diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/kratos-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/kratos-logs.json new file mode 100644 index 000000000..f6b01cdff --- /dev/null +++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/kratos-logs.json @@ -0,0 +1,46 @@ +{%- set identities = salt['sqlite3.fetch']('/nsm/kratos/db/db.sqlite', 'SELECT id, json_extract(traits, "$.email") as email FROM identities;') -%} +{%- set valid_identities = false -%} +{%- if identities -%} + {%- set valid_identities = true -%} + {%- for id, email in identities -%} + {%- if not id or not email -%} + {%- set valid_identities = false -%} + {%- break -%} + {%- endif -%} + {%- endfor -%} +{%- endif -%} +{ + "package": { + "name": "log", + "version": "" + }, + "name": "kratos-logs", + "namespace": "so", + "description": "Kratos logs", + "policy_id": "so-grid-nodes_general", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.logs": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/kratos/kratos.log" + ], + "data_stream.dataset": "kratos", + "tags": ["so-kratos"], + {%- if valid_identities -%} + "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos\n- if:\n has_fields:\n - identity_id\n then:{% for id, email in identities %}\n - if:\n equals:\n identity_id: \"{{ id }}\"\n then:\n - add_fields:\n target: ''\n fields:\n user.name: \"{{ email }}\"{% endfor %}", + {%- else -%} + "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos", + {%- endif -%} + "custom": "pipeline: kratos" + } + } + } + } + }, + "force": true +} + diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json deleted file mode 100644 index 6a67c9c1c..000000000 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json +++ /dev/null @@ -1,30 +0,0 @@ -{ - "package": { - "name": "log", - "version": "" - }, - "name": "kratos-logs", - "namespace": "so", - "description": "Kratos logs", - "policy_id": "so-grid-nodes_general", - "inputs": { - "logs-logfile": { - "enabled": true, - "streams": { - "log.logs": { - "enabled": true, - "vars": { - "paths": [ - "/opt/so/log/kratos/kratos.log" - ], - "data_stream.dataset": "kratos", - "tags": ["so-kratos"], - "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos", - "custom": "pipeline: kratos" - } - } - } - } - }, - "force": true -} diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index af162d9e9..1d25fa668 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls @@ -204,12 +204,17 @@ so-elasticsearch-roles-load: - docker_container: so-elasticsearch - file: elasticsearch_sbin_jinja -{% if grains.role in ['so-eval', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-manager'] %} +{% if grains.role in ['so-managersearch', 'so-heavynode', 'so-manager'] %} +{% set ap = "absent" %} +{% endif %} +{% if grains.role in ['so-eval', 'so-standalone'] %} {% if ELASTICSEARCHMERGED.index_clean %} {% set ap = "present" %} {% else %} {% set ap = "absent" %} {% endif %} +{% endif %} +{% if grains.role in ['so-eval', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-manager'] %} so-elasticsearch-indices-delete: cron.{{ap}}: - name: /usr/sbin/so-elasticsearch-indices-delete > /opt/so/log/elasticsearch/cron-elasticsearch-indices-delete.log 2>&1 diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index ebbfa8fff..98add9a96 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -126,7 +126,7 @@ function testMinion() { } function restartMinion() { - salt "$MINION_ID" system.reboot + salt "$MINION_ID" system.reboot --async result=$? exit $result diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index ac22aa2c1..91ab6e3c1 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -138,6 +138,43 @@ soc: title: Require TOTP description: Require all users to enable Time-based One Time Passwords (MFA) upon login to SOC. global: True + subgrids: + title: Subordinate Grids + description: | + Optional list of *subgrids* that this grid has access to manage. This is also known as a 'Manager of Managers' configuration. The values entered must originate from the remote subordinate grid. The API Client must be granted most permissions in order to perform required functions. + + *Requires a valid Security Onion license key with subgrid allocations.* + global: True + syntax: json + forcedType: "[]{}" + uiElements: + - field: id + label: Unique Subgrid ID + regex: "^((?!_)).+$" + regexFailureMessage: Subgrid ID cannot start with an underscore + required: true + - field: managerUrl + label: Subgrid Manager URL + required: true + - field: clientId + label: Subgrid API Client ID + required: true + regex: "^socl_[a-z0-9_]+$" + regexFailureMessage: Client ID must be a valid socl_* API Client ID + - field: clientSecret + label: Subgrid API Client Secret + required: true + - field: tlsSkipVerify + label: Skip Subgrid TLS Certification Validation + forcedType: bool + default: false + - field: caCertificate + label: Subgrid CA Certificate + multiline: True + - field: enabled + label: Subgrid Enabled + forcedType: bool + default: false modules: elastalertengine: aiRepoUrl: