Merge branch 'dev' into kilo

2026-02-25 08:25:29 +01:00 · 2021-12-21 13:37:37 -05:00
parent d4f395b7f4 2f88f08be2
commit 62e5914ab8
39 changed files with 406 additions and 193 deletions
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -50,7 +50,6 @@
          'learn'
          ],
      'so-heavynode': [
-          'ca',
          'ssl',
          'nginx',
          'telegraf',
@@ -80,7 +79,6 @@
          'docker_clean'
          ],
      'so-fleet': [
-          'ca',
          'ssl',
          'nginx',
          'telegraf',
@@ -157,7 +155,6 @@
          'learn'
          ],
      'so-node': [
-          'ca',
          'ssl',
          'nginx',
          'telegraf',
@@ -191,7 +188,6 @@
          'learn'
          ],
      'so-sensor': [
-          'ca',
          'ssl',
          'telegraf',
          'firewall',
@@ -205,9 +201,16 @@
          'tcpreplay',
          'docker_clean'
          ],
+      'so-receiver': [
+          'ssl',
+          'telegraf',
+          'firewall',
+          'schedule',
+          'docker_clean'
+          ],
  }, grain='role') %}

-  {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import'] %}
+  {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import', 'so-receiver'] %}
    {% do allowed_states.append('filebeat') %}
  {% endif %}

@@ -215,7 +218,7 @@
    {% do allowed_states.append('mysql') %}
  {% endif %}

-  {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %}
+  {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
    {% do allowed_states.append('fleet.install_package') %}
  {% endif %}

@@ -235,7 +238,7 @@
    {% do allowed_states.append('strelka') %}
  {% endif %}

-  {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode']%}
+  {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver']%}
    {% do allowed_states.append('wazuh') %}
  {% endif %}

@@ -280,11 +283,11 @@
    {% do allowed_states.append('domainstats') %}
  {% endif %}

-  {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %}
+  {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
    {% do allowed_states.append('logstash') %}
  {% endif %}

-  {% if REDIS and grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %}
+  {% if REDIS and grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
    {% do allowed_states.append('redis') %}
  {% endif %}

--- a/salt/common/tools/sbin/so-logstash-events
+++ b/salt/common/tools/sbin/so-logstash-events
@@ -14,7 +14,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>
-{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+{% set MAININT = salt['pillar.get']('host:mainint') -%}
+{% set NODEIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] -%}

 . /usr/sbin/so-common

--- a/salt/common/tools/sbin/so-logstash-pipeline-stats
+++ b/salt/common/tools/sbin/so-logstash-pipeline-stats
@@ -14,7 +14,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>
-{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+{% set MAININT = salt['pillar.get']('host:mainint') -%}
+{% set NODEIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] -%}

 . /usr/sbin/so-common

--- a/salt/elasticsearch/files/scripts/so-catrust
+++ b/salt/elasticsearch/files/scripts/so-catrust
@@ -24,8 +24,8 @@ set -e

 # Check to see if we have extracted the ca cert.
 if [ ! -f /opt/so/saltstack/local/salt/common/cacerts ]; then
-    docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }} -keystore /etc/ssl/certs/java/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt
-    docker cp so-elasticsearchca:/etc/ssl/certs/java/cacerts /opt/so/saltstack/local/salt/common/cacerts
+    docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }} -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt
+    docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/common/cacerts
    docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
    docker rm so-elasticsearchca
    echo "" >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
@@ -33,4 +33,4 @@ if [ ! -f /opt/so/saltstack/local/salt/common/cacerts ]; then
    cat /etc/pki/ca.crt >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
 else
    exit 0
-fi
+fi
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -134,7 +134,7 @@ esrolesdir:
 eslibdir:
  file.absent:
    - name: /opt/so/conf/elasticsearch/lib
-   
+
 esingestdynamicconf:
  file.recurse:
    - name: /opt/so/conf/elasticsearch/ingest
@@ -275,7 +275,7 @@ so-elasticsearch:
      - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
      - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
      - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
-      - /opt/so/conf/ca/cacerts:/etc/ssl/certs/java/cacerts:ro
+      - /opt/so/conf/ca/cacerts:/usr/share/elasticsearch/jdk/lib/security/cacerts:ro
      {% if ismanager %}
      - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
      {% else %}
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -321,7 +321,28 @@ output.logstash:
  enabled: true

  # The Logstash hosts
-  hosts: ["{{ MANAGER }}:5644"]
+  hosts:
+{%- if grains.role in ['so-sensor', 'so-fleet', 'so-node'] %}
+{%-   set LOGSTASH = namespace() %}
+{%-   set LOGSTASH.count = 0 %}
+{%-   set LOGSTASH.loadbalance = false %}
+{%-   set node_data = salt['pillar.get']('logstash:nodes') %}
+{%-   for node_type, node_details in node_data.items() | sort -%}
+{%-     if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %}
+{%-       for hostname in node_data[node_type].keys() %}
+{%-         set LOGSTASH.count = LOGSTASH.count + 1 %}
+    - "{{ hostname }}:5644" #{{ node_details[hostname].ip }}
+{%-       endfor %}
+{%-     endif %}
+{%-     if LOGSTASH.count > 1 %}
+{%-       set LOGSTASH.loadbalance = true %}
+{%-     endif %}
+{%-   endfor %}
+
+  loadbalance: {{ LOGSTASH.loadbalance | lower }}
+{%- else %}
+    - "{{ grains.host }}:5644"
+{%- endif %}

  # Number of workers per Logstash host.
  worker: {{ FBLSWORKERS }}
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -17,12 +17,10 @@
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set LOCALHOSTNAME = salt['grains.get']('host') %}
-{% set MAININT = salt['pillar.get']('host:mainint') %}
-{% set LOCALHOSTIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
 {% set MANAGER = salt['grains.get']('master') %}
-{% set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
 {% from 'filebeat/map.jinja' import THIRDPARTY with context %}
 {% from 'filebeat/map.jinja' import SO with context %}
+{% from 'filebeat/map.jinja' import FILEBEAT_EXTRA_HOSTS with context %}
 {% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %}

 include:
@@ -111,7 +109,7 @@ so-filebeat:
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }}
    - hostname: so-filebeat
    - user: root
-    - extra_hosts: {{ MANAGER }}:{{ MANAGERIP }},{{ LOCALHOSTNAME }}:{{ LOCALHOSTIP }}
+    - extra_hosts: {{ FILEBEAT_EXTRA_HOSTS }}
    - binds:
      - /nsm:/nsm:ro
      - /opt/so/log/filebeat:/usr/share/filebeat/logs:rw
--- a/salt/filebeat/map.jinja
+++ b/salt/filebeat/map.jinja
@@ -4,3 +4,20 @@
 {% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
 {% set SO = SODEFAULTS.securityonion_filebeat %}
 {#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#}
+
+{% set role = grains.role %}
+{% set FILEBEAT_EXTRA_HOSTS = [] %}
+{% set mainint = salt['pillar.get']('host:mainint') %}
+{% set localhostip = salt['grains.get']('ip_interfaces').get(mainint)[0] %}
+{% if role in ['so-sensor', 'so-fleet', 'so-node' ] %}
+  {% set node_data = salt['pillar.get']('logstash:nodes') %}
+  {% for node_type, node_details in node_data.items() | sort %}
+    {% if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %}
+      {% for hostname in node_data[node_type].keys() %}
+        {% do FILEBEAT_EXTRA_HOSTS.append({hostname:node_details[hostname].ip}) %}
+      {% endfor %}
+    {% endif %}
+  {% endfor %}
+{% endif %}
+
+{% do FILEBEAT_EXTRA_HOSTS.append({grains.host:localhostip}) %}
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -604,3 +604,52 @@ role:
          minion:
            portgroups:
              - {{ portgroups.salt_manager }}
+
+  receiver:
+    chain:
+      DOCKER-USER:
+        hostgroups:
+          sensor:
+            portgroups:
+              - {{ portgroups.beats_5644 }}
+          search_node:
+            portgroups:
+              - {{ portgroups.redis }}
+              - {{ portgroups.beats_5644 }}
+          self:
+            portgroups:
+              - {{ portgroups.redis }}
+              - {{ portgroups.syslog}}
+              - {{ portgroups.beats_5644 }}
+          syslog:
+            portgroups:
+              - {{ portgroups.syslog }}
+          beats_endpoint:
+            portgroups:
+              - {{ portgroups.beats_5044 }}
+          beats_endpoint_ssl:
+            portgroups:
+              - {{ portgroups.beats_5644 }}
+          endgame:
+            portgroups:
+              - {{ portgroups.endgame }}
+          wazuh_agent:
+            portgroups:
+              - {{ portgroups.wazuh_agent }}
+          wazuh_api:
+            portgroups:
+              - {{ portgroups.wazuh_api }}
+          wazuh_authd:
+            portgroups:
+              - {{ portgroups.wazuh_authd }}
+      INPUT:
+        hostgroups:
+          anywhere:
+            portgroups:
+              - {{ portgroups.ssh }}
+          dockernet:
+            portgroups:
+              - {{ portgroups.all }}
+          localhost:
+            portgroups:
+              - {{ portgroups.all }}
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -75,7 +75,7 @@ fleetdb:

 fleetdbuser:
  mysql_user.present:
-    - host: {{ DNET }}/255.255.0.0
+    - host: {{ DNET }}/255.255.255.0
    - password: {{ FLEETPASS }}
    - connection_host: {{ MAINIP }}
    - connection_port: 3306
@@ -89,7 +89,7 @@ fleetdbpriv:
    - grant: all privileges
    - database: fleet.*
    - user: fleetdbuser
-    - host: {{ DNET }}/255.255.0.0
+    - host: {{ DNET }}/255.255.255.0
    - connection_host: {{ MAINIP }}
    - connection_port: 3306
    - connection_user: root
--- a/salt/kibana/bin/so-kibana-config-load
+++ b/salt/kibana/bin/so-kibana-config-load
@@ -35,7 +35,7 @@ update() {
  wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}"  
  IFS=$'\r\n' GLOBIGNORE='*' command eval  'LINES=($(cat $1))'
  for i in "${LINES[@]}"; do
-    {{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.15.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i "
+    {{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.16.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i "
  done

 }
--- a/salt/kibana/files/config_saved_objects.ndjson
+++ b/salt/kibana/files/config_saved_objects.ndjson
@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "7.15.2","id": "7.15.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "7.16.2","id": "7.16.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -36,17 +36,13 @@
  {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %}
  {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}

-  {% if grains.role in ['so-heavynode'] %}
-    {% set EXTRAHOSTHOSTNAME = salt['grains.get']('host') %}
-    {% set EXTRAHOSTIP = salt['pillar.get']('sensor:mainip') %}
-  {% else %}
-    {% set EXTRAHOSTHOSTNAME = MANAGER %}
-    {% set EXTRAHOSTIP = MANAGERIP %}
-  {% endif %}
+  {% from 'logstash/map.jinja' import REDIS_NODES with context %}

 include:
  - ssl
+{% if grains.role not in ['so-receiver'] %}
  - elasticsearch
+{% endif %}

 # Create the logstash group
 logstashgroup:
@@ -157,8 +153,7 @@ so-logstash:
    - hostname: so-logstash
    - name: so-logstash
    - user: logstash
-    - extra_hosts:
-      - {{ EXTRAHOSTHOSTNAME }}:{{ EXTRAHOSTIP }}
+    - extra_hosts: {{ REDIS_NODES }}
    - environment:
      - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
    - port_bindings:
@@ -174,18 +169,20 @@ so-logstash:
      - /nsm/logstash:/usr/share/logstash/data:rw
      - /opt/so/log/logstash:/var/log/logstash:rw
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-  {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}
+      - /opt/so/conf/logstash/etc/certs:/usr/share/logstash/certs:ro
+  {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
      - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro
      - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
  {% endif %}
-      - /opt/so/conf/logstash/etc/certs:/usr/share/logstash/certs:ro
-  {% if grains['role'] == 'so-heavynode' %}
-      - /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
-  {% else %}
+  {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
      - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
+  {% else %}
+      - /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
  {% endif %}
+  {% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-node'] %}
      - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
      - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
+  {% endif %}
  {%- if grains['role'] == 'so-eval' %}
      - /nsm/zeek:/nsm/zeek:ro
      - /nsm/suricata:/suricata:ro
@@ -206,16 +203,18 @@ so-logstash:
      - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}
  {% endfor %}
    - require:
-  {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}
+  {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
      - x509: etc_filebeat_crt
  {% endif %}
-  {% if grains['role'] == 'so-heavynode' %}
-      - x509: trusttheca
-  {% else %}
+  {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
      - x509: pki_public_ca_crt
+  {% else %}
+      - x509: trusttheca
  {% endif %}
+  {% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
      - file: cacertz
      - file: capemz
+  {% endif %}

 append_so-logstash_so-status.conf:
  file.append:
--- a/salt/logstash/map.jinja
+++ b/salt/logstash/map.jinja
@@ -0,0 +1,16 @@
+{% set role = grains.role %}
+{% set REDIS_NODES = [] %}
+{% set mainint = salt['pillar.get']('host:mainint') %}
+{% set localhostip = salt['grains.get']('ip_interfaces').get(mainint)[0] %}
+{% if role in ['so-node', 'so-standalone', 'so-managersearch'] %}
+  {% set node_data = salt['pillar.get']('logstash:nodes') %}
+  {% for node_type, node_details in node_data.items() | sort %}
+    {% if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %}
+      {% for hostname in node_data[node_type].keys() %}
+        {% do REDIS_NODES.append({hostname:node_details[hostname].ip}) %}
+      {% endfor %}
+    {% endif %}
+  {% endfor %}
+{% else %}
+  {% do REDIS_NODES.append({grains.host:localhostip}) %}
+{% endif %}
--- a/salt/logstash/pipelines/config/so/0009_input_beats.conf
+++ b/salt/logstash/pipelines/config/so/0009_input_beats.conf
@@ -8,4 +8,4 @@ filter {
  mutate {
    rename => {"@metadata" => "metadata"}
  }
-}
+}
--- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
@@ -1,19 +1,20 @@
-{%- if grains.role in ['so-heavynode'] %}
-  {%- set HOST = salt['grains.get']('host') %}
-{%- else %}
-  {%- set HOST = salt['grains.get']('master') %}
-{%- endif %}
-  {%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
-{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{% set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') -%}
+{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) -%}
+{% from 'logstash/map.jinja' import REDIS_NODES with context -%}
+
+{% for index in range(REDIS_NODES|length) -%}
+{%   for host in REDIS_NODES[index] -%}
 input {
-	redis {
-		host => '{{ HOST }}'
-		port => 9696
-		ssl => true
-		data_type => 'list'
-		key => 'logstash:unparsed'
-		type => 'redis-input'
-		threads => {{ THREADS }}
-		batch_count => {{ BATCH }}
-	}
+        redis {
+                host => '{{ host }}'
+                port => 9696
+                ssl => true
+                data_type => 'list'
+                key => 'logstash:unparsed'
+                type => 'redis-input'
+                threads => {{ THREADS }}
+                batch_count => {{ BATCH }}
+        }
 }
+{%   endfor %}
+{% endfor -%}
--- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
@@ -1,4 +1,4 @@
-{%- if grains.role in ['so-heavynode'] %}
+{%- if grains.role in ['so-heavynode', 'so-receiver'] %}
  {%- set HOST = salt['grains.get']('host') %}
 {%- else %}
  {%- set HOST = salt['grains.get']('master') %}
--- a/salt/redis/init.sls
+++ b/salt/redis/init.sls
@@ -66,7 +66,11 @@ so-redis:
      - /opt/so/conf/redis/working:/redis:rw
      - /etc/pki/redis.crt:/certs/redis.crt:ro
      - /etc/pki/redis.key:/certs/redis.key:ro
+  {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
      - /etc/pki/ca.crt:/certs/ca.crt:ro
+  {% else %}
+      - /etc/ssl/certs/intca.crt:/certs/ca.crt:ro
+  {% endif %}
    - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
    - watch:
      - file: /opt/so/conf/redis/etc
@@ -74,7 +78,11 @@ so-redis:
      - file: redisconf
      - x509: redis_crt
      - x509: redis_key
+  {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
      - x509: pki_public_ca_crt
+  {% else %}
+      - x509: trusttheca
+  {% endif %}

 append_so-redis_so-status.conf:
  file.append:
--- a/salt/salt/etc/minion.d/mine_functions.conf
+++ b/salt/salt/etc/minion.d/mine_functions.conf
@@ -0,0 +1,4 @@
+mine_interval: 35
+mine_functions:
+  network.ip_addrs:
+    - interface: {{ pillar.host.mainint }}
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -76,14 +76,23 @@ salt_minion_service_unit_file:
      - module: systemd_reload
    - listen_in:
      - service: salt_minion_service
+
 {% endif %}

+mine_functions:
+  file.managed:
+    - name: /etc/salt/minion.d/mine_functions.conf
+    - source: salt://salt/etc/minion.d/mine_functions.conf
+    - template: jinja
+
 # this has to be outside the if statement above since there are <requisite>_in calls to this state
 salt_minion_service:
  service.running:
    - name: salt-minion
    - enable: True
    - onlyif: test "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}"
+    - watch:
+      - file: mine_functions

 patch_pkg:
  pkg.installed:
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -15,9 +15,11 @@
  {% set COMMONNAME = manager %}
 {% endif %}

-{% if grains.id.split('_')|last in ['manager', 'eval', 'standalone', 'import', 'helixsensor'] %}
+{% if grains.id.split('_')|last in ['manager', 'managersearch', 'eval', 'standalone', 'import', 'helixsensor'] %}
    {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
    {% set ca_server = grains.id %}
+include:
+  - ca
 {% else %}
    {% set x509dict = salt['mine.get']('*', 'x509.get_pem_entries') %}
    {% for host in x509dict %}
@@ -30,9 +32,6 @@
    {% set ca_server = global_ca_server[0] %}
 {% endif %}

-include:
-  - ca
-
 # Trust the CA
 trusttheca:
  x509.pem_managed:
@@ -70,7 +69,7 @@ removeesp12dir:
 influxdb_key:
  x509.private_key_managed:
    - name: /etc/pki/influxdb.key
-    - CN: {{ manager }}
+    - CN: {{ HOSTNAME }}
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
@@ -92,8 +91,8 @@ influxdb_crt:
    - ca_server: {{ ca_server }}
    - signing_policy: influxdb
    - public_key: /etc/pki/influxdb.key
-    - CN: {{ manager }}
-    - subjectAltName: DNS:{{ manager }}, IP:{{ managerip }} 
+    - CN: {{ HOSTNAME }}
+    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} 
    - days_remaining: 0
    - days_valid: 820
    - backup: True
@@ -115,12 +114,12 @@ influxkeyperms:
    - mode: 640
    - group: 939

-{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-fleet'] %}
+{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-fleet', 'so-receiver'] %}
 # Create a cert for Redis encryption
 redis_key:
  x509.private_key_managed:
    - name: /etc/pki/redis.key
-    - CN: {{ COMMONNAME }}
+    - CN: {{ HOSTNAME }}
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
@@ -139,9 +138,10 @@ redis_crt:
  x509.certificate_managed:
    - name: /etc/pki/redis.crt
    - ca_server: {{ ca_server }}
+    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}
    - signing_policy: registry
    - public_key: /etc/pki/redis.key
-    - CN: {{ COMMONNAME }}
+    - CN: {{ HOSTNAME }}
    - days_remaining: 0
    - days_valid: 820
    - backup: True
@@ -164,7 +164,7 @@ rediskeyperms:
    - group: 939
 {% endif %}

-{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}
+{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
 etc_filebeat_key:
  x509.private_key_managed:
    - name: /etc/pki/filebeat.key
@@ -190,7 +190,8 @@ etc_filebeat_crt:
    - ca_server: {{ ca_server }}
    - signing_policy: filebeat
    - public_key: /etc/pki/filebeat.key
-    - CN: {{ COMMONNAME }}
+    - CN: {{ HOSTNAME }}
+    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}
    - days_remaining: 0
    - days_valid: 820
    - backup: True
@@ -209,7 +210,6 @@ etc_filebeat_crt:
    - onchanges:
      - x509: etc_filebeat_key

-
 fbperms:
  file.managed:
    - replace: False
@@ -225,7 +225,7 @@ chownilogstashfilebeatp8:
    - user: 931
    - group: 939

-  {% if grains.role != 'so-heavynode' %}
+  {% if grains.role not in ['so-heavynode', 'so-receiver'] %}
 # Create Symlinks to the keys so I can distribute it to all the things
 filebeatdir:
  file.directory:
@@ -292,51 +292,8 @@ regkeyperms:
    - mode: 640
    - group: 939

-minio_key:
-  x509.private_key_managed:
-    - name: /etc/pki/minio.key
-    - CN: {{ manager }}
-    - bits: 4096
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/minio.key') -%}
-    - prereq:
-      - x509: /etc/pki/minio.crt
-    {%- endif %}
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Create a cert for minio
-minio_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/minio.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: registry
-    - public_key: /etc/pki/minio.key
-    - CN: {{ manager }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - unless:
-      # https://github.com/saltstack/salt/issues/52167
-      # Will trigger 5 days (432000 sec) from cert expiration
-      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/minio.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-miniokeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/minio.key
-    - mode: 640
-    - group: 939
  {% endif %}
+  {% if grains.role not in ['so-receiver'] %}
 # Create a cert for elasticsearch
 /etc/pki/elasticsearch.key:
  x509.private_key_managed:
@@ -360,7 +317,8 @@ miniokeyperms:
    - ca_server: {{ ca_server }}
    - signing_policy: registry
    - public_key: /etc/pki/elasticsearch.key
-    - CN: {{ COMMONNAME }}
+    - CN: {{ HOSTNAME }}
+    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}
    - days_remaining: 0
    - days_valid: 820
    - backup: True
@@ -379,7 +337,7 @@ miniokeyperms:
    - onchanges:
      - x509: /etc/pki/elasticsearch.key

-ealstickeyperms:
+elastickeyperms:
  file.managed:
    - replace: False
    - name: /etc/pki/elasticsearch.key
@@ -418,7 +376,7 @@ managerssl_crt:
    - ca_server: {{ ca_server }}
    - signing_policy: managerssl
    - public_key: /etc/pki/managerssl.key
-    - CN: {{ manager }}
+    - CN: {{ HOSTNAME }}
    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %}
    - days_remaining: 0
    - days_valid: 820
@@ -439,11 +397,13 @@ msslkeyperms:
    - mode: 640
    - group: 939

+  {% endif %}
+
 # Create a private key and cert for OSQuery
 fleet_key:
  x509.private_key_managed:
    - name: /etc/pki/fleet.key
-    - CN: {{ manager }}
+    - CN: {{ HOSTNAME }}
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
@@ -462,8 +422,8 @@ fleet_crt:
  x509.certificate_managed:
    - name: /etc/pki/fleet.crt
    - signing_private_key: /etc/pki/fleet.key
-    - CN: {{ manager }}
-    - subjectAltName: DNS:{{ manager }},IP:{{ managerip }}{% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }}{% endif %}
+    - CN: {{ HOSTNAME }}
+    - subjectAltName: DNS:{{ HOSTNAME }},IP:{{ MAINIP }}{% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }}{% endif %}
    - days_remaining: 0
    - days_valid: 820
    - backup: True
@@ -484,7 +444,8 @@ fleetkeyperms:
    - group: 939

 {% endif %}
-{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-import'] %}
+
+{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-import', 'so-receiver'] %}
   
 fbcertdir:
  file.directory:
@@ -516,7 +477,7 @@ conf_filebeat_crt:
    - ca_server: {{ ca_server }}
    - signing_policy: filebeat
    - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - CN: {{ COMMONNAME }}
+    - CN: {{ HOSTNAME }}
    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}
    - days_remaining: 0
    - days_valid: 820
@@ -675,6 +636,7 @@ fleetkeyperms:
    - signing_policy: registry
    - public_key: /etc/pki/elasticsearch.key
    - CN: {{ HOSTNAME }}
+    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}
    - days_remaining: 0
    - days_valid: 820
    - backup: True
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -63,7 +63,6 @@ base:

  '*_sensor and G@saltversion:{{saltversion}}':
    - match: compound
-    - ca
    - ssl
    - sensoroni
    - telegraf
@@ -298,7 +297,6 @@ base:

  '*_searchnode and G@saltversion:{{saltversion}}':
    - match: compound
-    - ca
    - ssl
    - sensoroni
    - nginx
@@ -391,7 +389,6 @@ base:

  '*_heavynode and G@saltversion:{{saltversion}}':
    - match: compound
-    - ca
    - ssl
    - sensoroni
    - nginx
@@ -433,7 +430,6 @@ base:
  
  '*_fleet and G@saltversion:{{saltversion}}':
    - match: compound
-    - ca
    - ssl
    - sensoroni
    - nginx
@@ -478,3 +474,27 @@ base:
    - docker_clean
    - pipeline.load
    - learn
+
+  '*_receiver and G@saltversion:{{saltversion}}':
+    - match: compound
+    - ssl
+    - sensoroni
+    - telegraf
+    - firewall
+    {%- if WAZUH != 0 %}
+    - wazuh
+    {%- endif %}
+    {%- if LOGSTASH %}
+    - logstash
+    {%- endif %}
+    {%- if REDIS %}
+    - redis
+    {%- endif %}
+    {%- if FILEBEAT %}
+    - filebeat
+    {%- endif %}
+    {%- if FLEETMANAGER or FLEETNODE %}
+    - fleet.install_package
+    {%- endif %}
+    - schedule
+    - docker_clean
--- a/salt/wazuh/files/agent/ossec.conf
+++ b/salt/wazuh/files/agent/ossec.conf
@@ -1,10 +1,6 @@
-{%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
-  {%- set ip = salt['pillar.get']('global:managerip', '') %}
-{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
-  {%- set ip = salt['pillar.get']('elasticsearch:mainip', '') %}
-{%- elif grains['role'] == 'so-sensor' %}
-  {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
-{%- endif %}
+{% set mainint = salt['pillar.get']('host:mainint') -%}
+{% set ip = salt['grains.get']('ip_interfaces').get(mainint)[0] -%}
+
 <!--
  Wazuh - Agent Configuration
  More info at: https://documentation.wazuh.com
--- a/salt/wazuh/files/agent/wazuh-register-agent
+++ b/salt/wazuh/files/agent/wazuh-register-agent
@@ -1,10 +1,6 @@
-{%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
-  {%- set ip = salt['pillar.get']('global:managerip', '') %}
-{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
-  {%- set ip = salt['pillar.get']('elasticsearch:mainip', '') %}
-{%- elif grains['role'] == 'so-sensor' %}
-  {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
-{%- endif %}
+{% set mainint = salt['pillar.get']('host:mainint') -%}
+{% set ip = salt['grains.get']('ip_interfaces').get(mainint)[0] -%}
+
 #!/bin/bash

 ###