CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

use heavynode hostname for certs if heavynode. changes to logstash pipeline for redis if heavynode

Browse Source
This commit is contained in:
m0duspwnens
2021-07-06 15:32:39 -04:00
parent ce0b064972
commit 0627ca2fc2
4 changed files with 42 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
salt/logstash/init.sls
View File

@@ -36,6 +36,14 @@
{% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %}
{% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}
{% if grains.role in ['so-heavynode'] %}
{% set EXTRAHOSTHOSTNAME = salt['grains.get']('host') %}
{% set EXTRAHOSTIP = salt['pillar.get']('sensor:mainip') %}
{% else %}
{% set EXTRAHOSTHOSTNAME = MANAGER %}
{% set EXTRAHOSTIP = MANAGERIP %}
{% endif %}
include: include:
- elasticsearch - elasticsearch
@@ -145,12 +153,7 @@ so-logstash:
- name: so-logstash - name: so-logstash
- user: logstash - user: logstash
- extra_hosts: - extra_hosts:
{% if grains.role in ['so-heavynode'] %} - {{ EXTRAHOSTHOSTNAME }}:{{ EXTRAHOSTIP }}
{% set MANAGER = salt['grains.get']('host') %}
{% set MANAGERIP = salt['pillar.get']('sensor:mainip') %}
{% else %}
- {{ MANAGER }}:{{ MANAGERIP }}
{% endif %}
- environment: - environment:
- LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }} - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
- port_bindings: - port_bindings:

11
salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
View File

@@ -1,14 +1,13 @@
{%- if grains.role in ['so-heavynode'] %} {%- if grains.role in ['so-heavynode'] %}
{%- set MANAGER = salt['grains.get']('host') %} {%- set HOST = salt['grains.get']('host') %}
{%- else %} {%- else %}
{%- set MANAGER = salt['grains.get']('master') %} {%- set HOST = salt['grains.get']('master') %}
{%- endif %} {%- endif %}
{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %} {%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} {%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
input { input {
redis { redis {
host => '{{ MANAGER }}' host => '{{ HOST }}'
port => 9696 port => 9696
ssl => true ssl => true
data_type => 'list' data_type => 'list'

8
salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
View File

@@ -1,12 +1,12 @@
{%- if grains.role in ['so-heavynode'] %} {%- if grains.role in ['so-heavynode'] %}
{%- set MANAGER = salt['grains.get']('host') %} {%- set HOST = salt['grains.get']('host') %}
{%- else %} {%- else %}
{%- set MANAGER = salt['grains.get']('master') %} {%- set HOST = salt['grains.get']('master') %}
{%- endif %} {%- endif %}
{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} {%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
output { output {
redis { redis {
host => '{{ MANAGER }}' host => '{{ HOST }}'
port => 6379 port => 6379
data_type => 'list' data_type => 'list'
key => 'logstash:unparsed' key => 'logstash:unparsed'

70
salt/ssl/init.sls
View File

@@ -10,7 +10,9 @@
{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %} {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %}
{% if grains.role in ['so-heavynode'] %} {% if grains.role in ['so-heavynode'] %}
{% set heavynode = salt['grains.get']('host') %} {% set COMMONNAME = salt['grains.get']('host') %}
{% else %}
{% set COMMONNAME = manager %}
{% endif %} {% endif %}
{% if grains.id.split('_')|last in ['manager', 'eval', 'standalone', 'import', 'helixsensor'] %} {% if grains.id.split('_')|last in ['manager', 'eval', 'standalone', 'import', 'helixsensor'] %}
@@ -60,7 +62,7 @@ removeesp12dir:
/etc/pki/influxdb.key: /etc/pki/influxdb.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ manager }} - CN: {{ COMMONNAME }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -81,7 +83,7 @@ removeesp12dir:
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: influxdb - signing_policy: influxdb
- public_key: /etc/pki/influxdb.key - public_key: /etc/pki/influxdb.key
- CN: {{ manager }} - CN: {{ COMMONNAME }}
- subjectAltName: DNS:{{ HOSTNAME }} - subjectAltName: DNS:{{ HOSTNAME }}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -106,11 +108,7 @@ influxkeyperms:
# Create a cert for Redis encryption # Create a cert for Redis encryption
/etc/pki/redis.key: /etc/pki/redis.key:
x509.private_key_managed: x509.private_key_managed:
{% if grains.role in ['so-heavynode'] %} - CN: {{ COMMONNAME }}
- CN: {{ heavynode }}
{% else %}
- CN: {{ manager }}
{% endif %}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -130,11 +128,7 @@ influxkeyperms:
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: registry - signing_policy: registry
- public_key: /etc/pki/redis.key - public_key: /etc/pki/redis.key
{% if grains.role in ['so-heavynode'] %} - CN: {{ COMMONNAME }}
- CN: {{ heavynode }}
{% else %}
- CN: {{ manager }}
{% endif %}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
@@ -158,7 +152,7 @@ rediskeyperms:
{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %} {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}
/etc/pki/filebeat.key: /etc/pki/filebeat.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ manager }} - CN: {{ COMMONNAME }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -179,11 +173,7 @@ rediskeyperms:
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: filebeat - signing_policy: filebeat
- public_key: /etc/pki/filebeat.key - public_key: /etc/pki/filebeat.key
{% if grains.role == 'so-heavynode' %} - CN: {{ COMMONNAME }}
- CN: {{grains.host}}
{% else %}
- CN: {{manager}}
{% endif %}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
@@ -239,7 +229,7 @@ fbcrtlink:
/etc/pki/registry.key: /etc/pki/registry.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ manager }} - CN: {{ COMMONNAME }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -260,7 +250,7 @@ fbcrtlink:
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: registry - signing_policy: registry
- public_key: /etc/pki/registry.key - public_key: /etc/pki/registry.key
- CN: {{ manager }} - CN: {{ COMMONNAME }}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
@@ -282,7 +272,7 @@ regkeyperms:
/etc/pki/minio.key: /etc/pki/minio.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ manager }} - CN: {{ COMMONNAME }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -303,7 +293,7 @@ regkeyperms:
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: registry - signing_policy: registry
- public_key: /etc/pki/minio.key - public_key: /etc/pki/minio.key
- CN: {{ manager }} - CN: {{ COMMONNAME }}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
@@ -326,11 +316,7 @@ miniokeyperms:
# Create a cert for elasticsearch # Create a cert for elasticsearch
/etc/pki/elasticsearch.key: /etc/pki/elasticsearch.key:
x509.private_key_managed: x509.private_key_managed:
{% if grains.role in ['so-heavynode'] %} - CN: {{ COMMONNAME }}
- CN: {{ heavynode }}
{% else %}
- CN: {{ manager }}
{% endif %}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -350,11 +336,7 @@ miniokeyperms:
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: registry - signing_policy: registry
- public_key: /etc/pki/elasticsearch.key - public_key: /etc/pki/elasticsearch.key
{% if grains.role in ['so-heavynode'] %} - CN: {{ COMMONNAME }}
- CN: {{ heavynode }}
{% else %}
- CN: {{ manager }}
{% endif %}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
@@ -387,7 +369,7 @@ elasticp12perms:
/etc/pki/managerssl.key: /etc/pki/managerssl.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ manager }} - CN: {{ COMMONNAME }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -408,7 +390,7 @@ elasticp12perms:
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: managerssl - signing_policy: managerssl
- public_key: /etc/pki/managerssl.key - public_key: /etc/pki/managerssl.key
- CN: {{ manager }} - CN: {{ COMMONNAME }}
- subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -432,7 +414,7 @@ msslkeyperms:
# Create a private key and cert for OSQuery # Create a private key and cert for OSQuery
/etc/pki/fleet.key: /etc/pki/fleet.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ manager }} - CN: {{ COMMONNAME }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -450,7 +432,7 @@ msslkeyperms:
/etc/pki/fleet.crt: /etc/pki/fleet.crt:
x509.certificate_managed: x509.certificate_managed:
- signing_private_key: /etc/pki/fleet.key - signing_private_key: /etc/pki/fleet.key
- CN: {{ manager }} - CN: {{ COMMONNAME }}
- subjectAltName: DNS:{{ manager }},IP:{{ managerip }} - subjectAltName: DNS:{{ manager }},IP:{{ managerip }}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -481,7 +463,7 @@ fbcertdir:
/opt/so/conf/filebeat/etc/pki/filebeat.key: /opt/so/conf/filebeat/etc/pki/filebeat.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ manager }} - CN: {{ COMMONNAME }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -502,11 +484,7 @@ fbcertdir:
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: filebeat - signing_policy: filebeat
- public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
{% if grains.role == 'so-heavynode' %} - CN: {{ COMMONNAME }}
- CN: {{grains.id}}
{% else %}
- CN: {{manager}}
{% endif %}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
@@ -547,7 +525,7 @@ chownfilebeatp8:
/etc/pki/managerssl.key: /etc/pki/managerssl.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ manager }} - CN: {{ COMMONNAME }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -592,7 +570,7 @@ msslkeyperms:
# Create a private key and cert for Fleet # Create a private key and cert for Fleet
/etc/pki/fleet.key: /etc/pki/fleet.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ manager }} - CN: {{ COMMONNAME }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -637,7 +615,7 @@ fleetkeyperms:
# Create a cert for elasticsearch # Create a cert for elasticsearch
/etc/pki/elasticsearch.key: /etc/pki/elasticsearch.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ manager }} - CN: {{ COMMONNAME }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820