Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion-saltstack into dev

2025-12-06 09:12:45 +01:00 · 2020-04-09 11:59:25 -04:00
parent 48240498f9 5a985736e5
commit 2b05ae6c08
8 changed files with 63 additions and 42 deletions
--- a/pillar/docker/config.sls
+++ b/pillar/docker/config.sls
@@ -1,4 +1,5 @@
-{% set OSQUERY = salt['pillar.get']('master:osquery', '0') %}
+{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
+{%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
 {% set WAZUH = salt['pillar.get']('master:wazuh', '0') %}
 {% set THEHIVE = salt['pillar.get']('master:thehive', '0') %}
 {% set PLAYBOOK = salt['pillar.get']('master:playbook', '0') %}
@@ -7,7 +8,6 @@
 {% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
 {% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}

-
 eval:
  containers:
    - so-core
@@ -20,7 +20,7 @@ eval:
    - so-soc
    - so-kratos
    - so-idstools
-    {% if OSQUERY != '0' %}
+    {% if FLEETMASTER %}
    - so-mysql
    - so-fleet
    - so-redis
@@ -100,7 +100,7 @@ master_search:
    - so-elastalert
    - so-filebeat
    - so-soctopus
-    {% if OSQUERY != '0' %}
+    {% if FLEETMASTER %}
    - so-mysql
    - so-fleet
    - so-redis
@@ -143,7 +143,7 @@ master:
    - so-kibana
    - so-elastalert
    - so-filebeat
-    {% if OSQUERY != '0' %}
+    {% if FLEETMASTER %}
    - so-mysql
    - so-fleet
    - so-redis
@@ -199,4 +199,13 @@ warm_node:
    - so-core
    - so-telegraf
    - so-elasticsearch
-    
+fleet:
+  containers:
+    {% if FLEETNODE %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    - so-filebeat
+    - so-core
+    - so-telegraf
+    {% endif %}
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -148,5 +148,4 @@ so-elasticsearch-pipelines:
 so-elasticsearch-templates:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-templates
-    - cwd: /
-
+    - cwd: /opt/so
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -7,8 +7,8 @@

 {%- set HOSTNAME = salt['grains.get']('host', '') %}
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
-{%- set WAZUHENABLED = salt['pillar.get']('master:wazuh_enabled', '0') %}
-{%- set STRELKAENABLED = salt['pillar.get']('master:strelka_enabled', '0') %}
+{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '0') %}
+{%- set STRELKAENABLED = salt['pillar.get']('static:strelka_enabled', '0') %}
 {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
 {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}

@@ -110,6 +110,26 @@ filebeat.inputs:
    fields_under_root: true
    clean_removed: false
    close_removed: false
+
+  {%- if STRELKAENABLED == '1' %}
+
+  - type: log
+    paths:
+      - /nsm/strelka/log/strelka.log
+    fields:
+      module: strelka
+      category: file
+      dataset: file
+
+    processors:
+    - drop_fields:
+        fields: ["source", "prospector", "input", "offset", "beat"]    
+
+    fields_under_root: true
+    clean_removed: false
+    close_removed: false
+
+  {%- endif %}
 {%- endif %}

 {%- if WAZUHENABLED == '1' %}
@@ -160,25 +180,6 @@ filebeat.inputs:

 {%- endif %}

-{%- if STRELKAENABLED == '1' %}
-
-  - type: log
-    paths:
-      - /nsm/strelka/log/strelka.log
-    fields:
-      module: strelka
-      category: file
-      dataset: file
-
-    processors:
-    - drop_fields:
-        fields: ["source", "prospector", "input", "offset", "beat"]    
-
-    fields_under_root: true
-    clean_removed: false
-    close_removed: false
-
-{%- endif %}
 #----------------------------- Elasticsearch/Logstash output ---------------------------------
 {%- if grains['role'] == "so-eval" %}
 output.elasticsearch:
--- a/salt/kibana/bin/so-kibana-config-load
+++ b/salt/kibana/bin/so-kibana-config-load
@@ -32,8 +32,8 @@ sleep 30s

 # Sub our IP for placholders
 for i in FLEETPLACEHOLDER PCAPPLACEHOLDER SOCTOPUSPLACEHOLDER PLACEHOLDER; do
-        sed -i "s/$i/{{ MASTER }}/g" /opt/so/saltstack/salt/kibana/saved_objects.ndjson
+        sed "s/$i/{{ MASTER }}/g" /opt/so/conf/kibana/saved_objects.ndjson.template > /opt/so/conf/kibana/saved_objects.ndjson
 done

 # Load saved objects
-curl -X POST "localhost:5601/api/saved_objects/_import" -H "kbn-xsrf: true" --form file=@/opt/so/saltstack/salt/kibana/saved_objects.ndjson
+curl -X POST "localhost:5601/api/saved_objects/_import" -H "kbn-xsrf: true" --form file=@/opt/so/conf/kibana/saved_objects.ndjson > /dev/null 2>&1
--- a/salt/kibana/files/saved_objects.ndjson
+++ b/salt/kibana/files/saved_objects.ndjson
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -59,7 +59,19 @@ synckibanacustom:
    - user: 932
    - group: 939

-# File.Recurse for custom saved dashboards
+kibanabin:
+  file.managed:
+    - name: /usr/sbin/so-kibana-config-load
+    - source: salt://kibana/bin/so-kibana-config-load
+    - mode: 755
+    - template: jinja
+
+kibanadashtemplate:
+  file.managed:
+    - name: /opt/so/conf/kibana/saved_objects.ndjson.template
+    - source: salt://kibana/files/saved_objects.ndjson
+    - user: 932
+    - group: 939

 # Start the kibana docker
 so-kibana:
@@ -80,12 +92,12 @@ so-kibana:
      - 0.0.0.0:5601:5601

 so-kibana-config-load:
-  cmd.script:
-    - shell: /bin/bash
-    - runas: socore
+  cmd.run:
+    - name: /usr/sbin/so-kibana-config-load
    - cwd: /opt/so
-    - source: salt://kibana/bin/so-kibana-config-load
-    - template: jinja
+    - onchanges:
+      - file: kibanadashtemplate
+

 # Keep the setting correct
 #KibanaHappy:
@@ -93,4 +105,4 @@ so-kibana-config-load:
 #    - shell: /bin/bash
 #    - runas: socore
 #    - source: salt://kibana/bin/keepkibanahappy.sh
-#    - template: jinja
+#    - template: jinja
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -1,12 +1,12 @@
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') -%}
-{%- set WAZUH = salt['pillar.get']('master:wazuh', '0') -%}
+{%- set WAZUH = salt['pillar.get']('static:wazuh', '0') -%}
 {%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%}
 {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}
 {%- set FREQSERVER = salt['pillar.get']('master:freq', '0') -%}
 {%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%}
 {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
 {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
-{%- set STRELKA = salt['pillar.get']('master:strelka', '0') -%}
+{%- set STRELKA = salt['pillar.get']('static:strelka', '0') -%}


 base:
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -865,10 +865,8 @@ master_pillar() {
  #echo "  fleetpass: $FLEETPASS" >> $PILLARFILE
  echo "  grafana: $GRAFANA" >> $PILLARFILE
  echo "  osquery: $OSQUERY" >> $PILLARFILE
-  echo "  wazuh: $WAZUH" >> $PILLARFILE
  echo "  thehive: $THEHIVE" >> $PILLARFILE
  echo "  playbook: $PLAYBOOK" >> $PILLARFILE
-  echo "  strelka: $STRELKA" >> $PILLARFILE
  echo "" >> $PILLARFILE
  echo "kratos:" >> $PILLARFILE
  if [[ $REDIRECTINFO == 'OTHER' ]]; then
@@ -913,6 +911,8 @@ master_static() {
  echo "  fleet_hostname: N/A" >> /opt/so/saltstack/pillar/static.sls
  echo "  fleet_ip: N/A" >> /opt/so/saltstack/pillar/static.sls
  echo "  sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls
+  echo "  strelka: $STRELKA" >> /opt/so/saltstack/pillar/static.sls
+  echo "  wazuh: $WAZUH" >> /opt/so/saltstack/pillar/static.sls
  if [[ $MASTERUPDATES == 'MASTER' ]]; then
    echo "  masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
  else