opt/so/conf/sensoroni
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+sensoroniagentconf:
+  file.managed:
+    - name: /opt/so/conf/sensoroni/sensoroni.json
+    - source: salt://sensoroni/files/sensoroni.json
+    - user: 939
+    - group: 939
+    - mode: 600
+    - template: jinja
+
+analyzersdir:
+  file.directory:
+    - name: /opt/so/conf/sensoroni/analyzers
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+sensoronilog:
+  file.directory:
+    - name: /opt/so/log/sensoroni
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+analyzerscripts:
+  file.recurse:
+    - name: /opt/so/conf/sensoroni/analyzers
+    - user: 939
+    - group: 939
+    - file_mode: 755
+    - template: jinja
+    - source: salt://sensoroni/files/analyzers
+
+sensoroni_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://sensoroni/tools/sbin
+    - user: 939
+    - group: 939
+    - file_mode: 755
+
+#sensoroni_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://sensoroni/tools/sbin_jinja
+#    - user: 939
+#    - group: 939 
+#    - file_mode: 755
+#    - template: jinja
--- a/salt/sensoroni/defaults.yaml
+++ b/salt/sensoroni/defaults.yaml
@@ -0,0 +1,11 @@
+sensoroni:
+  enabled: False
+  config:
+    analyze:
+      enabled: False
+      analyze_timeout_ms: 900000
+      analyze_parallel_limit: 5
+    node_checkin_interval_ms: 10000
+    node_description:
+    sensoronikey:
+    soc_host:
--- a/salt/sensoroni/disabled.sls
+++ b/salt/sensoroni/disabled.sls
@@ -0,0 +1,16 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+include:
+  - sensoroni.sostatus
+  
+so-sensoroni:
+  docker_container.absent:
+    - force: True
+
+so-zeek_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-sensoroni$
--- a/salt/sensoroni/enabled.sls
+++ b/salt/sensoroni/enabled.sls
@@ -0,0 +1,32 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+  - sensoroni.config
+  - sensoroni.sostatus
+
+so-sensoroni:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
+    - network_mode: host
+    - binds:
+      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+      - /nsm/pcap:/nsm/pcap:rw
+      - /nsm/import:/nsm/import:rw
+      - /nsm/pcapout:/nsm/pcapout:rw
+      - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
+      - /opt/so/conf/sensoroni/analyzers:/opt/sensoroni/analyzers:rw
+      - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
+    - watch:
+      - file: /opt/so/conf/sensoroni/sensoroni.json
+    - require:
+      - file: sensoroniagentconf
+
+delete_so-zeek_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-sensoroni$
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
@@ -1,43 +1,29 @@
-{%- from 'vars/globals.map.jinja' import GLOBALS -%}
-{%- set ANALYZE_TIMEOUT_MS = salt['pillar.get']('sensoroni:analyze_timeout_ms', 900000) %}
-{%- set ANALYZE_PARALLEL_LIMIT = salt['pillar.get']('sensoroni:analyze_parallel_limit', 5) %}
-{%- set CHECKININTERVALMS = salt['pillar.get']('sensoroni:node_checkin_interval_ms', 10000) %}
-{%- set ROLE = grains.id.split('_') | last %}
-{%- if ROLE in ['eval', 'standalone', 'sensor', 'heavynode'] %}
-{%-   set STENODEFAULT = True %}
-{%- else %}
-{%-   set STENODEFAULT = False %}
-{%- endif %}
-{%- set STENOENABLED = salt['pillar.get']('steno:enabled', STENODEFAULT) %}
-{%- if ROLE in ['eval', 'standalone', 'import', 'manager', 'managersearch'] %}
-{%-   set ANALYZEDEFAULT = True %}
-{%- else %}
-{%-   set ANALYZEDEFAULT = False %}
-{%- endif %}
-{%- set ANALYZEENABLED = salt['pillar.get']('sensoroni:analyze_enabled', ANALYZEDEFAULT) %}
+{%- from 'vars/globals.map.jinja' import GLOBALS %}
+{%- from 'sensoroni/map.jinja' import SENSORONIMERGED %}
+{%- from 'pcap/config.map.jinja' import PCAPMERGED %}
 {
  "logFilename": "/opt/sensoroni/logs/sensoroni.log",
  "logLevel":"info",
  "agent": {
    "nodeId": "{{ GLOBALS.hostname | lower }}",
    "role": "{{ GLOBALS.role }}",
-    "description": {{ GLOBALS.description | tojson }},
+    "description": {{ SENSORONIMERGED.config.node_description | tojson }},
    "address": "{{ GLOBALS.node_ip }}",
    "model": "{{ GLOBALS.so_model }}",
-    "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }},
+    "pollIntervalMs": {{ SENSORONIMERGED.config.node_checkin_interval_ms }},
    "serverUrl": "https://{{ GLOBALS.url_base }}/sensoroniagents",
    "verifyCert": false,
    "modules": {
-{%- if ANALYZEENABLED %} 
+{%- if SENSORONIMERGED.config.analyze.enabled %} 
      "analyze": {
-        "timeoutMs": {{ ANALYZE_TIMEOUT_MS }},
-        "parallelLimit": {{ ANALYZE_PARALLEL_LIMIT }}
+        "timeoutMs": {{ SENSORONIMERGED.config.analyze_timeout_ms }},
+        "parallelLimit": {{ SENSORONIMERGED.config.analyze_parallel_limit }}
      },
 {%- endif %}
      "importer": {},
      "statickeyauth": {
        "apiKey": "{{ GLOBALS.sensoroni_key }}"
-{%- if STENOENABLED %} 
+{%- if PCAPMERGED.enabled %} 
      },     
      "stenoquery": {
        "executablePath": "/opt/sensoroni/scripts/stenoquery.sh",
--- a/salt/sensoroni/init.sls
+++ b/salt/sensoroni/init.sls
@@ -1,79 +1,13 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.

-sensoroniconfdir:
-  file.directory:
-    - name: /opt/so/conf/sensoroni
-    - user: 939
-    - group: 939
-    - makedirs: True
+{% from 'sensoroni/map.jinja' import SENSORONIMERGED %}

-sensoroniagentconf:
-  file.managed:
-    - name: /opt/so/conf/sensoroni/sensoroni.json
-    - source: salt://sensoroni/files/sensoroni.json
-    - user: 939
-    - group: 939
-    - mode: 600
-    - template: jinja
-
-analyzersdir:
-  file.directory:
-    - name: /opt/so/conf/sensoroni/analyzers
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-sensoronilog:
-  file.directory:
-    - name: /opt/so/log/sensoroni
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-analyzerscripts:
-  file.recurse:
-    - name: /opt/so/conf/sensoroni/analyzers
-    - user: 939
-    - group: 939
-    - file_mode: 755
-    - template: jinja
-    - source: salt://sensoroni/files/analyzers
-
-sensoroni_sbin:
-  file.recurse:
-    - name: /usr/sbin
-    - source: salt://sensoroni/tools/sbin
-    - user: 939
-    - group: 939
-    - file_mode: 755
-
-#sensoroni_sbin_jinja:
-#  file.recurse:
-#    - name: /usr/sbin
-#    - source: salt://sensoroni/tools/sbin_jinja
-#    - user: 939
-#    - group: 939 
-#    - file_mode: 755
-#    - template: jinja
-
-so-sensoroni:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
-    - network_mode: host
-    - binds:
-      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
-      - /nsm/pcap:/nsm/pcap:rw
-      - /nsm/import:/nsm/import:rw
-      - /nsm/pcapout:/nsm/pcapout:rw
-      - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
-      - /opt/so/conf/sensoroni/analyzers:/opt/sensoroni/analyzers:rw
-      - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
-    - watch:
-      - file: /opt/so/conf/sensoroni/sensoroni.json
-    - require:
-      - file: sensoroniagentconf
-
-append_so-sensoroni_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-sensoroni
+include:
+{% if SENSORONIMERGED.enabled %}
+  - sensoroni.enabled
+{% else %}
+  - sensoroni.disabled
+{% endif %}
--- a/salt/sensoroni/map.jinja
+++ b/salt/sensoroni/map.jinja
@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
+{% import_yaml 'sensoroni/defaults.yaml' as SENSORONIDEFAULTS %}
+{% set SENSORONIMERGED = salt['pillar.get']('sensoroni', SENSORONIDEFAULTS.sensoroni, merge=True) %}
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
@@ -1,19 +1,37 @@
 sensoroni:
-  node_checkin_interval_ms:
-    description: Interval in ms to checkin to the soc_host.
+  enabled:
+    description: Enable or disable Sensoroni.
    advanced: True
    helpLink: sensoroni.html
-  node_description:
-    description: Description of the specific node.
-    helpLink: sensoroni.html
-  sensoronikey:
-    description: Shared key for sensoroni authentication.
-    helpLink: sensoroni.html
-    global: True
-    sensitive: True
-    advanced: True
-  soc_host:
-    description: Host for sensoroni agents to connect to.
-    helpLink: sensoroni.html
-    global: True
-    advanced: True
+  config:
+    analyze:
+      enabled:
+        description: Enable or disable the analyzer.
+        advanced: True
+        helpLink: sensoroni.html
+      analyze_timeout_ms:
+        description: Timeout period for the analyzer.
+        advanced: True
+        helpLink: sensoroni.html
+      analyze_parallel_limit:
+        description: Parallel limit for the analyzer.
+        advanced: True
+        helpLink: sensoroni.html
+    node_checkin_interval_ms:
+      description: Interval in ms to checkin to the soc_host.
+      advanced: True
+      helpLink: sensoroni.html
+    node_description:
+      description: Description of the specific node.
+      helpLink: sensoroni.html
+    sensoronikey:
+      description: Shared key for sensoroni authentication.
+      helpLink: sensoroni.html
+      global: True
+      sensitive: True
+      advanced: True
+    soc_host:
+      description: Host for sensoroni agents to connect to.
+      helpLink: sensoroni.html
+      global: True
+      advanced: True
--- a/salt/sensoroni/sostatus.sls
+++ b/salt/sensoroni/sostatus.sls
@@ -0,0 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+append_so-zeek_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-sensoroni
+    - unless: grep -q so-sensoroni /opt/so/conf/so-status/so-status.conf
--- a/salt/vars/globals.map.jinja
+++ b/salt/vars/globals.map.jinja
@@ -26,8 +26,7 @@
    'so_docker_range': DOCKER.sorange,
    'url_base': INIT.PILLAR.global.url_base,
    'so_model': INIT.GRAINS.get('sosmodel',''),
-    'description': INIT.PILLAR.sensoroni.get('node_description',''),
-    'sensoroni_key': INIT.PILLAR.sensoroni.sensoronikey,
+    'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,
    'os': INIT.GRAINS.os,
    'application_urls': {},
    'manager_roles': [