From 71e001411519ce233401129205094cb84c172073 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 19 Jan 2021 17:51:23 -0500 Subject: [PATCH 01/11] Wrap parenthesis around correlation filter to allow additional filtering --- salt/soc/files/soc/alerts.actions.json | 8 ++++---- salt/soc/files/soc/hunt.actions.json | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/salt/soc/files/soc/alerts.actions.json b/salt/soc/files/soc/alerts.actions.json index 46c4ea68d..364c59d27 100644 --- a/salt/soc/files/soc/alerts.actions.json +++ b/salt/soc/files/soc/alerts.actions.json @@ -5,10 +5,10 @@ ]}, { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "", "links": [ - "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset", "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset", "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset" diff --git a/salt/soc/files/soc/hunt.actions.json b/salt/soc/files/soc/hunt.actions.json index 46c4ea68d..364c59d27 100644 --- a/salt/soc/files/soc/hunt.actions.json 
+++ b/salt/soc/files/soc/hunt.actions.json @@ -5,10 +5,10 @@ ]}, { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "", "links": [ - "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset", "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset", "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset" From caaa8cc7641d78c4e81657c8b8795d363ccf5790 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 20 Jan 2021 09:46:49 -0500 Subject: [PATCH 02/11] add schedule state to fleet node so it gets highstate schedule --- salt/top.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/top.sls b/salt/top.sls index 18dd1b61a..f7f73d4a6 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -494,6 +494,7 @@ base: - fleet - fleet.install_package - filebeat + - schedule - docker_clean '*_import and G@saltversion:{{saltversion}}': From b1c5b83fd5ac076aaa52d39267499fa2ae2068d4 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Wed, 20 Jan 2021 09:53:42 -0500 Subject: [PATCH 03/11] removing old search node logic and managersensor from salt top --- salt/top.sls | 58 +--------------------------------------------------- 1 file changed, 1 insertion(+), 57 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index f7f73d4a6..bab7b475f 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -292,48 +292,7 @@ base: {%- endif %} - docker_clean - # Search node logic - - '*_node and I@node:node_type:parser and G@saltversion:{{saltversion}}': - - match: compound - - firewall - {%- if LOGSTASH %} - - logstash - {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - - schedule - - docker_clean - - '*_node and I@node:node_type:hot and G@saltversion:{{saltversion}}': - - match: compound - - firewall - {%- if LOGSTASH %} - - logstash - {%- endif %} - {%- if CURATOR %} - - curator - {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - - schedule - - docker_clean - - '*_node and I@node:node_type:warm and G@saltversion:{{saltversion}}': - - match: compound - - firewall - {%- if ELASTICSEARCH %} - - elasticsearch - {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - - schedule - - docker_clean - - '*_searchnode and G@saltversion:{{saltversion}}': + '*_searchnode and G@saltversion:{{saltversion}}': - match: compound - ca - ssl @@ -361,21 +320,6 @@ base: - schedule - docker_clean - '*_managersensor and G@saltversion:{{saltversion}}': - - match: compound - - nginx - - telegraf - - influxdb - - grafana - - firewall - - sensor - - manager - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - - schedule - - docker_clean - '*_managersearch and G@saltversion:{{saltversion}}': - match: compound - salt.master From 58f922aac36bfae10d258a416d149138cc1fdd1f Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Wed, 20 Jan 2021 11:17:10 -0500 Subject: [PATCH 04/11] Skip image pull if so-tcpreplay image already exists and is current --- salt/common/tools/sbin/so-tcpreplay | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-tcpreplay b/salt/common/tools/sbin/so-tcpreplay index 22722ac9b..b5dbb4155 100755 --- a/salt/common/tools/sbin/so-tcpreplay +++ b/salt/common/tools/sbin/so-tcpreplay @@ -48,9 +48,15 @@ if ! docker ps | grep -q so-tcpreplay; then echo if is_manager_node; then - TRUSTED_CONTAINERS=("so-tcpreplay") - mkdir -p /opt/so/log/tcpreplay - update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log" + set_version + if ! docker images | grep so-tcpreplay | grep ":5000" | grep -q $VERSION ; then + echo "Pulling so-tcpreplay image" + TRUSTED_CONTAINERS=("so-tcpreplay") + mkdir -p /opt/so/log/tcpreplay + update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log" + else + echo "so-tcpreplay image exists." + fi fi if is_sensor_node; then if ! is_manager_node; then From b693373d8d2f5eb5d59212d579b4851d998c22bc Mon Sep 17 00:00:00 2001 
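Review bot: The new image check `grep -q $VERSION` leaves `$VERSION` unquoted and has no guard for it being empty: if `set_version` (defined outside this hunk) does not populate it, `grep -q ""` matches every line and the pull is silently skipped with "so-tcpreplay image exists.", leaving the node without a current image. A bare substring match is also loose, since any tag that merely contains the version string satisfies it. I would add `[ -n "$VERSION" ] || { echo "VERSION is not set"; exit 1; }` before the check and anchor the match on the repository:tag form, e.g. `if ! docker images --format '{{.Repository}}:{{.Tag}}' | grep -q ":5000/.*so-tcpreplay:${VERSION}$"; then`. The enclosing `if ! docker ps | grep -q so-tcpreplay` block starts and continues outside the hunk.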
From: m0duspwnens Date: Wed, 20 Jan 2021 15:09:53 -0500 Subject: [PATCH 05/11] change how we allow or disallow states to be run https://github.com/Security-Onion-Solutions/securityonion/issues/2679 --- salt/airgap/init.sls | 13 +- salt/allowed_states.map.jinja | 297 ++++++++++++++++++++++++++++++++++ salt/ca/init.sls | 10 +- salt/common/init.sls | 10 +- salt/curator/init.sls | 10 +- salt/docker/init.sls | 10 +- salt/docker_clean/init.sls | 11 ++ salt/domainstats/init.sls | 10 +- salt/elastalert/init.sls | 10 +- salt/elasticsearch/init.sls | 10 +- salt/filebeat/init.sls | 10 +- salt/firewall/init.sls | 10 +- salt/fleet/init.sls | 1 + salt/freqserver/init.sls | 10 +- salt/grafana/init.sls | 10 +- salt/healthcheck/init.sls | 10 +- salt/idstools/init.sls | 10 +- salt/influxdb/init.sls | 10 +- salt/kibana/init.sls | 10 +- salt/logstash/init.sls | 10 +- salt/manager/init.sls | 10 +- salt/minio/init.sls | 10 +- salt/motd/init.sls | 10 +- salt/mysql/init.sls | 10 +- salt/nginx/init.sls | 10 +- salt/nodered/init.sls | 10 +- salt/pcap/init.sls | 10 +- salt/playbook/init.sls | 10 +- salt/redis/init.sls | 10 +- salt/registry/init.sls | 10 +- salt/salt/master.sls | 12 +- salt/soc/init.sls | 10 +- salt/soctopus/init.sls | 10 +- salt/ssl/init.sls | 10 +- salt/strelka/init.sls | 10 +- salt/suricata/init.sls | 10 +- salt/suricata/manager.sls | 13 +- salt/tcpreplay/init.sls | 8 +- salt/telegraf/init.sls | 10 +- salt/thehive/init.sls | 10 +- salt/utility/init.sls | 10 +- salt/wazuh/init.sls | 10 +- salt/yum/init.sls | 10 +- salt/zeek/init.sls | 10 +- 44 files changed, 491 insertions(+), 234 deletions(-) create mode 100644 salt/allowed_states.map.jinja diff --git a/salt/airgap/init.sls b/salt/airgap/init.sls index b7ad3da1b..818bb3a3b 100644 --- a/salt/airgap/init.sls +++ b/salt/airgap/init.sls @@ -1,3 +1,6 @@ +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} + {% set MANAGER = salt['grains.get']('master') %} airgapyum: file.managed: 
@@ -57,4 +60,12 @@ agssrepo: agwazrepo: file.absent: - - name: /etc/yum.repos.d/wazuh.repo \ No newline at end of file + - name: /etc/yum.repos.d/wazuh.repo + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} \ No newline at end of file diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja new file mode 100644 index 000000000..920a60aab --- /dev/null +++ b/salt/allowed_states.map.jinja 
@@ -0,0 +1,297 @@ +{% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} +{% set WAZUH = salt['pillar.get']('global:wazuh', '0') %} +{% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %} +{% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} +{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %} +{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %} +{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} +{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} +{% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %} +{% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %} +{% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %} +{% set KIBANA = salt['pillar.get']('kibana:enabled', True) %} +{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %} +{% set CURATOR = salt['pillar.get']('curator:enabled', True) %} +{% set REDIS = salt['pillar.get']('redis:enabled', True) %} +{% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %} +{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %} +{% import_yaml 'salt/minion.defaults.yaml' as saltversion %} +{% set saltversion = saltversion.salt.minion.version %} + +{# this is the list we are returning from this map file, it gets built below #} +{% set allowed_states= [] %} + +{% if grains.saltversion | string == saltversion | string %} + + {% set allowed_states= salt['grains.filter_by']({ + 'so-eval': [ + 'salt.master', + 'ca', + 'ssl', + 'registry', + 'manager', + 'nginx', + 'telegraf', + 'influxdb', + 'grafana', + 'soc', + 'firewall', + 'idstools', + 'suricata.manager', + 'healthcheck', + 'pcap', + 'suricata', + 'utility', + 'schedule', + 'soctopus', + 'tcpreplay', + 'docker_clean' + ], + 'so-heavynode': [ + 'ca', + 'ssl', + 'nginx', + 'telegraf', + 'firewall', + 'pcap', + 'suricata', + 'schedule', + 'tcpreplay', + 'docker_clean' + ], + 'so-helixsensor': [ + 'salt.master', + 
'ca', + 'ssl', + 'registry', + 'telegraf', + 'firewall', + 'idstools', + 'suricata.manager', + 'zeek', + 'redis', + 'elasticsearch', + 'logstash', + 'schedule', + 'tcpreplay', + 'docker_clean' + ], + 'so-fleet': [ + 'ca', + 'ssl', + 'nginx', + 'telegraf', + 'firewall', + 'mysql', + 'redis', + 'fleet', + 'fleet.install_package', + 'filebeat', + 'schedule', + 'docker_clean' + ], + 'so-import': [ + 'salt.master', + 'ca', + 'ssl', + 'registry', + 'manager', + 'nginx', + 'soc', + 'firewall', + 'idstools', + 'suricata.manager', + 'pcap', + 'utility', + 'suricata', + 'zeek', + 'schedule', + 'tcpreplay', + 'docker_clean' + ], + 'so-manager': [ + 'salt.master', + 'ca', + 'ssl', + 'registry', + 'manager', + 'nginx', + 'telegraf', + 'influxdb', + 'grafana', + 'soc', + 'firewall', + 'idstools', + 'suricata.manager', + 'utility', + 'schedule', + 'soctopus', + 'docker_clean' + ], + 'so-managersearch': [ + 'salt.master', + 'ca', + 'ssl', + 'registry', + 'nginx', + 'telegraf', + 'influxdb', + 'grafana', + 'soc', + 'firewall', + 'manager', + 'idstools', + 'suricata.manager', + 'utility', + 'schedule', + 'soctopus', + 'docker_clean' + ], + 'so-searchnode': [ + 'ca', + 'ssl', + 'nginx', + 'telegraf', + 'firewall', + 'schedule', + 'docker_clean' + ], + 'so-standalone': [ + 'salt.master', + 'ca', + 'ssl', + 'registry', + 'manager', + 'nginx', + 'telegraf', + 'influxdb', + 'grafana', + 'soc', + 'firewall', + 'idstools', + 'suricata.manager', + 'pcap', + 'suricata', + 'utility', + 'schedule', + 'soctopus', + 'tcpreplay', + 'docker_clean' + ], + 'so-sensor': [ + 'ca', + 'ssl', + 'telegraf', + 'firewall', + 'nginx', + 'pcap', + 'suricata', + 'healthcheck', + 'wazuh', + 'filebeat', + 'schedule', + 'tcpreplay', + 'docker_clean' + ], + }, grain='role') %} + + {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %} + {% do allowed_states.append('filebeat') %} + {% endif %} + + {% if 
((FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0) and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %} + {% do allowed_states.append('mysql') %} + {% endif %} + + {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode'] %} + {% do allowed_states.append('fleet.install_package') %} + {% endif %} + + {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %} + {% do allowed_states.append('fleet') %} + {% endif %} + + {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval'] %} + {% do allowed_states.append('redis') %} + {% endif %} + + {%- if ZEEKVER != 'SURICATA' and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %} + {% do allowed_states.append('zeek') %} + {%- endif %} + + {% if STRELKA and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %} + {% do allowed_states.append('strelka') %} + {% endif %} + + {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode']%} + {% do allowed_states.append('wazuh') %} + {% endif %} + + {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %} + {% do allowed_states.append('elasticsearch') %} + {% endif %} + + {% if KIBANA and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %} + {% do allowed_states.append('kibana') %} + {% endif %} + + {% if CURATOR and grains.role in ['so-eval', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode'] %} + {% do allowed_states.append('curator') %} + {% endif %} + + {% if ELASTALERT and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} + {% do allowed_states.append('elastalert') %} + {% 
endif %} + + {% if (THEHIVE != 0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} + {% do allowed_states.append('thehive') %} + {% endif %} + + {% if (PLAYBOOK !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} + {% do allowed_states.append('playbook') %} + {% endif %} + + {% if (PLAYBOOK !=0) and grains.role in ['so-eval'] %} + {% do allowed_states.append('redis') %} + {% endif %} + + {% if (FREQSERVER !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} + {% do allowed_states.append('freqserver') %} + {% endif %} + + {% if (DOMAINSTATS !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} + {% do allowed_states.append('domainstats') %} + {% endif %} + + {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode'] %} + {% do allowed_states.append('logstash') %} + {% endif %} + + {% if REDIS and grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %} + {% do allowed_states.append('redis') %} + {% endif %} + + {% if grains.os == 'CentOS' %} + {% if not ISAIRGAP %} + {% do allowed_states.append('yum') %} + {% endif %} + {% do allowed_states.append('yum.packages') %} + {% endif %} + + {# all nodes on the right salt version can run the following states #} + {% do allowed_states.append('common') %} + {% do allowed_states.append('patch.os.schedule') %} + {% do allowed_states.append('motd') %} + {% do allowed_states.append('salt.minion-check') %} + {% do allowed_states.append('sensoroni') %} + {% do allowed_states.append('salt.lasthighstate') %} + +{% endif %} + + +{% if ISAIRGAP %} + {% do allowed_states.append('airgap') %} +{% endif %} + +{# all nodes can always run salt.minion state #} +{% do allowed_states.append('salt.minion') %} \ No newline at end of file 
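Review bot: The pillar toggles at the top of the new map file default to the string `'0'`, which is truthy in Jinja and compares unequal to the integer `0`, so with the key absent from pillar `{% if WAZUH and ... %}`, `{% if STRELKA and ... %}` and the `THEHIVE != 0`, `PLAYBOOK != 0`, `FREQSERVER != 0` and `DOMAINSTATS != 0` tests all evaluate true and those states are added to `allowed_states` on nodes where the feature is not enabled; since this file is now the single gate for what a node may run, that is a policy gap rather than a cosmetic one. Assuming these pillars are 0/1 flags as the defaults suggest, normalising each of the six lookups with `| int` (e.g. `{% set WAZUH = salt['pillar.get']('global:wazuh', '0') | int %}`) makes both the truthiness checks and the `!= 0` comparisons behave as written whether pillar supplies a string or an integer. A second point: the `grains.filter_by` lookup has no `'default'` key, so if I read its fallback correctly a role outside the dict yields None and the first `allowed_states.append(...)` that follows raises while rendering every state that imports this map, instead of landing in the `_state_not_allowed` branch; adding `'default': [],` to the lookup gives unknown roles an empty list.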
diff --git a/salt/ca/init.sls b/salt/ca/init.sls index 84c74ef3d..07cb75f31 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'ca' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set manager = salt['grains.get']('master') %} /etc/salt/minion.d/signing_policies.conf: @@ -60,8 +58,8 @@ cakeyperms: {% else %} -ca_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: ca_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/common/init.sls b/salt/common/init.sls index 337103fd9..60ff87fd4 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'common' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set role = grains.id.split('_') | last %} @@ -260,8 +258,8 @@ docker: {% else %} -common_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: common_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 2f0147794..245b700d0 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'curator' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} 
@@ -145,8 +143,8 @@ append_so-curator_so-status.conf: {% else %} -curator_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: curator_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 273dbae91..c01bb8e67 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'docker' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} installdocker: pkg.installed: @@ -14,8 +12,8 @@ docker: {% else %} -docker_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: docker_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/docker_clean/init.sls b/salt/docker_clean/init.sls index 9c5ce0d17..21e672c00 100644 --- a/salt/docker_clean/init.sls +++ b/salt/docker_clean/init.sls @@ -1,3 +1,6 @@ +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} + {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3','2.3.0','2.3.1','2.3.2']%} @@ -43,3 +46,11 @@ remove_images_{{ VERSION }}: - '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-wazuh:{{ VERSION }}' - '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}' {% endfor %} + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} \ No newline at end of file diff --git a/salt/domainstats/init.sls b/salt/domainstats/init.sls index 965d87426..da9c2926c 100644 --- a/salt/domainstats/init.sls +++ b/salt/domainstats/init.sls 
@@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'domainstats' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -63,8 +61,8 @@ append_so-domainstats_so-status.conf: {% else %} -domainstats_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: domainstats_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 7caef532f..fcab3f57c 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'elastalert' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -131,8 +129,8 @@ append_so-elastalert_so-status.conf: {% else %} -elastalert_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: elastalert_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 2d83f9882..089a21e1c 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
@@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'elasticsearch' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -265,8 +263,8 @@ so-elasticsearch-templates: {% else %} -elasticsearch_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: elasticsearch_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} {# if 'elasticsearch' in top_states #} diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 98229ca35..47dc2f3a9 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -11,10 +11,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'filebeat' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -93,8 +91,8 @@ append_so-filebeat_so-status.conf: {% else %} -filebeat_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: filebeat_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 27f04bee0..687774a58 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls 
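Review bot: The trailing comment `{# if 'elasticsearch' in top_states #}` after the closing `{% endif %}` in the second hunk of this file still describes the old gate, while the first hunk changes the condition to `{% if sls in allowed_states %}` and removes the `top_states` variable entirely. Update it to `{# if sls in allowed_states #}` (or drop it) so the end marker does not send a reader looking for a variable that no longer exists in this file.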
@@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'firewall' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} # Firewall Magic for the grid {% from 'firewall/map.jinja' import hostgroups with context %} @@ -138,8 +136,8 @@ iptables_drop_all_the_things: {% else %} -firewall_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: firewall_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index db3414a18..f286af347 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -1,3 +1,4 @@ +{# this state can run regardless if in allowed_states or not #} {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} {%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%} {%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%} diff --git a/salt/freqserver/init.sls b/salt/freqserver/init.sls index f514353a1..36a17b6aa 100644 --- a/salt/freqserver/init.sls +++ b/salt/freqserver/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'freqserver' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -63,9 +61,9 @@ append_so-freq_so-status.conf: {% else %} -freqserver_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: freqserver_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index 9c596ca98..4a0cc7b08 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls 
@@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'grafana' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} {% set MANAGER = salt['grains.get']('master') %} @@ -281,8 +279,8 @@ append_so-grafana_so-status.conf: {% else %} -grafana_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: grafana_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/healthcheck/init.sls b/salt/healthcheck/init.sls index af1de6d83..610891980 100644 --- a/salt/healthcheck/init.sls +++ b/salt/healthcheck/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'healthcheck' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set CHECKS = salt['pillar.get']('healthcheck:checks', {}) %} {% set ENABLED = salt['pillar.get']('healthcheck:enabled', False) %} @@ -31,8 +29,8 @@ healthcheck_schedule_{{ STATUS[1] }}: {% else %} -healthcheck_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: healthcheck_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 2aacb973d..56f15a93d 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls 
@@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'idstools' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -83,8 +81,8 @@ append_so-idstools_so-status.conf: {% else %} -idstools_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: idstools_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif%} diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 9dc7ee692..61b97fc56 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'influxdb' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} {% set MANAGER = salt['grains.get']('master') %} @@ -63,8 +61,8 @@ append_so-influxdb_so-status.conf: {% else %} -influxdb_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: influxdb_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 02e76495d..7d6b541cd 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls 
@@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'kibana' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -128,8 +126,8 @@ so-kibana-config-load: {% else %} -kibana_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: kibana_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index e23e4eef2..61f533865 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'logstash' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -209,8 +207,8 @@ append_so-logstash_so-status.conf: {% else %} -logstash_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: logstash_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 597ca3c43..908ef4502 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls 
@@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'manager' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -110,8 +108,8 @@ strelka_yara_update: - minute: '1' {% else %} -manager_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: manager_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/minio/init.sls b/salt/minio/init.sls index 484eac1f9..f61209c8b 100644 --- a/salt/minio/init.sls +++ b/salt/minio/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'minio' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set access_key = salt['pillar.get']('minio:access_key', '') %} {% set access_secret = salt['pillar.get']('minio:access_secret', '') %} @@ -69,8 +67,8 @@ append_so-minio_so-status.conf: {% else %} -minio_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: minio_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/motd/init.sls b/salt/motd/init.sls index bf9d276a6..c3b9c0209 100644 --- a/salt/motd/init.sls +++ b/salt/motd/init.sls 
@@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'motd' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} so_motd: file.managed: @@ -11,8 +9,8 @@ so_motd: {% else %} -motd_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: motd_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 5fb187ab8..be44b652c 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'mysql' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %} {%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} @@ -112,8 +110,8 @@ append_so-mysql_so-status.conf: {% else %} -mysql_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: mysql_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 8d6dd46f7..15c1acc8e 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'nginx' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} {% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} 
@@ -105,8 +103,8 @@ append_so-nginx_so-status.conf: {% else %} -nginx_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: nginx_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/nodered/init.sls b/salt/nodered/init.sls index c4fb8cb37..58145a6b7 100644 --- a/salt/nodered/init.sls +++ b/salt/nodered/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'nodered' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -86,8 +84,8 @@ so-nodered-flows: {% else %} -nodered_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: nodered_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index b8580fd86..06ff30972 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'pcap' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -150,8 +148,8 @@ delete_so-steno_so-status.disabled: {% else %} -pcap_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: pcap_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file 
diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index dca898eec..ef538e5f6 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'playbook' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} @@ -114,8 +112,8 @@ so-playbookruleupdatecron: {% else %} -playbook_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: playbook_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 57f189865..d28aa57c3 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'redis' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -77,8 +75,8 @@ append_so-redis_so-status.conf: {% else %} -redis_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: redis_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/registry/init.sls b/salt/registry/init.sls index 43b9d8fa6..d733b6f54 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls 
@@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'registry' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} # Create the config directory for the docker registry dockerregistryconfdir: @@ -64,8 +62,8 @@ append_so-dockerregistry_so-status.conf: {% else %} -registry_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: registry_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/salt/master.sls b/salt/salt/master.sls index 442a9d240..3c23bbb36 100644 --- a/salt/salt/master.sls +++ b/salt/salt/master.sls @@ -1,10 +1,8 @@ +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} + {% from 'salt/map.jinja' import COMMON with context %} -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'salt.master' in top_states %} - include: - salt.minion @@ -37,8 +35,8 @@ engines_config: {% else %} -salt_master_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: salt_master_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 0f58aab32..d31898e72 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'soc' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} 
@@ -141,8 +139,8 @@ append_so-kratos_so-status.conf: {% else %} -soc_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: soc_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 2137a4511..c2c8dc1ac 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'soctopus' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -80,8 +78,8 @@ append_so-soctopus_so-status.conf: {% else %} -soctopus_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: soctopus_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 221c58c93..d6c06d6fd 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'ssl' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set manager = salt['grains.get']('master') %} {% set managerip = salt['pillar.get']('global:managerip', '') %} @@ -578,8 +576,8 @@ elastickeyperms: {% else %} -ssl_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: ssl_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 1bd9e3aad..315486519 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls 
@@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'strelka' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set MANAGER = salt['grains.get']('master') %} {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %} @@ -194,8 +192,8 @@ strelka_zeek_extracted_sync: {% else %} -strelka_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: strelka_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 99609be32..0452364c5 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -12,10 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'suricata' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} {% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} @@ -193,8 +191,8 @@ surilogrotate: {% else %} -suricata_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: suricata_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/suricata/manager.sls b/salt/suricata/manager.sls index 5998a484b..c196c5cae 100644 --- a/salt/suricata/manager.sls +++ b/salt/suricata/manager.sls @@ -1,3 +1,6 @@ +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} + surilocaldir: file.directory: - name: /opt/so/saltstack/local/salt/suricata 
@@ -16,4 +19,12 @@ refresh_salt_master_fileserver_suricata_ruleslink: salt.runner: - name: fileserver.update - onchanges: - - file: ruleslink \ No newline at end of file + - file: ruleslink + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} \ No newline at end of file diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls index a684d2fef..0fa853d22 100644 --- a/salt/tcpreplay/init.sls +++ b/salt/tcpreplay/init.sls @@ -1,4 +1,6 @@ -{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' or grains['role'] == 'so-standalone' %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} @@ -17,8 +19,8 @@ so-tcpreplay: {% else %} -tcpreplay_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: tcpreplay_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index 1ff34ceae..fb4cacbc6 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'telegraf' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} @@ -81,8 +79,8 @@ append_so-telegraf_so-status.conf: {% else %} -telegraf_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: telegraf_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls index 6c3d4d5ac..d1ee8a4bf 100644 --- a/salt/thehive/init.sls 
+++ b/salt/thehive/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'thehive' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} @@ -152,8 +150,8 @@ thehivescript: {% else %} -thehive_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: thehive_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/utility/init.sls b/salt/utility/init.sls index d18ad5e1c..d8b8539fa 100644 --- a/salt/utility/init.sls +++ b/salt/utility/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'utility' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} # This state is for checking things {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] %} @@ -27,8 +25,8 @@ fixsearch: {% else %} -utility_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: utility_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 3cad6c367..089b60846 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'wazuh' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {%- set HOSTNAME = salt['grains.get']('host', '') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} 
@@ -164,8 +162,8 @@ hidsruledir: {% else %} -wazuh_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: wazuh_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} diff --git a/salt/yum/init.sls b/salt/yum/init.sls index b8a4df9ee..339a6f2a7 100644 --- a/salt/yum/init.sls +++ b/salt/yum/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'yum' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} yumconf: file.managed: @@ -12,8 +10,8 @@ yumconf: {% else %} -yum_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: yum_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 6fa289d5c..8cb9f5d21 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -1,7 +1,5 @@ -{% set show_top = salt['state.show_top']() %} -{% set top_states = show_top.values() | join(', ') %} - -{% if 'zeek' in top_states %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} {% from "zeek/map.jinja" import START with context %} @@ -211,8 +209,8 @@ disable_so-zeek_so-status.conf: {% else %} -zeek_state_not_allowed: +{{sls}}_state_not_allowed: test.fail_without_changes: - - name: zeek_state_not_allowed + - name: {{sls}}_state_not_allowed {% endif %} \ No newline at end of file From 18278a97acaf9dceb2e8fb0ff1564a9e3692a264 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 20 Jan 2021 15:13:55 -0500 Subject: [PATCH 06/11] fix salt top formatting --- salt/top.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/top.sls b/salt/top.sls index bab7b475f..68c392c25 100644 --- a/salt/top.sls +++ b/salt/top.sls 
@@ -292,7 +292,7 @@ base: {%- endif %} - docker_clean - '*_searchnode and G@saltversion:{{saltversion}}': + '*_searchnode and G@saltversion:{{saltversion}}': - match: compound - ca - ssl From 6e756b3586a39792883b1db2ae7b72a74666718b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 20 Jan 2021 17:34:53 -0500 Subject: [PATCH 07/11] allow heathcheck state for standalone and heavynode --- salt/allowed_states.map.jinja | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 920a60aab..5ec218c8c 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -55,6 +55,7 @@ 'firewall', 'pcap', 'suricata', + 'healthcheck', 'schedule', 'tcpreplay', 'docker_clean' @@ -172,6 +173,7 @@ 'suricata.manager', 'pcap', 'suricata', + 'healthcheck', 'utility', 'schedule', 'soctopus', From 18217ba38bdddb4b218e9899cb4b667967edc050 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 20 Jan 2021 17:40:02 -0500 Subject: [PATCH 08/11] change so-searchnode role to so-node https://github.com/Security-Onion-Solutions/securityonion/issues/2679 --- salt/allowed_states.map.jinja | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 5ec218c8c..665fdbe3d 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -148,7 +148,7 @@ 'soctopus', 'docker_clean' ], - 'so-searchnode': [ + 'so-node': [ 'ca', 'ssl', 'nginx', @@ -197,7 +197,7 @@ ], }, grain='role') %} - {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %} + {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import'] %} {% do allowed_states.append('filebeat') %} {% endif %} 
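Review bot: Renaming the `so-searchnode` key to `so-node` in the role map and in each `grains.role in [...]` list changes which states a minion may run based on its `role` grain, but nothing in this commit migrates that grain on already-deployed search nodes, and the `'*_searchnode and G@saltversion:...'` target in top.sls from the previous patch is untouched. A minion still reporting `role: so-searchnode` would find no entry in the map and either fail to render or be refused by every `{{sls}}_state_not_allowed` guard — fail-closed, but it takes the whole node out of management until the grain is corrected. Keeping `so-searchnode` as a temporary alias of the `so-node` list, or pairing this change with the grain migration (the linked issue #2679 may cover it), would make the cutover safe. The same rename appears in the five following hunks of this file.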
@@ -205,7 +205,7 @@ {% do allowed_states.append('mysql') %} {% endif %} - {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode'] %} + {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %} {% do allowed_states.append('fleet.install_package') %} {% endif %} @@ -225,11 +225,11 @@ {% do allowed_states.append('strelka') %} {% endif %} - {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode']%} + {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode']%} {% do allowed_states.append('wazuh') %} {% endif %} - {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %} + {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import'] %} {% do allowed_states.append('elasticsearch') %} {% endif %} @@ -237,7 +237,7 @@ {% do allowed_states.append('kibana') %} {% endif %} - {% if CURATOR and grains.role in ['so-eval', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode'] %} + {% if CURATOR and grains.role in ['so-eval', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %} {% do allowed_states.append('curator') %} {% endif %} @@ -265,7 +265,7 @@ {% do allowed_states.append('domainstats') %} {% endif %} - {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode'] %} + {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %} {% do allowed_states.append('logstash') %} {% endif %} 
From 74e315841a14e782322d65e0b211fec37f7a8435 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 21 Jan 2021 13:17:16 +0000 Subject: [PATCH 09/11] Modify common to reserve Docker proxy ports --- salt/common/init.sls | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/salt/common/init.sls b/salt/common/init.sls index 60ff87fd4..8b17cc7f5 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -256,6 +256,17 @@ docker: - watch: - file: docker_daemon +# Reserve OS ports for Docker proxy in case boot settings are not already applied/present +dockerapplyports: + cmd.run: + - name: if [ ! -f /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"; fi + +# Reserve OS ports for Docker proxy +dockerreserveports: + file.managed: + - source: salt://common/files/99-reserved-ports.conf + - name: /etc/sysctl.d/99-reserved-ports.conf + {% else %} {{sls}}_state_not_allowed: From 9a916746887a037358ba6ce85f8f9f9695e25780 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 21 Jan 2021 13:18:22 +0000 Subject: [PATCH 10/11] Add reserved ports file for sysctl --- salt/common/files/99-reserved-ports.conf | 1 + 1 file changed, 1 insertion(+) create mode 100644 salt/common/files/99-reserved-ports.conf diff --git a/salt/common/files/99-reserved-ports.conf b/salt/common/files/99-reserved-ports.conf new file mode 100644 index 000000000..a578ab9a5 --- /dev/null +++ b/salt/common/files/99-reserved-ports.conf @@ -0,0 +1 @@ +net.ipv4.ip_local_reserved_ports="55000,57314" From 0039877779ecc20906dabf3b25a3569b0aa6bbeb Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 21 Jan 2021 13:29:09 +0000 Subject: [PATCH 11/11] Check for port availability for Wazuh and Strelka --- salt/strelka/init.sls | 5 +++++ salt/wazuh/init.sls | 7 +------ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 315486519..46d9ef35d 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls 
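Review bot: `dockerapplyports` only applies the sysctl when `/etc/sysctl.d/99-reserved-ports.conf` is absent, yet `dockerreserveports` creates that file immediately afterwards without loading it, so on any later run where the runtime value has drifted (or the file content is changed) the reservation is not re-applied until reboot, and the bare `cmd.run` reports a change on every highstate because it has no `unless`. `sysctl -w` also overwrites `net.ipv4.ip_local_reserved_ports` rather than extending it, so a reservation an operator added for another service is silently dropped — that is acceptable if intended, but the comment should say the list is authoritative. Salt's `sysctl.present` applies the runtime value and writes the persistent file idempotently in one state, so both states can be replaced by the one below.
```yaml
# Reserve OS ports for the Docker proxy so the kernel never hands them out as
# ephemeral ports. NOTE: this list replaces any other reserved ports on the host.
dockerreserveports:
  sysctl.present:
    - name: net.ipv4.ip_local_reserved_ports
    - value: "55000,57314"
    - config: /etc/sysctl.d/99-reserved-ports.conf
```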
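Review bot: The new file writes the value with double quotes, `net.ipv4.ip_local_reserved_ports="55000,57314"`, and sysctl.conf(5) does not describe quote stripping, so depending on which loader processes the drop-in (procps `sysctl --system` or systemd-sysctl) the quotes may be passed literally to the kernel and rejected at boot. The identical setting in the common/init.sls hunk works only because the shell strips the quotes before `sysctl -w` sees them. Verify by loading the file on a target host with `sysctl -p /etc/sysctl.d/99-reserved-ports.conf`, or write it unquoted: `net.ipv4.ip_local_reserved_ports = 55000,57314`.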
@@ -92,6 +92,11 @@ strelkaunprocessed: - group: 939 - makedirs: True +# Check to see if Strelka frontend port is available +strelkaportavailable: + cmd.run: + - name: netstat -utanp | grep ":57314" | grep -qv docker && PROCESS=$(netstat -utanp | grep ":57314" | uniq) && echo "Another process ($PROCESS) appears to be using port 57314. Please terminate this process, or reboot to ensure a clean state so that Strelka can start properly." && exit 1 || exit 0 + strelka_coordinator: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }} diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 089b60846..d6c7ac15e 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -94,15 +94,10 @@ wazuhmgrwhitelist: - mode: 755 - template: jinja -# Reserve OS port for Wazuh API -wazuhreserveport: - cmd.run: - - name: grep -q 55000 /proc/sys/net/ipv4/ip_local_reserved_ports || sysctl -w net.ipv4.ip_local_reserved_ports="55000" > /dev/null && echo "55000" >> /proc/sys/net/ipv4/ip_local_reserved_ports - # Check to see if Wazuh API port is available wazuhportavailable: cmd.run: - - name: netstat -anp | grep 55000 | grep -qv docker && PROCESS=$(netstat -anp | grep 55000 | awk '{print $NF}' | uniq) && echo "Another process ($PROCESS) appears to be using port 55000. Please terminate this process, or reboot to ensure a clean state so that the Wazuh API can start properly." && exit 1 || exit 0 + -name: netstat -utanp | grep ":55000" | grep -qv docker && PROCESS=$(netstat -utanp | grep ":55000" | uniq) && echo "Another process ($PROCESS) appears to be using port 55000. Please terminate this process, or reboot to ensure a clean state so that the Wazuh API can start properly." && exit 1 || exit 0 so-wazuh: docker_container.running:
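Review bot: `grep ":57314"` on `netstat -utanp` output matches the foreign-address column as well as the local one, so an established connection whose peer port happens to be 57314 aborts the highstate with a message blaming a local process, and `PROCESS` now carries whole netstat lines because the `awk '{print $NF}'` of the older wazuh check was not kept. The check also passes silently rather than failing closed when `netstat` is missing (no net-tools on a minimal host): the empty pipeline makes `grep -qv` return non-zero and the trailing `|| exit 0` hides it, so the comment should state that net-tools is a prerequisite or the command should fall back to `ss`. Restricting the test to listening sockets and the local address removes the false positive: `- name: PROCESS=$(netstat -ltunp | awk '$4 ~ /:57314$/ {print $NF}' | grep -v docker | uniq); if [ -n "$PROCESS" ]; then echo "Another process ($PROCESS) appears to be using port 57314. Please terminate this process, or reboot to ensure a clean state so that Strelka can start properly."; exit 1; fi`.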
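Review bot: The replacement line reads `-name: netstat ...` — the space after the dash is missing, so YAML parses `-name` as a mapping key under `cmd.run` instead of the `- name:` list item Salt expects, and the `wazuhportavailable` state will be rejected when the file is compiled rather than running the port check at all. Fix: `- name: netstat -utanp | grep ":55000" | grep -qv docker && ...` with the rest of the line unchanged. The check also inherits the local/foreign column ambiguity raised on the strelka hunk above, so the same `awk '$4 ~ /:55000$/'` narrowing on `netstat -ltunp` applies here.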