mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-01-24 00:43:28 +01:00
Merge pull request #8771 from Security-Onion-Solutions/funstuff
Add NTP and NGINX
This commit is contained in:
Mike Reeves
GitHub
@@ -1,6 +1,8 @@
|
||||
base:
|
||||
'*':
|
||||
- patch.needs_restarting
|
||||
- ntp.soc_ntp
|
||||
- ntp.adv_ntp
|
||||
- logrotate
|
||||
- docker.soc_docker
|
||||
- docker.adv_docker
|
||||
|
||||
1
salt/nginx/config/ssl.crt
Normal file
1
salt/nginx/config/ssl.crt
Normal file
@@ -0,0 +1 @@
|
||||
# Replace this text with the text from the .crt
|
||||
1
salt/nginx/config/ssl.key
Normal file
1
salt/nginx/config/ssl.key
Normal file
@@ -0,0 +1 @@
|
||||
# Replace this text with the text from the .crt
|
||||
3
salt/nginx/defaults.yaml
Normal file
3
salt/nginx/defaults.yaml
Normal file
@@ -0,0 +1,3 @@
|
||||
nginx:
|
||||
config:
|
||||
replace_cert: False
|
||||
@@ -1,11 +1,5 @@
|
||||
{%- from 'vars/globals.map.jinja' import GLOBALS %}
|
||||
{%- set role = grains.id.split('_') | last %}
|
||||
|
||||
{%- set manager_ip = salt['pillar.get']('global:managerip', '') %}
|
||||
{%- set url_base = salt['pillar.get']('global:url_base') %}
|
||||
|
||||
{%- set airgap = salt['pillar.get']('global:airgap', 'False') %}
|
||||
|
||||
|
||||
worker_processes auto;
|
||||
error_log /var/log/nginx/error.log;
|
||||
pid /run/nginx.pid;
|
||||
@@ -42,13 +36,13 @@ http {
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name _;
|
||||
return 307 https://{{ url_base }}$request_uri;
|
||||
return 307 https://{{ GLOBALS.url_base }}$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2 default_server;
|
||||
server_name _;
|
||||
return 307 https://{{ url_base }}$request_uri;
|
||||
return 307 https://{{ GLOBALS.url_base }}$request_uri;
|
||||
|
||||
ssl_certificate "/etc/pki/nginx/server.crt";
|
||||
ssl_certificate_key "/etc/pki/nginx/server.key";
|
||||
@@ -66,7 +60,7 @@ http {
|
||||
|
||||
server {
|
||||
listen 7788;
|
||||
server_name {{ url_base }};
|
||||
server_name {{ GLOBALS.url_base }};
|
||||
root /opt/socore/html/repo;
|
||||
location /rules/ {
|
||||
allow all;
|
||||
@@ -81,7 +75,7 @@ http {
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name {{ url_base }};
|
||||
server_name {{ GLOBALS.url_base }};
|
||||
root /opt/socore/html;
|
||||
index index.html;
|
||||
|
||||
@@ -100,7 +94,7 @@ http {
|
||||
ssl_protocols TLSv1.2;
|
||||
|
||||
location ~* (^/login/.*|^/js/.*|^/css/.*|^/images/.*) {
|
||||
proxy_pass http://{{ manager_ip }}:9822;
|
||||
proxy_pass http://{{ GLOBALS.manager_ip }}:9822;
|
||||
proxy_read_timeout 90;
|
||||
proxy_connect_timeout 90;
|
||||
proxy_set_header x-user-id "";
|
||||
@@ -117,7 +111,7 @@ http {
|
||||
auth_request /auth/sessions/whoami;
|
||||
auth_request_set $userid $upstream_http_x_kratos_authenticated_identity_id;
|
||||
proxy_set_header x-user-id $userid;
|
||||
proxy_pass http://{{ manager_ip }}:9822/;
|
||||
proxy_pass http://{{ GLOBALS.manager_ip }}:9822/;
|
||||
proxy_read_timeout 300;
|
||||
proxy_connect_timeout 300;
|
||||
proxy_set_header Host $host;
|
||||
@@ -131,7 +125,7 @@ http {
|
||||
|
||||
location ~ ^/auth/.*?(whoami|login|logout|settings) {
|
||||
rewrite /auth/(.*) /$1 break;
|
||||
proxy_pass http://{{ manager_ip }}:4433;
|
||||
proxy_pass http://{{ GLOBALS.manager_ip }}:4433;
|
||||
proxy_read_timeout 90;
|
||||
proxy_connect_timeout 90;
|
||||
proxy_set_header Host $host;
|
||||
@@ -188,7 +182,7 @@ http {
|
||||
location /grafana/ {
|
||||
auth_request /auth/sessions/whoami;
|
||||
rewrite /grafana/(.*) /$1 break;
|
||||
proxy_pass http://{{ manager_ip }}:3000/;
|
||||
proxy_pass http://{{ GLOBALS.manager_ip }}:3000/;
|
||||
proxy_read_timeout 90;
|
||||
proxy_connect_timeout 90;
|
||||
proxy_set_header Host $host;
|
||||
@@ -201,7 +195,7 @@ http {
|
||||
location /kibana/ {
|
||||
auth_request /auth/sessions/whoami;
|
||||
rewrite /kibana/(.*) /$1 break;
|
||||
proxy_pass http://{{ manager_ip }}:5601/;
|
||||
proxy_pass http://{{ GLOBALS.manager_ip }}:5601/;
|
||||
proxy_read_timeout 300;
|
||||
proxy_connect_timeout 300;
|
||||
proxy_set_header Host $host;
|
||||
@@ -213,7 +207,7 @@ http {
|
||||
|
||||
location /nodered/ {
|
||||
auth_request /auth/sessions/whoami;
|
||||
proxy_pass http://{{ manager_ip }}:1880/;
|
||||
proxy_pass http://{{ GLOBALS.manager_ip }}:1880/;
|
||||
proxy_read_timeout 90;
|
||||
proxy_connect_timeout 90;
|
||||
proxy_set_header Host $host;
|
||||
@@ -227,7 +221,7 @@ http {
|
||||
|
||||
location /playbook/ {
|
||||
auth_request /auth/sessions/whoami;
|
||||
proxy_pass http://{{ manager_ip }}:3200/playbook/;
|
||||
proxy_pass http://{{ GLOBALS.manager_ip }}:3200/playbook/;
|
||||
proxy_read_timeout 90;
|
||||
proxy_connect_timeout 90;
|
||||
proxy_set_header Host $host;
|
||||
@@ -240,7 +234,7 @@ http {
|
||||
|
||||
location /soctopus/ {
|
||||
auth_request /auth/sessions/whoami;
|
||||
proxy_pass http://{{ manager_ip }}:7000/;
|
||||
proxy_pass http://{{ GLOBALS.manager_ip }}:7000/;
|
||||
proxy_read_timeout 300;
|
||||
proxy_connect_timeout 300;
|
||||
proxy_set_header Host $host;
|
||||
@@ -262,7 +256,7 @@ http {
|
||||
if ($http_authorization = "") {
|
||||
return 403;
|
||||
}
|
||||
proxy_pass http://{{ manager_ip }}:9822/;
|
||||
proxy_pass http://{{ GLOBALS.manager_ip }}:9822/;
|
||||
proxy_read_timeout 90;
|
||||
proxy_connect_timeout 90;
|
||||
proxy_set_header x-user-id "";
|
||||
|
||||
@@ -1,11 +1,7 @@
|
||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||
{% if sls in allowed_states %}
|
||||
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set VERSION = salt['pillar.get']('global:soversion') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
|
||||
{% set ISAIRGAP = salt['pillar.get']('global:airgap') %}
|
||||
|
||||
include:
|
||||
- ssl
|
||||
|
||||
@@ -85,7 +81,7 @@ navigatorenterpriseattack:
|
||||
|
||||
so-nginx:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-nginx:{{ VERSION }}
|
||||
- image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }}
|
||||
- hostname: so-nginx
|
||||
- binds:
|
||||
- /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
|
||||
@@ -108,9 +104,6 @@ so-nginx:
|
||||
- port_bindings:
|
||||
- 80:80
|
||||
- 443:443
|
||||
{% if ISAIRGAP is sameas true %}
|
||||
- 7788:7788
|
||||
{% endif %}
|
||||
- watch:
|
||||
- file: nginxconf
|
||||
- file: nginxconfdir
|
||||
|
||||
19
salt/nginx/soc_nginx.yaml
Normal file
19
salt/nginx/soc_nginx.yaml
Normal file
@@ -0,0 +1,19 @@
|
||||
nginx:
|
||||
config:
|
||||
replace_cert:
|
||||
description: Replace the Security Onion Certificate with your own?
|
||||
global: True
|
||||
advanced: True
|
||||
title: Replace Default Cert
|
||||
ssl__key:
|
||||
description: Paste your .key file here
|
||||
file: True
|
||||
title: SSL Key File
|
||||
advanced: True
|
||||
global: True
|
||||
ssl__crt:
|
||||
description: Paste your .crt file here
|
||||
file: True
|
||||
title: SSL Cert File
|
||||
advanced: True
|
||||
global: True
|
||||
11
salt/ntp/chrony.conf
Normal file
11
salt/ntp/chrony.conf
Normal file
@@ -0,0 +1,11 @@
|
||||
|
||||
# NTP server list
|
||||
{%- for SERVER in NTPCONFIG.servers %}
|
||||
server {{ SERVER }} iburst
|
||||
{%- endfor %}
|
||||
|
||||
# Config options
|
||||
driftfile /var/lib/chrony/drift
|
||||
makestep 1.0 3
|
||||
rtcsync
|
||||
logdir /var/log/chrony
|
||||
3
salt/ntp/config.map.jinja
Normal file
3
salt/ntp/config.map.jinja
Normal file
@@ -0,0 +1,3 @@
|
||||
{% import_yaml 'ntp/defaults.yaml' as NTP with context %}
|
||||
|
||||
{% set NTPCONFIG = salt['pillar.get']('ntp:config', default=NTP.ntp.config, merge=True) %}
|
||||
5
salt/ntp/defaults.yaml
Normal file
5
salt/ntp/defaults.yaml
Normal file
@@ -0,0 +1,5 @@
|
||||
ntp:
|
||||
config:
|
||||
servers:
|
||||
- 0.pool.ntp.org
|
||||
- 1.pool.ntp.org
|
||||
19
salt/ntp/init.sls
Normal file
19
salt/ntp/init.sls
Normal file
@@ -0,0 +1,19 @@
|
||||
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
||||
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
||||
# https://securityonion.net/license; you may not use this file except in compliance with the
|
||||
# Elastic License 2.0.
|
||||
{% from 'ntp/config.map.jinja' import NTPCONFIG %}
|
||||
|
||||
chronyconf:
|
||||
file.managed:
|
||||
- name: /etc/chrony.conf
|
||||
- source: salt://ntp/chrony.conf
|
||||
- template: jinja
|
||||
- defaults:
|
||||
NTPCONFIG: {{ NTPCONFIG }}
|
||||
|
||||
chronyd:
|
||||
service.running:
|
||||
- enable: True
|
||||
- watch:
|
||||
- file: chronyconf
|
||||
5
salt/ntp/soc_ntp.yaml
Normal file
5
salt/ntp/soc_ntp.yaml
Normal file
@@ -0,0 +1,5 @@
|
||||
ntp:
|
||||
config:
|
||||
servers:
|
||||
description: NTP Server List
|
||||
title: NTP Servers
|
||||
@@ -22,6 +22,7 @@ base:
|
||||
'*':
|
||||
- cron.running
|
||||
- repo.client
|
||||
- ntp
|
||||
|
||||
'not G@saltversion:{{saltversion}}':
|
||||
- match: compound
|
||||
|
||||
@@ -81,7 +81,7 @@ export whiptail_title
|
||||
|
||||
mkdir -p $local_salt_dir/pillar/minions
|
||||
|
||||
for THEDIR in bpf pcap elasticsearch firewall redis backup strelka sensoroni curator soc soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh elastalert
|
||||
for THEDIR in bpf pcap elasticsearch ntp firewall redis backup strelka sensoroni curator soc soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh elastalert
|
||||
do
|
||||
mkdir -p $local_salt_dir/pillar/$THEDIR
|
||||
touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
|
||||
|
||||
Reference in New Issue
Block a user