From 96666ab30712e9c451253f9b689aa6caa1340c26 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 7 Dec 2021 10:19:32 -0500 Subject: [PATCH] add receiver node --- .../assigned_hostgroups.local.map.yaml | 3 ++- files/firewall/hostgroups.local.yaml | 4 ++++ pillar/logstash/receiver.sls | 10 ++++++++ pillar/top.sls | 8 +++++++ .../config/so/9999_output_redis.conf.jinja | 2 +- salt/top.sls | 24 +++++++++++++++++++ setup/so-functions | 5 +++- setup/so-whiptail | 3 ++- 8 files changed, 55 insertions(+), 4 deletions(-) create mode 100644 pillar/logstash/receiver.sls diff --git a/files/firewall/assigned_hostgroups.local.map.yaml b/files/firewall/assigned_hostgroups.local.map.yaml index 50ef751a4..ee871ad80 100644 --- a/files/firewall/assigned_hostgroups.local.map.yaml +++ b/files/firewall/assigned_hostgroups.local.map.yaml @@ -16,6 +16,7 @@ role: import: manager: managersearch: + receiver: standalone: searchnode: - sensor: \ No newline at end of file + sensor: diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml index d02d7c785..334b090d1 100644 --- a/files/firewall/hostgroups.local.yaml +++ b/files/firewall/hostgroups.local.yaml @@ -44,6 +44,10 @@ firewall: ips: delete: insert: + receiver: + ips: + delete: + insert: search_node: ips: delete: diff --git a/pillar/logstash/receiver.sls b/pillar/logstash/receiver.sls new file mode 100644 index 000000000..fc0788824 --- /dev/null +++ b/pillar/logstash/receiver.sls @@ -0,0 +1,10 @@ +{%- set PIPELINE = salt['pillar.get']('global:pipeline', 'redis') %} +logstash: + pipelines: + manager: + config: + - so/0009_input_beats.conf + - so/0010_input_hhbeats.conf + - so/0011_input_endgame.conf + - so/9999_output_redis.conf.jinja + \ No newline at end of file diff --git a/pillar/top.sls b/pillar/top.sls index 5401b83e3..a81fdc862 100644 --- a/pillar/top.sls +++ b/pillar/top.sls 
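Review bot: `PIPELINE` is set on the first line of the new pillar/logstash/receiver.sls but is never referenced in the rest of the ten-line file, so either the output config should be chosen from it or the `{%- set PIPELINE ... %}` line should go. The single pipeline is keyed `manager:` even though this pillar is only loaded for the receiver role; if the logstash state selects on that key this is presumably deliberate, but a one-line comment such as `# keyed 'manager' on purpose: the logstash state looks up this pipeline name` would stop the next reader from renaming it. The file also ends on a whitespace-only added line with `\ No newline at end of file`, which is worth trimming before merge.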
@@ -104,6 +104,14 @@ base: - minions.{{ grains.id }} - data.nodestab + '*_receiver': + - logstash + - logstash.receiver + - elasticsearch.auth + - global + - minions.{{ grains.id }} + - data.receivertab + '*_import': - zeeklogs - secrets diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja index 6b9c62e2f..eac5fe304 100644 --- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja @@ -1,4 +1,4 @@ -{%- if grains.role in ['so-heavynode'] %} +{%- if grains.role in ['so-heavynode', 'so-receiver'] %} {%- set HOST = salt['grains.get']('host') %} {%- else %} {%- set HOST = salt['grains.get']('master') %} diff --git a/salt/top.sls b/salt/top.sls index a8f2018a6..18f37e713 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -478,3 +478,27 @@ base: - docker_clean - pipeline.load - learn + + '*_receiver and G@saltversion:{{saltversion}}': + - match: compound + - ca + - ssl + - telegraf + - firewall + {%- if WAZUH != 0 %} + - wazuh + {%- endif %} + {%- if LOGSTASH %} + - logstash + {%- endif %} + {%- if REDIS %} + - redis + {%- endif %} + {%- if FILEBEAT %} + - filebeat + {%- endif %} + {%- if FLEETMANAGER or FLEETNODE %} + - fleet.install_package + {%- endif %} + - schedule + - docker_clean diff --git a/setup/so-functions b/setup/so-functions index daf609f67..20818aa72 100755 --- a/setup/so-functions +++ b/setup/so-functions 
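Review bot: The new `'*_receiver'` target in pillar/top.sls hands the receiver `elasticsearch.auth`, yet the receiver pillar created in this same commit only configures beats inputs and the Redis output, so the node would hold Elasticsearch credentials it appears to have no use for; unless the logstash state itself needs them, dropping `- elasticsearch.auth` keeps the receiver to the secrets it actually uses. The target also lists `- data.receivertab` while the commit adds no initial `pillar/data/receivertab.sls`; if `addtotab.sh receivertab` is what creates that file, the first pillar render for a `*_receiver` minion before it runs may fail, so this is worth checking against how `data.nodestab` is seeded.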
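Review bot: The new `'*_receiver and G@saltversion:{{saltversion}}'` block in salt/top.sls applies `logstash` and `redis` only behind `{%- if LOGSTASH %}` and `{%- if REDIS %}`, while the Redis output template changed in this commit points `so-receiver` at its own host unconditionally; a receiver installed with either global off would accept beats traffic and have nowhere to queue it, or send it to a Redis that was never started. Since these two states are the role's reason to exist, listing them unconditionally, or at least noting the dependency with a comment like `# receiver requires logstash + local redis; see 9999_output_redis.conf.jinja`, seems safer. `wazuh` and `fleet.install_package` look carried over from another role's block; if a receiver genuinely needs them, a short comment saying why would help. Because this node now runs its own Redis, the port assignments for the new `receiver` hostgroup (in the non-local map, not part of this patch) should limit Redis to the manager/search nodes rather than to the senders that only need the beats ports — inferred from the pillar, so please confirm.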
@@ -2665,7 +2665,7 @@ set_initial_firewall_policy() { $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" ;; - 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET') + 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'RECEIVER') $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" case "$install_type" in 'SENSOR') @@ -2685,6 +2685,9 @@ set_initial_firewall_policy() { 'FLEET') $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP" ;; + 'RECEIVER') + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost receiver "$MAINIP" + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh receivertab "$MINION_ID" "$MAINIP" esac ;; 'PARSINGNODE') diff --git a/setup/so-whiptail b/setup/so-whiptail index c49e7396a..bdaa50849 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -796,11 +796,12 @@ whiptail_install_type_dist_existing() { Note: Heavy nodes (HEAVYNODE) are NOT recommended for most users. EOM - install_type=$(whiptail --title "$whiptail_title" --radiolist "$node_msg" 18 58 4 \ + install_type=$(whiptail --title "$whiptail_title" --radiolist "$node_msg" 18 58 5 \ "SENSOR" "Create a forward only sensor " ON \ "SEARCHNODE" "Add a search node with parsing " OFF \ "FLEET" "Dedicated Fleet Osquery Node " OFF \ "HEAVYNODE" "Sensor + Search Node " OFF \ + "RECEIVER" "Receiver Node " OFF \ 3>&1 1>&2 2>&3 # "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO # "WARMNODE" "Add Warm Node to existing Hot or Search node" OFF \ # TODO
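Review bot: The new `'RECEIVER')` clause in the inner case of set_initial_firewall_policy omits the `;;` terminator that every sibling clause (`'FLEET')` just above it) carries; bash tolerates a bare final clause before `esac`, but the inconsistency invites a syntax error the next time a clause is appended below it. Add `;;` after the `addtotab.sh receivertab "$MINION_ID" "$MAINIP"` line. The enclosing case statement and the function itself begin and end outside the hunk.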
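Review bot: The new radiolist entry's description `"Receiver Node "` in whiptail_install_type_dist_existing only repeats its tag, whereas the four existing entries each say what the node does ("Create a forward only sensor", "Sensor + Search Node"); a description along the lines of `"Receive logs and queue them in Redis "` would match them — the wording is inferred from the pillar added in this commit, so adjust to taste. The `node_msg` heredoc above the list, which warns about Heavy nodes, also says nothing about when a receiver is the right choice, and a sentence there would help the installer.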