CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix conflict

Browse Source
This commit is contained in:
Mike Reeves
2023-02-22 10:20:14 -05:00
parent c3784fe548 3a2ec8e8bf
commit 76011c96d6
104 changed files with 2331 additions and 1784 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pillar/data/addtotab.sh
View File

@@ -45,12 +45,10 @@ echo " rootfs: $ROOTFS" >> $local_salt_dir/pillar/data/$TYPE.sls
echo " nsmfs: $NSM" >> $local_salt_dir/pillar/data/$TYPE.sls echo " nsmfs: $NSM" >> $local_salt_dir/pillar/data/$TYPE.sls
if [ $TYPE == 'sensorstab' ]; then if [ $TYPE == 'sensorstab' ]; then
echo " monint: bond0" >> $local_salt_dir/pillar/data/$TYPE.sls echo " monint: bond0" >> $local_salt_dir/pillar/data/$TYPE.sls
salt-call state.apply grafana queue=True
fi fi
if [ $TYPE == 'evaltab' ] || [ $TYPE == 'standalonetab' ]; then if [ $TYPE == 'evaltab' ] || [ $TYPE == 'standalonetab' ]; then
echo " monint: bond0" >> $local_salt_dir/pillar/data/$TYPE.sls echo " monint: bond0" >> $local_salt_dir/pillar/data/$TYPE.sls
if [ ! $10 ]; then if [ ! $10 ]; then
salt-call state.apply grafana queue=True
salt-call state.apply utility queue=True salt-call state.apply utility queue=True
fi fi
fi fi

5
salt/allowed_states.map.jinja
View File

@@ -33,7 +33,6 @@
'nginx', 'nginx',
'telegraf', 'telegraf',
'influxdb', 'influxdb',
'grafana',
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet', 'elastic-fleet',
@@ -82,7 +81,6 @@
'ssl', 'ssl',
'telegraf', 'telegraf',
'firewall', 'firewall',
'filebeat',
'idh', 'idh',
'schedule', 'schedule',
'docker_clean' 'docker_clean'
@@ -119,7 +117,6 @@
'nginx', 'nginx',
'telegraf', 'telegraf',
'influxdb', 'influxdb',
'grafana',
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet', 'elastic-fleet',
@@ -139,7 +136,6 @@
'nginx', 'nginx',
'telegraf', 'telegraf',
'influxdb', 'influxdb',
'grafana',
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet', 'elastic-fleet',
@@ -169,7 +165,6 @@
'nginx', 'nginx',
'telegraf', 'telegraf',
'influxdb', 'influxdb',
'grafana',
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet', 'elastic-fleet',

0
salt/common/tools/sbin/so-elastic-fleet-agent-policy-view Normal file → Executable file
View File

0
salt/common/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete Normal file → Executable file
View File

2
salt/common/tools/sbin/so-elastic-fleet-setup
View File

@@ -24,7 +24,7 @@ mkdir -p /opt/so/conf/elastic-fleet/certs
cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs
cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs
{% if grains.role == 'so-import' %} {% if grains.role in ['so-import', 'so-standalone', 'so-eval'] %}
# Add SO-Manager Elasticsearch Ouput # Add SO-Manager Elasticsearch Ouput
ESCACRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt) ESCACRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt)
JSON_STRING=$( jq -n \ JSON_STRING=$( jq -n \

15
salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status Executable file
View File

@@ -0,0 +1,15 @@
#/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
if [ "$1" == "" ]; then
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_all/_ilm/explain | jq .
else
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/$1/_ilm/explain | jq .[]
fi

9
salt/common/tools/sbin/so-grafana-stop → salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete
View File

@@ -1,12 +1,11 @@
#!/bin/bash #/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
. /usr/sbin/so-common . /usr/sbin/so-common
/usr/sbin/so-stop grafana $1 {%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X DELETE https://{{ NODEIP }}:9200/_ilm/policy/$1

21
salt/common/tools/sbin/so-elasticsearch-ilm-policy-load Executable file
View File

@@ -0,0 +1,21 @@
#/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ESCONFIG.elasticsearch.index_settings, merge=True) %}
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
{%- for index, settings in ES_INDEX_SETTINGS.items() %}
{%- if settings.policy is defined %}
echo
echo "Setting up {{ index }}-logs policy..."
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/{{ index }}-logs" -H 'Content-Type: application/json' -d'{ "policy": {{ settings.policy | tojson(true) }} }'
echo
{%- endif %}
{%- endfor %}
echo

15
salt/common/tools/sbin/so-elasticsearch-ilm-policy-view Executable file
View File

@@ -0,0 +1,15 @@
#/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
if [ "$1" == "" ]; then
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/policy | jq .
else
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/policy/$1 | jq .[]
fi

8
salt/common/tools/sbin/so-grafana-restart → salt/common/tools/sbin/so-elasticsearch-ilm-restart
View File

@@ -1,12 +1,10 @@
#!/bin/bash #/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
. /usr/sbin/so-common . /usr/sbin/so-common
/usr/sbin/so-restart grafana $1 so-elasticsearch-ilm-stop
so-elasticsearch-ilm-start

12
salt/common/tools/sbin/so-elasticsearch-ilm-start Executable file
View File

@@ -0,0 +1,12 @@
/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
echo "Starting ILM..."
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X POST https://{{ NODEIP }}:9200/_ilm/start

9
salt/common/tools/sbin/so-grafana-start → salt/common/tools/sbin/so-elasticsearch-ilm-status
View File

@@ -1,12 +1,11 @@
#!/bin/bash /bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
. /usr/sbin/so-common . /usr/sbin/so-common
/usr/sbin/so-start grafana $1 {%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/status | jq .

12
salt/common/tools/sbin/so-elasticsearch-ilm-stop Executable file
View File

@@ -0,0 +1,12 @@
#/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
echo "Stopping ILM..."
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X POST https://{{ NODEIP }}:9200/_ilm/stop

2
salt/common/tools/sbin/so-firewall-minion
View File

@@ -69,7 +69,7 @@ fi
so-firewall --apply --role=heavynodes --ip="$IP" so-firewall --apply --role=heavynodes --ip="$IP"
;; ;;
'IDH') 'IDH')
so-firewall --apply --role=beats_endpoint_ssl --ip="$IP" so-firewall --apply --role=sensors --ip="$IP"
;; ;;
'RECEIVER') 'RECEIVER')
so-firewall --apply --role=receivers --ip="$IP" so-firewall --apply --role=receivers --ip="$IP"

20
salt/common/tools/sbin/so-grafana-dashboard-folder-delete
View File

@@ -1,20 +0,0 @@
# this script is used to delete the default Grafana dashboard folders that existed prior to Grafana dashboard and Salt management changes in 2.3.70
# Exit if an error occurs. The next highstate will retry.
set -e
folders=$(curl -X GET http://admin:{{salt['pillar.get']('secrets:grafana_admin')}}@localhost:3000/api/folders | jq -r '.[] | @base64')
delfolder=("Manager" "Manager Search" "Sensor Nodes" "Search Nodes" "Standalone" "Eval Mode")
for row in $folders; do
title=$(echo ${row} | base64 --decode | jq -r '.title')
uid=$(echo ${row} | base64 --decode | jq -r '.uid')
if [[ " ${delfolder[@]} " =~ " ${title} " ]]; then
curl -X DELETE http://admin:{{salt['pillar.get']('secrets:grafana_admin')}}@localhost:3000/api/folders/$uid
fi
done
echo "so-grafana-dashboard-folder-delete has been run to delete default Grafana dashboard folders that existed prior to 2.3.70" > /opt/so/state/so-grafana-dashboard-folder-delete-complete
exit 0

4
salt/common/tools/sbin/so-image-common
View File

@@ -25,7 +25,6 @@ container_list() {
if [ $MANAGERCHECK == 'so-import' ]; then if [ $MANAGERCHECK == 'so-import' ]; then
TRUSTED_CONTAINERS=( TRUSTED_CONTAINERS=(
"so-elasticsearch" "so-elasticsearch"
"so-filebeat"
"so-idstools" "so-idstools"
"so-influxdb" "so-influxdb"
"so-kibana" "so-kibana"
@@ -47,8 +46,6 @@ container_list() {
"so-elastic-agent" "so-elastic-agent"
"so-elastic-agent-builder" "so-elastic-agent-builder"
"so-elasticsearch" "so-elasticsearch"
"so-filebeat"
"so-grafana"
"so-idh" "so-idh"
"so-idstools" "so-idstools"
"so-influxdb" "so-influxdb"
@@ -73,7 +70,6 @@ container_list() {
) )
else else
TRUSTED_CONTAINERS=( TRUSTED_CONTAINERS=(
"so-filebeat"
"so-idstools" "so-idstools"
"so-elasticsearch" "so-elasticsearch"
"so-logstash" "so-logstash"

45
salt/common/tools/sbin/so-influxdb-clean
View File

@@ -1,45 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
wdurregex="^[0-9]+w$"
ddurregex="^[0-9]+d$"
echo -e "\nThis script is used to reduce the size of InfluxDB by removing old data and retaining only the duration specified."
echo "The duration will need to be specified as an integer followed by the duration unit without a space."
echo -e "\nFor example, to purge all data but retain the past 12 weeks, specify 12w for the duration."
echo "The duration units are as follows:"
echo " w - week(s)"
echo " d - day(s)"
while true; do
echo ""
read -p 'Enter the duration of past data that you would like to retain: ' duration
duration=$(echo $duration | tr '[:upper:]' '[:lower:]')
if [[ "$duration" =~ $wdurregex ]] || [[ "$duration" =~ $ddurregex ]]; then
break
fi
echo -e "\nInvalid duration."
done
echo -e "\nInfluxDB will now be cleaned and leave only the past $duration worth of data."
read -r -p "Are you sure you want to continue? [y/N] " yorn
if [[ "$yorn" =~ ^([yY][eE][sS]|[yY])$ ]]; then
echo -e "\nCleaning InfluxDb and saving only the past $duration. This may could take several minutes depending on how much data needs to be cleaned."
if docker exec -t so-influxdb /bin/bash -c "influx -ssl -unsafeSsl -database telegraf -execute \"DELETE FROM /.*/ WHERE \"time\" >= '2020-01-01T00:00:00.0000000Z' AND \"time\" <= now() - $duration\""; then
echo -e "\nInfluxDb clean complete."
else
echo -e "\nSomething went wrong with cleaning InfluxDB. Please verify that the so-influxdb Docker container is running, and check the log at /opt/so/log/influxdb/influxdb.log for any details."
fi
else
echo -e "\nExiting as requested."
fi

55
salt/common/tools/sbin/so-influxdb-downsample
View File

@@ -1,55 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set role = grains.id.split('_') | last %}
{%- if role in ['manager', 'managersearch', 'eval', 'standalone'] %}
{%- import_yaml 'influxdb/defaults.yaml' as default_settings %}
{%- set influxdb = salt['grains.filter_by'](default_settings, default='influxdb', merge=salt['pillar.get']('influxdb', {})) %}
. /usr/sbin/so-common
echo -e "\nThis script is used to reduce the size of InfluxDB by downsampling old data into the so_long_term retention policy."
echo -e "\nInfluxDB will now be downsampled. This could take a few hours depending on how large the database is and hardware resources available."
read -r -p "Are you sure you want to continue? [y/N] " yorn
if [[ "$yorn" =~ ^([yY][eE][sS]|[yY])$ ]]; then
echo -e "\nDownsampling InfluxDb started at `date`. This may take several hours depending on how much data needs to be downsampled."
{% for dest_rp in influxdb.downsample.keys() -%}
{% for measurement in influxdb.downsample[dest_rp].get('measurements', []) -%}
day=0
startdate=`date`
while docker exec -t so-influxdb /bin/bash -c "influx -ssl -unsafeSsl -database telegraf -execute \"SELECT mean(*) INTO \"so_long_term\".\"{{measurement}}\" FROM \"autogen\".\"{{measurement}}\" WHERE \"time\" >= '2020-07-21T00:00:00.0000000Z' + ${day}d AND \"time\" <= '2020-07-21T00:00:00.0000000Z' + $((day+1))d GROUP BY time(5m),*\""; do
# why 2020-07-21?
migrationdate=`date -d "2020-07-21 + ${day} days" +"%y-%m-%d"`
echo "Downsampling of measurement: {{measurement}} from $migrationdate started at $startdate and completed at `date`."
newdaytomigrate=$(date -d "$migrationdate + 1 days" +"%s")
today=$(date +"%s")
if [ $newdaytomigrate -ge $today ]; then
break
else
((day=day+1))
startdate=`date`
echo -e "\nDownsampling the next day's worth of data for measurement: {{measurement}}."
fi
done
{% endfor -%}
{% endfor -%}
echo -e "\nInfluxDb data downsampling complete."
else
echo -e "\nExiting as requested."
fi
{%- else %}
echo -e "\nThis script can only be run on a node running InfluxDB."
{%- endif %}

26
salt/common/tools/sbin/so-influxdb-drop-autogen
View File

@@ -1,26 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
echo -e "\nThis script is used to reduce the size of InfluxDB by dropping the autogen retention policy."
echo "If you want to retain historical data prior to 2.3.60, then this should only be run after you have downsampled your data using so-influxdb-downsample."
echo -e "\nThe autogen retention policy will now be dropped from InfluxDB."
read -r -p "Are you sure you want to continue? [y/N] " yorn
if [[ "$yorn" =~ ^([yY][eE][sS]|[yY])$ ]]; then
echo -e "\nDropping autogen retention policy."
if docker exec -t so-influxdb influx -format json -ssl -unsafeSsl -execute "drop retention policy autogen on telegraf"; then
echo -e "\nAutogen retention policy dropped from InfluxDb."
else
echo -e "\nSomething went wrong dropping then autogen retention policy from InfluxDB. Please verify that the so-influxdb Docker container is running, and check the log at /opt/so/log/influxdb/influxdb.log for any details."
fi
else
echo -e "\nExiting as requested."
fi

285
salt/common/tools/sbin/so-influxdb-manage Normal file
View File

@@ -0,0 +1,285 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
usage() {
echo "Usage: $0 <operation> [args]"
echo ""
echo "Supported Operations:"
echo " dashboardpath Returns the URL path for a dashboard, requires: <name-of-dashboard>"
echo " export Exports all templates to stdout"
echo " setup Loads all templates and creates all required buckets"
echo " userlist Lists users"
echo " useradd Adds a new user, requires: <email>"
echo " userdel Removes an existing user, requires: <email>"
echo " userenable Enables a user, requires: <email>"
echo " userdisable Disables a user, requires: <email>"
echo " userpass Updates a user's password, requires: <email>"
echo " userpromote Promotes a user to admin: <email>"
echo " userdemote Demotes a user from admin: <email>"
echo ""
echo "If required, the password will be read from STDIN."
exit 1
}
if [ $# -lt 1 ]; then
usage
fi
COMMAND=$(basename $0)
OP=$1
shift
set -eo pipefail
log() {
echo -e "$(date) | $COMMAND | $@" >&2
}
check_response() {
response=$1
if [[ "$response" =~ "\"code\":" ]]; then
log "Failed. Check the response for more details.\n$response"
exit 1
fi
}
request() {
curl -skK /opt/so/conf/influxdb/curl.config "https://localhost:8086/api/v2/$@"
}
lookup_user_id() {
email=$1
response=$(request users?limit=100)
check_response "$response"
uid=$(echo "$response" | jq -r ".users[] | select(.name == \"$email\").id")
if [[ -z "$uid" ]]; then
log "User not found"
exit 1
fi
echo "$uid"
}
lookup_stack_id() {
oid=$1
response=$(request "stacks?orgID=$oid&name=Security+Onion")
check_response "$response"
stackid=$(echo "$response" | jq -r ".stacks[0].id")
if [[ -z "$stackid" || "$stackid" == null ]]; then
response=$(request stacks -X POST -d "{\"name\":\"Security Onion\",\"orgID\":\"$oid\"}")
check_response "$response"
stackid=$(echo "$response" | jq -r .id)
fi
echo "$stackid"
}
change_password() {
uid=$1
set +e
test -t 0
if [[ $? == 0 ]]; then
echo "Enter new password:"
fi
set -e
read -rs pass
check_password_and_exit "$pass"
response=$(request users/$uid/password -X POST -d "{\"password\":\"$pass\"}")
check_response "$response"
}
apply_templates() {
oid=$1
stackid=$2
template_objects_array=$3
body="{\"orgID\":\"$oid\",\"stackID\":\"$stackid\",\"templates\":$template_objects_array}"
response=$(request templates/apply -X POST -d "$body")
check_response "$response"
}
setup_bucket() {
oid=$1
name=$2
age=$3
shardduration=$4
response=$(request "buckets?orgID=$oid&name=$name")
bucketid=$(echo "$response" | jq -r ".buckets[0].id")
if [[ -z "$bucketid" || "$bucketid" == null ]]; then
response=$(request buckets -X POST -d "{\"name\":\"$name\",\"orgID\":\"$oid\"}")
check_response "$response"
bucketid=$(echo "$response" | jq -r .id)
fi
response=$(request buckets/$bucketid -X PATCH -d "{\"name\":\"$name\",\"retentionRules\":[{\"everySeconds\":$age,\"shardGroupDurationSeconds\":$shardduration,\"type\":\"expire\"}]}")
check_response "$response"
}
lookup_org_id_with_wait() {
max_attempts=30
attempts=0
wait=10
while [[ $attempts -lt $max_attempts ]]; do
response=$(request orgs?org=Security+Onion)
oid=$(echo "$response" | jq -r ".orgs[] | select(.name == \"Security Onion\").id")
if [[ -z $oid ]]; then
attempts=$((attempts+1))
log "Server does not appear to be running or fully initialized - will try again in $wait seconds ($attempts / $max_attempts)"
sleep $wait
else
echo "$oid"
return
fi
done
log "Server has not started after $max_attempts attempts - aborting"
exit 1
}
oid=$(lookup_org_id_with_wait)
case "$OP" in
setup)
log "Ensuring organization is setup correctly"
# Load templates if at least one has been modified since the last setup
newest=$(ls -1t /opt/so/conf/influxdb/templates/ | head -1)
if [ /opt/so/conf/influxdb/templates/$newest -nt /opt/so/conf/influxdb/last_template_setup ]; then
log "Updating templates"
stackid=$(lookup_stack_id "$oid")
for file in /opt/so/conf/influxdb/templates/*; do
if [[ "$templates_array" != "" ]]; then
templates_array="$templates_array,"
fi
template=$(cat "$file")
templates_array="$templates_array{\"contents\":$template}"
done
apply_templates "$oid" "$stackid" "[$templates_array]"
echo $(date) > /opt/so/conf/influxdb/last_template_setup
else
log "Templates have not been modified since last setup"
fi
# Setup buckets and retention periods if at least one has been modified since the last setup
if [ /opt/so/conf/influxdb/buckets.json -nt /opt/so/conf/influxdb/last_bucket_setup ]; then
log "Updating buckets and retention periods"
for rp in so_short_term so_long_term; do
bucket=telegraf/$rp
log "Ensuring bucket is created and configured; bucket=$bucket"
age=$(cat /opt/so/conf/influxdb/buckets.json | jq -r .$rp.duration)
shard_duration=$(cat /opt/so/conf/influxdb/buckets.json | jq -r .$rp.shard_duration)
setup_bucket "$oid" "$bucket" "$age" "$shard_duration"
done
echo $(date) > /opt/so/conf/influxdb/last_bucket_setup
else
log "Buckets have not been modified since last setup"
fi
;;
userlist)
log "Listing existing users"
response=$(request users)
check_response "$response"
echo "$response" | jq -r '.users[] | "\(.id): \(.name) (\(.status))"'
;;
useradd)
[ $# -ne 1 ] && usage
email=$1
log "Adding new user; email=$email"
response=$(request users -X POST -d "{\"name\":\"$email\"}")
check_response "$response"
uid=$(echo "$response" | jq -r .id)
log "Adding new user to organization"
response=$(request orgs/$oid/members -X POST -d "{\"id\":\"$uid\"}")
check_response "$response"
change_password "$uid"
;;
userpass)
[ $# -ne 1 ] && usage
email=$1
log "Updating user password; email=$email"
uid=$(lookup_user_id "$email")
change_password "$uid"
;;
userdel)
[ $# -ne 1 ] && usage
email=$1
log "Deleting user; email=$email"
uid=$(lookup_user_id "$email")
response=$(request users/$uid -X DELETE)
check_response "$response"
;;
userenable)
[ $# -ne 1 ] && usage
email=$1
log "Enabling user; email=$email"
uid=$(lookup_user_id "$email")
response=$(request users/$uid -X PATCH -d "{\"name\":\"$email\",\"status\":\"active\"}")
check_response "$response"
;;
userdisable)
[ $# -ne 1 ] && usage
email=$1
log "Disabling user; email=$email"
uid=$(lookup_user_id "$email")
response=$(request users/$uid -X PATCH -d "{\"name\":\"$email\",\"status\":\"inactive\"}")
check_response "$response"
;;
userpromote)
[ $# -ne 1 ] && usage
email=$1
log "Promoting user to admin; email=$email"
uid=$(lookup_user_id "$email")
response=$(request orgs/$oid/members/$uid -X DELETE)
response=$(request orgs/$oid/owners -X POST -d "{\"id\":\"$uid\"}")
check_response "$response"
;;
userdemote)
[ $# -ne 1 ] && usage
email=$1
log "Demoting user from admin; email=$email"
uid=$(lookup_user_id "$email")
response=$(request orgs/$oid/owners/$uid -X DELETE)
response=$(request orgs/$oid/members -X POST -d "{\"id\":\"$uid\"}")
check_response "$response"
;;
export)
log "Exporting all organization templates"
request templates/export -X POST -d "{\"orgIDs\":[{\"orgID\":\"$oid\"}]}" -H "Content-Type: application/json"
;;
dashboardpath)
[ $# -ne 1 ] && usage
name=$1
response=$(request dashboards?limit=100&orgID=$oid)
check_response "$response"
dbid=$(echo "$response" | jq -r ".dashboards[] | select(.name == \"$name\").id")
if [[ -z "$dbid" ]]; then
log "Dashboard not found"
exit 1
fi
echo -n "/influxdb/orgs/$oid/dashboards/$dbid"
;;
*)
usage
;;
esac

16
salt/common/tools/sbin/so-minion
View File

@@ -119,6 +119,18 @@ function add_elastic_to_minion() {
" " >> $PILLARFILE " " >> $PILLARFILE
} }
# Add IDH Services info to the minion file
function add_idh_to_minion() {
printf '%s\n'\
"idh:"\
" restrict_management_ip: $IDH_MGTRESTRICT"\
" services:" >> "$PILLARFILE"
IFS=',' read -ra IDH_SERVICES_ARRAY <<< "$IDH_SERVICES"
for service in ${IDH_SERVICES_ARRAY[@]}; do
echo " - $service" | tr '[:upper:]' '[:lower:]' | tr -d '"' >> "$PILLARFILE"
done
}
function add_logstash_to_minion() { function add_logstash_to_minion() {
# Create the logstash advanced pillar # Create the logstash advanced pillar
printf '%s\n'\ printf '%s\n'\
@@ -183,8 +195,8 @@ function createEVAL() {
add_sensor_to_minion add_sensor_to_minion
} }
function createIDHNODE() { function createIDH() {
echo "Nothing custom needed for IDH nodes" add_idh_to_minion
} }
function createIMPORT() { function createIMPORT() {

18
salt/common/tools/sbin/so-user
View File

@@ -587,7 +587,10 @@ case "${operation}" in
createUser "$email" "${role:-$DEFAULT_ROLE}" "${firstName}" "${lastName}" "${note}" createUser "$email" "${role:-$DEFAULT_ROLE}" "${firstName}" "${lastName}" "${note}"
syncAll syncAll
echo "Successfully added new user to SOC" echo "Successfully added new user to SOC"
check_container fleet && echo "$password" | so-fleet-user-add "$email" echo "$password" | so-influxdb-manage useradd "$email"
if [[ "$role" == "superuser" ]]; then
echo "$password" | so-influxdb-manage userpromote "$email"
fi
;; ;;
"list") "list")
@@ -605,6 +608,9 @@ case "${operation}" in
if addUserRole "$email" "$role"; then if addUserRole "$email" "$role"; then
syncElastic syncElastic
echo "Successfully added role to user" echo "Successfully added role to user"
if [[ "$role" == "superuser" ]]; then
echo "$password" | so-influxdb-manage userpromote "$email"
fi
fi fi
;; ;;
@@ -618,6 +624,9 @@ case "${operation}" in
deleteUserRole "$email" "$role" deleteUserRole "$email" "$role"
syncElastic syncElastic
echo "Successfully removed role from user" echo "Successfully removed role from user"
if [[ "$role" == "superuser" ]]; then
echo "$password" | so-influxdb-manage userdemote "$email"
fi
;; ;;
"password") "password")
@@ -628,6 +637,7 @@ case "${operation}" in
updateUserPassword "$email" updateUserPassword "$email"
syncAll syncAll
echo "Successfully updated user password" echo "Successfully updated user password"
echo "$password" | so-influxdb-manage userpass "$email"
;; ;;
"profile") "profile")
@@ -647,7 +657,7 @@ case "${operation}" in
updateStatus "$email" 'active' updateStatus "$email" 'active'
syncAll syncAll
echo "Successfully enabled user" echo "Successfully enabled user"
echo "Fleet user will need to be recreated manually with so-fleet-user-add" so-influxdb-manage userenable "$email"
;; ;;
"disable") "disable")
@@ -658,7 +668,7 @@ case "${operation}" in
updateStatus "$email" 'locked' updateStatus "$email" 'locked'
syncAll syncAll
echo "Successfully disabled user" echo "Successfully disabled user"
check_container fleet && so-fleet-user-delete "$email" so-influxdb-manage userdisable "$email"
;; ;;
"delete") "delete")
@@ -669,7 +679,7 @@ case "${operation}" in
deleteUser "$email" deleteUser "$email"
syncAll syncAll
echo "Successfully deleted user" echo "Successfully deleted user"
check_container fleet && so-fleet-user-delete "$email" so-influxdb-manage userdel "$email"
;; ;;
"sync") "sync")

6
salt/docker/defaults.yaml
View File

@@ -23,10 +23,6 @@ docker:
- 0.0.0.0:514:514/udp - 0.0.0.0:514:514/udp
- 0.0.0.0:514:514/tcp - 0.0.0.0:514:514/tcp
- 0.0.0.0:5066:5066/tcp - 0.0.0.0:5066:5066/tcp
'so-grafana':
final_octet: 24
port_bindings:
- 0.0.0.0:3000:3000
'so-idstools': 'so-idstools':
final_octet: 25 final_octet: 25
'so-influxdb': 'so-influxdb':
@@ -106,3 +102,5 @@ docker:
final_octet: 44 final_octet: 44
port_bindings: port_bindings:
- 0.0.0.0:8080:8080/tcp - 0.0.0.0:8080:8080/tcp
'so-idh':
final_octet: 45

202
salt/elasticsearch/defaults.yaml
View File

@@ -1430,6 +1430,8 @@ elasticsearch:
date_detection: false date_detection: false
settings: settings:
index: index:
lifecycle:
name: so-elasticsearch-logs
mapping: mapping:
total_fields: total_fields:
limit: 5000 limit: 5000
@@ -1498,6 +1500,25 @@ elasticsearch:
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
priority: 500 priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-endgame: so-endgame:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -2183,6 +2204,8 @@ elasticsearch:
date_detection: false date_detection: false
settings: settings:
index: index:
lifecycle:
name: so-suricata-logs
mapping: mapping:
total_fields: total_fields:
limit: 5000 limit: 5000
@@ -2251,6 +2274,25 @@ elasticsearch:
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
priority: 500 priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-imperva: so-imperva:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -2351,6 +2393,8 @@ elasticsearch:
date_detection: false date_detection: false
settings: settings:
index: index:
lifecycle:
name: so-import-logs
mapping: mapping:
total_fields: total_fields:
limit: 5000 limit: 5000
@@ -2419,6 +2463,25 @@ elasticsearch:
- common-dynamic-mappings - common-dynamic-mappings
- winlog-mappings - winlog-mappings
priority: 500 priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-infoblox: so-infoblox:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -2671,6 +2734,25 @@ elasticsearch:
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
priority: 500 priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-kratos: so-kratos:
warm: 7 warm: 7
close: 30 close: 30
@@ -2754,6 +2836,25 @@ elasticsearch:
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
priority: 500 priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-logstash: so-logstash:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -2770,6 +2871,8 @@ elasticsearch:
date_detection: false date_detection: false
settings: settings:
index: index:
lifecycle:
name: so-logstash-logs
mapping: mapping:
total_fields: total_fields:
limit: 5000 limit: 5000
@@ -2838,6 +2941,25 @@ elasticsearch:
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
priority: 500 priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-microsoft: so-microsoft:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -3691,6 +3813,8 @@ elasticsearch:
date_detection: false date_detection: false
settings: settings:
index: index:
lifecycle:
name: so-redis-logs
mapping: mapping:
total_fields: total_fields:
limit: 5000 limit: 5000
@@ -3759,6 +3883,25 @@ elasticsearch:
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
priority: 500 priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-snort: so-snort:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -4262,6 +4405,25 @@ elasticsearch:
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
priority: 500 priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-syslog: so-syslog:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -4347,6 +4509,25 @@ elasticsearch:
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
priority: 500 priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-tomcat: so-tomcat:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -4447,6 +4628,8 @@ elasticsearch:
date_detection: false date_detection: false
settings: settings:
index: index:
lifecycle:
name: so-zeek-logs
mapping: mapping:
total_fields: total_fields:
limit: 5000 limit: 5000
@@ -4517,6 +4700,25 @@ elasticsearch:
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
priority: 500 priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-zscaler: so-zscaler:
index_sorting: False index_sorting: False
index_template: index_template:

20
salt/elasticsearch/init.sls
View File

@@ -53,9 +53,19 @@ es_sync_scripts:
- source: salt://elasticsearch/tools/sbin - source: salt://elasticsearch/tools/sbin
- exclude_pat: - exclude_pat:
- so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state - so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state
- so-elasticsearch-ilm-policy-load
- defaults: - defaults:
GLOBALS: {{ GLOBALS }} GLOBALS: {{ GLOBALS }}
so-elasticsearch-ilm-policy-load-script:
file.managed:
- name: /usr/sbin/so-elasticsearch-ilm-policy-load
- source: salt://elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load
- user: 930
- group: 939
- mode: 754
- template: jinja
so-elasticsearch-pipelines-script: so-elasticsearch-pipelines-script:
file.managed: file.managed:
- name: /usr/sbin/so-elasticsearch-pipelines - name: /usr/sbin/so-elasticsearch-pipelines
@@ -362,6 +372,16 @@ so-es-cluster-settings:
- docker_container: so-elasticsearch - docker_container: so-elasticsearch
- file: es_sync_scripts - file: es_sync_scripts
so-elasticsearch-ilm-policy-load:
cmd.run:
- name: /usr/sbin/so-elasticsearch-ilm-policy-load
- cwd: /opt/so
- require:
- docker_container: so-elasticsearch
- file: so-elasticsearch-ilm-policy-load-script
- onchanges:
- file: so-elasticsearch-ilm-policy-load-script
so-elasticsearch-templates: so-elasticsearch-templates:
cmd.run: cmd.run:
- name: /usr/sbin/so-elasticsearch-templates-load - name: /usr/sbin/so-elasticsearch-templates-load

72
salt/elasticsearch/soc_elasticsearch.yaml
View File

@@ -36,7 +36,7 @@ elasticsearch:
global: True global: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
index_settings: index_settings:
so-aws: &indexSettings so-elasticsearch: &indexSettings
warm: warm:
description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch. description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch.
global: True global: True
@@ -75,45 +75,51 @@ elasticsearch:
description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs. description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
global: True global: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
so-azure: *indexSettings policy:
so-barracuda: *indexSettings phases:
so-beats: *indexSettings hot:
so-bluecoat: *indexSettings min_age:
so-cef: *indexSettings description: Minimum age
so-checkpoint: *indexSettings global: True
so-cisco: *indexSettings helpLink: elasticsearch.html
so-cyberark: *indexSettings actions:
so-cylance: *indexSettings set_priority:
so-elasticsearch: *indexSettings priority:
description: Priority of index, used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
global: True
helpLink: elasticsearch.html
rollover:
max_age:
description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
global: True
helpLink: elasticsearch.html
max_primary_shard_size:
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
global: True
helpLink: elasticsearch.html
cold:
min_age:
description: Minimum age of index, determining when it should be sent to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed.
global: True
helpLink: elasticsearch.html
actions:
set_priority:
priority:
description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
global: True
helpLink: elasticsearch.html
delete:
min_age:
description: Minimum age of index, determining when it should be deleted.
global: True
helpLink: elastic
so-endgame: *indexSettings so-endgame: *indexSettings
so-f5: *indexSettings
so-firewall: *indexSettings so-firewall: *indexSettings
so-fortinet: *indexSettings
so-gcp: *indexSettings
so-google_workspace: *indexSettings
so-ids: *indexSettings
so-imperva: *indexSettings
so-import: *indexSettings so-import: *indexSettings
so-infoblox: *indexSettings
so-juniper: *indexSettings
so-kibana: *indexSettings so-kibana: *indexSettings
so-logstash: *indexSettings so-logstash: *indexSettings
so-microsoft: *indexSettings
so-misp: *indexSettings
so-netflow: *indexSettings
so-netscout: *indexSettings
so-o365: *indexSettings
so-okta: *indexSettings
so-osquery: *indexSettings so-osquery: *indexSettings
so-proofpoint: *indexSettings
so-radware: *indexSettings
so-redis: *indexSettings so-redis: *indexSettings
so-snort: *indexSettings
so-snyk: *indexSettings
so-sonicwall: *indexSettings
so-sophos: *indexSettings
so-strelka: *indexSettings so-strelka: *indexSettings
so-syslog: *indexSettings so-syslog: *indexSettings
so-tomcat: *indexSettings
so-zeek: *indexSettings so-zeek: *indexSettings
so-zscaler: *indexSettings

21
salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load Executable file
View File

@@ -0,0 +1,21 @@
#/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ESCONFIG.elasticsearch.index_settings, merge=True) %}
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
{%- for index, settings in ES_INDEX_SETTINGS.items() %}
{%- if settings.policy is defined %}
echo
echo "Setting up {{ index }}-logs policy..."
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/{{ index }}-logs" -H 'Content-Type: application/json' -d'{ "policy": {{ settings.policy | tojson(true) }} }'
echo
{%- endif %}
{%- endfor %}
echo

8
salt/firewall/assigned_hostgroups.map.yaml
View File

@@ -2,6 +2,7 @@
{% import_yaml 'firewall/ports/ports.yaml' as portgroups %} {% import_yaml 'firewall/ports/ports.yaml' as portgroups %}
{% set portgroups = portgroups.firewall.ports %} {% set portgroups = portgroups.firewall.ports %}
{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %} {% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
role: role:
eval: eval:
@@ -576,7 +577,7 @@ role:
portgroups: portgroups:
{% set idh_services = salt['pillar.get']('idh:services', []) %} {% set idh_services = salt['pillar.get']('idh:services', []) %}
{% for service in idh_services %} {% for service in idh_services %}
- {{ portgroups['idh_'~service] }} - {{ IDH_PORTGROUPS['idh_'~service] }}
{% endfor %} {% endfor %}
dockernet: dockernet:
portgroups: portgroups:
@@ -586,4 +587,7 @@ role:
- {{ portgroups.all }} - {{ portgroups.all }}
manager: manager:
portgroups: portgroups:
- {{ portgroups.ssh }} - {{ IDH_PORTGROUPS.openssh }}
standalone:
portgroups:
- {{ IDH_PORTGROUPS.openssh }}

85
salt/firewall/containers.map.jinja
View File

@@ -1,3 +1,31 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if GLOBALS.role == 'so-eval' %}
{% set NODE_CONTAINERS = [
'so-curator',
'so-dockerregistry',
'so-elasticsearch',
'so-elastic-fleet',
'so-elastic-fleet-package-registry',
'so-grafana',
'so-influxdb',
'so-kibana',
'so-kratos',
'so-mysql',
'so-nginx',
'so-redis',
'so-soc',
'so-soctopus',
'so-strelka-coordinator',
'so-strelka-gatekeeper',
'so-strelka-frontend',
'so-strelka-backend',
'so-strelka-manager',
'so-strelka-filestream'
] %}
{% endif %}
{% if GLOBALS.role == 'so-manager' or GLOBALS.role == 'so-standalone' or GLOBALS.role == 'so-managersearch' %}
{% set NODE_CONTAINERS = [ {% set NODE_CONTAINERS = [
'so-curator', 'so-curator',
'so-dockerregistry', 'so-dockerregistry',
@@ -5,7 +33,6 @@
'so-elastic-fleet', 'so-elastic-fleet',
'so-elastic-fleet-package-registry', 'so-elastic-fleet-package-registry',
'so-filebeat', 'so-filebeat',
'so-grafana',
'so-influxdb', 'so-influxdb',
'so-kibana', 'so-kibana',
'so-kratos', 'so-kratos',
@@ -22,3 +49,59 @@
'so-strelka-manager', 'so-strelka-manager',
'so-strelka-filestream' 'so-strelka-filestream'
] %} ] %}
{% endif %}
{% if GLOBALS.role == 'so-searchnode' %}
{% set NODE_CONTAINERS = [
'so-elasticsearch',
'so-filebeat',
'so-logstash',
'so-nginx'
] %}
{% endif %}
{% if GLOBALS.role == 'so-heavynode' %}
{% set NODE_CONTAINERS = [
'so-curator',
'so-elasticsearch',
'so-filebeat',
'so-logstash',
'so-nginx',
'so-redis',
'so-strelka-coordinator',
'so-strelka-gatekeeper',
'so-strelka-frontend',
'so-strelka-backend',
'so-strelka-manager',
'so-strelka-filestream'
] %}
{% endif %}
{% if GLOBALS.role == 'so-import' %}
{% set NODE_CONTAINERS = [
'so-dockerregistry',
'so-elasticsearch',
'so-elastic-fleet',
'so-elastic-fleet-package-registry',
'so-filebeat',
'so-influxdb',
'so-kibana',
'so-kratos',
'so-nginx',
'so-soc'
] %}
{% endif %}
{% if GLOBALS.role == 'so-receiver' %}
{% set NODE_CONTAINERS = [
'so-filebeat',
'so-logstash',
'so-redis',
] %}
{% endif %}
{% if GLOBALS.role == 'so-idh' %}
{% set NODE_CONTAINERS = [
'so-idh',
] %}
{% endif %}

7
salt/firewall/map.jinja
View File

@@ -1,3 +1,4 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% set role = grains.id.split('_') | last %} {% set role = grains.id.split('_') | last %}
{% set translated_pillar_assigned_hostgroups = {} %} {% set translated_pillar_assigned_hostgroups = {} %}
@@ -9,9 +10,15 @@
{% else %} {% else %}
{% set local_portgroups = {} %} {% set local_portgroups = {} %}
{% endif %} {% endif %}
{% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %} {% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %}
{% set defined_portgroups = portgroups %} {% set defined_portgroups = portgroups %}
{% if GLOBALS.role == 'so-idh' %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
{% do salt['defaults.merge'](defined_portgroups, IDH_PORTGROUPS, in_place=True) %}
{% endif %}
{% set local_hostgroups = {'firewall': {'hostgroups': {}}} %} {% set local_hostgroups = {'firewall': {'hostgroups': {}}} %}
{% set hostgroup_list = salt['cp.list_master'](prefix='firewall/hostgroups') %} {% set hostgroup_list = salt['cp.list_master'](prefix='firewall/hostgroups') %}

22
salt/idh/opencanary_config.map.jinja
View File

@@ -1,11 +1,25 @@
{% set idh_services = salt['pillar.get']('idh:services', []) %} {% set idh_services = salt['pillar.get']('idh:services', []) %}
{% import_yaml "idh/defaults/defaults.yaml" as OPENCANARYCONFIG with context %} {% set IDH_PORTGROUPS = {} %}
{% import_yaml "idh/defaults/defaults.yaml" as IDHCONFIG with context %}
{% for service in idh_services %} {% for service in idh_services %}
{% import_yaml "idh/defaults/" ~ service ~ ".defaults.yaml" as SERVICECONFIG with context %} {% import_yaml "idh/defaults/" ~ service ~ ".defaults.yaml" as SERVICECONFIG with context %}
{% do salt['defaults.merge'](OPENCANARYCONFIG, SERVICECONFIG, in_place=True) %} {% do salt['defaults.merge'](IDHCONFIG, SERVICECONFIG, in_place=True) %}
{% endfor %} {% endfor %}
{% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=OPENCANARYCONFIG.idh.opencanary.config, merge=True) %} {% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %}
{% do OPENCANARYCONFIG.idh.opencanary.config.update({'device.node_id': grains.host}) %} {% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %}
{% for service in idh_services %}
{% if service in ["smnp","ntp", "tftp"] %}
{% set proto = 'udp' %}
{% else %}
{% set proto = 'tcp' %}
{% endif %}
{% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '.port']]}}) %}
{% endfor %}
{% do IDH_PORTGROUPS.update({'openssh': {'tcp': [OPENSSH.config.port]}}) %}
{% do OPENCANARYCONFIG.update({'device.node_id': grains.host}) %}

1
salt/influxdb/buckets.json.jinja Normal file
View File

@@ -0,0 +1 @@
{{ INFLUXMERGED.buckets | json }}

1
salt/influxdb/config.yaml.jinja Normal file
View File

@@ -0,0 +1 @@
{{ INFLUXMERGED.config | yaml(false) }}

1
salt/influxdb/curl.config.jinja Normal file
View File

@@ -0,0 +1 @@
header = "Authorization: Token {{ salt['pillar.get']('secrets:influx_token') }}"

230
salt/influxdb/defaults.yaml
View File

@@ -1,167 +1,77 @@
influxdb: influxdb:
config: config:
meta: assets-path: /ui
dir: /var/lib/influxdb/meta bolt-path: /var/lib/influxdb2/influxd.bolt
retention-autocreate: true engine-path: /var/lib/influxdb2/engine
logging-enabled: true feature-flags: ""
data: flux-log-enabled: false
dir: /var/lib/influxdb/data hardening-enabled: true
wal-dir: /var/lib/influxdb/wal http-bind-address: :8086
wal-fsync-delay: 0s http-idle-timeout: 0
index-version: inmem http-read-header-timeout: 10s
race-logging-enabled: false http-read-timeout: 0
query-log-enabled: true http-write-timeout: 0
validate-keys: false influxql-max-select-buckets: 0
cache-max-memory-size: 1g influxql-max-select-point: 0
cache-snapshot-memory-size: 25m influxql-max-select-series: 0
cache-snapshot-write-cold-duration: 10m instance-id: ""
compact-full-write-cold-duration: 4h log-level: info
max-concurrent-compactions: 0 metrics-disabled: true
compact-throughput: 48m no-tasks: false
compact-throughput-burst: 48m pprof-disabled: true
max-index-log-file-size: 1m query-concurrency: 100
max-series-per-database: 1000000 query-initial-memory-bytes: 1073741824
max-values-per-tag: 100000 query-max-memory-bytes: 107374182400
tsm-use-madv-willneed: false query-memory-bytes: 1073741824
coordinator: query-queue-size: 500
write-timeout: 10s reporting-disabled: true
max-concurrent-queries: 0 secret-store: bolt
query-timeout: 0s session-length: 10080
log-queries-after: 0s session-renew-disabled: false
max-select-point: 0 sqlite-path: /var/lib/influxdb2/influxd.sqlite
max-select-series: 0 storage-cache-max-memory-size: 1073741824
max-select-buckets: 0 storage-cache-snapshot-memory-size: 26214400
retention: storage-cache-snapshot-write-cold-duration: 10m0s
enabled: true storage-compact-full-write-cold-duration: 4h0m0s
check-interval: 30m storage-compact-throughput-burst: 50331648
shard-precreation: storage-max-concurrent-compactions: 0
enabled: true storage-max-index-log-file-size: 1048576
check-interval: 10m storage-no-validate-field-size: false
advance-period: 30m storage-retention-check-interval: 30m0s
monitor: storage-series-file-max-concurrent-snapshot-compactions: 0
store-enabled: true storage-series-id-set-cache-size: 100
store-database: _internal storage-shard-precreator-advance-period: 30m0s
store-interval: 10s storage-shard-precreator-check-interval: 10m0s
http: storage-tsm-use-madv-willneed: false
enabled: true storage-validate-keys: false
flux-enabled: true storage-wal-fsync-delay: 0s
bind-address: ':8086' storage-wal-max-concurrent-writes: 0
auth-enabled: false storage-wal-max-write-delay: 10m
realm: InfluxDB storage-write-timeout: 10s
log-enabled: false store: disk
suppress-write-log: false tls-cert: /conf/influxdb.crt
access-log-path: '' tls-key: /conf/influxdb.key
access-log-status-filters: [] tls-min-version: 1.2
write-tracing: false tls-strict-ciphers: true
pprof-enabled: true tracing-type: ""
debug-pprof-enabled: false ui-disabled: false
https-enabled: true vault-addr: ""
https-certificate: /etc/ssl/influxdb.crt vault-cacert: ""
https-private-key: /etc/ssl/influxdb.key vault-capath: ""
shared-secret: '' vault-client-cert: ""
max-row-limit: 0 vault-client-key: ""
max-connection-limit: 0 vault-client-timeout: 60s
unix-socket-enabled: false vault-max-retries: 2
bind-socket: /var/run/influxdb.sock vault-skip-verify: false
max-body-size: 25000000 vault-tls-server-name: ""
max-concurrent-write-limit: 0 vault-token: ""
max-enqueued-write-limit: 0 buckets:
enqueued-write-timeout: 0
logging:
format: auto
level: info
suppress-logo: false
subscriber:
enabled: true
http-timeout: 30s
insecure-skip-verify: false
ca-certs: ''
write-concurrency: 40
write-buffer-size: 1000
graphite:
enabled: false
database: graphite
retention-policy: ''
bind-address: ':2003'
protocol: tcp
consistency-level: one
batch-size: 5000
batch-pending: 10
batch-timeout: 1s
udp-read-buffer: 0
separator: '.'
tags: []
templates: []
collectd:
enabled: false
bind-address: ':25826'
database: collectd
retention-policy: ''
typesdb: /usr/local/share/collectd
security-level: none
auth-file: /etc/collectd/auth_file
batch-size: 5000
bath-pending: 10
batch-timeout: 10s
read-buffer: 0
parse-multivalue-plugin: split
opentsdb:
enabled: false
bind-address: ':4242'
database: opentsdb
retention-policy: ''
consistency-level: one
tls-enabled: false
certificate: /etc/ssl/influxdb.pem
log-point-errors: true
batch-size: 1000
batch-pending: 5
bath-timeout: 1s
udp:
enabled: false
bind-address: ':8089'
database: udp
retention-policy: ''
precision: ''
batch-size: 5000
batch-pending: 10
batch-timeout: 1s
read-buffer: 0
continuous_queries:
enabled: true
log-enabled: true
query-stats-enabled: false
run-interval: 1s
tls:
ciphers:
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_GCM_SHA384
min-version: tls1.2
max-version: tls1.2
retention_policies:
so_short_term: so_short_term:
default: True duration: 2592000
duration: 30d shard_duration: 86400
shard_duration: 1d
so_long_term: so_long_term:
default: False duration: 0
duration: 0d shard_duration: 604800
shard_duration: 7d
downsample: downsample:
so_long_term: so_long_term:
resolution: 5m resolution: 5m

26
salt/influxdb/etc/influxdb.conf.jinja
View File

@@ -1,26 +0,0 @@
{%- import_yaml 'influxdb/defaults.yaml' as INFLUXDEFAULTS %}
{%- set INFLUXMERGED = salt['pillar.get']('influxdb', default=INFLUXDEFAULTS.influxdb, merge=true) %}
{%- for header in INFLUXMERGED.config.keys() %}
{%- if header in ['graphite', 'collectd', 'opentsdb', 'udp'] %}
[[{{header}}]]
{%- else %}
[{{header}}]
{%- endif %}
{%- for k, v in INFLUXMERGED.config[header].items() %}
{#- is v a list? #}
{%- if v is iterable and (v is not string and v is not mapping) %}
{{k}} = [
{%- for li in v %}
"{{li}}",
{%- endfor %}
]
{%- elif v is string %}
{{k}} = "{{v}}"
{%- elif v is boolean %}
{{k}} = {{v|string|lower}}
{%- else %}
{{k}} = {{v}}
{%- endif %}
{%- endfor %}
{%- endfor %}

136
salt/influxdb/init.sls
View File

@@ -2,15 +2,11 @@
{% if sls in allowed_states %} {% if sls in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'influxdb/map.jinja' import INFLUXMERGED %}
{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval', 'so-import'] %} {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval', 'so-import'] %}
{% import_yaml 'influxdb/defaults.yaml' as default_settings %} {% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
{% set influxdb = salt['grains.filter_by'](default_settings, default='influxdb', merge=salt['pillar.get']('influxdb', {})) %} {% set TOKEN = salt['pillar.get']('secrets:influx_token') %}
{% from 'salt/map.jinja' import PYTHON3INFLUX with context %}
{% from 'salt/map.jinja' import PYTHONINFLUXVERSION with context %}
{% set PYTHONINFLUXVERSIONINSTALLED = salt['cmd.run']("python3 -c \"exec('try:import influxdb; print (influxdb.__version__)\\nexcept:print(\\'Module Not Found\\')')\"", python_shell=True) %}
include: include:
- salt.minion - salt.minion
@@ -19,7 +15,7 @@ include:
# Influx DB # Influx DB
influxconfdir: influxconfdir:
file.directory: file.directory:
- name: /opt/so/conf/influxdb/etc - name: /opt/so/conf/influxdb
- makedirs: True - makedirs: True
influxlogdir: influxlogdir:
@@ -37,11 +33,43 @@ influxdbdir:
influxdbconf: influxdbconf:
file.managed: file.managed:
- name: /opt/so/conf/influxdb/etc/influxdb.conf - name: /opt/so/conf/influxdb/config.yaml
- source: salt://influxdb/config.yaml.jinja
- user: 939 - user: 939
- group: 939 - group: 939
- template: jinja - template: jinja
- source: salt://influxdb/etc/influxdb.conf.jinja - defaults:
INFLUXMERGED: {{ INFLUXMERGED }}
influxdbbucketsconf:
file.managed:
- name: /opt/so/conf/influxdb/buckets.json
- source: salt://influxdb/buckets.json.jinja
- user: 939
- group: 939
- template: jinja
- defaults:
INFLUXMERGED: {{ INFLUXMERGED }}
influxdb-templates:
file.recurse:
- name: /opt/so/conf/influxdb/templates
- source: salt://influxdb/templates
- user: 939
- group: 939
- template: jinja
- clean: True
- defaults:
INFLUXMERGED: {{ INFLUXMERGED }}
influxdb_curl_config:
file.managed:
- name: /opt/so/conf/influxdb/curl.config
- source: salt://influxdb/curl.config.jinja
- mode: 600
- template: jinja
- show_changes: False
- makedirs: True
so-influxdb: so-influxdb:
docker_container.running: docker_container.running:
@@ -51,13 +79,20 @@ so-influxdb:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }} - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
- environment: - environment:
- INFLUXD_CONFIG_PATH=/conf
- INFLUXDB_HTTP_LOG_ENABLED=false - INFLUXDB_HTTP_LOG_ENABLED=false
- DOCKER_INFLUXDB_INIT_MODE=setup
- DOCKER_INFLUXDB_INIT_USERNAME=so
- DOCKER_INFLUXDB_INIT_PASSWORD={{ PASSWORD }}
- DOCKER_INFLUXDB_INIT_ORG=Security Onion
- DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
- DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
- binds: - binds:
- /opt/so/log/influxdb/:/log:rw - /opt/so/log/influxdb/:/log:rw
- /opt/so/conf/influxdb/etc/influxdb.conf:/etc/influxdb/influxdb.conf:ro - /opt/so/conf/influxdb/config.yaml:/conf/config.yaml:ro
- /nsm/influxdb:/var/lib/influxdb:rw - /nsm/influxdb:/var/lib/influxdb2:rw
- /etc/pki/influxdb.crt:/etc/ssl/influxdb.crt:ro - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
- /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro - /etc/pki/influxdb.key:/conf/influxdb.key:ro
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %} {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
@@ -74,6 +109,14 @@ append_so-influxdb_so-status.conf:
- name: /opt/so/conf/so-status/so-status.conf - name: /opt/so/conf/so-status/so-status.conf
- text: so-influxdb - text: so-influxdb
influxdb-setup:
cmd.run:
- name: /usr/sbin/so-influxdb-manage setup &>> /opt/so/log/influxdb/setup.log
- require:
- file: influxdbbucketsconf
- file: influxdb_curl_config
- docker_container: so-influxdb
# Install cron job to determine size of influxdb for telegraf # Install cron job to determine size of influxdb for telegraf
get_influxdb_size: get_influxdb_size:
cron.present: cron.present:
@@ -85,71 +128,6 @@ get_influxdb_size:
- month: '*' - month: '*'
- dayweek: '*' - dayweek: '*'
# We have to make sure the influxdb module is the right version prior to state run since reload_modules is bugged
{% if PYTHONINFLUXVERSIONINSTALLED == PYTHONINFLUXVERSION %}
wait_for_influxdb:
http.query:
- name: 'https://{{GLOBALS.manager}}:8086/query?q=SHOW+DATABASES'
- ssl: True
- verify_ssl: False
- status: 200
- timeout: 10
- retry:
attempts: 20
interval: 5
- require:
- docker_container: so-influxdb
telegraf_database:
influxdb_database.present:
- name: telegraf
- database: telegraf
- ssl: True
- verify_ssl: /etc/pki/ca.crt
- cert: ['/etc/pki/influxdb.crt', '/etc/pki/influxdb.key']
- influxdb_host: {{ GLOBALS.manager }}
- require:
- docker_container: so-influxdb
- http: wait_for_influxdb
{% for rp in influxdb.retention_policies.keys() %}
{{rp}}_retention_policy:
influxdb_retention_policy.present:
- name: {{rp}}
- database: telegraf
- duration: {{influxdb.retention_policies[rp].duration}}
- shard_duration: {{influxdb.retention_policies[rp].shard_duration}}
- replication: 1
- default: {{influxdb.retention_policies[rp].get('default', 'False')}}
- ssl: True
- verify_ssl: /etc/pki/ca.crt
- cert: ['/etc/pki/influxdb.crt', '/etc/pki/influxdb.key']
- influxdb_host: {{ GLOBALS.manager }}
- require:
- docker_container: so-influxdb
- influxdb_database: telegraf_database
- file: influxdb_retention_policy.present_patch
{% endfor %}
{% for dest_rp in influxdb.downsample.keys() %}
{% for measurement in influxdb.downsample[dest_rp].get('measurements', []) %}
so_downsample_{{measurement}}_cq:
influxdb_continuous_query.present:
- name: so_downsample_{{measurement}}_cq
- database: telegraf
- query: SELECT mean(*) INTO "{{dest_rp}}"."{{measurement}}" FROM "{{measurement}}" GROUP BY time({{influxdb.downsample[dest_rp].resolution}}),*
- ssl: True
- verify_ssl: /etc/pki/ca.crt
- cert: ['/etc/pki/influxdb.crt', '/etc/pki/influxdb.key']
- influxdb_host: {{ GLOBALS.manager }}
- require:
- docker_container: so-influxdb
- influxdb_database: telegraf_database
- file: influxdb_continuous_query.present_patch
{% endfor %}
{% endfor %}
{% endif %}
{% endif %} {% endif %}
{% else %} {% else %}

11
salt/influxdb/map.jinja
View File

@@ -1,9 +1,2 @@
{% import_yaml 'influxdb/defaults.yaml' as INFLUXDB %} {%- import_yaml 'influxdb/defaults.yaml' as INFLUXDEFAULTS %}
{% set measurements = salt['cmd.shell']('docker exec -t so-influxdb influx -format json -ssl -unsafeSsl -database telegraf -execute "show measurements" 2> /root/measurement_query.log | jq -r .results[0].series[0].values[]?[0] 2>> /root/measurement_query.log', shell='/bin/bash') %} {%- set INFLUXMERGED = salt['pillar.get']('influxdb', default=INFLUXDEFAULTS.influxdb, merge=true) %}
{% if measurements|length > 0 %}
{% do INFLUXDB.influxdb.downsample.so_long_term.update('measurements': [])%}
{% for measurement in measurements.splitlines() %}
{% do INFLUXDB.influxdb.downsample.so_long_term.measurements.append(measurement)%}
{% endfor %}
{% endif %}

683
salt/influxdb/soc_influxdb.yaml
View File

@@ -1,362 +1,355 @@
influxdb: influxdb:
config: config:
meta: assets-path:
logging-enabled: description: Path to the InfluxDB user interface assets located inside the so-influxdb container.
description: Enable InfluxDB meta server logging. global: True
global: True advanced: True
helpLink: influxdb.html helpLink: influxdb.html
data: bolt-path:
wal-fsync-delay: description: Path to the bolt DB file located inside the so-influxdb container.
description: The amount of time that a write will wait before fsyncing. global: True
global: True advanced: True
helpLink: influxdb.html helpLink: influxdb.html
index-version: engine-path:
description: The type of shard index to use for new shards. description: Path to the engine directory located inside the so-influxdb container. This directory stores the time series data.
global: True global: True
helpLink: influxdb.html advanced: True
trace-logging-enabled: helpLink: influxdb.html
description: Trace logging provides more verbose output around the tsm engine. feature-flags:
global: True description: List of key=value flags to enable.
advanced: True global: True
helpLink: influxdb.html advanced: True
query-log-enabled: helpLink: influxdb.html
description: Whether queries should be logged before execution. flux-log-enabled:
global: True description: Controls whether detailed flux query logging is enabled.
helpLink: influxdb.html global: True
validate-keys: advanced: True
description: Validates incoming writes to ensure keys only have valid unicode characters. helpLink: influxdb.html
global: True hardening-enabled:
advanced: True description: If true, enforces outbound connections from the InfluxDB process must never attempt to reach an internal, private network address.
helpLink: influxdb.html global: True
cache-max-memory-size: advanced: True
description: The maximum size a shard's cache can reach before it starts rejecting writes. helpLink: influxdb.html
global: True http-bind-address:
helpLink: influxdb.html description: The URL and port on which InfluxDB will listen for new connections.
cache-snapshot-memory-size: global: True
description: The size at which the engine will snapshot the cache and write it to a TSM file, freeing up memory. advanced: True
global: True helpLink: influxdb.html
advanced: True http-idle-timeout:
helpLink: influxdb.html description: Keep-alive timeout while a connection waits for new requests. A value of 0 is the same as no timeout enforced.
cache-snapshot-write-cold-duration: global: True
description: The length of time at which the engine will snapshot the cache and write it to a new TSM file if the shard hasn't received writes or deletes. advanced: True
global: True helpLink: influxdb.html
advanced: True http-read-header-timeout:
helpLink: influxdb.html description: The duration to wait for a request header before closing the connection. A value of 0 is the same as no timeout enforced.
compact-full-write-cold-duration: global: True
description: The duration at which the engine will compact all TSM files in a shard if it hasn't received a write or delete. advanced: True
global: True helpLink: influxdb.html
advanced: True http-read-timeout:
helpLink: influxdb.html description: The duration to wait for the request to be fully read before closing the connection. A value of 0 is the same as no timeout enforced.
max-concurrent-compactions: global: True
description: The maximum number of concurrent full and level compactions that can run at one time. advanced: True
global: True helpLink: influxdb.html
helpLink: influxdb.html http-write-timeout:
compact-throughput: description: The duration to wait for the response to be fully written before closing the connection. A value of 0 is the same as no timeout enforced.
description: The rate limit in bytes per second that we will allow TSM compactions to write to disk. global: True
global: True advanced: True
advanced: True helpLink: influxdb.html
helpLink: influxdb.html influxql-max-select-buckets:
compact-throughput-burst: description: Maximum number of group-by clauses in a SELECT statement. A value of 0 is the same as unlimited.
description: The rate limit in bytes per second that we will allow TSM compactions to write to disk. global: True
global: True advanced: True
advanced: True helpLink: influxdb.html
helpLink: influxdb.html influxql-max-select-point:
max-index-log-file-size: description: Maximum number of points that can be queried in a SELECT statement. A value of 0 is the same as unlimited.
description: The threshold, in bytes, when an index write-ahead log file will compact into an index file. global: True
global: True advanced: True
advanced: True helpLink: influxdb.html
helpLink: influxdb.html influxql-max-select-series:
max-series-per-database: description: Maximum number of series that can be returned in a SELECT statement. A value of 0 is the same as unlimited.
description: The maximum series allowed per database before writes are dropped. global: True
global: True advanced: True
advanced: True helpLink: influxdb.html
helpLink: influxdb.html instance-id:
max-values-per-tag: description: Unique instance ID for this server, to avoid collisions in a replicated cluster.
description: The maximum number of tag values per tag that are allowed before writes are dropped. global: True
global: True advanced: True
advanced: True helpLink: influxdb.html
helpLink: influxdb.html log-level:
tsm-use-madv-willneed: description: The log level to use for outputting log statements. Allowed values are debug, info, or error.
description: If true, then the mmap advise value MADV_WILLNEED will be provided to the kernel with respect to TSM files. global: True
global: True advanced: false
advanced: True regex: ^(info|debug|error)$
helpLink: influxdb.html helpLink: influxdb.html
coordinator: metrics-disabled:
write-timeout: description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible.
description: The default time a write request will wait until a "timeout" error is returned to the caller. global: True
global: True advanced: True
helpLink: influxdb.html helpLink: influxdb.html
max-concurrent-queries: no-tasks:
description: The maximum number of concurrent queries allowed to be executing at one time. description: If true, the task system will not process any queued tasks. Useful for troubleshooting startup problems.
global: True global: True
helpLink: influxdb.html advanced: True
query-timeout: helpLink: influxdb.html
description: The maximum time a query will is allowed to execute before being killed by the system. pprof-disabled:
global: True description: If true, the profiling data HTTP endpoint will be inaccessible.
helpLink: influxdb.html global: True
log-queries-after: advanced: True
description: The time threshold when a query will be logged as a slow query. helpLink: influxdb.html
global: True query-concurrency:
helpLink: influxdb.html description: Maximum number of queries to execute concurrently. A value of 0 is the same as unlimited.
max-select-point: global: True
description: The maximum number of points a SELECT can process. advanced: True
global: True helpLink: influxdb.html
advanced: True query-initial-memory-bytes:
helpLink: influxdb.html description: The initial number of bytes of memory to allocate for a new query.
max-select-series: global: True
description: The maximum number of series a SELECT can run. advanced: True
global: True helpLink: influxdb.html
advanced: True query-max-memory-bytes:
helpLink: influxdb.html description: The number of bytes of memory to allocate to all running queries. Should typically be the query bytes times the max concurrent queries.
max-select-buckets: global: True
description: The maxium number of group by time bucket a SELECT can create. advanced: True
global: True helpLink: influxdb.html
advanced: True query-memory-bytes:
helpLink: influxdb.html description: Maximum number of bytes of memory to allocate to a query.
retention: global: True
enabled: advanced: True
description: Determines whether retention policy enforcement enabled. helpLink: influxdb.html
global: True query-queue-size:
advanced: True description: Maximum number of queries that can be queued at one time. If this value is reached, new queries will not be queued. A value of 0 is the same as unlimited.
helpLink: influxdb.html global: True
check-interval: advanced: True
description: The interval of time when retention policy enforcement checks run. helpLink: influxdb.html
global: True reporting-disabled:
helpLink: influxdb.html description: If true, prevents InfluxDB from sending telemetry updates to InfluxData's servers.
shard-precreation: global: True
enabled: advanced: True
description: Determines whether shard pre-creation service is enabled. helpLink: influxdb.html
global: True secret-store:
advanced: True description: Determines the type of storage used for secrets. Allowed values are bolt or vault.
helpLink: influxdb.html global: True
check-interval: advanced: True
description: The interval of time when the check to pre-create new shards runs. regex: ^(bolt|vault)$
global: True helpLink: influxdb.html
helpLink: influxdb.html session-length:
advance-period: description: Number of minutes that a user login session can remain authenticated.
description: The default period ahead of the endtime of a shard group that its successor group is created. global: True
global: True advanced: True
advanced: True helpLink: influxdb.html
helpLink: influxdb.html session-renew-disabled:
monitor: description: If true, user login sessions will renew after each request.
store-enabled: global: True
description: Whether to record statistics internally. advanced: True
global: True helpLink: influxdb.html
helpLink: influxdb.html sqlite-path:
store-database: description: Path to the Sqlite3 database inside the container. This database stored user data and other information about the database.
description: The destination database for recorded statistics. global: True
global: True advanced: True
advanced: True helpLink: influxdb.html
helpLink: influxdb.html storage-cache-max-memory-size:
store-interval: description: Maximum number of bytes to allocate to cache data per shard. If exceeded, new data writes will be rejected.
description: The interval at which to record statistics. global: True
global: True advanced: True
helpLink: influxdb.html helpLink: influxdb.html
http: storage-cache-snapshot-memory-size:
enabled: description: Number of bytes to allocate to cache snapshot data. When the cache reaches this size, it will be written to disk to increase available memory.
description: Determines whether HTTP endpoint is enabled. global: True
global: True advanced: True
advanced: True helpLink: influxdb.html
helpLink: influxdb.html storage-cache-snapshot-write-cold-duration:
flux-enabled: description: Duration between snapshot writes to disk when the shard data hasn't been modified.
description: Determines whether the Flux query endpoint is enabled. global: True
global: True advanced: True
advanced: True helpLink: influxdb.html
helpLink: influxdb.html storage-compact-full-write-cold-duration:
bind-address: description: Duration between shard compactions when the shard data hasn't been modified.
description: The bind address used by the HTTP service. global: True
global: True advanced: True
advanced: True helpLink: influxdb.html
helpLink: influxdb.html storage-compact-throughput-burst:
auth-enabled: description: Maximum throughput (number of bytes per second) that compactions be written to disk.
description: Determines whether user authentication is enabled over HTTP/HTTPS. global: True
global: True advanced: True
advanced: True helpLink: influxdb.html
helpLink: influxdb.html storage-max-concurrent-compactions:
realm: description: Maximum number of concurrent compactions. A value of 0 is the same as half the available CPU processors (procs).
description: The default realm sent back when issuing a basic auth challenge. global: True
global: True advanced: True
advanced: True helpLink: influxdb.html
helpLink: influxdb.html storage-max-index-log-file-size:
log-enabled: description: Maximum number of bytes of a write-ahead log (WAL) file before it will be compacted into an index on disk.
description: Determines whether HTTP request logging is enabled. global: True
global: True advanced: True
helpLink: influxdb.html helpLink: influxdb.html
suppress-write-log: storage-no-validate-field-size:
description: Determines whether the HTTP write request logs should be suppressed when the log is enabled. description: If true, incoming requests will skip the field size validation.
global: True global: True
helpLink: influxdb.html advanced: True
access-log-path: helpLink: influxdb.html
description: Path for http access logs. storage-retention-check-interval:
global: True description: Interval between reviewing each bucket's retention policy and the age of the associated data.
advanced: True global: True
helpLink: influxdb.html advanced: True
access-log-status-filters: helpLink: influxdb.html
description: Filters which requests should be logged. storage-series-file-max-concurrent-snapshot-compactions:
global: True description: Maximum number of concurrent snapshot compactions across all database partitions.
advanced: True global: True
helpLink: influxdb.html advanced: True
write-tracing: helpLink: influxdb.html
description: Determines whether detailed write logging is enabled. storage-series-id-set-cache-size:
global: True description: Maximum size of the series cache results. Higher values may increase performance for repeated data lookups.
advanced: True global: True
helpLink: influxdb.html advanced: True
pprof-enabled: helpLink: influxdb.html
description: Determines whether the pprof endpoint is enabled. storage-shard-precreator-advance-period:
global: True description: The duration before a successor shard group is created after the end-time has been reached.
advanced: True global: True
helpLink: influxdb.html advanced: True
debug-pprof-enabled: helpLink: influxdb.html
description: Determines whether the pprof endpoint is enabled in debug mode. storage-shard-precreator-check-interval:
global: True description: Interval between checking if new shards should be created.
advanced: True global: True
helpLink: influxdb.html advanced: True
https-enabled: helpLink: influxdb.html
description: Determines whether HTTPS is enabled. storage-tsm-use-madv-willneed:
global: True description: If true, InfluxDB will manage TSM memory paging.
helpLink: influxdb.html global: True
https-certificate: advanced: True
description: The SSL certificate to use when HTTPS is enabled. helpLink: influxdb.html
global: True storage-validate-keys:
advanced: True description: If true, validates incoming requests for supported characters.
helpLink: influxdb.html global: True
https-private-key: advanced: True
description: Use a separate private key location. helpLink: influxdb.html
global: True storage-wal-fsync-delay:
advanced: True description: Duration to wait before calling fsync. Useful for handling conflicts on slower disks.
helpLink: influxdb.html global: True
shared-secret: advanced: True
description: The JWT auth shared secret to validate requests using JSON web tokens. helpLink: influxdb.html
global: True storage-wal-max-concurrent-writes:
advanced: True description: Maximum number of concurrent write-ahead log (WAL) writes to disk. The value of 0 is the same as CPU processors (procs) x 2.
helpLink: influxdb.html global: True
max-row-limit: advanced: True
description: The default chunk size for result sets that should be chunked. helpLink: influxdb.html
global: True storage-wal-max-write-delay:
helpLink: influxdb.html description: Maximum duration to wait before writing the write-ahead log (WAL) to disk, when the concurrency limit has been exceeded. A value of 0 is the same as no timeout.
max-connection-limit: global: True
description: The maximum number of HTTP connections that may be open at once. advanced: True
global: True helpLink: influxdb.html
helpLink: influxdb.html storage-write-timeout:
unix-socket-enabled: description: Maximum time to wait for a write-ahead log (WAL) to write to disk before aborting.
description: Enable http service over unix domain socket. global: True
global: True advanced: True
advanced: True helpLink: influxdb.html
helpLink: influxdb.html store:
bind-socket: description: The type of data store to use for HTTP resources. Allowed values are disk or memory. Memory should not be used for production Security Onion installations.
description: The path of the unix domain socket. global: True
global: True advanced: True
advanced: True regex: ^(disk|memory)$
helpLink: influxdb.html helpLink: influxdb.html
max-body-size: tls-cert:
description: The maximum size of a client request body, in bytes. description: The container path to the certificate to use for TLS encryption of the HTTP requests and responses.
global: True global: True
helpLink: influxdb.html advanced: True
max-concurrent-write-limit: helpLink: influxdb.html
description: The maximum number of writes processed concurrently. tls-key:
global: True description: The container path to the certificate key to use for TLS encryption of the HTTP requests and responses.
helpLink: influxdb.html global: True
max-enqueued-write-limit: advanced: True
description: The maximum number of writes queued for processing. helpLink: influxdb.html
global: True tls-min-version:
helpLink: influxdb.html description: The minimum supported version of TLS to be enforced on all incoming HTTP requests.
enqueued-write-timeout: global: True
description: The maximum duration for a write to wait in the queue to be processed. advanced: True
global: True helpLink: influxdb.html
helpLink: influxdb.html tls-strict-ciphers:
logging: description: If true, the allowed ciphers used with TLS connections are ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_256_GCM_SHA384, or RSA_WITH_AES_256_CBC_SHA.
format: global: True
description: Determines which log encoder to use for logs. advanced: True
global: True helpLink: influxdb.html
helpLink: influxdb.html tracing-type:
level: description: The tracing format for debugging purposes. Allowed values are log or jaeger, or leave blank to disable tracing.
description: Determines which level of logs will be emitted. global: True
global: True advanced: True
helpLink: influxdb.html helpLink: influxdb.html
suppress-logo: ui-disabled:
description: Suppresses the logo output that is printed when the program is started. description: If true, the InfluxDB HTTP user interface will be disabled. This will prevent use of the included InfluxDB dashboard visualizations.
global: True global: True
helpLink: influxdb.html advanced: True
subscriber: helpLink: influxdb.html
enabled: vault-addr:
description: Determines whether the subscriber service is enabled. description: Vault server address.
global: True global: True
advanced: True advanced: True
helpLink: influxdb.html helpLink: influxdb.html
http-timeout: vault-cacert:
description: The default timeout for HTTP writes to subscribers. description: Path to the Vault's single certificate authority certificate file within the container.
global: True global: True
helpLink: influxdb.html advanced: True
insecure-skip-verify: helpLink: influxdb.html
description: Allows insecure HTTPS connections to subscribers. vault-capath:
global: True description: Path to the Vault's certificate authority directory within the container.
advanced: True global: True
helpLink: influxdb.html advanced: True
ca-certs: helpLink: influxdb.html
description: The path to the PEM encoded CA certs file. vault-client-cert:
global: True description: Vault client certificate path within the container.
advanced: True global: True
helpLink: influxdb.html advanced: True
write-concurrency: helpLink: influxdb.html
description: he number of writer goroutines processing the write channel. vault-client-key:
global: True description: Vault client certificate key path within the container.
helpLink: influxdb.html global: True
write-buffer-size: advanced: True
description: The number of in-flight writes buffered in the write channel. helpLink: influxdb.html
global: True vault-client-timeout:
helpLink: influxdb.html description: Duration to wait for a response from the Vault server before aborting.
continuous_queries: global: True
enabled: advanced: True
description: Determines whether the continuous query service is enabled. helpLink: influxdb.html
global: True vault-max-retries:
helpLink: influxdb.html description: Maximum number of retries when attempting to contact the Vault server. A value of 0 is the same as disabling retries.
log-enabled: global: True
description: Controls whether queries are logged when executed by the CQ service. advanced: True
global: True helpLink: influxdb.html
helpLink: influxdb.html vault-skip-verify:
query-stats-enabled: description: Skip certification validation of the Vault server.
description: Controls whether queries are logged to the self-monitoring data store. global: True
global: True advanced: True
helpLink: influxdb.html helpLink: influxdb.html
run-interval: vault-tls-server-name:
description: Interval for how often continuous queries will be checked if they need to run. description: SNI host to specify when using TLS to connect to the Vault server.
global: True global: True
helpLink: influxdb.html advanced: True
tls: helpLink: influxdb.html
ciphers: vault-token:
description: Determines the available set of cipher suites. description: Vault token used for authentication.
global: True global: True
helpLink: influxdb.html advanced: True
min-version: helpLink: influxdb.html
description: Minimum version of the tls protocol that will be negotiated. buckets:
global: True
helpLink: influxdb.html
max-version:
description: Maximum version of the tls protocol that will be negotiated.
global: True
helpLink: influxdb.html
retention_policies:
so_short_term: so_short_term:
duration: duration:
description: Amount of time to keep short term data. description: Amount of time (in seconds) to keep short term data.
global: True global: True
helpLink: grafana.html#data helpLink: influxdb.html
shard_duration: shard_duration:
description: Time range description: Amount of the time (in seconds) range covered by the shard group.
global: True global: True
helpLink: grafana.html#data helpLink: influxdb.html
so_long_term: so_long_term:
duration: duration:
description: Amount of time to keep long term downsampled data. description: Amount of time (in seconds) to keep long term downsampled data.
global: True global: True
helpLink: grafana.html#data helpLink: influxdb.html
shard_duration: shard_duration:
description: Amount of the time range covered by the shard group. description: Amount of the time (in seconds) range covered by the shard group.
global: True global: True
helpLink: grafana.html#data helpLink: influxdb.html
downsample: downsample:
so_long_term: so_long_term:
resolution: resolution:
description: Amount of time to turn into a single data point. description: Amount of time to turn into a single data point.
global: True global: True
helpLink: grafana.html#data helpLink: influxdb.html

18
salt/influxdb/templates/alarm_deadman.json Normal file
View File

@@ -0,0 +1,18 @@
[{
"apiVersion": "influxdata.com/v2alpha1",
"kind": "CheckDeadman",
"metadata": {
"name": "alarm-deadman"
},
"spec": {
"description": "Data has not been received from Telegraf for an extended period.",
"every": "1m0s",
"level": "CRIT",
"name": "Telegraf Data Outage",
"query": "from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")",
"staleTime": "15m0s",
"status": "active",
"statusMessageTemplate": "Check: ${ r._check_name } is: ${ r._level }",
"timeSince": "2m0s"
}
}]

21
salt/influxdb/templates/alarm_logstash_eps.json Normal file
View File

@@ -0,0 +1,21 @@
[{
"apiVersion": "influxdata.com/v2alpha1",
"kind": "CheckThreshold",
"metadata": {
"name": "alarm-logstash-eps"
},
"spec": {
"every": "1m0s",
"name": "Logstash EPS at 0",
"query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"logstash_events\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"in\")\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")",
"status": "active",
"statusMessageTemplate": "Check: ${ r._check_name } is: ${ r._level }",
"thresholds": [
{
"level": "CRIT",
"type": "lesser",
"value": 1
}
]
}
}]

32
salt/influxdb/templates/alarm_nsm_disk.json Normal file
View File

@@ -0,0 +1,32 @@
[{
"apiVersion": "influxdata.com/v2alpha1",
"kind": "CheckThreshold",
"metadata": {
"name": "alarm-nsm-disk"
},
"spec": {
"description": "Percent used space on the root partition of at least one node has exceeded the alarm threshold.",
"every": "1m0s",
"name": "NSM Disk High Usage",
"query": "from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> aggregateWindow(every: 1m, fn: max, createEmpty: false)\n |> yield(name: \"max\")",
"status": "active",
"statusMessageTemplate": "Check: ${ r._check_name } is: ${ r._level }",
"thresholds": [
{
"level": "CRIT",
"type": "greater",
"value": 95
},
{
"level": "INFO",
"type": "greater",
"value": 85
},
{
"level": "WARN",
"type": "greater",
"value": 90
}
]
}
}]

32
salt/influxdb/templates/alarm_root_disk.json Normal file
View File

@@ -0,0 +1,32 @@
[{
"apiVersion": "influxdata.com/v2alpha1",
"kind": "CheckThreshold",
"metadata": {
"name": "alarm-root-disk"
},
"spec": {
"description": "Percent used space on the root partition of at least one node has exceeded the alarm threshold.",
"every": "1m0s",
"name": "Root Disk High Usage",
"query": "from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> aggregateWindow(every: 1m, fn: max, createEmpty: false)\n |> yield(name: \"max\")",
"status": "active",
"statusMessageTemplate": "Check: ${ r._check_name } is: ${ r._level }",
"thresholds": [
{
"level": "CRIT",
"type": "greater",
"value": 95
},
{
"level": "INFO",
"type": "greater",
"value": 85
},
{
"level": "WARN",
"type": "greater",
"value": 90
}
]
}
}]

1
salt/influxdb/templates/dashboard-security_onion_performance.json Normal file
View File

File diff suppressed because one or more lines are too long

1
salt/influxdb/templates/downsample.json Normal file
View File

@@ -0,0 +1 @@
[{"apiVersion":"influxdata.com/v2alpha1","kind":"Task","metadata":{"name":"task-downsample"},"spec":{"every":"{{ INFLUXMERGED.downsample.so_long_term.resolution }}","name":"Downsample","query":"import \"types\"\n\n\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: -task.every)\n |> filter(fn: (r) => types.isNumeric(v: r._value))\n |> aggregateWindow(every: task.every, fn: mean)\n |> to(bucket: \"telegraf/so_long_term\")"}}]

1
salt/influxdb/templates/variable-container.json Normal file
View File

@@ -0,0 +1 @@
[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-container"},"spec":{"language":"flux","name":"Container","query":"import \"array\"\n\ndynamic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"host\"] == v.Host)\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> keep(columns: [\"container_name\"])\n |> rename(fn: (column) => \"_value\")\n |> unique()\n\nstatic = array.from(\n rows: [\n {\n _value: \"(All)\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["cool_gauss"],"type":"query"}}]

1
salt/influxdb/templates/variable-host.json Normal file
View File

@@ -0,0 +1 @@
[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-host"},"spec":{"language":"flux","name":"Host","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf/so_short_term\", tag: \"host\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"(All)\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["dev"],"type":"query"}}]

1
salt/influxdb/templates/variable-role.json Normal file
View File

@@ -0,0 +1 @@
[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-role"},"spec":{"language":"flux","name":"Role","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf/so_short_term\", tag: \"role\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"(All)\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["standalone"],"type":"query"}}]

2
salt/kibana/bin/so-kibana-config-load
View File

@@ -63,7 +63,7 @@ update() {
IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))'
for i in "${LINES[@]}"; do for i in "${LINES[@]}"; do
RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.6.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.6.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
done done

2
salt/kibana/files/config_saved_objects.ndjson
View File

@@ -1 +1 @@
{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.6.1","id": "8.6.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} {"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.6.2","id": "8.6.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}

1648
salt/kibana/files/saved_objects.ndjson
View File

File diff suppressed because one or more lines are too long

2
salt/logstash/map.jinja
View File

@@ -1,7 +1,7 @@
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% set REDIS_NODES = [] %} {% set REDIS_NODES = [] %}
{% set LOGSTASH_NODES = [] %} {% set LOGSTASH_NODES = [] %}
{% set node_data = salt['pillar.get']('logstash:nodes') %} {% set node_data = salt['pillar.get']('logstash:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %}
{% for node_type, node_details in node_data.items() | sort %} {% for node_type, node_details in node_data.items() | sort %}
{% if GLOBALS.role in ['so-searchnode', 'so-standalone', 'so-managersearch'] %} {% if GLOBALS.role in ['so-searchnode', 'so-standalone', 'so-managersearch'] %}

13
salt/nginx/etc/nginx.conf
View File

@@ -1,5 +1,9 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %} {%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- set role = grains.id.split('_') | last %} {%- set role = grains.id.split('_') | last %}
{%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}
{%- set influxauth = ('so:' + influxpass) | base64_encode %}
worker_processes auto; worker_processes auto;
error_log /var/log/nginx/error.log; error_log /var/log/nginx/error.log;
pid /run/nginx.pid; pid /run/nginx.pid;
@@ -179,17 +183,18 @@ http {
autoindex_localtime on; autoindex_localtime on;
} }
location /grafana/ { location /influxdb/ {
auth_request /auth/sessions/whoami; auth_request /auth/sessions/whoami;
rewrite /grafana/(.*) /$1 break; rewrite /influxdb/api/(.*) /api/$1 break;
proxy_pass http://{{ GLOBALS.manager_ip }}:3000/; proxy_pass https://{{ GLOBALS.manager_ip }}:8086/;
proxy_read_timeout 90; proxy_read_timeout 300;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy ""; proxy_set_header Proxy "";
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_cookie_path /api/ /influxdb/api/;
} }
location /kibana/ { location /kibana/ {

1
salt/nginx/init.sls
View File

@@ -28,6 +28,7 @@ nginxconf:
- group: 939 - group: 939
- template: jinja - template: jinja
- source: salt://nginx/etc/nginx.conf - source: salt://nginx/etc/nginx.conf
- show_changes: False
nginxlogdir: nginxlogdir:
file.directory: file.directory:

4
salt/salt/files/influxdb_continuous_query.py.patch
View File

@@ -1,4 +0,0 @@
56c56
< database, name, query, resample_time, coverage_period
---
> database, name, query, resample_time, coverage_period, **client_args

16
salt/salt/files/influxdb_retention_policy.py.patch
View File

@@ -1,16 +0,0 @@
34c34
< hours = int(duration.split("h"))
---
> hours = int(duration.split("h")[0])
48c48
< def present(name, database, duration="7d", replication=1, default=False, **client_args):
---
> def present(name, database, duration="7d", replication=1, default=False, shard_duration="1d", **client_args):
73c73
< database, name, duration, replication, default, **client_args
---
> database, name, duration, replication, shard_duration, default, **client_args
113c113
< database, name, duration, replication, default, **client_args
---
> database, name, duration, replication, shard_duration, default, **client_args

16
salt/salt/files/influxdbmod.py.patch
View File

@@ -1,16 +0,0 @@
421c421
< database, name, duration, replication, default=False, **client_args
---
> database, name, duration, replication, shard_duration, default=False, **client_args
456c456
< client.create_retention_policy(name, duration, replication, database, default)
---
> client.create_retention_policy(name, duration, replication, database, default, shard_duration)
462c462
< database, name, duration, replication, default=False, **client_args
---
> database, name, duration, replication, shard_duration, default=False, **client_args
498c498
< client.alter_retention_policy(name, database, duration, replication, default)
---
> client.alter_retention_policy(name, database, duration, replication, default, shard_duration)

8
salt/salt/map.jinja
View File

@@ -7,10 +7,6 @@
{% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion'] %} {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion'] %}
{% set SALT_STATE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/states' %} {% set SALT_STATE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/states' %}
{% set SALT_MODULE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/modules' %} {% set SALT_MODULE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/modules' %}
{% set PYTHONINFLUXVERSION = '5.3.1' %}
{% set PYTHON3INFLUX= 'influxdb == ' ~ PYTHONINFLUXVERSION %}
{% set PYTHON3INFLUXDEPS= ['certifi', 'chardet', 'python-dateutil', 'pytz', 'requests'] %}
{% set PYTHONINSTALLER = 'pip' %}
{% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %} {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
{% else %} {% else %}
{% set SPLITCHAR = '-' %} {% set SPLITCHAR = '-' %}
@@ -18,10 +14,6 @@
{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion'] %} {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion'] %}
{% set SALT_STATE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/states' %} {% set SALT_STATE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/states' %}
{% set SALT_MODULE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/modules' %} {% set SALT_MODULE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/modules' %}
{% set PYTHONINFLUXVERSION = '5.3.1' %}
{% set PYTHON3INFLUX= 'securityonion-python3-influxdb' %}
{% set PYTHON3INFLUXDEPS= ['python36-certifi', 'python36-chardet', 'python36-dateutil', 'python36-pytz', 'python36-requests'] %}
{% set PYTHONINSTALLER = 'pkg' %}
{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %} {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
{% endif %} {% endif %}

12
salt/soc/defaults.map.jinja
View File

@@ -1,6 +1,8 @@
{% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %} {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER -%} {% from 'docker/docker.map.jinja' import DOCKER -%}
{%- set INFLUXDB_TOKEN = salt['pillar.get']('secrets:influx_token') %}
{%- set METRICS_LINK = salt['cmd.run']('so-influxdb-manage dashboardpath "Security Onion Performance"') %}
{% for module, application_url in GLOBALS.application_urls.items() %} {% for module, application_url in GLOBALS.application_urls.items() %}
{% do SOCDEFAULTS.soc.server.modules[module].update({'hostUrl': application_url}) %} {% do SOCDEFAULTS.soc.server.modules[module].update({'hostUrl': application_url}) %}
@@ -15,9 +17,13 @@
{% do SOCDEFAULTS.soc.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %} {% do SOCDEFAULTS.soc.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %}
{% if GLOBALS.role != 'so-import' %} {% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %}
{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %} {% do SOCDEFAULTS.soc.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %}
{% endif %} {% for tool in SOCDEFAULTS.soc.server.client.tools %}
{% if tool.name == "toolInfluxDb" %}
{% do tool.update({'link': METRICS_LINK}) %}
{% endif %}
{% endfor %}
{% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sorange, 'apiKey': pillar.sensoroni.sensoronikey}) %} {% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sorange, 'apiKey': pillar.sensoroni.sensoronikey}) %}

14
salt/soc/defaults.yaml
View File

@@ -1031,9 +1031,9 @@ soc:
asyncThreshold: 10 asyncThreshold: 10
influxdb: influxdb:
hostUrl: hostUrl:
token: '' token:
org: '' org: Security Onion
bucket: telegraf bucket: telegraf/so_short_term
verifyCert: false verifyCert: false
salt: salt:
saltPipe: /opt/sensoroni/salt/pipe saltPipe: /opt/sensoroni/salt/pipe
@@ -1076,11 +1076,11 @@ soc:
icon: fa-external-link-alt icon: fa-external-link-alt
target: so-osquery-manager target: so-osquery-manager
link: /kibana/app/osquery/live_queries link: /kibana/app/osquery/live_queries
- name: toolGrafana - name: toolInfluxDb
description: toolGrafanaHelp description: toolInfluxDbHelp
icon: fa-external-link-alt icon: fa-external-link-alt
target: so-grafana target: so-influxdb
link: /grafana/d/so_overview link: /influxdb
- name: toolCyberchef - name: toolCyberchef
description: toolCyberchefHelp description: toolCyberchefHelp
icon: fa-external-link-alt icon: fa-external-link-alt

5
salt/soc/merged.map.jinja
View File

@@ -27,11 +27,6 @@
{% do SOCMERGED.server.client.inactiveTools.append('toolFleet') %} {% do SOCMERGED.server.client.inactiveTools.append('toolFleet') %}
{% if pillar.manager.grafana == 0 %}
{% do SOCMERGED.server.client.inactiveTools.append('toolGrafana') %}
{% endif %}
{% set standard_actions = SOCMERGED.pop('actions') %} {% set standard_actions = SOCMERGED.pop('actions') %}
{% if pillar.global.endgamehost is defined %} {% if pillar.global.endgamehost is defined %}
{% set endgame_dict = { {% set endgame_dict = {

6
salt/telegraf/etc/telegraf.conf
View File

@@ -2,6 +2,7 @@
{%- set INFLUXDBHOST = GLOBALS.influxdb_host %} {%- set INFLUXDBHOST = GLOBALS.influxdb_host %}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
{%- set TOKEN = salt['pillar.get']('secrets:influx_token', '') %}
{%- set NODEIP = GLOBALS.node_ip %} {%- set NODEIP = GLOBALS.node_ip %}
{%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %} {%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
{%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %} {%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %}
@@ -71,8 +72,11 @@
############################################################################### ###############################################################################
# Configuration for sending metrics to InfluxDB # Configuration for sending metrics to InfluxDB
[[outputs.influxdb]] [[outputs.influxdb_v2]]
urls = ["https://{{ INFLUXDBHOST }}:8086"] urls = ["https://{{ INFLUXDBHOST }}:8086"]
token = "{{ TOKEN }}"
organization = "Security Onion"
bucket = "telegraf/so_short_term"
## Optional TLS Config for use on HTTP connections. ## Optional TLS Config for use on HTTP connections.
tls_ca = "/etc/telegraf/ca.crt" tls_ca = "/etc/telegraf/ca.crt"

2
salt/telegraf/init.sls
View File

@@ -53,7 +53,7 @@ tgrafconf:
TGMERGED: {{ TGMERGED }} TGMERGED: {{ TGMERGED }}
# this file will be read by telegraf to send node details (management interface, monitor interface, etc) # this file will be read by telegraf to send node details (management interface, monitor interface, etc)
# into influx so that Grafana can build dashboards using queries # into influx
node_config: node_config:
file.managed: file.managed:
- name: /opt/so/conf/telegraf/node_config.json - name: /opt/so/conf/telegraf/node_config.json

4
salt/top.sls
View File

@@ -293,9 +293,9 @@ base:
- sensoroni - sensoroni
- manager - manager
- nginx - nginx
- soc
- influxdb
- telegraf - telegraf
- influxdb
- soc
- kratos - kratos
- firewall - firewall
- idstools - idstools

1
salt/vars/idh.map.jinja Normal file
View File

@@ -0,0 +1 @@
{% set ROLE_GLOBALS = {} %}

1
setup/automation/distributed-airgap-manager
View File

@@ -21,7 +21,6 @@ BASICSURI=2
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-airgap-search
View File

@@ -21,7 +21,6 @@ ADMINPASS2=onionuser
# ZEEKVERSION=ZEEK # ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-airgap-sensor
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-cloud-manager
View File

@@ -21,7 +21,6 @@ BASICSURI=2
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-cloud-search
View File

@@ -21,7 +21,6 @@ ADMINPASS2=onionuser
#ZEEKVERSION=ZEEK #ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
#GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-cloud-sensor
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
#GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-iso-manager
View File

@@ -21,7 +21,6 @@ BASICSURI=7
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-iso-search
View File

@@ -21,7 +21,6 @@ ADMINPASS2=onionuser
# ZEEKVERSION=ZEEK # ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-iso-sensor
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-net-centos-manager
View File

@@ -21,7 +21,6 @@ BASICSURI=7
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-net-centos-search
View File

@@ -21,7 +21,6 @@ ADMINPASS2=onionuser
# ZEEKVERSION=ZEEK # ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-net-centos-sensor
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-net-ubuntu-manager
View File

@@ -21,7 +21,6 @@ BASICSURI=7
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-net-ubuntu-search
View File

@@ -21,7 +21,6 @@ ADMINPASS2=onionuser
# ZEEKVERSION=ZEEK # ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-net-ubuntu-sensor
View File

@@ -21,7 +21,6 @@ BNICS=ens19
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-net-ubuntu-suricata-manager
View File

@@ -21,7 +21,6 @@ BASICSURI=7
ZEEKVERSION=SURICATA ZEEKVERSION=SURICATA
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-net-ubuntu-suricata-search
View File

@@ -21,7 +21,6 @@ ADMINPASS2=onionuser
# ZEEKVERSION=ZEEK # ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/distributed-net-ubuntu-suricata-sensor
View File

@@ -21,7 +21,6 @@ BNICS=ens19
ZEEKVERSION=SURICATA ZEEKVERSION=SURICATA
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/eval-airgap
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/eval-cloud
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/eval-iso
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/eval-net-centos
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/eval-net-ubuntu
View File

@@ -21,7 +21,6 @@ BNICS=ens19
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/import-airgap
View File

@@ -21,7 +21,6 @@ BASICSURI=2
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/import-cloud
View File

@@ -21,7 +21,6 @@ BASICSURI=2
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/import-iso
View File

@@ -21,7 +21,6 @@ BASICSURI=2
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/import-net-centos
View File

@@ -21,7 +21,6 @@ BASICSURI=2
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/import-net-ubuntu
View File

@@ -21,7 +21,6 @@ BASICSURI=2
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/standalone-airgap
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/standalone-cloud
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/standalone-iso
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/standalone-iso-logscan
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/standalone-iso-suricata
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=SURICATA ZEEKVERSION=SURICATA
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/standalone-net-centos
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

1
setup/automation/standalone-net-centos-proxy
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK ZEEKVERSION=ZEEK
# CURCLOSEDAYS= # CURCLOSEDAYS=
# EVALADVANCED=BASIC # EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit

Some files were not shown because too many files have changed in this diff Show More