CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10363 from Security-Onion-Solutions/issue/10229

Browse Source 
Issue/10229
This commit is contained in:
Josh Patterson
2023-05-16 09:36:31 -04:00
committed by GitHub
parent 1724565331 6325f6db16
commit 56a7fdcfcd
250 changed files with 8882 additions and 6003 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
pillar/top.sls
View File

@@ -101,6 +101,8 @@ base:
- soc.adv_soc
- soctopus.soc_soctopus
- soctopus.adv_soctopus
- kibana.soc_kibana
- kibana.adv_kibana
- strelka.soc_strelka
- strelka.adv_strelka
- curator.soc_curator
@@ -155,6 +157,8 @@ base:
- soc.adv_soc
- soctopus.soc_soctopus
- soctopus.adv_soctopus
- kibana.soc_kibana
- kibana.adv_kibana
- strelka.soc_strelka
- strelka.adv_strelka
- curator.soc_curator
@@ -248,6 +252,8 @@ base:
- soc.adv_soc
- soctopus.soc_soctopus
- soctopus.adv_soctopus
- kibana.soc_kibana
- kibana.adv_kibana
- curator.soc_curator
- curator.adv_curator
- backup.soc_backup

34
salt/allowed_states.map.jinja
View File

@@ -3,16 +3,6 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
{% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
{% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %}
{% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %}
{% set KIBANA = salt['pillar.get']('kibana:enabled', True) %}
{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %}
{% set CURATOR = salt['pillar.get']('curator:enabled', True) %}
{% set REDIS = salt['pillar.get']('redis:enabled', True) %}
{% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %}
{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}
{% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
{% set saltversion = saltversion.salt.minion.version %}
@@ -217,27 +207,27 @@
],
}, grain='role') %}
{% if (PLAYBOOK != 0) and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %}
{% if grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %}
{% do allowed_states.append('mysql') %}
{% endif %}
{%- if ZEEKVER != 'SURICATA' and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
{%- if grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
{% do allowed_states.append('zeek') %}
{%- endif %}
{% if STRELKA and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
{% if grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
{% do allowed_states.append('strelka') %}
{% endif %}
{% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %}
{% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %}
{% do allowed_states.append('elasticsearch') %}
{% endif %}
{% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
{% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
{% do allowed_states.append('elasticsearch.auth') %}
{% endif %}
{% if KIBANA and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
{% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
{% do allowed_states.append('kibana') %}
{% do allowed_states.append('kibana.secrets') %}
{% endif %}
@@ -246,23 +236,19 @@
{% do allowed_states.append('curator') %}
{% endif %}
{% if ELASTALERT and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
{% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
{% do allowed_states.append('elastalert') %}
{% endif %}
{% if (PLAYBOOK !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
{% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
{% do allowed_states.append('playbook') %}
{% endif %}
{% if (PLAYBOOK !=0) and grains.role in ['so-eval'] %}
{% do allowed_states.append('redis') %}
{% endif %}
{% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
{% if grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
{% do allowed_states.append('logstash') %}
{% endif %}
{% if REDIS and grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
{% if grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-receiver', 'so-eval'] %}
{% do allowed_states.append('redis') %}
{% endif %}

81
salt/curator/config.sls Normal file
View File

@@ -0,0 +1,81 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from "curator/map.jinja" import CURATORMERGED %}
# Create the group
curatorgroup:
group.present:
- name: curator
- gid: 934
# Add user
curator:
user.present:
- uid: 934
- gid: 934
- home: /opt/so/conf/curator
- createhome: False
# Create the log directory
curlogdir:
file.directory:
- name: /opt/so/log/curator
- user: 934
- group: 939
curactiondir:
file.directory:
- name: /opt/so/conf/curator/action
- user: 934
- group: 939
- makedirs: True
actionconfs:
file.recurse:
- name: /opt/so/conf/curator/action
- source: salt://curator/files/action
- user: 934
- group: 939
- template: jinja
- defaults:
CURATORMERGED: {{ CURATORMERGED.elasticsearch.index_settings }}
curconf:
file.managed:
- name: /opt/so/conf/curator/curator.yml
- source: salt://curator/files/curator.yml
- user: 934
- group: 939
- mode: 660
- template: jinja
- show_changes: False
curator_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://curator/tools/sbin
- user: 934
- group: 939
- file_mode: 755
curator_sbin_jinja:
file.recurse:
- name: /usr/sbin
- source: salt://curator/tools/sbin_jinja
- user: 934
- group: 939
- file_mode: 755
- template: jinja
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

198
salt/curator/defaults.yaml
View File

@@ -1,98 +1,100 @@
elasticsearch:
index_settings:
logs-import-so:
close: 73000
delete: 73001
logs-strelka-so:
close: 30
delete: 365
logs-suricata-so:
close: 30
delete: 365
logs-syslog-so:
close: 30
delete: 365
logs-zeek-so:
close: 30
delete: 365
logs-elastic_agent-metricbeat-default:
close: 30
delete: 365
logs-elastic_agent-osquerybeat-default:
close: 30
delete: 365
logs-elastic_agent-fleet_server-default:
close: 30
delete: 365
logs-elastic_agent-filebeat-default:
close: 30
delete: 365
logs-elastic_agent-default:
close: 30
delete: 365
logs-system-auth-default:
close: 30
delete: 365
logs-system-application-default:
close: 30
delete: 365
logs-system-security-default:
close: 30
delete: 365
logs-system-system-default:
close: 30
delete: 365
logs-system-syslog-default:
close: 30
delete: 365
logs-windows-powershell-default:
close: 30
delete: 365
logs-windows-sysmon_operational-default:
close: 30
delete: 365
so-beats:
close: 30
delete: 365
so-elasticsearch:
close: 30
delete: 365
so-firewall:
close: 30
delete: 365
so-ids:
close: 30
delete: 365
so-import:
close: 73000
delete: 73001
so-kratos:
close: 30
delete: 365
so-kibana:
close: 30
delete: 365
so-logstash:
close: 30
delete: 365
so-netflow:
close: 30
delete: 365
so-osquery:
close: 30
delete: 365
so-ossec:
close: 30
delete: 365
so-redis:
close: 30
delete: 365
so-strelka:
close: 30
delete: 365
so-syslog:
close: 30
delete: 365
so-zeek:
close: 30
delete: 365
curator:
enabled: False
elasticsearch:
index_settings:
logs-import-so:
close: 73000
delete: 73001
logs-strelka-so:
close: 30
delete: 365
logs-suricata-so:
close: 30
delete: 365
logs-syslog-so:
close: 30
delete: 365
logs-zeek-so:
close: 30
delete: 365
logs-elastic_agent-metricbeat-default:
close: 30
delete: 365
logs-elastic_agent-osquerybeat-default:
close: 30
delete: 365
logs-elastic_agent-fleet_server-default:
close: 30
delete: 365
logs-elastic_agent-filebeat-default:
close: 30
delete: 365
logs-elastic_agent-default:
close: 30
delete: 365
logs-system-auth-default:
close: 30
delete: 365
logs-system-application-default:
close: 30
delete: 365
logs-system-security-default:
close: 30
delete: 365
logs-system-system-default:
close: 30
delete: 365
logs-system-syslog-default:
close: 30
delete: 365
logs-windows-powershell-default:
close: 30
delete: 365
logs-windows-sysmon_operational-default:
close: 30
delete: 365
so-beats:
close: 30
delete: 365
so-elasticsearch:
close: 30
delete: 365
so-firewall:
close: 30
delete: 365
so-ids:
close: 30
delete: 365
so-import:
close: 73000
delete: 73001
so-kratos:
close: 30
delete: 365
so-kibana:
close: 30
delete: 365
so-logstash:
close: 30
delete: 365
so-netflow:
close: 30
delete: 365
so-osquery:
close: 30
delete: 365
so-ossec:
close: 30
delete: 365
so-redis:
close: 30
delete: 365
so-strelka:
close: 30
delete: 365
so-syslog:
close: 30
delete: 365
so-zeek:
close: 30
delete: 365

35
salt/curator/disabled.sls Normal file
View File

@@ -0,0 +1,35 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- curator.sostatus
so-curator:
docker_container.absent:
- force: True
so-curator_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-curator$
so-curator-cluster-close:
cron.absent:
- identifier: so-curator-cluster-close
so-curator-cluster-delete:
cron.absent:
- identifier: so-curator-cluster-delete
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

71
salt/curator/enabled.sls Normal file
View File

@@ -0,0 +1,71 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
- curator.config
- curator.sostatus
so-curator:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-curator:{{ GLOBALS.so_version }}
- start: True
- hostname: curator
- name: so-curator
- user: curator
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-curator'].ip }}
- interactive: True
- tty: True
- binds:
- /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
- /opt/so/conf/curator/action/:/etc/curator/action:ro
- /opt/so/log/curator:/var/log/curator:rw
- require:
- file: actionconfs
- file: curconf
- file: curlogdir
- watch:
- file: curconf
delete_so-curator_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-curator$
so-curator-cluster-close:
cron.present:
- name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1
- identifier: so-curator-cluster-close
- user: root
- minute: '2'
- hour: '*/1'
- daymonth: '*'
- month: '*'
- dayweek: '*'
so-curator-cluster-delete:
cron.present:
- name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1
- identifier: so-curator-cluster-delete
- user: root
- minute: '*/5'
- hour: '*'
- daymonth: '*'
- month: '*'
- dayweek: '*'
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

6
salt/curator/files/curator.yml
View File

@@ -4,9 +4,9 @@
# Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if grains['role'] in ['so-searchnode', 'so-heavynode'] %}
{% if GLOBALS.role in ['so-searchnode', 'so-heavynode'] %}
{%- set elasticsearch = GLOBALS.node_ip -%}
{% elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %}
{% elif GLOBALS.role in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %}
{%- set elasticsearch = GLOBALS.manager_ip -%}
{%- endif %}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
@@ -30,10 +30,8 @@ elasticsearch:
id:
api_key:
master_only: False
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
username: "{{ ES_USER }}"
password: "{{ ES_PASS }}"
{%- endif %}
logging:
loglevel: INFO

145
salt/curator/init.sls
View File

@@ -3,146 +3,11 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from "curator/map.jinja" import CURATOROPTIONS %}
{% from "curator/map.jinja" import CURATORMERGED %}
{% set REMOVECURATORCRON = False %}
# Curator
# Create the group
curatorgroup:
group.present:
- name: curator
- gid: 934
# Add user
curator:
user.present:
- uid: 934
- gid: 934
- home: /opt/so/conf/curator
- createhome: False
# Create the log directory
curlogdir:
file.directory:
- name: /opt/so/log/curator
- user: 934
- group: 939
curactiondir:
file.directory:
- name: /opt/so/conf/curator/action
- user: 934
- group: 939
- makedirs: True
actionconfs:
file.recurse:
- name: /opt/so/conf/curator/action
- source: salt://curator/files/action
- user: 934
- group: 939
- template: jinja
- defaults:
CURATORMERGED: {{ CURATORMERGED }}
curconf:
file.managed:
- name: /opt/so/conf/curator/curator.yml
- source: salt://curator/files/curator.yml
- user: 934
- group: 939
- mode: 660
- template: jinja
- show_changes: False
curator_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://curator/tools/sbin
- user: 934
- group: 939
- file_mode: 755
curator_sbin_jinja:
file.recurse:
- name: /usr/sbin
- source: salt://curator/tools/sbin_jinja
- user: 934
- group: 939
- file_mode: 755
- template: jinja
so-curator:
docker_container.{{ CURATOROPTIONS.status }}:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-curator:{{ GLOBALS.so_version }}
- start: {{ CURATOROPTIONS.start }}
- hostname: curator
- name: so-curator
- user: curator
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-curator'].ip }}
- interactive: True
- tty: True
- binds:
- /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
- /opt/so/conf/curator/action/:/etc/curator/action:ro
- /opt/so/log/curator:/var/log/curator:rw
- require:
- file: actionconfs
- file: curconf
- file: curlogdir
- watch:
- file: curconf
append_so-curator_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-curator
- unless: grep -q so-curator /opt/so/conf/so-status/so-status.conf
{% if not CURATOROPTIONS.start %}
so-curator_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-curator$
{% else %}
delete_so-curator_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-curator$
{% endif %}
so-curator-cluster-close:
cron.present:
- name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1
- identifier: so-curator-cluster-close
- user: root
- minute: '2'
- hour: '*/1'
- daymonth: '*'
- month: '*'
- dayweek: '*'
so-curator-cluster-delete:
cron.present:
- name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1
- identifier: so-curator-cluster-delete
- user: root
- minute: '*/5'
- hour: '*'
- daymonth: '*'
- month: '*'
- dayweek: '*'
{% from 'curator/map.jinja' import CURATORMERGED %}
include:
{% if CURATORMERGED.enabled %}
- curator.enabled
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
- curator.disabled
{% endif %}

21
salt/curator/map.jinja
View File

@@ -1,18 +1,7 @@
{% set CURATOROPTIONS = {} %}
{% set ENABLED = salt['pillar.get']('curator:enabled', True) %}
{% do CURATOROPTIONS.update({'manage_sostatus': True}) %}
# don't start the docker container if curator is disabled via pillar
{% if not ENABLED %}
{% do CURATOROPTIONS.update({'start': False}) %}
{% do CURATOROPTIONS.update({'status': 'absent'}) %}
{% if (TRUECLUSTER and grains.id.split('_')|last == 'searchnode') or (not TRUECLUSTER and grains.id.split('_')|last == 'manager') %}
{% do CURATOROPTIONS.update({'manage_sostatus': False}) %}
{% endif %}
{% else %}
{% do CURATOROPTIONS.update({'start': True}) %}
{% do CURATOROPTIONS.update({'status': 'running'}) %}
{% endif %}
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% import_yaml 'curator/defaults.yaml' as CURATORDEFAULTS %}
{% set CURATORMERGED = salt['pillar.get']('elasticsearch:index_settings', CURATORDEFAULTS.elasticsearch.index_settings, merge=true) %}
{% set CURATORMERGED = salt['pillar.get']('curator', CURATORDEFAULTS.curator, merge=true) %}

108
salt/curator/soc_curator.yaml Normal file
View File

@@ -0,0 +1,108 @@
curator:
enabled:
description: You can enable or disable Curator.
helpLink: curator.html
elasticsearch:
index_settings:
logs-import-so:
close: &close
description: Age, in days, when Curator closes the index.
helpLink: curator.html
forcedType: int
delete: &delete
description: Age, in days, when Curator deletes the index.
helpLink: curator.html
forcedType: int
logs-strelka-so:
close: *close
delete: *delete
logs-suricata-so:
close: *close
delete: *delete
logs-syslog-so:
close: *close
delete: *delete
logs-zeek-so:
close: *close
delete: *delete
logs-elastic_agent-metricbeat-default:
close: *close
delete: *delete
logs-elastic_agent-osquerybeat-default:
close: *close
delete: *delete
logs-elastic_agent-fleet_server-default:
close: *close
delete: *delete
logs-elastic_agent-filebeat-default:
close: *close
delete: *delete
logs-elastic_agent-default:
close: *close
delete: *delete
logs-system-auth-default:
close: *close
delete: *delete
logs-system-application-default:
close: *close
delete: *delete
logs-system-security-default:
close: *close
delete: *delete
logs-system-system-default:
close: *close
delete: *delete
logs-system-syslog-default:
close: *close
delete: *delete
logs-windows-powershell-default:
close: *close
delete: *delete
logs-windows-sysmon_operational-default:
close: *close
delete: *delete
so-beats:
close: *close
delete: *delete
so-elasticsearch:
close: *close
delete: *delete
so-firewall:
close: *close
delete: *delete
so-ids:
close: *close
delete: *delete
so-import:
close: *close
delete: *delete
so-kratos:
close: *close
delete: *delete
so-kibana:
close: *close
delete: *delete
so-logstash:
close: *close
delete: *delete
so-netflow:
close: *close
delete: *delete
so-osquery:
close: *close
delete: *delete
so-ossec:
close: *close
delete: *delete
so-redis:
close: *close
delete: *delete
so-strelka:
close: *close
delete: *delete
so-syslog:
close: *close
delete: *delete
so-zeek:
close: *close
delete: *delete

21
salt/curator/sostatus.sls Normal file
View File

@@ -0,0 +1,21 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
append_so-curator_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-curator
- unless: grep -q so-curator /opt/so/conf/so-status/so-status.conf
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

103
salt/elastalert/config.sls Normal file
View File

@@ -0,0 +1,103 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'elastalert/map.jinja' import ELASTALERTMERGED %}
# Create the group
elastagroup:
group.present:
- name: elastalert
- gid: 933
# Add user
elastalert:
user.present:
- uid: 933
- gid: 933
- home: /opt/so/conf/elastalert
- createhome: False
elastalogdir:
file.directory:
- name: /opt/so/log/elastalert
- user: 933
- group: 933
- makedirs: True
elastalert_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://elastalert/tools/sbin
- user: 933
- group: 939
- file_mode: 755
#elastalert_sbin_jinja:
# file.recurse:
# - name: /usr/sbin
# - source: salt://elastalert/tools/sbin_jinja
# - user: 933
# - group: 939
# - file_mode: 755
# - template: jinja
elastarules:
file.directory:
- name: /opt/so/rules/elastalert
- user: 933
- group: 933
- makedirs: True
elastaconfdir:
file.directory:
- name: /opt/so/conf/elastalert
- user: 933
- group: 933
- makedirs: True
elastasomodulesdir:
file.directory:
- name: /opt/so/conf/elastalert/modules/so
- user: 933
- group: 933
- makedirs: True
elastacustmodulesdir:
file.directory:
- name: /opt/so/conf/elastalert/modules/custom
- user: 933
- group: 933
- makedirs: True
elastasomodulesync:
file.recurse:
- name: /opt/so/conf/elastalert/modules/so
- source: salt://elastalert/files/modules/so
- user: 933
- group: 933
- makedirs: True
elastaconf:
file.managed:
- name: /opt/so/conf/elastalert/elastalert_config.yaml
- source: salt://elastalert/files/elastalert_config.yaml.jinja
- context:
elastalert_config: {{ ELASTALERTMERGED.config }}
- user: 933
- group: 933
- mode: 660
- template: jinja
- show_changes: False
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

1
salt/elastalert/defaults.yaml
View File

@@ -1,4 +1,5 @@
elastalert:
enabled: False
config:
rules_folder: /opt/elastalert/rules/
scan_subdirectories: true

27
salt/elastalert/disabled.sls Normal file
View File

@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- elastalert.sostatus
so-elastalert:
docker_container.absent:
- force: True
so-elastalert_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-elastalert$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

11
salt/elastalert/elastalert_config.map.jinja
View File

@@ -1,11 +0,0 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'elastalert/defaults.yaml' as ELASTALERT %}
{% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
{% do ELASTALERT.elastalert.config.update({'es_host': GLOBALS.manager}) %}
{% do ELASTALERT.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %}
{% do ELASTALERT.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %}
{% do salt['defaults.merge'](ELASTALERT.elastalert.config, elastalert_pillar, in_place=True) %}

58
salt/elastalert/enabled.sls Normal file
View File

@@ -0,0 +1,58 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
- elastalert.config
- elastalert.sostatus
wait_for_elasticsearch:
cmd.run:
- name: so-elasticsearch-wait
so-elastalert:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastalert:{{ GLOBALS.so_version }}
- hostname: elastalert
- name: so-elastalert
- user: so-elastalert
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
- detach: True
- binds:
- /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
- /opt/so/log/elastalert:/var/log/elastalert:rw
- /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
- /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- require:
- cmd: wait_for_elasticsearch
- file: elastarules
- file: elastalogdir
- file: elastacustmodulesdir
- file: elastaconf
- watch:
- file: elastaconf
- onlyif:
- "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" {# only run this state if elasticsearch is version 8 #}
delete_so-elastalert_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-elastalert$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

144
salt/elastalert/init.sls
View File

@@ -1,141 +1,13 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'elastalert/elastalert_config.map.jinja' import ELASTALERT as elastalert_config with context %}
# Create the group
elastagroup:
group.present:
- name: elastalert
- gid: 933
# Add user
elastalert:
user.present:
- uid: 933
- gid: 933
- home: /opt/so/conf/elastalert
- createhome: False
elastalogdir:
file.directory:
- name: /opt/so/log/elastalert
- user: 933
- group: 933
- makedirs: True
elastalert_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://elastalert/tools/sbin
- user: 933
- group: 939
- file_mode: 755
#elastalert_sbin_jinja:
# file.recurse:
# - name: /usr/sbin
# - source: salt://elastalert/tools/sbin_jinja
# - user: 933
# - group: 939
# - file_mode: 755
# - template: jinja
elastarules:
file.directory:
- name: /opt/so/rules/elastalert
- user: 933
- group: 933
- makedirs: True
elastaconfdir:
file.directory:
- name: /opt/so/conf/elastalert
- user: 933
- group: 933
- makedirs: True
elastasomodulesdir:
file.directory:
- name: /opt/so/conf/elastalert/modules/so
- user: 933
- group: 933
- makedirs: True
elastacustmodulesdir:
file.directory:
- name: /opt/so/conf/elastalert/modules/custom
- user: 933
- group: 933
- makedirs: True
elastasomodulesync:
file.recurse:
- name: /opt/so/conf/elastalert/modules/so
- source: salt://elastalert/files/modules/so
- user: 933
- group: 933
- makedirs: True
elastaconf:
file.managed:
- name: /opt/so/conf/elastalert/elastalert_config.yaml
- source: salt://elastalert/files/elastalert_config.yaml.jinja
- context:
elastalert_config: {{ elastalert_config.elastalert.config }}
- user: 933
- group: 933
- mode: 660
- template: jinja
- show_changes: False
wait_for_elasticsearch:
cmd.run:
- name: so-elasticsearch-wait
so-elastalert:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastalert:{{ GLOBALS.so_version }}
- hostname: elastalert
- name: so-elastalert
- user: so-elastalert
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
- detach: True
- binds:
- /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
- /opt/so/log/elastalert:/var/log/elastalert:rw
- /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
- /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- require:
- cmd: wait_for_elasticsearch
- file: elastarules
- file: elastalogdir
- file: elastacustmodulesdir
- file: elastaconf
- watch:
- file: elastaconf
- onlyif:
- "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" {# only run this state if elasticsearch is version 8 #}
append_so-elastalert_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-elastalert
{% from 'elastalert/map.jinja' import ELASTALERTMERGED %}
include:
{% if ELASTALERTMERGED.enabled %}
- elastalert.enabled
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
- elastalert.disabled
{% endif %}

15
salt/elastalert/map.jinja Normal file
View File

@@ -0,0 +1,15 @@
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'elastalert/defaults.yaml' as ELASTALERTDEFAULTS %}
{% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_host': GLOBALS.manager}) %}
{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %}
{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %}
{% set ELASTALERTMERGED = salt['pillar.get']('elastalert', ELASTALERTDEFAULTS.elastalert, merge=True) %}

3
salt/elastalert/soc_elastalert.yaml
View File

@@ -1,4 +1,7 @@
elastalert:
enabled:
description: You can enable or disable Elastalert.
helpLink: elastalert.html
config:
disable_rules_on_error:
description: Disable rules on failure.

21
salt/elastalert/sostatus.sls Normal file
View File

@@ -0,0 +1,21 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
append_so-elastalert_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-elastalert
- unless: grep -q so-elastalert /opt/so/conf/so-status/so-status.conf
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

29
salt/elastic-fleet-package-registry/config.sls Normal file
View File

@@ -0,0 +1,29 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
# Add Group
elasticsagentprgroup:
group.present:
- name: elastic-agent-pr
- gid: 948
# Add user
elastic-agent-pr:
user.present:
- uid: 948
- gid: 948
- home: /opt/so/conf/elastic-fleet-pr
- createhome: False
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

2
salt/elastic-fleet-package-registry/defaults.yaml Normal file
View File

@@ -0,0 +1,2 @@
elastic_fleet_package_registry:
enabled: False

27
salt/elastic-fleet-package-registry/disabled.sls Normal file
View File

@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- elastic-fleet-package-registry.sostatus
so-elastic-fleet-package-registry:
docker_container.absent:
- force: True
so-elastic-fleet-package-registry_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-elastic-fleet-package-registry$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

43
salt/elastic-fleet-package-registry/enabled.sls Normal file
View File

@@ -0,0 +1,43 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
- elastic-fleet-package-registry.config
- elastic-fleet-package-registry.sostatus
so-elastic-fleet-package-registry:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ GLOBALS.so_version }}
- name: so-elastic-fleet-package-registry
- hostname: Fleet-package-reg-{{ GLOBALS.hostname }}
- detach: True
- user: 948
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- port_bindings:
{% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
- {{ BINDING }}
{% endfor %}
delete_so-elastic-fleet-package-registry_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-elastic-fleet-package-registry$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

55
salt/elastic-fleet-package-registry/init.sls
View File

@@ -1,52 +1,13 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
# Add Group
elasticsagentprgroup:
group.present:
- name: elastic-agent-pr
- gid: 948
# Add user
elastic-agent-pr:
user.present:
- uid: 948
- gid: 948
- home: /opt/so/conf/elastic-fleet-pr
- createhome: False
so-elastic-fleet-package-registry:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ GLOBALS.so_version }}
- name: so-elastic-fleet-package-registry
- hostname: Fleet-package-reg-{{ GLOBALS.hostname }}
- detach: True
- user: 948
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- port_bindings:
{% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
- {{ BINDING }}
{% endfor %}
append_so-elastic-fleet-package-registry_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-elastic-fleet-package-registry
{% from 'elastic-fleet-package-registry/map.jinja' import ELASTICFLEETPACKAGEREGISTRYMERGED %}
include:
{% if ELASTICFLEETPACKAGEREGISTRYMERGED.enabled %}
- elastic-fleet-package-registry.enabled
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
- elastic-fleet-package-registry.disabled
{% endif %}

7
salt/elastic-fleet-package-registry/map.jinja Normal file
View File

@@ -0,0 +1,7 @@
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% import_yaml 'elastic-fleet-package-registry/defaults.yaml' as ELASTICFLEETPACKAGEREGISTRYDEFAULTS %}
{% set ELASTICFLEETPACKAGEREGISTRYMERGED = salt['pillar.get']('elastic_fleet_package_registry', ELASTICFLEETPACKAGEREGISTRYDEFAULTS.elastic_fleet_package_registry, merge=True) %}

4
salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml Normal file
View File

@@ -0,0 +1,4 @@
elastic_fleet_package_registry:
enabled:
description: You can enable or disable Elastic Fleet Package Registry.
advanced: True

21
salt/elastic-fleet-package-registry/sostatus.sls Normal file
View File

@@ -0,0 +1,21 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
append_so-elastic-fleet-package-registry_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-elastic-fleet-package-registry
- unless: grep -q so-elastic-fleet-package-registry /opt/so/conf/so-status/so-status.conf
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

60
salt/elasticfleet/config.sls Normal file
View File

@@ -0,0 +1,60 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
# Add EA Group
elasticsagentgroup:
group.present:
- name: elastic-agent
- gid: 947
# Add EA user
elastic-agent:
user.present:
- uid: 947
- gid: 947
- home: /opt/so/conf/elastic-fleet
- createhome: False
elasticfleet_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://elasticfleet/tools/sbin
- user: 947
- group: 939
- file_mode: 755
elasticfleet_sbin_jinja:
file.recurse:
- name: /usr/sbin
- source: salt://elasticfleet/tools/sbin_jinja
- user: 947
- group: 939
- file_mode: 755
- template: jinja
eaconfdir:
file.directory:
- name: /opt/so/conf/elastic-fleet
- user: 947
- group: 939
- makedirs: True
eastatedir:
file.directory:
- name: /opt/so/conf/elastic-fleet/state
- user: 947
- group: 939
- makedirs: True
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

8
salt/elasticfleet/defaults.yaml Normal file
View File

@@ -0,0 +1,8 @@
elasticfleet:
enabled: False
config:
server:
endpoints_enrollment: ''
es_token: ''
grid_enrollment: ''
url: ''

27
salt/elasticfleet/disabled.sls Normal file
View File

@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- elasticfleet.sostatus
so-elastic-fleet:
docker_container.absent:
- force: True
so-elastic-fleet_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-elastic-fleet$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

62
salt/elasticfleet/enabled.sls Normal file
View File

@@ -0,0 +1,62 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{# This value is generated during node install and stored in minion pillar #}
{% set SERVICETOKEN = salt['pillar.get']('elasticfleet:config:server:es_token','') %}
include:
- elasticfleet.config
- elasticfleet.sostatus
{% if SERVICETOKEN != '' %}
so-elastic-fleet:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }}
- name: so-elastic-fleet
- hostname: FleetServer-{{ GLOBALS.hostname }}
- detach: True
- user: 947
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- port_bindings:
{% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
- /etc/pki:/etc/pki:ro
#- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
- environment:
- FLEET_SERVER_ENABLE=true
- FLEET_URL=https://{{ GLOBALS.node_ip }}:8220
- FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200
- FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }}
- FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }}
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
- FLEET_SERVER_CERT=/etc/pki/elasticfleet.crt
- FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet.key
- FLEET_CA=/etc/pki/tls/certs/intca.crt
{% endif %}
delete_so-elastic-fleet_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-elastic-fleet$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

107
salt/elasticfleet/init.sls
View File

@@ -1,104 +1,13 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
# These values are generated during node install and stored in minion pillar
{% set SERVICETOKEN = salt['pillar.get']('elasticfleet:server:es_token','') %}
#{% set FLEETSERVERPOLICY = salt['pillar.get']('elasticfleet:server:server_policy','so-manager') %}
#{% set FLEETURL = salt['pillar.get']('elasticfleet:server:url') %}
# Add EA Group
elasticsagentgroup:
group.present:
- name: elastic-agent
- gid: 947
# Add EA user
elastic-agent:
user.present:
- uid: 947
- gid: 947
- home: /opt/so/conf/elastic-fleet
- createhome: False
elasticfleet_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://elasticfleet/tools/sbin
- user: 947
- group: 939
- file_mode: 755
elasticfleet_sbin_jinja:
file.recurse:
- name: /usr/sbin
- source: salt://elasticfleet/tools/sbin_jinja
- user: 947
- group: 939
- file_mode: 755
- template: jinja
eaconfdir:
file.directory:
- name: /opt/so/conf/elastic-fleet
- user: 947
- group: 939
- makedirs: True
eastatedir:
file.directory:
- name: /opt/so/conf/elastic-fleet/state
- user: 947
- group: 939
- makedirs: True
{% if SERVICETOKEN != '' %}
so-elastic-fleet:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }}
- name: so-elastic-fleet
- hostname: FleetServer-{{ GLOBALS.hostname }}
- detach: True
- user: 947
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- port_bindings:
{% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
- /etc/pki:/etc/pki:ro
#- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
- environment:
- FLEET_SERVER_ENABLE=true
- FLEET_URL=https://{{ GLOBALS.node_ip }}:8220
- FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200
- FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }}
- FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }}
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
- FLEET_SERVER_CERT=/etc/pki/elasticfleet.crt
- FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet.key
- FLEET_CA=/etc/pki/tls/certs/intca.crt
{% endif %}
append_so-elastic-fleet_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-elastic-fleet
{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
include:
{% if ELASTICFLEETMERGED.enabled %}
- elasticfleet.enabled
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
- elasticfleet.disabled
{% endif %}

7
salt/elasticfleet/map.jinja Normal file
View File

@@ -0,0 +1,7 @@
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %}
{% set ELASTICFLEETMERGED = salt['pillar.get']('elasticfleet', ELASTICFLEETDEFAULTS.elasticfleet, merge=True) %}

53
salt/elasticfleet/soc_elasticfleet.yaml
View File

@@ -1,25 +1,30 @@
elasticfleet:
server:
endpoints_enrollment:
description: Endpoint enrollment key.
global: True
helpLink: elastic-fleet.html
sensitive: True
advanced: True
es_token:
description: Elastic auth token.
global: True
helpLink: elastic-fleet.html
sensitive: True
advanced: True
grid_enrollment:
description: Grid enrollment key.
global: True
helpLink: elastic-fleet.html
sensitive: True
advanced: True
url:
description: Agent connection URL.
global: True
helpLink: elastic-fleet.html
advanced: True
enabled:
description: You can enable or disable Elastic Fleet.
advanced: True
helpLink: elastic-fleet.html
config:
server:
endpoints_enrollment:
description: Endpoint enrollment key.
global: True
helpLink: elastic-fleet.html
sensitive: True
advanced: True
es_token:
description: Elastic auth token.
global: True
helpLink: elastic-fleet.html
sensitive: True
advanced: True
grid_enrollment:
description: Grid enrollment key.
global: True
helpLink: elastic-fleet.html
sensitive: True
advanced: True
url:
description: Agent connection URL.
global: True
helpLink: elastic-fleet.html
advanced: True

21
salt/elasticfleet/sostatus.sls Normal file
View File

@@ -0,0 +1,21 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
append_so-elastic-fleet_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-elastic-fleet
- unless: grep -q ^so-elastic-fleet$ /opt/so/conf/so-status/so-status.conf
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

10
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
View File

@@ -81,10 +81,12 @@ GRIDNODESENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "loc
pillar_file=/opt/so/saltstack/local/pillar/minions/{{ GLOBALS.minion_id }}.sls
printf '%s\n'\
"elasticfleet:"\
" server:"\
" es_token: '$ESTOKEN'"\
" endpoints_enrollment: '$ENDPOINTSENROLLMENTOKEN'"\
" grid_enrollment: '$GRIDNODESENROLLMENTOKEN'"\
" enabled: True"\
" config:"\
" server:"\
" es_token: '$ESTOKEN'"\
" endpoints_enrollment: '$ENDPOINTSENROLLMENTOKEN'"\
" grid_enrollment: '$GRIDNODESENROLLMENTOKEN'"\
"" >> "$pillar_file"
#Store Grid Nodes Enrollment token in Global pillar

50
salt/elasticsearch/ca.sls Normal file
View File

@@ -0,0 +1,50 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
# Move our new CA over so Elastic and Logstash can use SSL with the internal CA
catrustdir:
file.directory:
- name: /opt/so/conf/ca
- user: 939
- group: 939
- makedirs: True
{% if GLOBALS.is_manager %}
# We have to add the Manager CA to the CA list
cascriptsync:
cmd.script:
- source: salt://elasticsearch/tools/sbin_jinja/so-catrust
- template: jinja
- defaults:
GLOBALS: {{ GLOBALS }}
{% endif %}
{% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-searchnode'] %}
cacertz:
file.managed:
- name: /opt/so/conf/ca/cacerts
- source: salt://elasticsearch/cacerts
- user: 939
- group: 939
capemz:
file.managed:
- name: /opt/so/conf/ca/tls-ca-bundle.pem
- source: salt://elasticsearch/tls-ca-bundle.pem
- user: 939
- group: 939
{% endif %}
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

29
salt/elasticsearch/config.map.jinja
View File

@@ -1,44 +1,43 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
{% from 'logstash/map.jinja' import LOGSTASH_NODES with context %}
{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
{% if grains.id.split('_') | last in ['manager','managersearch','standalone'] %}
{% if LOGSTASH_NODES | length > 1 %}
{% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': []}}) %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': []}}) %}
{% for NODE in LOGSTASH_NODES %}
{% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %}
{% endfor %}
{% if grains.id.split('_') | last == 'manager' %}
{% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client']}) %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client']}) %}
{% else %}
{% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data_hot', 'remote_cluster_client']}) %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master', 'data_hot', 'remote_cluster_client']}) %}
{% endif %}
{% endif %}
{% elif grains.id.split('_') | last == 'searchnode' %}
{% do ESCONFIG.elasticsearch.config.node.update({'roles': ['data_hot', 'ingest']}) %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['data_hot', 'ingest']}) %}
{% if HIGHLANDER %}
{% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
{% endif %}
{% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
{% endif %}
{% if HIGHLANDER %}
{% do ESCONFIG.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
{% endif %}
{% do ESCONFIG.elasticsearch.config.node.update({'name': GLOBALS.hostname}) %}
{% do ESCONFIG.elasticsearch.config.cluster.update({'name': GLOBALS.hostname}) %}
{% do ESCONFIG.elasticsearch.config.transport.update({'publish_host': GLOBALS.hostname}) %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'name': GLOBALS.hostname}) %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.cluster.update({'name': GLOBALS.hostname}) %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.transport.update({'publish_host': GLOBALS.hostname}) %}
{# merge with the elasticsearch pillar #}
{% set ESCONFIG = salt['pillar.get']('elasticsearch:config', default=ESCONFIG.elasticsearch.config, merge=True) %}
{% set ELASTICSEARCHMERGED = salt['pillar.get']('elasticsearch', default=ELASTICSEARCHDEFAULTS.elasticsearch, merge=True) %}
{% if salt['pillar.get']('elasticsearch:config:path:repo', False) %}
{% for repo in pillar.elasticsearch.config.path.repo %}
{# remove elasticsearch.config.path.repo value if the directory doesn't exist on the node #}
{% if not salt['file.directory_exists'](repo) %}
{% do ESCONFIG.path.repo.remove(repo) %}
{% do ELASTICSEARCHMERGED.config.path.repo.remove(repo) %}
{% endif %}
{% endfor %}
{% endif %}

219
salt/elasticsearch/config.sls Normal file
View File

@@ -0,0 +1,219 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- ssl
- elasticsearch.ca
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
vm.max_map_count:
sysctl.present:
- value: 262144
# Add ES Group
elasticsearchgroup:
group.present:
- name: elasticsearch
- gid: 930
esconfdir:
file.directory:
- name: /opt/so/conf/elasticsearch
- user: 930
- group: 939
- makedirs: True
# Add ES user
elasticsearch:
user.present:
- uid: 930
- gid: 930
- home: /opt/so/conf/elasticsearch
- createhome: False
elasticsearch_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://elasticsearch/tools/sbin
- user: 930
- group: 939
- file_mode: 755
- exclude_pat:
- so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state
elasticsearch_sbin_jinja:
file.recurse:
- name: /usr/sbin
- source: salt://elasticsearch/tools/sbin_jinja
- user: 939
- group: 939
- file_mode: 755
- template: jinja
- exclude_pat:
- so-elasticsearch-ilm-policy-load # exclude this because we need to watch it for changes, we sync it in another state
- defaults:
GLOBALS: {{ GLOBALS }}
so-elasticsearch-ilm-policy-load-script:
file.managed:
- name: /usr/sbin/so-elasticsearch-ilm-policy-load
- source: salt://elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load
- user: 930
- group: 939
- mode: 754
- template: jinja
so-elasticsearch-pipelines-script:
file.managed:
- name: /usr/sbin/so-elasticsearch-pipelines
- source: salt://elasticsearch/tools/sbin/so-elasticsearch-pipelines
- user: 930
- group: 939
- mode: 754
esingestdir:
file.directory:
- name: /opt/so/conf/elasticsearch/ingest
- user: 930
- group: 939
- makedirs: True
estemplatedir:
file.directory:
- name: /opt/so/conf/elasticsearch/templates/index
- user: 930
- group: 939
- makedirs: True
esrolesdir:
file.directory:
- name: /opt/so/conf/elasticsearch/roles
- user: 930
- group: 939
- makedirs: True
eslibdir:
file.absent:
- name: /opt/so/conf/elasticsearch/lib
esingestdynamicconf:
file.recurse:
- name: /opt/so/conf/elasticsearch/ingest
- source: salt://elasticsearch/files/ingest-dynamic
- user: 930
- group: 939
- template: jinja
esingestconf:
file.recurse:
- name: /opt/so/conf/elasticsearch/ingest
- source: salt://elasticsearch/files/ingest
- user: 930
- group: 939
eslog4jfile:
file.managed:
- name: /opt/so/conf/elasticsearch/log4j2.properties
- source: salt://elasticsearch/files/log4j2.properties
- user: 930
- group: 939
- template: jinja
esyml:
file.managed:
- name: /opt/so/conf/elasticsearch/elasticsearch.yml
- source: salt://elasticsearch/files/elasticsearch.yaml.jinja
- user: 930
- group: 939
- defaults:
ESCONFIG: {{ ELASTICSEARCHMERGED.config }}
- template: jinja
esroles:
file.recurse:
- source: salt://elasticsearch/roles/
- name: /opt/so/conf/elasticsearch/roles/
- clean: True
- template: jinja
- user: 930
- group: 939
nsmesdir:
file.directory:
- name: /nsm/elasticsearch
- user: 930
- group: 939
- makedirs: True
eslogdir:
file.directory:
- name: /opt/so/log/elasticsearch
- user: 930
- group: 939
- makedirs: True
es_repo_dir:
file.directory:
- name: /nsm/elasticsearch/repo/
- user: 930
- group: 930
- require:
- file: nsmesdir
so-pipelines-reload:
file.absent:
- name: /opt/so/state/espipelines.txt
- onchanges:
- file: esingestconf
- file: esingestdynamicconf
- file: esyml
- file: so-elasticsearch-pipelines-script
auth_users:
file.managed:
- name: /opt/so/conf/elasticsearch/users.tmp
- source: salt://elasticsearch/files/users
- user: 930
- group: 930
- mode: 600
- show_changes: False
auth_users_roles:
file.managed:
- name: /opt/so/conf/elasticsearch/users_roles.tmp
- source: salt://elasticsearch/files/users_roles
- user: 930
- group: 930
- mode: 600
- show_changes: False
auth_users_inode:
require:
- file: auth_users
cmd.run:
- name: cat /opt/so/conf/elasticsearch/users.tmp > /opt/so/conf/elasticsearch/users && chown 930:939 /opt/so/conf/elasticsearch/users && chmod 660 /opt/so/conf/elasticsearch/users
- onchanges:
- file: /opt/so/conf/elasticsearch/users.tmp
auth_users_roles_inode:
require:
- file: auth_users_roles
cmd.run:
- name: cat /opt/so/conf/elasticsearch/users_roles.tmp > /opt/so/conf/elasticsearch/users_roles && chown 930:939 /opt/so/conf/elasticsearch/users_roles && chmod 660 /opt/so/conf/elasticsearch/users_roles
- onchanges:
- file: /opt/so/conf/elasticsearch/users_roles.tmp
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

1
salt/elasticsearch/defaults.yaml
View File

@@ -1,4 +1,5 @@
elasticsearch:
enabled: False
retention:
retention_pct: 50
config:

27
salt/elasticsearch/disabled.sls Normal file
View File

@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- elasticsearch.sostatus
so-elasticsearch:
docker_container.absent:
- force: True
so-elasticsearch_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-elasticsearch$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

183
salt/elasticsearch/enabled.sls Normal file
View File

@@ -0,0 +1,183 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'logstash/map.jinja' import LOGSTASH_NODES %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
{% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}
{% from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS %}
include:
- elasticsearch.config
- elasticsearch.sostatus
so-elasticsearch:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }}
- hostname: elasticsearch
- name: so-elasticsearch
- user: elasticsearch
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
- extra_hosts: {{ LOGSTASH_NODES }}
- environment:
{% if LOGSTASH_NODES | length == 1 %}
- discovery.type=single-node
{% endif %}
- ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
ulimits:
- memlock=-1:-1
- nofile=65536:65536
- nproc=4096
- port_bindings:
{% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
- /opt/so/conf/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
- /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
- /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
- /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
- /opt/so/conf/ca/cacerts:/usr/share/elasticsearch/jdk/lib/security/cacerts:ro
{% if GLOBALS.is_manager %}
- /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
{% else %}
- /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro
{% endif %}
- /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro
- /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro
- /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro
- /opt/so/conf/elasticsearch/users_roles:/usr/share/elasticsearch/config/users_roles:ro
- /opt/so/conf/elasticsearch/users:/usr/share/elasticsearch/config/users:ro
{% if ELASTICSEARCHMERGED.config.path.get('repo', False) %}
{% for repo in ELASTICSEARCHMERGED.config.path.repo %}
- {{ repo }}:{{ repo }}:rw
{% endfor %}
{% endif %}
- watch:
- file: cacertz
- file: esyml
- require:
- file: esyml
- file: eslog4jfile
- file: nsmesdir
- file: eslogdir
- file: cacertz
- x509: /etc/pki/elasticsearch.crt
- x509: /etc/pki/elasticsearch.key
- file: elasticp12perms
{% if GLOBALS.is_manager %}
- x509: pki_public_ca_crt
{% else %}
- x509: trusttheca
{% endif %}
- cmd: auth_users_roles_inode
- cmd: auth_users_inode
delete_so-elasticsearch_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-elasticsearch$
{% if GLOBALS.role != "so-searchnode" %}
escomponenttemplates:
file.recurse:
- name: /opt/so/conf/elasticsearch/templates/component
- source: salt://elasticsearch/templates/component
- user: 930
- group: 939
- onchanges_in:
- cmd: so-elasticsearch-templates
# Auto-generate templates from defaults file
{% for index, settings in ES_INDEX_SETTINGS.items() %}
{% if settings.index_template is defined %}
es_index_template_{{index}}:
file.managed:
- name: /opt/so/conf/elasticsearch/templates/index/{{ index }}-template.json
- source: salt://elasticsearch/base-template.json.jinja
- defaults:
TEMPLATE_CONFIG: {{ settings.index_template }}
- template: jinja
- onchanges_in:
- cmd: so-elasticsearch-templates
{% endif %}
{% endfor %}
{% if TEMPLATES %}
# Sync custom templates to /opt/so/conf/elasticsearch/templates
{% for TEMPLATE in TEMPLATES %}
es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
file.managed:
- source: salt://elasticsearch/templates/index/{{TEMPLATE}}
{% if 'jinja' in TEMPLATE.split('.')[-1] %}
- name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}
- template: jinja
{% else %}
- name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1]}}
{% endif %}
- user: 930
- group: 939
- onchanges_in:
- cmd: so-elasticsearch-templates
{% endfor %}
{% endif %}
so-es-cluster-settings:
cmd.run:
- name: /usr/sbin/so-elasticsearch-cluster-settings
- cwd: /opt/so
- template: jinja
- require:
- docker_container: so-elasticsearch
- file: elasticsearch_sbin_jinja
so-elasticsearch-ilm-policy-load:
cmd.run:
- name: /usr/sbin/so-elasticsearch-ilm-policy-load
- cwd: /opt/so
- require:
- docker_container: so-elasticsearch
- file: so-elasticsearch-ilm-policy-load-script
- onchanges:
- file: so-elasticsearch-ilm-policy-load-script
so-elasticsearch-templates:
cmd.run:
- name: /usr/sbin/so-elasticsearch-templates-load
- cwd: /opt/so
- template: jinja
- require:
- docker_container: so-elasticsearch
- file: elasticsearch_sbin_jinja
so-elasticsearch-pipelines:
cmd.run:
- name: /usr/sbin/so-elasticsearch-pipelines {{ GLOBALS.hostname }}
- require:
- docker_container: so-elasticsearch
- file: so-elasticsearch-pipelines-script
so-elasticsearch-roles-load:
cmd.run:
- name: /usr/sbin/so-elasticsearch-roles-load
- cwd: /opt/so
- template: jinja
- require:
- docker_container: so-elasticsearch
- file: elasticsearch_sbin_jinja
{% endif %}
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

424
salt/elasticsearch/init.sls
View File

@@ -3,425 +3,11 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
include:
- ssl
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}
{% set ROLES = salt['pillar.get']('elasticsearch:roles', {}) %}
{% from 'elasticsearch/config.map.jinja' import ESCONFIG with context %}
{% from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS without context %}
{% from 'logstash/map.jinja' import LOGSTASH_NODES %}
vm.max_map_count:
sysctl.present:
- value: 262144
# Add ES Group
elasticsearchgroup:
group.present:
- name: elasticsearch
- gid: 930
esconfdir:
file.directory:
- name: /opt/so/conf/elasticsearch
- user: 930
- group: 939
- makedirs: True
# Add ES user
elasticsearch:
user.present:
- uid: 930
- gid: 930
- home: /opt/so/conf/elasticsearch
- createhome: False
{% if GLOBALS.is_manager %}
# We have to add the Manager CA to the CA list
cascriptsync:
file.managed:
- name: /usr/sbin/so-catrust
- source: salt://elasticsearch/tools/sbin_jinja/so-catrust
- user: 939
- group: 939
- mode: 750
- template: jinja
- defaults:
GLOBALS: {{ GLOBALS }}
# Run the CA magic
cascriptfun:
cmd.run:
- name: /usr/sbin/so-catrust
- require:
- file: cascriptsync
{% endif %}
elasticsearch_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://elasticsearch/tools/sbin
- user: 930
- group: 939
- file_mode: 755
- exclude_pat:
- so-catrust
- so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state
elasticsearch_sbin_jinja:
file.recurse:
- name: /usr/sbin
- source: salt://elasticsearch/tools/sbin_jinja
- user: 939
- group: 939
- file_mode: 755
- template: jinja
- exclude_pat:
- so-elasticsearch-ilm-policy-load # exclude this because we need to watch it for changes, we sync it in another state
- defaults:
GLOBALS: {{ GLOBALS }}
so-elasticsearch-ilm-policy-load-script:
file.managed:
- name: /usr/sbin/so-elasticsearch-ilm-policy-load
- source: salt://elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load
- user: 930
- group: 939
- mode: 754
- template: jinja
so-elasticsearch-pipelines-script:
file.managed:
- name: /usr/sbin/so-elasticsearch-pipelines
- source: salt://elasticsearch/tools/sbin/so-elasticsearch-pipelines
- user: 930
- group: 939
- mode: 754
# Move our new CA over so Elastic and Logstash can use SSL with the internal CA
catrustdir:
file.directory:
- name: /opt/so/conf/ca
- user: 939
- group: 939
- makedirs: True
cacertz:
file.managed:
- name: /opt/so/conf/ca/cacerts
- source: salt://common/cacerts
- user: 939
- group: 939
capemz:
file.managed:
- name: /opt/so/conf/ca/tls-ca-bundle.pem
- source: salt://common/tls-ca-bundle.pem
- user: 939
- group: 939
esingestdir:
file.directory:
- name: /opt/so/conf/elasticsearch/ingest
- user: 930
- group: 939
- makedirs: True
estemplatedir:
file.directory:
- name: /opt/so/conf/elasticsearch/templates/index
- user: 930
- group: 939
- makedirs: True
esrolesdir:
file.directory:
- name: /opt/so/conf/elasticsearch/roles
- user: 930
- group: 939
- makedirs: True
eslibdir:
file.absent:
- name: /opt/so/conf/elasticsearch/lib
esingestdynamicconf:
file.recurse:
- name: /opt/so/conf/elasticsearch/ingest
- source: salt://elasticsearch/files/ingest-dynamic
- user: 930
- group: 939
- template: jinja
esingestconf:
file.recurse:
- name: /opt/so/conf/elasticsearch/ingest
- source: salt://elasticsearch/files/ingest
- user: 930
- group: 939
eslog4jfile:
file.managed:
- name: /opt/so/conf/elasticsearch/log4j2.properties
- source: salt://elasticsearch/files/log4j2.properties
- user: 930
- group: 939
- template: jinja
esyml:
file.managed:
- name: /opt/so/conf/elasticsearch/elasticsearch.yml
- source: salt://elasticsearch/files/elasticsearch.yaml.jinja
- user: 930
- group: 939
- defaults:
ESCONFIG: {{ ESCONFIG }}
- template: jinja
{% if GLOBALS.role != "so-searchnode" %}
escomponenttemplates:
file.recurse:
- name: /opt/so/conf/elasticsearch/templates/component
- source: salt://elasticsearch/templates/component
- user: 930
- group: 939
- onchanges_in:
- cmd: so-elasticsearch-templates
# Auto-generate templates from defaults file
{% for index, settings in ES_INDEX_SETTINGS.items() %}
{% if settings.index_template is defined %}
es_index_template_{{index}}:
file.managed:
- name: /opt/so/conf/elasticsearch/templates/index/{{ index }}-template.json
- source: salt://elasticsearch/base-template.json.jinja
- defaults:
TEMPLATE_CONFIG: {{ settings.index_template }}
- template: jinja
- onchanges_in:
- cmd: so-elasticsearch-templates
{% endif %}
{% endfor %}
{% if TEMPLATES %}
# Sync custom templates to /opt/so/conf/elasticsearch/templates
{% for TEMPLATE in TEMPLATES %}
es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
file.managed:
- source: salt://elasticsearch/templates/index/{{TEMPLATE}}
{% if 'jinja' in TEMPLATE.split('.')[-1] %}
- name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}
- template: jinja
{% else %}
- name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1]}}
{% endif %}
- user: 930
- group: 939
- onchanges_in:
- cmd: so-elasticsearch-templates
{% endfor %}
{% endif %}
{% endif %}
esroles:
file.recurse:
- source: salt://elasticsearch/roles/
- name: /opt/so/conf/elasticsearch/roles/
- clean: True
- template: jinja
- user: 930
- group: 939
nsmesdir:
file.directory:
- name: /nsm/elasticsearch
- user: 930
- group: 939
- makedirs: True
eslogdir:
file.directory:
- name: /opt/so/log/elasticsearch
- user: 930
- group: 939
- makedirs: True
es_repo_dir:
file.directory:
- name: /nsm/elasticsearch/repo/
- user: 930
- group: 930
- require:
- file: nsmesdir
so-pipelines-reload:
file.absent:
- name: /opt/so/state/espipelines.txt
- onchanges:
- file: esingestconf
- file: esingestdynamicconf
- file: esyml
- file: so-elasticsearch-pipelines-script
auth_users:
file.managed:
- name: /opt/so/conf/elasticsearch/users.tmp
- source: salt://elasticsearch/files/users
- user: 930
- group: 930
- mode: 600
- show_changes: False
auth_users_roles:
file.managed:
- name: /opt/so/conf/elasticsearch/users_roles.tmp
- source: salt://elasticsearch/files/users_roles
- user: 930
- group: 930
- mode: 600
- show_changes: False
auth_users_inode:
require:
- file: auth_users
cmd.run:
- name: cat /opt/so/conf/elasticsearch/users.tmp > /opt/so/conf/elasticsearch/users && chown 930:939 /opt/so/conf/elasticsearch/users && chmod 660 /opt/so/conf/elasticsearch/users
- onchanges:
- file: /opt/so/conf/elasticsearch/users.tmp
auth_users_roles_inode:
require:
- file: auth_users_roles
cmd.run:
- name: cat /opt/so/conf/elasticsearch/users_roles.tmp > /opt/so/conf/elasticsearch/users_roles && chown 930:939 /opt/so/conf/elasticsearch/users_roles && chmod 660 /opt/so/conf/elasticsearch/users_roles
- onchanges:
- file: /opt/so/conf/elasticsearch/users_roles.tmp
so-elasticsearch:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }}
- hostname: elasticsearch
- name: so-elasticsearch
- user: elasticsearch
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
- extra_hosts: {{ LOGSTASH_NODES }}
- environment:
{% if LOGSTASH_NODES | length == 1 %}
- discovery.type=single-node
{% endif %}
- ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
ulimits:
- memlock=-1:-1
- nofile=65536:65536
- nproc=4096
- port_bindings:
{% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
- /opt/so/conf/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
- /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
- /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
- /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
- /opt/so/conf/ca/cacerts:/usr/share/elasticsearch/jdk/lib/security/cacerts:ro
{% if GLOBALS.is_manager %}
- /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
{% else %}
- /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro
{% endif %}
- /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro
- /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro
- /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro
- /opt/so/conf/elasticsearch/users_roles:/usr/share/elasticsearch/config/users_roles:ro
- /opt/so/conf/elasticsearch/users:/usr/share/elasticsearch/config/users:ro
{% if ESCONFIG.path.get('repo', False) %}
{% for repo in ESCONFIG.path.repo %}
- {{ repo }}:{{ repo }}:rw
{% endfor %}
{% endif %}
- watch:
- file: cacertz
- file: esyml
- require:
- file: esyml
- file: eslog4jfile
- file: nsmesdir
- file: eslogdir
- file: cacertz
- x509: /etc/pki/elasticsearch.crt
- x509: /etc/pki/elasticsearch.key
- file: elasticp12perms
{% if GLOBALS.is_manager %}
- x509: pki_public_ca_crt
{% else %}
- x509: trusttheca
{% endif %}
- cmd: auth_users_roles_inode
- cmd: auth_users_inode
append_so-elasticsearch_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-elasticsearch
{% if GLOBALS.role != "so-searchnode" %}
so-es-cluster-settings:
cmd.run:
- name: /usr/sbin/so-elasticsearch-cluster-settings
- cwd: /opt/so
- template: jinja
- require:
- docker_container: so-elasticsearch
- file: elasticsearch_sbin_jinja
so-elasticsearch-ilm-policy-load:
cmd.run:
- name: /usr/sbin/so-elasticsearch-ilm-policy-load
- cwd: /opt/so
- require:
- docker_container: so-elasticsearch
- file: so-elasticsearch-ilm-policy-load-script
- onchanges:
- file: so-elasticsearch-ilm-policy-load-script
so-elasticsearch-templates:
cmd.run:
- name: /usr/sbin/so-elasticsearch-templates-load
- cwd: /opt/so
- template: jinja
- require:
- docker_container: so-elasticsearch
- file: elasticsearch_sbin_jinja
so-elasticsearch-pipelines:
cmd.run:
- name: /usr/sbin/so-elasticsearch-pipelines {{ GLOBALS.hostname }}
- require:
- docker_container: so-elasticsearch
- file: so-elasticsearch-pipelines-script
so-elasticsearch-roles-load:
cmd.run:
- name: /usr/sbin/so-elasticsearch-roles-load
- cwd: /opt/so
- template: jinja
- require:
- docker_container: so-elasticsearch
- file: elasticsearch_sbin_jinja
{% endif %}
{% if ELASTICSEARCHMERGED.enabled %}
- elasticsearch.enabled
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %} {# if 'elasticsearch' in top_states #}
- elasticsearch.disabled
{% endif %}

3
salt/elasticsearch/soc_elasticsearch.yaml
View File

@@ -1,4 +1,7 @@
elasticsearch:
enabled:
description: You can enable or disable Elasticsearch.
helpLink: elasticsearch.html
esheap:
description: Specify the memory heap size in (m)egabytes for Elasticsearch.
helpLink: elasticsearch.html

21
salt/elasticsearch/sostatus.sls Normal file
View File

@@ -0,0 +1,21 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
append_so-elasticsearch_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-elasticsearch
- unless: grep -q so-elasticsearch /opt/so/conf/so-status/so-status.conf
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

4
salt/elasticsearch/template.map.jinja
View File

@@ -1,5 +1,5 @@
{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ESCONFIG.elasticsearch.index_settings, merge=True) %}
{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
{% for index, settings in ES_INDEX_SETTINGS.items() %}
{% if settings.index_template is defined %}
{% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %}

12
salt/elasticsearch/tools/sbin_jinja/so-catrust
View File

@@ -11,14 +11,14 @@
set -e
# Check to see if we have extracted the ca cert.
if [ ! -f /opt/so/saltstack/local/salt/common/cacerts ]; then
if [ ! -f /opt/so/saltstack/local/salt/elasticsearch/cacerts ]; then
docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }} -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt
docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/common/cacerts
docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/elasticsearch/cacerts
docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
docker rm so-elasticsearchca
echo "" >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
echo "sosca" >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
cat /etc/pki/ca.crt >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
echo "" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
echo "sosca" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
cat /etc/pki/ca.crt >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
else
exit 0
fi

8
salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load
View File

@@ -6,15 +6,15 @@
. /usr/sbin/so-common
{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ESCONFIG.elasticsearch.index_settings, merge=True) %}
{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
{%- for index, settings in ES_INDEX_SETTINGS.items() %}
{%- if settings.policy is defined %}
{%- if settings.policy is defined %}
echo
echo "Setting up {{ index }}-logs policy..."
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://localhost:9200/_ilm/policy/{{ index }}-logs" -H 'Content-Type: application/json' -d'{ "policy": {{ settings.policy | tojson(true) }} }'
echo
{%- endif %}
{%- endif %}
{%- endfor %}
echo

85
salt/idh/config.sls Normal file
View File

@@ -0,0 +1,85 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'idh/opencanary_config.map.jinja' import RESTRICTIDHSERVICES %}
{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
include:
- idh.openssh.config
- firewall
# If True, block IDH Services from accepting connections on Managment IP
{% if RESTRICTIDHSERVICES %}
{% from 'idh/opencanary_config.map.jinja' import IDH_SERVICES %}
{% for service in IDH_SERVICES %}
{% if service in ["smnp","ntp", "tftp"] %}
{% set proto = 'udp' %}
{% else %}
{% set proto = 'tcp' %}
{% endif %}
block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'_x_port'] }} :
iptables.insert:
- table: filter
- chain: INPUT
- jump: DROP
- position: 1
- proto: {{ proto }}
- dport: {{ OPENCANARYCONFIG[service~'_x_port'] }}
- destination: {{ GLOBALS.node_ip }}
{% endfor %}
{% endif %}
# Create a config directory
idhconfdir:
file.directory:
- name: /opt/so/conf/idh
- user: 939
- group: 939
- makedirs: True
# Create a log directory
idhlogdir:
file.directory:
- name: /nsm/idh
- user: 939
- group: 939
- makedirs: True
opencanary_config:
file.managed:
- name: /opt/so/conf/idh/opencanary.conf
- source: salt://idh/idh.conf.jinja
- template: jinja
- defaults:
OPENCANARYCONFIG: {{ OPENCANARYCONFIG }}
idh_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://idh/tools/sbin
- user: 934
- group: 939
- file_mode: 755
#idh_sbin_jinja:
# file.recurse:
# - name: /usr/sbin
# - source: salt://idh/tools/sbin_jinja
# - user: 939
# - group: 939
# - file_mode: 755
# - template: jinja
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

3
salt/idh/defaults.yaml
View File

@@ -1,5 +1,6 @@
idh:
restrict_management_ip: false
enabled: False
restrict_management_ip: False
openssh:
enable: true
config:

27
salt/idh/disabled.sls Normal file
View File

@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- idh.sostatus
so-idh:
docker_container.absent:
- force: True
so-idh_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-idh$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

39
salt/idh/enabled.sls Normal file
View File

@@ -0,0 +1,39 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
- idh.config
- idh.sostatus
so-idh:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idh:{{ GLOBALS.so_version }}
- name: so-idh
- detach: True
- network_mode: host
- binds:
- /nsm/idh:/var/tmp:rw
- /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
- watch:
- file: opencanary_config
- require:
- file: opencanary_config
delete_so-idh_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-idh$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

100
salt/idh/init.sls
View File

@@ -3,103 +3,11 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'idh/opencanary_config.map.jinja' import RESTRICTIDHSERVICES %}
{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
{% from 'idh/opencanary_config.map.jinja' import IDHMERGED %}
include:
- idh.openssh.config
- firewall
# If True, block IDH Services from accepting connections on Managment IP
{% if RESTRICTIDHSERVICES %}
{% from 'idh/opencanary_config.map.jinja' import IDH_SERVICES %}
{% for service in IDH_SERVICES %}
{% if service in ["smnp","ntp", "tftp"] %}
{% set proto = 'udp' %}
{% else %}
{% set proto = 'tcp' %}
{% endif %}
block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'_x_port'] }} :
iptables.insert:
- table: filter
- chain: INPUT
- jump: DROP
- position: 1
- proto: {{ proto }}
- dport: {{ OPENCANARYCONFIG[service~'_x_port'] }}
- destination: {{ GLOBALS.node_ip }}
{% endfor %}
{% endif %}
# Create a config directory
temp:
file.directory:
- name: /opt/so/conf/idh
- user: 939
- group: 939
- makedirs: True
# Create a log directory
configdir:
file.directory:
- name: /nsm/idh
- user: 939
- group: 939
- makedirs: True
opencanary_config:
file.managed:
- name: /opt/so/conf/idh/opencanary.conf
- source: salt://idh/idh.conf.jinja
- template: jinja
- defaults:
OPENCANARYCONFIG: {{ OPENCANARYCONFIG }}
idh_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://idh/tools/sbin
- user: 934
- group: 939
- file_mode: 755
#idh_sbin_jinja:
# file.recurse:
# - name: /usr/sbin
# - source: salt://idh/tools/sbin_jinja
# - user: 939
# - group: 939
# - file_mode: 755
# - template: jinja
so-idh:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idh:{{ GLOBALS.so_version }}
- name: so-idh
- detach: True
- network_mode: host
- binds:
- /nsm/idh:/var/tmp:rw
- /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
- watch:
- file: opencanary_config
- require:
- file: opencanary_config
append_so-idh_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-idh
{% if IDHMERGED.enabled %}
- idh.enabled
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
- idh.disabled
{% endif %}

1
salt/idh/opencanary_config.map.jinja
View File

@@ -20,6 +20,7 @@
{% set IDH_PORTGROUPS = {} %}
{% import_yaml "idh/defaults.yaml" as IDHCONFIG with context %}
{% set IDHMERGED = salt['pillar.get']('idh', IDHCONFIG.idh, merge=True) %}
{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', default=IDHCONFIG.idh.restrict_management_ip) %}
{% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %}
{# update skinlist to skin.list to avoid issues with SOC UI config #}

3
salt/idh/soc_idh.yaml
View File

@@ -1,4 +1,7 @@
idh:
enabled:
description: You can enable or disable IDH.
helpLink: idh.html
opencanary:
config:
logger:

21
salt/idh/sostatus.sls Normal file
View File

@@ -0,0 +1,21 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
append_so-idh_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-idh
- unless: grep -q so-idh /opt/so/conf/so-status/so-status.conf
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

42
salt/idstools/config.sls Normal file
View File

@@ -0,0 +1,42 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- idstools.sync_files
idstoolslogdir:
file.directory:
- name: /opt/so/log/idstools
- user: 939
- group: 939
- makedirs: True
idstools_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://idstools/tools/sbin
- user: 934
- group: 939
- file_mode: 755
#idstools_sbin_jinja:
# file.recurse:
# - name: /usr/sbin
# - source: salt://idstools/tools/sbin_jinja
# - user: 934
# - group: 939
# - file_mode: 755
# - template: jinja
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

3
salt/idstools/defaults.yaml
View File

@@ -1,4 +1,5 @@
idstools:
enabled: False
config:
urls: []
ruleset: ETOPEN
@@ -6,4 +7,4 @@ idstools:
sids:
enabled: []
disabled: []
modify: []
modify: []

31
salt/idstools/disabled.sls Normal file
View File

@@ -0,0 +1,31 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- idstools.sostatus
so-idstools:
docker_container.absent:
- force: True
so-idstools_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-idstools$
so-rule-update:
cron.absent:
- identifier: so-rule-update
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

55
salt/idstools/enabled.sls Normal file
View File

@@ -0,0 +1,55 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% set proxy = salt['pillar.get']('manager:proxy') %}
include:
- idstools.config
- idstools.sostatus
so-idstools:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idstools:{{ GLOBALS.so_version }}
- hostname: so-idstools
- user: socore
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-idstools'].ip }}
{% if proxy %}
- environment:
- http_proxy={{ proxy }}
- https_proxy={{ proxy }}
- no_proxy={{ salt['pillar.get']('manager:no_proxy') }}
{% endif %}
- binds:
- /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro
- /opt/so/rules/nids:/opt/so/rules/nids:rw
- watch:
- file: idstoolsetcsync
delete_so-idstools_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-idstools$
so-rule-update:
cron.present:
- name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1
- identifier: so-rule-update
- user: root
- minute: '1'
- hour: '7'
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

5
salt/idstools/etc/rulecat.conf
View File

@@ -1,6 +1,5 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS %}
{%- set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS.idstools, merge=True) %}
{%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
{%- if GLOBALS.airgap is sameas true -%}
--merged=/opt/so/rules/nids/all.rules
--local=/opt/so/rules/nids/local.rules
@@ -35,4 +34,4 @@
{%- for URL in IDSTOOLSMERGED.config.urls %}
--url={{ URL }}
{%- endfor %}
{%- endif %}
{%- endif %}

78
salt/idstools/init.sls
View File

@@ -2,78 +2,12 @@
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% set proxy = salt['pillar.get']('manager:proxy') %}
{% from 'idstools/map.jinja' import IDSTOOLSMERGED %}
include:
- idstools.sync_files
# IDSTools Setup
idstoolslogdir:
file.directory:
- name: /opt/so/log/idstools
- user: 939
- group: 939
- makedirs: True
idstools_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://idstools/tools/sbin
- user: 934
- group: 939
- file_mode: 755
#idstools_sbin_jinja:
# file.recurse:
# - name: /usr/sbin
# - source: salt://idstools/tools/sbin_jinja
# - user: 934
# - group: 939
# - file_mode: 755
# - template: jinja
so-rule-update:
cron.present:
- name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1
- identifier: so-rule-update
- user: root
- minute: '1'
- hour: '7'
so-idstools:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idstools:{{ GLOBALS.so_version }}
- hostname: so-idstools
- user: socore
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-idstools'].ip }}
{% if proxy %}
- environment:
- http_proxy={{ proxy }}
- https_proxy={{ proxy }}
- no_proxy={{ salt['pillar.get']('manager:no_proxy') }}
{% endif %}
- binds:
- /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro
- /opt/so/rules/nids:/opt/so/rules/nids:rw
- watch:
- file: idstoolsetcsync
append_so-idstools_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-idstools
{% if IDSTOOLSMERGED.enabled %}
- idstools.enabled
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif%}
- idstools.disabled
{% endif %}

7
salt/idstools/map.jinja Normal file
View File

@@ -0,0 +1,7 @@
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS with context %}
{% set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS.idstools, merge=True) %}

2
salt/idstools/soc_idstools.yaml
View File

@@ -1,4 +1,6 @@
idstools:
enabled:
description: You can enable or disable IDSTools.
config:
oinkcode:
description: Enter your registration code or oinkcode for paid NIDS rulesets.

21
salt/idstools/sostatus.sls Normal file
View File

@@ -0,0 +1,21 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
append_so-idstools_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-idstools
- unless: grep -q so-idstools /opt/so/conf/so-status/so-status.conf
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

96
salt/influxdb/config.sls Normal file
View File

@@ -0,0 +1,96 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'influxdb/map.jinja' import INFLUXMERGED %}
include:
- salt.minion
- ssl
# Influx DB
influxconfdir:
file.directory:
- name: /opt/so/conf/influxdb
- makedirs: True
influxlogdir:
file.directory:
- name: /opt/so/log/influxdb
- dir_mode: 755
- user: 939
- group: 939
- makedirs: True
influxdbdir:
file.directory:
- name: /nsm/influxdb
- makedirs: True
influxdb_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://influxdb/tools/sbin
- user: 939
- group: 939
- file_mode: 755
#influxdb_sbin_jinja:
# file.recurse:
# - name: /usr/sbin
# - source: salt://influxdb/tools/sbin_jinja
# - user: 939
# - group: 939
# - file_mode: 755
# - template: jinja
influxdbconf:
file.managed:
- name: /opt/so/conf/influxdb/config.yaml
- source: salt://influxdb/config.yaml.jinja
- user: 939
- group: 939
- template: jinja
- defaults:
INFLUXMERGED: {{ INFLUXMERGED }}
influxdbbucketsconf:
file.managed:
- name: /opt/so/conf/influxdb/buckets.json
- source: salt://influxdb/buckets.json.jinja
- user: 939
- group: 939
- template: jinja
- defaults:
INFLUXMERGED: {{ INFLUXMERGED }}
influxdb-templates:
file.recurse:
- name: /opt/so/conf/influxdb/templates
- source: salt://influxdb/templates
- user: 939
- group: 939
- template: jinja
- clean: True
- defaults:
INFLUXMERGED: {{ INFLUXMERGED }}
influxdb_curl_config:
file.managed:
- name: /opt/so/conf/influxdb/curl.config
- source: salt://influxdb/curl.config.jinja
- mode: 600
- template: jinja
- show_changes: False
- makedirs: True
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

3
salt/influxdb/defaults.yaml
View File

@@ -1,4 +1,5 @@
influxdb:
enabled: False
config:
assets-path: /ui
bolt-path: /var/lib/influxdb2/influxd.bolt
@@ -74,4 +75,4 @@ influxdb:
shard_duration: 604800
downsample:
so_long_term:
resolution: 5m
resolution: 5m

32
salt/influxdb/disabled.sls Normal file
View File

@@ -0,0 +1,32 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- influxdb.sostatus
so-influxdb:
docker_container.absent:
- force: True
so-influxdb_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-influxdb$
get_influxdb_size:
cron.absent:
- identifier: get_influxdb_size
- user: root
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

87
salt/influxdb/enabled.sls Normal file
View File

@@ -0,0 +1,87 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
{% set TOKEN = salt['pillar.get']('influxdb:token') %}
include:
- influxdb.config
- influxdb.sostatus
so-influxdb:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-influxdb:{{ GLOBALS.so_version }}
- hostname: influxdb
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
- environment:
- INFLUXD_CONFIG_PATH=/conf
- INFLUXDB_HTTP_LOG_ENABLED=false
- DOCKER_INFLUXDB_INIT_MODE=setup
- DOCKER_INFLUXDB_INIT_USERNAME=so
- DOCKER_INFLUXDB_INIT_PASSWORD={{ PASSWORD }}
- DOCKER_INFLUXDB_INIT_ORG=Security Onion
- DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
- DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
- binds:
- /opt/so/log/influxdb/:/log:rw
- /opt/so/conf/influxdb/config.yaml:/conf/config.yaml:ro
- /nsm/influxdb:/var/lib/influxdb2:rw
- /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
- /etc/pki/influxdb.key:/conf/influxdb.key:ro
- port_bindings:
{% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- watch:
- file: influxdbconf
- require:
- file: influxdbconf
- x509: influxdb_key
- x509: influxdb_crt
delete_so-influxdb_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-influxdb$
influxdb-setup:
cmd.run:
- name: /usr/sbin/so-influxdb-manage setup &>> /opt/so/log/influxdb/setup.log
- require:
- file: influxdbbucketsconf
- file: influxdb_curl_config
- docker_container: so-influxdb
metrics_link_file:
cmd.run:
- name: so-influxdb-manage dashboardpath "Security Onion Performance" > /opt/so/saltstack/local/salt/influxdb/metrics_link.txt
- require:
- docker_container: so-influxdb
# Install cron job to determine size of influxdb for telegraf
get_influxdb_size:
cron.present:
- name: 'du -s -k /nsm/influxdb | cut -f1 > /opt/so/log/telegraf/influxdb_size.log 2>&1'
- identifier: get_influxdb_size
- user: root
- minute: '*/1'
- hour: '*'
- daymonth: '*'
- month: '*'
- dayweek: '*'
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

166
salt/influxdb/init.sls
View File

@@ -1,163 +1,13 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'influxdb/map.jinja' import INFLUXMERGED %}
{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval', 'so-import'] %}
{% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
{% set TOKEN = salt['pillar.get']('influxdb:token') %}
include:
- salt.minion
- ssl
# Influx DB
influxconfdir:
file.directory:
- name: /opt/so/conf/influxdb
- makedirs: True
influxlogdir:
file.directory:
- name: /opt/so/log/influxdb
- dir_mode: 755
- user: 939
- group: 939
- makedirs: True
influxdbdir:
file.directory:
- name: /nsm/influxdb
- makedirs: True
influxdb_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://influxdb/tools/sbin
- user: 939
- group: 939
- file_mode: 755
#influxdb_sbin_jinja:
# file.recurse:
# - name: /usr/sbin
# - source: salt://influxdb/tools/sbin_jinja
# - user: 939
# - group: 939
# - file_mode: 755
# - template: jinja
influxdbconf:
file.managed:
- name: /opt/so/conf/influxdb/config.yaml
- source: salt://influxdb/config.yaml.jinja
- user: 939
- group: 939
- template: jinja
- defaults:
INFLUXMERGED: {{ INFLUXMERGED }}
influxdbbucketsconf:
file.managed:
- name: /opt/so/conf/influxdb/buckets.json
- source: salt://influxdb/buckets.json.jinja
- user: 939
- group: 939
- template: jinja
- defaults:
INFLUXMERGED: {{ INFLUXMERGED }}
influxdb-templates:
file.recurse:
- name: /opt/so/conf/influxdb/templates
- source: salt://influxdb/templates
- user: 939
- group: 939
- template: jinja
- clean: True
- defaults:
INFLUXMERGED: {{ INFLUXMERGED }}
influxdb_curl_config:
file.managed:
- name: /opt/so/conf/influxdb/curl.config
- source: salt://influxdb/curl.config.jinja
- mode: 600
- template: jinja
- show_changes: False
- makedirs: True
so-influxdb:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-influxdb:{{ GLOBALS.so_version }}
- hostname: influxdb
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
- environment:
- INFLUXD_CONFIG_PATH=/conf
- INFLUXDB_HTTP_LOG_ENABLED=false
- DOCKER_INFLUXDB_INIT_MODE=setup
- DOCKER_INFLUXDB_INIT_USERNAME=so
- DOCKER_INFLUXDB_INIT_PASSWORD={{ PASSWORD }}
- DOCKER_INFLUXDB_INIT_ORG=Security Onion
- DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
- DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
- binds:
- /opt/so/log/influxdb/:/log:rw
- /opt/so/conf/influxdb/config.yaml:/conf/config.yaml:ro
- /nsm/influxdb:/var/lib/influxdb2:rw
- /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
- /etc/pki/influxdb.key:/conf/influxdb.key:ro
- port_bindings:
{% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- watch:
- file: influxdbconf
- require:
- file: influxdbconf
- x509: influxdb_key
- x509: influxdb_crt
append_so-influxdb_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-influxdb
influxdb-setup:
cmd.run:
- name: /usr/sbin/so-influxdb-manage setup &>> /opt/so/log/influxdb/setup.log
- require:
- file: influxdbbucketsconf
- file: influxdb_curl_config
- docker_container: so-influxdb
metrics_link_file:
cmd.run:
- name: so-influxdb-manage dashboardpath "Security Onion Performance" > /opt/so/saltstack/local/salt/influxdb/metrics_link.txt
- require:
- docker_container: so-influxdb
# Install cron job to determine size of influxdb for telegraf
get_influxdb_size:
cron.present:
- name: 'du -s -k /nsm/influxdb | cut -f1 > /opt/so/log/telegraf/influxdb_size.log 2>&1'
- identifier: get_influxdb_size
- user: root
- minute: '*/1'
- hour: '*'
- daymonth: '*'
- month: '*'
- dayweek: '*'
{% endif %}
{% if INFLUXMERGED.enabled %}
- influxdb.enabled
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
- influxdb.disabled
{% endif %}

9
salt/influxdb/map.jinja
View File

@@ -1,2 +1,7 @@
{%- import_yaml 'influxdb/defaults.yaml' as INFLUXDEFAULTS %}
{%- set INFLUXMERGED = salt['pillar.get']('influxdb', default=INFLUXDEFAULTS.influxdb, merge=true) %}
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% import_yaml 'influxdb/defaults.yaml' as INFLUXDEFAULTS %}
{% set INFLUXMERGED = salt['pillar.get']('influxdb', default=INFLUXDEFAULTS.influxdb, merge=true) %}

5
salt/influxdb/soc_influxdb.yaml
View File

@@ -1,4 +1,7 @@
influxdb:
enabled:
description: You can enable or disable InfluxDB.
helpLink: influxdb.html
config:
assets-path:
description: Path to the InfluxDB user interface assets located inside the so-influxdb container.
@@ -352,4 +355,4 @@ influxdb:
resolution:
description: Amount of time to turn into a single data point.
global: True
helpLink: influxdb.html
helpLink: influxdb.html

21
salt/influxdb/sostatus.sls Normal file
View File

@@ -0,0 +1,21 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
append_so-influxdb_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-influxdb
- unless: grep -q so-influxdb /opt/so/conf/so-status/so-status.conf
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

18
salt/kibana/config.map.jinja
View File

@@ -1,18 +0,0 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'kibana/defaults.yaml' as KIBANACONFIG with context %}
{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
{% do KIBANACONFIG.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %}
{% do KIBANACONFIG.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %}
{% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %}
{% do KIBANACONFIG.kibana.config.xpack.fleet.update({'registryUrl': 'http://' ~ GLOBALS.manager_ip ~ ':8080'}) %}
{% if salt['pillar.get']('kibana:secrets') %}
{% do KIBANACONFIG.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey']}}) %}
{% do KIBANACONFIG.kibana.config.xpack.security.update({'encryptionKey': pillar['kibana']['secrets']['security']['encryptionKey']}) %}
{% do KIBANACONFIG.kibana.config.xpack.update({'reporting': {'encryptionKey': pillar['kibana']['secrets']['reporting']['encryptionKey']}}) %}
{% endif %}
{% set KIBANACONFIG = salt['pillar.get']('kibana:config', default=KIBANACONFIG.kibana.config, merge=True) %}

93
salt/kibana/config.sls Normal file
View File

@@ -0,0 +1,93 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'kibana/defaults.yaml' as default_settings %}
{% from 'kibana/map.jinja' import KIBANAMERGED %}
# Add ES Group
kibanasearchgroup:
group.present:
- name: kibana
- gid: 932
# Add ES user
kibana:
user.present:
- uid: 932
- gid: 932
- home: /opt/so/conf/kibana
- createhome: False
# Drop the correct nginx config based on role
kibanaconfdir:
file.directory:
- name: /opt/so/conf/kibana/etc
- user: 932
- group: 939
- makedirs: True
kibana_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://kibana/tools/sbin
- user: 932
- group: 939
- file_mode: 755
kibana_sbin_jinja:
file.recurse:
- name: /usr/sbin
- source: salt://kibana/tools/sbin_jinja
- user: 932
- group: 939
- file_mode: 755
- template: jinja
- defaults:
GLOBALS: {{ GLOBALS }}
kibanaconfig:
file.managed:
- name: /opt/so/conf/kibana/etc/kibana.yml
- source: salt://kibana/etc/kibana.yml.jinja
- user: 932
- group: 939
- mode: 660
- template: jinja
- defaults:
KIBANACONFIG: {{ KIBANAMERGED.config }}
- show_changes: False
kibanalogdir:
file.directory:
- name: /opt/so/log/kibana
- user: 932
- group: 939
- makedirs: True
kibanacustdashdir:
file.directory:
- name: /opt/so/conf/kibana/customdashboards
- user: 932
- group: 939
- makedirs: True
synckibanacustom:
file.recurse:
- name: /opt/so/conf/kibana/customdashboards
- source: salt://kibana/custom
- user: 932
- group: 939
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

4
salt/kibana/defaults.yaml
View File

@@ -1,5 +1,5 @@
kibana:
enabled: True
enabled: False
config:
server:
name: kibana
@@ -32,4 +32,4 @@ kibana:
kibanaServer:
hostname: localhost
fleet:
registryUrl: ""
registryUrl: ""

27
salt/kibana/disabled.sls Normal file
View File

@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- kibana.sostatus
so-kibana:
docker_container.absent:
- force: True
so-kibana_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-kibana$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

53
salt/kibana/enabled.sls Normal file
View File

@@ -0,0 +1,53 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
- kibana.config
- kibana.sostatus
# Start the kibana docker
so-kibana:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kibana:{{ GLOBALS.so_version }}
- hostname: kibana
- user: kibana
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
- environment:
- ELASTICSEARCH_HOST={{ GLOBALS.manager }}
- ELASTICSEARCH_PORT=9200
- MANAGER={{ GLOBALS.manager }}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- binds:
- /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw
- /opt/so/log/kibana:/var/log/kibana:rw
- /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- port_bindings:
{% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- watch:
- file: kibanaconfig
delete_so-kibana_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-kibana$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

127
salt/kibana/init.sls
View File

@@ -3,125 +3,14 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'kibana/defaults.yaml' as default_settings %}
{% set KIBANA_SETTINGS = salt['grains.filter_by'](default_settings, default='kibana', merge=salt['pillar.get']('kibana', {})) %}
{% from 'kibana/config.map.jinja' import KIBANACONFIG with context %}
# Add ES Group
kibanasearchgroup:
group.present:
- name: kibana
- gid: 932
# Add ES user
kibana:
user.present:
- uid: 932
- gid: 932
- home: /opt/so/conf/kibana
- createhome: False
# Drop the correct nginx config based on role
kibanaconfdir:
file.directory:
- name: /opt/so/conf/kibana/etc
- user: 932
- group: 939
- makedirs: True
kibana_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://kibana/tools/sbin
- user: 932
- group: 939
- file_mode: 755
kibana_sbin_jinja:
file.recurse:
- name: /usr/sbin
- source: salt://kibana/tools/sbin_jinja
- user: 932
- group: 939
- file_mode: 755
- template: jinja
- defaults:
GLOBALS: {{ GLOBALS }}
kibanaconfig:
file.managed:
- name: /opt/so/conf/kibana/etc/kibana.yml
- source: salt://kibana/etc/kibana.yml.jinja
- user: 932
- group: 939
- mode: 660
- template: jinja
- defaults:
KIBANACONFIG: {{ KIBANACONFIG }}
- show_changes: False
kibanalogdir:
file.directory:
- name: /opt/so/log/kibana
- user: 932
- group: 939
- makedirs: True
kibanacustdashdir:
file.directory:
- name: /opt/so/conf/kibana/customdashboards
- user: 932
- group: 939
- makedirs: True
synckibanacustom:
file.recurse:
- name: /opt/so/conf/kibana/customdashboards
- source: salt://kibana/custom
- user: 932
- group: 939
# Start the kibana docker
so-kibana:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kibana:{{ GLOBALS.so_version }}
- hostname: kibana
- user: kibana
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
- environment:
- ELASTICSEARCH_HOST={{ GLOBALS.manager }}
- ELASTICSEARCH_PORT=9200
- MANAGER={{ GLOBALS.manager }}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- binds:
- /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw
- /opt/so/log/kibana:/var/log/kibana:rw
- /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- port_bindings:
{% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- watch:
- file: kibanaconfig
append_so-kibana_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-kibana
{% from 'kibana/map.jinja' import KIBANAMERGED %}
include:
{% if KIBANAMERGED.enabled %}
- kibana.enabled
- kibana.so_config_load
- kibana.so_securitySolution_load
- kibana.so_dashboard_load
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
- kibana.disabled
{% endif %}

23
salt/kibana/map.jinja Normal file
View File

@@ -0,0 +1,23 @@
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'kibana/defaults.yaml' as KIBANADEFAULTS with context %}
{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
{% do KIBANADEFAULTS.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %}
{% do KIBANADEFAULTS.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %}
{% do KIBANADEFAULTS.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %}
{% do KIBANADEFAULTS.kibana.config.xpack.fleet.update({'registryUrl': 'http://' ~ GLOBALS.manager_ip ~ ':8080'}) %}
{% if salt['pillar.get']('kibana:secrets') %}
{% do KIBANADEFAULTS.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey']}}) %}
{% do KIBANADEFAULTS.kibana.config.xpack.security.update({'encryptionKey': pillar['kibana']['secrets']['security']['encryptionKey']}) %}
{% do KIBANADEFAULTS.kibana.config.xpack.update({'reporting': {'encryptionKey': pillar['kibana']['secrets']['reporting']['encryptionKey']}}) %}
{% endif %}
{% set KIBANAMERGED = salt['pillar.get']('kibana', default=KIBANADEFAULTS.kibana, merge=True) %}

4
salt/kibana/so_config_load.sls
View File

@@ -4,7 +4,7 @@
# Elastic License 2.0.
include:
- kibana
- kibana.enabled
config_saved_objects:
file.managed:
@@ -25,5 +25,5 @@ so-kibana-config-load:
- name: /usr/sbin/so-kibana-config-load -i /opt/so/conf/kibana/config_saved_objects.ndjson.template
- cwd: /opt/so
- require:
- sls: kibana
- sls: kibana.enabled
- file: config_saved_objects

6
salt/kibana/so_dashboard_load.sls
View File

@@ -5,7 +5,7 @@
{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
include:
- kibana
- kibana.enabled
dashboard_saved_objects_template:
file.managed:
@@ -27,7 +27,7 @@ so-kibana-dashboard-load:
- name: /usr/sbin/so-kibana-config-load -i /opt/so/conf/kibana/saved_objects.ndjson.template
- cwd: /opt/so
- require:
- sls: kibana
- sls: kibana.enabled
- file: dashboard_saved_objects_template
{%- if HIGHLANDER %}
dashboard_saved_objects_template_hl:
@@ -50,6 +50,6 @@ so-kibana-dashboard-load_hl:
- name: /usr/sbin/so-kibana-config-load -i /opt/so/conf/kibana/hl.ndjson.template
- cwd: /opt/so
- require:
- sls: kibana
- sls: kibana.enabled
- file: dashboard_saved_objects_template_hl
{%- endif %}

2
salt/kibana/so_savedobjects_defaults.sls
View File

@@ -4,7 +4,7 @@
# Elastic License 2.0.
include:
- kibana
- kibana.enabled
- kibana.so_config_load
- kibana.so_securitySolution_load
- kibana.so_dashboard_load

4
salt/kibana/so_securitySolution_load.sls
View File

@@ -4,7 +4,7 @@
# Elastic License 2.0.
include:
- kibana
- kibana.enabled
securitySolution_saved_objects:
file.managed:
@@ -25,5 +25,5 @@ so-kibana-securitySolution_saved_objects-load:
- name: /usr/sbin/so-kibana-config-load -u /opt/so/conf/kibana/securitySolution_saved_objects.ndjson.template
- cwd: /opt/so
- require:
- sls: kibana
- sls: kibana.enabled
- file: securitySolution_saved_objects

3
salt/kibana/soc_kibana.yaml
View File

@@ -1,4 +1,7 @@
kibana:
enabled:
description: You can enable or disable Kibana.
helpLink: kibana.html
config:
elasticsearch:
requestTimeout:

21
salt/kibana/sostatus.sls Normal file
View File

@@ -0,0 +1,21 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
append_so-kibana_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-kibana
- unless: grep -q so-kibana /opt/so/conf/so-status/so-status.conf
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

71
salt/kratos/config.sls Normal file
View File

@@ -0,0 +1,71 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from "kratos/map.jinja" import KRATOSMERGED %}
# Add Kratos Group
kratosgroup:
group.present:
- name: kratos
- gid: 928
# Add Kratos user
kratos:
user.present:
- uid: 928
- gid: 928
- home: /opt/so/conf/kratos
kratosdir:
file.directory:
- name: /nsm/kratos
- user: 928
- group: 928
- mode: 700
- makedirs: True
kratosdbdir:
file.directory:
- name: /nsm/kratos/db
- user: 928
- group: 928
- mode: 700
- makedirs: True
kratoslogdir:
file.directory:
- name: /opt/so/log/kratos
- user: 928
- group: 928
- makedirs: True
kratosschema:
file.managed:
- name: /opt/so/conf/kratos/schema.json
- source: salt://kratos/files/schema.json
- user: 928
- group: 928
- mode: 600
kratosconfig:
file.managed:
- name: /opt/so/conf/kratos/kratos.yaml
- source: salt://kratos/files/kratos.yaml.jinja
- user: 928
- group: 928
- mode: 600
- template: jinja
- defaults:
KRATOSMERGED: {{ KRATOSMERGED }}
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

1
salt/kratos/defaults.yaml
View File

@@ -1,4 +1,5 @@
kratos:
enabled: False
config:
session:
lifespan: 24h

27
salt/kratos/disabled.sls Normal file
View File

@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- kratos.sostatus
so-kratos:
docker_container.absent:
- force: True
so-kratos_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-kratos$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

69
salt/kratos/enabled.sls Normal file
View File

@@ -0,0 +1,69 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
- kratos.config
- kratos.sostatus
so-kratos:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kratos:{{ GLOBALS.so_version }}
- hostname: kratos
- name: so-kratos
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
- binds:
- /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro
- /opt/so/conf/kratos/kratos.yaml:/kratos-conf/kratos.yaml:ro
- /opt/so/log/kratos/:/kratos-log:rw
- /nsm/kratos/db:/kratos-data:rw
- port_bindings:
{% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- restart_policy: unless-stopped
- watch:
- file: kratosschema
- file: kratosconfig
- require:
- file: kratosschema
- file: kratosconfig
- file: kratoslogdir
- file: kratosdir
delete_so-kratos_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-kratos$
wait_for_kratos:
http.wait_for_successful_query:
- name: 'http://{{ GLOBALS.manager }}:4434/'
- ssl: True
- verify_ssl: False
- status:
- 200
- 301
- 302
- 404
- status_type: list
- wait_for: 300
- request_interval: 10
- require:
- docker_container: so-kratos
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

15
salt/kratos/files/kratos.yaml.jinja
View File

@@ -1,14 +1 @@
{%- import_yaml 'kratos/defaults.yaml' as KRATOSDEFAULTS %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.login.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.login.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.error.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.error.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.update({'default_browser_return_url': KRATOSDEFAULTS.kratos.config.selfservice.default_browser_return_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.serve.public.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.public.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.serve.admin.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.admin.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.courier.smtp.update({'connection_uri': KRATOSDEFAULTS.kratos.config.courier.smtp.connection_uri | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- set KRATOSMERGED = salt['pillar.get']('kratos:config', default=KRATOSDEFAULTS.kratos.config, merge=true) %}
{{- KRATOSMERGED | yaml(false) }}
{{ KRATOSMERGED.config | yaml(false) }}

117
salt/kratos/init.sls
View File

@@ -3,118 +3,11 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
# Add Kratos Group
kratosgroup:
group.present:
- name: kratos
- gid: 928
# Add Kratos user
kratos:
user.present:
- uid: 928
- gid: 928
- home: /opt/so/conf/kratos
kratosdir:
file.directory:
- name: /nsm/kratos
- user: 928
- group: 928
- mode: 700
- makedirs: True
kratosdbdir:
file.directory:
- name: /nsm/kratos/db
- user: 928
- group: 928
- mode: 700
- makedirs: True
kratoslogdir:
file.directory:
- name: /opt/so/log/kratos
- user: 928
- group: 928
- makedirs: True
kratosschema:
file.managed:
- name: /opt/so/conf/kratos/schema.json
- source: salt://kratos/files/schema.json
- user: 928
- group: 928
- mode: 600
kratosconfig:
file.managed:
- name: /opt/so/conf/kratos/kratos.yaml
- source: salt://kratos/files/kratos.yaml.jinja
- user: 928
- group: 928
- mode: 600
- template: jinja
- defaults:
GLOBALS: {{ GLOBALS }}
so-kratos:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kratos:{{ GLOBALS.so_version }}
- hostname: kratos
- name: so-kratos
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
- binds:
- /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro
- /opt/so/conf/kratos/kratos.yaml:/kratos-conf/kratos.yaml:ro
- /opt/so/log/kratos/:/kratos-log:rw
- /nsm/kratos/db:/kratos-data:rw
- port_bindings:
{% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- restart_policy: unless-stopped
- watch:
- file: kratosschema
- file: kratosconfig
- require:
- file: kratosschema
- file: kratosconfig
- file: kratoslogdir
- file: kratosdir
append_so-kratos_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-kratos
wait_for_kratos:
http.wait_for_successful_query:
- name: 'http://{{ GLOBALS.manager }}:4434/'
- ssl: True
- verify_ssl: False
- status:
- 200
- 301
- 302
- 404
- status_type: list
- wait_for: 300
- request_interval: 10
- require:
- docker_container: so-kratos
{% from 'kratos/map.jinja' import KRATOSMERGED %}
include:
{% if KRATOSMERGED.enabled %}
- kratos.enabled
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
- kratos.disabled
{% endif %}

19
salt/kratos/map.jinja Normal file
View File

@@ -0,0 +1,19 @@
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'kratos/defaults.yaml' as KRATOSDEFAULTS %}
{% do KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.selfservice.flows.login.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.login.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.selfservice.flows.error.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.error.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.selfservice.update({'default_browser_return_url': KRATOSDEFAULTS.kratos.config.selfservice.default_browser_return_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.serve.public.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.public.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.serve.admin.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.admin.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.courier.smtp.update({'connection_uri': KRATOSDEFAULTS.kratos.config.courier.smtp.connection_uri | replace("URL_BASE", GLOBALS.url_base)}) %}
{% set KRATOSMERGED = salt['pillar.get']('kratos', default=KRATOSDEFAULTS.kratos, merge=true) %}

4
salt/kratos/soc_kratos.yaml
View File

@@ -1,4 +1,8 @@
kratos:
enabled:
description: You can enable or disable Kratos.
advanced: True
helpLink: kratos.html
config:
session:
lifespan:

21
salt/kratos/sostatus.sls Normal file
View File

@@ -0,0 +1,21 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
append_so-kratos_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-kratos
- unless: grep -q so-kratos /opt/so/conf/so-status/so-status.conf
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

153
salt/logstash/config.sls Normal file
View File

@@ -0,0 +1,153 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'logstash/map.jinja' import LOGSTASH_MERGED %}
{% set ASSIGNED_PIPELINES = LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %}
include:
- ssl
{% if GLOBALS.role not in ['so-receiver','so-fleet'] %}
- elasticsearch
{% endif %}
# Create the logstash group
logstashgroup:
group.present:
- name: logstash
- gid: 931
# Add the logstash user for the jog4j settings
logstash:
user.present:
- uid: 931
- gid: 931
- home: /opt/so/conf/logstash
lslibdir:
file.absent:
- name: /opt/so/conf/logstash/lib
logstash_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://logstash/tools/sbin
- user: 931
- group: 939
- file_mode: 755
#logstash_sbin_jinja:
# file.recurse:
# - name: /usr/sbin
# - source: salt://logstash/tools/sbin_jinja
# - user: 931
# - group: 939
# - file_mode: 755
# - template: jinja
lsetcdir:
file.directory:
- name: /opt/so/conf/logstash/etc
- user: 931
- group: 939
- makedirs: True
lspipelinedir:
file.directory:
- name: /opt/so/conf/logstash/pipelines
- user: 931
- group: 939
{% for assigned_pipeline in ASSIGNED_PIPELINES %}
{% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %}
ls_pipeline_{{assigned_pipeline}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}:
file.managed:
- source: salt://logstash/pipelines/config/{{CONFIGFILE}}
{% if 'jinja' in CONFIGFILE.split('.')[-1] %}
- name: /opt/so/conf/logstash/pipelines/{{assigned_pipeline}}/{{CONFIGFILE.split('/')[1] | replace(".jinja", "")}}
- template: jinja
- defaults:
GLOBALS: {{ GLOBALS }}
ES_USER: "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') }}"
ES_PASS: "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') }}"
THREADS: {{ LOGSTASH_MERGED.config.pipeline_x_workers }}
BATCH: {{ LOGSTASH_MERGED.config.pipeline_x_batch_x_size }}
{% else %}
- name: /opt/so/conf/logstash/pipelines/{{assigned_pipeline}}/{{CONFIGFILE.split('/')[1]}}
{% endif %}
- user: 931
- group: 939
- mode: 660
- makedirs: True
- show_changes: False
{% endfor %}
ls_pipeline_{{assigned_pipeline}}:
file.directory:
- name: /opt/so/conf/logstash/pipelines/{{assigned_pipeline}}
- user: 931
- group: 939
- require:
{% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %}
- file: ls_pipeline_{{assigned_pipeline}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}
{% endfor %}
- clean: True
{% endfor %}
# Copy down all the configs
lspipelinesyml:
file.managed:
- name: /opt/so/conf/logstash/etc/pipelines.yml
- source: salt://logstash/etc/pipelines.yml.jinja
- template: jinja
- defaults:
ASSIGNED_PIPELINES: {{ ASSIGNED_PIPELINES }}
lsetcsync:
file.recurse:
- name: /opt/so/conf/logstash/etc
- source: salt://logstash/etc
- user: 931
- group: 939
- template: jinja
- clean: True
- exclude_pat: pipelines*
- defaults:
LOGSTASH_MERGED: {{ LOGSTASH_MERGED }}
# Create the import directory
importdir:
file.directory:
- name: /nsm/import
- user: 931
- group: 939
- makedirs: True
# Create the logstash data directory
nsmlsdir:
file.directory:
- name: /nsm/logstash/tmp
- user: 931
- group: 939
- makedirs: True
# Create the log directory
lslogdir:
file.directory:
- name: /opt/so/log/logstash
- user: 931
- group: 939
- makedirs: True
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

1
salt/logstash/defaults.yaml
View File

@@ -1,4 +1,5 @@
logstash:
enabled: False
assigned_pipelines:
roles:
standalone:

27
salt/logstash/disabled.sls Normal file
View File

@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- logstash.sostatus
so-logstash:
docker_container.absent:
- force: True
so-logstash_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-logstash$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

101
salt/logstash/enabled.sls Normal file
View File

@@ -0,0 +1,101 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'logstash/map.jinja' import LOGSTASH_MERGED %}
{% from 'logstash/map.jinja' import REDIS_NODES %}
{% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
include:
- elasticsearch.ca
- logstash.config
- logstash.sostatus
so-logstash:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }}
- hostname: so-logstash
- name: so-logstash
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
- user: logstash
- extra_hosts: {{ REDIS_NODES }}
- environment:
- LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
- port_bindings:
{% for BINDING in DOCKER.containers['so-logstash'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
- /opt/so/conf/elasticsearch/templates/:/templates/:ro
- /opt/so/conf/logstash/etc/:/usr/share/logstash/config/:ro
- /opt/so/conf/logstash/pipelines:/usr/share/logstash/pipelines:ro
- /opt/so/rules:/etc/nsm/rules:ro
- /nsm/import:/nsm/import:ro
- /nsm/logstash:/usr/share/logstash/data:rw
- /opt/so/log/logstash:/var/log/logstash:rw
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- /opt/so/conf/logstash/etc/certs:/usr/share/logstash/certs:ro
{% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
- /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro
- /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
{% endif %}
{% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-eval','so-fleet'] %}
- /opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.crt:/usr/share/logstash/elasticfleet-logstash.crt:ro
- /opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.p8:/usr/share/logstash/elasticfleet-logstash.key:ro
{% endif %}
{% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
- /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
{% else %}
- /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
{% endif %}
{% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode'] %}
- /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
- /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
{% endif %}
{% if GLOBALS.role == 'so-eval' %}
- /nsm/zeek:/nsm/zeek:ro
- /nsm/suricata:/suricata:ro
- /opt/so/log/fleet/:/osquery/logs:ro
- /opt/so/log/strelka:/strelka:ro
{% endif %}
- watch:
- file: lsetcsync
{% for assigned_pipeline in LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %}
- file: ls_pipeline_{{assigned_pipeline}}
{% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %}
- file: ls_pipeline_{{assigned_pipeline}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}
{% endfor %}
{% endfor %}
- require:
{% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
- x509: etc_filebeat_crt
{% endif %}
{% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
- x509: pki_public_ca_crt
{% else %}
- x509: trusttheca
{% endif %}
{% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
- file: cacertz
- file: capemz
{% endif %}
delete_so-logstash_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-logstash$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

Some files were not shown because too many files have changed in this diff Show More