From 523ff66389400f6c4ec4dca0aefa8de933accc90 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 16 Oct 2024 13:44:01 -0400
Subject: [PATCH] connect work
---
 pillar/top.sls | 14 ++-
 salt/allowed_states.map.jinja | 5 +
 salt/backup/defaults.yaml | 1 +
 salt/common/tools/sbin/so-image-common | 2 +
 salt/docker/defaults.yaml | 8 ++
 salt/docker/soc_docker.yaml | 1 +
 .../grid-nodes_general/hydra-logs.json | 30 +++++
 salt/elasticsearch/defaults.yaml | 110 ++++++++++++++++++
 salt/elasticsearch/files/ingest/hydra | 9 ++
 salt/elasticsearch/soc_elasticsearch.yaml | 1 +
 salt/firewall/containers.map.jinja | 3 +
 salt/hydra/config.sls | 50 ++++++++
 salt/hydra/defaults.yaml | 37 ++++++
 salt/hydra/disabled.sls | 27 +++++
 salt/hydra/enabled.sls | 105 +++++++++++++++++
 salt/hydra/files/hydra.yaml.jinja | 1 +
 salt/hydra/init.sls | 13 +++
 salt/hydra/map.jinja | 7 ++
 salt/hydra/soc_hydra.yaml | 4 +
 salt/hydra/sostatus.sls | 21 ++++
 salt/logrotate/defaults.yaml | 10 ++
 salt/logrotate/soc_logrotate.yaml | 7 ++
 salt/manager/tools/sbin/so-minion | 12 ++
 salt/nginx/etc/nginx.conf | 2 +
 salt/soc/defaults.yaml | 7 ++
 salt/top.sls | 5 +
 setup/so-functions | 23 +++-
 setup/so-variables | 6 +
 28 files changed, 513 insertions(+), 8 deletions(-)
 create mode 100644 salt/elasticfleet/files/integrations/grid-nodes_general/hydra-logs.json
 create mode 100644 salt/elasticsearch/files/ingest/hydra
 create mode 100644 salt/hydra/config.sls
 create mode 100644 salt/hydra/defaults.yaml
 create mode 100644 salt/hydra/disabled.sls
 create mode 100644 salt/hydra/enabled.sls
 create mode 100644 salt/hydra/files/hydra.yaml.jinja
 create mode 100644 salt/hydra/init.sls
 create mode 100644 salt/hydra/map.jinja
 create mode 100644 salt/hydra/soc_hydra.yaml
 create mode 100644 salt/hydra/sostatus.sls
diff --git a/pillar/top.sls b/pillar/top.sls
index 131b39a99..0762f14a7 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -47,6 +47,8 @@ base:
 - kibana.adv_kibana
 - kratos.soc_kratos
 - kratos.adv_kratos
+ - hydra.soc_hydra
+ - hydra.adv_hydra
 - redis.nodes
 - redis.soc_redis
 - redis.adv_redis
@@ -96,6 +98,7 @@ base:
 - kibana.secrets
 {% endif %}
 - kratos.soc_kratos
+ - kratos.adv_kratos
 - elasticsearch.soc_elasticsearch
 - elasticsearch.adv_elasticsearch
 - elasticfleet.soc_elasticfleet
@@ -113,8 +116,8 @@ base:
 - kibana.adv_kibana
 - strelka.soc_strelka
 - strelka.adv_strelka
- - kratos.soc_kratos
- - kratos.adv_kratos
+ - hydra.soc_hydra
+ - hydra.adv_hydra
 - redis.soc_redis
 - redis.adv_redis
 - influxdb.soc_influxdb
@@ -149,6 +152,8 @@ base:
 - idstools.adv_idstools
 - kratos.soc_kratos
 - kratos.adv_kratos
+ - hydra.soc_hydra
+ - hydra.adv_hydra
 - redis.nodes
 - redis.soc_redis
 - redis.adv_redis
@@ -262,6 +267,7 @@ base:
 - kibana.secrets
 {% endif %}
 - kratos.soc_kratos
+ - kratos.adv_kratos
 - elasticsearch.soc_elasticsearch
 - elasticsearch.adv_elasticsearch
 - elasticfleet.soc_elasticfleet
@@ -277,8 +283,8 @@ base:
 - kibana.adv_kibana
 - backup.soc_backup
 - backup.adv_backup
- - kratos.soc_kratos
- - kratos.adv_kratos
+ - hydra.soc_hydra
+ - hydra.adv_hydra
 - redis.soc_redis
 - redis.adv_redis
 - influxdb.soc_influxdb
diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja
index a9a8b7c5e..a3d5c1354 100644
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -24,6 +24,7 @@
 'influxdb',
 'soc',
 'kratos',
+ 'hydra',
 'elasticfleet',
 'elastic-fleet-package-registry',
 'firewall',
@@ -68,6 +69,7 @@
 'strelka.manager',
 'soc',
 'kratos',
+ 'hydra',
 'influxdb',
 'telegraf',
 'firewall',
@@ -95,6 +97,7 @@
 'strelka.manager',
 'soc',
 'kratos',
+ 'hydra',
 'elasticfleet',
 'elastic-fleet-package-registry',
 'firewall',
@@ -117,6 +120,7 @@
 'strelka.manager',
 'soc',
 'kratos',
+ 'hydra',
 'elastic-fleet-package-registry',
 'elasticfleet',
 'firewall',
@@ -151,6 +155,7 @@
 'influxdb',
 'soc',
 'kratos',
+ 'hydra',
 'elastic-fleet-package-registry',
 'elasticfleet',
 'firewall',
diff --git a/salt/backup/defaults.yaml b/salt/backup/defaults.yaml
index 1aae64910..dde128a80 100644
--- a/salt/backup/defaults.yaml
+++ b/salt/backup/defaults.yaml
@@ -4,4 +4,5 @@ backup:
 - /etc/pki
 - /etc/salt
 - /nsm/kratos
+ - /nsm/hydra
 destination: "/nsm/backup"
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index c57749570..7fd35d5ac 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -29,6 +29,7 @@ container_list() {
 "so-influxdb"
 "so-kibana"
 "so-kratos"
+ "so-hydra"
 "so-nginx"
 "so-pcaptools"
 "so-soc"
@@ -53,6 +54,7 @@ container_list() {
 "so-kafka"
 "so-kibana"
 "so-kratos"
+ "so-hydra"
 "so-logstash"
 "so-nginx"
 "so-pcaptools"
diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index 161dde485..d6cb0de9c 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -51,6 +51,14 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ 'so-hydra':
+ final_octet: 28
+ port_bindings:
+ - 0.0.0.0:4444:4444
+ - 0.0.0.0:4454:4445
+ custom_bind_mounts: []
+ extra_hosts: []
+ extra_env: []
 'so-logstash':
 final_octet: 29
 port_bindings:
diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml
index e7ecba6be..dacbf2302 100644
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -45,6 +45,7 @@ docker:
 so-influxdb: *dockerOptions
 so-kibana: *dockerOptions
 so-kratos: *dockerOptions
+ so-hydra: *dockerOptions
 so-logstash: *dockerOptions
 so-nginx: *dockerOptions
 so-nginx-fleet-node: *dockerOptions
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/hydra-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/hydra-logs.json
new file mode 100644
index 000000000..f1b1dace9
--- /dev/null
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/hydra-logs.json
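Review bot: The `so-hydra` entry publishes the admin listener on every host interface with `- 0.0.0.0:4454:4445` (4445 is `serve.admin.port` in salt/hydra/defaults.yaml, added later in this patch); Hydra's admin API has no authentication of its own and carries client and consent management, so unless the firewall state explicitly restricts host port 4454 this exposes it to anything that can reach the manager. The preceding container's bindings are outside the hunk, so I can't tell whether an existing service already follows this pattern. If only processes on the manager need the admin API, bind it to loopback, `- 127.0.0.1:4454:4445`, and add a one-line comment naming the consumer that requires the admin port to be published at all.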
@@ -0,0 +1,30 @@
+{
+ "package": {
+ "name": "log",
+ "version": ""
+ },
+ "name": "hydra-logs",
+ "namespace": "so",
+ "description": "Hydra logs",
+ "policy_id": "so-grid-nodes_general",
+ "inputs": {
+ "logs-logfile": {
+ "enabled": true,
+ "streams": {
+ "log.logs": {
+ "enabled": true,
+ "vars": {
+ "paths": [
+ "/opt/so/log/hydra/hydra.log"
+ ],
+ "data_stream.dataset": "hydra",
+ "tags": ["so-hydra"],
+ "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: iam\n module: hydra",
+ "custom": "pipeline: hydra"
+ }
+ }
+ }
+ }
+ },
+ "force": true
+}
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 06f5392d8..823b33f22 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -794,6 +794,116 @@ elasticsearch:
 priority: 50
 min_age: 30d
 warm: 7
+ so-hydra:
+ close: 30
+ delete: 365
+ index_sorting: false
+ index_template:
+ composed_of:
+ - agent-mappings
+ - dtc-agent-mappings
+ - base-mappings
+ - dtc-base-mappings
+ - client-mappings
+ - dtc-client-mappings
+ - container-mappings
+ - destination-mappings
+ - dtc-destination-mappings
+ - pb-override-destination-mappings
+ - dll-mappings
+ - dns-mappings
+ - dtc-dns-mappings
+ - ecs-mappings
+ - dtc-ecs-mappings
+ - error-mappings
+ - event-mappings
+ - dtc-event-mappings
+ - file-mappings
+ - dtc-file-mappings
+ - group-mappings
+ - host-mappings
+ - dtc-host-mappings
+ - http-mappings
+ - dtc-http-mappings
+ - log-mappings
+ - network-mappings
+ - dtc-network-mappings
+ - observer-mappings
+ - dtc-observer-mappings
+ - organization-mappings
+ - package-mappings
+ - process-mappings
+ - dtc-process-mappings
+ - related-mappings
+ - rule-mappings
+ - dtc-rule-mappings
+ - server-mappings
+ - service-mappings
+ - dtc-service-mappings
+ - source-mappings
+ - dtc-source-mappings
+ - pb-override-source-mappings
+ - threat-mappings
+ - tls-mappings
+ - url-mappings
+ - user_agent-mappings
+ - dtc-user_agent-mappings
+ - common-settings
+ - common-dynamic-mappings
+ data_stream:
+ allow_custom_routing: false
+ hidden: false
+ ignore_missing_component_templates: []
+ index_patterns:
+ - logs-hydra-so*
+ priority: 500
+ template:
+ mappings:
+ date_detection: false
+ dynamic_templates:
+ - strings_as_keyword:
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ match_mapping_type: string
+ settings:
+ index:
+ lifecycle:
+ name: so-hydra-logs
+ mapping:
+ total_fields:
+ limit: 5000
+ number_of_replicas: 0
+ number_of_shards: 1
+ refresh_interval: 30s
+ sort:
+ field: '@timestamp'
+ order: desc
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ warm: 7
 so-lists:
 index_sorting: false
 index_template:
diff --git a/salt/elasticsearch/files/ingest/hydra b/salt/elasticsearch/files/ingest/hydra
new file mode 100644
index 000000000..6bb2c22d8
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/hydra
@@ -0,0 +1,9 @@
+{
+ "description" : "hydra",
+ "processors" : [
+ {"set":{"field":"audience","value":"access","override":false,"ignore_failure":true}},
+ {"set":{"field":"event.dataset","ignore_empty_value":true,"ignore_failure":true,"value":"hydra.{{{audience}}}","media_type":"text/plain"}},
+ {"set":{"field":"event.action","ignore_failure":true,"copy_from":"msg" }},
+ { "pipeline": { "name": "common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index 31a8a7f6f..7fd6d08b2 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -539,6 +539,7 @@ elasticsearch:
 so-suricata_x_alerts: *indexSettings
 so-import: *indexSettings
 so-kratos: *indexSettings
+ so-hydra: *indexSettings
 so-kismet: *indexSettings
 so-logstash: *indexSettings
 so-redis: *indexSettings
diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja
index 02a1b7cac..cc0a20299 100644
--- a/salt/firewall/containers.map.jinja
+++ b/salt/firewall/containers.map.jinja
@@ -9,6 +9,7 @@
 'so-influxdb',
 'so-kibana',
 'so-kratos',
+ 'so-hydra',
 'so-nginx',
 'so-redis',
 'so-soc',
@@ -30,6 +31,7 @@
 'so-kafka',
 'so-kibana',
 'so-kratos',
+ 'so-hydra',
 'so-logstash',
 'so-nginx',
 'so-redis',
@@ -73,6 +75,7 @@
 'so-influxdb',
 'so-kibana',
 'so-kratos',
+ 'so-hydra',
 'so-nginx',
 'so-soc'
 ] %}
diff --git a/salt/hydra/config.sls b/salt/hydra/config.sls
new file mode 100644
index 000000000..6f914aa5f
--- /dev/null
+++ b/salt/hydra/config.sls
@@ -0,0 +1,50 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from "hydra/map.jinja" import hydraMERGED %}
+
+hydradir:
+ file.directory:
+ - name: /nsm/hydra
+ - user: 928
+ - group: 928
+ - mode: 700
+ - makedirs: True
+
+hydradbdir:
+ file.directory:
+ - name: /nsm/hydra/db
+ - user: 928
+ - group: 928
+ - mode: 700
+ - makedirs: True
+
+hydralogdir:
+ file.directory:
+ - name: /opt/so/log/hydra
+ - user: 928
+ - group: 928
+ - makedirs: True
+
+hydraconfig:
+ file.managed:
+ - name: /opt/so/conf/hydra/hydra.yaml
+ - source: salt://hydra/files/hydra.yaml.jinja
+ - user: 928
+ - group: 928
+ - mode: 600
+ - template: jinja
+ - defaults:
+ hydraMERGED: {{ hydraMERGED }}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/hydra/defaults.yaml b/salt/hydra/defaults.yaml
new file mode 100644
index 000000000..99615cb00
--- /dev/null
+++ b/salt/hydra/defaults.yaml
@@ -0,0 +1,37 @@
+hydra:
+ enabled: False
+ config:
+ serve:
+ cookies:
+ same_site_mode: Lax
+
+ public:
+ port: 4444
+ admin:
+ port: 4445
+ urls:
+ self:
+ issuer: https://URL_BASE/connect
+ public: https://URL_BASE/connect
+ admin: http://localhost:4445
+ login: https://URL_BASE/login
+ logout: https://URL_BASE/logout
+ identity_provider:
+ url: http://127.0.0.1:4434/admin
+ publicUrl: https://URL_BASE/auth
+ headers:
+ Authorization: Bearer some-token
+
+ secrets:
+ system: []
+
+ oidc:
+ subject_identifiers:
+ supported_types:
+ - pairwise
+ - public
+ pairwise:
+ salt: ""
+
+ sqa:
+ opt_out: true
\ No newline at end of file
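Review bot: `{% from "hydra/map.jinja" import hydraMERGED %}` imports a name that map.jinja (added later in this patch) never defines — that file only imports GLOBALS and loads `HYDRADEFAULTS`, with no pillar merge — so config.sls fails to render before any state runs, and init.sls, which imports `HYDRAMERGED` from the same file, fails the same way. The casing is inconsistent on top of that: the `hydraconfig` state hands the dict to the template as `hydraMERGED:`, while hydra.yaml.jinja reads `HYDRAMERGED.config`, so the template would see an undefined name even after map.jinja exports the merged value. Suggested fix is to add `{% set HYDRAMERGED = salt['defaults.merge'](HYDRADEFAULTS.hydra, salt['pillar.get']('hydra', {}), in_place=False) %}` to map.jinja (or whichever merge helper the sibling kratos map.jinja uses) and switch both the import and the `defaults:` key here to `HYDRAMERGED`. Because the merged dict carries `config.secrets.system`, consider `- show_changes: False` on `hydraconfig` so the system secret does not appear in the file diff of the job return.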
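Review bot: `headers: Authorization: Bearer some-token` ships a placeholder credential as the default for the identity-provider admin call, and `pairwise.salt: ""` is empty while `pairwise` is listed under `supported_types`; as far as I recall Hydra's config validation rejects an empty pairwise salt when pairwise subjects are enabled, so this default most likely cannot start — confirm. Either drop `- pairwise` until `hydra_pillar` generates a per-install salt next to `HYDRAKEY`, or generate that salt there as well. The bearer header should likewise come from the pillar, or be removed if the Kratos admin endpoint is reached without it, rather than sit in defaults where `some-token` reads as a real value. `admin: http://localhost:4445` and `identity_provider.url: http://127.0.0.1:4434/admin` also assume the peer is on the Hydra container's own loopback, which the sobridge networking in enabled.sls suggests is not the case for Kratos — check how so-kratos is addressed elsewhere.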
diff --git a/salt/hydra/disabled.sls b/salt/hydra/disabled.sls
new file mode 100644
index 000000000..c940a5bd6
--- /dev/null
+++ b/salt/hydra/disabled.sls
@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+ - hydra.sostatus
+
+so-hydra:
+ docker_container.absent:
+ - force: True
+
+so-hydra_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-hydra$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/hydra/enabled.sls b/salt/hydra/enabled.sls
new file mode 100644
index 000000000..3548afb4f
--- /dev/null
+++ b/salt/hydra/enabled.sls
@@ -0,0 +1,105 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+#
+# Note: Per the Elastic License 2.0, the second limitation states:
+#
+# "You may not move, change, disable, or circumvent the license key functionality
+# in the software, and you may not remove or obscure any functionality in the
+# software that is protected by the license key."
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% if 'api' in salt['pillar.get']('features', []) %}
+
+include:
+ - hydra.config
+ - hydra.sostatus
+
+so-hydra:
+ docker_container.running:
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-hydra:{{ GLOBALS.so_version }}
+ - hostname: hydra
+ - name: so-hydra
+ - networks:
+ - sobridge:
+ - ipv4_address: {{ DOCKER.containers['so-hydra'].ip }}
+ - binds:
+ - /opt/so/conf/hydra/:/hydra-conf:ro
+ - /opt/so/log/hydra/:/hydra-log:rw
+ - /nsm/hydra/db:/hydra-data:rw
+ {% if DOCKER.containers['so-hydra'].custom_bind_mounts %}
+ {% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %}
+ - {{ BIND }}
+ {% endfor %}
+ {% endif %}
+ - port_bindings:
+ {% for BINDING in DOCKER.containers['so-hydra'].port_bindings %}
+ - {{ BINDING }}
+ {% endfor %}
+ {% if DOCKER.containers['so-hydra'].extra_hosts %}
+ - extra_hosts:
+ {% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %}
+ - {{ XTRAHOST }}
+ {% endfor %}
+ {% endif %}
+ {% if DOCKER.containers['so-hydra'].extra_env %}
+ - environment:
+ {% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %}
+ - {{ XTRAENV }}
+ {% endfor %}
+ {% endif %}
+ - restart_policy: unless-stopped
+ - watch:
+ - file: hydraschema
+ - file: hydraconfig
+ - require:
+ - file: hydraschema
+ - file: hydraconfig
+ - file: hydralogdir
+ - file: hydradir
+
+delete_so-hydra_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-hydra$
+
+wait_for_hydra:
+ http.wait_for_successful_query:
+ - name: 'http://{{ GLOBALS.manager }}:4444/'
+ - ssl: True
+ - verify_ssl: False
+ - status:
+ - 200
+ - 301
+ - 302
+ - 404
+ - status_type: list
+ - wait_for: 300
+ - request_interval: 10
+ - require:
+ - docker_container: so-hydra
+
+{% else %}
+
+{{sls}}_no_license_detected:
+ test.fail_without_changes:
+ - name: {{sls}}_no_license_detected
+ - comment:
+ - "This is a feature supported only for customers with a valid license.
+ Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com
+ for more information about purchasing a license to enable this feature."
+include:
+ - hydra.disabled
+{% endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/hydra/files/hydra.yaml.jinja b/salt/hydra/files/hydra.yaml.jinja
new file mode 100644
index 000000000..fe6a33546
--- /dev/null
+++ b/salt/hydra/files/hydra.yaml.jinja
@@ -0,0 +1 @@
+{{ HYDRAMERGED.config | yaml(false) }}
diff --git a/salt/hydra/init.sls b/salt/hydra/init.sls
new file mode 100644
index 000000000..eb7792bca
--- /dev/null
+++ b/salt/hydra/init.sls
@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'hydra/map.jinja' import HYDRAMERGED %}
+
+include:
+{% if HYDRAMERGED.enabled %}
+ - hydra.enabled
+{% else %}
+ - hydra.disabled
+{% endif %}
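Review bot: `so-hydra` both watches and requires `file: hydraschema`, but config.sls (earlier in this patch) defines only hydradir, hydradbdir, hydralogdir and hydraconfig, so the requisite cannot be resolved and the container state errors out on every run; either add the schema state Hydra needs or remove the two `- file: hydraschema` lines. The require list names `hydradir` but not `hydradbdir`, even though the bind mount is `/nsm/hydra/db`. `wait_for_hydra` queries `http://{{ GLOBALS.manager }}:4444/` with `ssl: True` and `verify_ssl: False`, which contradict the scheme, and nothing in defaults.yaml configures TLS for the public listener, so either drop the two ssl arguments or switch to `https://` if nginx fronts the port. Treating 404, 301 and 302 as success also means the wait completes as soon as the socket answers rather than when Hydra is ready; Hydra serves `/health/ready` on the public port, which would give a tighter readiness check with `- status: 200`.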
diff --git a/salt/hydra/map.jinja b/salt/hydra/map.jinja
new file mode 100644
index 000000000..e6cd747a4
--- /dev/null
+++ b/salt/hydra/map.jinja
@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+ https://securityonion.net/license; you may not use this file except in compliance with the
+ Elastic License 2.0. #}
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% import_yaml 'hydra/defaults.yaml' as HYDRADEFAULTS %}
diff --git a/salt/hydra/soc_hydra.yaml b/salt/hydra/soc_hydra.yaml
new file mode 100644
index 000000000..3f6c30442
--- /dev/null
+++ b/salt/hydra/soc_hydra.yaml
@@ -0,0 +1,4 @@
+hydra:
+ enabled:
+ description: Enables or disables the API authentication system, used for service account authentication.
+ helpLink: api.html
diff --git a/salt/hydra/sostatus.sls b/salt/hydra/sostatus.sls
new file mode 100644
index 000000000..8878bed4f
--- /dev/null
+++ b/salt/hydra/sostatus.sls
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-hydra_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-hydra
+ - unless: grep -q so-hydra /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/logrotate/defaults.yaml b/salt/logrotate/defaults.yaml
index 7333c78e9..2f7247ff2 100644
--- a/salt/logrotate/defaults.yaml
+++ b/salt/logrotate/defaults.yaml
@@ -40,6 +40,16 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
+ /opt/so/log/hydra/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
 /opt/so/log/kibana/*_x_log:
 - daily
 - rotate 14
diff --git a/salt/logrotate/soc_logrotate.yaml b/salt/logrotate/soc_logrotate.yaml
index 62aa935c9..56f879e4f 100644
--- a/salt/logrotate/soc_logrotate.yaml
+++ b/salt/logrotate/soc_logrotate.yaml
@@ -28,6 +28,13 @@ logrotate:
 multiline: True
 global: True
 forcedType: "[]string"
+ "/opt/so/log/hydra/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/hydra/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
 "/opt/so/log/kibana/*_x_log":
 description: List of logrotate options for this file.
 title: /opt/so/log/kibana/*.log
diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
index ebbfa8fff..c978803bb 100755
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -368,6 +368,13 @@ function add_kratos_to_minion() {
 " " >> $PILLARFILE
 }
+function add_hydra_to_minion() {
+ printf '%s\n'\
+ "hydra:"\
+ " enabled: True"\
+ " " >> $PILLARFILE
+}
+
 function add_idstools_to_minion() {
 printf '%s\n'\
 "idstools:"\
@@ -448,6 +455,7 @@ function createEVAL() {
 add_soc_to_minion
 add_registry_to_minion
 add_kratos_to_minion
+ add_hydra_to_minion
 add_idstools_to_minion
 add_elastic_fleet_package_registry_to_minion
 }
@@ -468,6 +476,7 @@ function createSTANDALONE() {
 add_soc_to_minion
 add_registry_to_minion
 add_kratos_to_minion
+ add_hydra_to_minion
 add_idstools_to_minion
 add_elastic_fleet_package_registry_to_minion
 }
@@ -484,6 +493,7 @@ function createMANAGER() {
 add_soc_to_minion
 add_registry_to_minion
 add_kratos_to_minion
+ add_hydra_to_minion
 add_idstools_to_minion
 add_elastic_fleet_package_registry_to_minion
 }
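Review bot: `add_hydra_to_minion` writes `hydra: enabled: True` unconditionally for every manager-type minion (createEVAL, createSTANDALONE, createMANAGER, and createMANAGERSEARCH/createIMPORT in the following hunks), while hydra/enabled.sls in this same patch emits a `fail_without_changes` state whenever `'api'` is missing from the `features` pillar. If that feature is only present on licensed grids, every unlicensed install gets a permanently failing `hydra.enabled_no_license_detected` state on each highstate — confirm whether other licensed features avoid this, and if not gate the printf on the feature or leave `enabled` at its default here. The unquoted `>> $PILLARFILE` matches `add_kratos_to_minion` above it, so I'd leave that as-is rather than diverge from the file's style in one function.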
@@ -500,6 +510,7 @@ function createMANAGERSEARCH() {
 add_soc_to_minion
 add_registry_to_minion
 add_kratos_to_minion
+ add_hydra_to_minion
 add_idstools_to_minion
 add_elastic_fleet_package_registry_to_minion
 }
@@ -514,6 +525,7 @@ function createIMPORT() {
 add_soc_to_minion
 add_registry_to_minion
 add_kratos_to_minion
+ add_hydra_to_minion
 add_idstools_to_minion
 add_elastic_fleet_package_registry_to_minion
 }
diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index fc18e1fe8..1521cc710 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -219,6 +219,7 @@ http {
 proxy_set_header X-Forwarded-Proto $scheme;
 }
+{% if 'api' in salt['pillar.get']('features', []) %}
 location /connect/token {
 rewrite /connect/token(.*) /oauth2/token$1 break;
 limit_req zone=auth_throttle burst={{ NGINXMERGED.config.throttle_login_burst }} nodelay;
@@ -247,6 +248,7 @@ http {
 proxy_set_header Proxy "";
 proxy_set_header X-Forwarded-Proto $scheme;
 }
+{%- endif %}
 location /cyberchef/ {
 auth_request /auth/sessions/whoami;
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 2d2a26c9a..7a8ee697f 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -119,6 +119,13 @@ soc:
 - identity_id
 - http_request.headers.user-agent
 - msg
+ ':kratos:':
+ - soc_timestamp
+ - event.dataset
+ - http_request.headers.x-real-ip
+ - identity_id
+ - http_request.headers.user-agent
+ - msg
 '::conn':
 - soc_timestamp
 - event.dataset
diff --git a/salt/top.sls b/salt/top.sls
index d876806f2..c4ad5d12f 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -61,6 +61,7 @@ base:
 - influxdb
 - soc
 - kratos
+ - hydra
 - sensoroni
 - telegraf
 - firewall
@@ -90,6 +91,7 @@ base:
 - strelka.manager
 - soc
 - kratos
+ - hydra
 - firewall
 - manager
 - sensoroni
@@ -122,6 +124,7 @@ base:
 - influxdb
 - soc
 - kratos
+ - hydra
 - firewall
 - sensoroni
 - telegraf
@@ -168,6 +171,7 @@ base:
 - strelka.manager
 - soc
 - kratos
+ - hydra
 - firewall
 - manager
 - sensoroni
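Review bot: The key added to the soc event-field defaults is `':kratos:'`, but everything else in this commit wires up hydra and the new ingest pipeline sets `event.dataset` to `hydra.<audience>`; the entry just above the hunk ends with the identical field list, so if that is the existing `':kratos:'` block this is a duplicate mapping key — YAML loaders keep whichever comes last without complaint — and otherwise it looks like a copy-paste that was meant to read `':hydra:'`. Rename it to `':hydra:'` if the intent is to give hydra events the same default columns, and trim fields the hydra pipeline does not populate (`identity_id`, `http_request.*`) if they do not occur in hydra's records — `msg`, `event.action` and `audience` are the ones the pipeline demonstrably sets.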
@@ -219,6 +223,7 @@ base:
 - strelka.manager
 - soc
 - kratos
+ - hydra
 - sensoroni
 - telegraf
 - firewall
diff --git a/setup/so-functions b/setup/so-functions
index 5ebf76c17..5e36851c2 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -791,6 +791,7 @@ create_manager_pillars() {
 redis_pillar
 idstools_pillar
 kratos_pillar
+ hydra_pillar
 soc_pillar
 idh_pillar
 influxdb_pillar
@@ -1108,6 +1109,7 @@ generate_passwords(){
 INFLUXTOKEN=$(head -c 64 /dev/urandom | base64 --wrap=0)
 SENSORONIKEY=$(get_random_value)
 KRATOSKEY=$(get_random_value)
+ HYDRAKEY=$(get_random_value)
 REDISPASS=$(get_random_value)
 SOCSRVKEY=$(get_random_value 64)
 IMPORTPASS=$(get_random_value)
@@ -1303,6 +1305,18 @@ kratos_pillar() {
 "" > "$kratos_pillar_file"
 }
+hydra_pillar() {
+ title "Create the Hydra pillar file"
+ touch $adv_hydra_pillar_file
+ printf '%s\n'\
+ "hydra:"\
+ " config:"\
+ " secrets:"\
+ " system:"\
+ " - '$HYDRAKEY'"\
+ "" > "$hydra_pillar_file"
+}
+
 create_global() {
 title "Creating the global.sls"
 touch $adv_global_pillar_file
@@ -1404,10 +1418,10 @@ make_some_dirs() {
 mkdir -p $local_salt_dir/salt/firewall/portgroups
 mkdir -p $local_salt_dir/salt/firewall/ports
- for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos idstools idh elastalert stig global kafka;do
- mkdir -p $local_salt_dir/pillar/$THEDIR
- touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
- touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls
+ for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idstools idh elastalert stig global kafka;do
+ mkdir -p $local_salt_dir/pillar/$THEDIR
+ touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
+ touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls
 done
 }
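Review bot: `hydra_pillar` writes the system secret with `> "$hydra_pillar_file"`, so the file's mode is whatever the installer's umask yields; unless `make_some_dirs` or a later step tightens the pillar tree (not visible here), the secret can be group/world-readable on disk until the first highstate — a `chmod 600 "$hydra_pillar_file"` after the printf, mirroring whatever kratos_pillar does, would close that window. Hydra requires each `secrets.system` entry to be at least 16 characters; `HYDRAKEY=$(get_random_value)` in the generate_passwords hunk uses the default length while `SOCSRVKEY` passes an explicit 64, so confirm the default meets the minimum or pass a length as that call does. `touch $adv_hydra_pillar_file` is unquoted, but that matches the kratos function above and the rest of the file, so I'd not change it in isolation.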
@@ -1639,6 +1653,7 @@ reinstall_init() {
 # Backup (and erase) directories in /nsm to prevent app errors
 backup_dir /nsm/mysql "$date_string"
 backup_dir /nsm/kratos "$date_string"
+ backup_dir /nsm/hydra "$date_string"
 backup_dir /nsm/influxdb "$date_string"
 # Uninstall local Elastic Agent, if installed
diff --git a/setup/so-variables b/setup/so-variables
index ecc29b554..fc253df0a 100644
--- a/setup/so-variables
+++ b/setup/so-variables
@@ -160,6 +160,12 @@ export kratos_pillar_file
 adv_kratos_pillar_file="$local_salt_dir/pillar/kratos/adv_kratos.sls"
 export adv_kratos_pillar_file
+hydra_pillar_file="$local_salt_dir/pillar/hydra/soc_hydra.sls"
+export hydra_pillar_file
+
+adv_hydra_pillar_file="$local_salt_dir/pillar/hydra/adv_hydra.sls"
+export adv_hydra_pillar_file
+
 idstools_pillar_file="$local_salt_dir/pillar/idstools/soc_idstools.sls"
 export idstools_pillar_file