From 1c326f561befe42633b6fc23604fb44171c52146 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 11 Nov 2020 13:26:59 +0000 Subject: [PATCH 1/5] Allow for disabling Elastic stack via pillar --- salt/top.sls | 106 +++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 102 insertions(+), 4 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index 0c7bde183..f1a2af0e8 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -5,6 +5,15 @@ {% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %} {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %} {% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} +{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} +{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} +{% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %} +{% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %} +{% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %} +{% set KIBANA = salt['pillar.get']('kibana:enabled', True) %} +{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %} +{% set CURATOR = salt['pillar.get']('curator:enabled', True) %} +{% set REDIS = salt['pillar.get']('redis:enabled', True) %} {% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %} {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} @@ -51,8 +60,12 @@ base: - suricata - zeek - redis + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} - schedule '*_sensor and G@saltversion:{{saltversion}}': 
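Review bot: The seven new `*:enabled` flags in the first hunk are consumed downstream as bare Jinja truthiness (`{%- if LOGSTASH %}`), so a state is only dropped when the pillar value is a YAML boolean `false`; a quoted `'false'` or `'0'` is a non-empty string and keeps the state enabled, which is easy to get wrong in a file that already passes string `'0'`/`'False'` defaults for `strelka:enabled` and `global:airgap`. Either normalise once at definition, e.g. `{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True)|string|lower == 'true' %}`, or put a comment above the block: `# *:enabled flags must be YAML booleans; a quoted string is truthy and leaves the state enabled`. Whichever is chosen, the same treatment should apply to all seven lines so an operator does not have to remember which keys are strict.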
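Review bot: In the sensor target hunk `redis` stays unconditional two lines above the new `{%- if LOGSTASH %}` guard, while every manager target in this commit wraps it in `{%- if REDIS %} … {%- endif %}`; if sensors are meant to always get Redis, a one-line comment such as `# redis intentionally unconditional on sensors` would stop the next reader from "fixing" it, and if not, the same guard belongs here. Note also that removing `logstash` or `filebeat` from the target only stops applying the state — as far as this file shows, nothing stops or removes a container that an earlier highstate already started, so the service keeps running and listening until something else handles teardown. The sensor target block starts outside this hunk.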
@@ -95,14 +108,18 @@ base: - idstools - suricata.manager - healthcheck - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} - wazuh {%- endif %} + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if KIBANA %} - kibana + {%- endif %} - pcap - suricata {%- if ZEEKVER != 'SURICATA' %} @@ -111,9 +128,15 @@ base: {%- if STRELKA %} - strelka {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} + {%- if ELASTALERT %} - elastalert + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet - redis @@ -152,18 +175,30 @@ base: - manager - idstools - suricata.manager - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} - wazuh {%- endif %} + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if REDIS %} - redis + {%- endif %} + {%- if KIBANA %} - kibana + {%- endif %} + {%- if ELASTALERT %} - elastalert + {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} - utility - schedule {%- if FLEETMANAGER or FLEETNODE %} @@ -201,16 +236,24 @@ base: - idstools - suricata.manager - healthcheck - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} - wazuh {%- endif %} + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if REDIS %} - redis + {%- endif %} + {%- if KIBANA %} - kibana + {%- endif %} - pcap - suricata {%- if ZEEKVER != 'SURICATA' %} 
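Review bot: The new guards in the manager targets are independent of each other, so `elasticsearch:enabled: false` still applies `kibana`, `elastalert` and `curator`, which — to the extent those states configure clients of the local Elasticsearch — are then deployed against a service this file no longer manages; nothing visible checks that a dependent flag implies its dependency. A derived flag such as `{% set KIBANA = KIBANA and ELASTICSEARCH %}` at the top would enforce it, though it silently overrides the operator's pillar, so at minimum a comment stating the intended dependency order (Elasticsearch before Kibana/Elastalert/Curator) belongs next to the flag definitions. As with the sensor target, "disabled" here means "no longer applied", not "stopped": an already-running container keeps serving until a teardown state exists. The manager target blocks these hunks cut through start and end outside the hunks.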
@@ -219,9 +262,15 @@ base: {%- if STRELKA %} - strelka {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} + {%- if ELASTALERT %} - elastalert + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet - fleet.install_package @@ -248,7 +297,9 @@ base: '*_node and I@node:node_type:parser and G@saltversion:{{saltversion}}': - match: compound - firewall + {%- if LOGSTASH %} - logstash + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} @@ -258,8 +309,12 @@ base: '*_node and I@node:node_type:hot and G@saltversion:{{saltversion}}': - match: compound - firewall + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} @@ -269,7 +324,9 @@ base: '*_node and I@node:node_type:warm and G@saltversion:{{saltversion}}': - match: compound - firewall + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} @@ -286,10 +343,18 @@ base: {%- if WAZUH != 0 %} - wazuh {%- endif %} + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} 
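Review bot: In the warm-node hunk disabling `elasticsearch` leaves the target with only `firewall` and the optional fleet package, and in the hot-node hunk `curator` is now gated on `curator:enabled` while the Elasticsearch it curates is not visible in the hunk — a warm or hot node without Elasticsearch looks like a misconfiguration rather than a supported mode, so it may be better to not gate these at all on storage nodes, or to say explicitly that it is supported. Because these are per-minion pillar reads, a single `elasticsearch:enabled: False` in a shared pillar file would also switch off every warm/search node together with the manager unless the pillar is minion-targeted; a comment beside the flag definitions naming which node types honour each key, e.g. `# elasticsearch:enabled is honoured on manager, hot, warm and search nodes`, would prevent that surprise. Each node target here continues past its hunk.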
@@ -326,19 +391,34 @@ base: - manager - idstools - suricata.manager - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} - wazuh {%- endif %} + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if REDIS %} - redis + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} + {%- if KIBANA %} - kibana + {%- endif %} + {%- if ELASTALERT %} - elastalert + {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} + - utility - schedule {%- if FLEETMANAGER or FLEETNODE %} @@ -370,11 +450,21 @@ base: {%- if WAZUH != 0 %} - wazuh {%- endif %} + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if REDIS %} - redis + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} {%- if STRELKA %} - strelka {%- endif %} @@ -386,7 +476,9 @@ base: {%- if ZEEKVER != 'SURICATA' %} - zeek {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} - schedule - docker_clean @@ -417,9 +509,15 @@ base: - idstools - suricata.manager - pcap + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if KIBANA %} - kibana + {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} - utility - suricata - zeek From 625307ac5f6a4b9cc2e6344fb7755e300a6dcb61 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 11 Nov 2020 08:52:39 -0500 Subject: [PATCH 2/5] Fix duplicate vars --- salt/top.sls | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index f1a2af0e8..9a043ecc1 100644 --- a/salt/top.sls +++ b/salt/top.sls 
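Review bot: The `@@ -326,19 +391,34` manager hunk appears to add an empty line between the new `{%- endif %}` after `- filebeat` and the existing `- utility`, which none of the sibling targets in this commit do; inside a YAML list it is harmless, but it reads as an editing leftover, so the stray `+` line should be dropped for consistency with the other hunks. The target block continues before and after the hunk.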
@@ -5,8 +5,7 @@ {% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %} {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %} {% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} -{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} -{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} +{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} {% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %} {% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %} {% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %} @@ -14,7 +13,6 @@ {% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %} {% set CURATOR = salt['pillar.get']('curator:enabled', True) %} {% set REDIS = salt['pillar.get']('redis:enabled', True) %} -{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %} {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} {% import_yaml 'salt/minion.defaults.yaml' as saltversion %} From da9a915421762090b51d55d8451133479a184a35 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 11 Nov 2020 09:15:50 -0500 Subject: [PATCH 3/5] add top change for fleet getting mysql state back was reverted in https://github.com/Security-Onion-Solutions/securityonion/pull/1880/files --- salt/top.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index 9a043ecc1..d707af003 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -106,7 +106,7 @@ base: - idstools - suricata.manager - healthcheck - {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} + {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} 
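Review bot: Re-adding the parentheses in `{%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %}` does not change the expression — `!=` binds tighter than `or` in Jinja and `or` is associative, so `mysql` is applied under exactly the same conditions as with the unparenthesized form this hunk replaces. If the intent per the commit message is to bring the mysql state back for fleet after PR 1880, this hunk alone does not do that as far as is visible here, and the actual restoring change should be pointed at; if the parentheses are just the preferred style, the message should say so rather than describe a functional change. The same rewrite is repeated in three further hunks of this commit, and the enclosing manager target block starts and ends outside each of them.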
@@ -173,7 +173,7 @@ base: - manager - idstools - suricata.manager - {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} + {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} @@ -234,7 +234,7 @@ base: - idstools - suricata.manager - healthcheck - {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} + {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} @@ -389,7 +389,7 @@ base: - manager - idstools - suricata.manager - {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} + {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} From ea1f53b40ccc12a4af03bf2d045a73e6bace0049 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 11 Nov 2020 10:29:58 -0500 Subject: [PATCH 4/5] Add check for field --- salt/elasticsearch/files/ingest/syslog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/syslog b/salt/elasticsearch/files/ingest/syslog index b4e09e9df..6d28aa705 100644 --- a/salt/elasticsearch/files/ingest/syslog +++ b/salt/elasticsearch/files/ingest/syslog @@ -13,7 +13,7 @@ } }, { "grok": { "field": "message", "patterns": ["<%{INT:syslog.priority}>%{DATA:syslog.timestamp} %{WORD:source.application}: %{GREEDYDATA:real_message}"], "ignore_failure": false } }, - { "set": { "if": "ctx.source.application == 'filterlog'", "field": "dataset", "value": "firewall" } }, + { "set": { "if": "ctx.source?.application == 'filterlog'", "field": "dataset", "value": "firewall" } }, { "pipeline": { "if": "ctx.dataset == 'firewall'", "name": "filterlog" } }, { "pipeline": { "name": "common" } } ] From fc9c31706d23f317f42fb647a12c2dcf5dcad339 Mon Sep 17 00:00:00 2001 From: Automation Date: Wed, 11 Nov 2020 16:31:42 +0000 Subject: [PATCH 5/5] Auto-publish so-acng image signature --- sigs/images/so-acng.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-acng.sig 
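Review bot: The null-safe `ctx.source?.application` on the `set` processor only matters when a document reaches it without `source.application`, yet the `grok` processor directly above runs with `"ignore_failure": false`, so a grok miss should abort the pipeline before this line — either an `on_failure` handler outside the hunk lets such documents through, or the `source` object can arrive already populated from another path; the pipeline's `"description"` field is the only place in this JSON to record which it is. Separately, `source.application` is parsed out of the syslog payload itself, so any sender that can reach the syslog listener can prefix a line with `filterlog:` and have it tagged `dataset: firewall` and routed into the `filterlog` pipeline; if that matters for this deployment, consider additionally keying the condition on the sending host, e.g. `ctx.source?.application == 'filterlog' && ctx.host?.ip != null`, or stating the trust assumption in the description.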
diff --git a/sigs/images/so-acng.sig b/sigs/images/so-acng.sig new file mode 100644 index 0000000000000000000000000000000000000000..ef0728b1c244bfcbf780a83d44a985a2d4c942ee GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5J5$*sA2@qb#TbW_DIM!sA) zcp6qqW+7ltbDOD2I}PGK=7r88^4Pmw1eqFo(%CT*ii?ALrJ|!nfq(41<$yjv)ahh? zE`S(ebZi=Ofe*HmcaKZfV@JeImupuZR~l3sG)x#Dwi!(RqdO0NI^1e$P16ub5~o}+ z&pu{OUvZsSHxs^AiwbrXKcHK`DOFv_ZuTJNY;GB(A@|BO(c(smbx3D^W>~Bokftc` z!vLt_7!CRoPFPlHKj_jW{dCw!dZHJo*bTcuor7+L5d%C7cPq*bR|s%2b!`=EB+sLc zqxTjY0GBqg0}kc=?jwN5Yi9D1QMW|&A^vijjDZG;f+QUFXDqFoF5EiS>tzjxl{JE< z&eMJ?>rP