diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index 47867edaf..372813649 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -5,10 +5,11 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'strelka/map.jinja' import STRELKAMERGED %}
-{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %}
-{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=true) %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %}
+{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=true) %}
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
 include:
 - salt.minion
@@ -81,6 +82,16 @@ socore_own_saltstack:
 - user
 - group
+{% if STRELKAMERGED.rules.enabled %}
+strelkarepos:
+ file.managed:
+ - name: /opt/so/conf/strelka/repos.txt
+ - source: salt://strelka/rules/repos.txt.jinja
+ - template: jinja
+ - defaults:
+ STRELKAREPOS: {{ STRELKAMERGED.rules.repos }}
+{% endif %}
+
 yara_update_script:
 file.managed:
 - name: /usr/sbin/so-yara-update
diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
index 6f28057e1..864b714d6 100755
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
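Review bot: `{% from 'strelka/map.jinja' import STRELKAMERGED %}` is imported twice in the first hunk, once inside the re-added four-line block and again as the new fifth line, so the last added line is redundant and should be dropped. The four removed lines and their re-added counterparts read identically here, so this part of the change is presumably whitespace-only; a `git diff -w` would confirm there is no hidden semantic change. In the second hunk `strelkarepos` sets no `user`, `group` or `mode`, whereas the strelka states elsewhere in this change pin `user: 939` / `group: 939`; pinning ownership and `- mode: 644` here too keeps the rendered repo list from inheriting whatever the minion's umask or a pre-existing file provides.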
@@ -249,6 +249,54 @@ function add_redis_to_minion() {
 " " >> $PILLARFILE
 }
+function add_strelka_backend_to_minion() {
+ printf '%s\n'\
+ "strelka:"\
+ " backend:"\
+ " enabled: True"\
+ " " >> $PILLARFILE
+}
+
+function add_strelka_filestream_to_minion() {
+ printf '%s\n'\
+ "strelka:"\
+ " filestream:"\
+ " enabled: True"\
+ " " >> $PILLARFILE
+}
+
+function add_strelka_frontend_to_minion() {
+ printf '%s\n'\
+ "strelka:"\
+ " frontend:"\
+ " enabled: True"\
+ " " >> $PILLARFILE
+}
+
+function add_strelka_manager_to_minion() {
+ printf '%s\n'\
+ "strelka:"\
+ " manager:"\
+ " enabled: True"\
+ " " >> $PILLARFILE
+}
+
+function add_strelka_coordinator_to_minion() {
+ printf '%s\n'\
+ "strelka:"\
+ " coordinator:"\
+ " enabled: True"\
+ " " >> $PILLARFILE
+}
+
+function add_strelka_gatekeeper_to_minion() {
+ printf '%s\n'\
+ "strelka:"\
+ " gatekeeper:"\
+ " enabled: True"\
+ " " >> $PILLARFILE
+}
+
 function create_fleet_policy() {
 JSON_STRING=$(
 jq -n \
@@ -295,6 +343,12 @@ function apply_ES_state() {
 function createEVAL() {
 add_elasticsearch_to_minion
 add_sensor_to_minion
+ add_strelka_backend_to_minion
+ add_strelka_filestream_to_minion
+ add_strelka_frontend_to_minion
+ add_strelka_manager_to_minion
+ add_strelka_coordinator_to_minion
+ add_strelka_gatekeeper_to_minion
 add_elastalert_to_minion
 add_kibana_to_minion
 }
@@ -303,6 +357,12 @@ function createSTANDALONE() {
 add_elasticsearch_to_minion
 add_logstash_to_minion
 add_sensor_to_minion
+ add_strelka_backend_to_minion
+ add_strelka_filestream_to_minion
+ add_strelka_frontend_to_minion
+ add_strelka_manager_to_minion
+ add_strelka_coordinator_to_minion
+ add_strelka_gatekeeper_to_minion
 add_playbook_to_minion
 add_elastalert_to_minion
 add_kibana_to_minion
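Review bot: The six new `add_strelka_*_to_minion` functions each append a separate top-level `strelka:` mapping to `$PILLARFILE`, so a node type that calls all six (createEVAL and createSTANDALONE in this line, createHEAVYNODE and createSENSOR in the next hunk) ends up with six duplicate `strelka:` keys in one YAML document. As far as I recall Salt's YAML loader rejects duplicate mapping keys outright, and a plain PyYAML load silently keeps only the last one, so unless something downstream merges these fragments either the pillar fails to render or only `gatekeeper.enabled` survives. One function that writes a single `strelka:` block with all six sub-keys avoids both outcomes; each create* function then makes one call, `add_strelka_to_minion`, in place of the six. Quoting `"$PILLARFILE"` on the redirect is also worth doing while the function is touched.
```shell
function add_strelka_to_minion() {
  printf '%s\n'\
    "strelka:"\
    "  backend:"\
    "    enabled: True"\
    "  filestream:"\
    "    enabled: True"\
    "  frontend:"\
    "    enabled: True"\
    "  manager:"\
    "    enabled: True"\
    "  coordinator:"\
    "    enabled: True"\
    "  gatekeeper:"\
    "    enabled: True"\
    " " >> "$PILLARFILE"
}
# … unchanged: create_fleet_policy and the rest of the file …
```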
@@ -349,11 +409,23 @@ function createHEAVYNODE() {
 add_elasticsearch_to_minion
 add_logstash_to_minion
 add_sensor_to_minion
+ add_strelka_backend_to_minion
+ add_strelka_filestream_to_minion
+ add_strelka_frontend_to_minion
+ add_strelka_manager_to_minion
+ add_strelka_coordinator_to_minion
+ add_strelka_gatekeeper_to_minion
 add_redis_to_minion
 }
 function createSENSOR() {
 add_sensor_to_minion
+ add_strelka_backend_to_minion
+ add_strelka_filestream_to_minion
+ add_strelka_frontend_to_minion
+ add_strelka_manager_to_minion
+ add_strelka_coordinator_to_minion
+ add_strelka_gatekeeper_to_minion
 }
 function createSEARCHNODE() {
diff --git a/salt/strelka/backend/config.sls b/salt/strelka/backend/config.sls
new file mode 100644
index 000000000..d51debb1b
--- /dev/null
+++ b/salt/strelka/backend/config.sls
@@ -0,0 +1,69 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+ - strelka.config
+ - strelka.backend.sostatus
+
+backend_backend_config:
+ file.managed:
+ - name: /opt/so/conf/strelka/backend/backend.yaml
+ - source: salt://strelka/backend/files/backend.yaml.jinja
+ - template: jinja
+ - user: 939
+ - group: 939
+ - makedirs: True
+ - defaults:
+ BACKENDCONFIG: {{ STRELKAMERGED.backend.config.backend }}
+
+backend_logging_config:
+ file.managed:
+ - name: /opt/so/conf/strelka/backend/logging.yaml
+ - source: salt://strelka/backend/files/logging.yaml.jinja
+ - template: jinja
+ - user: 939
+ - group: 939
+ - defaults:
+ LOGGINGCONFIG: {{ STRELKAMERGED.backend.config.logging }}
+
+backend_passwords:
+ file.managed:
+ - name: /opt/so/conf/strelka/backend/passwords.dat
+ - source: salt://strelka/backend/files/passwords.dat.jinja
+ - template: jinja
+ - user: 939
+ - group: 939
+ - defaults:
+ PASSWORDS: {{ STRELKAMERGED.backend.config.passwords }}
+
+backend_taste:
+ file.managed:
+ - name: /opt/so/conf/strelka/backend/taste/taste.yara
+ - source: salt://strelka/backend/files/taste/taste.yara
+ - makedirs: True
+ - user: 939
+ - group: 939
+
+{% if STRELKAMERGED.rules.enabled %}
+strelkarules:
+ file.recurse:
+ - name: /opt/so/conf/strelka/rules
+ - source: salt://strelka/rules
+ - user: 939
+ - group: 939
+ - clean: True
+{% endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
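Review bot: `backend_passwords` writes `/opt/so/conf/strelka/backend/passwords.dat` with owner and group 939 but no `mode`, so its permissions are whatever the minion's umask or a pre-existing file supplies; since the file may carry site-specific archive passwords (the defaults in this change list `infected` and `password`), add `- mode: 640` so only the strelka uid and group can read it. The other `file.managed` states in this file also omit `mode`; `- mode: 644` would make the intended permissions explicit rather than environment-dependent. `strelkarules` uses `file.recurse` with `clean: True`, which removes anything under `/opt/so/conf/strelka/rules` that is not in `salt://strelka/rules`; that is presumably deliberate, but a one-line comment such as `# clean: True — local rule edits are overwritten, manage rules via the salt tree` would spare the next operator a surprise.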
diff --git a/salt/strelka/backend/disabled.sls b/salt/strelka/backend/disabled.sls
new file mode 100644
index 000000000..fcf9136c6
--- /dev/null
+++ b/salt/strelka/backend/disabled.sls
@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+ - strelka.backend.sostatus
+
+so-strelka-backend:
+ docker_container.absent:
+ - force: True
+
+so-strelka-backend_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-strelka-backend$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls
new file mode 100644
index 000000000..2ba998e30
--- /dev/null
+++ b/salt/strelka/backend/enabled.sls
@@ -0,0 +1,41 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+ - strelka.backend.config
+ - strelka.backend.sostatus
+
+strelka_backend:
+ docker_container.running:
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-backend:{{ GLOBALS.so_version }}
+ - binds:
+ - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
+ - /opt/so/conf/strelka/rules/:/etc/yara/:ro
+ - name: so-strelka-backend
+ - networks:
+ - sobridge:
+ - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
+ - command: strelka-backend
+ - extra_hosts:
+ - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+ - restart_policy: on-failure
+
+delete_so-strelka-backend_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-strelka-backend$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/files/backend/backend.yaml.jinja b/salt/strelka/backend/files/backend.yaml.jinja
similarity index 100%
rename from salt/strelka/files/backend/backend.yaml.jinja
rename to salt/strelka/backend/files/backend.yaml.jinja
diff --git a/salt/strelka/files/backend/logging.yaml.jinja b/salt/strelka/backend/files/logging.yaml.jinja
similarity index 100%
rename from salt/strelka/files/backend/logging.yaml.jinja
rename to salt/strelka/backend/files/logging.yaml.jinja
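Review bot: `strelka_backend` has no `watch` requisite on the files that the included `strelka.backend.config` manages (backend.yaml, logging.yaml, passwords.dat and the rules tree), so a configuration or YARA rule change is written to disk but the running container keeps serving the old copy until something else restarts it. Unless Security Onion recycles containers through another path, add `- watch:` with `- file: backend_backend_config`, `- file: backend_logging_config`, `- file: backend_passwords` and `- file: strelkarules` (the last only inside the `rules.enabled` branch) so the container restarts on change. Both binds are mounted `:ro`, which is the right choice for config and rules; a brief comment noting that the backend never needs to write to either path would document that intent.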
diff --git a/salt/strelka/files/backend/passwords.dat.jinja b/salt/strelka/backend/files/passwords.dat.jinja
similarity index 100%
rename from salt/strelka/files/backend/passwords.dat.jinja
rename to salt/strelka/backend/files/passwords.dat.jinja
diff --git a/salt/strelka/files/backend/taste/taste.yara b/salt/strelka/backend/files/taste/taste.yara
similarity index 100%
rename from salt/strelka/files/backend/taste/taste.yara
rename to salt/strelka/backend/files/taste/taste.yara
diff --git a/salt/strelka/backend/init.sls b/salt/strelka/backend/init.sls
new file mode 100644
index 000000000..253544c98
--- /dev/null
+++ b/salt/strelka/backend/init.sls
@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+{% if STRELKAMERGED.backend.enabled %}
+ - strelka.backend.enabled
+{% else %}
+ - strelka.backend.disabled
+{% endif %}
diff --git a/salt/strelka/backend/sostatus.sls b/salt/strelka/backend/sostatus.sls
new file mode 100644
index 000000000..6de50cfdc
--- /dev/null
+++ b/salt/strelka/backend/sostatus.sls
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-strelka-backend_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-strelka-backend
+ - unless: grep -q so-strelka-backend /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/config.sls b/salt/strelka/config.sls
new file mode 100644
index 000000000..aa51e4b03
--- /dev/null
+++ b/salt/strelka/config.sls
@@ -0,0 +1,61 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+# Strelka config
+strelkaconfdir:
+ file.directory:
+ - name: /opt/so/conf/strelka
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+strelkarulesdir:
+ file.directory:
+ - name: /opt/so/conf/strelka/rules
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+strelkadatadir:
+ file.directory:
+ - name: /nsm/strelka
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+strelkalogdir:
+ file.directory:
+ - name: /nsm/strelka/log
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+strelka_sbin:
+ file.recurse:
+ - name: /usr/sbin
+ - source: salt://strelka/tools/sbin
+ - user: 939
+ - group: 939
+ - file_mode: 755
+
+#strelka_sbin_jinja:
+# file.recurse:
+# - name: /usr/sbin
+# - source: salt://strelka/tools/sbin_jinja
+# - user: 939
+# - group: 939
+# - file_mode: 755
+# - template: jinja
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
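Review bot: `strelka_sbin` recurses `salt://strelka/tools/sbin` into `/usr/sbin` with `user: 939`, `group: 939` and `file_mode: 755`, which leaves executables under `/usr/sbin` owned and writable by the unprivileged strelka uid; anything that later runs those scripts as root (cron, sudo, a highstate) then executes code that uid could have replaced. Use `- user: root` and `- group: root` for this state; the directory ownership the 939 uid needs is already handled by the `file.directory` states above. `file.recurse` also applies `user`/`group` to the directories it manages, so as written it may re-own `/usr/sbin` itself — worth checking on a test minion. The commented-out `strelka_sbin_jinja` block should either be removed or carry a one-line note on why it is parked.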
@@ -0,0 +1,19 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+ - strelka.config
+ - strelka.coordinator.sostatus
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/coordinator/disabled.sls b/salt/strelka/coordinator/disabled.sls
new file mode 100644
index 000000000..4ac20fe0f
--- /dev/null
+++ b/salt/strelka/coordinator/disabled.sls
@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+ - strelka.coordinator.sostatus
+
+so-strelka-coordinator:
+ docker_container.absent:
+ - force: True
+
+so-strelka-coordinator_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-strelka-coordinator$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/coordinator/enabled.sls b/salt/strelka/coordinator/enabled.sls
new file mode 100644
index 000000000..9f2627344
--- /dev/null
+++ b/salt/strelka/coordinator/enabled.sls
@@ -0,0 +1,41 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+ - strelka.coordinator.config
+ - strelka.coordinator.sostatus
+
+strelka_coordinator:
+ docker_container.running:
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }}
+ - name: so-strelka-coordinator
+ - networks:
+ - sobridge:
+ - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
+ - entrypoint: redis-server --save "" --appendonly no
+ - extra_hosts:
+ - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+ - port_bindings:
+ {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
+ - {{ BINDING }}
+ {% endfor %}
+
+delete_so-strelka-coordinator_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-strelka-coordinator$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/coordinator/init.sls b/salt/strelka/coordinator/init.sls
new file mode 100644
index 000000000..bad4c0a48
--- /dev/null
+++ b/salt/strelka/coordinator/init.sls
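Review bot: `strelka_coordinator` starts Redis with `redis-server --save "" --appendonly no` and no `--requirepass` or `--protected-mode` argument, and then publishes `DOCKER.containers['so-strelka-coordinator'].port_bindings` on the host; whether that listener is reachable from other machines depends on the bind address in the docker map and on the host firewall, neither of which is in this diff, so please confirm the binding is loopback-only or the port is filtered. The same applies to `strelka_gatekeeper` in gatekeeper/enabled.sls, which uses the identical pattern. A comment above `port_bindings` naming the intended clients (the frontend and backend on this node) would record why the port is published at all.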
@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+{% if STRELKAMERGED.coordinator.enabled %}
+ - strelka.coordinator.enabled
+{% else %}
+ - strelka.coordinator.disabled
+{% endif %}
diff --git a/salt/strelka/coordinator/sostatus.sls b/salt/strelka/coordinator/sostatus.sls
new file mode 100644
index 000000000..dbc124993
--- /dev/null
+++ b/salt/strelka/coordinator/sostatus.sls
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-strelka-coordinator_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-strelka-coordinator
+ - unless: grep -q so-strelka-coordinator /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml
index bcef0fd9b..6a0b1c2b5 100644
--- a/salt/strelka/defaults.yaml
+++ b/salt/strelka/defaults.yaml
@@ -1,6 +1,7 @@
 strelka:
- config:
- backend:
+ backend:
+ enabled: False
+ config:
 backend:
 logging_cfg: '/etc/strelka/logging.yaml'
 limits:
@@ -493,7 +494,9 @@ strelka:
 passwords:
 - infected
 - password
- filestream:
+ filestream:
+ enabled: False
+ config:
 conn:
 server: 'HOST:57314'
 cert: ''
@@ -514,7 +517,9 @@ strelka:
 report: 5s
 delta: 5s
 staging: '/nsm/strelka/staging'
- frontend:
+ frontend:
+ enabled: False
+ config:
 server: ":57314"
 coordinator:
 addr: 'HOST:6380'
@@ -525,10 +530,16 @@ strelka:
 ttl: 1h
 response:
 log: "/var/log/strelka/strelka.log"
- manager:
+ manager:
+ enabled: False
+ config:
 coordinator:
 addr: 'HOST:6380'
 db: 0
+ coordinator:
+ enabled: False
+ gatekeeper:
+ enabled: False
 rules:
 enabled: True
 repos:
diff --git a/salt/strelka/filestream/config.sls b/salt/strelka/filestream/config.sls
new file mode 100644
index 000000000..a215967ee
--- /dev/null
+++ b/salt/strelka/filestream/config.sls
@@ -0,0 +1,108 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+{% from 'strelka/map.jinja' import filecheck_runas %}
+
+include:
+ - strelka.config
+ - strelka.filestream.sostatus
+
+strelkaprocessed:
+ file.directory:
+ - name: /nsm/strelka/processed
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+strelkastaging:
+ file.directory:
+ - name: /nsm/strelka/staging
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+strelkaunprocessed:
+ file.directory:
+ - name: /nsm/strelka/unprocessed
+ - user: 939
+ - group: 939
+ - mode: 775
+ - makedirs: True
+
+filestream_config:
+ file.managed:
+ - name: /opt/so/conf/strelka/filestream/filestream.yaml
+ - source: salt://strelka/filestream/files/filestream.yaml.jinja
+ - template: jinja
+ - user: 939
+ - group: 939
+ - makedirs: True
+ - defaults:
+ FILESTREAMCONFIG: {{ STRELKAMERGED.filestream.config }}
+
+# Filecheck Section
+filecheck_logdir:
+ file.directory:
+ - name: /opt/so/log/strelka
+ - user: 939
+ - group: 939
+ - mode: 775
+ - makedirs: True
+
+filecheck_history:
+ file.directory:
+ - name: /nsm/strelka/history
+ - user: 939
+ - group: 939
+ - mode: 775
+ - makedirs: True
+
+filecheck_conf:
+ file.managed:
+ - name: /opt/so/conf/strelka/filecheck.yaml
+ - source: salt://strelka/filecheck/filecheck.yaml.jinja
+ - template: jinja
+ - defaults:
+ FILECHECKCONFIG: {{ STRELKAMERGED.filecheck }}
+
+filecheck_script:
+ file.managed:
+ - name: /opt/so/conf/strelka/filecheck
+ - source: salt://strelka/filecheck/filecheck
+ - user: 939
+ - group: 939
+ - mode: 755
+
+filecheck_restart:
+ cmd.run:
+ - name: pkill -f "python3 /opt/so/conf/strelka/filecheck"
+ - hide_output: True
+ - success_retcodes: [0,1]
+ - onchanges:
+ - file: filecheck_script
+
+filecheck_run:
+ cron.present:
+ - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
+ - identifier: filecheck_run
+ - user: {{ filecheck_runas }}
+
+filcheck_history_clean:
+ cron.present:
+ - name: '/usr/bin/find /nsm/strelka/history/ -type f -mtime +2 -exec rm {} + > /dev/null 2>&1'
+ - identifier: filecheck_history_clean
+ - minute: '33'
+# End Filecheck Section
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/filestream/disabled.sls b/salt/strelka/filestream/disabled.sls
new file mode 100644
index 000000000..162e310a9
--- /dev/null
+++ b/salt/strelka/filestream/disabled.sls
@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+ - strelka.filestream.sostatus
+
+so-strelka-filestream:
+ docker_container.absent:
+ - force: True
+
+so-strelka-filestream_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-strelka-filestream$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/filestream/enabled.sls b/salt/strelka/filestream/enabled.sls
new file mode 100644
index 000000000..e798629c4
--- /dev/null
+++ b/salt/strelka/filestream/enabled.sls
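Review bot: `filecheck_run` launches `/opt/so/conf/strelka/filecheck` from cron as `{{ filecheck_runas }}`, while `filecheck_script` installs that file owned by uid 939 with mode 755; if `filecheck_runas` resolves to root (it comes from strelka/map.jinja, which is not in this diff), a process running as the strelka uid could rewrite a script that cron then executes as root. Either install the script root-owned (`- user: root`, `- group: root`) or make the cron user the same unprivileged account as the file owner. The `ps -ef | grep filecheck | grep -v grep` guard matches any process whose command line contains `filecheck`, so an unrelated process can suppress the start; `pgrep -f '/opt/so/conf/strelka/filecheck'` would be more precise and matches what `filecheck_restart` already kills. Minor: `filecheck_conf` sets no owner or mode, and the state id `filcheck_history_clean` is misspelled relative to its `identifier`.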
@@ -0,0 +1,38 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+ - strelka.filestream.config
+ - strelka.filestream.sostatus
+
+strelka_filestream:
+ docker_container.running:
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-filestream:{{ GLOBALS.so_version }}
+ - binds:
+ - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
+ - /nsm/strelka:/nsm/strelka
+ - name: so-strelka-filestream
+ - networks:
+ - sobridge:
+ - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
+ - command: strelka-filestream
+ - extra_hosts:
+ - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+
+delete_so-strelka-filestream_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-strelka-filestream$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/files/filestream/filestream.yaml.jinja b/salt/strelka/filestream/files/filestream.yaml.jinja
similarity index 100%
rename from salt/strelka/files/filestream/filestream.yaml.jinja
rename to salt/strelka/filestream/files/filestream.yaml.jinja
diff --git a/salt/strelka/filestream/init.sls b/salt/strelka/filestream/init.sls
new file mode 100644
index 000000000..79b471891
--- /dev/null
+++ b/salt/strelka/filestream/init.sls
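Review bot: `strelka_filestream` references `GLOBALS.registry_host`, `GLOBALS.image_repo`, `GLOBALS.so_version`, `GLOBALS.hostname`, `GLOBALS.node_ip` and `DOCKER.containers['so-strelka-filestream'].ip`, but unlike backend/enabled.sls this file never imports either map, so the render fails on an undefined variable (or, depending on the Jinja undefined setting in use, silently produces an empty image tag and IP). Add after the `allowed_states` check: `{% from 'docker/docker.map.jinja' import DOCKER %}` and `{% from 'vars/globals.map.jinja' import GLOBALS %}`. Two smaller points: `/nsm/strelka:/nsm/strelka` is the one read-write bind in the strelka containers, presumably because filestream moves files between the staging/processed/unprocessed directories, and a comment saying so would justify it; and this container has no `restart_policy` while the backend sets `on-failure`, which looks like an oversight rather than a choice.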
@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+{% if STRELKAMERGED.filestream.enabled %}
+ - strelka.filestream.enabled
+{% else %}
+ - strelka.filestream.disabled
+{% endif %}
diff --git a/salt/strelka/filestream/sostatus.sls b/salt/strelka/filestream/sostatus.sls
new file mode 100644
index 000000000..cb292a459
--- /dev/null
+++ b/salt/strelka/filestream/sostatus.sls
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-strelka-filestream_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-strelka-filestream
+ - unless: grep -q so-strelka-filestream /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/frontend/config.sls b/salt/strelka/frontend/config.sls
new file mode 100644
index 000000000..e06994b10
--- /dev/null
+++ b/salt/strelka/frontend/config.sls
@@ -0,0 +1,36 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+ - strelka.config
+ - strelka.frontend.sostatus
+
+# Check to see if Strelka frontend port is available
+strelkaportavailable:
+ cmd.run:
+ - name: netstat -utanp | grep ":57314" | grep -qvE 'docker|TIME_WAIT' && PROCESS=$(netstat -utanp | grep ":57314" | uniq) && echo "Another process ($PROCESS) appears to be using port 57314. Please terminate this process, or reboot to ensure a clean state so that Strelka can start properly." && exit 1 || exit 0
+
+frontend_config:
+ file.managed:
+ - name: /opt/so/conf/strelka/frontend/frontend.yaml
+ - source: salt://strelka/frontend/files/frontend.yaml.jinja
+ - template: jinja
+ - user: 939
+ - group: 939
+ - makedirs: True
+ - defaults:
+ FRONTENDCONFIG: {{ STRELKAMERGED.frontend.config }}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/frontend/disabled.sls b/salt/strelka/frontend/disabled.sls
new file mode 100644
index 000000000..66f6c898c
--- /dev/null
+++ b/salt/strelka/frontend/disabled.sls
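Review bot: `strelkaportavailable` runs its `netstat` pipeline on every state run and exits 1 when port 57314 is held by a non-docker process, but nothing in this file or in frontend/enabled.sls has a `require` on it, so the failure is reported while `frontend_config` and the container state still apply; if the check is meant to gate startup, give `strelka_frontend` a `- require:` / `- cmd: strelkaportavailable`, and if it is only advisory, say so in the comment above the state. The check also depends on `netstat`, which minimal images ship without (only `ss`), in which case the pipeline's own failure is what would trip the state; whether that matters depends on the base image Security Onion targets. Because the state is a `cmd.run` with no `unless`/`onlyif`, it will also report a change on every highstate.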
@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+ - strelka.frontend.sostatus
+
+so-strelka-frontend:
+ docker_container.absent:
+ - force: True
+
+so-strelka-frontend_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-strelka-frontend$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/frontend/enabled.sls b/salt/strelka/frontend/enabled.sls
new file mode 100644
index 000000000..28b7dc19c
--- /dev/null
+++ b/salt/strelka/frontend/enabled.sls
@@ -0,0 +1,45 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+ - strelka.frontend.config
+ - strelka.frontend.sostatus
+
+strelka_frontend:
+ docker_container.running:
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-frontend:{{ GLOBALS.so_version }}
+ - binds:
+ - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
+ - /nsm/strelka/log/:/var/log/strelka/:rw
+ - privileged: True
+ - name: so-strelka-frontend
+ - networks:
+ - sobridge:
+ - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
+ - command: strelka-frontend
+ - extra_hosts:
+ - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+ - port_bindings:
+ {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
+ - {{ BINDING }}
+ {% endfor %}
+
+delete_so-strelka-frontend_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-strelka-frontend$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/files/frontend/frontend.yaml.jinja b/salt/strelka/frontend/files/frontend.yaml.jinja
similarity index 100%
rename from salt/strelka/files/frontend/frontend.yaml.jinja
rename to salt/strelka/frontend/files/frontend.yaml.jinja
diff --git a/salt/strelka/frontend/init.sls b/salt/strelka/frontend/init.sls
new file mode 100644
index 000000000..980746dfd
--- /dev/null
+++ b/salt/strelka/frontend/init.sls
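Review bot: `strelka_frontend` sets `privileged: True`, which grants the container every capability and unrestricted host device access, and this is the one strelka component that accepts connections on the published port bindings; a compromise of the frontend would then amount to root on the host rather than a contained service. None of the other containers in this change needs the flag, and nothing in the binds (a read-only config directory and a log directory) explains it, so if a specific capability is required replace the line with `- cap_add:` listing just that capability, and otherwise drop it. At minimum a comment stating why the privilege is needed should sit next to it so the next reviewer does not have to guess.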
@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+{% if STRELKAMERGED.frontend.enabled %}
+ - strelka.frontend.enabled
+{% else %}
+ - strelka.frontend.disabled
+{% endif %}
diff --git a/salt/strelka/frontend/sostatus.sls b/salt/strelka/frontend/sostatus.sls
new file mode 100644
index 000000000..a1ab76312
--- /dev/null
+++ b/salt/strelka/frontend/sostatus.sls
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-strelka-frontend_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-strelka-frontend
+ - unless: grep -q so-strelka-frontend /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/gatekeeper/config.sls b/salt/strelka/gatekeeper/config.sls
new file mode 100644
index 000000000..069813f9d
--- /dev/null
+++ b/salt/strelka/gatekeeper/config.sls
@@ -0,0 +1,19 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+ - strelka.config
+ - strelka.gatekeeper.sostatus
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/gatekeeper/disabled.sls b/salt/strelka/gatekeeper/disabled.sls
new file mode 100644
index 000000000..8f49d383c
--- /dev/null
+++ b/salt/strelka/gatekeeper/disabled.sls
@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+ - strelka.gatekeeper.sostatus
+
+so-strelka-gatekeeper:
+ docker_container.absent:
+ - force: True
+
+so-strelka-gatekeeper_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-strelka-gatekeeper$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/gatekeeper/enabled.sls b/salt/strelka/gatekeeper/enabled.sls
new file mode 100644
index 000000000..326fb752f
--- /dev/null
+++ b/salt/strelka/gatekeeper/enabled.sls
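Review bot: `so-strelka-gatekeeper_so-status.disabled` runs `file.comment` against a line that only exists because the included `strelka.gatekeeper.sostatus` appends it, and on the Salt versions I know `file.comment` returns a failed result when it finds neither the plain nor the already-commented form; on a fresh node the disabled branch therefore depends on the included append state running first, which is implicit include ordering rather than a declared dependency. Make that explicit on the comment state with `- require:` / `  - file: append_so-strelka-gatekeeper_so-status.conf`, so a later `order:` or refactor cannot silently break it. manager/disabled.sls in this commit has the same shape and should get the same requisite.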
@@ -0,0 +1,41 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+ - strelka.gatekeeper.config
+ - strelka.gatekeeper.sostatus
+
+strelka_gatekeeper:
+ docker_container.running:
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }}
+ - name: so-strelka-gatekeeper
+ - networks:
+ - sobridge:
+ - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
+ - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
+ - extra_hosts:
+ - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+ - port_bindings:
+ {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
+ - {{ BINDING }}
+ {% endfor %}
+
+delete_so-strelka-gatekeeper_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-strelka-gatekeeper$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/gatekeeper/init.sls b/salt/strelka/gatekeeper/init.sls
new file mode 100644
index 000000000..33ece563a
--- /dev/null
+++ b/salt/strelka/gatekeeper/init.sls
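Review bot: so-strelka-gatekeeper is a Redis started as `redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru` with no `--requirepass`, and `port_bindings` publishes it on the host, so whatever address docker.map.jinja maps it to is an unauthenticated Redis reachable by anything that can route to that port. This is carried over unchanged from the old strelka/init.sls rather than introduced here, but the split into a per-component file is the right moment to settle it: either confirm, and say so in a comment above `port_bindings`, that the binding is loopback/host-only and covered by the firewall state, or add `--requirepass` fed from a pillar secret and set the matching password wherever the frontend/backend gatekeeper address is configured. `--protected-mode yes` is not a substitute, since the other Strelka containers reach it over the sobridge network rather than loopback and would be refused. The coordinator container was launched the same way in the old init.sls and presumably still is in its own enabled.sls, so it needs the same decision.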
@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+{% if STRELKAMERGED.gatekeeper.enabled %}
+ - strelka.gatekeeper.enabled
+{% else %}
+ - strelka.gatekeeper.disabled
+{% endif %}
diff --git a/salt/strelka/gatekeeper/sostatus.sls b/salt/strelka/gatekeeper/sostatus.sls
new file mode 100644
index 000000000..db6c6416e
--- /dev/null
+++ b/salt/strelka/gatekeeper/sostatus.sls
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-strelka-gatekeeper_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-strelka-gatekeeper
+ - unless: grep -q so-strelka-gatekeeper /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index 6b7a2bbd2..a60612087 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -3,361 +3,41 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
{% from 'strelka/map.jinja' import STRELKAMERGED %}
-{% from 'strelka/map.jinja' import filecheck_runas %}
-
-# Strelka config
-strelkaconfdir:
- file.directory:
- - name: /opt/so/conf/strelka
- - user: 939
- - group: 939
- - makedirs: True
-
-strelkarulesdir:
- file.directory:
- - name: /opt/so/conf/strelka/rules
- - user: 939
- - group: 939
- - makedirs: True
-
-backend_backend_config:
- file.managed:
- - name: /opt/so/conf/strelka/backend/backend.yaml
- - source: salt://strelka/files/backend/backend.yaml.jinja
- - template: jinja
- - user: 939
- - group: 939
- - makedirs: True
- - defaults:
- BACKENDCONFIG: {{ STRELKAMERGED.config.backend.backend }}
-
-backend_logging_config:
- file.managed:
- - name: /opt/so/conf/strelka/backend/logging.yaml
- - source: salt://strelka/files/backend/logging.yaml.jinja
- - template: jinja
- - user: 939
- - group: 939
- - defaults:
- LOGGINGCONFIG: {{ STRELKAMERGED.config.backend.logging }}
-
-backend_passwords:
- file.managed:
- - name: /opt/so/conf/strelka/backend/passwords.dat
- - source: salt://strelka/files/backend/passwords.dat.jinja
- - template: jinja
- - user: 939
- - group: 939
- - defaults:
- PASSWORDS: {{ STRELKAMERGED.config.backend.passwords }}
-
-strelka_sbin:
- file.recurse:
- - name: /usr/sbin
- - source: salt://strelka/tools/sbin
- - user: 939
- - group: 939
- - file_mode: 755
-
-#strelka_sbin_jinja:
-# file.recurse:
-# - name: /usr/sbin
-# - source: salt://strelka/tools/sbin_jinja
-# - user: 939
-# - group: 939
-# - file_mode: 755
-# - template: jinja
-
-backend_taste:
- file.managed:
- - name: /opt/so/conf/strelka/backend/taste/taste.yara
- - source: salt://strelka/files/backend/taste/taste.yara
- - makedirs: True
- - user: 939
- - group: 939
-
-filestream_config:
- file.managed:
- - name: /opt/so/conf/strelka/filestream/filestream.yaml
- - source: salt://strelka/files/filestream/filestream.yaml.jinja
- - template: jinja
- - user: 939
- - group: 939
- - makedirs: True
- - defaults:
- FILESTREAMCONFIG: {{ STRELKAMERGED.config.filestream }}
-
-frontend_config:
- file.managed:
- - name: /opt/so/conf/strelka/frontend/frontend.yaml
- - source: salt://strelka/files/frontend/frontend.yaml.jinja
- - template: jinja
- - user: 939
- - group: 939
- - makedirs: True
- - defaults:
- FRONTENDCONFIG: {{ STRELKAMERGED.config.frontend }}
-
-manager_config:
- file.managed:
- - name: /opt/so/conf/strelka/manager/manager.yaml
- - source: salt://strelka/files/manager/manager.yaml.jinja
- - template: jinja
- - user: 939
- - group: 939
- - makedirs: True
- - defaults:
- MANAGERCONFIG: {{ STRELKAMERGED.config.manager }}
-
-{% if STRELKAMERGED.rules.enabled %}
-
-strelkarules:
- file.recurse:
- - name: /opt/so/conf/strelka/rules
- - source: salt://strelka/rules
- - user: 939
- - group: 939
- - clean: True
-
-{% if grains['role'] in GLOBALS.manager_roles %}
-strelkarepos:
- file.managed:
- - name: /opt/so/conf/strelka/repos.txt
- - source: salt://strelka/rules/repos.txt.jinja
- - template: jinja
- - defaults:
- STRELKAREPOS: {{ STRELKAMERGED.rules.repos }}
-
-{% endif %}
-{% endif %}
-
-strelkadatadir:
- file.directory:
- - name: /nsm/strelka
- - user: 939
- - group: 939
- - makedirs: True
-
-strelkalogdir:
- file.directory:
- - name: /nsm/strelka/log
- - user: 939
- - group: 939
- - makedirs: True
-
-strelkaprocessed:
- file.directory:
- - name: /nsm/strelka/processed
- - user: 939
- - group: 939
- - makedirs: True
-
-strelkastaging:
- file.directory:
- - name: /nsm/strelka/staging
- - user: 939
- - group: 939
- - makedirs: True
-
-strelkaunprocessed:
- file.directory:
- - name: /nsm/strelka/unprocessed
- - user: 939
- - group: 939
- - mode: 775
- - makedirs: True
-
-# Check to see if Strelka frontend port is available
-strelkaportavailable:
- cmd.run:
- - name: netstat -utanp | grep ":57314" | grep -qvE 'docker|TIME_WAIT' && PROCESS=$(netstat -utanp | grep ":57314" | uniq) && echo "Another process ($PROCESS) appears to be using port 57314. Please terminate this process, or reboot to ensure a clean state so that Strelka can start properly." && exit 1 || exit 0
-
-# Filecheck Section
-filecheck_logdir:
- file.directory:
- - name: /opt/so/log/strelka
- - user: 939
- - group: 939
- - mode: 775
- - makedirs: True
-
-filecheck_history:
- file.directory:
- - name: /nsm/strelka/history
- - user: 939
- - group: 939
- - mode: 775
- - makedirs: True
-
-filecheck_conf:
- file.managed:
- - name: /opt/so/conf/strelka/filecheck.yaml
- - source: salt://strelka/filecheck/filecheck.yaml.jinja
- - template: jinja
- - defaults:
- FILECHECKCONFIG: {{ STRELKAMERGED.filecheck }}
-
-filecheck_script:
- file.managed:
- - name: /opt/so/conf/strelka/filecheck
- - source: salt://strelka/filecheck/filecheck
- - user: 939
- - group: 939
- - mode: 755
-
-filecheck_restart:
- cmd.run:
- - name: pkill -f "python3 /opt/so/conf/strelka/filecheck"
- - hide_output: True
- - success_retcodes: [0,1]
- - onchanges:
- - file: filecheck_script
-
-filecheck_run:
- cron.present:
- - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
- - identifier: filecheck_run
- - user: {{ filecheck_runas }}
-
-filcheck_history_clean:
- cron.present:
- - name: '/usr/bin/find /nsm/strelka/history/ -type f -mtime +2 -exec rm {} + > /dev/null 2>&1'
- - identifier: filecheck_history_clean
- - minute: '33'
-# End Filecheck Section
-
-
-strelka_coordinator:
- docker_container.running:
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }}
- - name: so-strelka-coordinator
- - networks:
- - sobridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
- - entrypoint: redis-server --save "" --appendonly no
- - extra_hosts:
- - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- - port_bindings:
- {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
- - {{ BINDING }}
- {% endfor %}
-
-append_so-strelka-coordinator_so-status.conf:
- file.append:
- - name: /opt/so/conf/so-status/so-status.conf
- - text: so-strelka-coordinator
-
-strelka_gatekeeper:
- docker_container.running:
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }}
- - name: so-strelka-gatekeeper
- - networks:
- - sobridge:
- - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
- - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
- - extra_hosts:
- - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- - port_bindings:
- {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
- - {{ BINDING }}
- {% endfor %}
-
-append_so-strelka-gatekeeper_so-status.conf:
- file.append:
- - name: /opt/so/conf/so-status/so-status.conf
- - text: so-strelka-gatekeeper
-
-strelka_frontend:
- docker_container.running:
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-frontend:{{ GLOBALS.so_version }}
- - binds:
- - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
- - /nsm/strelka/log/:/var/log/strelka/:rw
- - privileged: True
- - name: so-strelka-frontend
- - networks:
- - sobridge:
- - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
- - command: strelka-frontend
- - extra_hosts:
- - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- - port_bindings:
- {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
- - {{ BINDING }}
- {% endfor %}
-
-append_so-strelka-frontend_so-status.conf:
- file.append:
- - name: /opt/so/conf/so-status/so-status.conf
- - text: so-strelka-frontend
-
-strelka_backend:
- docker_container.running:
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-backend:{{ GLOBALS.so_version }}
- - binds:
- - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
- - /opt/so/conf/strelka/rules/:/etc/yara/:ro
- - name: so-strelka-backend
- - networks:
- - sobridge:
- - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
- - command: strelka-backend
- - extra_hosts:
- - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- - restart_policy: on-failure
-
-append_so-strelka-backend_so-status.conf:
- file.append:
- - name: /opt/so/conf/so-status/so-status.conf
- - text: so-strelka-backend
-
-strelka_manager:
- docker_container.running:
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
- - binds:
- - /opt/so/conf/strelka/manager/:/etc/strelka/:ro
- - name: so-strelka-manager
- - networks:
- - sobridge:
- - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
- - command: strelka-manager
- - extra_hosts:
- - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-
-append_so-strelka-manager_so-status.conf:
- file.append:
- - name: /opt/so/conf/so-status/so-status.conf
- - text: so-strelka-manager
-
-strelka_filestream:
- docker_container.running:
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-filestream:{{ GLOBALS.so_version }}
- - binds:
- - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
- - /nsm/strelka:/nsm/strelka
- - name: so-strelka-filestream
- - networks:
- - sobridge:
- - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
- - command: strelka-filestream
- - extra_hosts:
- - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-
-append_so-strelka-filestream_so-status.conf:
- file.append:
- - name: /opt/so/conf/so-status/so-status.conf
- - text: so-strelka-filestream
+include:
+{% if STRELKAMERGED.coordinator.enabled %}
+ - strelka.coordinator.enabled
{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
+ - strelka.coordinator.disabled
+{% endif %}
+
+{% if STRELKAMERGED.gatekeeper.enabled %}
+ - strelka.gatekeeper.enabled
+{% else %}
+ - strelka.gatekeeper.disabled
+{% endif %}
+
+{% if STRELKAMERGED.frontend.enabled %}
+ - strelka.frontend.enabled
+{% else %}
+ - strelka.frontend.disabled
+{% endif %}
+
+{% if STRELKAMERGED.backend.enabled %}
+ - strelka.backend.enabled
+{% else %}
+ - strelka.backend.disabled
+{% endif %}
+
+{% if STRELKAMERGED.manager.enabled %}
+ - strelka.manager.enabled
+{% else %}
+ - strelka.manager.disabled
+{% endif %}
+
+{% if STRELKAMERGED.filestream.enabled %}
+ - strelka.filestream.enabled
+{% else %}
+ - strelka.filestream.disabled
{% endif %}
diff --git a/salt/strelka/manager/config.sls b/salt/strelka/manager/config.sls
new file mode 100644
index 000000000..a99bdb27a
--- /dev/null
+++ b/salt/strelka/manager/config.sls
@@ -0,0 +1,31 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+ - strelka.config
+ - strelka.manager.sostatus
+
+manager_config:
+ file.managed:
+ - name: /opt/so/conf/strelka/manager/manager.yaml
+ - source: salt://strelka/manager/files/manager.yaml.jinja
+ - template: jinja
+ - user: 939
+ - group: 939
+ - makedirs: True
+ - defaults:
+ MANAGERCONFIG: {{ STRELKAMERGED.manager.config }}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
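Review bot: Several states removed from this file have no counterpart in any of the new files visible in this diff: the `strelkaportavailable` pre-flight check for port 57314, the `strelkarules` recurse with `clean: True` that kept /opt/so/conf/strelka/rules identical to the master copy, the filecheck cron/restart states, and the /nsm/strelka directory creation. They have presumably moved into `strelka.config` and the per-component config states that are included but not shown here; please confirm, because dropping `clean: True` would let stale or hand-placed YARA rules persist on backend nodes, and dropping the port check leaves a port conflict to surface only as a container start failure. The new file also dereferences `STRELKAMERGED.coordinator` through `STRELKAMERGED.filestream` unconditionally, so strelka/map.jinja must supply defaults for all six `enabled` keys or rendering fails on a node whose pillar predates this layout. A short header comment naming where the shared directory, rule-sync and filecheck states now live would save the next reader the same search.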
diff --git a/salt/strelka/manager/disabled.sls b/salt/strelka/manager/disabled.sls
new file mode 100644
index 000000000..0826166ad
--- /dev/null
+++ b/salt/strelka/manager/disabled.sls
@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+ - strelka.manager.sostatus
+
+so-strelka-manager:
+ docker_container.absent:
+ - force: True
+
+so-strelka-manager_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-strelka-manager$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/manager/enabled.sls b/salt/strelka/manager/enabled.sls
new file mode 100644
index 000000000..0c78c9dcb
--- /dev/null
+++ b/salt/strelka/manager/enabled.sls
@@ -0,0 +1,39 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+ - strelka.manager.config
+ - strelka.manager.sostatus
+
+strelka_manager:
+ docker_container.running:
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
+ - binds:
+ - /opt/so/conf/strelka/manager/:/etc/strelka/:ro
+ - name: so-strelka-manager
+ - networks:
+ - sobridge:
+ - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
+ - command: strelka-manager
+ - extra_hosts:
+ - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+
+delete_so-strelka-manager_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-strelka-manager$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/files/manager/manager.yaml.jinja b/salt/strelka/manager/files/manager.yaml.jinja
similarity index 100%
rename from salt/strelka/files/manager/manager.yaml.jinja
rename to salt/strelka/manager/files/manager.yaml.jinja
diff --git a/salt/strelka/manager/init.sls b/salt/strelka/manager/init.sls
new file mode 100644
index 000000000..2b479751c
--- /dev/null
+++ b/salt/strelka/manager/init.sls
@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+{% if STRELKAMERGED.manager.enabled %}
+ - strelka.manager.enabled
+{% else %}
+ - strelka.manager.disabled
+{% endif %}
diff --git a/salt/strelka/manager/sostatus.sls b/salt/strelka/manager/sostatus.sls
new file mode 100644
index 000000000..5e42093f5
--- /dev/null
+++ b/salt/strelka/manager/sostatus.sls
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-strelka-manager_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-strelka-manager
+ - unless: grep -q so-strelka-manager /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml
index dbe949817..5cdf442d5 100644
--- a/salt/strelka/soc_strelka.yaml
+++ b/salt/strelka/soc_strelka.yaml
@@ -1,6 +1,9 @@
strelka:
- config:
- backend:
+ backend:
+ enabled:
+ description: You can enable or disable Strelka backend.
+ helpLink: strelka.html
+ config:
backend:
logging_cfg:
description: Path to the Python logging configuration.
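Review bot: This hunk moves the backend settings from `strelka:config:backend` to `strelka:backend:config` (the later hunks do the same for filestream, frontend and manager, and manager/config.sls now reads `STRELKAMERGED.manager.config`), so an existing pillar override written under the old path is silently no longer read and the merged defaults apply instead, with no render error to flag it. The diff contains no migration of existing pillar files; if so-minion or the upgrade tooling does not rewrite them, that step should be added, or at minimum the schema change called out in the release notes. A one-line comment at the top of each relocated block, e.g. `# moved from strelka.config.backend in <version>`, would also make the old/new mapping visible to whoever debugs a "my override stopped working" report.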
@@ -398,7 +401,11 @@ strelka:
global: False
helpLink: strelka.html
multiline: True
- filestream:
+ filestream:
+ enabled:
+ description: You can enable or disable Strelka filestream.
+ helpLink: strelka.html
+ config:
conn:
server:
description: Network address of the frontend server.
@@ -488,7 +495,11 @@ strelka:
global: False
helpLink: strelka.html
advanced: True
- frontend:
+ frontend:
+ enabled:
+ description: You can enable or disable Strelka frontend.
+ helpLink: strelka.html
+ config:
server:
description: Network address of the frontend server.
readonly: False
@@ -534,7 +545,11 @@ strelka:
global: False
helpLink: strelka.html
advanced: True
- manager:
+ manager:
+ enabled:
+ description: You can enable or disable Strelka manager.
+ helpLink: strelka.html
+ config:
coordinator:
addr:
description: Network address of the coordinator.
@@ -548,6 +563,14 @@ strelka:
global: False
helpLink: strelka.html
advanced: True
+ coordinator:
+ enabled:
+ description: You can enable or disable Strelka coordinator.
+ helpLink: strelka.html
+ gatekeeper:
+ enabled:
+ description: You can enable or disable Strelka gatekeeper.
+ helpLink: strelka.html
rules:
enabled:
description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes.
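Review bot: The new `coordinator.enabled` and `gatekeeper.enabled` entries (and the four like them earlier in this file) declare only `description` and `helpLink`, whereas the settings directly above them carry `readonly: False`, `global: False` and `advanced: True`. Setting one of these toggles to false runs the matching `disabled` state, which removes the container with `docker_container.absent`, so it is an operational switch with immediate effect; if `advanced` is what keeps a setting off the basic view, as the neighbouring entries suggest, these should get `advanced: True` too, and an explicit `global` value so the scope of the toggle is a deliberate choice rather than a UI default. The descriptions should also say what disabling does, e.g. `description: Enable or disable the Strelka gatekeeper on this node. Disabling removes the so-strelka-gatekeeper container.`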