From 6ce9561ba75405ff764e296dee7e010adbabaa30 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 11 May 2023 13:15:26 -0400 Subject: [PATCH] enabled/disable nginx via ui --- salt/manager/tools/sbin/so-minion | 15 +++ salt/nginx/config.sls | 110 ++++++++++++++++++++ salt/nginx/defaults.yaml | 5 +- salt/nginx/disabled.sls | 27 +++++ salt/nginx/enabled.sls | 69 +++++++++++++ salt/nginx/init.sls | 161 ++---------------------------- salt/nginx/map.jinja | 7 ++ salt/nginx/soc_nginx.yaml | 3 + salt/nginx/sostatus.sls | 21 ++++ 9 files changed, 264 insertions(+), 154 deletions(-) create mode 100644 salt/nginx/config.sls create mode 100644 salt/nginx/disabled.sls create mode 100644 salt/nginx/enabled.sls create mode 100644 salt/nginx/map.jinja create mode 100644 salt/nginx/sostatus.sls diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index e8e92bb71..97e183f2a 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -288,6 +288,13 @@ function add_influxdb_to_minion() { " " >> $PILLARFILE } +function add_nginx_to_minion() { + printf '%s\n'\ + "nginx:"\ + " enabled: True"\ + " " >> $PILLARFILE +} + function create_fleet_policy() { JSON_STRING=$( jq -n \ @@ -340,6 +347,7 @@ function createEVAL() { add_curator_to_minion add_telegraf_to_minion add_influxdb_to_minion + add_nginx_to_minion } function createSTANDALONE() { @@ -354,6 +362,7 @@ function createSTANDALONE() { add_curator_to_minion add_telegraf_to_minion add_influxdb_to_minion + add_nginx_to_minion } function createMANAGER() { @@ -366,6 +375,7 @@ function createMANAGER() { add_curator_to_minion add_telegraf_to_minion add_influxdb_to_minion + add_nginx_to_minion } function createMANAGERSEARCH() { @@ -378,6 +388,7 @@ function createMANAGERSEARCH() { add_curator_to_minion add_telegraf_to_minion add_influxdb_to_minion + add_nginx_to_minion } function createIMPORT() { 
@@ -386,6 +397,7 @@ function createIMPORT() { add_kibana_to_minion add_telegraf_to_minion add_influxdb_to_minion + add_nginx_to_minion } function createFLEET() { @@ -410,18 +422,21 @@ function createHEAVYNODE() { add_redis_to_minion add_curator_to_minion add_telegraf_to_minion + add_nginx_to_minion } function createSENSOR() { add_sensor_to_minion add_strelka_strelka_to_minion add_telegraf_to_minion + add_nginx_to_minion } function createSEARCHNODE() { add_elasticsearch_to_minion add_logstash_to_minion add_telegraf_to_minion + add_nginx_to_minion updateMine apply_ES_state } diff --git a/salt/nginx/config.sls b/salt/nginx/config.sls new file mode 100644 index 000000000..814bef815 --- /dev/null +++ b/salt/nginx/config.sls 
@@ -0,0 +1,110 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} + +include: + - ssl + +# Drop the correct nginx config based on role +nginxconfdir: + file.directory: + - name: /opt/so/conf/nginx/html + - user: 939 + - group: 939 + - makedirs: True + +nginxhtml: + file.recurse: + - name: /opt/so/conf/nginx/html + - source: salt://nginx/html/ + - user: 939 + - group: 939 + +nginxconf: + file.managed: + - name: /opt/so/conf/nginx/nginx.conf + - user: 939 + - group: 939 + - template: jinja + - source: salt://nginx/etc/nginx.conf + - show_changes: False + +nginxlogdir: + file.directory: + - name: /opt/so/log/nginx/ + - user: 939 + - group: 939 + - makedirs: True + +nginxtmp: + file.directory: + - name: /opt/so/tmp/nginx/tmp + - user: 939 + - group: 939 + - makedirs: True + +navigatorconfig: + file.managed: + - name: /opt/so/conf/navigator/navigator_config.json + - source: salt://nginx/files/navigator_config.json + - user: 939 + - group: 939 + - makedirs: True + - template: jinja + +navigatordefaultlayer: + file.managed: + - name: /opt/so/conf/navigator/nav_layer_playbook.json + - source: salt://nginx/files/nav_layer_playbook.json + - user: 939 + - group: 939 + - makedirs: True + - replace: False + - template: jinja + +navigatorpreattack: + file.managed: + - name: /opt/so/conf/navigator/pre-attack.json + - source: salt://nginx/files/pre-attack.json + - user: 939 + - group: 939 + - makedirs: True + - replace: False + +navigatorenterpriseattack: + file.managed: + - name: /opt/so/conf/navigator/enterprise-attack.json + - source: salt://nginx/files/enterprise-attack.json + - user: 939 + - group: 939 + - 
makedirs: True + - replace: False + +nginx_sbin: + file.recurse: + - name: /usr/sbin + - source: salt://nginx/tools/sbin + - user: 939 + - group: 939 + - file_mode: 755 + +#nginx_sbin_jinja: +# file.recurse: +# - name: /usr/sbin +# - source: salt://nginx/tools/sbin_jinja +# - user: 939 +# - group: 939 +# - file_mode: 755 +# - template: jinja + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/nginx/defaults.yaml b/salt/nginx/defaults.yaml index cf051274b..66ba64d2d 100644 --- a/salt/nginx/defaults.yaml +++ b/salt/nginx/defaults.yaml @@ -1,3 +1,4 @@ nginx: - config: - replace_cert: False \ No newline at end of file + enabled: False + config: + replace_cert: False diff --git a/salt/nginx/disabled.sls b/salt/nginx/disabled.sls new file mode 100644 index 000000000..1e94a7a3b --- /dev/null +++ b/salt/nginx/disabled.sls @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} + +include: + - nginx.sostatus + +so-nginx: + docker_container.absent: + - force: True + +so-nginx_so-status.disabled: + file.comment: + - name: /opt/so/conf/so-status/so-status.conf + - regex: ^so-nginx$ + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls new file mode 100644 index 000000000..592388cf6 --- /dev/null +++ b/salt/nginx/enabled.sls 
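Review bot: `nginx_sbin` in config.sls copies `salt://nginx/tools/sbin` into `/usr/sbin` with `user: 939` and `group: 939`, so executables on root's PATH end up owned by the same non-root account that owns the nginx config and log directories in this file. If that account is ever compromised, it can rewrite those scripts and wait for a privileged user to run them. The state is carried over unchanged from the old init.sls, but since it is being moved anyway, consider `- user: root` and `- group: root` while keeping `- file_mode: 755`. The commented-out `nginx_sbin_jinja` block has the same ownership and should be fixed or dropped with it.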
@@ -0,0 +1,69 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'docker/docker.map.jinja' import DOCKER %} + +include: + - nginx.config + - nginx.sostatus + +so-nginx: + docker_container.running: + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }} + - hostname: so-nginx + - networks: + - sobridge: + - ipv4_address: {{ DOCKER.containers['so-nginx'].ip }} + - extra_hosts: + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + - binds: + - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro + - /opt/so/log/nginx/:/var/log/nginx:rw + - /opt/so/tmp/nginx/:/var/lib/nginx:rw + - /opt/so/tmp/nginx/:/run:rw + - /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/:/opt/socore/html/packages + - /nsm/elastic-fleet/artifacts/:/opt/socore/html/artifacts + {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} + - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro + - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro + # ATT&CK Navigator binds + - /opt/so/conf/navigator/navigator_config.json:/opt/socore/html/navigator/assets/config.json:ro + - /opt/so/conf/navigator/nav_layer_playbook.json:/opt/socore/html/navigator/assets/playbook.json:ro + - /opt/so/conf/navigator/enterprise-attack.json:/opt/socore/html/navigator/assets/enterprise-attack.json:ro + - /opt/so/conf/navigator/pre-attack.json:/opt/socore/html/navigator/assets/pre-attack.json:ro + - /nsm/repo:/opt/socore/html/repo:ro + {% endif %} + - cap_add: NET_BIND_SERVICE + - 
port_bindings: + {% for BINDING in DOCKER.containers['so-nginx'].port_bindings %} + - {{ BINDING }} + {% endfor %} + - watch: + - file: nginxconf + - file: nginxconfdir + - require: + - file: nginxconf + {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} + - x509: managerssl_key + - x509: managerssl_crt + - file: navigatorconfig + - file: navigatordefaultlayer + {% endif %} + +delete_so-nginx_so-status.disabled: + file.uncomment: + - name: /opt/so/conf/so-status/so-status.conf + - regex: ^so-nginx$ + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index c66af0837..9869aa5d7 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls 
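Review bot: The binds `/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/:/opt/socore/html/packages` and `/nsm/elastic-fleet/artifacts/:/opt/socore/html/artifacts` in enabled.sls carry no mode, so Docker mounts them read-write, unlike the `:ro` mounts around them. The first sits under the local Salt file tree, so a compromised nginx container could alter the agent installers that are served from there. Unless something inside the container has to write to these paths, append `:ro` to both. Separately, `watch` lists only `nginxconf` and `nginxconfdir`, so a reissued certificate will presumably not restart the container; `- x509: managerssl_crt` under `watch`, inside the same role conditional, would cover that.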
@@ -1,156 +1,13 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'nginx/map.jinja' import NGINXMERGED %} include: - - ssl - -# Drop the correct nginx config based on role -nginxconfdir: - file.directory: - - name: /opt/so/conf/nginx/html - - user: 939 - - group: 939 - - makedirs: True - -nginxhtml: - file.recurse: - - name: /opt/so/conf/nginx/html - - source: salt://nginx/html/ - - user: 939 - - group: 939 - -nginxconf: - file.managed: - - name: /opt/so/conf/nginx/nginx.conf - - user: 939 - - group: 939 - - template: jinja - - source: salt://nginx/etc/nginx.conf - - show_changes: False - -nginxlogdir: - file.directory: - - name: /opt/so/log/nginx/ - - user: 939 - - group: 939 - - makedirs: True - -nginxtmp: - file.directory: - - name: /opt/so/tmp/nginx/tmp - - user: 939 - - group: 939 - - makedirs: True - -navigatorconfig: - file.managed: - - name: /opt/so/conf/navigator/navigator_config.json - - source: salt://nginx/files/navigator_config.json - - user: 939 - - group: 939 - - makedirs: True - - template: jinja - -navigatordefaultlayer: - file.managed: - - name: /opt/so/conf/navigator/nav_layer_playbook.json - - source: salt://nginx/files/nav_layer_playbook.json - - user: 939 - - group: 939 - - makedirs: True - - replace: False - - template: jinja - -navigatorpreattack: - file.managed: - - name: /opt/so/conf/navigator/pre-attack.json - - source: salt://nginx/files/pre-attack.json - - user: 939 - - group: 939 - - makedirs: True - - replace: False - -navigatorenterpriseattack: - file.managed: - - name: 
/opt/so/conf/navigator/enterprise-attack.json - - source: salt://nginx/files/enterprise-attack.json - - user: 939 - - group: 939 - - makedirs: True - - replace: False - -nginx_sbin: - file.recurse: - - name: /usr/sbin - - source: salt://nginx/tools/sbin - - user: 939 - - group: 939 - - file_mode: 755 - -#nginx_sbin_jinja: -# file.recurse: -# - name: /usr/sbin -# - source: salt://nginx/tools/sbin_jinja -# - user: 939 -# - group: 939 -# - file_mode: 755 -# - template: jinja - -so-nginx: - docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }} - - hostname: so-nginx - - networks: - - sobridge: - - ipv4_address: {{ DOCKER.containers['so-nginx'].ip }} - - extra_hosts: - - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - - binds: - - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - - /opt/so/log/nginx/:/var/log/nginx:rw - - /opt/so/tmp/nginx/:/var/lib/nginx:rw - - /opt/so/tmp/nginx/:/run:rw - - /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/:/opt/socore/html/packages - - /nsm/elastic-fleet/artifacts/:/opt/socore/html/artifacts - {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} - - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro - - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro - # ATT&CK Navigator binds - - /opt/so/conf/navigator/navigator_config.json:/opt/socore/html/navigator/assets/config.json:ro - - /opt/so/conf/navigator/nav_layer_playbook.json:/opt/socore/html/navigator/assets/playbook.json:ro - - /opt/so/conf/navigator/enterprise-attack.json:/opt/socore/html/navigator/assets/enterprise-attack.json:ro - - /opt/so/conf/navigator/pre-attack.json:/opt/socore/html/navigator/assets/pre-attack.json:ro - - /nsm/repo:/opt/socore/html/repo:ro - - {% endif %} - - cap_add: NET_BIND_SERVICE - - port_bindings: - {% for BINDING in DOCKER.containers['so-nginx'].port_bindings %} - - {{ BINDING }} - {% endfor %} - - 
watch: - - file: nginxconf - - file: nginxconfdir - - require: - - file: nginxconf - {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} - - x509: managerssl_key - - x509: managerssl_crt - - file: navigatorconfig - - file: navigatordefaultlayer - {% endif %} - -append_so-nginx_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-nginx - +{% if NGINXMERGED.enabled %} + - nginx.enabled {% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - + - nginx.disabled {% endif %} diff --git a/salt/nginx/map.jinja b/salt/nginx/map.jinja new file mode 100644 index 000000000..cf2812c5e --- /dev/null +++ b/salt/nginx/map.jinja @@ -0,0 +1,7 @@ +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + https://securityonion.net/license; you may not use this file except in compliance with the + Elastic License 2.0. #} + +{% import_yaml 'nginx/defaults.yaml' as NGINXDEFAULTS %} +{% set NGINXMERGED = salt['pillar.get']('nginx', NGINXDEFAULTS.nginx, merge=True) %} diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml index b78550c2b..4a3642f93 100644 --- a/salt/nginx/soc_nginx.yaml +++ b/salt/nginx/soc_nginx.yaml @@ -1,4 +1,7 @@ nginx: + enabled: + description: You can enable or disable Nginx. + helpLink: nginx.html config: replace_cert: description: Enable this if you would like to replace the Security Onion Certificate with your own. diff --git a/salt/nginx/sostatus.sls b/salt/nginx/sostatus.sls new file mode 100644 index 000000000..bea5757fa --- /dev/null +++ b/salt/nginx/sostatus.sls 
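Review bot: With `enabled: False` as the default in defaults.yaml, any minion whose pillar has no `nginx:enabled` key falls into the `nginx.disabled` branch of the new init.sls, which removes the `so-nginx` container with `force: True`. The so-minion change writes `enabled: True` only through the `create*` role functions, so an existing grid would presumably lose its web front end on the next highstate unless an upgrade step, not visible in this patch, backfills the pillar. Either ship that backfill with this change or state the requirement above the `{% if NGINXMERGED.enabled %}` line, for example `# nginx:enabled must be True in the minion pillar; the default is False and removes so-nginx`.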
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-nginx_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-nginx
+ - unless: grep -q so-nginx /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
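Review bot: The `unless` guard `grep -q so-nginx /opt/so/conf/so-status/so-status.conf` is an unanchored substring match, so any other entry that merely contains `so-nginx` would suppress the append, whereas disabled.sls and enabled.sls both use the anchored `^so-nginx$`. The guard does need to match the commented-out line so that a disabled entry is not appended a second time. An anchored form that allows the comment prefix keeps that behaviour: `- unless: grep -qE '^#?so-nginx$' /opt/so/conf/so-status/so-status.conf`. This assumes the default `#` prefix of `file.comment`, which disabled.sls does not override.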