Merge pull request #9421 from Security-Onion-Solutions/mkr24

Redis defaults.yaml
This commit is contained in:
Mike Reeves
2022-12-21 09:15:49 -05:00
committed by GitHub
18 changed files with 1147 additions and 2514 deletions


@@ -14,7 +14,7 @@ base:
'* and not *_eval and not *_import':
- logstash.nodes
'*_eval or *_helixsensor or *_heavynode or *_sensor or *_standalone or *_import':
'*_eval or *_heavynode or *_sensor or *_standalone or *_import':
- match: compound
- zeek
@@ -45,6 +45,12 @@ base:
- manager.adv_manager
- soc.soc_soc
- soc.adv_soc
- kratos.soc_kratos
- kratos.adv_kratos
- redis.soc_redis
- redis.adv_redis
- influxdb.soc_influxdb
- influxdb.adv_influxdb
- backup.soc_backup
- backup.adv_backup
- minions.{{ grains.id }}
@@ -72,6 +78,12 @@ base:
- elasticsearch.soc_elasticsearch
- manager.soc_manager
- soc.soc_soc
- kratos.soc_kratos
- kratos.adv_kratos
- redis.soc_redis
- redis.adv_redis
- influxdb.soc_influxdb
- influxdb.adv_influxdb
- backup.soc_backup
- backup.adv_backup
- minions.{{ grains.id }}
@@ -93,6 +105,11 @@ base:
- healthcheck.standalone
- soc_global
- kratos.soc_kratos
- kratos.adv_kratos
- redis.soc_redis
- redis.adv_redis
- influxdb.soc_influxdb
- influxdb.adv_influxdb
- elasticsearch.soc_elasticsearch
- manager.soc_manager
- soc.soc_soc
@@ -154,6 +171,12 @@ base:
- adv_global
- backup.soc_backup
- backup.adv_backup
- kratos.soc_kratos
- kratos.adv_kratos
- redis.soc_redis
- redis.adv_redis
- influxdb.soc_influxdb
- influxdb.adv_influxdb
- minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
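Review bot: The hunk at `@@ -93,6 +105,11` adds five pillar entries where the three sibling hunks (`+45,12`, `+78,12`, `+171,12`) each add six, so one target in this top file likely receives one fewer of the kratos/redis/influxdb entries than the others; the target globs are not visible in this rendering, so worth confirming the omission is deliberate rather than a copy-paste slip. Each new `redis.soc_redis`, `redis.adv_redis`, `influxdb.soc_influxdb` and `influxdb.adv_influxdb` reference also needs the matching pillar sls to exist on the master, otherwise pillar compilation fails for every minion matched by that target; those files are not shown on this page, so check they are among the 18 changed files.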


@@ -1,4 +1,158 @@
influxdb:
config:
meta:
dir: /var/lib/influxdb/meta
retention-autocreate: true
logging-enabled: true
data:
dir: /var/lib/influxdb/data
wal-dir: /var/lib/influxdb/wal
wal-fsync-delay: 0s
index-version: inmem
race-logging-enabled: false
query-log-enabled: true
validate-keys: false
cache-max-memory-size: 1g
cache-snapshot-memory-size: 25m
cache-snapshot-write-cold-duration: 10m
compact-full-write-cold-duration: 4h
max-concurrent-compactions: 0
compact-throughput: 48m
compact-throughput-burst: 48m
max-index-log-file-size: 1m
max-series-per-database: 1000000
max-values-per-tag: 100000
tsm-use-madv-willneed: false
coordinator:
write-timeout: 10s
max-concurrent-queries: 0
query-timeout: 0s
log-queries-after: 0s
max-select-point: 0
max-select-series: 0
max-select-buckets: 0
retention:
enabled: true
check-interval: 30m
shard-precreation:
enabled: true
check-interval: 10m
advance-period: 30m
monitor:
store-enabled: true
store-database: _internal
store-interval: 10s
http:
enabled: true
flux-enabled: true
bind-address: ':8086'
auth-enabled: false
realm: InfluxDB
log-enabled: false
suppress-write-log: false
access-log-path: ''
access-log-status-filters: []
write-tracing: false
pprof-enabled: true
debug-pprof-enabled: false
https-enabled: true
https-certificate: /etc/ssl/influxdb.crt
https-private-key: /etc/ssl/influxdb.key
shared-secret: ''
max-row-limit: 0
max-connection-limit: 0
unix-socket-enabled: false
bind-socket: /var/run/influxdb.sock
max-body-size: 25000000
max-concurrent-write-limit: 0
max-enqueued-write-limit: 0
enqueued-write-timeout: 0
logging:
format: auto
level: info
suppress-logo: false
subscriber:
enabled: true
http-timeout: 30s
insecure-skip-verify: false
ca-certs: ''
write-concurrency: 40
write-buffer-size: 1000
graphite:
enabled: false
database: graphite
retention-policy: ''
bind-address: ':2003'
protocol: tcp
consistency-level: one
batch-size: 5000
batch-pending: 10
batch-timeout: 1s
udp-read-buffer: 0
separator: '.'
tags: []
templates: []
collectd:
enabled: false
bind-address: ':25826'
database: collectd
retention-policy: ''
typesdb: /usr/local/share/collectd
security-level: none
auth-file: /etc/collectd/auth_file
batch-size: 5000
bath-pending: 10
batch-timeout: 10s
read-buffer: 0
parse-multivalue-plugin: split
opentsdb:
enabled: false
bind-address: ':4242'
database: opentsdb
retention-policy: ''
consistency-level: one
tls-enabled: false
certificate: /etc/ssl/influxdb.pem
log-point-errors: true
batch-size: 1000
batch-pending: 5
bath-timeout: 1s
udp:
enabled: false
bind-address: ':8089'
database: udp
retention-policy: ''
precision: ''
batch-size: 5000
batch-pending: 10
batch-timeout: 1s
read-buffer: 0
continuous_queries:
enabled: true
log-enabled: true
query-stats-enabled: false
run-interval: 1s
tls:
ciphers:
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_GCM_SHA384
min-version: tls1.2
max-version: tls1.2
retention_policies:
so_short_term:
default: True
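Review bot: `bath-pending: 10` under `collectd` and `bath-timeout: 1s` under `opentsdb` are misspellings of `batch-pending` and `batch-timeout`; the template copies keys verbatim into influxdb.conf, so InfluxDB never sees these two settings and its built-in defaults silently apply instead — rename them to `batch-pending: 10` and `batch-timeout: 1s`. `default: True` on the last line is the only capitalised boolean in the file while every other flag uses `true`/`false`; `default: true` keeps the file consistent and parser-safe. The `tls.ciphers` list is carried over unchanged from the deleted influxdb.conf and still lists the static-RSA `TLS_RSA_WITH_*` suites (no forward secrecy) and the older CBC suites; now that this is a pillar-tunable default with `min-version`/`max-version` pinned to `tls1.2`, the ECDHE GCM and CHACHA20 entries alone would serve every modern client and shrink the exposed surface.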


@@ -1,579 +0,0 @@
### Welcome to the InfluxDB configuration file.
# The values in this file override the default values used by the system if
# a config option is not specified. The commented out lines are the configuration
# field and the default value used. Uncommenting a line and changing the value
# will change the value used at runtime when the process is restarted.
# Once every 24 hours InfluxDB will report usage data to usage.influxdata.com
# The data includes a random ID, os, arch, version, the number of series and other
# usage data. No data from user databases is ever transmitted.
# Change this option to true to disable reporting.
# reporting-disabled = false
# Bind address to use for the RPC service for backup and restore.
# bind-address = "127.0.0.1:8088"
###
### [meta]
###
### Controls the parameters for the Raft consensus group that stores metadata
### about the InfluxDB cluster.
###
[meta]
# Where the metadata/raft database is stored
dir = "/var/lib/influxdb/meta"
# Automatically create a default retention policy when creating a database.
# retention-autocreate = true
# If log messages are printed for the meta service
# logging-enabled = true
###
### [data]
###
### Controls where the actual shard data for InfluxDB lives and how it is
### flushed from the WAL. "dir" may need to be changed to a suitable place
### for your system, but the WAL settings are an advanced configuration. The
### defaults should work for most systems.
###
[data]
# The directory where the TSM storage engine stores TSM files.
dir = "/var/lib/influxdb/data"
# The directory where the TSM storage engine stores WAL files.
wal-dir = "/var/lib/influxdb/wal"
# The amount of time that a write will wait before fsyncing. A duration
# greater than 0 can be used to batch up multiple fsync calls. This is useful for slower
# disks or when WAL write contention is seen. A value of 0s fsyncs every write to the WAL.
# Values in the range of 0-100ms are recommended for non-SSD disks.
# wal-fsync-delay = "0s"
# The type of shard index to use for new shards. The default is an in-memory index that is
# recreated at startup. A value of "tsi1" will use a disk based index that supports higher
# cardinality datasets.
# index-version = "inmem"
# Trace logging provides more verbose output around the tsm engine. Turning
# this on can provide more useful output for debugging tsm engine issues.
# trace-logging-enabled = false
# Whether queries should be logged before execution. Very useful for troubleshooting, but will
# log any sensitive data contained within a query.
# query-log-enabled = true
# Validates incoming writes to ensure keys only have valid unicode characters.
# This setting will incur a small overhead because every key must be checked.
# validate-keys = false
# Settings for the TSM engine
# CacheMaxMemorySize is the maximum size a shard's cache can
# reach before it starts rejecting writes.
# Valid size suffixes are k, m, or g (case insensitive, 1024 = 1k).
# Values without a size suffix are in bytes.
# cache-max-memory-size = "1g"
# CacheSnapshotMemorySize is the size at which the engine will
# snapshot the cache and write it to a TSM file, freeing up memory
# Valid size suffixes are k, m, or g (case insensitive, 1024 = 1k).
# Values without a size suffix are in bytes.
# cache-snapshot-memory-size = "25m"
# CacheSnapshotWriteColdDuration is the length of time at
# which the engine will snapshot the cache and write it to
# a new TSM file if the shard hasn't received writes or deletes
# cache-snapshot-write-cold-duration = "10m"
# CompactFullWriteColdDuration is the duration at which the engine
# will compact all TSM files in a shard if it hasn't received a
# write or delete
# compact-full-write-cold-duration = "4h"
# The maximum number of concurrent full and level compactions that can run at one time. A
# value of 0 results in 50% of runtime.GOMAXPROCS(0) used at runtime. Any number greater
# than 0 limits compactions to that value. This setting does not apply
# to cache snapshotting.
# max-concurrent-compactions = 0
# CompactThroughput is the rate limit in bytes per second that we
# will allow TSM compactions to write to disk. Note that short bursts are allowed
# to happen at a possibly larger value, set by CompactThroughputBurst
# compact-throughput = "48m"
# CompactThroughputBurst is the rate limit in bytes per second that we
# will allow TSM compactions to write to disk.
# compact-throughput-burst = "48m"
# The threshold, in bytes, when an index write-ahead log file will compact
# into an index file. Lower sizes will cause log files to be compacted more
# quickly and result in lower heap usage at the expense of write throughput.
# Higher sizes will be compacted less frequently, store more series in-memory,
# and provide higher write throughput.
# Valid size suffixes are k, m, or g (case insensitive, 1024 = 1k).
# Values without a size suffix are in bytes.
# max-index-log-file-size = "1m"
# The maximum series allowed per database before writes are dropped. This limit can prevent
# high cardinality issues at the database level. This limit can be disabled by setting it to
# 0.
# max-series-per-database = 1000000
# The maximum number of tag values per tag that are allowed before writes are dropped. This limit
# can prevent high cardinality tag values from being written to a measurement. This limit can be
# disabled by setting it to 0.
# max-values-per-tag = 100000
# If true, then the mmap advise value MADV_WILLNEED will be provided to the kernel with respect to
# TSM files. This setting has been found to be problematic on some kernels, and defaults to off.
# It might help users who have slow disks in some cases.
# tsm-use-madv-willneed = false
###
### [coordinator]
###
### Controls the clustering service configuration.
###
[coordinator]
# The default time a write request will wait until a "timeout" error is returned to the caller.
# write-timeout = "10s"
# The maximum number of concurrent queries allowed to be executing at one time. If a query is
# executed and exceeds this limit, an error is returned to the caller. This limit can be disabled
# by setting it to 0.
# max-concurrent-queries = 0
# The maximum time a query will is allowed to execute before being killed by the system. This limit
# can help prevent run away queries. Setting the value to 0 disables the limit.
# query-timeout = "0s"
# The time threshold when a query will be logged as a slow query. This limit can be set to help
# discover slow or resource intensive queries. Setting the value to 0 disables the slow query logging.
# log-queries-after = "0s"
# The maximum number of points a SELECT can process. A value of 0 will make
# the maximum point count unlimited. This will only be checked every second so queries will not
# be aborted immediately when hitting the limit.
# max-select-point = 0
# The maximum number of series a SELECT can run. A value of 0 will make the maximum series
# count unlimited.
# max-select-series = 0
# The maxium number of group by time bucket a SELECT can create. A value of zero will max the maximum
# number of buckets unlimited.
# max-select-buckets = 0
###
### [retention]
###
### Controls the enforcement of retention policies for evicting old data.
###
[retention]
# Determines whether retention policy enforcement enabled.
# enabled = true
# The interval of time when retention policy enforcement checks run.
# check-interval = "30m"
###
### [shard-precreation]
###
### Controls the precreation of shards, so they are available before data arrives.
### Only shards that, after creation, will have both a start- and end-time in the
### future, will ever be created. Shards are never precreated that would be wholly
### or partially in the past.
[shard-precreation]
# Determines whether shard pre-creation service is enabled.
# enabled = true
# The interval of time when the check to pre-create new shards runs.
# check-interval = "10m"
# The default period ahead of the endtime of a shard group that its successor
# group is created.
# advance-period = "30m"
###
### Controls the system self-monitoring, statistics and diagnostics.
###
### The internal database for monitoring data is created automatically if
### if it does not already exist. The target retention within this database
### is called 'monitor' and is also created with a retention period of 7 days
### and a replication factor of 1, if it does not exist. In all cases the
### this retention policy is configured as the default for the database.
[monitor]
# Whether to record statistics internally.
# store-enabled = true
# The destination database for recorded statistics
# store-database = "_internal"
# The interval at which to record statistics
# store-interval = "10s"
###
### [http]
###
### Controls how the HTTP endpoints are configured. These are the primary
### mechanism for getting data into and out of InfluxDB.
###
[http]
# Determines whether HTTP endpoint is enabled.
# enabled = true
# Determines whether the Flux query endpoint is enabled.
flux-enabled = true
# The bind address used by the HTTP service.
# bind-address = ":8086"
# Determines whether user authentication is enabled over HTTP/HTTPS.
# auth-enabled = false
# The default realm sent back when issuing a basic auth challenge.
# realm = "InfluxDB"
# Determines whether HTTP request logging is enabled.
# log-enabled = true
# Determines whether the HTTP write request logs should be suppressed when the log is enabled.
# suppress-write-log = false
# When HTTP request logging is enabled, this option specifies the path where
# log entries should be written. If unspecified, the default is to write to stderr, which
# intermingles HTTP logs with internal InfluxDB logging.
#
# If influxd is unable to access the specified path, it will log an error and fall back to writing
# the request log to stderr.
# access-log-path = ""
# Filters which requests should be logged. Each filter is of the pattern NNN, NNX, or NXX where N is
# a number and X is a wildcard for any number. To filter all 5xx responses, use the string 5xx.
# If multiple filters are used, then only one has to match. The default is to have no filters which
# will cause every request to be printed.
# access-log-status-filters = []
# Determines whether detailed write logging is enabled.
# write-tracing = false
# Determines whether the pprof endpoint is enabled. This endpoint is used for
# troubleshooting and monitoring.
# pprof-enabled = true
# Enables a pprof endpoint that binds to localhost:6060 immediately on startup.
# This is only needed to debug startup issues.
# debug-pprof-enabled = false
# Determines whether HTTPS is enabled.
https-enabled = true
# The SSL certificate to use when HTTPS is enabled.
https-certificate = "/etc/ssl/influxdb.crt"
# Use a separate private key location.
https-private-key = "/etc/ssl/influxdb.key"
# The JWT auth shared secret to validate requests using JSON web tokens.
# shared-secret = ""
# The default chunk size for result sets that should be chunked.
# max-row-limit = 0
# The maximum number of HTTP connections that may be open at once. New connections that
# would exceed this limit are dropped. Setting this value to 0 disables the limit.
# max-connection-limit = 0
# Enable http service over unix domain socket
# unix-socket-enabled = false
# The path of the unix domain socket.
# bind-socket = "/var/run/influxdb.sock"
# The maximum size of a client request body, in bytes. Setting this value to 0 disables the limit.
# max-body-size = 25000000
# The maximum number of writes processed concurrently.
# Setting this to 0 disables the limit.
# max-concurrent-write-limit = 0
# The maximum number of writes queued for processing.
# Setting this to 0 disables the limit.
# max-enqueued-write-limit = 0
# The maximum duration for a write to wait in the queue to be processed.
# Setting this to 0 or setting max-concurrent-write-limit to 0 disables the limit.
# enqueued-write-timeout = 0
###
### [logging]
###
### Controls how the logger emits logs to the output.
###
[logging]
# Determines which log encoder to use for logs. Available options
# are auto, logfmt, and json. auto will use a more a more user-friendly
# output format if the output terminal is a TTY, but the format is not as
# easily machine-readable. When the output is a non-TTY, auto will use
# logfmt.
# format = "auto"
# Determines which level of logs will be emitted. The available levels
# are error, warn, info, and debug. Logs that are equal to or above the
# specified level will be emitted.
# level = "info"
# Suppresses the logo output that is printed when the program is started.
# The logo is always suppressed if STDOUT is not a TTY.
# suppress-logo = false
###
### [subscriber]
###
### Controls the subscriptions, which can be used to fork a copy of all data
### received by the InfluxDB host.
###
[subscriber]
# Determines whether the subscriber service is enabled.
# enabled = true
# The default timeout for HTTP writes to subscribers.
# http-timeout = "30s"
# Allows insecure HTTPS connections to subscribers. This is useful when testing with self-
# signed certificates.
# insecure-skip-verify = false
# The path to the PEM encoded CA certs file. If the empty string, the default system certs will be used
# ca-certs = ""
# The number of writer goroutines processing the write channel.
# write-concurrency = 40
# The number of in-flight writes buffered in the write channel.
# write-buffer-size = 1000
###
### [[graphite]]
###
### Controls one or many listeners for Graphite data.
###
[[graphite]]
# Determines whether the graphite endpoint is enabled.
# enabled = false
# database = "graphite"
# retention-policy = ""
# bind-address = ":2003"
# protocol = "tcp"
# consistency-level = "one"
# These next lines control how batching works. You should have this enabled
# otherwise you could get dropped metrics or poor performance. Batching
# will buffer points in memory if you have many coming in.
# Flush if this many points get buffered
# batch-size = 5000
# number of batches that may be pending in memory
# batch-pending = 10
# Flush at least this often even if we haven't hit buffer limit
# batch-timeout = "1s"
# UDP Read buffer size, 0 means OS default. UDP listener will fail if set above OS max.
# udp-read-buffer = 0
### This string joins multiple matching 'measurement' values providing more control over the final measurement name.
# separator = "."
### Default tags that will be added to all metrics. These can be overridden at the template level
### or by tags extracted from metric
# tags = ["region=us-east", "zone=1c"]
### Each template line requires a template pattern. It can have an optional
### filter before the template and separated by spaces. It can also have optional extra
### tags following the template. Multiple tags should be separated by commas and no spaces
### similar to the line protocol format. There can be only one default template.
# templates = [
# "*.app env.service.resource.measurement",
# # Default template
# "server.*",
# ]
###
### [collectd]
###
### Controls one or many listeners for collectd data.
###
[[collectd]]
# enabled = false
# bind-address = ":25826"
# database = "collectd"
# retention-policy = ""
#
# The collectd service supports either scanning a directory for multiple types
# db files, or specifying a single db file.
# typesdb = "/usr/local/share/collectd"
#
# security-level = "none"
# auth-file = "/etc/collectd/auth_file"
# These next lines control how batching works. You should have this enabled
# otherwise you could get dropped metrics or poor performance. Batching
# will buffer points in memory if you have many coming in.
# Flush if this many points get buffered
# batch-size = 5000
# Number of batches that may be pending in memory
# batch-pending = 10
# Flush at least this often even if we haven't hit buffer limit
# batch-timeout = "10s"
# UDP Read buffer size, 0 means OS default. UDP listener will fail if set above OS max.
# read-buffer = 0
# Multi-value plugins can be handled two ways.
# "split" will parse and store the multi-value plugin data into separate measurements
# "join" will parse and store the multi-value plugin as a single multi-value measurement.
# "split" is the default behavior for backward compatability with previous versions of influxdb.
# parse-multivalue-plugin = "split"
###
### [opentsdb]
###
### Controls one or many listeners for OpenTSDB data.
###
[[opentsdb]]
# enabled = false
# bind-address = ":4242"
# database = "opentsdb"
# retention-policy = ""
# consistency-level = "one"
# tls-enabled = false
# certificate= "/etc/ssl/influxdb.pem"
# Log an error for every malformed point.
# log-point-errors = true
# These next lines control how batching works. You should have this enabled
# otherwise you could get dropped metrics or poor performance. Only points
# metrics received over the telnet protocol undergo batching.
# Flush if this many points get buffered
# batch-size = 1000
# Number of batches that may be pending in memory
# batch-pending = 5
# Flush at least this often even if we haven't hit buffer limit
# batch-timeout = "1s"
###
### [[udp]]
###
### Controls the listeners for InfluxDB line protocol data via UDP.
###
[[udp]]
# enabled = false
# bind-address = ":8089"
# database = "udp"
# retention-policy = ""
# InfluxDB precision for timestamps on received points ("" or "n", "u", "ms", "s", "m", "h")
# precision = ""
# These next lines control how batching works. You should have this enabled
# otherwise you could get dropped metrics or poor performance. Batching
# will buffer points in memory if you have many coming in.
# Flush if this many points get buffered
# batch-size = 5000
# Number of batches that may be pending in memory
# batch-pending = 10
# Will flush at least this often even if we haven't hit buffer limit
# batch-timeout = "1s"
# UDP Read buffer size, 0 means OS default. UDP listener will fail if set above OS max.
# read-buffer = 0
###
### [continuous_queries]
###
### Controls how continuous queries are run within InfluxDB.
###
[continuous_queries]
# Determines whether the continuous query service is enabled.
# enabled = true
# Controls whether queries are logged when executed by the CQ service.
# log-enabled = true
# Controls whether queries are logged to the self-monitoring data store.
# query-stats-enabled = false
# interval for how often continuous queries will be checked if they need to run
# run-interval = "1s"
###
### [tls]
###
### Global configuration settings for TLS in InfluxDB.
###
[tls]
# Determines the available set of cipher suites. See https://golang.org/pkg/crypto/tls/#pkg-constants
# for a list of available ciphers, which depends on the version of Go (use the query
# SHOW DIAGNOSTICS to see the version of Go used to build InfluxDB). If not specified, uses
# the default settings from Go's crypto/tls package.
# ciphers = [
# "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
# "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
# ]
ciphers = [
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
]
# Minimum version of the tls protocol that will be negotiated. If not specified, uses the
# default settings from Go's crypto/tls package.
# min-version = "tls1.2"
# Maximum version of the tls protocol that will be negotiated. If not specified, uses the
# default settings from Go's crypto/tls package.
# max-version = "tls1.2"


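--- /dev/null
+++ b/influxdb/etc/influxdb.conf.jinja
@@ -0,0 +1,26 @@
+{%- import_yaml 'influxdb/defaults.yaml' as INFLUXDEFAULTS %}
+{%- set INFLUXMERGED = salt['pillar.get']('influxdb', default=INFLUXDEFAULTS.influxdb, merge=true) %}
+{%- for header in INFLUXMERGED.config.keys() %}
+{%- if header in ['graphite', 'collectd', 'opentsdb', 'udp'] %}
+[[{{header}}]]
+{%- else %}
+[{{header}}]
+{%- endif %}
+{%- for k, v in INFLUXMERGED.config[header].items() %}
+{#- is v a list? #}
+{%- if v is iterable and (v is not string and v is not mapping) %}
+{{k}} = [
+{%- for li in v %}
+"{{li}}",
+{%- endfor %}
+]
+{%- elif v is string %}
+{{k}} = "{{v}}"
+{%- elif v is boolean %}
+{{k}} = {{v|string|lower}}
+{%- else %}
+{{k}} = {{v}}
+{%- endif %}
+{%- endfor %}
+{%- endfor %}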
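Review bot: String values are interpolated into TOML basic strings without any escaping at `{{k}} = "{{v}}"` and `"{{li}}",`, so a pillar value containing `"` or `\` (a path, a `shared-secret`, an `access-log-path`) yields an invalid or silently altered influxdb.conf and influxd will refuse to start. Salt's `json` filter emits a double-quoted string whose escapes (`\"`, `\\`, `\uXXXX`) are all valid TOML, so `{{k}} = {{ v|json }}` and `{{ li|json }},` close the gap without changing output for plain values. The final `else` branch writes `{{v}}` raw, which turns a `None` pillar value (a key emptied in pillar) into the bare word `None`; a preceding `{%- elif v is none %}` branch that skips the key would avoid producing an unparsable line.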


@@ -41,14 +41,12 @@ influxdbconf:
- user: 939
- group: 939
- template: jinja
- source: salt://influxdb/etc/influxdb.conf
- source: salt://influxdb/etc/influxdb.conf.jinja
so-influxdb:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-influxdb:{{ GLOBALS.so_version }}
- hostname: influxdb
- environment:
- INFLUXDB_HTTP_LOG_ENABLED=false
- binds:
- /opt/so/log/influxdb/:/log:rw
- /opt/so/conf/influxdb/etc/influxdb.conf:/etc/influxdb/influxdb.conf:ro
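Review bot: The rendered `influxdb.conf` can now carry `http.shared-secret` (the JWT signing secret) straight from pillar, but the visible part of `influxdbconf` only sets `user`/`group` 939 and no `mode`; the state begins above this hunk, so if `mode` is not set there, add `- mode: 600` so the secret is not world-readable on the host (the container already gets the file read-only). If the `INFLUXDB_HTTP_LOG_ENABLED=false` environment line survives this change, it duplicates `http.log-enabled` in defaults.yaml and InfluxDB's env overrides win for that one key; the old/new side of those two lines is not recoverable from this rendering, but dropping the env entry keeps pillar the single source of truth. Whether `so-influxdb` watches `influxdbconf` so a pillar edit restarts the container is also outside the hunk and worth confirming.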


@@ -1,4 +1,340 @@
influxdb:
config:
meta:
logging-enabled:
description: Enable InfluxDB meta server logging.
global: True
helpLink: influxdb.html
data:
wal-fsync-delay:
description: The amount of time that a write will wait before fsyncing.
global: True
helpLink: influxdb.html
index-version:
description: The type of shard index to use for new shards.
global: True
helpLink: influxdb.html
trace-logging-enabled:
description: Trace logging provides more verbose output around the tsm engine.
global: True
advanced: True
helpLink: influxdb.html
query-log-enabled:
description: Whether queries should be logged before execution.
global: True
helpLink: influxdb.html
validate-keys:
description: Validates incoming writes to ensure keys only have valid unicode characters.
global: True
advanced: True
helpLink: influxdb.html
cache-max-memory-size:
description: The maximum size a shard's cache can reach before it starts rejecting writes.
global: True
helpLink: influxdb.html
cache-snapshot-memory-size:
description: The size at which the engine will snapshot the cache and write it to a TSM file, freeing up memory.
global: True
advanced: True
helpLink: influxdb.html
cache-snapshot-write-cold-duration:
description: The length of time at which the engine will snapshot the cache and write it to a new TSM file if the shard hasn't received writes or deletes.
global: True
advanced: True
helpLink: influxdb.html
compact-full-write-cold-duration:
description: The duration at which the engine will compact all TSM files in a shard if it hasn't received a write or delete.
global: True
advanced: True
helpLink: influxdb.html
max-concurrent-compactions:
description: The maximum number of concurrent full and level compactions that can run at one time.
global: True
helpLink: influxdb.html
compact-throughput:
description: The rate limit in bytes per second that we will allow TSM compactions to write to disk.
global: True
advanced: True
helpLink: influxdb.html
compact-throughput-burst:
description: The rate limit in bytes per second that we will allow TSM compactions to write to disk.
global: True
advanced: True
helpLink: influxdb.html
max-index-log-file-size:
description: The threshold, in bytes, when an index write-ahead log file will compact into an index file.
global: True
advanced: True
helpLink: influxdb.html
max-series-per-database:
description: The maximum series allowed per database before writes are dropped.
global: True
advanced: True
helpLink: influxdb.html
max-values-per-tag:
description: The maximum number of tag values per tag that are allowed before writes are dropped.
global: True
advanced: True
helpLink: influxdb.html
tsm-use-madv-willneed:
description: If true, then the mmap advise value MADV_WILLNEED will be provided to the kernel with respect to TSM files.
global: True
advanced: True
helpLink: influxdb.html
coordinator:
write-timeout:
description: The default time a write request will wait until a "timeout" error is returned to the caller.
global: True
helpLink: influxdb.html
max-concurrent-queries:
description: The maximum number of concurrent queries allowed to be executing at one time.
global: True
helpLink: influxdb.html
query-timeout:
description: The maximum time a query will is allowed to execute before being killed by the system.
global: True
helpLink: influxdb.html
log-queries-after:
description: The time threshold when a query will be logged as a slow query.
global: True
helpLink: influxdb.html
max-select-point:
description: The maximum number of points a SELECT can process.
global: True
advanced: True
helpLink: influxdb.html
max-select-series:
description: The maximum number of series a SELECT can run.
global: True
advanced: True
helpLink: influxdb.html
max-select-buckets:
description: The maxium number of group by time bucket a SELECT can create.
global: True
advanced: True
helpLink: influxdb.html
retention:
enabled:
description: Determines whether retention policy enforcement enabled.
global: True
advanced: True
helpLink: influxdb.html
check-interval:
description: The interval of time when retention policy enforcement checks run.
global: True
helpLink: influxdb.html
shard-precreation:
enabled:
description: Determines whether shard pre-creation service is enabled.
global: True
advanced: True
helpLink: influxdb.html
check-interval:
description: The interval of time when the check to pre-create new shards runs.
global: True
helpLink: influxdb.html
advance-period:
description: The default period ahead of the endtime of a shard group that its successor group is created.
global: True
advanced: True
helpLink: influxdb.html
monitor:
store-enabled:
description: Whether to record statistics internally.
global: True
helpLink: influxdb.html
store-database:
description: The destination database for recorded statistics.
global: True
advanced: True
helpLink: influxdb.html
store-interval:
description: The interval at which to record statistics.
global: True
helpLink: influxdb.html
http:
enabled:
description: Determines whether HTTP endpoint is enabled.
global: True
advanced: True
helpLink: influxdb.html
flux-enabled:
description: Determines whether the Flux query endpoint is enabled.
global: True
advanced: True
helpLink: influxdb.html
bind-address:
description: The bind address used by the HTTP service.
global: True
advanced: True
helpLink: influxdb.html
auth-enabled:
description: Determines whether user authentication is enabled over HTTP/HTTPS.
global: True
advanced: True
helpLink: influxdb.html
realm:
description: The default realm sent back when issuing a basic auth challenge.
global: True
advanced: True
helpLink: influxdb.html
log-enabled:
description: Determines whether HTTP request logging is enabled.
global: True
helpLink: influxdb.html
suppress-write-log:
description: Determines whether the HTTP write request logs should be suppressed when the log is enabled.
global: True
helpLink: influxdb.html
access-log-path:
description: Path for http access logs.
global: True
advanced: True
helpLink: influxdb.html
access-log-status-filters:
description: Filters which requests should be logged.
global: True
advanced: True
helpLink: influxdb.html
write-tracing:
description: Determines whether detailed write logging is enabled.
global: True
advanced: True
helpLink: influxdb.html
pprof-enabled:
description: Determines whether the pprof endpoint is enabled.
global: True
advanced: True
helpLink: influxdb.html
debug-pprof-enabled:
description: Determines whether the pprof endpoint is enabled in debug mode.
global: True
advanced: True
helpLink: influxdb.html
https-enabled:
description: Determines whether HTTPS is enabled.
global: True
helpLink: influxdb.html
https-certificate:
description: The SSL certificate to use when HTTPS is enabled.
global: True
advanced: True
helpLink: influxdb.html
https-private-key:
description: Use a separate private key location.
global: True
advanced: True
helpLink: influxdb.html
shared-secret:
description: The JWT auth shared secret to validate requests using JSON web tokens.
global: True
advanced: True
helpLink: influxdb.html
max-row-limit:
description: The default chunk size for result sets that should be chunked.
global: True
helpLink: influxdb.html
max-connection-limit:
description: The maximum number of HTTP connections that may be open at once.
global: True
helpLink: influxdb.html
unix-socket-enabled:
description: Enable http service over unix domain socket.
global: True
advanced: True
helpLink: influxdb.html
bind-socket:
description: The path of the unix domain socket.
global: True
advanced: True
helpLink: influxdb.html
max-body-size:
description: The maximum size of a client request body, in bytes.
global: True
helpLink: influxdb.html
max-concurrent-write-limit:
description: The maximum number of writes processed concurrently.
global: True
helpLink: influxdb.html
max-enqueued-write-limit:
description: The maximum number of writes queued for processing.
global: True
helpLink: influxdb.html
enqueued-write-timeout:
description: The maximum duration for a write to wait in the queue to be processed.
global: True
helpLink: influxdb.html
logging:
format:
description: Determines which log encoder to use for logs.
global: True
helpLink: influxdb.html
level:
description: Determines which level of logs will be emitted.
global: True
helpLink: influxdb.html
suppress-logo:
description: Suppresses the logo output that is printed when the program is started.
global: True
helpLink: influxdb.html
subscriber:
enabled:
description: Determines whether the subscriber service is enabled.
global: True
advanced: True
helpLink: influxdb.html
http-timeout:
description: The default timeout for HTTP writes to subscribers.
global: True
helpLink: influxdb.html
insecure-skip-verify:
description: Allows insecure HTTPS connections to subscribers.
global: True
advanced: True
helpLink: influxdb.html
ca-certs:
description: The path to the PEM encoded CA certs file.
global: True
advanced: True
helpLink: influxdb.html
write-concurrency:
description: he number of writer goroutines processing the write channel.
global: True
helpLink: influxdb.html
write-buffer-size:
description: The number of in-flight writes buffered in the write channel.
global: True
helpLink: influxdb.html
continuous_queries:
enabled:
description: Determines whether the continuous query service is enabled.
global: True
helpLink: influxdb.html
log-enabled:
description: Controls whether queries are logged when executed by the CQ service.
global: True
helpLink: influxdb.html
query-stats-enabled:
description: Controls whether queries are logged to the self-monitoring data store.
global: True
helpLink: influxdb.html
run-interval:
description: Interval for how often continuous queries will be checked if they need to run.
global: True
helpLink: influxdb.html
tls:
ciphers:
description: Determines the available set of cipher suites.
global: True
helpLink: influxdb.html
min-version:
description: Minimum version of the tls protocol that will be negotiated.
global: True
helpLink: influxdb.html
max-version:
description: Maximum version of the tls protocol that will be negotiated.
global: True
helpLink: influxdb.html
retention_policies:
so_short_term:
duration:

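--- a/salt/kratos/defaults.yaml
+++ b/salt/kratos/defaults.yaml
@@ -0,0 +1,52 @@
+kratos:
+config:
+session:
+lifespan: 24h
+whoami:
+required_aal: highest_available
+selfservice:
+methods:
+password:
+enabled: true
+config:
+haveibeenpwned_enabled: false
+totp:
+enabled: true
+config:
+issuer: Security Onion
+flows:
+settings:
+ui_url: https://URL_BASE/?r=/settings
+required_aal: highest_available
+verification:
+ui_url: https://URL_BASE/
+login:
+ui_url: https://URL_BASE/login/
+error:
+ui_url: https://URL_BASE/login/
+registration:
+ui_url: https://URL_BASE/login/
+default_browser_return_url: https://URL_BASE/
+allowed_return_urls:
+- http://127.0.0.1
+log:
+level: debug
+format: json
+secrets:
+default: []
+serve:
+public:
+base_url: https://URL_BASE/auth/
+admin:
+base_url: https://URL_BASE/kratos/
+hashers:
+bcrypt:
+cost: 12
+identity:
+default_schema_id: default
+schemas:
+- id: default
+url: file:///kratos-conf/schema.json
+courier:
+smtp:
+connection_uri: smtps://URL_BASE:25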
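Review bot: `secrets: default: []` ships the list that, per the soc_kratos.yaml description, holds the key protecting session cookie data, and the only thing that fills it is the pillar merge in kratos.yaml.jinja, so a missing or empty `kratos:config:secrets:default` pillar renders a kratos.yaml with no secret at all. I would put a comment directly above it so nobody treats the empty list as a usable default: `# Populated from pillar kratos:config:secrets:default at install time; must never be empty in a deployed config.` Separately, `log: level: debug` is a noisy shipped default for the identity service; unless debug output is needed in normal operation, `level: info` is the safer default, with debug left to the SOC setting when troubleshooting.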


@@ -1,68 +0,0 @@
{%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%}
{%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '') -%}
{%- set MFA_ISSUER = salt['pillar.get']('kratos:mfa_issuer', '') -%}
session:
lifespan: {{ SESSIONTIMEOUT }}
whoami:
required_aal: highest_available
selfservice:
methods:
password:
enabled: true
config:
haveibeenpwned_enabled: false
totp:
enabled: true
config:
issuer: {{ MFA_ISSUER }}
flows:
settings:
ui_url: https://{{ GLOBALS.url_base }}/?r=/settings
required_aal: highest_available
verification:
ui_url: https://{{ GLOBALS.url_base }}/
login:
ui_url: https://{{ GLOBALS.url_base }}/login/
error:
ui_url: https://{{ GLOBALS.url_base }}/login/
registration:
ui_url: https://{{ GLOBALS.url_base }}/login/
default_browser_return_url: https://{{ GLOBALS.url_base }}/
allowed_return_urls:
- http://127.0.0.1
log:
level: debug
format: json
secrets:
default:
- {{ KRATOSKEY }}
serve:
public:
base_url: https://{{ GLOBALS.url_base }}/auth/
admin:
base_url: https://{{ GLOBALS.url_base }}/kratos/
hashers:
bcrypt:
cost: 12
identity:
default_schema_id: default
schemas:
- id: default
url: file:///kratos-conf/schema.json
courier:
smtp:
connection_uri: smtps://{{ GLOBALS.url_base }}:25


@@ -0,0 +1,14 @@
{%- import_yaml 'kratos/defaults.yaml' as KRATOSDEFAULTS %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.login.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.login.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.error.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.error.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.update({'default_browser_return_url': KRATOSDEFAULTS.kratos.config.selfservice.default_browser_return_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.serve.public.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.public.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.serve.admin.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.admin.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.courier.smtp.update({'connection_uri': KRATOSDEFAULTS.kratos.config.courier.smtp.connection_uri | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- set KRATOSMERGED = salt['pillar.get']('kratos:config', default=KRATOSDEFAULTS.kratos.config, merge=true) %}
{{- KRATOSMERGED | yaml(false) }}
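Review bot: The output on the last line emits whatever the merge produced with no check that `secrets.default` is non-empty, even though the defaults file ships it as `[]` and the soc_kratos.yaml description says the key is generated at install time; a missing pillar value therefore yields a kratos.yaml with no session secret rather than a failed state run. A guard before the output line would make that loud: `{%- if not KRATOSMERGED.secrets.default %}`, `{{ raise('kratos:config:secrets:default is empty; refusing to render kratos.yaml') }}`, `{%- endif %}` (Salt exposes `raise` to its Jinja renderer). It is also worth a comment at the top of the template that the URL_BASE substitution runs on the defaults before the pillar merge, so a pillar override of any of these URLs must already contain the real host rather than the placeholder.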


@@ -43,25 +43,25 @@ kratoslogdir:
- group: 928
- makedirs: True
kratossync:
file.recurse:
- name: /opt/so/conf/kratos
- source: salt://kratos/files
kratosschema:
file.managed:
- name: /opt/so/conf/kratos/schema.json
- source: salt://kratos/files/schema.json
- user: 928
- group: 928
- file_mode: 600
- mode: 600
kratosconfig:
file.managed:
- name: /opt/so/conf/kratos/kratos.yaml
- source: salt://kratos/files/kratos.yaml.jinja
- user: 928
- group: 928
- mode: 600
- template: jinja
- defaults:
GLOBALS: {{ GLOBALS }}
kratos_schema:
file.exists:
- name: /opt/so/conf/kratos/schema.json
kratos_yaml:
file.exists:
- name: /opt/so/conf/kratos/kratos.yaml
so-kratos:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kratos:{{ GLOBALS.so_version }}
@@ -77,10 +77,11 @@ so-kratos:
- 0.0.0.0:4434:4434
- restart_policy: unless-stopped
- watch:
- file: /opt/so/conf/kratos
- file: kratosschema
- file: kratosconfig
- require:
- file: kratos_schema
- file: kratos_yaml
- file: kratosschema
- file: kratosconfig
- file: kratoslogdir
- file: kratosdir

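--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -0,0 +1,128 @@
+kratos:
+config:
+session:
+lifespan:
+description: Defines the length of a login session.
+global: True
+helpLink: kratos.html
+whoami:
+required_aal:
+description: Sets the Authenticator Assurance Level. Leave as default to ensure proper security protections remain in place.
+global: True
+advanced: True
+helpLink: kratos.html
+selfservice:
+methods:
+password:
+enabled:
+description: Set to True to enable traditional password authentication. Leave as default to ensure proper security protections remain in place.
+global: True
+advanced: True
+helpLink: kratos.html
+config:
+haveibeenpwned_enabled:
+description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
+global: True
+advanced: True
+helpLink: kratos.html
+totp:
+enabled:
+description: Set to True to enable Time-based One-Time Password (TOTP) MFA authentication. Leave as default to ensure proper security protections remain in place.
+global: True
+advanced: True
+helpLink: kratos.html
+config:
+issuer:
+description: The name to show in the MFA authenticator app. Useful for differentiating between installations that share the same user email address.
+global: True
+advanced: True
+helpLink: kratos.html
+flows:
+settings:
+ui_url:
+description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation.
+global: True
+advanced: True
+helpLink: kratos.html
+required_aal:
+description: Sets the Authenticator Assurance Level for accessing user self-service profile and security settings. Leave as default to ensure proper security enforcement remains in place.
+global: True
+advanced: True
+helpLink: kratos.html
+verification:
+ui_url:
+description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
+global: True
+advanced: True
+helpLink: kratos.html
+login:
+ui_url:
+description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
+global: True
+advanced: True
+helpLink: kratos.html
+error:
+ui_url:
+description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
+global: True
+advanced: True
+helpLink: kratos.html
+registration:
+ui_url:
+description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
+global: True
+advanced: True
+helpLink: kratos.html
+default_browser_return_url:
+description: Security Onion Console landing page URL. Leave as default to ensure proper operation.
+global: True
+advanced: True
+helpLink: kratos.html
+allowed_return_urls:
+description: Internal redirect URL. Leave as default to ensure proper operation.
+global: True
+advanced: True
+helpLink: kratos.html
+log:
+level:
+description: Log level to use for Kratos logs.
+global: True
+helpLink: kratos.html
+format:
+description: Log output format for Kratos logs.
+global: True
+helpLink: kratos.html
+secrets:
+default:
+description: Secret key used for protecting session cookie data. Generated during installation.
+global: True
+sensitive: True
+advanced: True
+helpLink: kratos.html
+serve:
+public:
+base_url:
+description: User accessible URL for authenticating to Kratos. Leave as default for proper operation.
+global: True
+advanced: True
+helpLink: kratos.html
+admin:
+base_url:
+description: User accessible URL for accessing Kratos administration API. Leave as default for proper operation.
+global: True
+advanced: True
+helpLink: kratos.html
+hashers:
+bcrypt:
+cost:
+description: Bcrypt hashing algorithm cost. Higher values consume more CPU and take longer to complete. Actual cost is computed as 2^X where X is the value in this setting.
+global: True
+advanced: True
+helpLink: kratos.html
+courier:
+smtp:
+connection_uri:
+description: SMTPS URL for sending outbound account-related emails. Not utilized with the standard Security Onion installation.
+global: True
+advanced: True
+helpLink: kratos.html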
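Review bot: The `allowed_return_urls` description ("Internal redirect URL") understates what the setting controls: as I understand Kratos, it is the allow-list that `return_to` targets are checked against, so adding an entry widens where a login or settings flow can redirect the browser. I would change it to `description: Allow-list of URLs that Kratos may redirect the browser to after a self-service flow completes. Adding entries widens where a login flow can send users; leave as default to ensure proper operation.` Similarly the `serve.admin.base_url` description calls the administration API "User accessible"; the admin API is not meant to be reached by end users, so wording such as `description: Base URL of the Kratos administration API. Not intended for end-user access; leave as default for proper operation.` avoids suggesting it should be exposed.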

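--- a/salt/redis/defaults.yaml
+++ b/salt/redis/defaults.yaml
@@ -0,0 +1,89 @@
+redis:
+config:
+bind: '0.0.0.0'
+protected-mode: 'no'
+tls-cert-file: '/certs/redis.crt'
+tls-key-file: '/certs/redis.key'
+tls-ca-cert-file: '/certs/ca.crt'
+tls-port: 9696
+tls-auth-clients: 'no'
+port: 6379
+tcp-backlog: 511
+timeout: 0
+tcp-keepalive: 300
+tls-replication: 'no'
+tls-cluster: 'no'
+tls-protocols: '"TLSv1.2 TLSv1.3"'
+tls-prefer-server-ciphers: 'yes'
+tls-session-caching: 'yes'
+tls-session-cache-size: 20480
+tls-session-cache-timeout: 300
+daemonize: 'no'
+supervised: 'no'
+pidfile: '/var/run/redis_6379.pid'
+loglevel: 'notice'
+logfile: '"/var/log/redis/redis-server.log"'
+syslog-enabled: 'no'
+syslog-ident: 'redis'
+syslog-facility: 'local0'
+databases: 16
+always-show-logo: 'yes'
+save:
+900: 1
+300: 10
+60: 1000
+stop-writes-on-bgsave-error: 'yes'
+rdbcompression: 'yes'
+rdbchecksum: 'yes'
+dbfilename: 'dump.rdb'
+rdb-del-sync-files: 'no'
+dir: './'
+replica-serve-stale-data: 'yes'
+replica-read-only: 'yes'
+repl-diskless-sync: 'no'
+repl-diskless-sync-delay: 5
+repl-diskless-load: 'disabled'
+repl-disable-tcp-nodelay: 'no'
+replica-priority: 100
+acllog-max-len: 128
+maxmemory: '812m'
+maxmemory-policy: 'noeviction'
+maxmemory-samples: 5
+lazyfree-lazy-eviction: 'no'
+lazyfree-lazy-expire: 'no'
+lazyfree-lazy-server-del: 'no'
+replica-lazy-flush: 'no'
+lazyfree-lazy-user-del: 'no'
+appendonly: 'no'
+appendfilename: '"appendonly.aof"'
+appendfsync: 'everysec'
+no-appendfsync-on-rewrite: 'no'
+auto-aof-rewrite-percentage: 100
+auto-aof-rewrite-min-size: '64mb'
+aof-load-truncated: 'yes'
+aof-use-rdb-preamble: 'yes'
+lua-time-limit: 5000
+slowlog-log-slower-than: 10000
+slowlog-max-len: 128
+latency-monitor-threshold: 0
+notify-keyspace-events: '""'
+hash-max-ziplist-entries: 512
+hash-max-ziplist-value: 64
+list-max-ziplist-size: -2
+list-compress-depth: 0
+set-max-intset-entries: 512
+zset-max-ziplist-entries: 128
+zset-max-ziplist-value: 64
+hll-sparse-max-bytes: 3000
+stream-node-max-bytes: 4096
+stream-node-max-entries: 100
+activerehashing: 'yes'
+client-output-buffer-limit:
+normal: '0 0 0'
+replica: '256mb 64mb 60'
+pubsub: '32mb 8mb 60'
+hz: 10
+dynamic-hz: 'yes'
+aof-rewrite-incremental-fsync: 'yes'
+rdb-save-incremental-fsync: 'yes'
+jemalloc-bg-thread: 'yes'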
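Review bot: As shipped, `bind: '0.0.0.0'`, `protected-mode: 'no'`, `port: 6379` and `tls-auth-clients: 'no'` together leave a plaintext Redis listener on every interface with no authentication, next to a TLS listener on 9696 that also accepts any client without a certificate; reachability then depends entirely on the host firewall, which is outside this file. If every consumer talks to the TLS port, `port: 0` disables the plaintext listener, and since a CA file is already configured, `tls-auth-clients: 'yes'` would require clients to present a certificate signed by it — whether the clients already hold such certificates is not visible here, so treat that as something to confirm rather than flip blindly. The quoting of `'yes'`/`'no'` is deliberate and should be kept, ideally with a comment saying so: unquoted they parse as YAML booleans and the template would render `True`/`False` into redis.conf, which Redis does not accept for yes/no options.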



@@ -0,0 +1,12 @@
{%- import_yaml 'redis/defaults.yaml' as REDISDEFAULTS %}
{%- set REDISMERGED = salt['pillar.get']('redis', default=REDISDEFAULTS.redis, merge=true) %}
{%- for k, v in REDISMERGED.config.items() %}
{%- if v is iterable and v is not string %}
{%- for v1, v2 in v.items() %}
{{k}} {{v1}} {{v2}}
{%- endfor %}
{%- else %}
{{ k }} {{ v }}
{%- endif %}
{%- endfor %}
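Review bot: `{%- if v is iterable and v is not string %}` is true for any list as well as for the mapping values it is meant to catch (`save`, `client-output-buffer-limit`), so a list supplied through pillar would pass the test and then fail on `.items()`; `{%- if v is mapping %}` states the intent and avoids that. I would also add a comment at the top of the template noting that every value is written into redis.conf verbatim with no validation, so anything an operator sets through the SOC configuration (for example `bind`, `logfile`, `dir`) lands in the file unchanged and a value containing a newline would become an additional directive; whether the SOC UI already constrains these values is not visible from here.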


@@ -36,7 +36,7 @@ redislogdir:
redisconf:
file.managed:
- name: /opt/so/conf/redis/etc/redis.conf
- source: salt://redis/etc/redis.conf
- source: salt://redis/etc/redis.conf.jinja
- user: 939
- group: 939
- template: jinja

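--- a/salt/redis/soc_redis.yaml
+++ b/salt/redis/soc_redis.yaml
@@ -0,0 +1,275 @@
+redis:
+config:
+bind:
+description: The IP address to bind to.
+global: True
+advanced: True
+helpLink: redis.html
+protected-mode:
+description: Force authentication to access redis.
+global: True
+advanced: True
+helpLink: redis.html
+tls-cert-file:
+description: TLS cert file location.
+global: True
+advanced: True
+helpLink: redis.html
+tls-key-file:
+description: TLS key file location.
+global: True
+advanced: True
+helpLink: redis.html
+tls-ca-cert-file:
+description: TLS CA file location.
+global: True
+advanced: True
+helpLink: redis.html
+tls-port:
+description: Port to use TLS encryption on.
+global: True
+advanced: True
+helpLink: redis.html
+tls-auth-clients:
+description: Force TLS authentication.
+global: True
+advanced: True
+helpLink: redis.html
+port:
+description: Non TLS port for Redis access.
+global: True
+advanced: True
+helpLink: redis.html
+tcp-backlog:
+description: Set the TCP backlog value. This is normally increasd in high request environments.
+global: True
+advanced: True
+helpLink: redis.html
+timeout:
+description: Time in seconds to close an idle connection. 0 to disable.
+global: True
+helpLink: redis.html
+tcp-keepalive:
+description: Time in seconds to send a keepalive.
+global: True
+helpLink: redis.html
+tls-replication:
+description: Enable TLS replication links.
+global: True
+advanced: True
+helpLink: redis.html
+tls-protocols:
+description: List of acceptable TLS protocols separated by spaces.
+global: True
+advanced: True
+helpLink: redis.html
+tls-prefer-server-ciphers:
+description: Prefer the server side ciphers.
+global: True
+advanced: True
+helpLink: redis.html
+tls-session-caching:
+description: Enable TLS session caching.
+global: True
+helpLink: redis.html
+tls-session-cache-size:
+description: The number of TLS sessions to cache.
+global: True
+advanced: True
+helpLink: redis.html
+tls-session-cache-timeout:
+description: Timeout in seconds to cache TLS sessions.
+global: True
+advanced: True
+helpLink: redis.html
+loglevel:
+description: Log verbosity level.
+global: True
+helpLink: redis.html
+logfile:
+description: Log file name.
+global: True
+advanced: True
+helpLink: redis.html
+syslog-enabled:
+description: Enable syslog output.
+global: True
+advanced: True
+helpLink: redis.html
+syslog-ident:
+description: Set the syslog identity.
+global: True
+advanced: True
+helpLink: redis.html
+syslog-facility:
+description: Set the syslog facility.
+global: True
+advanced: True
+helpLink: redis.html
+databases:
+description: Total amount of databases.
+global: True
+advanced: True
+helpLink: redis.html
+always-show-logo:
+description: The amount of time that a write will wait before fsyncing.
+global: True
+advanced: True
+helpLink: redis.html
+save:
+900:
+description: Set the amount of keys that need to change to save after 15 minutes.
+global: True
+helpLink: redis.html
+300:
+description: Set the amount of keys that need to change to save after 5 minutes.
+global: True
+helpLink: redis.html
+60:
+description: Set the amount of keys that need to change to save after 1 minute
+global: True
+helpLink: redis.html
+stop-writes-on-bgsave-error:
+description: Stop writes to redis is there is an error with the save.
+global: True
+advanced: True
+helpLink: redis.html
+rdbcompression:
+description: Compress string objects with LZF.
+global: True
+advanced: True
+helpLink: redis.html
+rdbchecksum:
+description: Enable checksum of rdb files.
+global: True
+advanced: True
+helpLink: redis.html
+dbfilename:
+description: Filename of the rdb saves.
+global: True
+advanced: True
+helpLink: redis.html
+acllog-max-len:
+description: Maximum length of the ACL log.
+global: True
+advanced: True
+helpLink: redis.html
+maxmemory:
+description: Maximum memory for storing redis objects.
+global: True
+helpLink: redis.html
+maxmemory-policy:
+description: The policy to use when maxmemory is reached.
+global: True
+helpLink: redis.html
+maxmemory-samples:
+description: maxmemory sample size.
+global: True
+advanced: True
+helpLink: redis.html
+lua-time-limit:
+description: Maximum execution time of LUA scripts.
+global: True
+advanced: True
+helpLink: redis.html
+slowlog-log-slower-than:
+description: Time in microseconds to write to the slow log.
+global: True
+advanced: True
+helpLink: redis.html
+slowlog-max-len:
+description: Maximum size of the slow log.
+global: True
+advanced: True
+helpLink: redis.html
+hash-max-ziplist-entries:
+description: Used for advanced performance tuning of Redis.
+global: True
+advanced: True
+helpLink: redis.html
+hash-max-ziplist-value:
+description: Used for advanced performance tuning of Redis.
+global: True
+advanced: True
+helpLink: redis.html
+list-max-ziplist-size:
+description: Used for advanced performance tuning of Redis.
+global: True
+advanced: True
+helpLink: redis.html
+list-compress-depth:
+description: Depth for list compression.
+global: True
+advanced: True
+helpLink: redis.html
+set-max-intset-entries:
+description: Sets the limit on the size of the set in order to use the special memory saving encoding.
+global: True
+advanced: True
+helpLink: redis.html
+zset-max-ziplist-entries:
+description: Used for advanced performance tuning of Redis.
+global: True
+advanced: True
+helpLink: redis.html
+zset-max-ziplist-value:
+description: Used for advanced performance tuning of Redis.
+global: True
+advanced: True
+helpLink: redis.html
+hll-sparse-max-bytes:
+description: Used for advanced performance tuning of Redis.
+global: True
+advanced: True
+helpLink: redis.html
+stream-node-max-bytes:
+description: Used for advanced performance tuning of Redis.
+global: True
+advanced: True
+helpLink: redis.html
+stream-node-max-entries:
+description: Used for advanced performance tuning of Redis.
+global: True
+advanced: True
+helpLink: redis.html
+activerehashing:
+description: Used for advanced performance tuning of Redis.
+global: True
+advanced: True
+helpLink: redis.html
+client-output-buffer-limit:
+normal:
+description: Used for advanced performance tuning of Redis.
+global: True
+advanced: True
+helpLink: redis.html
+replica:
+description: Used for advanced performance tuning of Redis.
+global: True
+advanced: True
+helpLink: redis.html
+pubsub:
+description: Used for advanced performance tuning of Redis.
+global: True
+advanced: True
+helpLink: redis.html
+hz:
+description: Used for advanced performance tuning of Redis.
+global: True
+advanced: True
+helpLink: redis.html
+dynamic-hz:
+description: Used for advanced performance tuning of Redis.
+global: True
+advanced: True
+helpLink: redis.html
+rdb-save-incremental-fsync:
+description: fsync redis data.
+global: True
+advanced: True
+helpLink: redis.html
+jemalloc-bg-thread:
+description: Jemalloc background thread for purging.
+global: True
+advanced: True
+helpLink: redis.html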
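Review bot: The `always-show-logo` description ("The amount of time that a write will wait before fsyncing") is a copy-paste error and should read `description: Show the Redis ASCII logo in the log on startup.` The `protected-mode` description ("Force authentication to access redis") is misleading in a way that matters for a setting shipped as `'no'`: protected mode does not enforce authentication, it only refuses connections from non-loopback addresses when no bind address or password has been configured, so something like `description: Refuse connections from non-loopback addresses when no bind address or password is configured. Does not by itself require authentication.` would stop operators reading it as an auth control. `tls-auth-clients` ("Force TLS authentication") would likewise be clearer as `description: Require clients on the TLS port to present a certificate signed by the configured CA (mutual TLS).`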


@@ -1383,9 +1383,10 @@ kratos_pillar() {
touch $adv_kratos_pillar_file
printf '%s\n'\
"kratos:"\
" kratoskey: '$KRATOSKEY'"\
" sessiontimeout: '24h'"\
" mfa_issuer: 'Security Onion'"\
" config:"\
" secrets:"\
" default:"\
" - '$KRATOSKEY'"\
"" > "$kratos_pillar_file"
}
@@ -1494,9 +1495,13 @@ docker_pillar() {
redis_pillar() {
title "Create the redis pillar file"
touch $adv_redis_pillar_file
printf '%s\n'\
"redis_settings:"\
" redis_maxmemory: 812" > "$redis_pillar_file"
touch $redis_pillar_file
}
influxdb_pillar() {
title "Create the influxdb pillar file"
touch $adv_influxdb_pillar_file
touch $influxdb_pillar_file
}
mark_version() {
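Review bot: The new kratos pillar writes `" - '$KRATOSKEY'"` with no check that the variable is non-empty, and an empty expansion produces `- ''`, a syntactically valid list entry that the defaults merge would carry into kratos.yaml as an empty-string session secret; where KRATOSKEY is generated is outside this hunk, and kratos_pillar() itself begins before it. A one-line guard ahead of the printf would fail loudly instead: `[ -n "$KRATOSKEY" ] || { echo "KRATOSKEY is empty; refusing to write kratos pillar" >&2; exit 1; }`. I also do not see a permission change on `$kratos_pillar_file` here; since it now carries the session signing secret, it is worth confirming it is not created world-readable under the default umask, for example with `chmod 600 "$kratos_pillar_file"` after the write.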


@@ -84,7 +84,7 @@ mkdir -p $local_salt_dir/salt/firewall/hostgroups
mkdir -p $local_salt_dir/salt/firewall/portgroups
mkdir -p $local_salt_dir/salt/firewall/ports
for THEDIR in bpf pcap elasticsearch ntp firewall redis backup strelka sensoroni curator soc soctopus docker zeek suricata nginx telegraf filebeat logstash soc manager kratos idstools idh elastalert
for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni curator soc soctopus docker zeek suricata nginx telegraf filebeat logstash soc manager kratos idstools idh elastalert
do
mkdir -p $local_salt_dir/pillar/$THEDIR
touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
@@ -210,3 +210,9 @@ export telegraf_pillar_file
adv_telegraf_pillar_file="$local_salt_dir/pillar/telegraf/adv_telegraf.sls"
export adv_telegraf_pillar_file
influxdb_pillar_file="$local_salt_dir/pillar/influxdb/soc_influxdb.sls"
export influxdb_pillar_file
adv_influxdb_pillar_file="$local_salt_dir/pillar/influxdb/adv_influxdb.sls"
export adv_influxdb_pillar_file