From 02e1a29f0c650c200dbf650a15a63a92ab4120a1 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 10 May 2023 11:54:21 -0400 Subject: [PATCH] configure redis in ui --- salt/allowed_states.map.jinja | 6 +- salt/manager/tools/sbin/so-minion | 11 ++++ salt/redis/config.sls | 68 ++++++++++++++++++++ salt/redis/defaults.yaml | 1 + salt/redis/disabled.sls | 27 ++++++++ salt/redis/enabled.sls | 62 ++++++++++++++++++ salt/redis/etc/redis.conf.jinja | 6 +- salt/redis/init.sls | 103 ++---------------------------- salt/redis/map.jinja | 7 ++ salt/redis/soc_redis.yaml | 3 + salt/redis/sostatus.sls | 21 ++++++ salt/top.sls | 13 ---- 12 files changed, 209 insertions(+), 119 deletions(-) create mode 100644 salt/redis/config.sls create mode 100644 salt/redis/disabled.sls create mode 100644 salt/redis/enabled.sls create mode 100644 salt/redis/map.jinja create mode 100644 salt/redis/sostatus.sls diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 1165a80f8..882e33576 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -247,15 +247,11 @@ {% do allowed_states.append('playbook') %} {% endif %} - {% if (REDIS !=0) and grains.role in ['so-eval'] %} - {% do allowed_states.append('redis') %} - {% endif %} - {% if grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %} {% do allowed_states.append('logstash') %} {% endif %} - {% if REDIS and grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-receiver'] %} + {% if REDIS and grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-receiver', 'so-eval'] %} {% do allowed_states.append('redis') %} {% endif %} diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index a7fd3a19d..6f28057e1 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion 
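Review bot: The `redis` entry is still appended to `allowed_states` only when `REDIS` is truthy, while the new `redis/disabled.sls` is itself gated on `sls.split('.')[0] in allowed_states`. `REDIS` is set outside this hunk; if it is read from the `redis:enabled` pillar, switching Redis off removes `redis` from `allowed_states`, so `redis.disabled` would render `test.fail_without_changes` instead of `docker_container.absent` and the container would stay running. Since `redis/init.sls` now chooses between the enabled and disabled states, the gate here could depend on role alone, e.g. `{% if grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-receiver', 'so-eval'] %}`.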
@@ -242,6 +242,12 @@ function add_kibana_to_minion() { " " >> $PILLARFILE } +function add_redis_to_minion() { + printf '%s\n'\ + "redis:"\ + " enabled: True"\ + " " >> $PILLARFILE +} function create_fleet_policy() { @@ -300,6 +306,7 @@ function createSTANDALONE() { add_playbook_to_minion add_elastalert_to_minion add_kibana_to_minion + add_redis_to_minion } function createMANAGER() { @@ -308,6 +315,7 @@ function createMANAGER() { add_playbook_to_minion add_elastalert_to_minion add_kibana_to_minion + add_redis_to_minion } function createMANAGERSEARCH() { @@ -316,6 +324,7 @@ function createMANAGERSEARCH() { add_playbook_to_minion add_elastalert_to_minion add_kibana_to_minion + add_redis_to_minion } function createIMPORT() { @@ -340,6 +349,7 @@ function createHEAVYNODE() { add_elasticsearch_to_minion add_logstash_to_minion add_sensor_to_minion + add_redis_to_minion } function createSENSOR() { @@ -355,6 +365,7 @@ function createSEARCHNODE() { function createRECEIVER() { add_logstash_to_minion + add_redis_to_minion } diff --git a/salt/redis/config.sls b/salt/redis/config.sls new file mode 100644 index 000000000..d698040f8 --- /dev/null +++ b/salt/redis/config.sls 
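Review bot: None of the visible hunks adds `add_redis_to_minion` to `createEVAL`, although this commit adds `so-eval` to the Redis role list in `allowed_states.map.jinja` and `defaults.yaml` now ships `enabled: False`. If eval nodes are meant to keep running Redis, their pillar needs the same block, otherwise they would render `redis.disabled`; `createEVAL` lies outside these hunks, so this is worth confirming. Separately, the redirect in `add_redis_to_minion` leaves the target unquoted (the neighbouring `add_kibana_to_minion` has the same pattern); `" " >> "$PILLARFILE"` avoids word splitting and globbing if the path ever contains unusual characters.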
@@ -0,0 +1,68 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} +{% from 'redis/map.jinja' import REDISMERGED %} + +include: + - ssl + +# Redis Setup +redisconfdir: + file.directory: + - name: /opt/so/conf/redis/etc + - user: 939 + - group: 939 + - makedirs: True + +redisworkdir: + file.directory: + - name: /opt/so/conf/redis/working + - user: 939 + - group: 939 + - makedirs: True + +redislogdir: + file.directory: + - name: /opt/so/log/redis + - user: 939 + - group: 939 + - makedirs: True + +redisconf: + file.managed: + - name: /opt/so/conf/redis/etc/redis.conf + - source: salt://redis/etc/redis.conf.jinja + - user: 939 + - group: 939 + - template: jinja + - defaults: + REDISMERGED: {{ REDISMERGED }} + +redis_sbin: + file.recurse: + - name: /usr/sbin + - source: salt://redis/tools/sbin + - user: 939 + - group: 939 + - file_mode: 755 + +redis_sbin_jinja: + file.recurse: + - name: /usr/sbin + - source: salt://redis/tools/sbin_jinja + - user: 939 + - group: 939 + - file_mode: 755 + - template: jinja + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/redis/defaults.yaml b/salt/redis/defaults.yaml index ede78ad6b..913ebe7a0 100644 --- a/salt/redis/defaults.yaml +++ b/salt/redis/defaults.yaml @@ -1,4 +1,5 @@ redis: + enabled: False config: bind: '0.0.0.0' protected-mode: 'yes' diff --git a/salt/redis/disabled.sls b/salt/redis/disabled.sls new file mode 100644 index 000000000..09cb9f1fd --- /dev/null +++ b/salt/redis/disabled.sls 
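Review bot: `redis_sbin` and `redis_sbin_jinja` install scripts into `/usr/sbin` owned by uid/gid 939 with `file_mode: 755`, so whatever account holds uid 939 on the host can rewrite tools that an administrator later runs as root. Which account 939 maps to is not shown in this hunk, but files on root's PATH are normally root-owned regardless. Suggest `- user: root` and `- group: root` on both `file.recurse` states; mode 755 still lets every user execute them.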
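Review bot: `enabled: False` flips the fallback. The `top.sls` line removed in this commit read `redis:enabled` with a default of `True`, so a minion pillar that lacks the key now resolves to `redis.disabled`, which force-removes the `so-redis` container. Only the `so-minion` create functions touched in this commit write `redis: enabled: True`, so minions provisioned before the change would presumably need the key added on upgrade. A comment on this line such as `# off by default; so-minion enables it per role` would record the intent.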
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} + +include: + - redis.sostatus + +so-redis: + docker_container.absent: + - force: True + +so-redis_so-status.disabled: + file.comment: + - name: /opt/so/conf/so-status/so-status.conf + - regex: ^so-redis$ + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls new file mode 100644 index 000000000..26f95e59f --- /dev/null +++ b/salt/redis/enabled.sls 
@@ -0,0 +1,62 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'vars/globals.map.jinja' import GLOBALS %} + +include: + - redis.config + - redis.sostatus + +so-redis: + docker_container.running: + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} + - hostname: so-redis + - user: socore + - networks: + - sobridge: + - ipv4_address: {{ DOCKER.containers['so-redis'].ip }} + - port_bindings: + {% for BINDING in DOCKER.containers['so-redis'].port_bindings %} + - {{ BINDING }} + {% endfor %} + - binds: + - /opt/so/log/redis:/var/log/redis:rw + - /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro + - /opt/so/conf/redis/working:/redis:rw + - /etc/pki/redis.crt:/certs/redis.crt:ro + - /etc/pki/redis.key:/certs/redis.key:ro + {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %} + - /etc/pki/ca.crt:/certs/ca.crt:ro + {% else %} + - /etc/ssl/certs/intca.crt:/certs/ca.crt:ro + {% endif %} + - entrypoint: "redis-server /usr/local/etc/redis/redis.conf" + - watch: + - file: /opt/so/conf/redis/etc + - require: + - file: redisconf + - x509: redis_crt + - x509: redis_key + {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %} + - x509: pki_public_ca_crt + {% else %} + - x509: trusttheca + {% endif %} + +delete_so-redis_so-status.disabled: + file.uncomment: + - name: /opt/so/conf/so-status/so-status.conf + - regex: ^so-redis$ + +{% else %} + +{{sls}}_state_not_allowed: + 
test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/redis/etc/redis.conf.jinja b/salt/redis/etc/redis.conf.jinja index c3291c3e8..cb6d8abd8 100644 --- a/salt/redis/etc/redis.conf.jinja +++ b/salt/redis/etc/redis.conf.jinja @@ -1,5 +1,7 @@ -{%- import_yaml 'redis/defaults.yaml' as REDISDEFAULTS %} -{%- set REDISMERGED = salt['pillar.get']('redis', default=REDISDEFAULTS.redis, merge=true) %} +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + https://securityonion.net/license; you may not use this file except in compliance with the + Elastic License 2.0. #} {%- for k, v in REDISMERGED.config.items() %} {%- if v is iterable and v is not string %} diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 5806d99f3..2f7f38dcc 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls 
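Review bot: The `watch` on `so-redis` points at `file: /opt/so/conf/redis/etc`, which appears to match the `redisconfdir` directory state in `redis/config.sls` rather than the `redisconf` file state, whose name is `/opt/so/conf/redis/etc/redis.conf`. A change to the rendered `redis.conf`, which this commit makes editable from the UI, would then not restart the container, and a tightened `bind` or similar setting would sit on disk unapplied. Adding `- file: redisconf` under `watch` ties restarts to the config file itself; `redisconf` is already listed under `require`, which orders the states but does not trigger a restart.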
@@ -3,106 +3,11 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} -{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'redis/map.jinja' import REDISMERGED %} include: - - ssl - -# Redis Setup -redisconfdir: - file.directory: - - name: /opt/so/conf/redis/etc - - user: 939 - - group: 939 - - makedirs: True - -redisworkdir: - file.directory: - - name: /opt/so/conf/redis/working - - user: 939 - - group: 939 - - makedirs: True - -redislogdir: - file.directory: - - name: /opt/so/log/redis - - user: 939 - - group: 939 - - makedirs: True - -redisconf: - file.managed: - - name: /opt/so/conf/redis/etc/redis.conf - - source: salt://redis/etc/redis.conf.jinja - - user: 939 - - group: 939 - - template: jinja - -redis_sbin: - file.recurse: - - name: /usr/sbin - - source: salt://redis/tools/sbin - - user: 939 - - group: 939 - - file_mode: 755 - -redis_sbin_jinja: - file.recurse: - - name: /usr/sbin - - source: salt://redis/tools/sbin_jinja - - user: 939 - - group: 939 - - file_mode: 755 - - template: jinja - -so-redis: - docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - - hostname: so-redis - - user: socore - - networks: - - sobridge: - - ipv4_address: {{ DOCKER.containers['so-redis'].ip }} - - port_bindings: - {% for BINDING in DOCKER.containers['so-redis'].port_bindings %} - - {{ BINDING }} - {% endfor %} - - binds: - - /opt/so/log/redis:/var/log/redis:rw - - /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro - - /opt/so/conf/redis/working:/redis:rw - - /etc/pki/redis.crt:/certs/redis.crt:ro - - /etc/pki/redis.key:/certs/redis.key:ro - {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %} - - 
/etc/pki/ca.crt:/certs/ca.crt:ro - {% else %} - - /etc/ssl/certs/intca.crt:/certs/ca.crt:ro - {% endif %} - - entrypoint: "redis-server /usr/local/etc/redis/redis.conf" - - watch: - - file: /opt/so/conf/redis/etc - - require: - - file: redisconf - - x509: redis_crt - - x509: redis_key - {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %} - - x509: pki_public_ca_crt - {% else %} - - x509: trusttheca - {% endif %} - -append_so-redis_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-redis - +{% if REDISMERGED.enabled %} + - redis.enabled {% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - + - redis.disabled {% endif %} diff --git a/salt/redis/map.jinja b/salt/redis/map.jinja new file mode 100644 index 000000000..576a7c658 --- /dev/null +++ b/salt/redis/map.jinja @@ -0,0 +1,7 @@ +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + https://securityonion.net/license; you may not use this file except in compliance with the + Elastic License 2.0. #} + +{% import_yaml 'redis/defaults.yaml' as REDISDEFAULTS %} +{% set REDISMERGED = salt['pillar.get']('redis', REDISDEFAULTS.redis, merge=True) %} diff --git a/salt/redis/soc_redis.yaml b/salt/redis/soc_redis.yaml index 5f5ac3da5..45c63ffd3 100644 --- a/salt/redis/soc_redis.yaml +++ b/salt/redis/soc_redis.yaml @@ -1,4 +1,7 @@ redis: + enabled: + description: You can enable or disable Redis. + helpLink: redis.html config: bind: description: The IP address to bind to. diff --git a/salt/redis/sostatus.sls b/salt/redis/sostatus.sls new file mode 100644 index 000000000..8ac26250c --- /dev/null +++ b/salt/redis/sostatus.sls 
@@ -0,0 +1,21 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} + +append_so-redis_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-redis + - unless: grep -q so-redis /opt/so/conf/so-status/so-status.conf + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/top.sls b/salt/top.sls index 95f599f04..9941f0077 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -3,7 +3,6 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{% set REDIS = salt['pillar.get']('redis:enabled', True) %} {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %} {% import_yaml 'salt/minion.defaults.yaml' as saltversion %} {% set saltversion = saltversion.salt.minion.version %} @@ -85,9 +84,7 @@ base: - utility - soctopus - playbook - {%- if REDIS != 0 %} - redis - {%- endif %} - elasticfleet - docker_clean @@ -111,9 +108,7 @@ base: - mysql - elasticsearch - logstash - {%- if REDIS %} - redis - {%- endif %} - elastic-fleet-package-registry - kibana - curator @@ -145,9 +140,7 @@ base: - mysql - elasticsearch - logstash - {%- if REDIS %} - redis - {%- endif %} - elastic-fleet-package-registry - kibana - pcap @@ -196,9 +189,7 @@ base: - mysql - elasticsearch - logstash - {%- if REDIS %} - redis - {%- endif %} - curator - elastic-fleet-package-registry - kibana @@ -218,9 +209,7 @@ base: - firewall - elasticsearch - logstash - {%- if REDIS %} - redis - {%- endif %} - curator {%- if STRELKA %} - strelka 
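Review bot: The `unless` guard on `append_so-redis_so-status.conf` uses an unanchored `grep -q so-redis`, so any line that merely contains that substring suppresses the append. Anchoring it to the whole line, while still accepting the commented form that `redis/disabled.sls` produces with `file.comment`, is more precise: `- unless: grep -qE '^#?so-redis$' /opt/so/conf/so-status/so-status.conf`.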
@@ -264,9 +253,7 @@ base: - telegraf - firewall - logstash - {%- if REDIS %} - redis - {%- endif %} - elasticfleet.install_agent_grid - docker_clean