From 0e50d36da60d3aeabb5cffa779daa90262456cd3 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 9 Feb 2023 16:18:04 -0500
Subject: [PATCH] upgrade influx
---
 salt/common/tools/sbin/so-influxdb-user | 95 +++++++++++++++++++++++++
 salt/common/tools/sbin/so-user | 5 ++
 salt/nginx/etc/nginx.conf | 4 +-
 salt/telegraf/etc/telegraf.conf | 6 +-
 4 files changed, 107 insertions(+), 3 deletions(-)
 create mode 100644 salt/common/tools/sbin/so-influxdb-user
diff --git a/salt/common/tools/sbin/so-influxdb-user b/salt/common/tools/sbin/so-influxdb-user
new file mode 100644
index 000000000..9b9e5e57b
--- /dev/null
+++ b/salt/common/tools/sbin/so-influxdb-user
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+usage() {
+ echo "Usage: $0 "
+ echo ""
+ echo "Supported Operations:"
+ echo " add Adds a new user"
+ echo " delete Removes an existing user"
+ echo " enable Enables a user"
+ echo " disable Disables a user"
+ echo " password Updates a user's password"
+ echo ""
+ echo "If required, the password will be read from STDIN."
+ exit 1
+}
+
+if [ $# -ne 2 ]; then
+ usage
+fi
+
+KIND=InfluxDB
+OP=$1
+USER_EMAIL=$2
+TOKEN=$(lookup_pillar_secret influx_token)
+
+log() {
+ echo -e "$@"
+}
+
+read_password() {
+ # Read password for new user from stdin
+ test -t 0
+ if [[ $? == 0 ]]; then
+ echo "Enter new password:"
+ fi
+ read -rs USER_PASS
+
+ check_password_and_exit "$USER_PASS"
+}
+
+check_response() {
+ response=$1
+ if [[ "$response" =~ "\"code\":" ]]; then
+ log "Failed. Check the response for more details.\n$response"
+ fi
+}
+
+set -eo pipefail
+
+if [[ "$OP" == "add" ]]; then
+ log "Creating new $KIND user"
+ response=$(curl -sk https://localhost:8086/api/v2/users -X POST -d "{\"name\":\"$USER_EMAIL\"}" -H "Authorization: Token $TOKEN")
+ check_response "$response"
+ OP=password
+fi
+
+response=$(curl -sk https://localhost:8086/api/v2/users?limit=100 -H "Authorization: Token $TOKEN")
+check_response "$response"
+USER_ID=$(echo "$response" | jq -r ".users[] | select(.name == \"$USER_EMAIL\").id")
+if [[ -z "$USER_ID" ]]; then
+ log "$KIND user not found"
+ exit 1
+fi
+
+if [[ "$OP" == "password" ]]; then
+ read_password
+ log "Updating $KIND user password"
+ response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID/password -X POST -d "{\"password\":\"$USER_PASS\"}" -H "Authorization: Token $TOKEN")
+ check_response "$response"
+fi
+
+if [[ "$OP" == "delete" ]]; then
+ log "Deleting $KIND user"
+ response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID -X DELETE -H "Authorization: Token $TOKEN")
+ check_response "$response"
+fi
+
+if [[ "$OP" == "enable" ]]; then
+ log "Enabling $KIND user"
+ response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID -X PATCH -d "{\"name\":\"$USER_EMAIL\",\"status\":\"active\"}" -H "Authorization: Token $TOKEN")
+ check_response "$response"
+fi
+
+if [[ "$OP" == "disable" ]]; then
+ log "Disabling $KIND user"
+ response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID -X PATCH -d "{\"name\":\"$USER_EMAIL\",\"status\":\"inactive\"}" -H "Authorization: Token $TOKEN")
+ check_response "$response"
+fi
diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 1e69ee82b..46feef640 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
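Review bot: `$USER_EMAIL` and `$USER_PASS` are spliced unescaped into the JSON request bodies of the add, password, enable and disable curl calls and into the jq filter that resolves `USER_ID`, so a value containing `"` or `\` yields malformed JSON or a malformed filter, and an e-mail value can change what the jq selector matches; build the bodies with jq, e.g. `body=$(jq -cn --arg p "$USER_PASS" '{password: $p}')` sent as `-d @- <<<"$body"`, and resolve the id with `jq -r --arg e "$USER_EMAIL" '.users[] | select(.name == $e).id'`. Sending the body from stdin also keeps the password out of curl's argv, where `-d "{\"password\":...}"` is visible to other local processes. Separately, `check_response` only logs when the reply contains `"code":` and returns 0, so a failed request is printed but the script carries on and exits 0 for the caller; an `exit 1` after the log line would make failures observable. The `?limit=100` on the user listing also means an account beyond the first 100 users is reported as not found.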
@@ -588,6 +588,7 @@ case "${operation}" in syncAll echo "Successfully added new user to SOC" check_container fleet && echo "$password" | so-fleet-user-add "$email" + echo "$password" | so-influxdb-user add "$email" ;; "list") @@ -628,6 +629,7 @@ case "${operation}" in updateUserPassword "$email" syncAll echo "Successfully updated user password" + echo "$password" | so-influxdb-user password "$email" ;; "profile") @@ -648,6 +650,7 @@ case "${operation}" in syncAll echo "Successfully enabled user" echo "Fleet user will need to be recreated manually with so-fleet-user-add" + so-influxdb-user enable "$email" ;; "disable") @@ -659,6 +662,7 @@ case "${operation}" in syncAll echo "Successfully disabled user" check_container fleet && so-fleet-user-delete "$email" + so-influxdb-user disable "$email" ;; "delete") @@ -670,6 +674,7 @@ case "${operation}" in syncAll echo "Successfully deleted user" check_container fleet && so-fleet-user-delete "$email" + so-influxdb-user delete "$email" ;; "sync") diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 5822170ea..8dce92b75 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -185,11 +185,11 @@ http { location /influxdb/ { auth_request /auth/sessions/whoami; + rewrite /influxdb/api/(.*) /api/$1 break; proxy_pass https://{{ GLOBALS.manager_ip }}:8086/; - proxy_read_timeout 90; + proxy_read_timeout 300; proxy_connect_timeout 90; proxy_set_header Host $host; - proxy_set_header Authorization "Basic {{ influxauth }}"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index 0c3957a89..b6298a637 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf 
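Review bot: Nothing in these hunks checks the exit status of the new `so-influxdb-user` calls, and in the add and password arms the pipeline `echo "$password" | so-influxdb-user …` reports only the right-hand command's status, so unless so-user runs under `set -e` (not visible here) an InfluxDB-side failure leaves the SOC account and the InfluxDB account silently out of sync after the preceding "Successfully …" message has already been printed. A warning on failure, e.g. `echo "$password" | so-influxdb-user add "$email" || echo "Warning: InfluxDB user add failed for $email" >&2`, would make the divergence visible to the operator; the same applies to the password, enable, disable and delete arms. The Fleet equivalents in the same arms are also guarded with `check_container fleet &&`, and a comparable presence check for the InfluxDB container would avoid a spurious error on nodes that do not run it. The enclosing `case "${operation}"` starts and ends outside these hunks.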
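Review bot: The added `rewrite /influxdb/api/(.*) /api/$1 break;` uses an unanchored regex with unescaped dots, so it also matches a URI that merely contains `/influxdb/api/` later in the path and rewrites from that point; `rewrite ^/influxdb/api/(.*)$ /api/$1 break;` restricts it to the intended prefix. With `proxy_set_header Authorization "Basic {{ influxauth }}"` removed, nginx now passes the client's own Authorization header through to InfluxDB unchanged, so upstream access rests on the `auth_request /auth/sessions/whoami;` session check plus whatever credentials the browser supplies; a one-line comment above `location /influxdb/ {` stating that intent would keep a later maintainer from re-adding the static header. The location block closes outside the hunk.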
@@ -2,6 +2,7 @@ {%- set INFLUXDBHOST = GLOBALS.influxdb_host %} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} +{%- set TOKEN = salt['pillar.get']('secrets:influx_token', '') %} {%- set NODEIP = GLOBALS.node_ip %} {%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %} {%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %} @@ -71,8 +72,11 @@ ############################################################################### # Configuration for sending metrics to InfluxDB -[[outputs.influxdb]] +[[outputs.influxdb_v2]] urls = ["https://{{ INFLUXDBHOST }}:8086"] + token = "$TOKEN" + organization = "Security Onion" + bucket = "telegraf/so_short_term" ## Optional TLS Config for use on HTTP connections. tls_ca = "/etc/telegraf/ca.crt"
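Review bot: `token = "$TOKEN"` in the new `[[outputs.influxdb_v2]]` block is a Telegraf environment-variable substitution resolved when the agent starts, not the Jinja variable `TOKEN` set in the first hunk, so unless the Telegraf process is started with `TOKEN` exported (not visible here) the output is configured with an empty token and the pillar lookup is dead code. Rendering it as `token = "{{ TOKEN }}"` ties the two together, at the cost of writing the secret into the rendered telegraf.conf, in which case the file's mode and ownership should restrict it to the Telegraf user; otherwise drop the unused `{%- set TOKEN … %}` and keep passing the secret through the container environment. The `''` default on the pillar lookup also means a missing `secrets:influx_token` renders an empty token instead of failing the state.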