From be8398387e580e6a7d68812818f0fefba0392fd5 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 2 Apr 2020 15:38:30 -0400
Subject: [PATCH 1/4] Support individual email or password validation
---
 salt/common/tools/sbin/so-user | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 32e7728a9..357614efb 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -22,13 +22,17 @@ got_root() {
 got_root
 if [[ $# < 1 || $# > 2 ]]; then
- echo "Usage: $0 [email]"
+ echo "Usage: $0 [email]"
 echo ""
 echo " list: Lists all user email addresses currently defined in the identity system"
 echo " add: Adds a new user to the identity system; requires 'email' parameter"
 echo " update: Updates a user's password; requires 'email' parameter"
 echo " delete: Deletes an existing user; requires 'email' parameter"
 echo " validate: Validates that the given email address and password are acceptable for defining a new user; requires 'email' parameter"
+ echo " valemail: Validates that the given email address is acceptable for defining a new user; requires 'email' parameter"
+ echo " valpass: Validates that a password is acceptable for defining a new user"
+ echo ""
+ echo " Note that the password can be piped into stdin to avoid prompting for it."
 exit 1
 fi
@@ -211,6 +215,16 @@ case "${operation}" in
 "validate")
 validateEmail "$email"
+ updatePassword
+ echo "Email and password are acceptable"
+ ;;
+
+ "valemail")
+ validateEmail "$email"
+ echo "Email is acceptable"
+ ;;
+
+ "valpass")
 updatePassword
 echo "Password is acceptable"
 ;;
From eb0c23387b55aea64f735e3051ba6f80f9bc4c6a Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 2 Apr 2020 20:01:49 +0000
Subject: [PATCH 2/4] specify ES vs LS in FB config
---
 salt/filebeat/etc/filebeat.yml | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
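Review bot: The argument-count guard on the context line `if [[ $# < 1 || $# > 2 ]]; then` compares strings rather than numbers, because `<` and `>` inside `[[ ]]` are lexicographic. A call with ten arguments sorts between "1" and "2" and never reaches the usage text this hunk extends. Since more operations now sit behind that guard, switch it to an arithmetic test: `if (( $# < 1 || $# > 2 )); then`.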
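Review bot: The new `valemail` branch passes `"$email"` straight to `validateEmail`, and nothing visible in this hunk rejects a call with no second argument, which the usage guard allows. `validateEmail` is defined outside the hunk; if it does not already fail on an empty string, add a guard before the call such as `[[ -n "$email" ]] || { echo "Email address is required"; exit 1; }`. The `validate` and `valpass` branches both use `updatePassword` as the password check, and the name suggests more than validation. A short comment on those branches stating that it only reads and checks the password would help, once that is confirmed against the function body.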
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 3be56233e..50dab6d2f 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -179,7 +179,8 @@ filebeat.inputs:
 close_removed: false
 {%- endif %}
-#----------------------------- Logstash output ---------------------------------
+#----------------------------- Elasticsearch/Logstash output ---------------------------------
+{%- if grains['role'] == "so-eval" %}
 output.elasticsearch:
 enabled: true
 hosts: ["{{ MASTER }}:9200"]
@@ -202,12 +203,15 @@ output.elasticsearch:
 when.contains:
 module: "strelka"
-#output.logstash:
+setup.template.enabled: false
+{%- else %}
+
+output.logstash:
 # Boolean flag to enable or disable the output module.
- #enabled: true
+ enabled: true
 # The Logstash hosts
- #hosts: ["{{ MASTER }}:5644"]
+ hosts: ["{{ MASTER }}:5644"]
 # Number of workers per Logstash host.
 #worker: 1
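Review bot: In the `so-eval` branch the Elasticsearch output is written as `hosts: ["{{ MASTER }}:9200"]` with no scheme, which Filebeat treats as plain HTTP unless `protocol: "https"` or an `https://` URL is given. The rest of the `output.elasticsearch` block lies between this hunk and the next and is not shown, so TLS may already be configured there. The Logstash branch added by this commit gets certificate verification and a client certificate, so the difference deserves a comment above the `{%- if %}` line explaining why the eval role ships unencrypted. If the traffic can leave the host, add the matching `ssl.*` settings instead.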
@@ -222,21 +226,21 @@ output.elasticsearch:
 # and certificates will be accepted. In this mode, SSL based connections are
 # susceptible to man-in-the-middle attacks. Use only for testing. Default is
 # `full`.
- #ssl.verification_mode: full
+ ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
 # 1.2 are enabled.
- #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+ ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
 # Optional SSL configuration options. SSL is off by default.
 # List of root certificates for HTTPS server verifications
- #ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
+ ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
 # Certificate for SSL client authentication
- #ssl.certificate: "/usr/share/filebeat/filebeat.crt"
+ ssl.certificate: "/usr/share/filebeat/filebeat.crt"
 # Client Certificate Key
- #ssl.key: "/usr/share/filebeat/filebeat.key"
+ ssl.key: "/usr/share/filebeat/filebeat.key"
 setup.template.enabled: false
 # A dictionary of settings to place into the settings.index dictionary
@@ -251,7 +255,7 @@ setup.template.enabled: false
 # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html
 #_source:
 #enabled: false
-
+{%- endif %}
 #============================== Kibana =====================================
 # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
From 9a082725d165e6be67dce753762b03c58c4b721e Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 2 Apr 2020 20:03:29 +0000
Subject: [PATCH 3/4] add Strelka for sensor if enabled
---
 salt/top.sls | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/salt/top.sls b/salt/top.sls
index bb629c106..dd4e825db 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -42,6 +42,9 @@ base:
 - zeek
 {%- endif %}
 - wazuh
+ {%- if STRELKA %}
+ - strelka
+ {%- endif %}
 - filebeat
 {%- if FLEETMASTER or FLEETNODE %}
 - fleet.install_package
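Review bot: Uncommenting `ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]` in the filebeat.yml hunk at -222 makes the Logstash output explicitly accept TLS 1.0 and 1.1, which are deprecated and weaken an otherwise well-configured channel. Both ends of this connection appear to be deployed by the same Salt states, so there is presumably no legacy peer to accommodate; restrict the list with `ssl.supported_protocols: [TLSv1.2]`. The context comment above it ("By default all TLS versions 1.0 up to 1.2 are enabled") should then be reworded to say the list is deliberately narrowed. `ssl.key` now points at a live private key, so confirm that the state which places `/usr/share/filebeat/filebeat.key` restricts its mode and owner; that is outside this diff.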
From f2ceaf074b40015126d4d2d8a0612cce7c99788a Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 2 Apr 2020 16:11:01 -0400
Subject: [PATCH 4/4] Switch from auth_pillar to secrets_pillar
---
 setup/so-setup | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index 11bf5a1f7..5a386793b 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -306,7 +306,7 @@ if (whiptail_you_sure) ; then
 set_hostname
 set_version
 generate_passwords
- auth_pillar
+ secrets_pillar
 clear_master
 mkdir -p /nsm
 get_filesystem_root
@@ -586,7 +586,7 @@ if (whiptail_you_sure) ; then
 set_hostname
 set_version
 generate_passwords
- auth_pillar
+ secrets_pillar
 clear_master
 mkdir -p /nsm
 get_filesystem_root