diff --git a/salt/hive/init.sls b/salt/hive/init.sls
index fd3e6b861..dcefe2e50 100644
--- a/salt/hive/init.sls
+++ b/salt/hive/init.sls
@@ -17,6 +17,8 @@ so-thehive-es:
 - /nsm/hive/esdata:/usr/share/elasticsearch/data:rw
 - environment:
 - http.host=0.0.0.0
+ - http.port=9400
+ - transport.tcp.port=9500
 - transport.host=0.0.0.0
 - xpack.security.enabled=false
 - cluster.name=hive
@@ -39,6 +41,12 @@ hiveconfdir:
 - name: /opt/so/conf/hive/etc
 - makedirs: True
 
+hiveconf:
+ file.manage:
+ - name: /opt/so/conf/hive/etc/application.conf
+ - source: salt://hive/thehive/etc/application.conf
+ - template: jinja
+
 so-thehive:
 docker_container_running:
 - image: thehiveproject/thehive:latest
diff --git a/salt/hive/thehive/etc/application.conf b/salt/hive/thehive/etc/application.conf
new file mode 100644
index 000000000..5a0a96b9b
--- /dev/null
+++ b/salt/hive/thehive/etc/application.conf
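Review bot: The added `transport.tcp.port=9500` is the port the new application.conf dials by master IP (`host = ["{{ MASTERIP }}:9500"]`), while the surrounding context lines keep `transport.host=0.0.0.0` and `xpack.security.enabled=false`, so anything that can reach the master on 9500 gets unauthenticated access to the hive cluster. This hunk does not show how the container's ports are published or filtered, so the exposure may already be limited elsewhere; a comment above the two new lines stating why non-default ports were chosen and where access to them is restricted would make that explicit, e.g. `# hive ES on 9400/9500 (presumably to avoid the main ES node); reachable only from <allowed network - placeholder>`. The so-thehive-es state continues outside the hunk.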
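Review bot: `file.manage` is not a Salt state function; the file state module provides `file.managed`, so the new `hiveconf` state will fail at highstate with a state-not-found error until the line is changed to `file.managed:`. Because the rendered file carries `play.http.secret.key`, the state should also pin permissions rather than inherit the default umask, e.g. `- mode: 600` together with `- user`/`- group` matching the account the container runs the file as. The `hiveconf` state is complete within the hunk; `so-thehive` continues outside it.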
@@ -0,0 +1,210 @@
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+
+# Secret Key
+# The secret key is used to secure cryptographic functions.
+# WARNING: If you deploy your application on several servers, make sure to use the same key.
+play.http.secret.key="letsdewdis"
+
+# Elasticsearch
+search {
+ ## Basic configuration
+ # Index name.
+ index = the_hive
+ # ElasticSearch cluster name.
+ cluster = hive
+ # ElasticSearch instance address.
+ host = ["{{ MASTERIP }}:9500"]
+
+ ## Advanced configuration
+ # Scroll keepalive.
+ #keepalive = 1m
+ # Scroll page size.
+ #pagesize = 50
+ # Number of shards
+ #nbshards = 5
+ # Number of replicas
+ #nbreplicas = 1
+ # Arbitrary settings
+ #settings {
+ # # Maximum number of nested fields
+ # mapping.nested_fields.limit = 100
+ #}
+
+ ### XPack SSL configuration
+ # Username for XPack authentication
+ #search.username = ""
+ # Password for XPack authentication
+ #search.password = ""
+ # Enable SSL to connect to ElasticSearch
+ search.ssl.enabled = false
+ # Path to certificate authority file
+ #search.ssl.ca = ""
+ # Path to certificate file
+ #search.ssl.certificate = ""
+ # Path to key file
+ #search.ssl.key = ""
+
+ ### SearchGuard configuration
+ # Path to JKS file containing client certificate
+ #search.guard.keyStore.path = ""
+ # Password of the keystore
+ #search.guard.keyStore.password = ""
+ # Path to JKS file containing certificate authorities
+ #search.guard.trustStore.path = ""
+ ## Password of the truststore
+ #search.guard.trustStore.password = ""
+ # Enforce hostname verification
+ #search.guard.hostVerification = false
+ # If hostname verification is enabled specify if hostname should be resolved
+ #search.guard.hostVerificationResolveHostname = false
+}
+
+# Authentication
+auth {
+ # "provider" parameter contains authentication provider. It can be multi-valued (useful for migration)
+ # available auth types are:
+ # services.LocalAuthSrv : passwords are stored in user entity (in Elasticsearch). No configuration is required.
+ # ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
+ # ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key
+ provider = [local]
+
+ # By default, basic authentication is disabled. You can enable it by setting "method.basic" to true.
+ #method.basic = true
+
+
+ ad {
+ # The Windows domain name in DNS format. This parameter is required if you do not use
+ # 'serverNames' below.
+ #domainFQDN = "mydomain.local"
+
+ # Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN
+ # above. If this parameter is not set, TheHive uses 'domainFQDN'.
+ #serverNames = [ad1.mydomain.local, ad2.mydomain.local]
+
+ # The Windows domain name using short format. This parameter is required.
+ #domainName = "MYDOMAIN"
+
+ # If 'true', use SSL to connect to the domain controller.
+ #useSSL = true
+ }
+
+ ldap {
+ # The LDAP server name or address. The port can be specified using the 'host:port'
+ # syntax. This parameter is required if you don't use 'serverNames' below.
+ #serverName = "ldap.mydomain.local:389"
+
+ # If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead.
+ #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local]
+
+ # Account to use to bind to the LDAP server. This parameter is required.
+ #bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local"
+
+ # Password of the binding account. This parameter is required.
+ #bindPW = "***secret*password***"
+
+ # Base DN to search users. This parameter is required.
+ #baseDN = "ou=users,dc=mydomain,dc=local"
+
+ # Filter to search user in the directory server. Please note that {0} is replaced
+ # by the actual user name. This parameter is required.
+ #filter = "(cn={0})"
+
+ # If 'true', use SSL to connect to the LDAP directory server.
+ #useSSL = true
+ }
+}
+
+# Maximum time between two requests without requesting authentication
+session {
+ warning = 5m
+ inactivity = 1h
+}
+
+# Max textual content length
+play.http.parser.maxMemoryBuffer= 1M
+# Max file size
+play.http.parser.maxDiskBuffer = 1G
+
+# Cortex
+# TheHive can connect to one or multiple Cortex instances. Give each
+# Cortex instance a name and specify the associated URL.
+#
+# In order to use Cortex, first you need to enable the Cortex module by uncommenting the next line
+
+#play.modules.enabled += connectors.cortex.CortexConnector
+
+cortex {
+ #"CORTEX-SERVER-ID" {
+ # url = ""
+ # key = ""
+ # # HTTP client configuration (SSL and proxy)
+ # ws {}
+ #}
+}
+
+# MISP
+# TheHive can connect to one or multiple MISP instances. Give each MISP
+# instance a name and specify the associated Authkey that must be used
+# to poll events, the case template that should be used by default when
+# importing events as well as the tags that must be added to cases upon
+# import.
+
+# Prior to configuring the integration with a MISP instance, you must
+# enable the MISP connector. This will allow you to import events to
+# and/or export cases to the MISP instance(s).
+
+#play.modules.enabled += connectors.misp.MispConnector
+
+misp {
+ # Interval between consecutive MISP event imports in hours (h) or
+ # minutes (m).
+ interval = 1h
+
+ #"MISP-SERVER-ID" {
+ # # MISP connection configuration requires at least an url and a key. The key must
+ # # be linked with a sync account on MISP.
+ # url = ""
+ # key = ""
+ #
+ # # Name of the case template in TheHive that shall be used to import
+ # # MISP events as cases by default.
+ # caseTemplate = ""
+ #
+ # # Optional tags to add to each observable imported from an event
+ # # available on this instance.
+ # tags = ["misp-server-id"]
+ #
+ # ## MISP event filters
+ # # MISP filters is used to exclude events from the import.
+ # # Filter criteria are:
+ # # The number of attribute
+ # max-attributes = 1000
+ # # The size of its JSON representation
+ # max-size = 1 MiB
+ # # The age of the last publish date
+ # max-age = 7 days
+ # # Organization and tags
+ # exclusion {
+ # organisation = ["bad organisation", "other organisations"]
+ # tags = ["tag1", "tag2"]
+ # }
+ #
+ # ## HTTP client configuration (SSL and proxy)
+ # # Truststore to use to validate the X.509 certificate of the MISP
+ # # instance if the default truststore is not sufficient.
+ # # Proxy can also be used
+ # ws {
+ # ssl.trustManager.stores = [ {
+ # path = /path/to/truststore.jks
+ # } ]
+ # proxy {
+ # host = proxy.mydomain.org
+ # port = 3128
+ # }
+ # }
+ #
+ # # MISP purpose defines if this instance can be used to import events (ImportOnly), export cases (ExportOnly) or both (ImportAndExport)
+ # # Default is ImportAndExport
+ # purpose = ImportAndExport
+ #} ## <-- Uncomment to complete the configuration
+}
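Review bot: `play.http.secret.key="letsdewdis"` near the top of the new file is a fixed secret committed to the repository and identical on every deployment rendered from this template, even though the comment directly above it says the key secures the application's cryptographic functions. The template already pulls `MASTERIP` from pillar, so the key can be sourced the same way, e.g. `play.http.secret.key = "{{ salt['pillar.get']('<pillar path for the TheHive secret key - placeholder>') }}"`, with a value generated once per deployment and kept out of the repo. Note that `pillar.get` returns an empty default rather than failing when the key is absent, so the deployment tooling should ensure the pillar value is populated before this state runs.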