From 426257443ac135f28e39ae2f6732a2b6e97a2045 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 9 Sep 2020 10:54:47 -0400
Subject: [PATCH] Final airgap tweaks
---
salt/airgap/init.sls | 7 ++++++-
salt/idstools/localrules/local.rules | 2 +-
salt/nginx/etc/nginx.conf.so-eval | 17 ++++++++++++++++-
salt/nginx/etc/nginx.conf.so-manager | 15 +++++++++++++++
salt/nginx/etc/nginx.conf.so-managersearch | 15 +++++++++++++++
salt/nginx/etc/nginx.conf.so-standalone | 2 +-
6 files changed, 54 insertions(+), 4 deletions(-)
diff --git a/salt/airgap/init.sls b/salt/airgap/init.sls
index 5e972e877..026598e54 100644
--- a/salt/airgap/init.sls
+++ b/salt/airgap/init.sls
@@ -9,6 +9,7 @@ airgap.repo: - humanname: Airgap Repo - baseurl: https://{{ MANAGER }}/repo - gpgcheck: 0 + - sslverify: 0 agbase: file.absent:
@@ -52,4 +53,8 @@ agtesting: agssrepo: file.absent: - - name: /etc/yum.repos.d/saltstack.repo \ No newline at end of file + - name: /etc/yum.repos.d/saltstack.repo + +agwazrepo: + file.absent: + - name: /etc/yum.repos.d/wazuh.repo \ No newline at end of file
diff --git a/salt/idstools/localrules/local.rules b/salt/idstools/localrules/local.rules
index 8c8ac2601..1c8b10955 100644
--- a/salt/idstools/localrules/local.rules
+++ b/salt/idstools/localrules/local.rules
@@ -1 +1 @@ -# Put your own custom Snort/Suricata rules in /opt/so/saltstack/local/salt/idstools/localrules/local.rules \ No newline at end of file +# Put your own custom Snort/Suricata rules in this file! /opt/so/saltstack/local/salt/idstools/localrules/local.rules \ No newline at end of file
diff --git a/salt/nginx/etc/nginx.conf.so-eval b/salt/nginx/etc/nginx.conf.so-eval
index 79db008c1..1e1c83675 100644
--- a/salt/nginx/etc/nginx.conf.so-eval
+++ b/salt/nginx/etc/nginx.conf.so-eval
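Review bot: In salt/airgap/init.sls the first hunk adds `- sslverify: 0` to a repo definition that already carries `- gpgcheck: 0`, so packages pulled from `https://{{ MANAGER }}/repo` are authenticated neither by TLS nor by signature. Whatever answers for the manager on that network path can then supply RPMs that yum installs as root. If verification was failing because the manager's certificate comes from an internal CA, keep it on and trust that CA instead, e.g. `- sslverify: 1` with `- sslcacert: <path to the grid CA certificate>` (placeholder path). Alternatively sign the airgap repo and set `- gpgcheck: 1` with a `gpgkey`. If both checks must stay off, a comment on the line saying why would help the next reviewer.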
@@ -2,6 +2,8 @@ {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', None) %} +{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} + # For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/
@@ -180,7 +182,20 @@ http { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; proxy_set_header X-Forwarded-Proto $scheme; - } + } + + {%- if ISAIRGAP is sameas true %} + location /repo/ { + allow all; + sendfile on; + sendfile_max_chunk 1m; + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + } + + {%- endif %} location /grafana/ { auth_request /auth/sessions/whoami;
diff --git a/salt/nginx/etc/nginx.conf.so-manager b/salt/nginx/etc/nginx.conf.so-manager
index ceae18cb1..76de6de2d 100644
--- a/salt/nginx/etc/nginx.conf.so-manager
+++ b/salt/nginx/etc/nginx.conf.so-manager
@@ -2,6 +2,8 @@ {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', None) %} +{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} + # For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/
@@ -232,6 +234,19 @@ http { proxy_set_header X-Forwarded-Proto $scheme; } + {%- if ISAIRGAP is sameas true %} + location /repo/ { + allow all; + sendfile on; + sendfile_max_chunk 1m; + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + } + + {%- endif %} + {%- if FLEET_NODE %} location /fleet/ { return 301 https://{{ FLEET_IP }}/fleet;
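Review bot: The default in `{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}` (nginx.conf.so-eval, first hunk; repeated in so-manager, so-managersearch and so-standalone) is the string 'False', which Jinja treats as truthy. The `is sameas true` guard added in this commit is unaffected, but a plain `{% if ISAIRGAP %}` test would take the airgap branch on a grid that never set the pillar; how so-standalone uses the variable is outside its hunk. Passing the boolean, `salt['pillar.get']('global:airgap', False)`, removes the trap. Since `is sameas true` matches only a real boolean, a pillar value stored as the string 'True' would silently skip the block, which is worth a short template comment.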
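Review bot: The `location /repo/` block added in nginx.conf.so-eval (second hunk; the same block appears in so-manager and so-managersearch) has no `auth_request`, unlike the `/grafana/` location beside it, and enables `autoindex`, so any client that can reach the manager's web port can list and download the repository. That is presumably deliberate because yum clients carry no session, but it should be stated in a comment and narrowed where possible, for example by replacing `allow all;` with `allow <grid subnet>; deny all;` (placeholder value). The block also sets no `root` or `alias`, so what is served depends on the enclosing server block, which lies outside the hunk; an explicit `alias` to the repo directory would make the exposed path reviewable here.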
diff --git a/salt/nginx/etc/nginx.conf.so-managersearch b/salt/nginx/etc/nginx.conf.so-managersearch
index 01a3afdaa..012a91ba3 100644
--- a/salt/nginx/etc/nginx.conf.so-managersearch
+++ b/salt/nginx/etc/nginx.conf.so-managersearch
@@ -2,6 +2,8 @@ {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', None) %} +{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} + # For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/
@@ -180,6 +182,19 @@ http { proxy_set_header Proxy ""; proxy_set_header X-Forwarded-Proto $scheme; } + + {%- if ISAIRGAP is sameas true %} + location /repo/ { + allow all; + sendfile on; + sendfile_max_chunk 1m; + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + } + + {%- endif %} location /grafana/ { auth_request /auth/sessions/whoami;
diff --git a/salt/nginx/etc/nginx.conf.so-standalone b/salt/nginx/etc/nginx.conf.so-standalone
index dca073437..19a029813 100644
--- a/salt/nginx/etc/nginx.conf.so-standalone
+++ b/salt/nginx/etc/nginx.conf.so-standalone
@@ -2,7 +2,7 @@ {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', None) %} -{%- set ISAIRGAP = salt['pillar.get']('global:airgap') %} +{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} # For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/