mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
Elastic auth: Fun with Salt
This commit is contained in:
Jason Ertel
0
salt/common/tools/sbin/so-airgap-hotfixapply
Normal file → Executable file
0
salt/common/tools/sbin/so-airgap-hotfixapply
Normal file → Executable file
0
salt/common/tools/sbin/so-airgap-hotfixdownload
Normal file → Executable file
0
salt/common/tools/sbin/so-airgap-hotfixdownload
Normal file → Executable file
9
salt/common/tools/sbin/so-elastic-auth
Normal file → Executable file
9
salt/common/tools/sbin/so-elastic-auth
Normal file → Executable file
@@ -29,12 +29,17 @@ if ! grep -q "enabled: " "$ES_AUTH_PILLAR"; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
function restart() {
|
||||
so-elastic-stop
|
||||
salt-call state.highstate queue=True
|
||||
}
|
||||
|
||||
if [[ "$authEnable" == "true" ]]; then
|
||||
if grep -q "enabled: False" "$ES_AUTH_PILLAR"; then
|
||||
sed -i 's/enabled: False/enabled: True/g' "$ES_AUTH_PILLAR"
|
||||
if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then
|
||||
echo "Applying highstate - this may take a few minutes..."
|
||||
salt-call state.highstate queue=True
|
||||
restart
|
||||
fi
|
||||
echo "Elastic auth is now enabled."
|
||||
if grep -q "argon" "$ES_USERS_FILE"; then
|
||||
@@ -50,7 +55,7 @@ elif [[ "$authEnable" == "false" ]]; then
|
||||
sed -i 's/enabled: True/enabled: False/g' "$ES_AUTH_PILLAR"
|
||||
if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then
|
||||
echo "Applying highstate - this may take a few minutes..."
|
||||
salt-call state.highstate queue=True
|
||||
restart
|
||||
fi
|
||||
echo "Elastic auth is now disabled."
|
||||
else
|
||||
|
||||
0
salt/common/tools/sbin/so-elasticsearch-query
Normal file → Executable file
0
salt/common/tools/sbin/so-elasticsearch-query
Normal file → Executable file
5
salt/common/tools/sbin/so-elasticsearch-wait
Executable file
5
salt/common/tools/sbin/so-elasticsearch-wait
Executable file
@@ -0,0 +1,5 @@
|
||||
#!/bin/bash
|
||||
|
||||
. /usr/sbin/so-common
|
||||
|
||||
wait_for_web_response "https://localhost:9200/_cat/indices/.kibana*" "green open" 300 "{{ ELASTICCURL }}"
|
||||
0
salt/common/tools/sbin/so-influxdb-clean
Normal file → Executable file
0
salt/common/tools/sbin/so-influxdb-clean
Normal file → Executable file
0
salt/common/tools/sbin/so-influxdb-migrate
Normal file → Executable file
0
salt/common/tools/sbin/so-influxdb-migrate
Normal file → Executable file
0
salt/common/tools/sbin/so-pcap-export
Normal file → Executable file
0
salt/common/tools/sbin/so-pcap-export
Normal file → Executable file
@@ -18,8 +18,10 @@ client:
|
||||
hosts:
|
||||
- {{elasticsearch}}
|
||||
port: 9200
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
username: {{ ES_USER }}
|
||||
password: {{ ES_PASS }}
|
||||
{% endif %}
|
||||
url_prefix:
|
||||
use_ssl: True
|
||||
certificate:
|
||||
|
||||
@@ -1,10 +1,5 @@
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
elastalert:
|
||||
config:
|
||||
rules_folder: /opt/elastalert/rules/
|
||||
@@ -26,8 +21,10 @@ elastalert:
|
||||
use_ssl: true
|
||||
verify_certs: false
|
||||
#es_send_get_body_as: GET
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
es_username: {{ ES_USER }}
|
||||
es_password: {{ ES_PASS }}
|
||||
{%- endif %}
|
||||
writeback_index: elastalert_status
|
||||
alert_time_limit:
|
||||
days: 2
|
||||
|
||||
@@ -103,15 +103,8 @@ elastaconf:
|
||||
- template: jinja
|
||||
|
||||
wait_for_elasticsearch:
|
||||
module.run:
|
||||
- http.wait_for_successful_query:
|
||||
- url: 'https://{{MANAGER}}:9200/_cat/indices/.kibana*'
|
||||
- wait_for: 180
|
||||
- status:
|
||||
- 200
|
||||
- 401
|
||||
- status_type: list
|
||||
- verify_ssl: False
|
||||
cmd.run:
|
||||
- name: so-elasticsearch-wait
|
||||
|
||||
so-elastalert:
|
||||
docker_container.running:
|
||||
|
||||
@@ -3,13 +3,8 @@
|
||||
{%- else %}
|
||||
{%- set MANAGER = salt['grains.get']('master') %}
|
||||
{%- endif %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
|
||||
{%- set HOSTNAME = salt['grains.get']('host', '') %}
|
||||
{%- set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %}
|
||||
@@ -272,8 +267,10 @@ output.{{ type }}:
|
||||
output.elasticsearch:
|
||||
enabled: true
|
||||
hosts: ["https://{{ MANAGER }}:9200"]
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
username: "{{ ES_USER }}"
|
||||
password: "{{ ES_PASS }}"
|
||||
{%- endif %}
|
||||
ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
|
||||
pipelines:
|
||||
- pipeline: "%{[module]}.%{[dataset]}"
|
||||
|
||||
@@ -3,17 +3,14 @@
|
||||
{%- else %}
|
||||
{%- set MANAGER = salt['grains.get']('master') %}
|
||||
{%- endif %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
|
||||
output.elasticsearch:
|
||||
enabled: true
|
||||
hosts: ["https://{{ MANAGER }}:9200"]
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
username: "{{ ES_USER }}"
|
||||
password: "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
|
||||
|
||||
@@ -1,21 +1,18 @@
|
||||
---
|
||||
# Default Kibana configuration from kibana-docker.
|
||||
{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
server.name: kibana
|
||||
server.host: "0"
|
||||
server.basePath: /kibana
|
||||
elasticsearch.hosts: [ "https://{{ ES }}:9200" ]
|
||||
elasticsearch.ssl.verificationMode: none
|
||||
#kibana.index: ".kibana"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
elasticsearch.username: {{ ES_USER }}
|
||||
elasticsearch.password: {{ ES_PASS }}
|
||||
{% endif %}
|
||||
#xpack.monitoring.ui.container.elasticsearch.enabled: true
|
||||
elasticsearch.requestTimeout: 90000
|
||||
logging.dest: /var/log/kibana/kibana.log
|
||||
|
||||
@@ -3,20 +3,17 @@
|
||||
{%- else %}
|
||||
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
|
||||
{%- endif %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
output {
|
||||
if [module] =~ "zeek" and "import" not in [tags] {
|
||||
elasticsearch {
|
||||
pipeline => "%{module}.%{dataset}"
|
||||
hosts => "{{ ES }}"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
user => "{{ ES_USER }}"
|
||||
password => "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
index => "so-zeek"
|
||||
template_name => "so-zeek"
|
||||
template => "/templates/so-zeek-template.json"
|
||||
|
||||
@@ -3,20 +3,17 @@
|
||||
{%- else %}
|
||||
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
|
||||
{%- endif %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
output {
|
||||
if "import" in [tags] {
|
||||
elasticsearch {
|
||||
pipeline => "%{module}.%{dataset}"
|
||||
hosts => "{{ ES }}"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
user => "{{ ES_USER }}"
|
||||
password => "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
index => "so-import"
|
||||
template_name => "so-import"
|
||||
template => "/templates/so-import-template.json"
|
||||
|
||||
@@ -3,19 +3,16 @@
|
||||
{%- else %}
|
||||
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
|
||||
{%- endif %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
output {
|
||||
if [event_type] == "sflow" {
|
||||
elasticsearch {
|
||||
hosts => "{{ ES }}"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
user => "{{ ES_USER }}"
|
||||
password => "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
index => "so-flow"
|
||||
template_name => "so-flow"
|
||||
template => "/templates/so-flow-template.json"
|
||||
|
||||
@@ -3,19 +3,16 @@
|
||||
{%- else %}
|
||||
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
|
||||
{%- endif %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
output {
|
||||
if [event_type] == "ids" and "import" not in [tags] {
|
||||
elasticsearch {
|
||||
hosts => "{{ ES }}"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
user => "{{ ES_USER }}"
|
||||
password => "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
index => "so-ids"
|
||||
template_name => "so-ids"
|
||||
template => "/templates/so-ids-template.json"
|
||||
|
||||
@@ -3,20 +3,17 @@
|
||||
{%- else %}
|
||||
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
|
||||
{%- endif %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
output {
|
||||
if [module] =~ "syslog" {
|
||||
elasticsearch {
|
||||
pipeline => "%{module}"
|
||||
hosts => "{{ ES }}"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
user => "{{ ES_USER }}"
|
||||
password => "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
index => "so-syslog"
|
||||
template_name => "so-syslog"
|
||||
template => "/templates/so-syslog-template.json"
|
||||
|
||||
@@ -3,21 +3,18 @@
|
||||
{%- else %}
|
||||
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
|
||||
{%- endif %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
output {
|
||||
if [metadata][pipeline] {
|
||||
elasticsearch {
|
||||
id => "filebeat_modules_metadata_pipeline"
|
||||
pipeline => "%{[metadata][pipeline]}"
|
||||
hosts => "{{ ES }}"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
user => "{{ ES_USER }}"
|
||||
password => "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
index => "so-%{[event][module]}-%{+YYYY.MM.dd}"
|
||||
template_name => "so-common"
|
||||
template => "/templates/so-common-template.json"
|
||||
|
||||
@@ -3,20 +3,17 @@
|
||||
{%- else %}
|
||||
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
|
||||
{%- endif %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
output {
|
||||
if [module] =~ "osquery" and "live_query" not in [dataset] {
|
||||
elasticsearch {
|
||||
pipeline => "%{module}.%{dataset}"
|
||||
hosts => "{{ ES }}"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
user => "{{ ES_USER }}"
|
||||
password => "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
index => "so-osquery"
|
||||
template_name => "so-osquery"
|
||||
template => "/templates/so-osquery-template.json"
|
||||
|
||||
@@ -4,13 +4,8 @@
|
||||
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
|
||||
{%- endif %}
|
||||
{%- set FEATURES = salt['pillar.get']('elastic:features', False) %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
|
||||
filter {
|
||||
if [type] =~ "live_query" {
|
||||
@@ -37,8 +32,10 @@ output {
|
||||
elasticsearch {
|
||||
pipeline => "osquery.live_query"
|
||||
hosts => "{{ ES }}"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
user => "{{ ES_USER }}"
|
||||
password => "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
index => "so-osquery"
|
||||
template_name => "so-osquery"
|
||||
template => "/templates/so-osquery-template.json"
|
||||
|
||||
@@ -3,19 +3,16 @@
|
||||
{%- else %}
|
||||
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
|
||||
{%- endif %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
output {
|
||||
if [dataset] =~ "firewall" {
|
||||
elasticsearch {
|
||||
hosts => "{{ ES }}"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
user => "{{ ES_USER }}"
|
||||
password => "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
index => "so-firewall"
|
||||
template_name => "so-firewall"
|
||||
template => "/templates/so-firewall-template.json"
|
||||
|
||||
@@ -3,20 +3,17 @@
|
||||
{%- else %}
|
||||
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
|
||||
{%- endif %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
output {
|
||||
if [module] =~ "suricata" and "import" not in [tags] {
|
||||
elasticsearch {
|
||||
pipeline => "%{module}.%{dataset}"
|
||||
hosts => "{{ ES }}"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
user => "{{ ES_USER }}"
|
||||
password => "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
index => "so-ids"
|
||||
template_name => "so-ids"
|
||||
template => "/templates/so-ids-template.json"
|
||||
|
||||
@@ -3,20 +3,17 @@
|
||||
{%- else %}
|
||||
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
|
||||
{%- endif %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
output {
|
||||
if "beat-ext" in [tags] and "import" not in [tags] {
|
||||
elasticsearch {
|
||||
pipeline => "beats.common"
|
||||
hosts => "{{ ES }}"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
user => "{{ ES_USER }}"
|
||||
password => "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
index => "so-beats"
|
||||
template_name => "so-beats"
|
||||
template => "/templates/so-beats-template.json"
|
||||
|
||||
@@ -3,20 +3,17 @@
|
||||
{%- else %}
|
||||
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
|
||||
{%- endif %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
output {
|
||||
if [module] =~ "ossec" {
|
||||
elasticsearch {
|
||||
pipeline => "%{module}"
|
||||
hosts => "{{ ES }}"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
user => "{{ ES_USER }}"
|
||||
password => "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
index => "so-ossec"
|
||||
template_name => "so-ossec"
|
||||
template => "/templates/so-ossec-template.json"
|
||||
|
||||
@@ -3,20 +3,17 @@
|
||||
{%- else %}
|
||||
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
|
||||
{%- endif %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
output {
|
||||
if [module] =~ "strelka" {
|
||||
elasticsearch {
|
||||
pipeline => "%{module}.%{dataset}"
|
||||
hosts => "{{ ES }}"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
user => "{{ ES_USER }}"
|
||||
password => "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
index => "so-strelka"
|
||||
template_name => "so-strelka"
|
||||
template => "/templates/so-strelka-template.json"
|
||||
|
||||
@@ -1,10 +1,3 @@
|
||||
{% from 'salt/map.jinja' import PYINOTIFYPACKAGE with context%}
|
||||
{% from 'salt/map.jinja' import PYTHONINSTALLER with context%}
|
||||
|
||||
patch_package:
|
||||
pkg.installed:
|
||||
- name: patch
|
||||
|
||||
pyinotify:
|
||||
{{PYTHONINSTALLER}}.installed:
|
||||
- name: {{ PYINOTIFYPACKAGE }}
|
||||
|
||||
@@ -11,7 +11,6 @@
|
||||
{% set PYTHON3INFLUX= 'influxdb == ' ~ PYTHONINFLUXVERSION %}
|
||||
{% set PYTHON3INFLUXDEPS= ['certifi', 'chardet', 'python-dateutil', 'pytz', 'requests'] %}
|
||||
{% set PYTHONINSTALLER = 'pip' %}
|
||||
{% set PYINOTIFYPACKAGE = 'pyinotify' %}
|
||||
{% else %}
|
||||
{% set SPLITCHAR = '-' %}
|
||||
{% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep -q salt ; echo $?', python_shell=True) %}
|
||||
@@ -22,7 +21,6 @@
|
||||
{% set PYTHON3INFLUX= 'securityonion-python3-influxdb' %}
|
||||
{% set PYTHON3INFLUXDEPS= ['python36-certifi', 'python36-chardet', 'python36-dateutil', 'python36-pytz', 'python36-requests'] %}
|
||||
{% set PYTHONINSTALLER = 'pkg' %}
|
||||
{% set PYINOTIFYPACKAGE = 'securityonion-python3-pyinotify' %}
|
||||
{% endif %}
|
||||
|
||||
{% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %}
|
||||
|
||||
@@ -1,16 +1,13 @@
|
||||
{% set ES = salt['pillar.get']('global:managerip', '') %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
|
||||
alert: modules.so.playbook-es.PlaybookESAlerter
|
||||
elasticsearch_host: "{{ ES }}:9200"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
elasticsearch_user: "{{ ES_USER }}"
|
||||
elasticsearch_pass: "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
play_title: ""
|
||||
play_url: "https://{{ ES }}/playbook/issues/6000"
|
||||
sigma_level: ""
|
||||
|
||||
@@ -1,18 +1,15 @@
|
||||
{% set es = salt['pillar.get']('global:url_base', '') %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
|
||||
alert:
|
||||
- "modules.so.playbook-es.PlaybookESAlerter"
|
||||
|
||||
elasticsearch_host: "{{ es }}:9200"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
elasticsearch_user: "{{ ES_USER }}"
|
||||
elasticsearch_pass: "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
play_title: ""
|
||||
play_id: ""
|
||||
event.module: "playbook"
|
||||
|
||||
@@ -1,18 +1,15 @@
|
||||
{% set es = salt['pillar.get']('global:url_base', '') %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
|
||||
alert:
|
||||
- "modules.so.playbook-es.PlaybookESAlerter"
|
||||
|
||||
elasticsearch_host: "{{ es }}:9200"
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
elasticsearch_user: "{{ ES_USER }}"
|
||||
elasticsearch_pass: "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
play_title: ""
|
||||
event.module: "playbook"
|
||||
event.dataset: "alert"
|
||||
|
||||
@@ -14,13 +14,8 @@
|
||||
# for numbers and booleans they should be plain (ie, $INT_VAR, $BOOL_VAR)
|
||||
|
||||
{%- set MANAGER = salt['grains.get']('master') %}
|
||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
|
||||
{%- else %}
|
||||
{%- set ES_USER = '' %}
|
||||
{%- set ES_PASS = '' %}
|
||||
{%- endif %}
|
||||
{% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') %}
|
||||
{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
|
||||
{% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
|
||||
@@ -627,8 +622,10 @@
|
||||
{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
|
||||
[[inputs.elasticsearch]]
|
||||
servers = ["https://{{ MANAGER }}:9200"]
|
||||
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||
username = "{{ ES_USER }}"
|
||||
password = "{{ ES_PASS }}"
|
||||
{% endif %}
|
||||
insecure_skip_verify = true
|
||||
{% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %}
|
||||
[[inputs.elasticsearch]]
|
||||
|
||||
Reference in New Issue
Block a user