From f93c6146f5ebe1a41fdb9addcb80d460d1e6e970 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 21 Oct 2021 15:24:55 -0400 Subject: [PATCH 01/21] docker binds requires --- salt/ca/init.sls | 5 +++-- salt/domainstats/init.sls | 4 +++- salt/elastalert/init.sls | 4 ++++ salt/elasticsearch/init.sls | 21 ++++++++++++++++++++- salt/ssl/init.sls | 3 +++ 5 files changed, 33 insertions(+), 4 deletions(-) diff --git a/salt/ca/init.sls b/salt/ca/init.sls index 485b01d3e..9c30b5c5e 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls @@ -24,8 +24,9 @@ pki_private_key: - x509: /etc/pki/ca.crt {%- endif %} -/etc/pki/ca.crt: +pki_public_ca_crt: x509.certificate_managed: + - name: /etc/pki/ca.crt - signing_private_key: /etc/pki/ca.key - CN: {{ manager }} - C: US @@ -66,4 +67,4 @@ cakeyperms: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/domainstats/init.sls b/salt/domainstats/init.sls index 72ccf2f76..225db7e72 100644 --- a/salt/domainstats/init.sls +++ b/salt/domainstats/init.sls @@ -53,6 +53,8 @@ so-domainstats: - user: domainstats - binds: - /opt/so/log/domainstats:/var/log/domain_stats + - require: + - file: dstatslogdir append_so-domainstats_so-status.conf: file.append: @@ -65,4 +67,4 @@ append_so-domainstats_so-status.conf: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index a5c3a3b67..f94e0c1d0 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -122,6 +122,10 @@ so-elastalert: - {{MANAGER_URL}}:{{MANAGER_IP}} - require: - cmd: wait_for_elasticsearch + - file: elastarules + - file: elastalogdir + - file: elastacustmodulesdir + - file: elastaconf - watch: - file: elastaconf diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 9f475c2c3..f3908fd60 100644 --- a/salt/elasticsearch/init.sls 
+++ b/salt/elasticsearch/init.sls @@ -15,7 +15,8 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - +include: + - ssl {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -280,6 +281,24 @@ so-elasticsearch: - file: esyml - file: esingestconf - file: so-elasticsearch-pipelines-file + - require: + - file: esyml + - file: eslog4jfile + - file: nsmesdir + - file: eslogdir + - file: cacertz + - file: /etc/pki/elasticsearch.crt + - file: /etc/pki/elasticsearch.key + - file: elasticp12perms + {% if ismanager %} + - file: pki_public_ca_crt + {% else %} + - file: trusttheca + {% endif %} + {% if salt['pillar.get']('elasticsearch:auth:enabled', False) %} + - cmd: auth_users_roles_inode + - cmd: auth_users_inode + {% endif %} append_so-elasticsearch_so-status.conf: file.append: diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 5690691fc..8ec404a5b 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -30,6 +30,9 @@ {% set ca_server = global_ca_server[0] %} {% endif %} +include: + - ca + # Trust the CA trusttheca: x509.pem_managed: From 451b19dc4d843286f1f6c890c36e117299527b5e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 22 Oct 2021 09:53:20 -0400 Subject: [PATCH 02/21] change from file to x509 --- salt/elasticsearch/init.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index f3908fd60..41a9f4504 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
@@ -287,13 +287,13 @@ so-elasticsearch: - file: nsmesdir - file: eslogdir - file: cacertz - - file: /etc/pki/elasticsearch.crt - - file: /etc/pki/elasticsearch.key + - x509: /etc/pki/elasticsearch.crt + - x509: /etc/pki/elasticsearch.key - file: elasticp12perms {% if ismanager %} - - file: pki_public_ca_crt + - x509: pki_public_ca_crt {% else %} - - file: trusttheca + - x509: trusttheca {% endif %} {% if salt['pillar.get']('elasticsearch:auth:enabled', False) %} - cmd: auth_users_roles_inode From fed8bfac674e8c0434c61a627acc66f214400391 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 22 Oct 2021 14:10:59 -0400 Subject: [PATCH 03/21] more requires on docker containers --- salt/domainstats/init.sls | 3 +-- salt/filebeat/init.sls | 16 ++++++++++++---- salt/fleet/init.sls | 6 +++++- salt/grafana/init.sls | 2 ++ salt/influxdb/init.sls | 6 ++++++ salt/learn/logscan.sls | 2 ++ salt/logstash/init.sls | 16 ++++++++++++---- salt/ssl/init.sls | 36 +++++++++++++++++++++++------------- 8 files changed, 63 insertions(+), 24 deletions(-) diff --git a/salt/domainstats/init.sls b/salt/domainstats/init.sls index 225db7e72..e2167d161 100644 --- a/salt/domainstats/init.sls +++ b/salt/domainstats/init.sls @@ -45,8 +45,6 @@ so-domainstatsimage: so-domainstats: docker_container.running: - - require: - - so-domainstatsimage - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-domainstats:{{ VERSION }} - hostname: domainstats - name: so-domainstats @@ -55,6 +53,7 @@ so-domainstats: - /opt/so/log/domainstats:/var/log/domain_stats - require: - file: dstatslogdir + - cmd: so-domainstatsimage append_so-domainstats_so-status.conf: file.append: diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index f03d3dc1a..ac45a50cd 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
@@ -25,9 +25,10 @@ {% from 'filebeat/map.jinja' import SO with context %} {% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %} +include: + - ssl #only include elastic state for certain nodes {% if grains.role in ES_INCLUDED_NODES %} -include: - elasticsearch {% endif %} @@ -66,7 +67,7 @@ fileregistrydir: - makedirs: True # This needs to be owned by root -filebeatconfsync: +filebeatconf: file.managed: - name: /opt/so/conf/filebeat/etc/filebeat.yml - source: salt://filebeat/etc/filebeat.yml @@ -78,7 +79,7 @@ filebeatconfsync: OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }} # Filebeat module config file -filebeatmoduleconfsync: +filebeatmoduleconf: file.managed: - name: /opt/so/conf/filebeat/etc/module-setup.yml - source: salt://filebeat/etc/module-setup.yml @@ -135,7 +136,14 @@ so-filebeat: {% endfor %} {% endfor %} - watch: - - file: /opt/so/conf/filebeat/etc/filebeat.yml + - file: filebeatconf + - require: + - file: filebeatconf + - file: filebeatmoduleconf + - file: filebeatmoduledir + - x509: filebeat_crt + - x509: filebeat_key + - x509: trusttheca {% if grains.role in ES_INCLUDED_NODES %} run_module_setup: diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index 1bb4e73d6..2a0ac540b 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -17,6 +17,7 @@ include: + - ssl - mysql # Fleet Setup @@ -136,10 +137,13 @@ so-fleet: - /opt/so/conf/fleet/packs:/packs - watch: - /opt/so/conf/fleet/etc + - require: + - x509: fleet_key + - x509: fleet_crt append_so-fleet_so-status.conf: file.append: - name: /opt/so/conf/so-status/so-status.conf - text: so-fleet -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index 42df29af4..9113cdbe1 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls 
@@ -132,6 +132,8 @@ so-grafana: - 0.0.0.0:3000:3000 - watch: - file: /opt/so/conf/grafana/* + - require: + - file: grafana-config append_so-grafana_so-status.conf: file.append: diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index f270c9f73..218d2d18e 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -17,6 +17,8 @@ include: - salt.minion - salt.python3-influxdb + - ssl + # Influx DB influxconfdir: file.directory: @@ -60,6 +62,10 @@ so-influxdb: - 0.0.0.0:8086:8086 - watch: - file: influxdbconf + - require: + - file: influxdbconf + - x509: influxdb_key + - x509: influxdb_crt append_so-influxdb_so-status.conf: file.append: diff --git a/salt/learn/logscan.sls b/salt/learn/logscan.sls index cc8bb2996..91f64420a 100644 --- a/salt/learn/logscan.sls +++ b/salt/learn/logscan.sls @@ -51,6 +51,8 @@ so-logscan: - /opt/so/log/logscan:/logscan/output:rw - /opt/so/log:/logscan/logs:ro - cpu_period: {{ logscan_cpu_period }} + - require: + - file: logscan_conf {% else %} - force: true {% endif %} diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index cd6a8918c..50abd1e5b 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -45,6 +45,7 @@ {% endif %} include: + - ssl - elasticsearch # Create the logstash group @@ -162,9 +163,7 @@ so-logstash: {% endfor %} - binds: - /opt/so/conf/elasticsearch/templates/:/templates/:ro - - /opt/so/conf/logstash/etc/log4j2.properties:/usr/share/logstash/config/log4j2.properties:ro - - /opt/so/conf/logstash/etc/logstash.yml:/usr/share/logstash/config/logstash.yml:ro - - /opt/so/conf/logstash/etc/pipelines.yml:/usr/share/logstash/config/pipelines.yml + - /opt/so/conf/logstash/etc/:/usr/share/logstash/config/:ro - /opt/so/conf/logstash/pipelines:/usr/share/logstash/pipelines:ro - /opt/so/rules:/etc/nsm/rules:ro - /nsm/import:/nsm/import:ro 
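Review bot: The new `/opt/so/conf/logstash/etc/:/usr/share/logstash/config/:ro` bind mounts over the image's whole config directory, so any file the image ships there that the host directory does not carry is hidden, whereas the three per-file binds it replaces only shadowed log4j2.properties, logstash.yml and pipelines.yml; it also turns pipelines.yml from read-write into read-only. I cannot see the host directory's contents from here, so please confirm it holds a complete config set (jvm.options is the file that is typically missing in such a copy) before relying on this. It also means anything else dropped into /opt/so/conf/logstash/etc/ becomes visible to the container. The thehive hunk in patch 07 (`/opt/so/conf/thehive/etc/es/:/usr/share/elasticsearch/config/:ro`) has the same shape, and patch 09 already had to back out the equivalent whole-directory `/etc/` bind for mysql.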
@@ -181,7 +180,6 @@ so-logstash: {% endif %} - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro - - /etc/pki/ca.cer:/ca/ca.crt:ro {%- if grains['role'] == 'so-eval' %} - /nsm/zeek:/nsm/zeek:ro - /nsm/suricata:/suricata:ro @@ -201,6 +199,16 @@ so-logstash: {% for TEMPLATE in TEMPLATES %} - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} {% endfor %} + - require: + - x509: filebeat_crt + - x509: filebeat_key +{% if grains['role'] == 'so-heavynode' %} + - x509: trusttheca +{% else %} + - x509: pki_public_ca_crt +{% endif %} + - file: cacertz + - file: capemz append_so-logstash_so-status.conf: file.append: diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 8ec404a5b..1e63a8980 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -67,8 +67,9 @@ removeesp12dir: - name: /etc/pki/elasticsearch.p12 - onlyif: "[ -d /etc/pki/elasticsearch.p12 ]" -/etc/pki/influxdb.key: +influxdb_key: x509.private_key_managed: + - name: /etc/pki/influxdb.key - CN: {{ manager }} - bits: 4096 - days_remaining: 0 @@ -85,8 +86,9 @@ removeesp12dir: interval: 30 # Create a cert for the talking to influxdb -/etc/pki/influxdb.crt: +influxdb_crt: x509.certificate_managed: + - name: /etc/pki/influxdb.crt - ca_server: {{ ca_server }} - signing_policy: influxdb - public_key: /etc/pki/influxdb.key @@ -161,8 +163,9 @@ rediskeyperms: {% endif %} {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %} -/etc/pki/filebeat.key: +filebeat_key: x509.private_key_managed: + - name: /etc/pki/filebeat.key - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 
@@ -179,8 +182,9 @@ rediskeyperms: interval: 30 # Request a cert and drop it where it needs to go to be distributed -/etc/pki/filebeat.crt: +filebeat_crt: x509.certificate_managed: + - name: /etc/pki/filebeat.crt - ca_server: {{ ca_server }} - signing_policy: filebeat - public_key: /etc/pki/filebeat.key @@ -201,7 +205,7 @@ rediskeyperms: cmd.run: - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt" - onchanges: - - x509: /etc/pki/filebeat.key + - x509: filebeat_key fbperms: @@ -427,8 +431,9 @@ msslkeyperms: - group: 939 # Create a private key and cert for OSQuery -/etc/pki/fleet.key: +fleet_key: x509.private_key_managed: + - name: /etc/pki/fleet.key - CN: {{ manager }} - bits: 4096 - days_remaining: 0 @@ -444,8 +449,9 @@ msslkeyperms: attempts: 5 interval: 30 -/etc/pki/fleet.crt: +fleet_crt: x509.certificate_managed: + - name: /etc/pki/fleet.crt - signing_private_key: /etc/pki/fleet.key - CN: {{ manager }} - subjectAltName: DNS:{{ manager }},IP:{{ managerip }} @@ -476,8 +482,9 @@ fbcertdir: - name: /opt/so/conf/filebeat/etc/pki - makedirs: True -/opt/so/conf/filebeat/etc/pki/filebeat.key: +filebeat_key: x509.private_key_managed: + - name: /opt/so/conf/filebeat/etc/pki/filebeat.key - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 @@ -486,7 +493,7 @@ fbcertdir: - new: True {% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%} - prereq: - - x509: /opt/so/conf/filebeat/etc/pki/filebeat.crt + - x509: filebeat_crt {%- endif %} - timeout: 30 - retry: @@ -494,8 +501,9 @@ fbcertdir: interval: 30 # Request a cert and drop it where it needs to go to be distributed -/opt/so/conf/filebeat/etc/pki/filebeat.crt: +filebeat_crt: x509.certificate_managed: + - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt - ca_server: {{ ca_server }} - signing_policy: filebeat - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key 
@@ -519,7 +527,7 @@ filebeatpkcs: cmd.run: - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:" - onchanges: - - x509: /opt/so/conf/filebeat/etc/pki/filebeat.key + - x509: filebeat_key filebeatkeyperms: file.managed: @@ -585,8 +593,9 @@ msslkeyperms: - group: 939 # Create a private key and cert for Fleet -/etc/pki/fleet.key: +fleet_key: x509.private_key_managed: + - name: /etc/pki/fleet.key - CN: {{ manager }} - bits: 4096 - days_remaining: 0 @@ -602,8 +611,9 @@ msslkeyperms: attempts: 5 interval: 30 -/etc/pki/fleet.crt: +fleet_crt: x509.certificate_managed: + - name: /etc/pki/fleet.crt - signing_private_key: /etc/pki/fleet.key - CN: {{ HOSTNAME }} - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} From f61400680dad58f92bef1bc6e1b7563b94cd35e8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 22 Oct 2021 14:22:15 -0400 Subject: [PATCH 04/21] fix dupe ids --- salt/filebeat/init.sls | 2 +- salt/logstash/init.sls | 1 - salt/ssl/init.sls | 8 ++++---- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index ac45a50cd..83f73de4f 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -142,7 +142,7 @@ so-filebeat: - file: filebeatmoduleconf - file: filebeatmoduledir - x509: filebeat_crt - - x509: filebeat_key + - x509: conf_filebeat_key - x509: trusttheca {% if grains.role in ES_INCLUDED_NODES %} diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 50abd1e5b..a7ed361d6 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -201,7 +201,6 @@ so-logstash: {% endfor %} - require: - x509: filebeat_crt - - x509: filebeat_key {% if grains['role'] == 'so-heavynode' %} - x509: trusttheca {% else %} diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 1e63a8980..645ef0fe0 100644 
--- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -163,7 +163,7 @@ rediskeyperms: {% endif %} {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %} -filebeat_key: +etc_filebeat_key: x509.private_key_managed: - name: /etc/pki/filebeat.key - CN: {{ COMMONNAME }} @@ -205,7 +205,7 @@ filebeat_crt: cmd.run: - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt" - onchanges: - - x509: filebeat_key + - x509: etc_filebeat_key fbperms: @@ -482,7 +482,7 @@ fbcertdir: - name: /opt/so/conf/filebeat/etc/pki - makedirs: True -filebeat_key: +conf_filebeat_key: x509.private_key_managed: - name: /opt/so/conf/filebeat/etc/pki/filebeat.key - CN: {{ COMMONNAME }} @@ -527,7 +527,7 @@ filebeatpkcs: cmd.run: - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:" - onchanges: - - x509: filebeat_key + - x509: conf_filebeat_key filebeatkeyperms: file.managed: From 9f6407fcb0502df8e7ca9fd793de8c3cf81fdc02 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 22 Oct 2021 14:26:04 -0400 Subject: [PATCH 05/21] fix dupe ids --- salt/filebeat/init.sls | 2 +- salt/logstash/init.sls | 2 +- salt/ssl/init.sls | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 83f73de4f..2693663db 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -141,7 +141,7 @@ so-filebeat: - file: filebeatconf - file: filebeatmoduleconf - file: filebeatmoduledir - - x509: filebeat_crt + - x509: conf_filebeat_crt - x509: conf_filebeat_key - x509: trusttheca diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index a7ed361d6..c27631685 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
@@ -200,7 +200,7 @@ so-logstash: - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} {% endfor %} - require: - - x509: filebeat_crt + - x509: etc_filebeat_crt {% if grains['role'] == 'so-heavynode' %} - x509: trusttheca {% else %} diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 645ef0fe0..a741272d6 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -174,7 +174,7 @@ etc_filebeat_key: - new: True {% if salt['file.file_exists']('/etc/pki/filebeat.key') -%} - prereq: - - x509: /etc/pki/filebeat.crt + - x509: etc_filebeat_crt {%- endif %} - timeout: 30 - retry: @@ -182,7 +182,7 @@ etc_filebeat_key: interval: 30 # Request a cert and drop it where it needs to go to be distributed -filebeat_crt: +etc_filebeat_crt: x509.certificate_managed: - name: /etc/pki/filebeat.crt - ca_server: {{ ca_server }} @@ -493,7 +493,7 @@ conf_filebeat_key: - new: True {% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%} - prereq: - - x509: filebeat_crt + - x509: conf_filebeat_crt {%- endif %} - timeout: 30 - retry: @@ -501,7 +501,7 @@ conf_filebeat_key: interval: 30 # Request a cert and drop it where it needs to go to be distributed -filebeat_crt: +conf_filebeat_crt: x509.certificate_managed: - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt - ca_server: {{ ca_server }} From 283f7296bc59cabf5cc633e7c1a2bda228a74785 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 22 Oct 2021 14:45:22 -0400 Subject: [PATCH 06/21] fix require --- salt/filebeat/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 2693663db..75beb66c9 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -150,7 +150,7 @@ run_module_setup: cmd.run: - name: /usr/sbin/so-filebeat-module-setup - require: - - file: filebeatmoduleconfsync + - file: filebeatmoduleconf - docker_container: so-filebeat - onchanges: - docker_container: so-elasticsearch 
From d7e5377a449f80a90450b5cd1744eec61bb24ea7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 22 Oct 2021 16:46:45 -0400 Subject: [PATCH 07/21] more requires --- salt/manager/init.sls | 5 +++-- salt/minio/init.sls | 8 +++++++- salt/mysql/init.sls | 10 ++++++---- salt/nginx/init.sls | 11 ++++++++++- salt/pcap/init.sls | 4 +++- salt/redis/init.sls | 18 +++++++++++++----- salt/registry/init.sls | 4 ++++ salt/sensoroni/init.sls | 4 +++- salt/soctopus/init.sls | 8 +++++++- salt/ssl/init.sls | 30 ++++++++++++++++++++---------- salt/suricata/init.sls | 8 ++++++-- salt/telegraf/init.sls | 11 ++++++++++- salt/thehive/init.sls | 15 +++++++++++++-- salt/zeek/init.sls | 11 ++++++++--- 14 files changed, 113 insertions(+), 34 deletions(-) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 1d6577e5f..4a3769e1e 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -60,8 +60,7 @@ aptcacherlogdir: - group: 939 - makedirs: true -# Copy the config -acngcopyconf: +acngconf: file.managed: - name: /opt/so/conf/aptcacher-ng/etc/acng.conf - source: salt://manager/files/acng/acng.conf @@ -80,6 +79,8 @@ so-aptcacherng: - /opt/so/conf/aptcacher-ng/cache:/var/cache/apt-cacher-ng:rw - /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro + - require: + - file: acngconf append_so-aptcacherng_so-status.conf: file.append: diff --git a/salt/minio/init.sls b/salt/minio/init.sls index f61209c8b..8e4d548f6 100644 --- a/salt/minio/init.sls +++ b/salt/minio/init.sls @@ -21,6 +21,9 @@ {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} +include: + - ssl + # Minio Setup minioconfdir: file.directory: 
@@ -59,6 +62,9 @@ so-minio: - /etc/pki/minio.key:/.minio/certs/private.key:ro - /etc/pki/minio.crt:/.minio/certs/public.crt:ro - entrypoint: "/usr/bin/docker-entrypoint.sh server --certs-dir /.minio/certs --address :9595 /data" + - require: + - file: minio_key + - file: minio_crt append_so-minio_so-status.conf: file.append: @@ -71,4 +77,4 @@ append_so-minio_so-status.conf: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 46e62fcc0..b4c87eed4 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -45,13 +45,14 @@ mysqlpiddir: - group: 939 - makedirs: True -mysqletcsync: +mysqletc: file.recurse: - name: /opt/so/conf/mysql/etc - source: salt://mysql/etc - user: 939 - group: 939 - template: jinja + - mode: 640 mysqllogdir: file.directory: @@ -88,12 +89,13 @@ so-mysql: - MYSQL_ROOT_HOST={{ MAINIP }} - MYSQL_ROOT_PASSWORD=/etc/mypass - binds: - - /opt/so/conf/mysql/etc/my.cnf:/etc/my.cnf:ro - - /opt/so/conf/mysql/etc/mypass:/etc/mypass + - /opt/so/conf/mysql/etc/:/etc/:ro - /nsm/mysql:/var/lib/mysql:rw - /opt/so/log/mysql:/var/log/mysql:rw - watch: - /opt/so/conf/mysql/etc + - require: + - file: mysqletc cmd.run: - name: until nc -z {{ MAINIP }} 3306; do sleep 1; done - timeout: 600 @@ -118,4 +120,4 @@ append_so-mysql_so-status.conf: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 15c1acc8e..12e0b1fdc 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -8,6 +8,9 @@ {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set ISAIRGAP = salt['pillar.get']('global:airgap') %} +include: + - ssl + # Drop the correct nginx config based on role nginxconfdir: file.directory: 
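Review bot: The new requisites `- file: minio_key` and `- file: minio_crt` name the wrong state module: in the ssl/init.sls hunks of this same patch, minio_key is an `x509.private_key_managed` state and minio_crt an `x509.certificate_managed` state, so Salt will report the requisites as not found and so-minio will fail, the same mistake patch 02 fixed for elasticsearch. The registry hunk in this patch already uses the right form; change these to `- x509: minio_key` and `- x509: minio_crt`.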
@@ -95,6 +98,12 @@ so-nginx: - watch: - file: nginxconf - file: nginxconfdir + - require: + - file: nginxconf + - x509: managerssl_key + - x509: managerssl_crt + - file: navigatorconfig + - file: navigatordefaultlayer append_so-nginx_so-status.conf: file.append: @@ -107,4 +116,4 @@ append_so-nginx_so-status.conf: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 641300fdf..a29398db6 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -127,7 +127,9 @@ so-steno: - /nsm/pcaptmp:/tmp:rw - /opt/so/log/stenographer:/var/log/stenographer:rw - watch: - - file: /opt/so/conf/steno/config + - file: stenoconf + - require: + - file: stenoconf {% else %} {# if stenographer isn't enabled, then stop and remove the container #} - force: True {% endif %} diff --git a/salt/redis/init.sls b/salt/redis/init.sls index a99df219f..d52c49d5b 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -19,6 +19,9 @@ {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} +include: + - ssl + # Redis Setup redisconfdir: file.directory: @@ -41,10 +44,10 @@ redislogdir: - group: 939 - makedirs: True -redisconfsync: - file.recurse: - - name: /opt/so/conf/redis/etc - - source: salt://redis/etc +redisconf: + file.managed: + - name: /opt/so/conf/redis/etc/redis.conf + - source: salt://redis/etc/redis.conf - user: 939 - group: 939 - template: jinja @@ -67,6 +70,11 @@ so-redis: - entrypoint: "redis-server /usr/local/etc/redis/redis.conf" - watch: - file: /opt/so/conf/redis/etc + - require: + - file: redisconf + - x509: redis_crt + - x509: redis_key + - x509: pki_public_ca_crt append_so-redis_so-status.conf: file.append: @@ -79,4 +87,4 @@ append_so-redis_so-status.conf: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} 
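Review bot: The so-redis `watch` still points at `- file: /opt/so/conf/redis/etc` (the context line just above the added `require`), which was satisfied by the file.recurse state this commit replaces; now that redisconf only manages redis.conf, that watch can at best resolve to a directory state (redisconfdir's `name` is outside the hunk, so I cannot confirm it does), and a content change to redis.conf will no longer restart the container. Moving it to `- file: redisconf` restores that behaviour. The mysql hunk in patch 09 ends up in the same position: its `- watch: - /opt/so/conf/mysql/etc` survives while my.cnf and mypass become individually managed files.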
diff --git a/salt/registry/init.sls b/salt/registry/init.sls index eb0c2df0c..b89bd5dff 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls @@ -47,6 +47,10 @@ so-dockerregistry: - retry: attempts: 5 interval: 30 + - require: + - file: dockerregistryconf + - x509: registry_crt + - x509: registry_key append_so-dockerregistry_so-status.conf: file.append: diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls index a55049c06..1405c72bf 100644 --- a/salt/sensoroni/init.sls +++ b/salt/sensoroni/init.sls @@ -38,8 +38,10 @@ so-sensoroni: - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw - watch: - file: /opt/so/conf/sensoroni/sensoroni.json + - require: + - file: sensoroniagentconf append_so-sensoroni_so-status.conf: file.append: - name: /opt/so/conf/so-status/so-status.conf - - text: so-sensoroni \ No newline at end of file + - text: so-sensoroni diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 724e5a617..576cc573d 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -8,6 +8,9 @@ {% set MANAGER_IP = salt['pillar.get']('global:managerip', '') %} {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} +include: + - nginx + soctopusdir: file.directory: - name: /opt/so/conf/soctopus/sigma-import @@ -71,6 +74,9 @@ so-soctopus: - 0.0.0.0:7000:7000 - extra_hosts: - {{MANAGER_URL}}:{{MANAGER_IP}} + - require: + - file: soctopusconf + - file: navigatordefaultlayer append_so-soctopus_so-status.conf: file.append: @@ -83,4 +89,4 @@ append_so-soctopus_so-status.conf: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index a741272d6..e18c71fc5 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls 
@@ -117,8 +117,9 @@ influxkeyperms: {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-fleet'] %} # Create a cert for Redis encryption -/etc/pki/redis.key: +redis_key: x509.private_key_managed: + - name: /etc/pki/redis.key - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 @@ -134,8 +135,9 @@ influxkeyperms: attempts: 5 interval: 30 -/etc/pki/redis.crt: +redis_crt: x509.certificate_managed: + - name: /etc/pki/redis.crt - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/redis.key @@ -244,8 +246,9 @@ fbcrtlink: - user: socore - group: socore -/etc/pki/registry.key: +registry_key: x509.private_key_managed: + - name: /etc/pki/registry.key - CN: {{ manager }} - bits: 4096 - days_remaining: 0 @@ -262,8 +265,9 @@ fbcrtlink: interval: 30 # Create a cert for the docker registry -/etc/pki/registry.crt: +registry_crt: x509.certificate_managed: + - name: /etc/pki/registry.crt - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/registry.key @@ -287,8 +291,9 @@ regkeyperms: - mode: 640 - group: 939 -/etc/pki/minio.key: +minio_key: x509.private_key_managed: + - name: /etc/pki/minio.key - CN: {{ manager }} - bits: 4096 - days_remaining: 0 @@ -305,8 +310,9 @@ regkeyperms: interval: 30 # Create a cert for minio -/etc/pki/minio.crt: +minio_crt: x509.certificate_managed: + - name: /etc/pki/minio.crt - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/minio.key @@ -386,8 +392,9 @@ elasticp12perms: - mode: 640 - group: 930 -/etc/pki/managerssl.key: +managerssl_key: x509.private_key_managed: + - name: /etc/pki/managerssl.key - CN: {{ manager }} - bits: 4096 - days_remaining: 0 
@@ -404,8 +411,9 @@ elasticp12perms: interval: 30 # Create a cert for the reverse proxy -/etc/pki/managerssl.crt: +managerssl_crt: x509.certificate_managed: + - name: /etc/pki/managerssl.crt - ca_server: {{ ca_server }} - signing_policy: managerssl - public_key: /etc/pki/managerssl.key @@ -548,8 +556,9 @@ chownfilebeatp8: {% if grains['role'] == 'so-fleet' %} -/etc/pki/managerssl.key: +managerssl_key: x509.private_key_managed: + - name: /etc/pki/managerssl.key - CN: {{ manager }} - bits: 4096 - days_remaining: 0 @@ -566,8 +575,9 @@ chownfilebeatp8: interval: 30 # Create a cert for the reverse proxy -/etc/pki/managerssl.crt: +managerssl_crt: x509.certificate_managed: + - name: /etc/pki/managerssl.crt - ca_server: {{ ca_server }} - signing_policy: managerssl - public_key: /etc/pki/managerssl.key diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 73c4d2395..f83f54c5c 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -93,7 +93,7 @@ surilogscript: - month: '*' - dayweek: '*' -suriconfigsync: +suriconfig: file.managed: - name: /opt/so/conf/suricata/suricata.yaml - source: salt://suricata/files/suricata.yaml.jinja @@ -155,10 +155,14 @@ so-suricata: - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro - network_mode: host - watch: - - file: /opt/so/conf/suricata/suricata.yaml + - file: suriconfig - file: surithresholding - file: /opt/so/conf/suricata/rules/ - file: /opt/so/conf/suricata/bpf + - require: + - file: suriconfig + - file: surithresholding + - file: suribpf {% else %} {# if Suricata isn't enabled, then stop and remove the container #} - force: True diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index 615cfc237..d71916430 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls 
@@ -88,7 +88,16 @@ so-telegraf: - file: tgrafconf - file: tgrafsyncscripts - file: node_config - + - require: + - file: tgrafconf + - file: node_config + {% if grains['role'] == 'so-manager' or grains['role'] == 'so-eval' or grains['role'] == 'so-managersearch' %} + - x509: pki_public_ca_crt + {% else %} + - x509: trusttheca + {% endif %} + - x509: influxdb_crt + - x509: influxdb_key append_so-telegraf_so-status.conf: file.append: - name: /opt/so/conf/so-status/so-status.conf diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls index d1ee8a4bf..61a7a053c 100644 --- a/salt/thehive/init.sls +++ b/salt/thehive/init.sls @@ -83,8 +83,7 @@ so-thehive-es: - tty: True - binds: - /nsm/thehive/esdata:/usr/share/elasticsearch/data:rw - - /opt/so/conf/thehive/etc/es/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro - - /opt/so/conf/thehive/etc/es/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro + - /opt/so/conf/thehive/etc/es/:/usr/share/elasticsearch/config/:ro - /opt/so/log/thehive:/var/log/elasticsearch:rw - environment: - ES_JAVA_OPTS=-Xms512m -Xmx512m @@ -97,6 +96,14 @@ append_so-thehive-es_so-status.conf: - name: /opt/so/conf/so-status/so-status.conf - text: so-thehive-es +cortex_application_conf: + file.exists: + - name: /opt/so/conf/thehive/etc/cortex-application.conf + +application_conf: + file.exists: + - name: /opt/so/conf/thehive/etc/application.conf + # Install Cortex so-cortex: docker_container.running: @@ -110,6 +117,8 @@ so-cortex: - /opt/so/conf/cortex/custom-responders:/custom-responders:ro - port_bindings: - 0.0.0.0:9001:9001 + - require: + - file: cortex_application_conf append_so-cortex_so-status.conf: file.append: @@ -135,6 +144,8 @@ so-thehive: - /opt/so/conf/thehive/etc/application.conf:/opt/thehive/conf/application.conf:ro - port_bindings: - 0.0.0.0:9000:9000 + - require: + - file: application_conf append_so-thehive_so-status.conf: file.append: 
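Review bot: The predicate choosing the CA requisite here (`grains['role'] == 'so-manager' or grains['role'] == 'so-eval' or grains['role'] == 'so-managersearch'`) is the third different one for the same decision in this series: elasticsearch uses `ismanager` (patch 01) and logstash uses `grains['role'] == 'so-heavynode'` (patch 03), and the role sets do not obviously agree, since so-standalone and so-import, which the ssl/init.sls guards group with the manager roles, fall through to trusttheca here. That is only safe if trusttheca is rendered on every role; it looks unconditional in the patch-01 ssl hunk, but its surrounding guards are outside the view. A single shared Jinja flag for "this node hosts the CA" would keep the three states from drifting; at minimum `{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch'] %}` reads more easily than the or-chain.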
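Review bot: so-cortex's new `- require: - file: cortex_application_conf` targets a `file.exists` check rather than whatever writes /opt/so/conf/thehive/etc/cortex-application.conf; `file.exists` only asserts presence at the moment it runs and imposes no ordering on the producer, so on a fresh install the require can fail before the config has been rendered. If that file is managed by a file.managed state elsewhere (not visible in this hunk), requiring that state directly gives both the ordering and the content guarantee; the same applies to `application_conf` and the so-thehive require further down.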
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 5f5adfaa6..e4b83a9e1 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -116,7 +116,7 @@ zeekctlcfg: ZEEKCTL: {{ ZEEK.zeekctl | tojson }} # Sync node.cfg -nodecfgsync: +nodecfg: file.managed: - name: /opt/so/conf/zeek/node.cfg - source: salt://zeek/files/node.cfg @@ -182,7 +182,7 @@ zeekbpf: {% endif %} -localzeeksync: +localzeek: file.managed: - name: /opt/so/conf/zeek/local.zeek - source: salt://zeek/files/local.zeek.jinja @@ -219,6 +219,11 @@ so-zeek: - file: /opt/so/conf/zeek/zeekctl.cfg - file: /opt/so/conf/zeek/policy - file: /opt/so/conf/zeek/bpf + - require: + - file: localzeek + - file: nodecfg + - file: zeekctlcfg + - file: zeekbpf {% else %} {# if Zeek isn't enabled, then stop and remove the container #} - force: True {% endif %} @@ -247,4 +252,4 @@ delete_so-zeek_so-status.disabled: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} From ee7e714f435688b1db66b2e6f12ff41ed0b703dd Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 22 Oct 2021 16:55:23 -0400 Subject: [PATCH 08/21] change to file_mode --- salt/mysql/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index b4c87eed4..d958f55de 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -52,7 +52,7 @@ mysqletc: - user: 939 - group: 939 - template: jinja - - mode: 640 + - file_mode: 640 mysqllogdir: file.directory: From 9a78d13bee022122e5100f2f5a7bd6927cfeba9c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 25 Oct 2021 15:37:23 -0400 Subject: [PATCH 09/21] change perms on mysql --- salt/mysql/etc/mypass | 1 - salt/mysql/init.sls | 24 ++++++++++++++++++------ 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/salt/mysql/etc/mypass b/salt/mysql/etc/mypass index f5f781c10..b38bf75ec 100644 --- a/salt/mysql/etc/mypass +++ b/salt/mysql/etc/mypass 
@@ -1,2 +1 @@
-{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%}
{{ MYSQLPASS }}
diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls
index d958f55de..750ae1c5e 100644
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -45,14 +45,24 @@ mysqlpiddir:
- group: 939
- makedirs: True
-mysqletc:
- file.recurse:
- - name: /opt/so/conf/mysql/etc
- - source: salt://mysql/etc
+mysqlcnf:
+ file.managed:
+ - name: /opt/so/conf/mysql/etc/my.cnf
+ - source: salt://mysql/etc/my.cnf
+ - user: 939
+ - group: 939
+ - file_mode: 640
+
+mysqlpass:
+ file.managed:
+ - name: /opt/so/conf/mysql/etc/mypass
+ - source: salt://mysql/etc/mypass
- user: 939
- group: 939
- template: jinja
- file_mode: 640
+ - defaults:
+ MYSQLPASS: {{ MYSQLPASS }}
mysqllogdir:
file.directory:
@@ -89,13 +99,15 @@ so-mysql:
- MYSQL_ROOT_HOST={{ MAINIP }}
- MYSQL_ROOT_PASSWORD=/etc/mypass
- binds:
- - /opt/so/conf/mysql/etc/:/etc/:ro
+ - /opt/so/conf/mysql/etc/my.cnf:/etc/my.cnf:ro
+ - /opt/so/conf/mysql/etc/mypass:/etc/mypass
- /nsm/mysql:/var/lib/mysql:rw
- /opt/so/log/mysql:/var/log/mysql:rw
- watch:
- /opt/so/conf/mysql/etc
- require:
- - file: mysqletc
+ - file: mysqlcnf
+ - file: mysqlpass
cmd.run:
- name: until nc -z {{ MAINIP }} 3306; do sleep 1; done
- timeout: 600
From 7e8d74e770bfffbc32192ed9cd81a864182de6bc Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 25 Oct 2021 15:50:27 -0400
Subject: [PATCH 10/21] just use mode
---
salt/mysql/init.sls | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls
index 750ae1c5e..54523ad17 100644
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -51,7 +51,7 @@ mysqlcnf:
- source: salt://mysql/etc/my.cnf
- user: 939
- group: 939
- - file_mode: 640
+ - mode: 640
mysqlpass:
file.managed:
@@ -60,7 +60,7 @@ mysqlpass:
- user: 939
- group: 939
- template: jinja
- - file_mode: 640
+ - mode: 640
- defaults:
MYSQLPASS: {{ MYSQLPASS }}
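Review bot: The new `mysqlpass` state renders the MySQL root password from pillar into `/opt/so/conf/mysql/etc/mypass` through `template: jinja` and `defaults`, but `file.managed` prints the content diff of that file in state output, and therefore into the master job cache and any returner, whenever it changes; add `- show_changes: False` to the state so the secret is not echoed. The `- file_mode: 640` carried over from the old `file.recurse` state is not the documented argument of `file.managed` (that is `mode`, which patch 10 of this series switches to) and is likely ignored, so as written the password file gets no explicit mode. An explicit restrictive mode matters more here than on my.cnf because this file is the credential handed to the container as `MYSQL_ROOT_PASSWORD`.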
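Review bot: The new bind `- /opt/so/conf/mysql/etc/mypass:/etc/mypass` is the only configuration bind in the hunk without `:ro`; the sibling `my.cnf` bind and the whole-directory bind it replaces were both read-only, and nothing visible here needs the container to write the file, so it should be `- /opt/so/conf/mysql/etc/mypass:/etc/mypass:ro`. A writable bind lets a compromised container rewrite the root credential on the host. The pre-existing `- watch: - /opt/so/conf/mysql/etc` line now points at a directory that is no longer a managed state while the require block was updated to `mysqlcnf`/`mysqlpass`; it probably wants the same two `- file:` references so a password or config change restarts the container.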
From fa2edb2b592c66f069d18a13971fd67204d5b22d Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 26 Oct 2021 08:39:30 -0400
Subject: [PATCH 11/21] make cortex_init and hive_init time out after 1 minutes vs 5 minutes
---
salt/thehive/scripts/cortex_init | 4 ++--
salt/thehive/scripts/hive_init | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/salt/thehive/scripts/cortex_init b/salt/thehive/scripts/cortex_init
index c2f00390d..d2002231b 100644
--- a/salt/thehive/scripts/cortex_init
+++ b/salt/thehive/scripts/cortex_init
@@ -29,7 +29,7 @@ cortex_init(){
CORTEX_ORG_USER_KEY="{{CORTEXORGUSERKEY}}"
SOCTOPUS_CONFIG="$default_salt_dir/salt/soctopus/files/SOCtopus.conf"
- if wait_for_web_response $CORTEX_URL "Cortex"; then
+ if wait_for_web_response $CORTEX_URL "Cortex" 60; then
# Migrate DB
curl -sk -XPOST -L "$CORTEX_API_URL/maintenance/migrate"
@@ -65,7 +65,7 @@ if [ -f /opt/so/state/cortex.txt ]; then
cortex_clean
exit 0
else
- if wait_for_web_response http://{{MANAGERIP}}:9400/_cluster/health '"status":"green"'; then
+ if wait_for_web_response http://{{MANAGERIP}}:9400/_cluster/health '"status":"green"' 60; then
cortex_init
cortex_clean
else
diff --git a/salt/thehive/scripts/hive_init b/salt/thehive/scripts/hive_init
index ca6f7aa2b..454d484dd 100755
--- a/salt/thehive/scripts/hive_init
+++ b/salt/thehive/scripts/hive_init
@@ -20,7 +20,7 @@ thehive_init(){
SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
echo -n "Waiting for TheHive..."
- if wait_for_web_response $THEHIVE_URL "TheHive"; then
+ if wait_for_web_response $THEHIVE_URL "TheHive" 60; then
# Migrate DB
curl -sk -XPOST -L "$THEHIVE_API_URL/maintenance/migrate"
@@ -43,7 +43,7 @@ if [ -f /opt/so/state/thehive.txt ]; then
thehive_clean
exit 0
else
- if wait_for_web_response http://{{MANAGERIP}}:9400/_cluster/health '"status":"green"'; then
+ if wait_for_web_response http://{{MANAGERIP}}:9400/_cluster/health '"status":"green"' 60; then
thehive_init
thehive_clean
else
From 682cbfd223f3c4792f37b4e009a7bbf4f96844c2 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 26 Oct 2021 09:23:24 -0400
Subject: [PATCH 12/21] remove the mode
---
salt/mysql/init.sls | 2 --
1 file changed, 2 deletions(-)
diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls
index 54523ad17..cb9586984 100644
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -51,7 +51,6 @@ mysqlcnf:
- source: salt://mysql/etc/my.cnf
- user: 939
- group: 939
- - mode: 640
mysqlpass:
file.managed:
@@ -60,7 +59,6 @@ mysqlpass:
- user: 939
- group: 939
- template: jinja
- - mode: 640
- defaults:
MYSQLPASS: {{ MYSQLPASS }}
From 36ae07b78edfbdfba3e4a2526b545a2b91d5f017 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 26 Oct 2021 10:49:50 -0400
Subject: [PATCH 13/21] change timeout from 60 to 120
---
salt/thehive/scripts/cortex_init | 4 ++--
salt/thehive/scripts/hive_init | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/salt/thehive/scripts/cortex_init b/salt/thehive/scripts/cortex_init
index d2002231b..fd0387131 100644
--- a/salt/thehive/scripts/cortex_init
+++ b/salt/thehive/scripts/cortex_init
@@ -29,7 +29,7 @@ cortex_init(){
CORTEX_ORG_USER_KEY="{{CORTEXORGUSERKEY}}"
SOCTOPUS_CONFIG="$default_salt_dir/salt/soctopus/files/SOCtopus.conf"
- if wait_for_web_response $CORTEX_URL "Cortex" 60; then
+ if wait_for_web_response $CORTEX_URL "Cortex" 120; then
# Migrate DB
curl -sk -XPOST -L "$CORTEX_API_URL/maintenance/migrate"
@@ -65,7 +65,7 @@ if [ -f /opt/so/state/cortex.txt ]; then
cortex_clean
exit 0
else
- if wait_for_web_response http://{{MANAGERIP}}:9400/_cluster/health '"status":"green"' 60; then
+ if wait_for_web_response http://{{MANAGERIP}}:9400/_cluster/health '"status":"green"' 120; then
cortex_init
cortex_clean
else
diff --git a/salt/thehive/scripts/hive_init b/salt/thehive/scripts/hive_init
index 454d484dd..7ace6137b 100755
--- a/salt/thehive/scripts/hive_init
+++ b/salt/thehive/scripts/hive_init
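Review bot: Removing `- mode: 640` from `mysqlpass` leaves the rendered root-password file `/opt/so/conf/mysql/etc/mypass` with whatever mode a pre-existing file or Salt's default gives it, which can be world-readable on the host; a credential file should carry an explicit mode, e.g. `- mode: 640` (the state already sets owner and group to 939, the container user). If the mode was dropped because it conflicted with the `template`/`defaults` rendering or with how the container reads the file, a one-line comment above the state saying why would keep the next reader from re-adding it. The same removal on `mysqlcnf` is less sensitive but the same reasoning applies.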
@@ -20,7 +20,7 @@ thehive_init(){
SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
echo -n "Waiting for TheHive..."
- if wait_for_web_response $THEHIVE_URL "TheHive" 60; then
+ if wait_for_web_response $THEHIVE_URL "TheHive" 120; then
# Migrate DB
curl -sk -XPOST -L "$THEHIVE_API_URL/maintenance/migrate"
@@ -43,7 +43,7 @@ if [ -f /opt/so/state/thehive.txt ]; then
thehive_clean
exit 0
else
- if wait_for_web_response http://{{MANAGERIP}}:9400/_cluster/health '"status":"green"' 60; then
+ if wait_for_web_response http://{{MANAGERIP}}:9400/_cluster/health '"status":"green"' 120; then
thehive_init
thehive_clean
else
From c0dd9efd9b485ad2c0a5c0e6d065461cea531a7b Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 26 Oct 2021 10:50:16 -0400
Subject: [PATCH 14/21] change so-thehive-es binds and requires
---
salt/thehive/init.sls | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls
index 61a7a053c..d7050e226 100644
--- a/salt/thehive/init.sls
+++ b/salt/thehive/init.sls
@@ -73,6 +73,14 @@ thehiveesdata:
- user: 939
- group: 939
+thehive_elasticsearch_yml:
+ file.exists:
+ - name: /opt/so/conf/thehive/etc/es/elasticsearch.yml
+
+log4j2_properties:
+ file.exists:
+ - name: /opt/so/conf/thehive/etc/es/log4j2.properties
+
so-thehive-es:
docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-thehive-es:{{ VERSION }}
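Review bot: The new state ID `log4j2_properties` is generic where its sibling is prefixed `thehive_elasticsearch_yml`; Salt state IDs are global across every SLS rendered in a run, so another file introducing a `log4j2_properties` ID (the elasticsearch state already manages its own log4j file under `eslog4jfile`) would fail the run with a conflicting-ID error. Rename it `thehive_log4j2_properties` and update the `- file: log4j2_properties` requisite added in the next hunk to match. Note also that `file.exists` only asserts presence, not ownership or mode, so these two states do not replace managed states if Salt is meant to control the files' contents or permissions.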
@@ -83,13 +91,17 @@ so-thehive-es:
- tty: True
- binds:
- /nsm/thehive/esdata:/usr/share/elasticsearch/data:rw
- - /opt/so/conf/thehive/etc/es/:/usr/share/elasticsearch/config/:ro
+ - /opt/so/conf/thehive/etc/es/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
+ - /opt/so/conf/thehive/etc/es/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
- /opt/so/log/thehive:/var/log/elasticsearch:rw
- environment:
- ES_JAVA_OPTS=-Xms512m -Xmx512m
- port_bindings:
- 0.0.0.0:9400:9400
- 0.0.0.0:9500:9500
+ - require:
+ - file: thehive_elasticsearch_yml
+ - file: log4j2_properties
append_so-thehive-es_so-status.conf:
file.append:
From 58d62f29eac4d3cc500c810fb32d2d472e17fe50 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 26 Oct 2021 11:55:47 -0400
Subject: [PATCH 15/21] include ssl state in registry state
---
salt/registry/init.sls | 3 +++
1 file changed, 3 insertions(+)
diff --git a/salt/registry/init.sls b/salt/registry/init.sls
index b89bd5dff..76ccbf070 100644
--- a/salt/registry/init.sls
+++ b/salt/registry/init.sls
@@ -1,6 +1,9 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
+include:
+ - ssl
+
# Create the config directory for the docker registry
dockerregistryconfdir:
file.directory:
From bf403a8307ffab7bd964312bab0a73824305cdf2 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 27 Oct 2021 09:47:12 -0400
Subject: [PATCH 16/21] only manager nodes get cert, key and att&ck binds
---
salt/nginx/init.sls | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls
index 12e0b1fdc..c732db636 100644
--- a/salt/nginx/init.sls
+++ b/salt/nginx/init.sls
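Review bot: The new require block only covers the two config files, yet the same container binds `/nsm/thehive/esdata` and `/opt/so/log/thehive`, and the `thehiveesdata` directory state (owner/group 939) is visible just above this hunk in the previous patch; if the container starts before that state has run, Docker creates the missing host path itself as root and Elasticsearch running as uid 939 cannot write its data directory. Add `- file: thehiveesdata` to the require list, and the log-directory state as well if one exists (it is not visible in this hunk). That is the same ordering problem this series fixes for the config files and it applies equally to the writable binds.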
@@ -76,34 +76,38 @@ so-nginx:
- /opt/so/log/nginx/:/var/log/nginx:rw
- /opt/so/tmp/nginx/:/var/lib/nginx:rw
- /opt/so/tmp/nginx/:/run:rw
+ - /opt/so/conf/fleet/packages:/opt/socore/html/packages
+ {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
- /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro
- /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro
- - /opt/so/conf/fleet/packages:/opt/socore/html/packages
- {% if ISAIRGAP is sameas true %}
- - /nsm/repo:/opt/socore/html/repo:ro
- {% endif %}
# ATT&CK Navigator binds
- /opt/so/conf/navigator/navigator_config.json:/opt/socore/html/navigator/assets/config.json:ro
- /opt/so/conf/navigator/nav_layer_playbook.json:/opt/socore/html/navigator/assets/playbook.json:ro
+ {% endif %}
+ {% if ISAIRGAP is sameas true %}
+ - /nsm/repo:/opt/socore/html/repo:ro
+ {% endif %}
- cap_add: NET_BIND_SERVICE
- port_bindings:
- 80:80
- 443:443
- {% if ISAIRGAP is sameas true %}
+ {% if ISAIRGAP is sameas true %}
- 7788:7788
- {% endif %}
- {%- if FLEETMANAGER or FLEETNODE %}
+ {% endif %}
+ {%- if FLEETMANAGER or FLEETNODE %}
- 8090:8090
- {%- endif %}
+ {%- endif %}
- watch:
- file: nginxconf
- file: nginxconfdir
- require:
- file: nginxconf
+ {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
- x509: managerssl_key
- x509: managerssl_crt
- file: navigatorconfig
- file: navigatordefaultlayer
+ {% endif %}
append_so-nginx_so-status.conf:
file.append:
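Review bot: The `- /opt/so/conf/fleet/packages:/opt/socore/html/packages` bind moved out of the manager-only block is now mounted on every role and is the only conf bind in the hunk without `:ro`; unless nginx itself writes into that directory (nothing in this hunk suggests it does — it serves the files), make it `- /opt/so/conf/fleet/packages:/opt/socore/html/packages:ro`. The manager role list is also spelled out twice, once for the binds and again in the require block, and a near-identical list lives in the logstash state; define it once near the top of the file, `{% set MANAGER_ROLES = ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}`, and test `grains.role in MANAGER_ROLES` in both places so they cannot drift. On the other roles the container still publishes 443 with no server certificate bound, so confirm the nginx config rendered for those roles does not reference `/etc/pki/nginx/server.crt`.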
@@ -15,34 +15,34 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
-{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
-{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{% set MANAGER = salt['grains.get']('master') %}
-{% set MANAGERIP = salt['pillar.get']('global:managerip') %}
+ {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
+ {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
+ {% set MANAGER = salt['grains.get']('master') %}
+ {% set MANAGERIP = salt['pillar.get']('global:managerip') %}
-# Logstash Section - Decide which pillar to use
-{% set lsheap = salt['pillar.get']('logstash_settings:lsheap', '') %}
-{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %}
- {% set freq = salt['pillar.get']('manager:freq', '0') %}
- {% set dstats = salt['pillar.get']('manager:domainstats', '0') %}
- {% set nodetype = salt['grains.get']('role', '') %}
-{% elif grains['role'] == 'so-helix' %}
- {% set freq = salt['pillar.get']('manager:freq', '0') %}
- {% set dstats = salt['pillar.get']('manager:domainstats', '0') %}
- {% set nodetype = salt['grains.get']('role', '') %}
-{% endif %}
+ # Logstash Section - Decide which pillar to use
+ {% set lsheap = salt['pillar.get']('logstash_settings:lsheap', '') %}
+ {% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %}
+ {% set freq = salt['pillar.get']('manager:freq', '0') %}
+ {% set dstats = salt['pillar.get']('manager:domainstats', '0') %}
+ {% set nodetype = salt['grains.get']('role', '') %}
+ {% elif grains['role'] == 'so-helix' %}
+ {% set freq = salt['pillar.get']('manager:freq', '0') %}
+ {% set dstats = salt['pillar.get']('manager:domainstats', '0') %}
+ {% set nodetype = salt['grains.get']('role', '') %}
+ {% endif %}
-{% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %}
-{% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %}
-{% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}
+ {% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %}
+ {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %}
+ {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}
-{% if grains.role in ['so-heavynode'] %}
- {% set EXTRAHOSTHOSTNAME = salt['grains.get']('host') %}
- {% set EXTRAHOSTIP = salt['pillar.get']('sensor:mainip') %}
-{% else %}
- {% set EXTRAHOSTHOSTNAME = MANAGER %}
- {% set EXTRAHOSTIP = MANAGERIP %}
-{% endif %}
+ {% if grains.role in ['so-heavynode'] %}
+ {% set EXTRAHOSTHOSTNAME = salt['grains.get']('host') %}
+ {% set EXTRAHOSTIP = salt['pillar.get']('sensor:mainip') %}
+ {% else %}
+ {% set EXTRAHOSTHOSTNAME = MANAGER %}
+ {% set EXTRAHOSTIP = MANAGERIP %}
+ {% endif %}
include:
- ssl
@@ -74,22 +74,22 @@ lspipelinedir:
- user: 931
- group: 939
-{% for PL in PIPELINES %}
- {% for CONFIGFILE in PIPELINES[PL].config %}
+ {% for PL in PIPELINES %}
+ {% for CONFIGFILE in PIPELINES[PL].config %}
ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}:
file.managed:
- source: salt://logstash/pipelines/config/{{CONFIGFILE}}
- {% if 'jinja' in CONFIGFILE.split('.')[-1] %}
+ {% if 'jinja' in CONFIGFILE.split('.')[-1] %}
- name: /opt/so/conf/logstash/pipelines/{{PL}}/{{CONFIGFILE.split('/')[1] | replace(".jinja", "")}}
- template: jinja
- {% else %}
+ {% else %}
- name: /opt/so/conf/logstash/pipelines/{{PL}}/{{CONFIGFILE.split('/')[1]}}
- {% endif %}
+ {% endif %}
- user: 931
- group: 939
- mode: 660
- makedirs: True
- {% endfor %}
+ {% endfor %}
ls_pipeline_{{PL}}:
file.directory:
@@ -97,12 +97,12 @@ ls_pipeline_{{PL}}:
- user: 931
- group: 939
- require:
- {% for CONFIGFILE in PIPELINES[PL].config %}
+ {% for CONFIGFILE in PIPELINES[PL].config %}
- file: ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}
- {% endfor %}
+ {% endfor %}
- clean: True
-{% endfor %}
+ {% endfor %}
lspipelinesyml:
file.managed:
@@ -158,9 +158,9 @@ so-logstash:
- environment:
- LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
- port_bindings:
-{% for BINDING in DOCKER_OPTIONS.port_bindings %}
+ {% for BINDING in DOCKER_OPTIONS.port_bindings %}
- {{ BINDING }}
-{% endfor %}
+ {% endfor %}
- binds:
- /opt/so/conf/elasticsearch/templates/:/templates/:ro
- /opt/so/conf/logstash/etc/:/usr/share/logstash/config/:ro
@@ -170,42 +170,46 @@ so-logstash:
- /nsm/logstash:/usr/share/logstash/data:rw
- /opt/so/log/logstash:/var/log/logstash:rw
- /sys/fs/cgroup:/sys/fs/cgroup:ro
+ {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}
- /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro
- /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
+ {% endif %}
- /opt/so/conf/logstash/etc/certs:/usr/share/logstash/certs:ro
- {% if grains['role'] == 'so-heavynode' %}
+ {% if grains['role'] == 'so-heavynode' %}
- /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
- {% else %}
+ {% else %}
- /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
- {% endif %}
+ {% endif %}
- /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
- /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
- {%- if grains['role'] == 'so-eval' %}
+ {%- if grains['role'] == 'so-eval' %}
- /nsm/zeek:/nsm/zeek:ro
- /nsm/suricata:/suricata:ro
- /nsm/wazuh/logs/alerts:/wazuh/alerts:ro
- /nsm/wazuh/logs/archives:/wazuh/archives:ro
- /opt/so/log/fleet/:/osquery/logs:ro
- /opt/so/log/strelka:/strelka:ro
- {%- endif %}
+ {%- endif %}
- watch:
- file: lsetcsync
-{% for PL in PIPELINES %}
+ {% for PL in PIPELINES %}
- file: ls_pipeline_{{PL}}
- {% for CONFIGFILE in PIPELINES[PL].config %}
+ {% for CONFIGFILE in PIPELINES[PL].config %}
- file: ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}
+ {% endfor %}
{% endfor %}
-{% endfor %}
-{% for TEMPLATE in TEMPLATES %}
+ {% for TEMPLATE in TEMPLATES %}
- file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}
-{% endfor %}
+ {% endfor %}
- require:
+ {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}
- x509: etc_filebeat_crt
-{% if grains['role'] == 'so-heavynode' %}
+ {% endif %}
+ {% if grains['role'] == 'so-heavynode' %}
- x509: trusttheca
-{% else %}
+ {% else %}
- x509: pki_public_ca_crt
-{% endif %}
+ {% endif %}
- file: cacertz
- file: capemz
From c8c8cf203f54fdc42051bf1864d2de13907e9d29 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 27 Oct 2021 15:44:52 -0400
Subject: [PATCH 18/21] Enable cluster stats
---
salt/telegraf/etc/telegraf.conf | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf
index 59d806fe0..649fcc241 100644
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -16,9 +16,9 @@
{%- set MANAGER = salt['grains.get']('master') %}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
-{% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') %}
-{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
-{% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
+{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') %}
+{%- set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
+{%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
{%- set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
# Global tags can be specified here in key="value" format.
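Review bot: The seven-role list that gates the filebeat certificate binds is repeated verbatim in the require block at the end of the hunk, and it differs from the five-role manager list used in the nginx state in this same series; define it once at the top of the state, `{% set FILEBEAT_CERT_ROLES = ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}`, and test `{% if grains['role'] in FILEBEAT_CERT_ROLES %}` in both places so the binds and the requisites cannot drift apart. Roles outside that list still receive `/usr/share/logstash/certs` and the CA bundle but no `filebeat.crt`/`filebeat.key`; if any pipeline rendered for those roles from the `logstash:pipelines` pillar references those paths, the container will come up without them, which is worth checking. The so-logstash state begins above this hunk.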
@@ -621,23 +621,25 @@
# # Read stats from one or more Elasticsearch servers or clusters
-{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
+{%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
[[inputs.elasticsearch]]
servers = ["https://{{ MANAGER }}:9200"]
-{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
+ cluster_stats = true
+{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
username = "{{ ES_USER }}"
password = "{{ ES_PASS }}"
-{% endif %}
+{%- endif %}
insecure_skip_verify = true
-{% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %}
+{%- elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %}
[[inputs.elasticsearch]]
servers = ["https://{{ NODEIP }}:9200"]
-{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
+ cluster_stats = true
+{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
username = "{{ ES_USER }}"
password = "{{ ES_PASS }}"
-{% endif %}
+{%- endif %}
insecure_skip_verify = true
-{% endif %}
+{%- endif %}
# # ## Timeout for HTTP requests to the elastic search server(s)
From 18ce9c781943a23f371a722fee96877311518ba8 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 28 Oct 2021 07:46:02 -0400
Subject: [PATCH 19/21] disable zeekpacketlosscron and telegraf checks if zeek is diabled via pillar
---
salt/telegraf/etc/telegraf.conf | 23 +++++++++++++----------
salt/zeek/init.sls | 2 +-
salt/zeek/map.jinja | 4 +++-
3 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf
index 649fcc241..92fcb4106 100644
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -20,6 +20,9 @@
{%- set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
{%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
{%- set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
+{%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', 'True') %}
+{%- set MDENGINE = salt['pillar.get']('global:mdengine', 'ZEEK') %}
+
# Global tags can be specified here in key="value" format.
[global_tags]
@@ -740,10 +743,10 @@
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
- {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
- {% endif %}
+ {%- endif %}
"/scripts/oldpcap.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
@@ -757,10 +760,10 @@
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
- {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
- {% endif %}
+ {%- endif %}
"/scripts/oldpcap.sh",
"/scripts/eps.sh",
"/scripts/raid.sh",
@@ -776,10 +779,10 @@
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
- {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
- {% endif %}
+ {%- endif %}
"/scripts/oldpcap.sh",
"/scripts/eps.sh",
"/scripts/raid.sh",
@@ -794,10 +797,10 @@
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
- {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
- {% endif %}
+ {%- endif %}
"/scripts/oldpcap.sh",
"/scripts/influxdbsize.sh",
"/scripts/raid.sh",
@@ -811,10 +814,10 @@
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
- {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
- {% endif %}
+ {%- endif %}
"/scripts/oldpcap.sh",
"/scripts/helixeps.sh"
]
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index e4b83a9e1..2c9fb9846 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -146,7 +146,7 @@ plcronscript:
- mode: 755
zeekpacketlosscron:
- cron.present:
+ cron.{{ZEEKOPTIONS.pl_cron_state}}:
- name: /usr/local/bin/packetloss.sh
- user: root
- minute: '*/10'
diff --git a/salt/zeek/map.jinja b/salt/zeek/map.jinja
index b5713c6d5..5ae8894bc 100644
--- a/salt/zeek/map.jinja
+++ b/salt/zeek/map.jinja
@@ -4,12 +4,14 @@
# don't start the docker container if it is an import node or disabled via pillar
{% if grains.id.split('_')|last == 'import' or ENABLED is sameas false %}
{% do ZEEKOPTIONS.update({'start': False}) %}
+ {% do ZEEKOPTIONS.update({'pl_cron_state': 'absent'}) %}
{% else %}
{% do ZEEKOPTIONS.update({'start': True}) %}
+ {% do ZEEKOPTIONS.update({'pl_cron_state': 'present'}) %}
{% endif %}
{% if ENABLED is sameas false %}
{% do ZEEKOPTIONS.update({'status': 'absent'}) %}
{% else %}
{% do ZEEKOPTIONS.update({'status': 'running'}) %}
-{% endif %}
\ No newline at end of file
+{% endif %}
From 7eb42fa6bdb386562a03970fb94bb20ed316f822 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 28 Oct 2021 08:43:03 -0400
Subject: [PATCH 20/21] change boolean
---
salt/telegraf/etc/telegraf.conf | 12 ++++++------
salt/zeek/map.jinja | 6 +++---
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf
index 92fcb4106..fa7dabe09 100644
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
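Review bot: `cron.{{ZEEKOPTIONS.pl_cron_state}}:` builds the state function name from a map value, so the same `- user: root` / `- minute: '*/10'` arguments are handed to `cron.absent` when Zeek is disabled; that only works because `cron.absent` tolerates extra keyword arguments, and a templated function name is hard to grep for. An explicit `{% if ZEEKOPTIONS.pl_cron_state == 'present' %}` / `{% else %}` with `cron.present` and a `cron.absent` that passes only `name` and `user` says the same thing without relying on that. The `pl_cron_state` key is set on both branches of the map.jinja hunk below, so the lookup itself cannot fail.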
@@ -20,7 +20,7 @@
{%- set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
{%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
{%- set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
-{%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', 'True') %}
+{%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %}
{%- set MDENGINE = salt['pillar.get']('global:mdengine', 'ZEEK') %}
@@ -743,7 +743,7 @@
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
- {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
@@ -760,7 +760,7 @@
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
- {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
@@ -779,7 +779,7 @@
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
- {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
@@ -797,7 +797,7 @@
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
- {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
@@ -814,7 +814,7 @@
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
- {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
diff --git a/salt/zeek/map.jinja b/salt/zeek/map.jinja
index 5ae8894bc..a0f92463e 100644
--- a/salt/zeek/map.jinja
+++ b/salt/zeek/map.jinja
@@ -1,8 +1,8 @@
{% set ZEEKOPTIONS = {} %}
-{% set ENABLED = salt['pillar.get']('zeek:enabled', 'True') %}
+{% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}
# don't start the docker container if it is an import node or disabled via pillar
-{% if grains.id.split('_')|last == 'import' or ENABLED is sameas false %}
+{% if grains.id.split('_')|last == 'import' or not ENABLED %}
{% do ZEEKOPTIONS.update({'start': False}) %}
{% do ZEEKOPTIONS.update({'pl_cron_state': 'absent'}) %}
{% else %}
@@ -10,7 +10,7 @@
{% do ZEEKOPTIONS.update({'pl_cron_state': 'present'}) %}
{% endif %}
-{% if ENABLED is sameas false %}
+{% if not ENABLED %}
{% do ZEEKOPTIONS.update({'status': 'absent'}) %}
{% else %}
{% do ZEEKOPTIONS.update({'status': 'running'}) %}
From 0cea5e8f2269ca6147fbf83ef015c5bb34ac2b2a Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 28 Oct 2021 08:46:27 -0400
Subject: [PATCH 21/21] include ssl state in telegraf state
---
salt/telegraf/init.sls | 3 +++
1 file changed, 3 insertions(+)
diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls
index d71916430..2c188367b 100644
--- a/salt/telegraf/init.sls
+++ b/salt/telegraf/init.sls
@@ -5,6 +5,9 @@
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
+include:
+ - ssl
+
# Add Telegraf to monitor all the things.
tgraflogdir:
file.directory:
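Review bot: `not ENABLED` treats any non-empty string as enabled, so a pillar value written as a quoted string (`zeek:enabled: 'False'`) silently keeps Zeek running — the mirror image of the `is sameas false` test this hunk replaces, which never matched a string `'True'`. If pillar values can arrive as strings, normalise once with Salt's Jinja filter, `{% set ENABLED = salt['pillar.get']('zeek:enabled', True) | to_bool %}`, and the two `not ENABLED` tests stay as they are. The same `zeek:enabled` lookup is repeated independently as `ZEEK_ENABLED` in telegraf.conf in the previous hunks; importing ZEEKOPTIONS from this map there would give both files one source of truth.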