The Hive Module - Config Update

2025-12-16 22:12:48 +01:00 · 2019-03-08 12:44:17 -05:00
parent fa2331d9b6
commit 01ac51f2e4
2 changed files with 218 additions and 0 deletions
--- a/salt/hive/init.sls
+++ b/salt/hive/init.sls
@@ -17,6 +17,8 @@ so-thehive-es:
      - /nsm/hive/esdata:/usr/share/elasticsearch/data:rw
    - environment:
      - http.host=0.0.0.0
+      - http.port=9400
+      - transport.tcp.port=9500
      - transport.host=0.0.0.0
      - xpack.security.enabled=false
      - cluster.name=hive
@@ -39,6 +41,12 @@ hiveconfdir:
    - name: /opt/so/conf/hive/etc
    - makedirs: True

+hiveconf:
+  file.manage:
+    - name: /opt/so/conf/hive/etc/application.conf
+    - source: salt://hive/thehive/etc/application.conf
+    - template: jinja
+
 so-thehive:
  docker_container_running:
    - image: thehiveproject/thehive:latest
--- a/salt/hive/thehive/etc/application.conf
+++ b/salt/hive/thehive/etc/application.conf
@@ -0,0 +1,210 @@
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+
+# Secret Key
+# The secret key is used to secure cryptographic functions.
+# WARNING: If you deploy your application on several servers, make sure to use the same key.
+play.http.secret.key="letsdewdis"
+
+# Elasticsearch
+search {
+  ## Basic configuration
+  # Index name.
+  index = the_hive
+  # ElasticSearch cluster name.
+  cluster = hive
+  # ElasticSearch instance address.
+  host = ["{{ MASTERIP }}:9500"]
+
+  ## Advanced configuration
+  # Scroll keepalive.
+  #keepalive = 1m
+  # Scroll page size.
+  #pagesize = 50
+  # Number of shards
+  #nbshards = 5
+  # Number of replicas
+  #nbreplicas = 1
+  # Arbitrary settings
+  #settings {
+  #  # Maximum number of nested fields
+  #  mapping.nested_fields.limit = 100
+  #}
+
+  ### XPack SSL configuration
+  # Username for XPack authentication
+  #search.username = ""
+  # Password for XPack authentication
+  #search.password = ""
+  # Enable SSL to connect to ElasticSearch
+  search.ssl.enabled = false
+  # Path to certificate authority file
+  #search.ssl.ca = ""
+  # Path to certificate file
+  #search.ssl.certificate = ""
+  # Path to key file
+  #search.ssl.key = ""
+
+  ### SearchGuard configuration
+  # Path to JKS file containing client certificate
+  #search.guard.keyStore.path = ""
+  # Password of the keystore
+  #search.guard.keyStore.password = ""
+  # Path to JKS file containing certificate authorities
+  #search.guard.trustStore.path = ""
+  ## Password of the truststore
+  #search.guard.trustStore.password = ""
+  # Enforce hostname verification
+  #search.guard.hostVerification = false
+  # If hostname verification is enabled specify if hostname should be resolved
+  #search.guard.hostVerificationResolveHostname = false
+}
+
+# Authentication
+auth {
+	# "provider" parameter contains authentication provider. It can be multi-valued (useful for migration)
+	# available auth types are:
+	# services.LocalAuthSrv : passwords are stored in user entity (in Elasticsearch). No configuration is required.
+	# ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
+	# ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key
+	provider = [local]
+
+  # By default, basic authentication is disabled. You can enable it by setting "method.basic" to true.
+  #method.basic = true
+
+
+	ad {
+		# The Windows domain name in DNS format. This parameter is required if you do not use
+		# 'serverNames' below.
+		#domainFQDN = "mydomain.local"
+
+		# Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN
+		# above. If this parameter is not set, TheHive uses 'domainFQDN'.
+        #serverNames = [ad1.mydomain.local, ad2.mydomain.local]
+
+		# The Windows domain name using short format. This parameter is required.
+		#domainName = "MYDOMAIN"
+
+		# If 'true', use SSL to connect to the domain controller.
+		#useSSL = true
+	}
+
+	ldap {
+		# The LDAP server name or address. The port can be specified using the 'host:port'
+		# syntax. This parameter is required if you don't use 'serverNames' below.
+		#serverName = "ldap.mydomain.local:389"
+
+		# If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead.
+        #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local]
+
+		# Account to use to bind to the LDAP server. This parameter is required.
+		#bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local"
+
+		# Password of the binding account. This parameter is required.
+		#bindPW = "***secret*password***"
+
+		# Base DN to search users. This parameter is required.
+		#baseDN = "ou=users,dc=mydomain,dc=local"
+
+		# Filter to search user in the directory server. Please note that {0} is replaced
+		# by the actual user name. This parameter is required.
+		#filter = "(cn={0})"
+
+		# If 'true', use SSL to connect to the LDAP directory server.
+		#useSSL = true
+	}
+}
+
+# Maximum time between two requests without requesting authentication
+session {
+  warning = 5m
+  inactivity = 1h
+}
+
+# Max textual content length
+play.http.parser.maxMemoryBuffer= 1M
+# Max file size
+play.http.parser.maxDiskBuffer = 1G
+
+# Cortex
+# TheHive can connect to one or multiple Cortex instances. Give each
+# Cortex instance a name and specify the associated URL.
+#
+# In order to use Cortex, first you need to enable the Cortex module by uncommenting the next line
+
+#play.modules.enabled += connectors.cortex.CortexConnector
+
+cortex {
+  #"CORTEX-SERVER-ID" {
+  #  url = ""
+  #  key = ""
+  #  # HTTP client configuration (SSL and proxy)
+  #  ws {}
+  #}
+}
+
+# MISP
+# TheHive can connect to one or multiple MISP instances. Give each MISP
+# instance a name and specify the associated Authkey that must  be used
+# to poll events, the case template that should be used by default when
+# importing events as well as the tags that must be added to cases upon
+# import.
+
+# Prior to configuring the integration with a MISP instance, you must
+# enable the MISP connector. This will allow you to import events to
+# and/or export cases to the MISP instance(s).
+
+#play.modules.enabled += connectors.misp.MispConnector
+
+misp {
+  # Interval between consecutive MISP event imports in hours (h) or
+  # minutes (m).
+  interval = 1h
+
+  #"MISP-SERVER-ID" {
+  #  # MISP connection configuration requires at least an url and a key. The key must
+  #  # be linked with a sync account on MISP.
+  #  url = ""
+  #  key = ""
+  #
+  #  # Name of the case template in TheHive that shall be used to import
+  #  # MISP events as cases by default.
+  #  caseTemplate = "<Template_Name_goes_here>"
+  #
+  #  # Optional tags to add to each observable  imported  from  an  event
+  #  # available on this instance.
+  #  tags = ["misp-server-id"]
+  #
+  #  ## MISP event filters
+  #  # MISP filters is used to exclude events from the import.
+  #  # Filter criteria are:
+  #  # The number of attribute
+  #  max-attributes = 1000
+  #  # The size of its JSON representation
+  #  max-size = 1 MiB
+  #  # The age of the last publish date
+  #  max-age = 7 days
+  #  # Organization and tags
+  #  exclusion {
+  #    organisation = ["bad organisation", "other organisations"]
+  #    tags = ["tag1", "tag2"]
+  #  }
+  #
+  #  ## HTTP client configuration (SSL and proxy)
+  #  # Truststore to use to validate the X.509 certificate of the MISP
+  #  # instance if the default truststore is not sufficient.
+  #  # Proxy can also be used
+  #  ws {
+  #    ssl.trustManager.stores = [ {
+  #      path = /path/to/truststore.jks
+  #    } ]
+  #    proxy {
+  #      host = proxy.mydomain.org
+  #      port = 3128
+  #    }
+  #  }
+  #
+  #  # MISP purpose defines if this instance can be used to import events (ImportOnly), export cases (ExportOnly) or both (ImportAndExport)
+  #  # Default is ImportAndExport
+  #  purpose = ImportAndExport
+  #} ## <-- Uncomment to complete the configuration
+}