CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix conflict

Browse Source
This commit is contained in:
Mike Reeves
2023-02-22 10:20:14 -05:00
parent c3784fe548 3a2ec8e8bf
commit 76011c96d6
104 changed files with 2331 additions and 1784 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pillar/data/addtotab.sh
View File

@@ -45,12 +45,10 @@ echo " rootfs: $ROOTFS" >> $local_salt_dir/pillar/data/$TYPE.sls
echo " nsmfs: $NSM" >> $local_salt_dir/pillar/data/$TYPE.sls
if [ $TYPE == 'sensorstab' ]; then
echo " monint: bond0" >> $local_salt_dir/pillar/data/$TYPE.sls
salt-call state.apply grafana queue=True
fi
if [ $TYPE == 'evaltab' ] || [ $TYPE == 'standalonetab' ]; then
echo " monint: bond0" >> $local_salt_dir/pillar/data/$TYPE.sls
if [ ! $10 ]; then
salt-call state.apply grafana queue=True
salt-call state.apply utility queue=True
fi
fi

5
salt/allowed_states.map.jinja
View File

@@ -33,7 +33,6 @@
'nginx',
'telegraf',
'influxdb',
'grafana',
'soc',
'kratos',
'elastic-fleet',
@@ -82,7 +81,6 @@
'ssl',
'telegraf',
'firewall',
'filebeat',
'idh',
'schedule',
'docker_clean'
@@ -119,7 +117,6 @@
'nginx',
'telegraf',
'influxdb',
'grafana',
'soc',
'kratos',
'elastic-fleet',
@@ -139,7 +136,6 @@
'nginx',
'telegraf',
'influxdb',
'grafana',
'soc',
'kratos',
'elastic-fleet',
@@ -169,7 +165,6 @@
'nginx',
'telegraf',
'influxdb',
'grafana',
'soc',
'kratos',
'elastic-fleet',

0
salt/common/tools/sbin/so-elastic-fleet-agent-policy-view Normal file → Executable file
View File

0
salt/common/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete Normal file → Executable file
View File

2
salt/common/tools/sbin/so-elastic-fleet-setup
View File

@@ -24,7 +24,7 @@ mkdir -p /opt/so/conf/elastic-fleet/certs
cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs
cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs
{% if grains.role == 'so-import' %}
{% if grains.role in ['so-import', 'so-standalone', 'so-eval'] %}
# Add SO-Manager Elasticsearch Ouput
ESCACRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt)
JSON_STRING=$( jq -n \

15
salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status Executable file
View File

@@ -0,0 +1,15 @@
#/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
if [ "$1" == "" ]; then
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_all/_ilm/explain | jq .
else
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/$1/_ilm/explain | jq .[]
fi

9
salt/common/tools/sbin/so-grafana-stop → salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete
View File

@@ -1,12 +1,11 @@
#!/bin/bash
#/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
/usr/sbin/so-stop grafana $1
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X DELETE https://{{ NODEIP }}:9200/_ilm/policy/$1

21
salt/common/tools/sbin/so-elasticsearch-ilm-policy-load Executable file
View File

@@ -0,0 +1,21 @@
#/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ESCONFIG.elasticsearch.index_settings, merge=True) %}
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
{%- for index, settings in ES_INDEX_SETTINGS.items() %}
{%- if settings.policy is defined %}
echo
echo "Setting up {{ index }}-logs policy..."
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/{{ index }}-logs" -H 'Content-Type: application/json' -d'{ "policy": {{ settings.policy | tojson(true) }} }'
echo
{%- endif %}
{%- endfor %}
echo

15
salt/common/tools/sbin/so-elasticsearch-ilm-policy-view Executable file
View File

@@ -0,0 +1,15 @@
#/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
if [ "$1" == "" ]; then
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/policy | jq .
else
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/policy/$1 | jq .[]
fi

8
salt/common/tools/sbin/so-grafana-restart → salt/common/tools/sbin/so-elasticsearch-ilm-restart
View File

@@ -1,12 +1,10 @@
#!/bin/bash
#/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
/usr/sbin/so-restart grafana $1
so-elasticsearch-ilm-stop
so-elasticsearch-ilm-start

12
salt/common/tools/sbin/so-elasticsearch-ilm-start Executable file
View File

@@ -0,0 +1,12 @@
/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
echo "Starting ILM..."
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X POST https://{{ NODEIP }}:9200/_ilm/start

9
salt/common/tools/sbin/so-grafana-start → salt/common/tools/sbin/so-elasticsearch-ilm-status
View File

@@ -1,12 +1,11 @@
#!/bin/bash
/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
/usr/sbin/so-start grafana $1
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/status | jq .

12
salt/common/tools/sbin/so-elasticsearch-ilm-stop Executable file
View File

@@ -0,0 +1,12 @@
#/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
echo "Stopping ILM..."
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X POST https://{{ NODEIP }}:9200/_ilm/stop

2
salt/common/tools/sbin/so-firewall-minion
View File

@@ -69,7 +69,7 @@ fi
so-firewall --apply --role=heavynodes --ip="$IP"
;;
'IDH')
so-firewall --apply --role=beats_endpoint_ssl --ip="$IP"
so-firewall --apply --role=sensors --ip="$IP"
;;
'RECEIVER')
so-firewall --apply --role=receivers --ip="$IP"

20
salt/common/tools/sbin/so-grafana-dashboard-folder-delete
View File

@@ -1,20 +0,0 @@
# this script is used to delete the default Grafana dashboard folders that existed prior to Grafana dashboard and Salt management changes in 2.3.70
# Exit if an error occurs. The next highstate will retry.
set -e
folders=$(curl -X GET http://admin:{{salt['pillar.get']('secrets:grafana_admin')}}@localhost:3000/api/folders | jq -r '.[] | @base64')
delfolder=("Manager" "Manager Search" "Sensor Nodes" "Search Nodes" "Standalone" "Eval Mode")
for row in $folders; do
title=$(echo ${row} | base64 --decode | jq -r '.title')
uid=$(echo ${row} | base64 --decode | jq -r '.uid')
if [[ " ${delfolder[@]} " =~ " ${title} " ]]; then
curl -X DELETE http://admin:{{salt['pillar.get']('secrets:grafana_admin')}}@localhost:3000/api/folders/$uid
fi
done
echo "so-grafana-dashboard-folder-delete has been run to delete default Grafana dashboard folders that existed prior to 2.3.70" > /opt/so/state/so-grafana-dashboard-folder-delete-complete
exit 0

4
salt/common/tools/sbin/so-image-common
View File

@@ -25,7 +25,6 @@ container_list() {
if [ $MANAGERCHECK == 'so-import' ]; then
TRUSTED_CONTAINERS=(
"so-elasticsearch"
"so-filebeat"
"so-idstools"
"so-influxdb"
"so-kibana"
@@ -47,8 +46,6 @@ container_list() {
"so-elastic-agent"
"so-elastic-agent-builder"
"so-elasticsearch"
"so-filebeat"
"so-grafana"
"so-idh"
"so-idstools"
"so-influxdb"
@@ -73,7 +70,6 @@ container_list() {
)
else
TRUSTED_CONTAINERS=(
"so-filebeat"
"so-idstools"
"so-elasticsearch"
"so-logstash"

45
salt/common/tools/sbin/so-influxdb-clean
View File

@@ -1,45 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
wdurregex="^[0-9]+w$"
ddurregex="^[0-9]+d$"
echo -e "\nThis script is used to reduce the size of InfluxDB by removing old data and retaining only the duration specified."
echo "The duration will need to be specified as an integer followed by the duration unit without a space."
echo -e "\nFor example, to purge all data but retain the past 12 weeks, specify 12w for the duration."
echo "The duration units are as follows:"
echo " w - week(s)"
echo " d - day(s)"
while true; do
echo ""
read -p 'Enter the duration of past data that you would like to retain: ' duration
duration=$(echo $duration | tr '[:upper:]' '[:lower:]')
if [[ "$duration" =~ $wdurregex ]] || [[ "$duration" =~ $ddurregex ]]; then
break
fi
echo -e "\nInvalid duration."
done
echo -e "\nInfluxDB will now be cleaned and leave only the past $duration worth of data."
read -r -p "Are you sure you want to continue? [y/N] " yorn
if [[ "$yorn" =~ ^([yY][eE][sS]|[yY])$ ]]; then
echo -e "\nCleaning InfluxDb and saving only the past $duration. This may could take several minutes depending on how much data needs to be cleaned."
if docker exec -t so-influxdb /bin/bash -c "influx -ssl -unsafeSsl -database telegraf -execute \"DELETE FROM /.*/ WHERE \"time\" >= '2020-01-01T00:00:00.0000000Z' AND \"time\" <= now() - $duration\""; then
echo -e "\nInfluxDb clean complete."
else
echo -e "\nSomething went wrong with cleaning InfluxDB. Please verify that the so-influxdb Docker container is running, and check the log at /opt/so/log/influxdb/influxdb.log for any details."
fi
else
echo -e "\nExiting as requested."
fi

55
salt/common/tools/sbin/so-influxdb-downsample
View File

@@ -1,55 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set role = grains.id.split('_') | last %}
{%- if role in ['manager', 'managersearch', 'eval', 'standalone'] %}
{%- import_yaml 'influxdb/defaults.yaml' as default_settings %}
{%- set influxdb = salt['grains.filter_by'](default_settings, default='influxdb', merge=salt['pillar.get']('influxdb', {})) %}
. /usr/sbin/so-common
echo -e "\nThis script is used to reduce the size of InfluxDB by downsampling old data into the so_long_term retention policy."
echo -e "\nInfluxDB will now be downsampled. This could take a few hours depending on how large the database is and hardware resources available."
read -r -p "Are you sure you want to continue? [y/N] " yorn
if [[ "$yorn" =~ ^([yY][eE][sS]|[yY])$ ]]; then
echo -e "\nDownsampling InfluxDb started at `date`. This may take several hours depending on how much data needs to be downsampled."
{% for dest_rp in influxdb.downsample.keys() -%}
{% for measurement in influxdb.downsample[dest_rp].get('measurements', []) -%}
day=0
startdate=`date`
while docker exec -t so-influxdb /bin/bash -c "influx -ssl -unsafeSsl -database telegraf -execute \"SELECT mean(*) INTO \"so_long_term\".\"{{measurement}}\" FROM \"autogen\".\"{{measurement}}\" WHERE \"time\" >= '2020-07-21T00:00:00.0000000Z' + ${day}d AND \"time\" <= '2020-07-21T00:00:00.0000000Z' + $((day+1))d GROUP BY time(5m),*\""; do
# why 2020-07-21?
migrationdate=`date -d "2020-07-21 + ${day} days" +"%y-%m-%d"`
echo "Downsampling of measurement: {{measurement}} from $migrationdate started at $startdate and completed at `date`."
newdaytomigrate=$(date -d "$migrationdate + 1 days" +"%s")
today=$(date +"%s")
if [ $newdaytomigrate -ge $today ]; then
break
else
((day=day+1))
startdate=`date`
echo -e "\nDownsampling the next day's worth of data for measurement: {{measurement}}."
fi
done
{% endfor -%}
{% endfor -%}
echo -e "\nInfluxDb data downsampling complete."
else
echo -e "\nExiting as requested."
fi
{%- else %}
echo -e "\nThis script can only be run on a node running InfluxDB."
{%- endif %}

26
salt/common/tools/sbin/so-influxdb-drop-autogen
View File

@@ -1,26 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
echo -e "\nThis script is used to reduce the size of InfluxDB by dropping the autogen retention policy."
echo "If you want to retain historical data prior to 2.3.60, then this should only be run after you have downsampled your data using so-influxdb-downsample."
echo -e "\nThe autogen retention policy will now be dropped from InfluxDB."
read -r -p "Are you sure you want to continue? [y/N] " yorn
if [[ "$yorn" =~ ^([yY][eE][sS]|[yY])$ ]]; then
echo -e "\nDropping autogen retention policy."
if docker exec -t so-influxdb influx -format json -ssl -unsafeSsl -execute "drop retention policy autogen on telegraf"; then
echo -e "\nAutogen retention policy dropped from InfluxDb."
else
echo -e "\nSomething went wrong dropping then autogen retention policy from InfluxDB. Please verify that the so-influxdb Docker container is running, and check the log at /opt/so/log/influxdb/influxdb.log for any details."
fi
else
echo -e "\nExiting as requested."
fi

285
salt/common/tools/sbin/so-influxdb-manage Normal file
View File

@@ -0,0 +1,285 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
usage() {
echo "Usage: $0 <operation> [args]"
echo ""
echo "Supported Operations:"
echo " dashboardpath Returns the URL path for a dashboard, requires: <name-of-dashboard>"
echo " export Exports all templates to stdout"
echo " setup Loads all templates and creates all required buckets"
echo " userlist Lists users"
echo " useradd Adds a new user, requires: <email>"
echo " userdel Removes an existing user, requires: <email>"
echo " userenable Enables a user, requires: <email>"
echo " userdisable Disables a user, requires: <email>"
echo " userpass Updates a user's password, requires: <email>"
echo " userpromote Promotes a user to admin: <email>"
echo " userdemote Demotes a user from admin: <email>"
echo ""
echo "If required, the password will be read from STDIN."
exit 1
}
if [ $# -lt 1 ]; then
usage
fi
COMMAND=$(basename $0)
OP=$1
shift
set -eo pipefail
log() {
echo -e "$(date) | $COMMAND | $@" >&2
}
check_response() {
response=$1
if [[ "$response" =~ "\"code\":" ]]; then
log "Failed. Check the response for more details.\n$response"
exit 1
fi
}
request() {
curl -skK /opt/so/conf/influxdb/curl.config "https://localhost:8086/api/v2/$@"
}
lookup_user_id() {
email=$1
response=$(request users?limit=100)
check_response "$response"
uid=$(echo "$response" | jq -r ".users[] | select(.name == \"$email\").id")
if [[ -z "$uid" ]]; then
log "User not found"
exit 1
fi
echo "$uid"
}
lookup_stack_id() {
oid=$1
response=$(request "stacks?orgID=$oid&name=Security+Onion")
check_response "$response"
stackid=$(echo "$response" | jq -r ".stacks[0].id")
if [[ -z "$stackid" || "$stackid" == null ]]; then
response=$(request stacks -X POST -d "{\"name\":\"Security Onion\",\"orgID\":\"$oid\"}")
check_response "$response"
stackid=$(echo "$response" | jq -r .id)
fi
echo "$stackid"
}
change_password() {
uid=$1
set +e
test -t 0
if [[ $? == 0 ]]; then
echo "Enter new password:"
fi
set -e
read -rs pass
check_password_and_exit "$pass"
response=$(request users/$uid/password -X POST -d "{\"password\":\"$pass\"}")
check_response "$response"
}
apply_templates() {
oid=$1
stackid=$2
template_objects_array=$3
body="{\"orgID\":\"$oid\",\"stackID\":\"$stackid\",\"templates\":$template_objects_array}"
response=$(request templates/apply -X POST -d "$body")
check_response "$response"
}
setup_bucket() {
oid=$1
name=$2
age=$3
shardduration=$4
response=$(request "buckets?orgID=$oid&name=$name")
bucketid=$(echo "$response" | jq -r ".buckets[0].id")
if [[ -z "$bucketid" || "$bucketid" == null ]]; then
response=$(request buckets -X POST -d "{\"name\":\"$name\",\"orgID\":\"$oid\"}")
check_response "$response"
bucketid=$(echo "$response" | jq -r .id)
fi
response=$(request buckets/$bucketid -X PATCH -d "{\"name\":\"$name\",\"retentionRules\":[{\"everySeconds\":$age,\"shardGroupDurationSeconds\":$shardduration,\"type\":\"expire\"}]}")
check_response "$response"
}
lookup_org_id_with_wait() {
max_attempts=30
attempts=0
wait=10
while [[ $attempts -lt $max_attempts ]]; do
response=$(request orgs?org=Security+Onion)
oid=$(echo "$response" | jq -r ".orgs[] | select(.name == \"Security Onion\").id")
if [[ -z $oid ]]; then
attempts=$((attempts+1))
log "Server does not appear to be running or fully initialized - will try again in $wait seconds ($attempts / $max_attempts)"
sleep $wait
else
echo "$oid"
return
fi
done
log "Server has not started after $max_attempts attempts - aborting"
exit 1
}
oid=$(lookup_org_id_with_wait)
case "$OP" in
setup)
log "Ensuring organization is setup correctly"
# Load templates if at least one has been modified since the last setup
newest=$(ls -1t /opt/so/conf/influxdb/templates/ | head -1)
if [ /opt/so/conf/influxdb/templates/$newest -nt /opt/so/conf/influxdb/last_template_setup ]; then
log "Updating templates"
stackid=$(lookup_stack_id "$oid")
for file in /opt/so/conf/influxdb/templates/*; do
if [[ "$templates_array" != "" ]]; then
templates_array="$templates_array,"
fi
template=$(cat "$file")
templates_array="$templates_array{\"contents\":$template}"
done
apply_templates "$oid" "$stackid" "[$templates_array]"
echo $(date) > /opt/so/conf/influxdb/last_template_setup
else
log "Templates have not been modified since last setup"
fi
# Setup buckets and retention periods if at least one has been modified since the last setup
if [ /opt/so/conf/influxdb/buckets.json -nt /opt/so/conf/influxdb/last_bucket_setup ]; then
log "Updating buckets and retention periods"
for rp in so_short_term so_long_term; do
bucket=telegraf/$rp
log "Ensuring bucket is created and configured; bucket=$bucket"
age=$(cat /opt/so/conf/influxdb/buckets.json | jq -r .$rp.duration)
shard_duration=$(cat /opt/so/conf/influxdb/buckets.json | jq -r .$rp.shard_duration)
setup_bucket "$oid" "$bucket" "$age" "$shard_duration"
done
echo $(date) > /opt/so/conf/influxdb/last_bucket_setup
else
log "Buckets have not been modified since last setup"
fi
;;
userlist)
log "Listing existing users"
response=$(request users)
check_response "$response"
echo "$response" | jq -r '.users[] | "\(.id): \(.name) (\(.status))"'
;;
useradd)
[ $# -ne 1 ] && usage
email=$1
log "Adding new user; email=$email"
response=$(request users -X POST -d "{\"name\":\"$email\"}")
check_response "$response"
uid=$(echo "$response" | jq -r .id)
log "Adding new user to organization"
response=$(request orgs/$oid/members -X POST -d "{\"id\":\"$uid\"}")
check_response "$response"
change_password "$uid"
;;
userpass)
[ $# -ne 1 ] && usage
email=$1
log "Updating user password; email=$email"
uid=$(lookup_user_id "$email")
change_password "$uid"
;;
userdel)
[ $# -ne 1 ] && usage
email=$1
log "Deleting user; email=$email"
uid=$(lookup_user_id "$email")
response=$(request users/$uid -X DELETE)
check_response "$response"
;;
userenable)
[ $# -ne 1 ] && usage
email=$1
log "Enabling user; email=$email"
uid=$(lookup_user_id "$email")
response=$(request users/$uid -X PATCH -d "{\"name\":\"$email\",\"status\":\"active\"}")
check_response "$response"
;;
userdisable)
[ $# -ne 1 ] && usage
email=$1
log "Disabling user; email=$email"
uid=$(lookup_user_id "$email")
response=$(request users/$uid -X PATCH -d "{\"name\":\"$email\",\"status\":\"inactive\"}")
check_response "$response"
;;
userpromote)
[ $# -ne 1 ] && usage
email=$1
log "Promoting user to admin; email=$email"
uid=$(lookup_user_id "$email")
response=$(request orgs/$oid/members/$uid -X DELETE)
response=$(request orgs/$oid/owners -X POST -d "{\"id\":\"$uid\"}")
check_response "$response"
;;
userdemote)
[ $# -ne 1 ] && usage
email=$1
log "Demoting user from admin; email=$email"
uid=$(lookup_user_id "$email")
response=$(request orgs/$oid/owners/$uid -X DELETE)
response=$(request orgs/$oid/members -X POST -d "{\"id\":\"$uid\"}")
check_response "$response"
;;
export)
log "Exporting all organization templates"
request templates/export -X POST -d "{\"orgIDs\":[{\"orgID\":\"$oid\"}]}" -H "Content-Type: application/json"
;;
dashboardpath)
[ $# -ne 1 ] && usage
name=$1
response=$(request dashboards?limit=100&orgID=$oid)
check_response "$response"
dbid=$(echo "$response" | jq -r ".dashboards[] | select(.name == \"$name\").id")
if [[ -z "$dbid" ]]; then
log "Dashboard not found"
exit 1
fi
echo -n "/influxdb/orgs/$oid/dashboards/$dbid"
;;
*)
usage
;;
esac

16
salt/common/tools/sbin/so-minion
View File

@@ -119,6 +119,18 @@ function add_elastic_to_minion() {
" " >> $PILLARFILE
}
# Add IDH Services info to the minion file
function add_idh_to_minion() {
printf '%s\n'\
"idh:"\
" restrict_management_ip: $IDH_MGTRESTRICT"\
" services:" >> "$PILLARFILE"
IFS=',' read -ra IDH_SERVICES_ARRAY <<< "$IDH_SERVICES"
for service in ${IDH_SERVICES_ARRAY[@]}; do
echo " - $service" | tr '[:upper:]' '[:lower:]' | tr -d '"' >> "$PILLARFILE"
done
}
function add_logstash_to_minion() {
# Create the logstash advanced pillar
printf '%s\n'\
@@ -183,8 +195,8 @@ function createEVAL() {
add_sensor_to_minion
}
function createIDHNODE() {
echo "Nothing custom needed for IDH nodes"
function createIDH() {
add_idh_to_minion
}
function createIMPORT() {

18
salt/common/tools/sbin/so-user
View File

@@ -587,7 +587,10 @@ case "${operation}" in
createUser "$email" "${role:-$DEFAULT_ROLE}" "${firstName}" "${lastName}" "${note}"
syncAll
echo "Successfully added new user to SOC"
check_container fleet && echo "$password" | so-fleet-user-add "$email"
echo "$password" | so-influxdb-manage useradd "$email"
if [[ "$role" == "superuser" ]]; then
echo "$password" | so-influxdb-manage userpromote "$email"
fi
;;
"list")
@@ -605,6 +608,9 @@ case "${operation}" in
if addUserRole "$email" "$role"; then
syncElastic
echo "Successfully added role to user"
if [[ "$role" == "superuser" ]]; then
echo "$password" | so-influxdb-manage userpromote "$email"
fi
fi
;;
@@ -618,6 +624,9 @@ case "${operation}" in
deleteUserRole "$email" "$role"
syncElastic
echo "Successfully removed role from user"
if [[ "$role" == "superuser" ]]; then
echo "$password" | so-influxdb-manage userdemote "$email"
fi
;;
"password")
@@ -628,6 +637,7 @@ case "${operation}" in
updateUserPassword "$email"
syncAll
echo "Successfully updated user password"
echo "$password" | so-influxdb-manage userpass "$email"
;;
"profile")
@@ -647,7 +657,7 @@ case "${operation}" in
updateStatus "$email" 'active'
syncAll
echo "Successfully enabled user"
echo "Fleet user will need to be recreated manually with so-fleet-user-add"
so-influxdb-manage userenable "$email"
;;
"disable")
@@ -658,7 +668,7 @@ case "${operation}" in
updateStatus "$email" 'locked'
syncAll
echo "Successfully disabled user"
check_container fleet && so-fleet-user-delete "$email"
so-influxdb-manage userdisable "$email"
;;
"delete")
@@ -669,7 +679,7 @@ case "${operation}" in
deleteUser "$email"
syncAll
echo "Successfully deleted user"
check_container fleet && so-fleet-user-delete "$email"
so-influxdb-manage userdel "$email"
;;
"sync")

6
salt/docker/defaults.yaml
View File

@@ -23,10 +23,6 @@ docker:
- 0.0.0.0:514:514/udp
- 0.0.0.0:514:514/tcp
- 0.0.0.0:5066:5066/tcp
'so-grafana':
final_octet: 24
port_bindings:
- 0.0.0.0:3000:3000
'so-idstools':
final_octet: 25
'so-influxdb':
@@ -106,3 +102,5 @@ docker:
final_octet: 44
port_bindings:
- 0.0.0.0:8080:8080/tcp
'so-idh':
final_octet: 45

202
salt/elasticsearch/defaults.yaml
View File

@@ -1430,6 +1430,8 @@ elasticsearch:
date_detection: false
settings:
index:
lifecycle:
name: so-elasticsearch-logs
mapping:
total_fields:
limit: 5000
@@ -1498,6 +1500,25 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-endgame:
index_sorting: False
index_template:
@@ -2183,6 +2204,8 @@ elasticsearch:
date_detection: false
settings:
index:
lifecycle:
name: so-suricata-logs
mapping:
total_fields:
limit: 5000
@@ -2251,6 +2274,25 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-imperva:
index_sorting: False
index_template:
@@ -2351,6 +2393,8 @@ elasticsearch:
date_detection: false
settings:
index:
lifecycle:
name: so-import-logs
mapping:
total_fields:
limit: 5000
@@ -2419,6 +2463,25 @@ elasticsearch:
- common-dynamic-mappings
- winlog-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-infoblox:
index_sorting: False
index_template:
@@ -2671,6 +2734,25 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-kratos:
warm: 7
close: 30
@@ -2754,6 +2836,25 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-logstash:
index_sorting: False
index_template:
@@ -2770,6 +2871,8 @@ elasticsearch:
date_detection: false
settings:
index:
lifecycle:
name: so-logstash-logs
mapping:
total_fields:
limit: 5000
@@ -2838,6 +2941,25 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-microsoft:
index_sorting: False
index_template:
@@ -3691,6 +3813,8 @@ elasticsearch:
date_detection: false
settings:
index:
lifecycle:
name: so-redis-logs
mapping:
total_fields:
limit: 5000
@@ -3759,6 +3883,25 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-snort:
index_sorting: False
index_template:
@@ -4262,6 +4405,25 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-syslog:
index_sorting: False
index_template:
@@ -4347,6 +4509,25 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-tomcat:
index_sorting: False
index_template:
@@ -4447,6 +4628,8 @@ elasticsearch:
date_detection: false
settings:
index:
lifecycle:
name: so-zeek-logs
mapping:
total_fields:
limit: 5000
@@ -4517,6 +4700,25 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-zscaler:
index_sorting: False
index_template:

20
salt/elasticsearch/init.sls
View File

@@ -53,9 +53,19 @@ es_sync_scripts:
- source: salt://elasticsearch/tools/sbin
- exclude_pat:
- so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state
- so-elasticsearch-ilm-policy-load
- defaults:
GLOBALS: {{ GLOBALS }}
so-elasticsearch-ilm-policy-load-script:
file.managed:
- name: /usr/sbin/so-elasticsearch-ilm-policy-load
- source: salt://elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load
- user: 930
- group: 939
- mode: 754
- template: jinja
so-elasticsearch-pipelines-script:
file.managed:
- name: /usr/sbin/so-elasticsearch-pipelines
@@ -362,6 +372,16 @@ so-es-cluster-settings:
- docker_container: so-elasticsearch
- file: es_sync_scripts
so-elasticsearch-ilm-policy-load:
cmd.run:
- name: /usr/sbin/so-elasticsearch-ilm-policy-load
- cwd: /opt/so
- require:
- docker_container: so-elasticsearch
- file: so-elasticsearch-ilm-policy-load-script
- onchanges:
- file: so-elasticsearch-ilm-policy-load-script
so-elasticsearch-templates:
cmd.run:
- name: /usr/sbin/so-elasticsearch-templates-load

72
salt/elasticsearch/soc_elasticsearch.yaml
View File

@@ -36,7 +36,7 @@ elasticsearch:
global: True
helpLink: elasticsearch.html
index_settings:
so-aws: &indexSettings
so-elasticsearch: &indexSettings
warm:
description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch.
global: True
@@ -75,45 +75,51 @@ elasticsearch:
description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
global: True
helpLink: elasticsearch.html
so-azure: *indexSettings
so-barracuda: *indexSettings
so-beats: *indexSettings
so-bluecoat: *indexSettings
so-cef: *indexSettings
so-checkpoint: *indexSettings
so-cisco: *indexSettings
so-cyberark: *indexSettings
so-cylance: *indexSettings
so-elasticsearch: *indexSettings
policy:
phases:
hot:
min_age:
description: Minimum age
global: True
helpLink: elasticsearch.html
actions:
set_priority:
priority:
description: Priority of index, used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
global: True
helpLink: elasticsearch.html
rollover:
max_age:
description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
global: True
helpLink: elasticsearch.html
max_primary_shard_size:
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
global: True
helpLink: elasticsearch.html
cold:
min_age:
description: Minimum age of index, determining when it should be sent to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed.
global: True
helpLink: elasticsearch.html
actions:
set_priority:
priority:
description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
global: True
helpLink: elasticsearch.html
delete:
min_age:
description: Minimum age of index, determining when it should be deleted.
global: True
helpLink: elastic
so-endgame: *indexSettings
so-f5: *indexSettings
so-firewall: *indexSettings
so-fortinet: *indexSettings
so-gcp: *indexSettings
so-google_workspace: *indexSettings
so-ids: *indexSettings
so-imperva: *indexSettings
so-import: *indexSettings
so-infoblox: *indexSettings
so-juniper: *indexSettings
so-kibana: *indexSettings
so-logstash: *indexSettings
so-microsoft: *indexSettings
so-misp: *indexSettings
so-netflow: *indexSettings
so-netscout: *indexSettings
so-o365: *indexSettings
so-okta: *indexSettings
so-osquery: *indexSettings
so-proofpoint: *indexSettings
so-radware: *indexSettings
so-redis: *indexSettings
so-snort: *indexSettings
so-snyk: *indexSettings
so-sonicwall: *indexSettings
so-sophos: *indexSettings
so-strelka: *indexSettings
so-syslog: *indexSettings
so-tomcat: *indexSettings
so-zeek: *indexSettings
so-zscaler: *indexSettings

21
salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load Executable file
View File

@@ -0,0 +1,21 @@
#/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ESCONFIG.elasticsearch.index_settings, merge=True) %}
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
{%- for index, settings in ES_INDEX_SETTINGS.items() %}
{%- if settings.policy is defined %}
echo
echo "Setting up {{ index }}-logs policy..."
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/{{ index }}-logs" -H 'Content-Type: application/json' -d'{ "policy": {{ settings.policy | tojson(true) }} }'
echo
{%- endif %}
{%- endfor %}
echo

8
salt/firewall/assigned_hostgroups.map.yaml
View File

@@ -2,6 +2,7 @@
{% import_yaml 'firewall/ports/ports.yaml' as portgroups %}
{% set portgroups = portgroups.firewall.ports %}
{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
role:
eval:
@@ -576,7 +577,7 @@ role:
portgroups:
{% set idh_services = salt['pillar.get']('idh:services', []) %}
{% for service in idh_services %}
- {{ portgroups['idh_'~service] }}
- {{ IDH_PORTGROUPS['idh_'~service] }}
{% endfor %}
dockernet:
portgroups:
@@ -586,4 +587,7 @@ role:
- {{ portgroups.all }}
manager:
portgroups:
- {{ portgroups.ssh }}
- {{ IDH_PORTGROUPS.openssh }}
standalone:
portgroups:
- {{ IDH_PORTGROUPS.openssh }}

85
salt/firewall/containers.map.jinja
View File

@@ -1,3 +1,31 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if GLOBALS.role == 'so-eval' %}
{% set NODE_CONTAINERS = [
'so-curator',
'so-dockerregistry',
'so-elasticsearch',
'so-elastic-fleet',
'so-elastic-fleet-package-registry',
'so-grafana',
'so-influxdb',
'so-kibana',
'so-kratos',
'so-mysql',
'so-nginx',
'so-redis',
'so-soc',
'so-soctopus',
'so-strelka-coordinator',
'so-strelka-gatekeeper',
'so-strelka-frontend',
'so-strelka-backend',
'so-strelka-manager',
'so-strelka-filestream'
] %}
{% endif %}
{% if GLOBALS.role == 'so-manager' or GLOBALS.role == 'so-standalone' or GLOBALS.role == 'so-managersearch' %}
{% set NODE_CONTAINERS = [
'so-curator',
'so-dockerregistry',
@@ -5,7 +33,6 @@
'so-elastic-fleet',
'so-elastic-fleet-package-registry',
'so-filebeat',
'so-grafana',
'so-influxdb',
'so-kibana',
'so-kratos',
@@ -22,3 +49,59 @@
'so-strelka-manager',
'so-strelka-filestream'
] %}
{% endif %}
{% if GLOBALS.role == 'so-searchnode' %}
{% set NODE_CONTAINERS = [
'so-elasticsearch',
'so-filebeat',
'so-logstash',
'so-nginx'
] %}
{% endif %}
{% if GLOBALS.role == 'so-heavynode' %}
{% set NODE_CONTAINERS = [
'so-curator',
'so-elasticsearch',
'so-filebeat',
'so-logstash',
'so-nginx',
'so-redis',
'so-strelka-coordinator',
'so-strelka-gatekeeper',
'so-strelka-frontend',
'so-strelka-backend',
'so-strelka-manager',
'so-strelka-filestream'
] %}
{% endif %}
{% if GLOBALS.role == 'so-import' %}
{% set NODE_CONTAINERS = [
'so-dockerregistry',
'so-elasticsearch',
'so-elastic-fleet',
'so-elastic-fleet-package-registry',
'so-filebeat',
'so-influxdb',
'so-kibana',
'so-kratos',
'so-nginx',
'so-soc'
] %}
{% endif %}
{% if GLOBALS.role == 'so-receiver' %}
{% set NODE_CONTAINERS = [
'so-filebeat',
'so-logstash',
'so-redis',
] %}
{% endif %}
{% if GLOBALS.role == 'so-idh' %}
{% set NODE_CONTAINERS = [
'so-idh',
] %}
{% endif %}

7
salt/firewall/map.jinja
View File

@@ -1,3 +1,4 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% set role = grains.id.split('_') | last %}
{% set translated_pillar_assigned_hostgroups = {} %}
@@ -9,9 +10,15 @@
{% else %}
{% set local_portgroups = {} %}
{% endif %}
{% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %}
{% set defined_portgroups = portgroups %}
{% if GLOBALS.role == 'so-idh' %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
{% do salt['defaults.merge'](defined_portgroups, IDH_PORTGROUPS, in_place=True) %}
{% endif %}
{% set local_hostgroups = {'firewall': {'hostgroups': {}}} %}
{% set hostgroup_list = salt['cp.list_master'](prefix='firewall/hostgroups') %}

22
salt/idh/opencanary_config.map.jinja
View File

@@ -1,11 +1,25 @@
{% set idh_services = salt['pillar.get']('idh:services', []) %}
{% import_yaml "idh/defaults/defaults.yaml" as OPENCANARYCONFIG with context %}
{% set IDH_PORTGROUPS = {} %}
{% import_yaml "idh/defaults/defaults.yaml" as IDHCONFIG with context %}
{% for service in idh_services %}
{% import_yaml "idh/defaults/" ~ service ~ ".defaults.yaml" as SERVICECONFIG with context %}
{% do salt['defaults.merge'](OPENCANARYCONFIG, SERVICECONFIG, in_place=True) %}
{% do salt['defaults.merge'](IDHCONFIG, SERVICECONFIG, in_place=True) %}
{% endfor %}
{% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=OPENCANARYCONFIG.idh.opencanary.config, merge=True) %}
{% do OPENCANARYCONFIG.idh.opencanary.config.update({'device.node_id': grains.host}) %}
{% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %}
{% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %}
{% for service in idh_services %}
{% if service in ["smnp","ntp", "tftp"] %}
{% set proto = 'udp' %}
{% else %}
{% set proto = 'tcp' %}
{% endif %}
{% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '.port']]}}) %}
{% endfor %}
{% do IDH_PORTGROUPS.update({'openssh': {'tcp': [OPENSSH.config.port]}}) %}
{% do OPENCANARYCONFIG.update({'device.node_id': grains.host}) %}

1
salt/influxdb/buckets.json.jinja Normal file
View File

@@ -0,0 +1 @@
{{ INFLUXMERGED.buckets | json }}

1
salt/influxdb/config.yaml.jinja Normal file
View File

@@ -0,0 +1 @@
{{ INFLUXMERGED.config | yaml(false) }}

1
salt/influxdb/curl.config.jinja Normal file
View File

@@ -0,0 +1 @@
header = "Authorization: Token {{ salt['pillar.get']('secrets:influx_token') }}"

230
salt/influxdb/defaults.yaml
View File

@@ -1,167 +1,77 @@
influxdb:
config:
meta:
dir: /var/lib/influxdb/meta
retention-autocreate: true
logging-enabled: true
data:
dir: /var/lib/influxdb/data
wal-dir: /var/lib/influxdb/wal
wal-fsync-delay: 0s
index-version: inmem
race-logging-enabled: false
query-log-enabled: true
validate-keys: false
cache-max-memory-size: 1g
cache-snapshot-memory-size: 25m
cache-snapshot-write-cold-duration: 10m
compact-full-write-cold-duration: 4h
max-concurrent-compactions: 0
compact-throughput: 48m
compact-throughput-burst: 48m
max-index-log-file-size: 1m
max-series-per-database: 1000000
max-values-per-tag: 100000
tsm-use-madv-willneed: false
coordinator:
write-timeout: 10s
max-concurrent-queries: 0
query-timeout: 0s
log-queries-after: 0s
max-select-point: 0
max-select-series: 0
max-select-buckets: 0
retention:
enabled: true
check-interval: 30m
shard-precreation:
enabled: true
check-interval: 10m
advance-period: 30m
monitor:
store-enabled: true
store-database: _internal
store-interval: 10s
http:
enabled: true
flux-enabled: true
bind-address: ':8086'
auth-enabled: false
realm: InfluxDB
log-enabled: false
suppress-write-log: false
access-log-path: ''
access-log-status-filters: []
write-tracing: false
pprof-enabled: true
debug-pprof-enabled: false
https-enabled: true
https-certificate: /etc/ssl/influxdb.crt
https-private-key: /etc/ssl/influxdb.key
shared-secret: ''
max-row-limit: 0
max-connection-limit: 0
unix-socket-enabled: false
bind-socket: /var/run/influxdb.sock
max-body-size: 25000000
max-concurrent-write-limit: 0
max-enqueued-write-limit: 0
enqueued-write-timeout: 0
logging:
format: auto
level: info
suppress-logo: false
subscriber:
enabled: true
http-timeout: 30s
insecure-skip-verify: false
ca-certs: ''
write-concurrency: 40
write-buffer-size: 1000
graphite:
enabled: false
database: graphite
retention-policy: ''
bind-address: ':2003'
protocol: tcp
consistency-level: one
batch-size: 5000
batch-pending: 10
batch-timeout: 1s
udp-read-buffer: 0
separator: '.'
tags: []
templates: []
collectd:
enabled: false
bind-address: ':25826'
database: collectd
retention-policy: ''
typesdb: /usr/local/share/collectd
security-level: none
auth-file: /etc/collectd/auth_file
batch-size: 5000
bath-pending: 10
batch-timeout: 10s
read-buffer: 0
parse-multivalue-plugin: split
opentsdb:
enabled: false
bind-address: ':4242'
database: opentsdb
retention-policy: ''
consistency-level: one
tls-enabled: false
certificate: /etc/ssl/influxdb.pem
log-point-errors: true
batch-size: 1000
batch-pending: 5
bath-timeout: 1s
udp:
enabled: false
bind-address: ':8089'
database: udp
retention-policy: ''
precision: ''
batch-size: 5000
batch-pending: 10
batch-timeout: 1s
read-buffer: 0
continuous_queries:
enabled: true
log-enabled: true
query-stats-enabled: false
run-interval: 1s
tls:
ciphers:
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_GCM_SHA384
min-version: tls1.2
max-version: tls1.2
retention_policies:
assets-path: /ui
bolt-path: /var/lib/influxdb2/influxd.bolt
engine-path: /var/lib/influxdb2/engine
feature-flags: ""
flux-log-enabled: false
hardening-enabled: true
http-bind-address: :8086
http-idle-timeout: 0
http-read-header-timeout: 10s
http-read-timeout: 0
http-write-timeout: 0
influxql-max-select-buckets: 0
influxql-max-select-point: 0
influxql-max-select-series: 0
instance-id: ""
log-level: info
metrics-disabled: true
no-tasks: false
pprof-disabled: true
query-concurrency: 100
query-initial-memory-bytes: 1073741824
query-max-memory-bytes: 107374182400
query-memory-bytes: 1073741824
query-queue-size: 500
reporting-disabled: true
secret-store: bolt
session-length: 10080
session-renew-disabled: false
sqlite-path: /var/lib/influxdb2/influxd.sqlite
storage-cache-max-memory-size: 1073741824
storage-cache-snapshot-memory-size: 26214400
storage-cache-snapshot-write-cold-duration: 10m0s
storage-compact-full-write-cold-duration: 4h0m0s
storage-compact-throughput-burst: 50331648
storage-max-concurrent-compactions: 0
storage-max-index-log-file-size: 1048576
storage-no-validate-field-size: false
storage-retention-check-interval: 30m0s
storage-series-file-max-concurrent-snapshot-compactions: 0
storage-series-id-set-cache-size: 100
storage-shard-precreator-advance-period: 30m0s
storage-shard-precreator-check-interval: 10m0s
storage-tsm-use-madv-willneed: false
storage-validate-keys: false
storage-wal-fsync-delay: 0s
storage-wal-max-concurrent-writes: 0
storage-wal-max-write-delay: 10m
storage-write-timeout: 10s
store: disk
tls-cert: /conf/influxdb.crt
tls-key: /conf/influxdb.key
tls-min-version: 1.2
tls-strict-ciphers: true
tracing-type: ""
ui-disabled: false
vault-addr: ""
vault-cacert: ""
vault-capath: ""
vault-client-cert: ""
vault-client-key: ""
vault-client-timeout: 60s
vault-max-retries: 2
vault-skip-verify: false
vault-tls-server-name: ""
vault-token: ""
buckets:
so_short_term:
default: True
duration: 30d
shard_duration: 1d
duration: 2592000
shard_duration: 86400
so_long_term:
default: False
duration: 0d
shard_duration: 7d
duration: 0
shard_duration: 604800
downsample:
so_long_term:
resolution: 5m

26
salt/influxdb/etc/influxdb.conf.jinja
View File

@@ -1,26 +0,0 @@
{%- import_yaml 'influxdb/defaults.yaml' as INFLUXDEFAULTS %}
{%- set INFLUXMERGED = salt['pillar.get']('influxdb', default=INFLUXDEFAULTS.influxdb, merge=true) %}
{%- for header in INFLUXMERGED.config.keys() %}
{%- if header in ['graphite', 'collectd', 'opentsdb', 'udp'] %}
[[{{header}}]]
{%- else %}
[{{header}}]
{%- endif %}
{%- for k, v in INFLUXMERGED.config[header].items() %}
{#- is v a list? #}
{%- if v is iterable and (v is not string and v is not mapping) %}
{{k}} = [
{%- for li in v %}
"{{li}}",
{%- endfor %}
]
{%- elif v is string %}
{{k}} = "{{v}}"
{%- elif v is boolean %}
{{k}} = {{v|string|lower}}
{%- else %}
{{k}} = {{v}}
{%- endif %}
{%- endfor %}
{%- endfor %}

136
salt/influxdb/init.sls
View File

@@ -2,15 +2,11 @@
{% if sls in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
{% from 'influxdb/map.jinja' import INFLUXMERGED %}
{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval', 'so-import'] %}
{% import_yaml 'influxdb/defaults.yaml' as default_settings %}
{% set influxdb = salt['grains.filter_by'](default_settings, default='influxdb', merge=salt['pillar.get']('influxdb', {})) %}
{% from 'salt/map.jinja' import PYTHON3INFLUX with context %}
{% from 'salt/map.jinja' import PYTHONINFLUXVERSION with context %}
{% set PYTHONINFLUXVERSIONINSTALLED = salt['cmd.run']("python3 -c \"exec('try:import influxdb; print (influxdb.__version__)\\nexcept:print(\\'Module Not Found\\')')\"", python_shell=True) %}
{% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
{% set TOKEN = salt['pillar.get']('secrets:influx_token') %}
include:
- salt.minion
@@ -19,7 +15,7 @@ include:
# Influx DB
influxconfdir:
file.directory:
- name: /opt/so/conf/influxdb/etc
- name: /opt/so/conf/influxdb
- makedirs: True
influxlogdir:
@@ -37,11 +33,43 @@ influxdbdir:
influxdbconf:
file.managed:
- name: /opt/so/conf/influxdb/etc/influxdb.conf
- name: /opt/so/conf/influxdb/config.yaml
- source: salt://influxdb/config.yaml.jinja
- user: 939
- group: 939
- template: jinja
- source: salt://influxdb/etc/influxdb.conf.jinja
- defaults:
INFLUXMERGED: {{ INFLUXMERGED }}
influxdbbucketsconf:
file.managed:
- name: /opt/so/conf/influxdb/buckets.json
- source: salt://influxdb/buckets.json.jinja
- user: 939
- group: 939
- template: jinja
- defaults:
INFLUXMERGED: {{ INFLUXMERGED }}
influxdb-templates:
file.recurse:
- name: /opt/so/conf/influxdb/templates
- source: salt://influxdb/templates
- user: 939
- group: 939
- template: jinja
- clean: True
- defaults:
INFLUXMERGED: {{ INFLUXMERGED }}
influxdb_curl_config:
file.managed:
- name: /opt/so/conf/influxdb/curl.config
- source: salt://influxdb/curl.config.jinja
- mode: 600
- template: jinja
- show_changes: False
- makedirs: True
so-influxdb:
docker_container.running:
@@ -51,13 +79,20 @@ so-influxdb:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
- environment:
- INFLUXD_CONFIG_PATH=/conf
- INFLUXDB_HTTP_LOG_ENABLED=false
- DOCKER_INFLUXDB_INIT_MODE=setup
- DOCKER_INFLUXDB_INIT_USERNAME=so
- DOCKER_INFLUXDB_INIT_PASSWORD={{ PASSWORD }}
- DOCKER_INFLUXDB_INIT_ORG=Security Onion
- DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
- DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
- binds:
- /opt/so/log/influxdb/:/log:rw
- /opt/so/conf/influxdb/etc/influxdb.conf:/etc/influxdb/influxdb.conf:ro
- /nsm/influxdb:/var/lib/influxdb:rw
- /etc/pki/influxdb.crt:/etc/ssl/influxdb.crt:ro
- /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro
- /opt/so/conf/influxdb/config.yaml:/conf/config.yaml:ro
- /nsm/influxdb:/var/lib/influxdb2:rw
- /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
- /etc/pki/influxdb.key:/conf/influxdb.key:ro
- port_bindings:
{% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
- {{ BINDING }}
@@ -74,6 +109,14 @@ append_so-influxdb_so-status.conf:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-influxdb
influxdb-setup:
cmd.run:
- name: /usr/sbin/so-influxdb-manage setup &>> /opt/so/log/influxdb/setup.log
- require:
- file: influxdbbucketsconf
- file: influxdb_curl_config
- docker_container: so-influxdb
# Install cron job to determine size of influxdb for telegraf
get_influxdb_size:
cron.present:
@@ -85,71 +128,6 @@ get_influxdb_size:
- month: '*'
- dayweek: '*'
# We have to make sure the influxdb module is the right version prior to state run since reload_modules is bugged
{% if PYTHONINFLUXVERSIONINSTALLED == PYTHONINFLUXVERSION %}
wait_for_influxdb:
http.query:
- name: 'https://{{GLOBALS.manager}}:8086/query?q=SHOW+DATABASES'
- ssl: True
- verify_ssl: False
- status: 200
- timeout: 10
- retry:
attempts: 20
interval: 5
- require:
- docker_container: so-influxdb
telegraf_database:
influxdb_database.present:
- name: telegraf
- database: telegraf
- ssl: True
- verify_ssl: /etc/pki/ca.crt
- cert: ['/etc/pki/influxdb.crt', '/etc/pki/influxdb.key']
- influxdb_host: {{ GLOBALS.manager }}
- require:
- docker_container: so-influxdb
- http: wait_for_influxdb
{% for rp in influxdb.retention_policies.keys() %}
{{rp}}_retention_policy:
influxdb_retention_policy.present:
- name: {{rp}}
- database: telegraf
- duration: {{influxdb.retention_policies[rp].duration}}
- shard_duration: {{influxdb.retention_policies[rp].shard_duration}}
- replication: 1
- default: {{influxdb.retention_policies[rp].get('default', 'False')}}
- ssl: True
- verify_ssl: /etc/pki/ca.crt
- cert: ['/etc/pki/influxdb.crt', '/etc/pki/influxdb.key']
- influxdb_host: {{ GLOBALS.manager }}
- require:
- docker_container: so-influxdb
- influxdb_database: telegraf_database
- file: influxdb_retention_policy.present_patch
{% endfor %}
{% for dest_rp in influxdb.downsample.keys() %}
{% for measurement in influxdb.downsample[dest_rp].get('measurements', []) %}
so_downsample_{{measurement}}_cq:
influxdb_continuous_query.present:
- name: so_downsample_{{measurement}}_cq
- database: telegraf
- query: SELECT mean(*) INTO "{{dest_rp}}"."{{measurement}}" FROM "{{measurement}}" GROUP BY time({{influxdb.downsample[dest_rp].resolution}}),*
- ssl: True
- verify_ssl: /etc/pki/ca.crt
- cert: ['/etc/pki/influxdb.crt', '/etc/pki/influxdb.key']
- influxdb_host: {{ GLOBALS.manager }}
- require:
- docker_container: so-influxdb
- influxdb_database: telegraf_database
- file: influxdb_continuous_query.present_patch
{% endfor %}
{% endfor %}
{% endif %}
{% endif %}
{% else %}

11
salt/influxdb/map.jinja
View File

@@ -1,9 +1,2 @@
{% import_yaml 'influxdb/defaults.yaml' as INFLUXDB %}
{% set measurements = salt['cmd.shell']('docker exec -t so-influxdb influx -format json -ssl -unsafeSsl -database telegraf -execute "show measurements" 2> /root/measurement_query.log | jq -r .results[0].series[0].values[]?[0] 2>> /root/measurement_query.log', shell='/bin/bash') %}
{% if measurements|length > 0 %}
{% do INFLUXDB.influxdb.downsample.so_long_term.update('measurements': [])%}
{% for measurement in measurements.splitlines() %}
{% do INFLUXDB.influxdb.downsample.so_long_term.measurements.append(measurement)%}
{% endfor %}
{% endif %}
{%- import_yaml 'influxdb/defaults.yaml' as INFLUXDEFAULTS %}
{%- set INFLUXMERGED = salt['pillar.get']('influxdb', default=INFLUXDEFAULTS.influxdb, merge=true) %}

683
salt/influxdb/soc_influxdb.yaml
View File

@@ -1,362 +1,355 @@
influxdb:
config:
meta:
logging-enabled:
description: Enable InfluxDB meta server logging.
global: True
helpLink: influxdb.html
data:
wal-fsync-delay:
description: The amount of time that a write will wait before fsyncing.
global: True
helpLink: influxdb.html
index-version:
description: The type of shard index to use for new shards.
global: True
helpLink: influxdb.html
trace-logging-enabled:
description: Trace logging provides more verbose output around the tsm engine.
global: True
advanced: True
helpLink: influxdb.html
query-log-enabled:
description: Whether queries should be logged before execution.
global: True
helpLink: influxdb.html
validate-keys:
description: Validates incoming writes to ensure keys only have valid unicode characters.
global: True
advanced: True
helpLink: influxdb.html
cache-max-memory-size:
description: The maximum size a shard's cache can reach before it starts rejecting writes.
global: True
helpLink: influxdb.html
cache-snapshot-memory-size:
description: The size at which the engine will snapshot the cache and write it to a TSM file, freeing up memory.
global: True
advanced: True
helpLink: influxdb.html
cache-snapshot-write-cold-duration:
description: The length of time at which the engine will snapshot the cache and write it to a new TSM file if the shard hasn't received writes or deletes.
global: True
advanced: True
helpLink: influxdb.html
compact-full-write-cold-duration:
description: The duration at which the engine will compact all TSM files in a shard if it hasn't received a write or delete.
global: True
advanced: True
helpLink: influxdb.html
max-concurrent-compactions:
description: The maximum number of concurrent full and level compactions that can run at one time.
global: True
helpLink: influxdb.html
compact-throughput:
description: The rate limit in bytes per second that we will allow TSM compactions to write to disk.
global: True
advanced: True
helpLink: influxdb.html
compact-throughput-burst:
description: The rate limit in bytes per second that we will allow TSM compactions to write to disk.
global: True
advanced: True
helpLink: influxdb.html
max-index-log-file-size:
description: The threshold, in bytes, when an index write-ahead log file will compact into an index file.
global: True
advanced: True
helpLink: influxdb.html
max-series-per-database:
description: The maximum series allowed per database before writes are dropped.
global: True
advanced: True
helpLink: influxdb.html
max-values-per-tag:
description: The maximum number of tag values per tag that are allowed before writes are dropped.
global: True
advanced: True
helpLink: influxdb.html
tsm-use-madv-willneed:
description: If true, then the mmap advise value MADV_WILLNEED will be provided to the kernel with respect to TSM files.
global: True
advanced: True
helpLink: influxdb.html
coordinator:
write-timeout:
description: The default time a write request will wait until a "timeout" error is returned to the caller.
global: True
helpLink: influxdb.html
max-concurrent-queries:
description: The maximum number of concurrent queries allowed to be executing at one time.
global: True
helpLink: influxdb.html
query-timeout:
description: The maximum time a query will is allowed to execute before being killed by the system.
global: True
helpLink: influxdb.html
log-queries-after:
description: The time threshold when a query will be logged as a slow query.
global: True
helpLink: influxdb.html
max-select-point:
description: The maximum number of points a SELECT can process.
global: True
advanced: True
helpLink: influxdb.html
max-select-series:
description: The maximum number of series a SELECT can run.
global: True
advanced: True
helpLink: influxdb.html
max-select-buckets:
description: The maxium number of group by time bucket a SELECT can create.
global: True
advanced: True
helpLink: influxdb.html
retention:
enabled:
description: Determines whether retention policy enforcement enabled.
global: True
advanced: True
helpLink: influxdb.html
check-interval:
description: The interval of time when retention policy enforcement checks run.
global: True
helpLink: influxdb.html
shard-precreation:
enabled:
description: Determines whether shard pre-creation service is enabled.
global: True
advanced: True
helpLink: influxdb.html
check-interval:
description: The interval of time when the check to pre-create new shards runs.
global: True
helpLink: influxdb.html
advance-period:
description: The default period ahead of the endtime of a shard group that its successor group is created.
global: True
advanced: True
helpLink: influxdb.html
monitor:
store-enabled:
description: Whether to record statistics internally.
global: True
helpLink: influxdb.html
store-database:
description: The destination database for recorded statistics.
global: True
advanced: True
helpLink: influxdb.html
store-interval:
description: The interval at which to record statistics.
global: True
helpLink: influxdb.html
http:
enabled:
description: Determines whether HTTP endpoint is enabled.
global: True
advanced: True
helpLink: influxdb.html
flux-enabled:
description: Determines whether the Flux query endpoint is enabled.
global: True
advanced: True
helpLink: influxdb.html
bind-address:
description: The bind address used by the HTTP service.
global: True
advanced: True
helpLink: influxdb.html
auth-enabled:
description: Determines whether user authentication is enabled over HTTP/HTTPS.
global: True
advanced: True
helpLink: influxdb.html
realm:
description: The default realm sent back when issuing a basic auth challenge.
global: True
advanced: True
helpLink: influxdb.html
log-enabled:
description: Determines whether HTTP request logging is enabled.
global: True
helpLink: influxdb.html
suppress-write-log:
description: Determines whether the HTTP write request logs should be suppressed when the log is enabled.
global: True
helpLink: influxdb.html
access-log-path:
description: Path for http access logs.
global: True
advanced: True
helpLink: influxdb.html
access-log-status-filters:
description: Filters which requests should be logged.
global: True
advanced: True
helpLink: influxdb.html
write-tracing:
description: Determines whether detailed write logging is enabled.
global: True
advanced: True
helpLink: influxdb.html
pprof-enabled:
description: Determines whether the pprof endpoint is enabled.
global: True
advanced: True
helpLink: influxdb.html
debug-pprof-enabled:
description: Determines whether the pprof endpoint is enabled in debug mode.
global: True
advanced: True
helpLink: influxdb.html
https-enabled:
description: Determines whether HTTPS is enabled.
global: True
helpLink: influxdb.html
https-certificate:
description: The SSL certificate to use when HTTPS is enabled.
global: True
advanced: True
helpLink: influxdb.html
https-private-key:
description: Use a separate private key location.
global: True
advanced: True
helpLink: influxdb.html
shared-secret:
description: The JWT auth shared secret to validate requests using JSON web tokens.
global: True
advanced: True
helpLink: influxdb.html
max-row-limit:
description: The default chunk size for result sets that should be chunked.
global: True
helpLink: influxdb.html
max-connection-limit:
description: The maximum number of HTTP connections that may be open at once.
global: True
helpLink: influxdb.html
unix-socket-enabled:
description: Enable http service over unix domain socket.
global: True
advanced: True
helpLink: influxdb.html
bind-socket:
description: The path of the unix domain socket.
global: True
advanced: True
helpLink: influxdb.html
max-body-size:
description: The maximum size of a client request body, in bytes.
global: True
helpLink: influxdb.html
max-concurrent-write-limit:
description: The maximum number of writes processed concurrently.
global: True
helpLink: influxdb.html
max-enqueued-write-limit:
description: The maximum number of writes queued for processing.
global: True
helpLink: influxdb.html
enqueued-write-timeout:
description: The maximum duration for a write to wait in the queue to be processed.
global: True
helpLink: influxdb.html
logging:
format:
description: Determines which log encoder to use for logs.
global: True
helpLink: influxdb.html
level:
description: Determines which level of logs will be emitted.
global: True
helpLink: influxdb.html
suppress-logo:
description: Suppresses the logo output that is printed when the program is started.
global: True
helpLink: influxdb.html
subscriber:
enabled:
description: Determines whether the subscriber service is enabled.
global: True
advanced: True
helpLink: influxdb.html
http-timeout:
description: The default timeout for HTTP writes to subscribers.
global: True
helpLink: influxdb.html
insecure-skip-verify:
description: Allows insecure HTTPS connections to subscribers.
global: True
advanced: True
helpLink: influxdb.html
ca-certs:
description: The path to the PEM encoded CA certs file.
global: True
advanced: True
helpLink: influxdb.html
write-concurrency:
description: he number of writer goroutines processing the write channel.
global: True
helpLink: influxdb.html
write-buffer-size:
description: The number of in-flight writes buffered in the write channel.
global: True
helpLink: influxdb.html
continuous_queries:
enabled:
description: Determines whether the continuous query service is enabled.
global: True
helpLink: influxdb.html
log-enabled:
description: Controls whether queries are logged when executed by the CQ service.
global: True
helpLink: influxdb.html
query-stats-enabled:
description: Controls whether queries are logged to the self-monitoring data store.
global: True
helpLink: influxdb.html
run-interval:
description: Interval for how often continuous queries will be checked if they need to run.
global: True
helpLink: influxdb.html
tls:
ciphers:
description: Determines the available set of cipher suites.
global: True
helpLink: influxdb.html
min-version:
description: Minimum version of the tls protocol that will be negotiated.
global: True
helpLink: influxdb.html
max-version:
description: Maximum version of the tls protocol that will be negotiated.
global: True
helpLink: influxdb.html
retention_policies:
assets-path:
description: Path to the InfluxDB user interface assets located inside the so-influxdb container.
global: True
advanced: True
helpLink: influxdb.html
bolt-path:
description: Path to the bolt DB file located inside the so-influxdb container.
global: True
advanced: True
helpLink: influxdb.html
engine-path:
description: Path to the engine directory located inside the so-influxdb container. This directory stores the time series data.
global: True
advanced: True
helpLink: influxdb.html
feature-flags:
description: List of key=value flags to enable.
global: True
advanced: True
helpLink: influxdb.html
flux-log-enabled:
description: Controls whether detailed flux query logging is enabled.
global: True
advanced: True
helpLink: influxdb.html
hardening-enabled:
description: If true, enforces outbound connections from the InfluxDB process must never attempt to reach an internal, private network address.
global: True
advanced: True
helpLink: influxdb.html
http-bind-address:
description: The URL and port on which InfluxDB will listen for new connections.
global: True
advanced: True
helpLink: influxdb.html
http-idle-timeout:
description: Keep-alive timeout while a connection waits for new requests. A value of 0 is the same as no timeout enforced.
global: True
advanced: True
helpLink: influxdb.html
http-read-header-timeout:
description: The duration to wait for a request header before closing the connection. A value of 0 is the same as no timeout enforced.
global: True
advanced: True
helpLink: influxdb.html
http-read-timeout:
description: The duration to wait for the request to be fully read before closing the connection. A value of 0 is the same as no timeout enforced.
global: True
advanced: True
helpLink: influxdb.html
http-write-timeout:
description: The duration to wait for the response to be fully written before closing the connection. A value of 0 is the same as no timeout enforced.
global: True
advanced: True
helpLink: influxdb.html
influxql-max-select-buckets:
description: Maximum number of group-by clauses in a SELECT statement. A value of 0 is the same as unlimited.
global: True
advanced: True
helpLink: influxdb.html
influxql-max-select-point:
description: Maximum number of points that can be queried in a SELECT statement. A value of 0 is the same as unlimited.
global: True
advanced: True
helpLink: influxdb.html
influxql-max-select-series:
description: Maximum number of series that can be returned in a SELECT statement. A value of 0 is the same as unlimited.
global: True
advanced: True
helpLink: influxdb.html
instance-id:
description: Unique instance ID for this server, to avoid collisions in a replicated cluster.
global: True
advanced: True
helpLink: influxdb.html
log-level:
description: The log level to use for outputting log statements. Allowed values are debug, info, or error.
global: True
advanced: false
regex: ^(info|debug|error)$
helpLink: influxdb.html
metrics-disabled:
description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible.
global: True
advanced: True
helpLink: influxdb.html
no-tasks:
description: If true, the task system will not process any queued tasks. Useful for troubleshooting startup problems.
global: True
advanced: True
helpLink: influxdb.html
pprof-disabled:
description: If true, the profiling data HTTP endpoint will be inaccessible.
global: True
advanced: True
helpLink: influxdb.html
query-concurrency:
description: Maximum number of queries to execute concurrently. A value of 0 is the same as unlimited.
global: True
advanced: True
helpLink: influxdb.html
query-initial-memory-bytes:
description: The initial number of bytes of memory to allocate for a new query.
global: True
advanced: True
helpLink: influxdb.html
query-max-memory-bytes:
description: The number of bytes of memory to allocate to all running queries. Should typically be the query bytes times the max concurrent queries.
global: True
advanced: True
helpLink: influxdb.html
query-memory-bytes:
description: Maximum number of bytes of memory to allocate to a query.
global: True
advanced: True
helpLink: influxdb.html
query-queue-size:
description: Maximum number of queries that can be queued at one time. If this value is reached, new queries will not be queued. A value of 0 is the same as unlimited.
global: True
advanced: True
helpLink: influxdb.html
reporting-disabled:
description: If true, prevents InfluxDB from sending telemetry updates to InfluxData's servers.
global: True
advanced: True
helpLink: influxdb.html
secret-store:
description: Determines the type of storage used for secrets. Allowed values are bolt or vault.
global: True
advanced: True
regex: ^(bolt|vault)$
helpLink: influxdb.html
session-length:
description: Number of minutes that a user login session can remain authenticated.
global: True
advanced: True
helpLink: influxdb.html
session-renew-disabled:
description: If true, user login sessions will renew after each request.
global: True
advanced: True
helpLink: influxdb.html
sqlite-path:
description: Path to the Sqlite3 database inside the container. This database stored user data and other information about the database.
global: True
advanced: True
helpLink: influxdb.html
storage-cache-max-memory-size:
description: Maximum number of bytes to allocate to cache data per shard. If exceeded, new data writes will be rejected.
global: True
advanced: True
helpLink: influxdb.html
storage-cache-snapshot-memory-size:
description: Number of bytes to allocate to cache snapshot data. When the cache reaches this size, it will be written to disk to increase available memory.
global: True
advanced: True
helpLink: influxdb.html
storage-cache-snapshot-write-cold-duration:
description: Duration between snapshot writes to disk when the shard data hasn't been modified.
global: True
advanced: True
helpLink: influxdb.html
storage-compact-full-write-cold-duration:
description: Duration between shard compactions when the shard data hasn't been modified.
global: True
advanced: True
helpLink: influxdb.html
storage-compact-throughput-burst:
description: Maximum throughput (number of bytes per second) that compactions be written to disk.
global: True
advanced: True
helpLink: influxdb.html
storage-max-concurrent-compactions:
description: Maximum number of concurrent compactions. A value of 0 is the same as half the available CPU processors (procs).
global: True
advanced: True
helpLink: influxdb.html
storage-max-index-log-file-size:
description: Maximum number of bytes of a write-ahead log (WAL) file before it will be compacted into an index on disk.
global: True
advanced: True
helpLink: influxdb.html
storage-no-validate-field-size:
description: If true, incoming requests will skip the field size validation.
global: True
advanced: True
helpLink: influxdb.html
storage-retention-check-interval:
description: Interval between reviewing each bucket's retention policy and the age of the associated data.
global: True
advanced: True
helpLink: influxdb.html
storage-series-file-max-concurrent-snapshot-compactions:
description: Maximum number of concurrent snapshot compactions across all database partitions.
global: True
advanced: True
helpLink: influxdb.html
storage-series-id-set-cache-size:
description: Maximum size of the series cache results. Higher values may increase performance for repeated data lookups.
global: True
advanced: True
helpLink: influxdb.html
storage-shard-precreator-advance-period:
description: The duration before a successor shard group is created after the end-time has been reached.
global: True
advanced: True
helpLink: influxdb.html
storage-shard-precreator-check-interval:
description: Interval between checking if new shards should be created.
global: True
advanced: True
helpLink: influxdb.html
storage-tsm-use-madv-willneed:
description: If true, InfluxDB will manage TSM memory paging.
global: True
advanced: True
helpLink: influxdb.html
storage-validate-keys:
description: If true, validates incoming requests for supported characters.
global: True
advanced: True
helpLink: influxdb.html
storage-wal-fsync-delay:
description: Duration to wait before calling fsync. Useful for handling conflicts on slower disks.
global: True
advanced: True
helpLink: influxdb.html
storage-wal-max-concurrent-writes:
description: Maximum number of concurrent write-ahead log (WAL) writes to disk. The value of 0 is the same as CPU processors (procs) x 2.
global: True
advanced: True
helpLink: influxdb.html
storage-wal-max-write-delay:
description: Maximum duration to wait before writing the write-ahead log (WAL) to disk, when the concurrency limit has been exceeded. A value of 0 is the same as no timeout.
global: True
advanced: True
helpLink: influxdb.html
storage-write-timeout:
description: Maximum time to wait for a write-ahead log (WAL) to write to disk before aborting.
global: True
advanced: True
helpLink: influxdb.html
store:
description: The type of data store to use for HTTP resources. Allowed values are disk or memory. Memory should not be used for production Security Onion installations.
global: True
advanced: True
regex: ^(disk|memory)$
helpLink: influxdb.html
tls-cert:
description: The container path to the certificate to use for TLS encryption of the HTTP requests and responses.
global: True
advanced: True
helpLink: influxdb.html
tls-key:
description: The container path to the certificate key to use for TLS encryption of the HTTP requests and responses.
global: True
advanced: True
helpLink: influxdb.html
tls-min-version:
description: The minimum supported version of TLS to be enforced on all incoming HTTP requests.
global: True
advanced: True
helpLink: influxdb.html
tls-strict-ciphers:
description: If true, the allowed ciphers used with TLS connections are ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_256_GCM_SHA384, or RSA_WITH_AES_256_CBC_SHA.
global: True
advanced: True
helpLink: influxdb.html
tracing-type:
description: The tracing format for debugging purposes. Allowed values are log or jaeger, or leave blank to disable tracing.
global: True
advanced: True
helpLink: influxdb.html
ui-disabled:
description: If true, the InfluxDB HTTP user interface will be disabled. This will prevent use of the included InfluxDB dashboard visualizations.
global: True
advanced: True
helpLink: influxdb.html
vault-addr:
description: Vault server address.
global: True
advanced: True
helpLink: influxdb.html
vault-cacert:
description: Path to the Vault's single certificate authority certificate file within the container.
global: True
advanced: True
helpLink: influxdb.html
vault-capath:
description: Path to the Vault's certificate authority directory within the container.
global: True
advanced: True
helpLink: influxdb.html
vault-client-cert:
description: Vault client certificate path within the container.
global: True
advanced: True
helpLink: influxdb.html
vault-client-key:
description: Vault client certificate key path within the container.
global: True
advanced: True
helpLink: influxdb.html
vault-client-timeout:
description: Duration to wait for a response from the Vault server before aborting.
global: True
advanced: True
helpLink: influxdb.html
vault-max-retries:
description: Maximum number of retries when attempting to contact the Vault server. A value of 0 is the same as disabling retries.
global: True
advanced: True
helpLink: influxdb.html
vault-skip-verify:
description: Skip certification validation of the Vault server.
global: True
advanced: True
helpLink: influxdb.html
vault-tls-server-name:
description: SNI host to specify when using TLS to connect to the Vault server.
global: True
advanced: True
helpLink: influxdb.html
vault-token:
description: Vault token used for authentication.
global: True
advanced: True
helpLink: influxdb.html
buckets:
so_short_term:
duration:
description: Amount of time to keep short term data.
description: Amount of time (in seconds) to keep short term data.
global: True
helpLink: grafana.html#data
helpLink: influxdb.html
shard_duration:
description: Time range
description: Amount of the time (in seconds) range covered by the shard group.
global: True
helpLink: grafana.html#data
helpLink: influxdb.html
so_long_term:
duration:
description: Amount of time to keep long term downsampled data.
description: Amount of time (in seconds) to keep long term downsampled data.
global: True
helpLink: grafana.html#data
helpLink: influxdb.html
shard_duration:
description: Amount of the time range covered by the shard group.
description: Amount of the time (in seconds) range covered by the shard group.
global: True
helpLink: grafana.html#data
helpLink: influxdb.html
downsample:
so_long_term:
resolution:
description: Amount of time to turn into a single data point.
global: True
helpLink: grafana.html#data
helpLink: influxdb.html

18
salt/influxdb/templates/alarm_deadman.json Normal file
View File

@@ -0,0 +1,18 @@
[{
"apiVersion": "influxdata.com/v2alpha1",
"kind": "CheckDeadman",
"metadata": {
"name": "alarm-deadman"
},
"spec": {
"description": "Data has not been received from Telegraf for an extended period.",
"every": "1m0s",
"level": "CRIT",
"name": "Telegraf Data Outage",
"query": "from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")",
"staleTime": "15m0s",
"status": "active",
"statusMessageTemplate": "Check: ${ r._check_name } is: ${ r._level }",
"timeSince": "2m0s"
}
}]

21
salt/influxdb/templates/alarm_logstash_eps.json Normal file
View File

@@ -0,0 +1,21 @@
[{
"apiVersion": "influxdata.com/v2alpha1",
"kind": "CheckThreshold",
"metadata": {
"name": "alarm-logstash-eps"
},
"spec": {
"every": "1m0s",
"name": "Logstash EPS at 0",
"query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"logstash_events\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"in\")\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")",
"status": "active",
"statusMessageTemplate": "Check: ${ r._check_name } is: ${ r._level }",
"thresholds": [
{
"level": "CRIT",
"type": "lesser",
"value": 1
}
]
}
}]

32
salt/influxdb/templates/alarm_nsm_disk.json Normal file
View File

@@ -0,0 +1,32 @@
[{
"apiVersion": "influxdata.com/v2alpha1",
"kind": "CheckThreshold",
"metadata": {
"name": "alarm-nsm-disk"
},
"spec": {
"description": "Percent used space on the root partition of at least one node has exceeded the alarm threshold.",
"every": "1m0s",
"name": "NSM Disk High Usage",
"query": "from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> aggregateWindow(every: 1m, fn: max, createEmpty: false)\n |> yield(name: \"max\")",
"status": "active",
"statusMessageTemplate": "Check: ${ r._check_name } is: ${ r._level }",
"thresholds": [
{
"level": "CRIT",
"type": "greater",
"value": 95
},
{
"level": "INFO",
"type": "greater",
"value": 85
},
{
"level": "WARN",
"type": "greater",
"value": 90
}
]
}
}]

32
salt/influxdb/templates/alarm_root_disk.json Normal file
View File

@@ -0,0 +1,32 @@
[{
"apiVersion": "influxdata.com/v2alpha1",
"kind": "CheckThreshold",
"metadata": {
"name": "alarm-root-disk"
},
"spec": {
"description": "Percent used space on the root partition of at least one node has exceeded the alarm threshold.",
"every": "1m0s",
"name": "Root Disk High Usage",
"query": "from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> aggregateWindow(every: 1m, fn: max, createEmpty: false)\n |> yield(name: \"max\")",
"status": "active",
"statusMessageTemplate": "Check: ${ r._check_name } is: ${ r._level }",
"thresholds": [
{
"level": "CRIT",
"type": "greater",
"value": 95
},
{
"level": "INFO",
"type": "greater",
"value": 85
},
{
"level": "WARN",
"type": "greater",
"value": 90
}
]
}
}]

1
salt/influxdb/templates/dashboard-security_onion_performance.json Normal file
View File

File diff suppressed because one or more lines are too long

1
salt/influxdb/templates/downsample.json Normal file
View File

@@ -0,0 +1 @@
[{"apiVersion":"influxdata.com/v2alpha1","kind":"Task","metadata":{"name":"task-downsample"},"spec":{"every":"{{ INFLUXMERGED.downsample.so_long_term.resolution }}","name":"Downsample","query":"import \"types\"\n\n\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: -task.every)\n |> filter(fn: (r) => types.isNumeric(v: r._value))\n |> aggregateWindow(every: task.every, fn: mean)\n |> to(bucket: \"telegraf/so_long_term\")"}}]

1
salt/influxdb/templates/variable-container.json Normal file
View File

@@ -0,0 +1 @@
[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-container"},"spec":{"language":"flux","name":"Container","query":"import \"array\"\n\ndynamic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"host\"] == v.Host)\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> keep(columns: [\"container_name\"])\n |> rename(fn: (column) => \"_value\")\n |> unique()\n\nstatic = array.from(\n rows: [\n {\n _value: \"(All)\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["cool_gauss"],"type":"query"}}]

1
salt/influxdb/templates/variable-host.json Normal file
View File

@@ -0,0 +1 @@
[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-host"},"spec":{"language":"flux","name":"Host","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf/so_short_term\", tag: \"host\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"(All)\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["dev"],"type":"query"}}]

1
salt/influxdb/templates/variable-role.json Normal file
View File

@@ -0,0 +1 @@
[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-role"},"spec":{"language":"flux","name":"Role","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf/so_short_term\", tag: \"role\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"(All)\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["standalone"],"type":"query"}}]

2
salt/kibana/bin/so-kibana-config-load
View File

@@ -63,7 +63,7 @@ update() {
IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))'
for i in "${LINES[@]}"; do
RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.6.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.6.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
done

2
salt/kibana/files/config_saved_objects.ndjson
View File

@@ -1 +1 @@
{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.6.1","id": "8.6.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.6.2","id": "8.6.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}

1648
salt/kibana/files/saved_objects.ndjson
View File

File diff suppressed because one or more lines are too long

2
salt/logstash/map.jinja
View File

@@ -1,7 +1,7 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% set REDIS_NODES = [] %}
{% set LOGSTASH_NODES = [] %}
{% set node_data = salt['pillar.get']('logstash:nodes') %}
{% set node_data = salt['pillar.get']('logstash:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %}
{% for node_type, node_details in node_data.items() | sort %}
{% if GLOBALS.role in ['so-searchnode', 'so-standalone', 'so-managersearch'] %}

13
salt/nginx/etc/nginx.conf
View File

@@ -1,5 +1,9 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- set role = grains.id.split('_') | last %}
{%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}
{%- set influxauth = ('so:' + influxpass) | base64_encode %}
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
@@ -179,17 +183,18 @@ http {
autoindex_localtime on;
}
location /grafana/ {
location /influxdb/ {
auth_request /auth/sessions/whoami;
rewrite /grafana/(.*) /$1 break;
proxy_pass http://{{ GLOBALS.manager_ip }}:3000/;
proxy_read_timeout 90;
rewrite /influxdb/api/(.*) /api/$1 break;
proxy_pass https://{{ GLOBALS.manager_ip }}:8086/;
proxy_read_timeout 300;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cookie_path /api/ /influxdb/api/;
}
location /kibana/ {

1
salt/nginx/init.sls
View File

@@ -28,6 +28,7 @@ nginxconf:
- group: 939
- template: jinja
- source: salt://nginx/etc/nginx.conf
- show_changes: False
nginxlogdir:
file.directory:

4
salt/salt/files/influxdb_continuous_query.py.patch
View File

@@ -1,4 +0,0 @@
56c56
< database, name, query, resample_time, coverage_period
---
> database, name, query, resample_time, coverage_period, **client_args

16
salt/salt/files/influxdb_retention_policy.py.patch
View File

@@ -1,16 +0,0 @@
34c34
< hours = int(duration.split("h"))
---
> hours = int(duration.split("h")[0])
48c48
< def present(name, database, duration="7d", replication=1, default=False, **client_args):
---
> def present(name, database, duration="7d", replication=1, default=False, shard_duration="1d", **client_args):
73c73
< database, name, duration, replication, default, **client_args
---
> database, name, duration, replication, shard_duration, default, **client_args
113c113
< database, name, duration, replication, default, **client_args
---
> database, name, duration, replication, shard_duration, default, **client_args

16
salt/salt/files/influxdbmod.py.patch
View File

@@ -1,16 +0,0 @@
421c421
< database, name, duration, replication, default=False, **client_args
---
> database, name, duration, replication, shard_duration, default=False, **client_args
456c456
< client.create_retention_policy(name, duration, replication, database, default)
---
> client.create_retention_policy(name, duration, replication, database, default, shard_duration)
462c462
< database, name, duration, replication, default=False, **client_args
---
> database, name, duration, replication, shard_duration, default=False, **client_args
498c498
< client.alter_retention_policy(name, database, duration, replication, default)
---
> client.alter_retention_policy(name, database, duration, replication, default, shard_duration)

8
salt/salt/map.jinja
View File

@@ -7,10 +7,6 @@
{% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion'] %}
{% set SALT_STATE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/states' %}
{% set SALT_MODULE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/modules' %}
{% set PYTHONINFLUXVERSION = '5.3.1' %}
{% set PYTHON3INFLUX= 'influxdb == ' ~ PYTHONINFLUXVERSION %}
{% set PYTHON3INFLUXDEPS= ['certifi', 'chardet', 'python-dateutil', 'pytz', 'requests'] %}
{% set PYTHONINSTALLER = 'pip' %}
{% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
{% else %}
{% set SPLITCHAR = '-' %}
@@ -18,10 +14,6 @@
{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion'] %}
{% set SALT_STATE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/states' %}
{% set SALT_MODULE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/modules' %}
{% set PYTHONINFLUXVERSION = '5.3.1' %}
{% set PYTHON3INFLUX= 'securityonion-python3-influxdb' %}
{% set PYTHON3INFLUXDEPS= ['python36-certifi', 'python36-chardet', 'python36-dateutil', 'python36-pytz', 'python36-requests'] %}
{% set PYTHONINSTALLER = 'pkg' %}
{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
{% endif %}

12
salt/soc/defaults.map.jinja
View File

@@ -1,6 +1,8 @@
{% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER -%}
{%- set INFLUXDB_TOKEN = salt['pillar.get']('secrets:influx_token') %}
{%- set METRICS_LINK = salt['cmd.run']('so-influxdb-manage dashboardpath "Security Onion Performance"') %}
{% for module, application_url in GLOBALS.application_urls.items() %}
{% do SOCDEFAULTS.soc.server.modules[module].update({'hostUrl': application_url}) %}
@@ -15,9 +17,13 @@
{% do SOCDEFAULTS.soc.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %}
{% if GLOBALS.role != 'so-import' %}
{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %}
{% endif %}
{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %}
{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %}
{% for tool in SOCDEFAULTS.soc.server.client.tools %}
{% if tool.name == "toolInfluxDb" %}
{% do tool.update({'link': METRICS_LINK}) %}
{% endif %}
{% endfor %}
{% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sorange, 'apiKey': pillar.sensoroni.sensoronikey}) %}

14
salt/soc/defaults.yaml
View File

@@ -1031,9 +1031,9 @@ soc:
asyncThreshold: 10
influxdb:
hostUrl:
token: ''
org: ''
bucket: telegraf
token:
org: Security Onion
bucket: telegraf/so_short_term
verifyCert: false
salt:
saltPipe: /opt/sensoroni/salt/pipe
@@ -1076,11 +1076,11 @@ soc:
icon: fa-external-link-alt
target: so-osquery-manager
link: /kibana/app/osquery/live_queries
- name: toolGrafana
description: toolGrafanaHelp
- name: toolInfluxDb
description: toolInfluxDbHelp
icon: fa-external-link-alt
target: so-grafana
link: /grafana/d/so_overview
target: so-influxdb
link: /influxdb
- name: toolCyberchef
description: toolCyberchefHelp
icon: fa-external-link-alt

5
salt/soc/merged.map.jinja
View File

@@ -27,11 +27,6 @@
{% do SOCMERGED.server.client.inactiveTools.append('toolFleet') %}
{% if pillar.manager.grafana == 0 %}
{% do SOCMERGED.server.client.inactiveTools.append('toolGrafana') %}
{% endif %}
{% set standard_actions = SOCMERGED.pop('actions') %}
{% if pillar.global.endgamehost is defined %}
{% set endgame_dict = {

6
salt/telegraf/etc/telegraf.conf
View File

@@ -2,6 +2,7 @@
{%- set INFLUXDBHOST = GLOBALS.influxdb_host %}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
{%- set TOKEN = salt['pillar.get']('secrets:influx_token', '') %}
{%- set NODEIP = GLOBALS.node_ip %}
{%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
{%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %}
@@ -71,8 +72,11 @@
###############################################################################
# Configuration for sending metrics to InfluxDB
[[outputs.influxdb]]
[[outputs.influxdb_v2]]
urls = ["https://{{ INFLUXDBHOST }}:8086"]
token = "{{ TOKEN }}"
organization = "Security Onion"
bucket = "telegraf/so_short_term"
## Optional TLS Config for use on HTTP connections.
tls_ca = "/etc/telegraf/ca.crt"

2
salt/telegraf/init.sls
View File

@@ -53,7 +53,7 @@ tgrafconf:
TGMERGED: {{ TGMERGED }}
# this file will be read by telegraf to send node details (management interface, monitor interface, etc)
# into influx so that Grafana can build dashboards using queries
# into influx
node_config:
file.managed:
- name: /opt/so/conf/telegraf/node_config.json

4
salt/top.sls
View File

@@ -293,9 +293,9 @@ base:
- sensoroni
- manager
- nginx
- soc
- influxdb
- telegraf
- influxdb
- soc
- kratos
- firewall
- idstools

1
salt/vars/idh.map.jinja Normal file
View File

@@ -0,0 +1 @@
{% set ROLE_GLOBALS = {} %}

1
setup/automation/distributed-airgap-manager
View File

@@ -21,7 +21,6 @@ BASICSURI=2
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-airgap-search
View File

@@ -21,7 +21,6 @@ ADMINPASS2=onionuser
# ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-airgap-sensor
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-cloud-manager
View File

@@ -21,7 +21,6 @@ BASICSURI=2
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-cloud-search
View File

@@ -21,7 +21,6 @@ ADMINPASS2=onionuser
#ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
#GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-cloud-sensor
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
#GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-iso-manager
View File

@@ -21,7 +21,6 @@ BASICSURI=7
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-iso-search
View File

@@ -21,7 +21,6 @@ ADMINPASS2=onionuser
# ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-iso-sensor
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-net-centos-manager
View File

@@ -21,7 +21,6 @@ BASICSURI=7
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-net-centos-search
View File

@@ -21,7 +21,6 @@ ADMINPASS2=onionuser
# ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-net-centos-sensor
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-net-ubuntu-manager
View File

@@ -21,7 +21,6 @@ BASICSURI=7
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-net-ubuntu-search
View File

@@ -21,7 +21,6 @@ ADMINPASS2=onionuser
# ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-net-ubuntu-sensor
View File

@@ -21,7 +21,6 @@ BNICS=ens19
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-net-ubuntu-suricata-manager
View File

@@ -21,7 +21,6 @@ BASICSURI=7
ZEEKVERSION=SURICATA
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-net-ubuntu-suricata-search
View File

@@ -21,7 +21,6 @@ ADMINPASS2=onionuser
# ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/distributed-net-ubuntu-suricata-sensor
View File

@@ -21,7 +21,6 @@ BNICS=ens19
ZEEKVERSION=SURICATA
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/eval-airgap
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/eval-cloud
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/eval-iso
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/eval-net-centos
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/eval-net-ubuntu
View File

@@ -21,7 +21,6 @@ BNICS=ens19
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/import-airgap
View File

@@ -21,7 +21,6 @@ BASICSURI=2
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/import-cloud
View File

@@ -21,7 +21,6 @@ BASICSURI=2
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/import-iso
View File

@@ -21,7 +21,6 @@ BASICSURI=2
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/import-net-centos
View File

@@ -21,7 +21,6 @@ BASICSURI=2
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/import-net-ubuntu
View File

@@ -21,7 +21,6 @@ BASICSURI=2
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/standalone-airgap
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/standalone-cloud
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/standalone-iso
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/standalone-iso-logscan
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/standalone-iso-suricata
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=SURICATA
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/standalone-net-centos
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

1
setup/automation/standalone-net-centos-proxy
View File

@@ -21,7 +21,6 @@ BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit

Some files were not shown because too many files have changed in this diff Show More