CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-04-20 03:32:47 +02:00
Code Issues Packages Projects Releases Wiki Activity

enabled/disable elastalert via web ui

Browse Source
This commit is contained in:
m0duspwnens
2023-05-08 15:56:26 -04:00
parent 9aaa33c224
commit 9049f9cf03
16 changed files with 284 additions and 177 deletions
Download Patch File Download Diff File Expand all files Collapse all files

103
salt/elastalert/config.sls Normal file
View File

@@ -0,0 +1,103 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'elastalert/map.jinja' import ELASTALERTMERGED %}
# Create the group
elastagroup:
group.present:
- name: elastalert
- gid: 933
# Add user
elastalert:
user.present:
- uid: 933
- gid: 933
- home: /opt/so/conf/elastalert
- createhome: False
elastalogdir:
file.directory:
- name: /opt/so/log/elastalert
- user: 933
- group: 933
- makedirs: True
elastalert_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://elastalert/tools/sbin
- user: 933
- group: 939
- file_mode: 755
#elastalert_sbin_jinja:
# file.recurse:
# - name: /usr/sbin
# - source: salt://elastalert/tools/sbin_jinja
# - user: 933
# - group: 939
# - file_mode: 755
# - template: jinja
elastarules:
file.directory:
- name: /opt/so/rules/elastalert
- user: 933
- group: 933
- makedirs: True
elastaconfdir:
file.directory:
- name: /opt/so/conf/elastalert
- user: 933
- group: 933
- makedirs: True
elastasomodulesdir:
file.directory:
- name: /opt/so/conf/elastalert/modules/so
- user: 933
- group: 933
- makedirs: True
elastacustmodulesdir:
file.directory:
- name: /opt/so/conf/elastalert/modules/custom
- user: 933
- group: 933
- makedirs: True
elastasomodulesync:
file.recurse:
- name: /opt/so/conf/elastalert/modules/so
- source: salt://elastalert/files/modules/so
- user: 933
- group: 933
- makedirs: True
elastaconf:
file.managed:
- name: /opt/so/conf/elastalert/elastalert_config.yaml
- source: salt://elastalert/files/elastalert_config.yaml.jinja
- context:
elastalert_config: {{ ELASTALERTMERGED.config }}
- user: 933
- group: 933
- mode: 660
- template: jinja
- show_changes: False
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

1
salt/elastalert/defaults.yaml
View File

@@ -1,4 +1,5 @@
elastalert:
enabled: False
config:
rules_folder: /opt/elastalert/rules/
scan_subdirectories: true

27
salt/elastalert/disabled.sls Normal file
View File

@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- elastalert.sostatus
so-elastalert:
docker_container.absent:
- force: True
so-elastalert_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-elastalert$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

11
salt/elastalert/elastalert_config.map.jinja
View File

@@ -1,11 +0,0 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'elastalert/defaults.yaml' as ELASTALERT %}
{% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
{% do ELASTALERT.elastalert.config.update({'es_host': GLOBALS.manager}) %}
{% do ELASTALERT.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %}
{% do ELASTALERT.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %}
{% do salt['defaults.merge'](ELASTALERT.elastalert.config, elastalert_pillar, in_place=True) %}

58
salt/elastalert/enabled.sls Normal file
View File

@@ -0,0 +1,58 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
- elastalert.config
- elastalert.sostatus
wait_for_elasticsearch:
cmd.run:
- name: so-elasticsearch-wait
so-elastalert:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastalert:{{ GLOBALS.so_version }}
- hostname: elastalert
- name: so-elastalert
- user: so-elastalert
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
- detach: True
- binds:
- /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
- /opt/so/log/elastalert:/var/log/elastalert:rw
- /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
- /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- require:
- cmd: wait_for_elasticsearch
- file: elastarules
- file: elastalogdir
- file: elastacustmodulesdir
- file: elastaconf
- watch:
- file: elastaconf
- onlyif:
- "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" {# only run this state if elasticsearch is version 8 #}
delete_so-elastalert_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-elastalert$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

144
salt/elastalert/init.sls
View File

@@ -1,141 +1,13 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'elastalert/elastalert_config.map.jinja' import ELASTALERT as elastalert_config with context %}
# Create the group
elastagroup:
group.present:
- name: elastalert
- gid: 933
# Add user
elastalert:
user.present:
- uid: 933
- gid: 933
- home: /opt/so/conf/elastalert
- createhome: False
elastalogdir:
file.directory:
- name: /opt/so/log/elastalert
- user: 933
- group: 933
- makedirs: True
elastalert_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://elastalert/tools/sbin
- user: 933
- group: 939
- file_mode: 755
#elastalert_sbin_jinja:
# file.recurse:
# - name: /usr/sbin
# - source: salt://elastalert/tools/sbin_jinja
# - user: 933
# - group: 939
# - file_mode: 755
# - template: jinja
elastarules:
file.directory:
- name: /opt/so/rules/elastalert
- user: 933
- group: 933
- makedirs: True
elastaconfdir:
file.directory:
- name: /opt/so/conf/elastalert
- user: 933
- group: 933
- makedirs: True
elastasomodulesdir:
file.directory:
- name: /opt/so/conf/elastalert/modules/so
- user: 933
- group: 933
- makedirs: True
elastacustmodulesdir:
file.directory:
- name: /opt/so/conf/elastalert/modules/custom
- user: 933
- group: 933
- makedirs: True
elastasomodulesync:
file.recurse:
- name: /opt/so/conf/elastalert/modules/so
- source: salt://elastalert/files/modules/so
- user: 933
- group: 933
- makedirs: True
elastaconf:
file.managed:
- name: /opt/so/conf/elastalert/elastalert_config.yaml
- source: salt://elastalert/files/elastalert_config.yaml.jinja
- context:
elastalert_config: {{ elastalert_config.elastalert.config }}
- user: 933
- group: 933
- mode: 660
- template: jinja
- show_changes: False
wait_for_elasticsearch:
cmd.run:
- name: so-elasticsearch-wait
so-elastalert:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastalert:{{ GLOBALS.so_version }}
- hostname: elastalert
- name: so-elastalert
- user: so-elastalert
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
- detach: True
- binds:
- /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
- /opt/so/log/elastalert:/var/log/elastalert:rw
- /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
- /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- require:
- cmd: wait_for_elasticsearch
- file: elastarules
- file: elastalogdir
- file: elastacustmodulesdir
- file: elastaconf
- watch:
- file: elastaconf
- onlyif:
- "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" {# only run this state if elasticsearch is version 8 #}
append_so-elastalert_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-elastalert
{% from 'elastalert/map.jinja' import ELASTALERTMERGED %}
include:
{% if ELASTALERTMERGED.enabled %}
- elastalert.enabled
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
- elastalert.disabled
{% endif %}

15
salt/elastalert/map.jinja Normal file
View File

@@ -0,0 +1,15 @@
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'elastalert/defaults.yaml' as ELASTALERTDEFAULTS %}
{% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_host': GLOBALS.manager}) %}
{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %}
{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %}
{% set ELASTALERTMERGED = salt['pillar.get']('elastalert', ELASTALERTDEFAULTS.elastalert, merge=True) %}

3
salt/elastalert/soc_elastalert.yaml
View File

@@ -1,4 +1,7 @@
elastalert:
enabled:
description: You can enable or disable Elastalert.
helpLink: elastalert.html
config:
disable_rules_on_error:
description: Disable rules on failure.

21
salt/elastalert/sostatus.sls Normal file
View File

@@ -0,0 +1,21 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
append_so-elastalert_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-elastalert
- unless: grep -q so-elastalert /opt/so/conf/so-status/so-status.conf
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}