Merge pull request #1157 from Security-Onion-Solutions/feature/esssl

Feature/esssl
This commit is contained in:
Mike Reeves
2020-08-08 22:20:55 -04:00
committed by GitHub
14 changed files with 826 additions and 193 deletions


@@ -33,6 +33,8 @@ firewall:
- 9300 - 9300
- 9400 - 9400
- 9500 - 9500
- 9595
- 9696
udp: udp:
- 1514 - 1514
minions: minions:
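Review bot: Port 9595 is opened in this firewall list next to 9696, but nothing else in this pull request references 9595, whereas 9696 is the TLS listener the redis container binds (`- 0.0.0.0:9696:9696`) and the redis input connects to. If 9595 fronts a service not shown in this change, a comment such as `# 9595: <service>, 9696: redis TLS` beside the two entries would tell the next reader why the manager exposes it; if it is a leftover, it widens exposure for no benefit. The enclosing `firewall:` mapping starts outside the hunk.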


@@ -1,12 +1,9 @@
{%- set PIPELINE = salt['pillar.get']('global:pipeline', 'minio') %} {%- set PIPELINE = salt['pillar.get']('global:pipeline', 'redis') %}
logstash: logstash:
pipelines: pipelines:
manager: manager:
config: config:
- so/0009_input_beats.conf - so/0009_input_beats.conf
- so/0010_input_hhbeats.conf - so/0010_input_hhbeats.conf
{%- if PIPELINE == "minio"%}
- so/9998_output_minio.conf.jinja
{%- else %}
- so/9999_output_redis.conf.jinja - so/9999_output_redis.conf.jinja
{%- endif %}


@@ -3,11 +3,7 @@ logstash:
pipelines: pipelines:
search: search:
config: config:
{%- if PIPELINE == "minio"%}
- so/0899_input_minio.conf.jinja
{%- else %}
- so/0900_input_redis.conf.jinja - so/0900_input_redis.conf.jinja
{%- endif %}
- so/9000_output_zeek.conf.jinja - so/9000_output_zeek.conf.jinja
- so/9002_output_import.conf.jinja - so/9002_output_import.conf.jinja
- so/9034_output_syslog.conf.jinja - so/9034_output_syslog.conf.jinja


@@ -0,0 +1,32 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set VERSION = salt['pillar.get']('global:soversion', '') %}
{%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{%- set MANAGER = salt['grains.get']('master') %}
. /usr/sbin/so-common
# Check to see if we have extracted the ca cert.
if [ ! -f /opt/so/saltstack/local/salt/common/cacerts ]; then
docker run -v /etc/pki/ca.crt:/etc/pki/ca.crt --name so-elasticsearchca --user root --entrypoint keytool {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logstash:{{ VERSION }} -keystore /etc/pki/ca-trust/extracted/java/cacerts -alias SOSCA -import -file /etc/pki/ca.crt -storepass changeit -noprompt
docker cp so-elasticsearchca:/etc/pki/ca-trust/extracted/java/cacerts /opt/so/saltstack/local/salt/common/cacerts
docker cp so-elasticsearchca:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
docker rm so-elasticsearchca
echo "" >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
echo "sosca" >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
cat /etc/pki/ca.crt >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
else
exit 0
fi
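Review bot: The `docker run ... keytool` line has no exit-status check, so if the import fails the container still exists and the following `docker cp` copies an unmodified truststore into `/opt/so/saltstack/local/salt/common/cacerts`; from then on the `if [ ! -f ... ]` guard treats the job as done and Elasticsearch and Logstash silently never trust the internal CA. Fail fast instead, e.g. `docker run ... -noprompt || { docker rm so-elasticsearchca; exit 1; }`, so the salt state that invokes this script reports the failure and the guard stays unsatisfied. `docker rm` also only runs on the success path, so an interrupted earlier run would presumably leave a container named `so-elasticsearchca` behind and make the next `docker run --name` fail; removing any stale container before the run avoids that. The same `|| exit 1` treatment on the two `docker cp` lines keeps a half-written bundle from satisfying the file check.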


@@ -26,9 +26,11 @@
{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} {% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %}
{% set esclustername = salt['pillar.get']('manager:esclustername', '') %} {% set esclustername = salt['pillar.get']('manager:esclustername', '') %}
{% set esheap = salt['pillar.get']('manager:esheap', '') %} {% set esheap = salt['pillar.get']('manager:esheap', '') %}
{% set ismanager = True %}
{% elif grains['role'] in ['so-node','so-heavynode'] %} {% elif grains['role'] in ['so-node','so-heavynode'] %}
{% set esclustername = salt['pillar.get']('elasticsearch:esclustername', '') %} {% set esclustername = salt['pillar.get']('elasticsearch:esclustername', '') %}
{% set esheap = salt['pillar.get']('elasticsearch:esheap', '') %} {% set esheap = salt['pillar.get']('elasticsearch:esheap', '') %}
{% set ismanager = False %}
{% endif %} {% endif %}
{% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}
@@ -37,6 +39,46 @@ vm.max_map_count:
sysctl.present: sysctl.present:
- value: 262144 - value: 262144
{% if ismanager %}
# We have to add the Manager CA to the CA list
cascriptsync:
file.managed:
- name: /usr/sbin/so-catrust
- source: salt://elasticsearch/files/scripts/so-catrust
- user: 939
- group: 939
- mode: 750
- template: jinja
# Run the CA magic
cascriptfun:
cmd.run:
- name: /usr/sbin/so-catrust
{% endif %}
# Move our new CA over so Elastic and Logstash can use SSL with the internal CA
catrustdir:
file.directory:
- name: /opt/so/conf/ca
- user: 939
- group: 939
- makedirs: True
cacertz:
file.managed:
- name: /opt/so/conf/ca/cacerts
- source: salt://common/cacerts
- user: 939
- group: 939
capemz:
file.managed:
- name: /opt/so/conf/ca/tls-ca-bundle.pem
- source: salt://common/tls-ca-bundle.pem
- user: 939
- group: 939
# Add ES Group # Add ES Group
elasticsearchgroup: elasticsearchgroup:
group.present: group.present:
@@ -149,6 +191,9 @@ so-elasticsearch:
- /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
- /nsm/elasticsearch:/usr/share/elasticsearch/data:rw - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
- /opt/so/log/elasticsearch:/var/log/elasticsearch:rw - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
- /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
- watch:
- file: cacertz
so-elasticsearch-pipelines-file: so-elasticsearch-pipelines-file:
file.managed: file.managed:
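Review bot: `cascriptfun` runs `/usr/sbin/so-catrust` through `cmd.run` with no `creates`, `onchanges` or `unless`, so every highstate on a manager executes the script and reports a change even though the script exits early once the truststore exists. Add `- creates: /opt/so/saltstack/local/salt/common/cacerts` (the same file the script tests for) so the state is idempotent in salt's own terms and a failed run shows up as a failed state on the next highstate instead of disappearing. Separately, `cacertz` and `capemz` fetch `salt://common/cacerts` and `salt://common/tls-ca-bundle.pem`, which presumably only exist on the fileserver after the manager's `cascriptfun` has run; a `require` inside this file cannot express that cross-minion ordering, so a comment stating that the manager must be highstated first would help whoever hits the missing-source error on a fresh node.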


@@ -64,6 +64,7 @@ firewall:
redis: redis:
tcp: tcp:
- 6379 - 6379
- 9696
salt_manager: salt_manager:
tcp: tcp:
- 4505 - 4505


@@ -148,7 +148,6 @@ so-logstash:
- user: logstash - user: logstash
- environment: - environment:
- LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }} - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
- SSL_CERT_FILE=/etc/ssl/certs/ca.crt
- port_bindings: - port_bindings:
{% for BINDING in DOCKER_OPTIONS.port_bindings %} {% for BINDING in DOCKER_OPTIONS.port_bindings %}
- {{ BINDING }} - {{ BINDING }}
@@ -167,7 +166,8 @@ so-logstash:
- /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro
- /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
- /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
- /etc/ssl/certs/intca.crt:/etc/ssl/certs/ca.crt:ro - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
- /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
{%- if grains['role'] == 'so-eval' %} {%- if grains['role'] == 'so-eval' %}
- /nsm/zeek:/nsm/zeek:ro - /nsm/zeek:/nsm/zeek:ro
- /nsm/suricata:/suricata:ro - /nsm/suricata:/suricata:ro
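Review bot: The new `tls-ca-bundle.pem` bind in the second hunk is the only entry in the binds list without the `:ro` suffix that the neighbouring `cacerts`, `filebeat.*` and `ca.crt` binds carry, so the container gets a writable handle on the host's trust bundle. Mount it read-only like the rest: `- /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro`. The `so-logstash` state extends beyond both hunks.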


@@ -1,13 +1,11 @@
{%- if grains.role == 'so-heavynode' %} {%- set MANAGER = salt['grains.get']('master') %}
{%- set MANAGER = salt['pillar.get']('elasticsearch:mainip', '') %}
{%- else %}
{%- set MANAGER = salt['pillar.get']('global:managerip', '') %}
{% endif -%}
{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %} {%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
input { input {
redis { redis {
host => '{{ MANAGER }}' host => '{{ MANAGER }}'
port => 9696
ssl => true
data_type => 'list' data_type => 'list'
key => 'logstash:unparsed' key => 'logstash:unparsed'
type => 'redis-input' type => 'redis-input'
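Review bot: Dropping the `so-heavynode` branch changes where a heavy node's redis input points: it used to read `elasticsearch:mainip` (presumably its own address) and now uses the `master` grain, i.e. the salt manager, for every role. If heavy nodes still run their own redis and logstash, their input now pulls from the manager's queue instead of the local one; if that is intended, a short comment above the `{%- set MANAGER ... %}` line saying the input is always the manager's redis on 9696 would keep the next reader from restoring the branch. The `redis { ... }` block continues past the hunk.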


@@ -17,6 +17,7 @@ output {
encoding => {{ ENCODING }} encoding => {{ ENCODING }}
upload_queue_size => {{ UPLOAD_QUEUE_SIZE }} upload_queue_size => {{ UPLOAD_QUEUE_SIZE }}
temporary_directory => "/usr/share/logstash/data/tmp" temporary_directory => "/usr/share/logstash/data/tmp"
validate_credentials_on_root_bucket => false
additional_settings => { additional_settings => {
"force_path_style" => true "force_path_style" => true
} }


@@ -1,8 +1,9 @@
{% set MANAGER = salt['pillar.get']('global:managerip', '') %} {%- set MANAGER = salt['grains.get']('master') %}
{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} {% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
output { output {
redis { redis {
host => '{{ MANAGER }}' host => '{{ MANAGER }}'
port => 6379
data_type => 'list' data_type => 'list'
key => 'logstash:unparsed' key => 'logstash:unparsed'
congestion_interval => 1 congestion_interval => 1
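Review bot: This output keeps `port => 6379` with no `ssl => true`, while the redis input changed in this pull request (what looks like `0900_input_redis.conf.jinja`) now connects on 9696 with TLS, so the logstash→redis hop this pipeline writes stays plaintext. Because the host is now the `master` grain rather than a pillar value, whether that hop ever crosses the network depends on where this pipeline runs; if it is only ever the manager talking to its own redis, say so in a comment above `output {`, otherwise switch to `port => 9696` and `ssl => true` to match the input. The `redis { ... }` block continues past the hunk.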



@@ -53,10 +53,14 @@ so-redis:
- user: socore - user: socore
- port_bindings: - port_bindings:
- 0.0.0.0:6379:6379 - 0.0.0.0:6379:6379
- 0.0.0.0:9696:9696
- binds: - binds:
- /opt/so/log/redis:/var/log/redis:rw - /opt/so/log/redis:/var/log/redis:rw
- /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro - /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro
- /opt/so/conf/redis/working:/redis:rw - /opt/so/conf/redis/working:/redis:rw
- /etc/pki/redis.crt:/certs/redis.crt:ro
- /etc/pki/redis.key:/certs/redis.key:ro
- /etc/pki/ca.crt:/certs/ca.crt:ro
- entrypoint: "redis-server /usr/local/etc/redis/redis.conf" - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
- watch: - watch:
- file: /opt/so/conf/redis/etc - file: /opt/so/conf/redis/etc
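Review bot: The plaintext `0.0.0.0:6379:6379` binding stays next to the new `0.0.0.0:9696:9696` TLS binding, and the firewall pillar hunk in this pull request still opens 6379, so adding TLS does not remove the unencrypted path to the queue. If 6379 is only needed by local clients, bind it as `- 127.0.0.1:6379:6379` (or drop it and disable the plaintext port in redis.conf, whose diff is not shown here) so remote clients are forced onto 9696; if it must stay open, a comment naming the client that still needs it would help. Also worth confirming that `/etc/pki/redis.key`, managed elsewhere in this change as mode 640 with group 939, is readable by the `socore` user this container runs as.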


@@ -216,6 +216,41 @@ miniokeyperms:
- mode: 640 - mode: 640
- group: 939 - group: 939
/etc/pki/redis.key:
x509.private_key_managed:
- CN: {{ manager }}
- bits: 4096
- days_remaining: 0
- days_valid: 820
- backup: True
- new: True
{% if salt['file.file_exists']('/etc/pki/redis.key') -%}
- prereq:
- x509: /etc/pki/redis.crt
{%- endif %}
# Create a cert for the docker registry
/etc/pki/redis.crt:
x509.certificate_managed:
- ca_server: {{ ca_server }}
- signing_policy: registry
- public_key: /etc/pki/redis.key
- CN: {{ manager }}
- days_remaining: 0
- days_valid: 820
- backup: True
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
rediskeyperms:
file.managed:
- replace: False
- name: /etc/pki/redis.key
- mode: 640
- group: 939
/etc/pki/managerssl.key: /etc/pki/managerssl.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ manager }} - CN: {{ manager }}
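Review bot: The comment above `/etc/pki/redis.crt` reads `# Create a cert for the docker registry`, which appears to be copied from the registry block; change it to `# Create a TLS cert for redis` so the block's purpose is clear. The certificate also reuses `signing_policy: registry`; if that policy carries registry-specific constraints, a one-line note on why it is appropriate for the cert redis presents to logstash clients would save the next reader a trip to the CA configuration. The `/etc/pki/managerssl.key` state at the end of the hunk continues outside it.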


@@ -1049,7 +1049,7 @@ manager_global() {
" wazuh: $WAZUH"\ " wazuh: $WAZUH"\
" managerupdate: $MANAGERUPDATES"\ " managerupdate: $MANAGERUPDATES"\
" imagerepo: $IMAGEREPO"\ " imagerepo: $IMAGEREPO"\
" pipeline: minio"\ " pipeline: redis"\
"pcap:"\ "pcap:"\
" sensor_checkin_interval_ms: $SENSOR_CHECKIN_INTERVAL_MS"\ " sensor_checkin_interval_ms: $SENSOR_CHECKIN_INTERVAL_MS"\
"strelka:"\ "strelka:"\