CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' into logrotate-fix

Browse Source
This commit is contained in:
William Wernert
2021-01-22 15:20:55 -05:00
committed by GitHub
parent 249651edc7 2159914742
commit 59a4b148bc
51 changed files with 602 additions and 366 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
salt/airgap/init.sls
View File

@@ -1,3 +1,6 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
airgapyum: airgapyum:
file.managed: file.managed:
@@ -58,3 +61,11 @@ agssrepo:
agwazrepo: agwazrepo:
file.absent: file.absent:
- name: /etc/yum.repos.d/wazuh.repo - name: /etc/yum.repos.d/wazuh.repo
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

299
salt/allowed_states.map.jinja Normal file
View File

@@ -0,0 +1,299 @@
{% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
{% set WAZUH = salt['pillar.get']('global:wazuh', '0') %}
{% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %}
{% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %}
{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
{% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %}
{% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %}
{% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %}
{% set KIBANA = salt['pillar.get']('kibana:enabled', True) %}
{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %}
{% set CURATOR = salt['pillar.get']('curator:enabled', True) %}
{% set REDIS = salt['pillar.get']('redis:enabled', True) %}
{% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %}
{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}
{% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
{% set saltversion = saltversion.salt.minion.version %}
{# this is the list we are returning from this map file, it gets built below #}
{% set allowed_states= [] %}
{% if grains.saltversion | string == saltversion | string %}
{% set allowed_states= salt['grains.filter_by']({
'so-eval': [
'salt.master',
'ca',
'ssl',
'registry',
'manager',
'nginx',
'telegraf',
'influxdb',
'grafana',
'soc',
'firewall',
'idstools',
'suricata.manager',
'healthcheck',
'pcap',
'suricata',
'utility',
'schedule',
'soctopus',
'tcpreplay',
'docker_clean'
],
'so-heavynode': [
'ca',
'ssl',
'nginx',
'telegraf',
'firewall',
'pcap',
'suricata',
'healthcheck',
'schedule',
'tcpreplay',
'docker_clean'
],
'so-helixsensor': [
'salt.master',
'ca',
'ssl',
'registry',
'telegraf',
'firewall',
'idstools',
'suricata.manager',
'zeek',
'redis',
'elasticsearch',
'logstash',
'schedule',
'tcpreplay',
'docker_clean'
],
'so-fleet': [
'ca',
'ssl',
'nginx',
'telegraf',
'firewall',
'mysql',
'redis',
'fleet',
'fleet.install_package',
'filebeat',
'schedule',
'docker_clean'
],
'so-import': [
'salt.master',
'ca',
'ssl',
'registry',
'manager',
'nginx',
'soc',
'firewall',
'idstools',
'suricata.manager',
'pcap',
'utility',
'suricata',
'zeek',
'schedule',
'tcpreplay',
'docker_clean'
],
'so-manager': [
'salt.master',
'ca',
'ssl',
'registry',
'manager',
'nginx',
'telegraf',
'influxdb',
'grafana',
'soc',
'firewall',
'idstools',
'suricata.manager',
'utility',
'schedule',
'soctopus',
'docker_clean'
],
'so-managersearch': [
'salt.master',
'ca',
'ssl',
'registry',
'nginx',
'telegraf',
'influxdb',
'grafana',
'soc',
'firewall',
'manager',
'idstools',
'suricata.manager',
'utility',
'schedule',
'soctopus',
'docker_clean'
],
'so-node': [
'ca',
'ssl',
'nginx',
'telegraf',
'firewall',
'schedule',
'docker_clean'
],
'so-standalone': [
'salt.master',
'ca',
'ssl',
'registry',
'manager',
'nginx',
'telegraf',
'influxdb',
'grafana',
'soc',
'firewall',
'idstools',
'suricata.manager',
'pcap',
'suricata',
'healthcheck',
'utility',
'schedule',
'soctopus',
'tcpreplay',
'docker_clean'
],
'so-sensor': [
'ca',
'ssl',
'telegraf',
'firewall',
'nginx',
'pcap',
'suricata',
'healthcheck',
'wazuh',
'filebeat',
'schedule',
'tcpreplay',
'docker_clean'
],
}, grain='role') %}
{% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import'] %}
{% do allowed_states.append('filebeat') %}
{% endif %}
{% if ((FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0) and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %}
{% do allowed_states.append('mysql') %}
{% endif %}
{% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %}
{% do allowed_states.append('fleet.install_package') %}
{% endif %}
{% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %}
{% do allowed_states.append('fleet') %}
{% endif %}
{% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval'] %}
{% do allowed_states.append('redis') %}
{% endif %}
{%- if ZEEKVER != 'SURICATA' and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
{% do allowed_states.append('zeek') %}
{%- endif %}
{% if STRELKA and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
{% do allowed_states.append('strelka') %}
{% endif %}
{% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode']%}
{% do allowed_states.append('wazuh') %}
{% endif %}
{% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import'] %}
{% do allowed_states.append('elasticsearch') %}
{% endif %}
{% if KIBANA and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
{% do allowed_states.append('kibana') %}
{% endif %}
{% if CURATOR and grains.role in ['so-eval', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %}
{% do allowed_states.append('curator') %}
{% endif %}
{% if ELASTALERT and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
{% do allowed_states.append('elastalert') %}
{% endif %}
{% if (THEHIVE != 0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
{% do allowed_states.append('thehive') %}
{% endif %}
{% if (PLAYBOOK !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
{% do allowed_states.append('playbook') %}
{% endif %}
{% if (PLAYBOOK !=0) and grains.role in ['so-eval'] %}
{% do allowed_states.append('redis') %}
{% endif %}
{% if (FREQSERVER !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
{% do allowed_states.append('freqserver') %}
{% endif %}
{% if (DOMAINSTATS !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
{% do allowed_states.append('domainstats') %}
{% endif %}
{% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %}
{% do allowed_states.append('logstash') %}
{% endif %}
{% if REDIS and grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %}
{% do allowed_states.append('redis') %}
{% endif %}
{% if grains.os == 'CentOS' %}
{% if not ISAIRGAP %}
{% do allowed_states.append('yum') %}
{% endif %}
{% do allowed_states.append('yum.packages') %}
{% endif %}
{# all nodes on the right salt version can run the following states #}
{% do allowed_states.append('common') %}
{% do allowed_states.append('patch.os.schedule') %}
{% do allowed_states.append('motd') %}
{% do allowed_states.append('salt.minion-check') %}
{% do allowed_states.append('sensoroni') %}
{% do allowed_states.append('salt.lasthighstate') %}
{% endif %}
{% if ISAIRGAP %}
{% do allowed_states.append('airgap') %}
{% endif %}
{# all nodes can always run salt.minion state #}
{% do allowed_states.append('salt.minion') %}

10
salt/ca/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'ca' in top_states %}
{% set manager = salt['grains.get']('master') %} {% set manager = salt['grains.get']('master') %}
/etc/salt/minion.d/signing_policies.conf: /etc/salt/minion.d/signing_policies.conf:
@@ -60,8 +58,8 @@ cakeyperms:
{% else %} {% else %}
ca_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: ca_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

1
salt/common/files/99-reserved-ports.conf Normal file
View File

@@ -0,0 +1 @@
net.ipv4.ip_local_reserved_ports="55000,57314"

21
salt/common/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'common' in top_states %}
{% set role = grains.id.split('_') | last %} {% set role = grains.id.split('_') | last %}
@@ -258,10 +256,21 @@ docker:
- watch: - watch:
- file: docker_daemon - file: docker_daemon
# Reserve OS ports for Docker proxy in case boot settings are not already applied/present
dockerapplyports:
cmd.run:
- name: if [ ! -f /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"; fi
# Reserve OS ports for Docker proxy
dockerreserveports:
file.managed:
- source: salt://common/files/99-reserved-ports.conf
- name: /etc/sysctl.d/99-reserved-ports.conf
{% else %} {% else %}
common_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: common_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

4
salt/common/tools/sbin/so-image-common
View File

@@ -16,7 +16,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# NOTE: This script depends on so-common # NOTE: This script depends on so-common
IMAGEREPO=securityonion IMAGEREPO=security-onion-solutions
container_list() { container_list() {
MANAGERCHECK=$1 MANAGERCHECK=$1
@@ -103,7 +103,7 @@ update_docker_containers() {
local PROGRESS_CALLBACK=$3 local PROGRESS_CALLBACK=$3
local LOG_FILE=$4 local LOG_FILE=$4
local CONTAINER_REGISTRY=quay.io local CONTAINER_REGISTRY=ghcr.io
local SIGNPATH=/root/sosigs local SIGNPATH=/root/sosigs
if [ -z "$CURLTYPE" ]; then if [ -z "$CURLTYPE" ]; then

6
salt/common/tools/sbin/so-tcpreplay
View File

@@ -48,9 +48,15 @@ if ! docker ps | grep -q so-tcpreplay; then
echo echo
if is_manager_node; then if is_manager_node; then
set_version
if ! docker images | grep so-tcpreplay | grep ":5000" | grep -q $VERSION ; then
echo "Pulling so-tcpreplay image"
TRUSTED_CONTAINERS=("so-tcpreplay") TRUSTED_CONTAINERS=("so-tcpreplay")
mkdir -p /opt/so/log/tcpreplay mkdir -p /opt/so/log/tcpreplay
update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log" update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log"
else
echo "so-tcpreplay image exists."
fi
fi fi
if is_sensor_node; then if is_sensor_node; then
if ! is_manager_node; then if ! is_manager_node; then

10
salt/curator/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'curator' in top_states %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -145,8 +143,8 @@ append_so-curator_so-status.conf:
{% else %} {% else %}
curator_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: curator_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/docker/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'docker' in top_states %}
installdocker: installdocker:
pkg.installed: pkg.installed:
@@ -14,8 +12,8 @@ docker:
{% else %} {% else %}
docker_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: docker_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

11
salt/docker_clean/init.sls
View File

@@ -1,3 +1,6 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
{% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3','2.3.0','2.3.1','2.3.2']%} {% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3','2.3.0','2.3.1','2.3.2']%}
@@ -43,3 +46,11 @@ remove_images_{{ VERSION }}:
- '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-wazuh:{{ VERSION }}' - '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-wazuh:{{ VERSION }}'
- '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}' - '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}'
{% endfor %} {% endfor %}
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

10
salt/domainstats/init.sls
View File

@@ -12,10 +12,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'domainstats' in top_states %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -63,8 +61,8 @@ append_so-domainstats_so-status.conf:
{% else %} {% else %}
domainstats_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: domainstats_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/elastalert/init.sls
View File

@@ -12,10 +12,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'elastalert' in top_states %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -131,8 +129,8 @@ append_so-elastalert_so-status.conf:
{% else %} {% else %}
elastalert_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: elastalert_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

27
salt/elasticsearch/files/elasticsearch.yml
View File

@@ -7,6 +7,7 @@
{%- else %} {%- else %}
{%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:esclustername') %} {%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:esclustername') %}
{%- endif %} {%- endif %}
{%- set NODE_ROLES = salt['pillar.get']('elasticsearch:node_roles', ['data', 'ingest']) %}
cluster.name: "{{ ESCLUSTERNAME }}" cluster.name: "{{ ESCLUSTERNAME }}"
network.host: 0.0.0.0 network.host: 0.0.0.0
@@ -24,24 +25,24 @@ cluster.routing.allocation.disk.threshold_enabled: true
cluster.routing.allocation.disk.watermark.low: 95% cluster.routing.allocation.disk.watermark.low: 95%
cluster.routing.allocation.disk.watermark.high: 98% cluster.routing.allocation.disk.watermark.high: 98%
cluster.routing.allocation.disk.watermark.flood_stage: 98% cluster.routing.allocation.disk.watermark.flood_stage: 98%
{%- if FEATURES is sameas true %}
#xpack.security.enabled: false #xpack.security.enabled: false
#xpack.security.http.ssl.enabled: false xpack.security.transport.ssl.enabled: true
#xpack.security.transport.ssl.enabled: false xpack.security.transport.ssl.verification_mode: none
#xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
#xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt
#xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ]
#xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key {%- if grains['role'] in ['so-node','so-heavynode'] %}
#xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt xpack.security.http.ssl.enabled: true
#xpack.security.transport.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt xpack.security.http.ssl.client_authentication: none
#xpack.security.transport.ssl.verification_mode: none xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
#xpack.security.http.ssl.client_authentication: none xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt
xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt
{%- endif %}
#xpack.security.authc: #xpack.security.authc:
# anonymous: # anonymous:
# username: anonymous_user # username: anonymous_user
# roles: superuser # roles: superuser
# authz_exception: true # authz_exception: true
{%- endif %}
node.name: {{ grains.host }} node.name: {{ grains.host }}
script.max_compilations_rate: 1000/1m script.max_compilations_rate: 1000/1m
{%- if TRUECLUSTER is sameas true %} {%- if TRUECLUSTER is sameas true %}
@@ -55,7 +56,7 @@ discovery.seed_hosts:
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- else %} {%- else %}
node.roles: [ data, ingest ] node.roles: {{ NODE_ROLES }}
node.attr.box_type: {{ NODE_ROUTE_TYPE }} node.attr.box_type: {{ NODE_ROUTE_TYPE }}
discovery.seed_hosts: discovery.seed_hosts:
- {{ grains.master }} - {{ grains.master }}

24
salt/elasticsearch/init.sls
View File

@@ -12,10 +12,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'elasticsearch' in top_states %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -25,12 +23,6 @@
{% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} {% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
{% set MANAGERIP = salt['pillar.get']('global:managerip') %} {% set MANAGERIP = salt['pillar.get']('global:managerip') %}
{% if FEATURES is sameas true %}
{% set FEATUREZ = "-features" %}
{% else %}
{% set FEATUREZ = '' %}
{% endif %}
{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import'] %} {% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import'] %}
{% set esclustername = salt['pillar.get']('manager:esclustername') %} {% set esclustername = salt['pillar.get']('manager:esclustername') %}
{% set esheap = salt['pillar.get']('manager:esheap') %} {% set esheap = salt['pillar.get']('manager:esheap') %}
@@ -188,7 +180,7 @@ eslogdir:
so-elasticsearch: so-elasticsearch:
docker_container.running: docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}{{ FEATUREZ }} - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}
- hostname: elasticsearch - hostname: elasticsearch
- name: so-elasticsearch - name: so-elasticsearch
- user: elasticsearch - user: elasticsearch
@@ -222,7 +214,13 @@ so-elasticsearch:
- /nsm/elasticsearch:/usr/share/elasticsearch/data:rw - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
- /opt/so/log/elasticsearch:/var/log/elasticsearch:rw - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
- /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
{% if ismanager %}
- /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
{% else %}
- /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro
{% endif %}
- /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro
- /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro
- /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro
- /opt/so/conf/elasticsearch/sotls.yml:/usr/share/elasticsearch/config/sotls.yml:ro - /opt/so/conf/elasticsearch/sotls.yml:/usr/share/elasticsearch/config/sotls.yml:ro
- watch: - watch:
@@ -265,8 +263,8 @@ so-elasticsearch-templates:
{% else %} {% else %}
elasticsearch_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: elasticsearch_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {# if 'elasticsearch' in top_states #} {% endif %} {# if 'elasticsearch' in top_states #}

12
salt/filebeat/etc/filebeat.yml
View File

@@ -11,6 +11,10 @@
{%- set STRELKAENABLED = salt['pillar.get']('strelka:enabled', '0') %} {%- set STRELKAENABLED = salt['pillar.get']('strelka:enabled', '0') %}
{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%} {%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%}
{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%} {%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%}
{%- set FBMEMEVENTS = salt['pillar.get']('filebeat:mem_events', 2048) -%}
{%- set FBMEMFLUSHMINEVENTS = salt['pillar.get']('filebeat:mem_flush_min_events', 2048) -%}
{%- set FBLSWORKERS = salt['pillar.get']('filebeat:ls_workers', 1) -%}
{%- set FBLSBULKMAXSIZE = salt['pillar.get']('filebeat:ls_bulk_max_size', 2048) -%}
name: {{ HOSTNAME }} name: {{ HOSTNAME }}
@@ -290,7 +294,10 @@ output.logstash:
hosts: ["{{ MANAGER }}:5644"] hosts: ["{{ MANAGER }}:5644"]
# Number of workers per Logstash host. # Number of workers per Logstash host.
#worker: 1 worker: {{ FBLSWORKERS }}
# Number of records to send to Logstash input at a time
bulk_max_size: {{ FBLSBULKMAXSIZE }}
# Set gzip compression level. # Set gzip compression level.
#compression_level: 3 #compression_level: 3
@@ -491,3 +498,6 @@ setup.template.enabled: false
#http.host: localhost #http.host: localhost
# Port on which the HTTP endpoint will bind. Default is 5066. # Port on which the HTTP endpoint will bind. Default is 5066.
queue.mem.events: {{ FBMEMEVENTS }}
queue.mem.flush.min_events: {{ FBMEMFLUSHMINEVENTS }}

12
salt/filebeat/init.sls
View File

@@ -11,10 +11,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'filebeat' in top_states %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -66,7 +64,7 @@ filebeatconfsync:
OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }} OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }}
so-filebeat: so-filebeat:
docker_container.running: docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }}{{ FEATURES }} - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }}
- hostname: so-filebeat - hostname: so-filebeat
- user: root - user: root
- extra_hosts: {{ MANAGER }}:{{ MANAGERIP }},{{ LOCALHOSTNAME }}:{{ LOCALHOSTIP }} - extra_hosts: {{ MANAGER }}:{{ MANAGERIP }},{{ LOCALHOSTNAME }}:{{ LOCALHOSTIP }}
@@ -93,8 +91,8 @@ append_so-filebeat_so-status.conf:
{% else %} {% else %}
filebeat_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: filebeat_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/firewall/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'firewall' in top_states %}
# Firewall Magic for the grid # Firewall Magic for the grid
{% from 'firewall/map.jinja' import hostgroups with context %} {% from 'firewall/map.jinja' import hostgroups with context %}
@@ -138,8 +136,8 @@ iptables_drop_all_the_things:
{% else %} {% else %}
firewall_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: firewall_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

1
salt/fleet/init.sls
View File

@@ -1,3 +1,4 @@
{# this state can run regardless if in allowed_states or not #}
{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%}
{%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%} {%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%}
{%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%} {%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%}

10
salt/freqserver/init.sls
View File

@@ -12,10 +12,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'freqserver' in top_states %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -63,9 +61,9 @@ append_so-freq_so-status.conf:
{% else %} {% else %}
freqserver_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: freqserver_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/grafana/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'grafana' in top_states %}
{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
@@ -281,8 +279,8 @@ append_so-grafana_so-status.conf:
{% else %} {% else %}
grafana_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: grafana_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/healthcheck/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'healthcheck' in top_states %}
{% set CHECKS = salt['pillar.get']('healthcheck:checks', {}) %} {% set CHECKS = salt['pillar.get']('healthcheck:checks', {}) %}
{% set ENABLED = salt['pillar.get']('healthcheck:enabled', False) %} {% set ENABLED = salt['pillar.get']('healthcheck:enabled', False) %}
@@ -31,8 +29,8 @@ healthcheck_schedule_{{ STATUS[1] }}:
{% else %} {% else %}
healthcheck_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: healthcheck_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/idstools/init.sls
View File

@@ -12,10 +12,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'idstools' in top_states %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -83,8 +81,8 @@ append_so-idstools_so-status.conf:
{% else %} {% else %}
idstools_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: idstools_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif%} {% endif%}

10
salt/influxdb/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'influxdb' in top_states %}
{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
@@ -63,8 +61,8 @@ append_so-influxdb_so-status.conf:
{% else %} {% else %}
influxdb_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: influxdb_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

14
salt/kibana/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'kibana' in top_states %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -75,7 +73,7 @@ kibanabin:
# Start the kibana docker # Start the kibana docker
so-kibana: so-kibana:
docker_container.running: docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kibana:{{ VERSION }}{{ FEATURES }} - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kibana:{{ VERSION }}
- hostname: kibana - hostname: kibana
- user: kibana - user: kibana
- environment: - environment:
@@ -106,7 +104,7 @@ wait_for_kibana:
module.run: module.run:
- http.wait_for_successful_query: - http.wait_for_successful_query:
- url: "http://{{MANAGER}}:5601/api/saved_objects/_find?type=config" - url: "http://{{MANAGER}}:5601/api/saved_objects/_find?type=config"
- wait_for: 180 - wait_for: 900
- onchanges: - onchanges:
- file: kibanadashtemplate - file: kibanadashtemplate
@@ -128,8 +126,8 @@ so-kibana-config-load:
{% else %} {% else %}
kibana_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: kibana_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

12
salt/logstash/init.sls
View File

@@ -12,10 +12,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'logstash' in top_states %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -148,7 +146,7 @@ lslogdir:
so-logstash: so-logstash:
docker_container.running: docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logstash:{{ VERSION }}{{ FEATURES }} - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logstash:{{ VERSION }}
- hostname: so-logstash - hostname: so-logstash
- name: so-logstash - name: so-logstash
- user: logstash - user: logstash
@@ -209,8 +207,8 @@ append_so-logstash_so-status.conf:
{% else %} {% else %}
logstash_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: logstash_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/manager/init.sls
View File

@@ -12,10 +12,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'manager' in top_states %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -110,8 +108,8 @@ strelka_yara_update:
- minute: '1' - minute: '1'
{% else %} {% else %}
manager_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: manager_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/minio/init.sls
View File

@@ -12,10 +12,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'minio' in top_states %}
{% set access_key = salt['pillar.get']('minio:access_key', '') %} {% set access_key = salt['pillar.get']('minio:access_key', '') %}
{% set access_secret = salt['pillar.get']('minio:access_secret', '') %} {% set access_secret = salt['pillar.get']('minio:access_secret', '') %}
@@ -69,8 +67,8 @@ append_so-minio_so-status.conf:
{% else %} {% else %}
minio_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: minio_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/motd/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'motd' in top_states %}
so_motd: so_motd:
file.managed: file.managed:
@@ -11,8 +9,8 @@ so_motd:
{% else %} {% else %}
motd_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: motd_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/mysql/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'mysql' in top_states %}
{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %} {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %}
{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} {%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
@@ -112,8 +110,8 @@ append_so-mysql_so-status.conf:
{% else %} {% else %}
mysql_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: mysql_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/nginx/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'nginx' in top_states %}
{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} {% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} {% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
@@ -105,8 +103,8 @@ append_so-nginx_so-status.conf:
{% else %} {% else %}
nginx_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: nginx_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/nodered/init.sls
View File

@@ -12,10 +12,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'nodered' in top_states %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -86,8 +84,8 @@ so-nodered-flows:
{% else %} {% else %}
nodered_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: nodered_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/pcap/init.sls
View File

@@ -12,10 +12,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'pcap' in top_states %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -150,8 +148,8 @@ delete_so-steno_so-status.disabled:
{% else %} {% else %}
pcap_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: pcap_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/playbook/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'playbook' in top_states %}
{% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} {% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
@@ -114,8 +112,8 @@ so-playbookruleupdatecron:
{% else %} {% else %}
playbook_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: playbook_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/redis/init.sls
View File

@@ -12,10 +12,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'redis' in top_states %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -77,8 +75,8 @@ append_so-redis_so-status.conf:
{% else %} {% else %}
redis_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: redis_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/registry/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'registry' in top_states %}
# Create the config directory for the docker registry # Create the config directory for the docker registry
dockerregistryconfdir: dockerregistryconfdir:
@@ -64,8 +62,8 @@ append_so-dockerregistry_so-status.conf:
{% else %} {% else %}
registry_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: registry_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

12
salt/salt/master.sls
View File

@@ -1,10 +1,8 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'salt/map.jinja' import COMMON with context %} {% from 'salt/map.jinja' import COMMON with context %}
{% set show_top = salt['state.show_top']() %}
{% set top_states = show_top.values() | join(', ') %}
{% if 'salt.master' in top_states %}
include: include:
- salt.minion - salt.minion
@@ -37,8 +35,8 @@ engines_config:
{% else %} {% else %}
salt_master_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: salt_master_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/soc/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'soc' in top_states %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -141,8 +139,8 @@ append_so-kratos_so-status.conf:
{% else %} {% else %}
soc_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: soc_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/soctopus/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'soctopus' in top_states %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -80,8 +78,8 @@ append_so-soctopus_so-status.conf:
{% else %} {% else %}
soctopus_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: soctopus_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/ssl/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'ssl' in top_states %}
{% set manager = salt['grains.get']('master') %} {% set manager = salt['grains.get']('master') %}
{% set managerip = salt['pillar.get']('global:managerip', '') %} {% set managerip = salt['pillar.get']('global:managerip', '') %}
@@ -578,8 +576,8 @@ elastickeyperms:
{% else %} {% else %}
ssl_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: ssl_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

15
salt/strelka/init.sls
View File

@@ -12,10 +12,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'strelka' in top_states %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
{% set MANAGERIP = salt['pillar.get']('global:managerip', '') %} {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
@@ -94,6 +92,11 @@ strelkaunprocessed:
- group: 939 - group: 939
- makedirs: True - makedirs: True
# Check to see if Strelka frontend port is available
strelkaportavailable:
cmd.run:
- name: netstat -utanp | grep ":57314" | grep -qv docker && PROCESS=$(netstat -utanp | grep ":57314" | uniq) && echo "Another process ($PROCESS) appears to be using port 57314. Please terminate this process, or reboot to ensure a clean state so that Strelka can start properly." && exit 1 || exit 0
strelka_coordinator: strelka_coordinator:
docker_container.running: docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }} - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }}
@@ -194,8 +197,8 @@ strelka_zeek_extracted_sync:
{% else %} {% else %}
strelka_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: strelka_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/suricata/init.sls
View File

@@ -12,10 +12,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'suricata' in top_states %}
{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
{% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} {% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
@@ -172,8 +170,8 @@ disable_so-suricata_so-status.conf:
{% else %} {% else %}
suricata_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: suricata_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

11
salt/suricata/manager.sls
View File

@@ -1,3 +1,6 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
surilocaldir: surilocaldir:
file.directory: file.directory:
- name: /opt/so/saltstack/local/salt/suricata - name: /opt/so/saltstack/local/salt/suricata
@@ -17,3 +20,11 @@ refresh_salt_master_fileserver_suricata_ruleslink:
- name: fileserver.update - name: fileserver.update
- onchanges: - onchanges:
- file: ruleslink - file: ruleslink
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

8
salt/tcpreplay/init.sls
View File

@@ -1,4 +1,6 @@
{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' or grains['role'] == 'so-standalone' %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
@@ -17,8 +19,8 @@ so-tcpreplay:
{% else %} {% else %}
tcpreplay_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: tcpreplay_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

24
salt/telegraf/etc/telegraf.conf
View File

@@ -674,6 +674,8 @@
"/scripts/influxdbsize.sh" "/scripts/influxdbsize.sh"
] ]
data_format = "influx" data_format = "influx"
## Timeout for each command to complete.
timeout = "15s"
{% elif grains['role'] in ['so-sensor', 'so-heavynode'] %} {% elif grains['role'] in ['so-sensor', 'so-heavynode'] %}
[[inputs.exec]] [[inputs.exec]]
commands = [ commands = [
@@ -685,6 +687,7 @@
"/scripts/oldpcap.sh" "/scripts/oldpcap.sh"
] ]
data_format = "influx" data_format = "influx"
timeout = "15s"
{% elif grains['role'] == 'so-standalone' %} {% elif grains['role'] == 'so-standalone' %}
[[inputs.exec]] [[inputs.exec]]
commands = [ commands = [
@@ -698,6 +701,7 @@
"/scripts/oldpcap.sh" "/scripts/oldpcap.sh"
] ]
data_format = "influx" data_format = "influx"
timeout = "15s"
{% elif grains['role'] == 'so-eval' %} {% elif grains['role'] == 'so-eval' %}
[[inputs.exec]] [[inputs.exec]]
commands = [ commands = [
@@ -711,6 +715,7 @@
"/scripts/influxdbsize.sh" "/scripts/influxdbsize.sh"
] ]
data_format = "influx" data_format = "influx"
timeout = "15s"
{% elif grains['role'] == 'so-helix' %} {% elif grains['role'] == 'so-helix' %}
[[inputs.exec]] [[inputs.exec]]
commands = [ commands = [
@@ -723,19 +728,16 @@
"/scripts/helixeps.sh" "/scripts/helixeps.sh"
] ]
data_format = "influx" data_format = "influx"
timeout = "15s"
{% endif %} {% endif %}
# ## measurement name suffix (for separating different commands)
# ## Timeout for each command to complete. # name_suffix = "_mycollector"
# timeout = "5s"
# ## Data format to consume.
# ## measurement name suffix (for separating different commands) ## Each data format has its own unique set of configuration options, read
# name_suffix = "_mycollector" ## more about them here:
# ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_INPUT.md
# ## Data format to consume.
# ## Each data format has its own unique set of configuration options, read
# ## more about them here:
# ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_INPUT.md

11
salt/telegraf/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'telegraf' in top_states %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
@@ -50,6 +48,7 @@ so-telegraf:
- HOST_MOUNT_PREFIX=/host - HOST_MOUNT_PREFIX=/host
- GODEBUG=x509ignoreCN=0 - GODEBUG=x509ignoreCN=0
- network_mode: host - network_mode: host
- init: True
- binds: - binds:
- /opt/so/log/telegraf:/var/log/telegraf:rw - /opt/so/log/telegraf:/var/log/telegraf:rw
- /opt/so/conf/telegraf/etc/telegraf.conf:/etc/telegraf/telegraf.conf:ro - /opt/so/conf/telegraf/etc/telegraf.conf:/etc/telegraf/telegraf.conf:ro
@@ -81,8 +80,8 @@ append_so-telegraf_so-status.conf:
{% else %} {% else %}
telegraf_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: telegraf_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/thehive/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'thehive' in top_states %}
{% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} {% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
@@ -152,8 +150,8 @@ thehivescript:
{% else %} {% else %}
thehive_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: thehive_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

57
salt/top.sls
View File

@@ -292,47 +292,6 @@ base:
{%- endif %} {%- endif %}
- docker_clean - docker_clean
# Search node logic
'*_node and I@node:node_type:parser and G@saltversion:{{saltversion}}':
- match: compound
- firewall
{%- if LOGSTASH %}
- logstash
{%- endif %}
{%- if FLEETMANAGER or FLEETNODE %}
- fleet.install_package
{%- endif %}
- schedule
- docker_clean
'*_node and I@node:node_type:hot and G@saltversion:{{saltversion}}':
- match: compound
- firewall
{%- if LOGSTASH %}
- logstash
{%- endif %}
{%- if CURATOR %}
- curator
{%- endif %}
{%- if FLEETMANAGER or FLEETNODE %}
- fleet.install_package
{%- endif %}
- schedule
- docker_clean
'*_node and I@node:node_type:warm and G@saltversion:{{saltversion}}':
- match: compound
- firewall
{%- if ELASTICSEARCH %}
- elasticsearch
{%- endif %}
{%- if FLEETMANAGER or FLEETNODE %}
- fleet.install_package
{%- endif %}
- schedule
- docker_clean
'*_searchnode and G@saltversion:{{saltversion}}': '*_searchnode and G@saltversion:{{saltversion}}':
- match: compound - match: compound
- ca - ca
@@ -361,21 +320,6 @@ base:
- schedule - schedule
- docker_clean - docker_clean
'*_managersensor and G@saltversion:{{saltversion}}':
- match: compound
- nginx
- telegraf
- influxdb
- grafana
- firewall
- sensor
- manager
{%- if FLEETMANAGER or FLEETNODE %}
- fleet.install_package
{%- endif %}
- schedule
- docker_clean
'*_managersearch and G@saltversion:{{saltversion}}': '*_managersearch and G@saltversion:{{saltversion}}':
- match: compound - match: compound
- salt.master - salt.master
@@ -494,6 +438,7 @@ base:
- fleet - fleet
- fleet.install_package - fleet.install_package
- filebeat - filebeat
- schedule
- docker_clean - docker_clean
'*_import and G@saltversion:{{saltversion}}': '*_import and G@saltversion:{{saltversion}}':

10
salt/utility/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'utility' in top_states %}
# This state is for checking things # This state is for checking things
{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] %} {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] %}
@@ -27,8 +25,8 @@ fixsearch:
{% else %} {% else %}
utility_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: utility_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

17
salt/wazuh/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'wazuh' in top_states %}
{%- set HOSTNAME = salt['grains.get']('host', '') %} {%- set HOSTNAME = salt['grains.get']('host', '') %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
@@ -96,15 +94,10 @@ wazuhmgrwhitelist:
- mode: 755 - mode: 755
- template: jinja - template: jinja
# Reserve OS port for Wazuh API
wazuhreserveport:
cmd.run:
- name: grep -q 55000 /proc/sys/net/ipv4/ip_local_reserved_ports || sysctl -w net.ipv4.ip_local_reserved_ports="55000" > /dev/null && echo "55000" >> /proc/sys/net/ipv4/ip_local_reserved_ports
# Check to see if Wazuh API port is available # Check to see if Wazuh API port is available
wazuhportavailable: wazuhportavailable:
cmd.run: cmd.run:
- name: netstat -anp | grep 55000 | grep -qv docker && PROCESS=$(netstat -anp | grep 55000 | awk '{print $NF}' | uniq) && echo "Another process ($PROCESS) appears to be using port 55000. Please terminate this process, or reboot to ensure a clean state so that the Wazuh API can start properly." && exit 1 || exit 0 - name: netstat -utanp | grep ":55000" | grep -qv docker && PROCESS=$(netstat -utanp | grep ":55000" | uniq) && echo "Another process ($PROCESS) appears to be using port 55000. Please terminate this process, or reboot to ensure a clean state so that the Wazuh API can start properly." && exit 1 || exit 0
so-wazuh: so-wazuh:
docker_container.running: docker_container.running:
@@ -164,8 +157,8 @@ hidsruledir:
{% else %} {% else %}
wazuh_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: wazuh_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/yum/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'yum' in top_states %}
yumconf: yumconf:
file.managed: file.managed:
@@ -12,8 +10,8 @@ yumconf:
{% else %} {% else %}
yum_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: yum_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

10
salt/zeek/init.sls
View File

@@ -1,7 +1,5 @@
{% set show_top = salt['state.show_top']() %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% set top_states = show_top.values() | join(', ') %} {% if sls in allowed_states %}
{% if 'zeek' in top_states %}
{% from "zeek/map.jinja" import START with context %} {% from "zeek/map.jinja" import START with context %}
@@ -211,8 +209,8 @@ disable_so-zeek_so-status.conf:
{% else %} {% else %}
zeek_state_not_allowed: {{sls}}_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: zeek_state_not_allowed - name: {{sls}}_state_not_allowed
{% endif %} {% endif %}