From caaa8cc7641d78c4e81657c8b8795d363ccf5790 Mon Sep 17 00:00:00 2001 
From: m0duspwnens 
Date: Wed, 20 Jan 2021 09:46:49 -0500 
Subject: [PATCH 01/27] add schedule state to fleet node so it gets highstate schedule 
---
 salt/top.sls | 1 +
 1 file changed, 1 insertion(+) 
diff --git a/salt/top.sls b/salt/top.sls 
index 18dd1b61a..f7f73d4a6 100644 
--- a/salt/top.sls 
+++ b/salt/top.sls 
@@ -494,6 +494,7 @@ base: - fleet - fleet.install_package - filebeat + - schedule - docker_clean '*_import and G@saltversion:{{saltversion}}': 
From b1c5b83fd5ac076aaa52d39267499fa2ae2068d4 Mon Sep 17 00:00:00 2001 
From: m0duspwnens 
Date: Wed, 20 Jan 2021 09:53:42 -0500 
Subject: [PATCH 02/27] removing old search node logic and managersensor from salt top 
---
 salt/top.sls | 58 +---------------------------------------------------
 1 file changed, 1 insertion(+), 57 deletions(-) 
diff --git a/salt/top.sls b/salt/top.sls 
index f7f73d4a6..bab7b475f 100644 
--- a/salt/top.sls 
+++ b/salt/top.sls 
@@ -292,48 +292,7 @@ base: {%- endif %} - docker_clean - # Search node logic - - '*_node and I@node:node_type:parser and G@saltversion:{{saltversion}}': - - match: compound - - firewall - {%- if LOGSTASH %} - - logstash - {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - - schedule - - docker_clean - - '*_node and I@node:node_type:hot and G@saltversion:{{saltversion}}': - - match: compound - - firewall - {%- if LOGSTASH %} - - logstash - {%- endif %} - {%- if CURATOR %} - - curator - {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - - schedule - - docker_clean - - '*_node and I@node:node_type:warm and G@saltversion:{{saltversion}}': - - match: compound - - firewall - {%- if ELASTICSEARCH %} - - elasticsearch - {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - - schedule - - docker_clean - - '*_searchnode and G@saltversion:{{saltversion}}': + '*_searchnode and G@saltversion:{{saltversion}}': - match: compound - ca - ssl @@ -361,21 +320,6 @@ base: - schedule - docker_clean - '*_managersensor and G@saltversion:{{saltversion}}': - - match: compound - - nginx - - telegraf - - influxdb - - grafana - - firewall - - sensor - - manager - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - - schedule - - docker_clean - '*_managersearch and G@saltversion:{{saltversion}}': - match: compound - salt.master From 58f922aac36bfae10d258a416d149138cc1fdd1f Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 20 Jan 2021 11:17:10 -0500 Subject: [PATCH 03/27] Skip image pull if so-tcpreplay image already exists and is current --- salt/common/tools/sbin/so-tcpreplay | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-tcpreplay b/salt/common/tools/sbin/so-tcpreplay index 22722ac9b..b5dbb4155 100755 --- a/salt/common/tools/sbin/so-tcpreplay 
+++ b/salt/common/tools/sbin/so-tcpreplay 
@@ -48,9 +48,15 @@ if ! docker ps | grep -q so-tcpreplay; then
 echo
 if is_manager_node; then 
- TRUSTED_CONTAINERS=("so-tcpreplay") 
- mkdir -p /opt/so/log/tcpreplay 
- update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log" 
+ set_version 
+ if ! docker images | grep so-tcpreplay | grep ":5000" | grep -q $VERSION ; then 
+ echo "Pulling so-tcpreplay image" 
+ TRUSTED_CONTAINERS=("so-tcpreplay") 
+ mkdir -p /opt/so/log/tcpreplay 
+ update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log" 
+ else 
+ echo "so-tcpreplay image exists." 
+ fi
 fi
 if is_sensor_node; then
 if ! is_manager_node; then 
From b693373d8d2f5eb5d59212d579b4851d998c22bc Mon Sep 17 00:00:00 2001 
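Review bot: The new image check `docker images | grep so-tcpreplay | grep ":5000" | grep -q $VERSION` uses `$VERSION` unquoted and as a substring regex, so with a VERSION of 2.3.1 a cached `so-tcpreplay:2.3.10` (or any row whose dotted text happens to match, since `.` matches any character) satisfies the test, the pull is skipped, and the script runs a stale image. Match the repository:tag column exactly instead, e.g. `if ! docker images --format '{{.Repository}}:{{.Tag}}' | grep -qE -- ":5000/[^/]+/so-tcpreplay:${VERSION//./\\.}$"; then`. If `update_docker_containers` is also where the pulled image is verified against the trusted-container list, the new skip path runs whatever is cached without that verification — worth confirming before merging. The enclosing `if ! docker ps | grep -q so-tcpreplay` block starts before this hunk and continues after it.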
From: m0duspwnens Date: Wed, 20 Jan 2021 15:09:53 -0500 Subject: [PATCH 04/27] change how we allow or disallow states to be run https://github.com/Security-Onion-Solutions/securityonion/issues/2679 --- salt/airgap/init.sls | 13 +- salt/allowed_states.map.jinja | 297 ++++++++++++++++++++++++++++++++++ salt/ca/init.sls | 10 +- salt/common/init.sls | 10 +- salt/curator/init.sls | 10 +- salt/docker/init.sls | 10 +- salt/docker_clean/init.sls | 11 ++ salt/domainstats/init.sls | 10 +- salt/elastalert/init.sls | 10 +- salt/elasticsearch/init.sls | 10 +- salt/filebeat/init.sls | 10 +- salt/firewall/init.sls | 10 +- salt/fleet/init.sls | 1 + salt/freqserver/init.sls | 10 +- salt/grafana/init.sls | 10 +- salt/healthcheck/init.sls | 10 +- salt/idstools/init.sls | 10 +- salt/influxdb/init.sls | 10 +- salt/kibana/init.sls | 10 +- salt/logstash/init.sls | 10 +- salt/manager/init.sls | 10 +- salt/minio/init.sls | 10 +- salt/motd/init.sls | 10 +- salt/mysql/init.sls | 10 +- salt/nginx/init.sls | 10 +- salt/nodered/init.sls | 10 +- salt/pcap/init.sls | 10 +- salt/playbook/init.sls | 10 +- salt/redis/init.sls | 10 +- salt/registry/init.sls | 10 +- salt/salt/master.sls | 12 +- salt/soc/init.sls | 10 +- salt/soctopus/init.sls | 10 +- salt/ssl/init.sls | 10 +- salt/strelka/init.sls | 10 +- salt/suricata/init.sls | 10 +- salt/suricata/manager.sls | 13 +- salt/tcpreplay/init.sls | 8 +- salt/telegraf/init.sls | 10 +- salt/thehive/init.sls | 10 +- salt/utility/init.sls | 10 +- salt/wazuh/init.sls | 10 +- salt/yum/init.sls | 10 +- salt/zeek/init.sls | 10 +- 44 files changed, 491 insertions(+), 234 deletions(-) create mode 100644 salt/allowed_states.map.jinja diff --git a/salt/airgap/init.sls b/salt/airgap/init.sls index b7ad3da1b..818bb3a3b 100644 --- a/salt/airgap/init.sls +++ b/salt/airgap/init.sls @@ -1,3 +1,6 @@ +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} + {% set MANAGER = salt['grains.get']('master') %} airgapyum: file.managed: 
@@ -57,4 +60,12 @@ agssrepo: agwazrepo: file.absent: - - name: /etc/yum.repos.d/wazuh.repo \ No newline at end of file + - name: /etc/yum.repos.d/wazuh.repo + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} \ No newline at end of file diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja new file mode 100644 index 000000000..920a60aab --- /dev/null +++ b/salt/allowed_states.map.jinja 
@@ -0,0 +1,297 @@ +{% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} +{% set WAZUH = salt['pillar.get']('global:wazuh', '0') %} +{% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %} +{% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} +{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %} +{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %} +{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} +{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} +{% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %} +{% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %} +{% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %} +{% set KIBANA = salt['pillar.get']('kibana:enabled', True) %} +{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %} +{% set CURATOR = salt['pillar.get']('curator:enabled', True) %} +{% set REDIS = salt['pillar.get']('redis:enabled', True) %} +{% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %} +{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %} +{% import_yaml 'salt/minion.defaults.yaml' as saltversion %} +{% set saltversion = saltversion.salt.minion.version %} + +{# this is the list we are returning from this map file, it gets built below #} +{% set allowed_states= [] %} + +{% if grains.saltversion | string == saltversion | string %} + + {% set allowed_states= salt['grains.filter_by']({ + 'so-eval': [ + 'salt.master', + 'ca', + 'ssl', + 'registry', + 'manager', + 'nginx', + 'telegraf', + 'influxdb', + 'grafana', + 'soc', + 'firewall', + 'idstools', + 'suricata.manager', + 'healthcheck', + 'pcap', + 'suricata', + 'utility', + 'schedule', + 'soctopus', + 'tcpreplay', + 'docker_clean' + ], + 'so-heavynode': [ + 'ca', + 'ssl', + 'nginx', + 'telegraf', + 'firewall', + 'pcap', + 'suricata', + 'schedule', + 'tcpreplay', + 'docker_clean' + ], + 'so-helixsensor': [ + 'salt.master', + 
'ca', + 'ssl', + 'registry', + 'telegraf', + 'firewall', + 'idstools', + 'suricata.manager', + 'zeek', + 'redis', + 'elasticsearch', + 'logstash', + 'schedule', + 'tcpreplay', + 'docker_clean' + ], + 'so-fleet': [ + 'ca', + 'ssl', + 'nginx', + 'telegraf', + 'firewall', + 'mysql', + 'redis', + 'fleet', + 'fleet.install_package', + 'filebeat', + 'schedule', + 'docker_clean' + ], + 'so-import': [ + 'salt.master', + 'ca', + 'ssl', + 'registry', + 'manager', + 'nginx', + 'soc', + 'firewall', + 'idstools', + 'suricata.manager', + 'pcap', + 'utility', + 'suricata', + 'zeek', + 'schedule', + 'tcpreplay', + 'docker_clean' + ], + 'so-manager': [ + 'salt.master', + 'ca', + 'ssl', + 'registry', + 'manager', + 'nginx', + 'telegraf', + 'influxdb', + 'grafana', + 'soc', + 'firewall', + 'idstools', + 'suricata.manager', + 'utility', + 'schedule', + 'soctopus', + 'docker_clean' + ], + 'so-managersearch': [ + 'salt.master', + 'ca', + 'ssl', + 'registry', + 'nginx', + 'telegraf', + 'influxdb', + 'grafana', + 'soc', + 'firewall', + 'manager', + 'idstools', + 'suricata.manager', + 'utility', + 'schedule', + 'soctopus', + 'docker_clean' + ], + 'so-searchnode': [ + 'ca', + 'ssl', + 'nginx', + 'telegraf', + 'firewall', + 'schedule', + 'docker_clean' + ], + 'so-standalone': [ + 'salt.master', + 'ca', + 'ssl', + 'registry', + 'manager', + 'nginx', + 'telegraf', + 'influxdb', + 'grafana', + 'soc', + 'firewall', + 'idstools', + 'suricata.manager', + 'pcap', + 'suricata', + 'utility', + 'schedule', + 'soctopus', + 'tcpreplay', + 'docker_clean' + ], + 'so-sensor': [ + 'ca', + 'ssl', + 'telegraf', + 'firewall', + 'nginx', + 'pcap', + 'suricata', + 'healthcheck', + 'wazuh', + 'filebeat', + 'schedule', + 'tcpreplay', + 'docker_clean' + ], + }, grain='role') %} + + {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %} + {% do allowed_states.append('filebeat') %} + {% endif %} + + {% if 
((FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0) and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %} + {% do allowed_states.append('mysql') %} + {% endif %} + + {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode'] %} + {% do allowed_states.append('fleet.install_package') %} + {% endif %} + + {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %} + {% do allowed_states.append('fleet') %} + {% endif %} + + {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval'] %} + {% do allowed_states.append('redis') %} + {% endif %} + + {%- if ZEEKVER != 'SURICATA' and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %} + {% do allowed_states.append('zeek') %} + {%- endif %} + + {% if STRELKA and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %} + {% do allowed_states.append('strelka') %} + {% endif %} + + {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode']%} + {% do allowed_states.append('wazuh') %} + {% endif %} + + {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %} + {% do allowed_states.append('elasticsearch') %} + {% endif %} + + {% if KIBANA and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %} + {% do allowed_states.append('kibana') %} + {% endif %} + + {% if CURATOR and grains.role in ['so-eval', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode'] %} + {% do allowed_states.append('curator') %} + {% endif %} + + {% if ELASTALERT and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} + {% do allowed_states.append('elastalert') %} + {% 
endif %} + + {% if (THEHIVE != 0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} + {% do allowed_states.append('thehive') %} + {% endif %} + + {% if (PLAYBOOK !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} + {% do allowed_states.append('playbook') %} + {% endif %} + + {% if (PLAYBOOK !=0) and grains.role in ['so-eval'] %} + {% do allowed_states.append('redis') %} + {% endif %} + + {% if (FREQSERVER !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} + {% do allowed_states.append('freqserver') %} + {% endif %} + + {% if (DOMAINSTATS !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} + {% do allowed_states.append('domainstats') %} + {% endif %} + + {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode'] %} + {% do allowed_states.append('logstash') %} + {% endif %} + + {% if REDIS and grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %} + {% do allowed_states.append('redis') %} + {% endif %} + + {% if grains.os == 'CentOS' %} + {% if not ISAIRGAP %} + {% do allowed_states.append('yum') %} + {% endif %} + {% do allowed_states.append('yum.packages') %} + {% endif %} + + {# all nodes on the right salt version can run the following states #} + {% do allowed_states.append('common') %} + {% do allowed_states.append('patch.os.schedule') %} + {% do allowed_states.append('motd') %} + {% do allowed_states.append('salt.minion-check') %} + {% do allowed_states.append('sensoroni') %} + {% do allowed_states.append('salt.lasthighstate') %} + +{% endif %} + + +{% if ISAIRGAP %} + {% do allowed_states.append('airgap') %} +{% endif %} + +{# all nodes can always run salt.minion state #} +{% do allowed_states.append('salt.minion') %} \ No newline at end of file 
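Review bot: Several feature flags in this new map are read with string defaults and then tested for truthiness, so an absent pillar value enables a state instead of disabling it: `{% set WAZUH = salt['pillar.get']('global:wazuh', '0') %}` and the STRELKA line default to the non-empty string '0', so `{% if WAZUH and grains.role in [...] %}` and the STRELKA test are always true, and `THEHIVE != 0`, `PLAYBOOK !=0`, `FREQSERVER !=0` and `DOMAINSTATS !=0` compare the string '0' to the integer 0 and are likewise true. Because this list is the allowlist every state now consults, those defaults make it more permissive than the pillar intends; normalising once at the top, e.g. `{% set WAZUH = salt['pillar.get']('global:wazuh', 0) | int %}` and then `{% if WAZUH and ... %}`, would make all six flags behave the same way. Separately, the `grains.filter_by` call has no `default` entry, and as far as I recall it returns None when the role grain matches none of the listed keys, so a minion with an unlisted role would fail to render this map (and every state importing it) at the first `allowed_states.append` rather than reaching a `_state_not_allowed` result; adding a `'default': []` key to the lookup dict covers that case.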
diff --git a/salt/ca/init.sls b/salt/ca/init.sls index 84c74ef3d..07cb75f31 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'ca' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set manager = salt['grains.get']('master') %} /etc/salt/minion.d/signing_policies.conf: @@ -60,8 +58,8 @@ cakeyperms: {% else %} -ca_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: ca_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/common/init.sls b/salt/common/init.sls index 337103fd9..60ff87fd4 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'common' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set role = grains.id.split('_') | last %} @@ -260,8 +258,8 @@ docker: {% else %} -common_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: common_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 2f0147794..245b700d0 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'curator' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} 
@@ -145,8 +143,8 @@ append_so-curator_so-status.conf: {% else %} -curator_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: curator_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 273dbae91..c01bb8e67 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'docker' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} installdocker: pkg.installed: @@ -14,8 +12,8 @@ docker: {% else %} -docker_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: docker_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/docker_clean/init.sls b/salt/docker_clean/init.sls index 9c5ce0d17..21e672c00 100644 --- a/salt/docker_clean/init.sls +++ b/salt/docker_clean/init.sls @@ -1,3 +1,6 @@ +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} + {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3','2.3.0','2.3.1','2.3.2']%} @@ -43,3 +46,11 @@ remove_images_{{ VERSION }}: - '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-wazuh:{{ VERSION }}' - '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}' {% endfor %} + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} \ No newline at end of file diff --git a/salt/domainstats/init.sls b/salt/domainstats/init.sls index 965d87426..da9c2926c 100644 --- a/salt/domainstats/init.sls +++ b/salt/domainstats/init.sls 
@@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'domainstats' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -63,8 +61,8 @@ append_so-domainstats_so-status.conf: {% else %} -domainstats_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: domainstats_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 7caef532f..fcab3f57c 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'elastalert' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -131,8 +129,8 @@ append_so-elastalert_so-status.conf: {% else %} -elastalert_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: elastalert_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 2d83f9882..089a21e1c 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
@@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'elasticsearch' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -265,8 +263,8 @@ so-elasticsearch-templates: {% else %} -elasticsearch_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: elasticsearch_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} {# if 'elasticsearch' in top_states #} diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 98229ca35..47dc2f3a9 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -11,10 +11,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'filebeat' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -93,8 +91,8 @@ append_so-filebeat_so-status.conf: {% else %} -filebeat_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: filebeat_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 27f04bee0..687774a58 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls 
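Review bot: The trailing comment on the last context line of the second elasticsearch hunk, `{% endif %} {# if 'elasticsearch' in top_states #}`, still refers to the `top_states` variable this commit removes from the file; update it to `{% endif %} {# if sls in allowed_states #}` so it describes the new guard. The matching `{% if sls in allowed_states %}` is opened in the first hunk, outside this one.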
@@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'firewall' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} # Firewall Magic for the grid {% from 'firewall/map.jinja' import hostgroups with context %} @@ -138,8 +136,8 @@ iptables_drop_all_the_things: {% else %} -firewall_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: firewall_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index db3414a18..f286af347 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -1,3 +1,4 @@ +{# this state can run regardless if in allowed_states or not #} {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} {%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%} {%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%} diff --git a/salt/freqserver/init.sls b/salt/freqserver/init.sls index f514353a1..36a17b6aa 100644 --- a/salt/freqserver/init.sls +++ b/salt/freqserver/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'freqserver' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -63,9 +61,9 @@ append_so-freq_so-status.conf: {% else %} -freqserver_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: freqserver_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index 9c596ca98..4a0cc7b08 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls 
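Review bot: fleet/init.sls is the one state in this series left outside the `allowed_states` guard, while the new map still lists `fleet` as allowed only for specific roles, so `state.apply fleet` keeps rendering on any minion, including the pillar secrets it reads (`secrets:mysql`, `secrets:fleet`, `secrets:fleet_jwt`). If the exemption is deliberate — it looks like it could be required by a setup path that runs before the role grain is usable, but that is not visible here — the added comment should record the reason, e.g. `{# intentionally not gated by allowed_states: <reason> #}`, so a later cleanup does not wrap it by mistake. The rest of the file is outside this hunk.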
@@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'grafana' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} {% set MANAGER = salt['grains.get']('master') %} @@ -281,8 +279,8 @@ append_so-grafana_so-status.conf: {% else %} -grafana_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: grafana_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/healthcheck/init.sls b/salt/healthcheck/init.sls index af1de6d83..610891980 100644 --- a/salt/healthcheck/init.sls +++ b/salt/healthcheck/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'healthcheck' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set CHECKS = salt['pillar.get']('healthcheck:checks', {}) %} {% set ENABLED = salt['pillar.get']('healthcheck:enabled', False) %} @@ -31,8 +29,8 @@ healthcheck_schedule_{{ STATUS[1] }}: {% else %} -healthcheck_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: healthcheck_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 2aacb973d..56f15a93d 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls 
@@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'idstools' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -83,8 +81,8 @@ append_so-idstools_so-status.conf: {% else %} -idstools_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: idstools_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif%} diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 9dc7ee692..61b97fc56 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'influxdb' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} {% set MANAGER = salt['grains.get']('master') %} @@ -63,8 +61,8 @@ append_so-influxdb_so-status.conf: {% else %} -influxdb_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: influxdb_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 02e76495d..7d6b541cd 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls 
@@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'kibana' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -128,8 +126,8 @@ so-kibana-config-load: {% else %} -kibana_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: kibana_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index e23e4eef2..61f533865 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'logstash' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -209,8 +207,8 @@ append_so-logstash_so-status.conf: {% else %} -logstash_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: logstash_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 597ca3c43..908ef4502 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls 
@@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'manager' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -110,8 +108,8 @@ strelka_yara_update: - minute: '1' {% else %} -manager_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: manager_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/minio/init.sls b/salt/minio/init.sls index 484eac1f9..f61209c8b 100644 --- a/salt/minio/init.sls +++ b/salt/minio/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'minio' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set access_key = salt['pillar.get']('minio:access_key', '') %} {% set access_secret = salt['pillar.get']('minio:access_secret', '') %} @@ -69,8 +67,8 @@ append_so-minio_so-status.conf: {% else %} -minio_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: minio_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/motd/init.sls b/salt/motd/init.sls index bf9d276a6..c3b9c0209 100644 --- a/salt/motd/init.sls +++ b/salt/motd/init.sls 
@@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'motd' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} so_motd: file.managed: @@ -11,8 +9,8 @@ so_motd: {% else %} -motd_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: motd_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 5fb187ab8..be44b652c 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'mysql' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %} {%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} @@ -112,8 +110,8 @@ append_so-mysql_so-status.conf: {% else %} -mysql_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: mysql_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 8d6dd46f7..15c1acc8e 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'nginx' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} {% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} 
@@ -105,8 +103,8 @@ append_so-nginx_so-status.conf: {% else %} -nginx_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: nginx_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/nodered/init.sls b/salt/nodered/init.sls index c4fb8cb37..58145a6b7 100644 --- a/salt/nodered/init.sls +++ b/salt/nodered/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'nodered' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -86,8 +84,8 @@ so-nodered-flows: {% else %} -nodered_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: nodered_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index b8580fd86..06ff30972 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'pcap' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -150,8 +148,8 @@ delete_so-steno_so-status.disabled: {% else %} -pcap_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: pcap_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file 
diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index dca898eec..ef538e5f6 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'playbook' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} @@ -114,8 +112,8 @@ so-playbookruleupdatecron: {% else %} -playbook_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: playbook_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 57f189865..d28aa57c3 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'redis' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -77,8 +75,8 @@ append_so-redis_so-status.conf: {% else %} -redis_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: redis_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/registry/init.sls b/salt/registry/init.sls index 43b9d8fa6..d733b6f54 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls 
@@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'registry' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} # Create the config directory for the docker registry dockerregistryconfdir: @@ -64,8 +62,8 @@ append_so-dockerregistry_so-status.conf: {% else %} -registry_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: registry_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/salt/master.sls b/salt/salt/master.sls index 442a9d240..3c23bbb36 100644 --- a/salt/salt/master.sls +++ b/salt/salt/master.sls @@ -1,10 +1,8 @@ +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} + {% from 'salt/map.jinja' import COMMON with context %} -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'salt.master' in top_states %} - include: - salt.minion @@ -37,8 +35,8 @@ engines_config: {% else %} -salt_master_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: salt_master_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 0f58aab32..d31898e72 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'soc' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} 
@@ -141,8 +139,8 @@ append_so-kratos_so-status.conf: {% else %} -soc_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: soc_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 2137a4511..c2c8dc1ac 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'soctopus' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -80,8 +78,8 @@ append_so-soctopus_so-status.conf: {% else %} -soctopus_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: soctopus_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 221c58c93..d6c06d6fd 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'ssl' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set manager = salt['grains.get']('master') %} {% set managerip = salt['pillar.get']('global:managerip', '') %} @@ -578,8 +576,8 @@ elastickeyperms: {% else %} -ssl_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: ssl_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 1bd9e3aad..315486519 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls 
@@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'strelka' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set MANAGER = salt['grains.get']('master') %} {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %} @@ -194,8 +192,8 @@ strelka_zeek_extracted_sync: {% else %} -strelka_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: strelka_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 99609be32..0452364c5 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'suricata' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} {% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} @@ -193,8 +191,8 @@ surilogrotate: {% else %} -suricata_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: suricata_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/suricata/manager.sls b/salt/suricata/manager.sls index 5998a484b..c196c5cae 100644 --- a/salt/suricata/manager.sls +++ b/salt/suricata/manager.sls @@ -1,3 +1,6 @@ +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} + surilocaldir: file.directory: - name: /opt/so/saltstack/local/salt/suricata 
@@ -16,4 +19,12 @@ refresh_salt_master_fileserver_suricata_ruleslink: salt.runner: - name: fileserver.update - onchanges: - - file: ruleslink \ No newline at end of file + - file: ruleslink + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} \ No newline at end of file diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls index a684d2fef..0fa853d22 100644 --- a/salt/tcpreplay/init.sls +++ b/salt/tcpreplay/init.sls @@ -1,4 +1,6 @@ -{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' or grains['role'] == 'so-standalone' %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} @@ -17,8 +19,8 @@ so-tcpreplay: {% else %} -tcpreplay_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: tcpreplay_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index 1ff34ceae..fb4cacbc6 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'telegraf' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} @@ -81,8 +79,8 @@ append_so-telegraf_so-status.conf: {% else %} -telegraf_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: telegraf_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls index 6c3d4d5ac..d1ee8a4bf 100644 --- a/salt/thehive/init.sls 
+++ b/salt/thehive/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'thehive' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} @@ -152,8 +150,8 @@ thehivescript: {% else %} -thehive_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: thehive_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/utility/init.sls b/salt/utility/init.sls index d18ad5e1c..d8b8539fa 100644 --- a/salt/utility/init.sls +++ b/salt/utility/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'utility' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} # This state is for checking things {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] %} @@ -27,8 +25,8 @@ fixsearch: {% else %} -utility_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: utility_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 3cad6c367..089b60846 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'wazuh' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {%- set HOSTNAME = salt['grains.get']('host', '') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} 
@@ -164,8 +162,8 @@ hidsruledir: {% else %} -wazuh_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: wazuh_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/yum/init.sls b/salt/yum/init.sls index b8a4df9ee..339a6f2a7 100644 --- a/salt/yum/init.sls +++ b/salt/yum/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'yum' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} yumconf: file.managed: @@ -12,8 +10,8 @@ yumconf: {% else %} -yum_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: yum_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 6fa289d5c..8cb9f5d21 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'zeek' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% from "zeek/map.jinja" import START with context %} @@ -211,8 +209,8 @@ disable_so-zeek_so-status.conf: {% else %} -zeek_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: zeek_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file From 18278a97acaf9dceb2e8fb0ff1564a9e3692a264 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 20 Jan 2021 15:13:55 -0500 Subject: [PATCH 05/27] fix salt top formatting --- salt/top.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/top.sls b/salt/top.sls index bab7b475f..68c392c25 100644 --- a/salt/top.sls +++ b/salt/top.sls 
@@ -292,7 +292,7 @@ base: {%- endif %} - docker_clean - '*_searchnode and G@saltversion:{{saltversion}}': + '*_searchnode and G@saltversion:{{saltversion}}': - match: compound - ca - ssl From 6e756b3586a39792883b1db2ae7b72a74666718b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 20 Jan 2021 17:34:53 -0500 Subject: [PATCH 06/27] allow heathcheck state for standalone and heavynode --- salt/allowed_states.map.jinja | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 920a60aab..5ec218c8c 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -55,6 +55,7 @@ 'firewall', 'pcap', 'suricata', + 'healthcheck', 'schedule', 'tcpreplay', 'docker_clean' @@ -172,6 +173,7 @@ 'suricata.manager', 'pcap', 'suricata', + 'healthcheck', 'utility', 'schedule', 'soctopus', From 18217ba38bdddb4b218e9899cb4b667967edc050 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 20 Jan 2021 17:40:02 -0500 Subject: [PATCH 07/27] change so-searchnode role to so-node https://github.com/Security-Onion-Solutions/securityonion/issues/2679 --- salt/allowed_states.map.jinja | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 5ec218c8c..665fdbe3d 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -148,7 +148,7 @@ 'soctopus', 'docker_clean' ], - 'so-searchnode': [ + 'so-node': [ 'ca', 'ssl', 'nginx', @@ -197,7 +197,7 @@ ], }, grain='role') %} - {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %} + {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import'] %} {% do allowed_states.append('filebeat') %} {% endif %} 
@@ -205,7 +205,7 @@ {% do allowed_states.append('mysql') %} {% endif %} - {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode'] %} + {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %} {% do allowed_states.append('fleet.install_package') %} {% endif %} @@ -225,11 +225,11 @@ {% do allowed_states.append('strelka') %} {% endif %} - {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode']%} + {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode']%} {% do allowed_states.append('wazuh') %} {% endif %} - {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %} + {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import'] %} {% do allowed_states.append('elasticsearch') %} {% endif %} @@ -237,7 +237,7 @@ {% do allowed_states.append('kibana') %} {% endif %} - {% if CURATOR and grains.role in ['so-eval', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode'] %} + {% if CURATOR and grains.role in ['so-eval', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %} {% do allowed_states.append('curator') %} {% endif %} @@ -265,7 +265,7 @@ {% do allowed_states.append('domainstats') %} {% endif %} - {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode'] %} + {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %} {% do allowed_states.append('logstash') %} {% endif %} 
From 74e315841a14e782322d65e0b211fec37f7a8435 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 21 Jan 2021 13:17:16 +0000 Subject: [PATCH 08/27] Modify common to reserve Docker proxy ports --- salt/common/init.sls | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/salt/common/init.sls b/salt/common/init.sls index 60ff87fd4..8b17cc7f5 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -256,6 +256,17 @@ docker: - watch: - file: docker_daemon +# Reserve OS ports for Docker proxy in case boot settings are not already applied/present +dockerapplyports: + cmd.run: + - name: if [ ! -f /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"; fi + +# Reserve OS ports for Docker proxy +dockerreserveports: + file.managed: + - source: salt://common/files/99-reserved-ports.conf + - name: /etc/sysctl.d/99-reserved-ports.conf + {% else %} {{sls}}_state_not_allowed: From 9a916746887a037358ba6ce85f8f9f9695e25780 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 21 Jan 2021 13:18:22 +0000 Subject: [PATCH 09/27] Add reserved ports file for sysctl --- salt/common/files/99-reserved-ports.conf | 1 + 1 file changed, 1 insertion(+) create mode 100644 salt/common/files/99-reserved-ports.conf diff --git a/salt/common/files/99-reserved-ports.conf b/salt/common/files/99-reserved-ports.conf new file mode 100644 index 000000000..a578ab9a5 --- /dev/null +++ b/salt/common/files/99-reserved-ports.conf @@ -0,0 +1 @@ +net.ipv4.ip_local_reserved_ports="55000,57314" From 0039877779ecc20906dabf3b25a3569b0aa6bbeb Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 21 Jan 2021 13:29:09 +0000 Subject: [PATCH 10/27] Check for port availability for Wazuh and Strelka --- salt/strelka/init.sls | 5 +++++ salt/wazuh/init.sls | 7 +------ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 315486519..46d9ef35d 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls 
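Review bot: The reservation in `dockerapplyports` stops being applied once `/etc/sysctl.d/99-reserved-ports.conf` exists, so a later edit to the port list in the managed file is never pushed to the running kernel until a reboot, and the list itself is duplicated between the `cmd.run` and the file. Until the file exists the `cmd.run` also reports a change on every highstate because it has no `unless`/`creates`. Salt's `sysctl.present` state covers both halves — it writes the value now and persists it to the given config file — so the two states can collapse into one with the port list in a single place, and the separate `99-reserved-ports.conf` source file becomes unnecessary. Both `dockerapplyports` and `dockerreserveports` are fully inside this hunk.
```yaml
# Reserve OS ports for Docker proxy: applies the value now and persists it for boot
dockerreserveports:
  sysctl.present:
    - name: net.ipv4.ip_local_reserved_ports
    - value: 55000,57314
    - config: /etc/sysctl.d/99-reserved-ports.conf
```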
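Review bot: The value in the new `99-reserved-ports.conf` is written with double quotes, `net.ipv4.ip_local_reserved_ports="55000,57314"`, which is shell quoting carried over from the `sysctl -w` command in the previous commit; a sysctl.d file is not read by a shell, and if the loader passes the value through verbatim the kernel receives the quote characters and rejects the write at boot. The plain form `net.ipv4.ip_local_reserved_ports = 55000,57314` is what the sysctl.conf format expects. Running `sysctl -p /etc/sysctl.d/99-reserved-ports.conf` once on a test host would confirm the file applies cleanly before it is relied on at boot.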
@@ -92,6 +92,11 @@ strelkaunprocessed: - group: 939 - makedirs: True +# Check to see if Strelka frontend port is available +strelkaportavailable: + cmd.run: + - name: netstat -utanp | grep ":57314" | grep -qv docker && PROCESS=$(netstat -utanp | grep ":57314" | uniq) && echo "Another process ($PROCESS) appears to be using port 57314. Please terminate this process, or reboot to ensure a clean state so that Strelka can start properly." && exit 1 || exit 0 + strelka_coordinator: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }} diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 089b60846..d6c7ac15e 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -94,15 +94,10 @@ wazuhmgrwhitelist: - mode: 755 - template: jinja -# Reserve OS port for Wazuh API -wazuhreserveport: - cmd.run: - - name: grep -q 55000 /proc/sys/net/ipv4/ip_local_reserved_ports || sysctl -w net.ipv4.ip_local_reserved_ports="55000" > /dev/null && echo "55000" >> /proc/sys/net/ipv4/ip_local_reserved_ports - # Check to see if Wazuh API port is available wazuhportavailable: cmd.run: - - name: netstat -anp | grep 55000 | grep -qv docker && PROCESS=$(netstat -anp | grep 55000 | awk '{print $NF}' | uniq) && echo "Another process ($PROCESS) appears to be using port 55000. Please terminate this process, or reboot to ensure a clean state so that the Wazuh API can start properly." && exit 1 || exit 0 + -name: netstat -utanp | grep ":55000" | grep -qv docker && PROCESS=$(netstat -utanp | grep ":55000" | uniq) && echo "Another process ($PROCESS) appears to be using port 55000. Please terminate this process, or reboot to ensure a clean state so that the Wazuh API can start properly." && exit 1 || exit 0 so-wazuh: docker_container.running: From 35c741ae63a06890fdcf43caf6a9b3ea46f29d77 Mon Sep 17 00:00:00 2001 
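Review bot: The port test in `strelkaportavailable` greps `":57314"` over the whole `netstat -utanp` output, so it also matches the Foreign Address column — an outbound connection to some remote host's port 57314, or a UDP socket, makes `grep -qv docker` succeed and the state fails although nothing local is bound to the port. Restricting the check to listening TCP sockets, `ss -Hltnp 'sport = :57314'` or `netstat -ltnp | grep -E ':57314 '`, removes that false positive; the same applies to the `wazuhportavailable` line in the wazuh hunk of this commit. `$PROCESS` now captures whole netstat lines rather than the process column the old wazuh check extracted with `awk '{print $NF}'`, which makes the failure message noisy but is otherwise harmless.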
From: Mike Reeves Date: Thu, 21 Jan 2021 09:49:31 -0500 Subject: [PATCH 11/27] Turn on Xpack SSL --- salt/elasticsearch/files/elasticsearch.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index 1ad65c43f..637db4d90 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml @@ -7,6 +7,7 @@ {%- else %} {%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:esclustername') %} {%- endif %} +{%- set NODE_ROLES = salt['pillar.get']('elasticsearch:node_roles', ['data', 'ingest']) %} cluster.name: "{{ ESCLUSTERNAME }}" network.host: 0.0.0.0 
@@ -27,13 +28,16 @@ cluster.routing.allocation.disk.watermark.flood_stage: 98% {%- if FEATURES is sameas true %} #xpack.security.enabled: false #xpack.security.http.ssl.enabled: false -#xpack.security.transport.ssl.enabled: false +xpack.security.transport.ssl.enabled: false +xpack.security.transport.ssl.verification_mode: certificate +xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key +xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt +xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ] +xpack.security.transport.ssl.verification_mode: none + #xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key #xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt #xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt -#xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key -#xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt -#xpack.security.transport.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt #xpack.security.transport.ssl.verification_mode: none #xpack.security.http.ssl.client_authentication: none #xpack.security.authc: @@ -55,7 +59,7 @@ discovery.seed_hosts: {%- endfor %} {%- endif %} {%- else %} -node.roles: [ data, ingest ] +node.roles: [ {{ NODE_ROLES }} ] node.attr.box_type: {{ NODE_ROUTE_TYPE }} discovery.seed_hosts: - {{ grains.master }} From 19d22e1f8a7b658105e111d65eb8e2021567df99 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 21 Jan 2021 15:34:54 +0000 Subject: [PATCH 12/27] Allow for Filebeat queue/output adjustments via pillar --- salt/filebeat/etc/filebeat.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 799a37337..1b902d542 100644 
--- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -11,6 +11,10 @@ {%- set STRELKAENABLED = salt['pillar.get']('strelka:enabled', '0') %} {%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%} {%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%} +{%- set FBMEMEVENTS = salt['pillar.get']('filebeat:mem_events', 2048) -%} +{%- set FBMEMFLUSHMINEVENTS = salt['pillar.get']('filebeat:mem_flush_min_events', 2048) -%} +{%- set FBLSWORKERS = salt['pillar.get']('filebeat:ls_workers', 1) -%} +{%- set FBLSBULKMAXSIZE = salt['pillar.get']('filebeat:ls_bulk_max_size', 2048) -%} name: {{ HOSTNAME }} @@ -290,7 +294,10 @@ output.logstash: hosts: ["{{ MANAGER }}:5644"] # Number of workers per Logstash host. - #worker: 1 + worker: {{ FBLSWORKERS }} + + # Number of records to send to Logstash input at a time + bulk_max_size: {{ FBLSBULKMAXSIZE }} # Set gzip compression level. #compression_level: 3 @@ -491,3 +498,6 @@ setup.template.enabled: false #http.host: localhost # Port on which the HTTP endpoint will bind. Default is 5066. + +queue.mem.events: {{ FBMEMEVENTS }} +queue.mem.flush.min_events: {{ FBMEMFLUSHMINEVENTS }} From 6de70ec820fe971d8ded31ad1e3af57ab6dfde96 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 21 Jan 2021 11:12:12 -0500 Subject: [PATCH 13/27] Update docker mappings for ES --- salt/elasticsearch/files/elasticsearch.yml | 1 - salt/elasticsearch/init.sls | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index 637db4d90..cabec3a49 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml 
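Review bot: The new `queue.mem.events` and `queue.mem.flush.min_events` lines are appended directly beneath the `# Port on which the HTTP endpoint will bind` comment, so a reader ties them to the HTTP endpoint block they have nothing to do with, and nothing in the file names the pillar keys that drive them. A short comment above them, `# Memory queue sizing, overridable via the filebeat:mem_events and filebeat:mem_flush_min_events pillar keys`, would document the knobs. Both defaults are 2048, and as far as I recall libbeat rejects a configuration where `flush.min_events` exceeds `events`, so lowering `filebeat:mem_events` alone in pillar would produce a config Filebeat refuses to start with — worth stating in that comment. The `{%- set ... -%}` block at the top of the file is fully inside the first hunk.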
@@ -33,7 +33,6 @@ xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ] -xpack.security.transport.ssl.verification_mode: none #xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key #xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 2d83f9882..951c375f6 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -223,6 +223,8 @@ so-elasticsearch: - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro + - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro + - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.keys:ro - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro - /opt/so/conf/elasticsearch/sotls.yml:/usr/share/elasticsearch/config/sotls.yml:ro - watch: From 84b75a38a34ddcf8b9b3bc4731a1aca9895bfc81 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 21 Jan 2021 11:21:04 -0500 Subject: [PATCH 14/27] Fix error in init.sls for ES --- salt/elasticsearch/files/elasticsearch.yml | 2 +- salt/elasticsearch/init.sls | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index cabec3a49..de97466de 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml 
@@ -58,7 +58,7 @@ discovery.seed_hosts: {%- endfor %} {%- endif %} {%- else %} -node.roles: [ {{ NODE_ROLES }} ] +node.roles: {{ NODE_ROLES }} node.attr.box_type: {{ NODE_ROUTE_TYPE }} discovery.seed_hosts: - {{ grains.master }} diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 951c375f6..d4d81e815 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -224,7 +224,7 @@ so-elasticsearch: - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro - - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.keys:ro + - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro - /opt/so/conf/elasticsearch/sotls.yml:/usr/share/elasticsearch/config/sotls.yml:ro - watch: From 583b65e95262cfffdb489fe83834757b481d6f66 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 21 Jan 2021 11:52:23 -0500 Subject: [PATCH 15/27] Fix syntax --- salt/wazuh/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index d6c7ac15e..cf40f739a 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls 
@@ -96,8 +96,8 @@ wazuhmgrwhitelist: # Check to see if Wazuh API port is available wazuhportavailable: - cmd.run: - -name: netstat -utanp | grep ":55000" | grep -qv docker && PROCESS=$(netstat -utanp | grep ":55000" | uniq) && echo "Another process ($PROCESS) appears to be using port 55000. Please terminate this process, or reboot to ensure a clean state so that the Wazuh API can start properly." && exit 1 || exit 0 + cmd.run: + - name: netstat -utanp | grep ":55000" | grep -qv docker && PROCESS=$(netstat -utanp | grep ":55000" | uniq) && echo "Another process ($PROCESS) appears to be using port 55000. Please terminate this process, or reboot to ensure a clean state so that the Wazuh API can start properly." && exit 1 || exit 0 so-wazuh: docker_container.running: From 013b706ce40db032832dfd7ba6793c7adb8d86c9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 21 Jan 2021 12:13:23 -0500 Subject: [PATCH 16/27] Enable http ssl --- salt/elasticsearch/files/elasticsearch.yml | 21 ++++++++++----------- salt/elasticsearch/init.sls | 8 +------- 2 files changed, 11 insertions(+), 18 deletions(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index de97466de..1ea190236 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml 
@@ -25,26 +25,25 @@ cluster.routing.allocation.disk.threshold_enabled: true cluster.routing.allocation.disk.watermark.low: 95% cluster.routing.allocation.disk.watermark.high: 98% cluster.routing.allocation.disk.watermark.flood_stage: 98% -{%- if FEATURES is sameas true %} #xpack.security.enabled: false #xpack.security.http.ssl.enabled: false -xpack.security.transport.ssl.enabled: false -xpack.security.transport.ssl.verification_mode: certificate +xpack.security.transport.ssl.enabled: true +xpack.security.transport.ssl.verification_mode: none xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt -xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ] - -#xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key -#xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt -#xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt -#xpack.security.transport.ssl.verification_mode: none -#xpack.security.http.ssl.client_authentication: none +xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ] +{%- if grains['role'] in ['so-node','so-heavynode'] %} +xpack.security.http.ssl.enabled: true +xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key +xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt +xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt +xpack.security.http.ssl.client_authentication: none +{%- endif %} #xpack.security.authc: # anonymous: # username: anonymous_user # roles: superuser # authz_exception: true -{%- endif %} node.name: {{ grains.host }} script.max_compilations_rate: 1000/1m {%- if TRUECLUSTER is sameas true %} 
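Review bot: `xpack.security.transport.ssl.verification_mode: none` (changed from `certificate`) turns transport TLS on but disables certificate validation entirely, so any peer presenting any certificate is accepted on the transport port and the `certificate_authorities` entry a few lines below has no effect. Since a CA is configured on that line, `xpack.security.transport.ssl.verification_mode: certificate` keeps hostname checks off while still requiring peer certificates to chain to `ca.crt`; `full` would add hostname verification. The same `none` value is carried as context through the later elasticsearch.yml hunks in this series (PATCH 18, 19 and 20), so correcting it here corrects all of them. The new `http.ssl.enabled: true` block applies only to `so-node` and `so-heavynode`; if leaving the manager roles out of it is intentional, a comment on the `{%- if grains['role'] … %}` line saying why would help the next reader.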
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index d4d81e815..af055c678 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -25,12 +25,6 @@ {% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} {% set MANAGERIP = salt['pillar.get']('global:managerip') %} -{% if FEATURES is sameas true %} - {% set FEATUREZ = "-features" %} -{% else %} - {% set FEATUREZ = '' %} -{% endif %} - {% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import'] %} {% set esclustername = salt['pillar.get']('manager:esclustername') %} {% set esheap = salt['pillar.get']('manager:esheap') %} @@ -188,7 +182,7 @@ eslogdir: so-elasticsearch: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}{{ FEATUREZ }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }} - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch From bb523c44e6177205dd7f06d14e9676511e4dd0b3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 21 Jan 2021 12:19:41 -0500 Subject: [PATCH 17/27] Enable features temporarily --- salt/elasticsearch/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index af055c678..e71398e4b 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -182,7 +182,7 @@ eslogdir: so-elasticsearch: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}-features - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch From 9759990233d5568d0512a53b4ab7d683fa1e6041 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Thu, 21 Jan 2021 12:29:45 -0500 Subject: [PATCH 18/27] Switch to java key store --- salt/elasticsearch/files/elasticsearch.yml | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index 1ea190236..3a763732b 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml 
@@ -29,15 +29,23 @@ cluster.routing.allocation.disk.watermark.flood_stage: 98% #xpack.security.http.ssl.enabled: false xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: none -xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key -xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt -xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ] +xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/sokeys +xpack.security.transport.ssl.keystore.password: changeit +xpack.security.transport.ssl.truststore.path: /etc/pki/java/cacerts +xpack.security.transport.ssl.truststore.password: changeit +#xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key +#xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt +#xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ] {%- if grains['role'] in ['so-node','so-heavynode'] %} xpack.security.http.ssl.enabled: true -xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key -xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt -xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt xpack.security.http.ssl.client_authentication: none +xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/sokeys +xpack.security.http.ssl.keystore.password: changeit +xpack.security.http.ssl.truststore.path: /etc/pki/java/cacerts +xpack.security.http.ssl.truststore.password: changeit +#xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key +#xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt +#xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt {%- endif %} #xpack.security.authc: # 
anonymous: From b0914fa60487f4486b0edbec5a69076bf974d202 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 21 Jan 2021 12:46:00 -0500 Subject: [PATCH 19/27] try .p12 --- salt/elasticsearch/files/elasticsearch.yml | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index 3a763732b..d9cf80cd9 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml 
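Review bot: The added `keystore.password: changeit` and `truststore.password: changeit` lines place a well-known default password in plaintext in a rendered config file; Elasticsearch expects these as `secure_password` settings stored in its own keystore (for example `xpack.security.transport.ssl.keystore.secure_password`, which this series itself references in the next patch) rather than in elasticsearch.yml. Pointing `truststore.path` at `/etc/pki/java/cacerts` also widens the set of trusted issuers from the project CA to every public CA in the system Java trust store, so a certificate from any public CA would be accepted for cluster transport. With `verification_mode: none` still set two lines above, neither truststore is enforced until that value is changed. PATCH 19 and PATCH 20 in this series replace this keystore configuration again.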
@@ -29,20 +29,24 @@ cluster.routing.allocation.disk.watermark.flood_stage: 98% #xpack.security.http.ssl.enabled: false xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: none -xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/sokeys -xpack.security.transport.ssl.keystore.password: changeit -xpack.security.transport.ssl.truststore.path: /etc/pki/java/cacerts -xpack.security.transport.ssl.truststore.password: changeit +xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elasticsearch.p12 +xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elasticsearch.p12 +#xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/sokeys +#xpack.security.transport.ssl.keystore.secure_password: changeit +#xpack.security.transport.ssl.truststore.path: /etc/pki/java/cacerts +#xpack.security.transport.ssl.truststore.password: changeit #xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key #xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt #xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ] {%- if grains['role'] in ['so-node','so-heavynode'] %} xpack.security.http.ssl.enabled: true xpack.security.http.ssl.client_authentication: none -xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/sokeys -xpack.security.http.ssl.keystore.password: changeit -xpack.security.http.ssl.truststore.path: /etc/pki/java/cacerts -xpack.security.http.ssl.truststore.password: changeit +xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/elasticsearch.p12 +xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/elasticsearch.p12 +#xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/sokeys +#xpack.security.http.ssl.keystore.secure_password: changeit +#xpack.security.http.ssl.truststore.path: 
/etc/pki/java/cacerts +#xpack.security.http.ssl.truststore.password: changeit #xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key #xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt #xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt From 9f984036c5d1b4b70c6af32cf960e5af4ca79873 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 21 Jan 2021 13:00:46 -0500 Subject: [PATCH 20/27] Use the internmediate cert --- salt/elasticsearch/files/elasticsearch.yml | 25 ++++++---------------- salt/elasticsearch/init.sls | 5 +++++ 2 files changed, 11 insertions(+), 19 deletions(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index d9cf80cd9..4a7260bc6 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml 
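Review bot: `xpack.security.http.ssl.keystore.path` is added twice in the `so-node`/`so-heavynode` block; the second occurrence mirrors the transport block's keystore/truststore pair and was presumably meant to be `xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/elasticsearch.p12`. As far as I recall, duplicate keys in elasticsearch.yml are rejected at startup rather than resolved last-one-wins, so this would keep the node from starting. No password is configured for the PKCS#12 file on either side; if it is encrypted, the load fails, and as the commented `secure_password` lines suggest, the password belongs in the Elasticsearch keystore rather than in this file. PATCH 20 in this series replaces the `.p12` configuration again.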
@@ -26,30 +26,17 @@ cluster.routing.allocation.disk.watermark.low: 95% cluster.routing.allocation.disk.watermark.high: 98% cluster.routing.allocation.disk.watermark.flood_stage: 98% #xpack.security.enabled: false -#xpack.security.http.ssl.enabled: false xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: none -xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elasticsearch.p12 -xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elasticsearch.p12 -#xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/sokeys -#xpack.security.transport.ssl.keystore.secure_password: changeit -#xpack.security.transport.ssl.truststore.path: /etc/pki/java/cacerts -#xpack.security.transport.ssl.truststore.password: changeit -#xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key -#xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt -#xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ] +xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key +xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt +xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ] {%- if grains['role'] in ['so-node','so-heavynode'] %} xpack.security.http.ssl.enabled: true xpack.security.http.ssl.client_authentication: none -xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/elasticsearch.p12 -xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/elasticsearch.p12 -#xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/sokeys -#xpack.security.http.ssl.keystore.secure_password: changeit -#xpack.security.http.ssl.truststore.path: /etc/pki/java/cacerts -#xpack.security.http.ssl.truststore.password: changeit 
-#xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key -#xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt -#xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt +xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key +xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt +xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt {%- endif %} #xpack.security.authc: # anonymous: diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index e71398e4b..f1b82f068 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -216,6 +216,11 @@ so-elasticsearch: - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro + {% if grains['role'] in ['so-manager','so-managersearch'] %} + - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro + {% else %} + - /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro + {% endif %} - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro From f85ecf254efa3ced574d2c623a6db531fec573cf Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 21 Jan 2021 13:21:08 -0500 Subject: [PATCH 21/27] Fix dupe --- salt/elasticsearch/init.sls | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index f1b82f068..f34c87829 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
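Review bot: `certificate_authorities` now points at `/usr/share/elasticsearch/config/ca.crt` on both the transport and HTTP side, but the companion init.sls hunk in this commit binds a different host file to that container path per role (`/etc/pki/ca.crt` on manager roles, `/etc/ssl/certs/intca.crt` elsewhere), so the trust anchor silently differs by node type and nothing in elasticsearch.yml says so. A comment beside the setting would save the next reader a trip through the state file: `# ca.crt is bind-mounted by salt/elasticsearch/init.sls: root CA on manager roles, intermediate CA on all other roles`. With `verification_mode: none` still set on the transport side, the transport CA entry is not enforced regardless of which file is mounted.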
@@ -216,12 +216,11 @@ so-elasticsearch: - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro - {% if grains['role'] in ['so-manager','so-managersearch'] %} + {% if ismanager %} - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro {% else %} - /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro {% endif %} - - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro From 9408d62c65c7ba7042f8e1b874c35a3da1f18491 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 21 Jan 2021 13:55:53 -0500 Subject: [PATCH 22/27] Remove features --- salt/elasticsearch/init.sls | 2 +- salt/filebeat/init.sls | 2 +- salt/kibana/init.sls | 2 +- salt/logstash/init.sls | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index f34c87829..39b4722f4 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -182,7 +182,7 @@ eslogdir: so-elasticsearch: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}-features + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }} - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 98229ca35..c62d9004c 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
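Review bot: `{% if ismanager %}` references a variable that is not set in any visible hunk of this file (the earlier init.sls hunk in this series shows `TRUECLUSTER` and `MANAGERIP` being set, not `ismanager`); if it is not defined above the hunk, rendering either fails the state or, where undefined values are tolerated, silently takes the `{% else %}` branch so that manager roles also get the intermediate CA bind. If `ismanager` is defined earlier in the file, a short comment on this line naming where it comes from would make the check self-explanatory; the role list it replaces, `grains['role'] in ['so-manager','so-managersearch']`, was explicit on its own. The `so-elasticsearch` state begins before the hunk.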
@@ -66,7 +66,7 @@ filebeatconfsync: OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }} so-filebeat: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }}{{ FEATURES }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }} - hostname: so-filebeat - user: root - extra_hosts: {{ MANAGER }}:{{ MANAGERIP }},{{ LOCALHOSTNAME }}:{{ LOCALHOSTIP }} diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 02e76495d..3faed391e 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -75,7 +75,7 @@ kibanabin: # Start the kibana docker so-kibana: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kibana:{{ VERSION }}{{ FEATURES }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kibana:{{ VERSION }} - hostname: kibana - user: kibana - environment: diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index e23e4eef2..b08777db4 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -148,7 +148,7 @@ lslogdir: so-logstash: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logstash:{{ VERSION }}{{ FEATURES }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logstash:{{ VERSION }} - hostname: so-logstash - name: so-logstash - user: logstash From 537f7529f8299b62acf6dff85eb98bc771849c7d Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 22 Jan 2021 10:09:08 -0500 Subject: [PATCH 23/27] Increase Kibana wait from 3 minutes to 15 minutes due to the longer init time needed for Kibana to start (because of the recent ES changes) --- salt/kibana/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 189964b55..1b5d05e57 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls 
@@ -104,7 +104,7 @@ wait_for_kibana: module.run: - http.wait_for_successful_query: - url: "http://{{MANAGER}}:5601/api/saved_objects/_find?type=config" - - wait_for: 180 + - wait_for: 900 - onchanges: - file: kibanadashtemplate From f1781b1fde6104e38bcc322079b56738186a40d5 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 22 Jan 2021 12:15:29 -0500 Subject: [PATCH 24/27] [fix] Set timeout for scripts (15s, 3x default 5s) --- salt/telegraf/etc/telegraf.conf | 80 +++++++++++++++++---------------- 1 file changed, 41 insertions(+), 39 deletions(-) diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index 2233b5c25..3d89628e4 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf 
@@ -670,47 +670,52 @@ {% if grains['role'] in ['so-manager', 'so-managersearch'] %} [[inputs.exec]] commands = [ - "/scripts/redis.sh", - "/scripts/influxdbsize.sh" + "/scripts/redis.sh", + "/scripts/influxdbsize.sh" ] - data_format = "influx" + data_format = "influx" + ## Timeout for each command to complete. + timeout = "15s" {% elif grains['role'] in ['so-sensor', 'so-heavynode'] %} [[inputs.exec]] commands = [ - "/scripts/stenoloss.sh", - "/scripts/suriloss.sh", - "/scripts/checkfiles.sh", - "/scripts/zeekloss.sh", - "/scripts/zeekcaptureloss.sh", - "/scripts/oldpcap.sh" + "/scripts/stenoloss.sh", + "/scripts/suriloss.sh", + "/scripts/checkfiles.sh", + "/scripts/zeekloss.sh", + "/scripts/zeekcaptureloss.sh", + "/scripts/oldpcap.sh" ] - data_format = "influx" + data_format = "influx" + timeout = "15s" {% elif grains['role'] == 'so-standalone' %} [[inputs.exec]] commands = [ - "/scripts/redis.sh", - "/scripts/influxdbsize.sh", - "/scripts/stenoloss.sh", - "/scripts/suriloss.sh", - "/scripts/checkfiles.sh", - "/scripts/zeekloss.sh", - "/scripts/zeekcaptureloss.sh", - "/scripts/oldpcap.sh" + "/scripts/redis.sh", + "/scripts/influxdbsize.sh", + "/scripts/stenoloss.sh", + "/scripts/suriloss.sh", + "/scripts/checkfiles.sh", + "/scripts/zeekloss.sh", + "/scripts/zeekcaptureloss.sh", + "/scripts/oldpcap.sh" ] - data_format = "influx" + data_format = "influx" + timeout = "15s" {% elif grains['role'] == 'so-eval' %} [[inputs.exec]] commands = [ - "/scripts/redis.sh", - "/scripts/stenoloss.sh", - "/scripts/suriloss.sh", - "/scripts/checkfiles.sh", - "/scripts/zeekloss.sh", - "/scripts/zeekcaptureloss.sh", - "/scripts/oldpcap.sh", - "/scripts/influxdbsize.sh" + "/scripts/redis.sh", + "/scripts/stenoloss.sh", + "/scripts/suriloss.sh", + "/scripts/checkfiles.sh", + "/scripts/zeekloss.sh", + "/scripts/zeekcaptureloss.sh", + "/scripts/oldpcap.sh", + "/scripts/influxdbsize.sh" ] - data_format = "influx" + data_format = "influx" + timeout = "15s" {% elif grains['role'] == 
'so-helix' %} [[inputs.exec]] commands = [ @@ -723,19 +728,16 @@ "/scripts/helixeps.sh" ] data_format = "influx" + timeout = "15s" {% endif %} -# -# ## Timeout for each command to complete. -# timeout = "5s" -# -# ## measurement name suffix (for separating different commands) -# name_suffix = "_mycollector" -# -# ## Data format to consume. -# ## Each data format has its own unique set of configuration options, read -# ## more about them here: -# ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_INPUT.md + ## measurement name suffix (for separating different commands) + # name_suffix = "_mycollector" + + ## Data format to consume. + ## Each data format has its own unique set of configuration options, read + ## more about them here: + ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_INPUT.md From 4079f8a8e8eabbc3e629164e8687b12ee8899edb Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 22 Jan 2021 12:23:09 -0500 Subject: [PATCH 25/27] [fix] Telegraf doesn't clean up zombie processes, use init flag to fix this --- salt/telegraf/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index fb4cacbc6..81513eee2 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -48,6 +48,7 @@ so-telegraf: - HOST_MOUNT_PREFIX=/host - GODEBUG=x509ignoreCN=0 - network_mode: host + - init: True - binds: - /opt/so/log/telegraf:/var/log/telegraf:rw - /opt/so/conf/telegraf/etc/telegraf.conf:/etc/telegraf/telegraf.conf:ro From 7273c8a0661330b56f85a4ba3b951efd8a3f56a7 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 22 Jan 2021 12:46:21 -0500 Subject: [PATCH 26/27] [fix] Also rotate stenographer log as per #2681 --- salt/common/files/log-rotate.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/files/log-rotate.conf b/salt/common/files/log-rotate.conf index f8a16a038..fd53d9983 100644 --- a/salt/common/files/log-rotate.conf 
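Review bot: The new `timeout = "15s"` line is added to all five role branches, but only the first branch carries the `## Timeout for each command to complete.` comment, and the reason for 15s (three times the plugin default, per the commit subject) is not recorded in the file itself. Either drop the comment from the first branch or give each branch the same one-liner, e.g. `## 3x the 5s plugin default` above every `timeout`, so the branches stay uniform and the rationale survives the commit message. The `[[inputs.exec]]` sections continue into the second hunk, where the helix branch gets its timeout.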
+++ b/salt/common/files/log-rotate.conf @@ -18,6 +18,7 @@ /opt/so/log/filebeat/*.log /opt/so/log/telegraf/*.log /opt/so/log/redis/*.log +/opt/so/log/stenographer/*.log /opt/so/log/salt/so-salt-minion-check /opt/so/log/salt/minion /opt/so/log/salt/master From 47d69bbc9e3a7c2949b85a59633609c3a625853e Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 22 Jan 2021 13:53:49 -0500 Subject: [PATCH 27/27] Move from quay.io to ghcr.io --- salt/common/tools/sbin/so-image-common | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index ef53ce60f..1a4ca233f 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -16,7 +16,7 @@ # along with this program. If not, see . # NOTE: This script depends on so-common -IMAGEREPO=securityonion +IMAGEREPO=security-onion-solutions container_list() { MANAGERCHECK=$1 @@ -103,7 +103,7 @@ update_docker_containers() { local PROGRESS_CALLBACK=$3 local LOG_FILE=$4 - local CONTAINER_REGISTRY=quay.io + local CONTAINER_REGISTRY=ghcr.io local SIGNPATH=/root/sosigs if [ -z "$CURLTYPE" ]; then
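Review bot: Changing `CONTAINER_REGISTRY` to `ghcr.io` and `IMAGEREPO` to `security-onion-solutions` moves the trust anchor for every image this script pulls, but neither hunk touches the signature handling that `local SIGNPATH=/root/sosigs` two lines below implies; if the signatures or the key that validates them are bound to the old `quay.io/securityonion` image names, verification would fail for every image, and it is worth confirming that a failed check cannot be skipped. A note on the changed line would record the dependency for the next registry move: `# NOTE: registry/repo moved from quay.io/securityonion; signatures under $SIGNPATH must match the ghcr.io image names`. `update_docker_containers` continues past the end of the hunk, so the pull and verification logic itself is not visible here.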