From 20e896cacf0616740f141fd8e2fb59090b778b55 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 2 Jun 2021 12:17:15 -0400 Subject: [PATCH] Update all configs to pass user/pass to ES --- salt/curator/files/curator.yml | 4 ++++ salt/elastalert/defaults.yaml | 8 +++++--- salt/filebeat/etc/filebeat.yml | 4 ++++ salt/kibana/etc/kibana.yml | 8 +++++--- .../pipelines/config/so/9000_output_zeek.conf.jinja | 4 ++++ .../pipelines/config/so/9002_output_import.conf.jinja | 4 ++++ .../pipelines/config/so/9004_output_flow.conf.jinja | 4 ++++ .../pipelines/config/so/9033_output_snort.conf.jinja | 4 ++++ .../pipelines/config/so/9034_output_syslog.conf.jinja | 4 ++++ .../pipelines/config/so/9100_output_osquery.conf.jinja | 4 ++++ .../config/so/9101_output_osquery_livequery.conf.jinja | 4 ++++ .../pipelines/config/so/9200_output_firewall.conf.jinja | 4 ++++ .../pipelines/config/so/9400_output_suricata.conf.jinja | 4 ++++ .../pipelines/config/so/9500_output_beats.conf.jinja | 4 ++++ .../pipelines/config/so/9600_output_ossec.conf.jinja | 4 ++++ .../pipelines/config/so/9700_output_strelka.conf.jinja | 4 ++++ salt/soc/files/soc/soc.json | 6 ++++-- salt/soctopus/files/SOCtopus.conf | 7 ++++--- salt/telegraf/etc/telegraf.conf | 6 ++++++ 19 files changed, 80 insertions(+), 11 deletions(-) diff --git a/salt/curator/files/curator.yml b/salt/curator/files/curator.yml index 7d86ccc04..a237416a1 100644 --- a/salt/curator/files/curator.yml +++ b/salt/curator/files/curator.yml @@ -3,6 +3,8 @@ {% elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone'] %} {%- set elasticsearch = salt['pillar.get']('manager:mainip', '') -%} {%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}) --- # Remember, leave a key empty if there is no value. None will be a string, @@ -11,6 +13,8 @@ client: hosts: - {{elasticsearch}} port: 9200 + username: {{ ES_USER }} + password: {{ ES_PASS }} url_prefix: use_ssl: True certificate: diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml index ad675b8ee..788d87f85 100644 --- a/salt/elastalert/defaults.yaml +++ b/salt/elastalert/defaults.yaml @@ -1,3 +1,5 @@ +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}) elastalert: config: rules_folder: /opt/elastalert/rules/ @@ -19,8 +21,8 @@ elastalert: use_ssl: true verify_certs: false #es_send_get_body_as: GET - #es_username: someusername - #es_password: somepassword + es_username: {{ ES_USER }} + es_password: {{ ES_PASS }} writeback_index: elastalert_status alert_time_limit: days: 2 @@ -45,4 +47,4 @@ elastalert: level: INFO handlers: - file - propagate: false \ No newline at end of file + propagate: false diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 0f7c9c778..cd9c76de1 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -3,6 +3,8 @@ {%- else %} {%- set MANAGER = salt['grains.get']('master') %} {%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_beats_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_beats_user:pass', '') %}) {%- set HOSTNAME = salt['grains.get']('host', '') %} @@ -261,6 +263,8 @@ output.{{ type }}: output.elasticsearch: enabled: true hosts: ["https://{{ MANAGER }}:9200"] + username: "{{ ES_USER }}" + password: "{{ ES_PASS }}" ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] pipelines: - pipeline: "%{[module]}.%{[dataset]}" diff --git a/salt/kibana/etc/kibana.yml b/salt/kibana/etc/kibana.yml index 501d93c8a..94e170167 100644 --- a/salt/kibana/etc/kibana.yml +++ b/salt/kibana/etc/kibana.yml @@ -1,14 +1,16 @@ --- # Default Kibana configuration from kibana-docker. {%- set ES = salt['pillar.get']('manager:mainip', '') -%} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass', '') %}) server.name: kibana server.host: "0" server.basePath: /kibana elasticsearch.hosts: [ "https://{{ ES }}:9200" ] elasticsearch.ssl.verificationMode: none #kibana.index: ".kibana" -#elasticsearch.username: elastic -#elasticsearch.password: changeme +elasticsearch.username: {{ ES_USER }} +elasticsearch.password: {{ ES_PASS }} #xpack.monitoring.ui.container.elasticsearch.enabled: true elasticsearch.requestTimeout: 90000 logging.dest: /var/log/kibana/kibana.log @@ -19,4 +21,4 @@ xpack.security.authc.providers: anonymous.anonymous1: order: 0 credentials: "elasticsearch_anonymous_user" -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index d17dc2b22..77f1b59ec 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja @@ -3,11 +3,15 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %}) output { if [module] =~ "zeek" and "import" not in [tags] { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" + username => "{{ ES_USER }}" + password => "{{ ES_PASS }}" index => "so-zeek" template_name => "so-zeek" template => "/templates/so-zeek-template.json" diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja index 4562dcee7..2453a25d8 100644 --- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja +++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja @@ -3,11 +3,15 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %}) output { if "import" in [tags] { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" + username => "{{ ES_USER }}" + password => "{{ ES_PASS }}" index => "so-import" template_name => "so-import" template => "/templates/so-import-template.json" diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja index fb6eaee5d..010f01ee8 100644 --- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja +++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja @@ -3,10 +3,14 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %}) output { if [event_type] == "sflow" { elasticsearch { hosts => "{{ ES }}" + username => "{{ ES_USER }}" + password => "{{ ES_PASS }}" index => "so-flow" template_name => "so-flow" template => "/templates/so-flow-template.json" diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja index 61aa21a82..2b42541dc 100644 --- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja +++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja @@ -3,10 +3,14 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %}) output { if [event_type] == "ids" and "import" not in [tags] { elasticsearch { hosts => "{{ ES }}" + username => "{{ ES_USER }}" + password => "{{ ES_PASS }}" index => "so-ids" template_name => "so-ids" template => "/templates/so-ids-template.json" diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index 0afbf45ea..b2cd7107d 100644 --- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja @@ -3,11 +3,15 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %}) output { if [module] =~ "syslog" { elasticsearch { pipeline => "%{module}" hosts => "{{ ES }}" + username => "{{ ES_USER }}" + password => "{{ ES_PASS }}" index => "so-syslog" template_name => "so-syslog" template => "/templates/so-syslog-template.json" diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja index efa46c7af..d663e79b6 100644 --- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja @@ -3,11 +3,15 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_pass:pass', '') %}) output { if [module] =~ "osquery" and "live_query" not in [dataset] { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" + username => "{{ ES_USER }}" + password => "{{ ES_PASS }}" index => "so-osquery" template_name => "so-osquery" template => "/templates/so-osquery-template.json" diff --git a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja index 6d7b71415..c8e70d85a 100644 --- a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja @@ -3,6 +3,8 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %}) {% set FEATURES = salt['pillar.get']('elastic:features', False) %} filter { @@ -30,6 +32,8 @@ output { elasticsearch { pipeline => "osquery.live_query" hosts => "{{ ES }}" + username => "{{ ES_USER }}" + password => "{{ ES_PASS }}" index => "so-osquery" template_name => "so-osquery" template => "/templates/so-osquery-template.json" diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja index 764f597b9..2a8ab27bf 100644 --- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja +++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja @@ -3,10 +3,14 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %}) output { if [dataset] =~ "firewall" { elasticsearch { hosts => "{{ ES }}" + username => "{{ ES_USER }}" + password => "{{ ES_PASS }}" index => "so-firewall" template_name => "so-firewall" template => "/templates/so-firewall-template.json" diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index 5013bafc1..de93b6c81 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja @@ -3,11 +3,15 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %}) output { if [module] =~ "suricata" and "import" not in [tags] { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" + username => "{{ ES_USER }}" + password => "{{ ES_PASS }}" index => "so-ids" template_name => "so-ids" template => "/templates/so-ids-template.json" diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja index 349c0ada1..95dce8160 100644 --- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja +++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja @@ -3,11 +3,15 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %}) output { if "beat-ext" in [tags] and "import" not in [tags] { elasticsearch { pipeline => "beats.common" hosts => "{{ ES }}" + username => "{{ ES_USER }}" + password => "{{ ES_PASS }}" index => "so-beats" template_name => "so-beats" template => "/templates/so-beats-template.json" diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja index 1a4987a53..ce26d6093 100644 --- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja +++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja @@ -3,11 +3,15 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %}) output { if [module] =~ "ossec" { elasticsearch { pipeline => "%{module}" hosts => "{{ ES }}" + username => "{{ ES_USER }}" + password => "{{ ES_PASS }}" index => "so-ossec" template_name => "so-ossec" template => "/templates/so-ossec-template.json" diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index d564486e4..ef804ea17 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja +++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja @@ -3,11 +3,15 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %}) output { if [module] =~ "strelka" { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" + username => "{{ ES_USER }}" + password => "{{ ES_PASS }}" index => "so-strelka" template_name => "so-strelka" template => "/templates/so-strelka-template.json" diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index e275ec28b..9f274e9f8 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -18,6 +18,8 @@ {%- import_json "soc/files/soc/menu.actions.json" as menu_actions %} {%- import_json "soc/files/soc/tools.json" as tools %} {%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}) { "logFilename": "/opt/sensoroni/logs/sensoroni-server.log", @@ -47,8 +49,8 @@ {%- endfor %} ], {%- endif %} - "username": "", - "password": "", + "username": "{{ ES_USER }}", + "password": "{{ ES_PASS }}", "cacheMs": {{ ES_FIELDCAPS_CACHE }}, "verifyCert": false, "timeoutMs": {{ API_TIMEOUT }} diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf index b6ee45e74..424eb35cb 100644 --- a/salt/soctopus/files/SOCtopus.conf +++ b/salt/soctopus/files/SOCtopus.conf @@ -3,13 +3,14 @@ {%- set HIVEKEY = salt['pillar.get']('global:hivekey', '') %} {%- set CORTEXKEY = salt['pillar.get']('global:cortexorguserkey', '') %} {%- set PLAYBOOK_KEY = salt['pillar.get']('playbook:api_key', '') %} - +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}) [es] es_url = https://{{MANAGER}}:9200 es_ip = {{MANAGER}} -es_user = -es_pass = +es_user = {{ ES_USER }} +es_pass = {{ ES_PASS }} es_index_pattern = so-* es_verifycert = no diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index af3474913..8c910b718 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -14,6 +14,8 @@ # for numbers and booleans they should be plain (ie, $INT_VAR, $BOOL_VAR) {%- set MANAGER = salt['grains.get']('master') %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}) +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}) {% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') %} {% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %} {% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %} @@ -620,10 +622,14 @@ {% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %} [[inputs.elasticsearch]] servers = ["https://{{ MANAGER }}:9200"] + username = "{{ ES_USER }}" + password = "{{ ES_PASS }}" insecure_skip_verify = true {% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} [[inputs.elasticsearch]] servers = ["https://{{ NODEIP }}:9200"] + username = "{{ ES_USER }}" + password = "{{ ES_PASS }}" insecure_skip_verify = true {% endif %}