Merge pull request #1440 from Security-Onion-Solutions/feature/generate-playbook-api-key

Feature/generate playbook api key
2026-04-17 10:12:05 +02:00 · 2020-10-02 14:37:58 -04:00
parent 15f0c98281 2a100c0dcc
commit 8310559273
10 changed files with 1895 additions and 31 deletions
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -169,7 +169,7 @@ masterunlock() {
 playbook() {
  echo "Applying playbook settings"
  if [[ "$INSTALLEDVERSION" =~ rc.1 ]]; then
-    salt-call state.apply playbook.db_init
+    salt-call state.apply playbook.OLD_db_init
    rm -f /opt/so/rules/elastalert/playbook/*.yaml
    so-playbook-ruleupdate >> /root/soup_playbook_rule_update.log 2>&1 &
  fi
@@ -251,9 +251,13 @@ rc3_to_2.3.0() {
  if [ ! -f /etc/profile.d/securityonion.sh ]; then
    echo "complete -cf sudo" > /etc/profile.d/securityonion.sh
  fi
-  # Add Redis settings to global pillar
-  echo "redis_settings:" >> /opt/so/saltstack/local/pillar/global.sls
-  echo "  redis_maxmemory: 827" >> /opt/so/saltstack/local/pillar/global.sls
+
+  {
+      echo "redis_settings:"
+      echo "  redis_maxmemory: 827"
+      echo "playbook:"
+      echo "  api_key: de6639318502476f2fa5aa06f43f51fb389a3d7f" 
+  } >> /opt/so/saltstack/local/pillar/global.sls
 }

 space_check() {
--- a/salt/playbook/OLD_db_init.sls
+++ b/salt/playbook/OLD_db_init.sls
@@ -0,0 +1,14 @@
+
+# This state will import the initial default playbook database. 
+# If there is an existing playbook database, it will be overwritten - no backups are made.
+
+include:
+  - mysql
+
+salt://playbook/files/OLD_playbook_db_init.sh:
+  cmd.script:
+    - cwd: /root
+    - template: jinja
+
+'sleep 5':
+  cmd.run
--- a/salt/playbook/automation_user_create.sls
+++ b/salt/playbook/automation_user_create.sls
@@ -0,0 +1,9 @@
+# This state will create the SecOps Automation user within Playbook
+
+include:
+  - playbook
+
+salt://playbook/files/automation_user_create.sh:
+  cmd.script:
+    - cwd: /root
+    - template: jinja
--- a/salt/playbook/files/OLD_playbook_db_init.sh
+++ b/salt/playbook/files/OLD_playbook_db_init.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %}
+
+default_salt_dir=/opt/so/saltstack/default
+
+docker cp $default_salt_dir/salt/playbook/files/OLD_playbook_db_init.sql so-mysql:/tmp/playbook_db_init.sql
+docker exec so-mysql /bin/bash -c "/usr/bin/mysql -b  -uroot -p{{MYSQLPASS}}  < /tmp/playbook_db_init.sql"
--- a/salt/playbook/files/OLD_playbook_db_init.sql
+++ b/salt/playbook/files/OLD_playbook_db_init.sql
--- a/salt/playbook/files/automation_user_create.sh
+++ b/salt/playbook/files/automation_user_create.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+# {%- set admin_pass = salt['pillar.get']('secrets:playbook_admin', None) -%}
+# {%- set automation_pass = salt['pillar.get']('secrets:playbook_automation', None) %}
+
+local_salt_dir=/opt/so/saltstack/local
+
+try_count=6
+interval=10
+
+while [[ $try_count -le 6 ]]; do
+    if docker top "so-playbook" &>/dev/null; then
+        automation_group=6
+
+        # Create user and retrieve api_key and user_id from response
+        mapfile -t automation_res < <(
+            curl -s --location --request POST 'http://127.0.0.1:3200/playbook/users.json' --user "admin:{{ admin_pass }}" --header 'Content-Type: application/json' --data '{
+                "user" : {
+                    "login" : "automation",
+                    "password": "{{ automation_pass }}",
+                    "firstname": "SecOps",
+                    "lastname": "Automation",
+                    "mail": "automation2@localhost.local"
+                }
+            }' | jq -r '.user.api_key, .user.id'
+        )
+
+        automation_api_key=${automation_res[0]}
+        automation_user_id=${automation_res[1]}
+
+        # Add user_id from newly created user to Automation group
+        curl -s --location --request POST "http://127.0.0.1:3200/playbook/groups/${automation_group}/users.json" \
+            --user "admin:{{ admin_pass }}" \
+            --header 'Content-Type: application/json' \
+            --data "{
+                \"user_id\" : ${automation_user_id}
+            }"
+
+        # Search for the needed keys in the global pillar file, if missing then add them
+        if (grep -Pzq 'playbook:\n  api_key:.*' $local_salt_dir/pillar/global.sls); then
+            sed -e '1h;2,$H;$!d;g' -e "s/playbook:\n  api_key:.*/playbook:\n  api_key: ${automation_api_key}/m" -i $local_salt_dir/pillar/global.sls
+        else
+            {
+                echo "playbook:"
+                echo "  api_key: ${automation_api_key}" 
+            } >> $local_salt_dir/pillar/global.sls
+        fi
+    fi
+    ((try_count++))
+    sleep "${interval}s"
+done
--- a/salt/playbook/files/playbook_db_init.sh
+++ b/salt/playbook/files/playbook_db_init.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 # {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%}
-# {%- set admin_pass = salt['pillar.get']('secrets:playbook_admin', None) -%}
-# {%- set automation_pass = salt['pillar.get']('secrets:playbook_automation', None) %}
+# {%- set admin_pass = salt['pillar.get']('secrets:playbook_admin', None) %}

 default_salt_dir=/opt/so/saltstack/default

@@ -12,13 +11,6 @@ admin_hash=$(echo -n "${admin_salt}${admin_stage1_hash}" | sha1sum | awk '{print
 sed -i "s/ADMIN_HASH/${admin_hash}/g" $default_salt_dir/salt/playbook/files/playbook_db_init.sql
 sed -i "s/ADMIN_SALT/${admin_salt}/g" $default_salt_dir/salt/playbook/files/playbook_db_init.sql

-# Generate salt + hash for automation user
-automation_salt=$(tr -dc "a-zA-Z0-9" < /dev/urandom | fold -w 32 | head -n 1)
-auto_stage1_hash=$(echo -n '{{ automation_pass }}' | sha1sum | awk '{print $1}')
-automation_hash=$(echo -n "${automation_salt}${auto_stage1_hash}" | sha1sum | awk '{print $1}')
-sed -i "s/AUTO_HASH/${automation_hash}/g" $default_salt_dir/salt/playbook/files/playbook_db_init.sql
-sed -i "s/AUTO_SALT/${automation_salt}/g" $default_salt_dir/salt/playbook/files/playbook_db_init.sql
-
-# Copy file to destination
+# Copy file to destination + execute SQL
 docker cp $default_salt_dir/salt/playbook/files/playbook_db_init.sql so-mysql:/tmp/playbook_db_init.sql
-docker exec so-mysql /bin/bash -c "/usr/bin/mysql -b  -uroot -p{{MYSQLPASS}}  < /tmp/playbook_db_init.sql"
+docker exec so-mysql /bin/bash -c "/usr/bin/mysql -b  -uroot -p{{MYSQLPASS}}  < /tmp/playbook_db_init.sql"
--- a/salt/playbook/files/playbook_db_init.sql
+++ b/salt/playbook/files/playbook_db_init.sql
@@ -606,7 +606,7 @@ CREATE TABLE `groups_users` (

 LOCK TABLES `groups_users` WRITE;
 /*!40000 ALTER TABLE `groups_users` DISABLE KEYS */;
-INSERT INTO `groups_users` VALUES (6,9),(7,1);
+INSERT INTO `groups_users` VALUES (7,1);
 /*!40000 ALTER TABLE `groups_users` ENABLE KEYS */;
 UNLOCK TABLES;

@@ -1380,7 +1380,19 @@ CREATE TABLE `tokens` (

 LOCK TABLES `tokens` WRITE;
 /*!40000 ALTER TABLE `tokens` DISABLE KEYS */;
-INSERT INTO `tokens` VALUES (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),(4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 18:07:03','2020-04-26 18:12:02'),(5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 18:17:11','2020-04-26 18:19:24'),(9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 18:51:15','2020-04-26 18:51:15'),(19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 16:52:33','2020-05-01 18:02:30'),(20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),(23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),(25,9,'api','de6639318502476f2fa5aa06f43f51fb389a3d7f','2020-05-01 18:26:31','2020-05-01 18:26:31'),(46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),(59,1,'session','2afe6590653d59a697d1436729c64f322a2eff82','2020-07-01 18:11:07','2020-07-01 20:30:43'),(61,1,'session','b01f95709ca1ab086a049cf9c5afd81ca9d4526e','2020-07-15 16:30:42','2020-07-15 16:31:40'),(62,1,'session','d29acdcd0b8e4ebf78ef8f696d3e76df7e2ab2ac','2020-08-17 14:51:59','2020-08-17 14:53:22');
+INSERT INTO `tokens` 
+  VALUES 
+    (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),
+    (4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 18:07:03','2020-04-26 18:12:02'),
+    (5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 18:17:11','2020-04-26 18:19:24'),
+    (9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 18:51:15','2020-04-26 18:51:15'),
+    (19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 16:52:33','2020-05-01 18:02:30'),
+    (20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),
+    (23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),
+    (46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),
+    (59,1,'session','2afe6590653d59a697d1436729c64f322a2eff82','2020-07-01 18:11:07','2020-07-01 20:30:43'),
+    (61,1,'session','b01f95709ca1ab086a049cf9c5afd81ca9d4526e','2020-07-15 16:30:42','2020-07-15 16:31:40'),
+    (62,1,'session','d29acdcd0b8e4ebf78ef8f696d3e76df7e2ab2ac','2020-08-17 14:51:59','2020-08-17 14:53:22');
 /*!40000 ALTER TABLE `tokens` ENABLE KEYS */;
 UNLOCK TABLES;

@@ -1489,8 +1501,7 @@ INSERT INTO `users`
    (4,'','','','Anonymous',0,0,NULL,'',NULL,'2020-04-26 13:09:44','2020-04-26 13:09:44','AnonymousUser',NULL,'only_my_events',NULL,0,NULL),
    (5,'','','','Analysts',0,1,NULL,'',NULL,'2020-04-26 18:43:40','2020-04-26 18:43:40','Group',NULL,'',NULL,0,NULL),
    (6,'','','','Automation',0,1,NULL,'',NULL,'2020-04-26 18:43:47','2020-04-26 18:43:47','Group',NULL,'',NULL,0,NULL),
-    (7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL),
-    (9,'automation','AUTO_HASH','SecOps','Automation',0,1,'2020-05-01 18:26:17','en',NULL,'2020-04-26 18:47:46','2020-05-01 18:26:10','User',NULL,'none','AUTO_SALT',0,'2020-05-01 18:26:10')
+    (7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL)
 ;
 /*!40000 ALTER TABLE `users` ENABLE KEYS */;
 UNLOCK TABLES;
--- a/salt/soctopus/files/SOCtopus.conf
+++ b/salt/soctopus/files/SOCtopus.conf
@@ -1,6 +1,8 @@
 {%- set MANAGER = salt['pillar.get']('global:url_base', '') %}
 {%- set HIVEKEY = salt['pillar.get']('global:hivekey', '') %}
 {%- set CORTEXKEY = salt['pillar.get']('global:cortexorguserkey', '') %}
+{%- set PLAYBOOK_KEY = salt['pillar.get']('playbook:api_key', '') %}
+

 [es]
 es_url = http://{{MANAGER}}:9200
@@ -65,7 +67,7 @@ soc_url = http://{{MANAGER}}:9822
 [playbook]
 playbook_url = http://{{MANAGER}}:3200/playbook
 playbook_ext_url = https://{{MANAGER}}/playbook
-playbook_key = de6639318502476f2fa5aa06f43f51fb389a3d7f
+playbook_key = {{ PLAYBOOK_KEY }}
 playbook_verifycert = no
 playbook_unit_test_index = playbook-testing
 playbook_rulesets = {{ salt['pillar.get']('soctopus:playbook:rulesets')|join(",") }}
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -640,21 +640,28 @@ fi
 		salt-call state.apply -l info kibana >> $setup_log 2>&1
 	fi

-	if [[ $is_manager ]]; then
-		set_progress_str 71 "$(print_salt_state_apply 'elastalert')"
-		salt-call state.apply -l info elastalert >> $setup_log 2>&1
-
-		set_progress_str 72 "$(print_salt_state_apply 'soctopus')"
-		salt-call state.apply -l info soctopus >> $setup_log 2>&1
-	fi
-
 	if [[ "$PLAYBOOK" = 1 ]]; then
-		set_progress_str 73 "$(print_salt_state_apply 'playbook.db_init')"
+		set_progress_str 71 "$(print_salt_state_apply 'playbook.db_init')"
 		salt-call state.apply -l info playbook.db_init >> $setup_log 2>&1

-		set_progress_str 73 "$(print_salt_state_apply 'playbook')"
+		set_progress_str 71 "$(print_salt_state_apply 'playbook')"
 		salt-call state.apply -l info playbook >> $setup_log 2>&1
-		so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 &
+
+		set_progress_str 71 "$(print_salt_state_apply 'playbook.automation_user_create')"
+		salt-call state.apply -l info playbook.automation_user_create >> $setup_log 2>&1
+	fi
+
+	if [[ $is_manager ]]; then
+		set_progress_str 72 "$(print_salt_state_apply 'elastalert')"
+		salt-call state.apply -l info elastalert >> $setup_log 2>&1
+
+		set_progress_str 73 "$(print_salt_state_apply 'soctopus')"
+		salt-call state.apply -l info soctopus >> $setup_log 2>&1
+
+		if [[ "$PLAYBOOK" = 1 ]]; then
+			set_progress_str 73 "Update playbook rules"
+			so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 &
+		fi
 	fi
 	
 	if [[ "$OSQUERY" = 1 ]]; then