diff --git a/salt/common/tools/sbin/so-cortex-user-add b/salt/common/tools/sbin/so-cortex-user-add index 5785a7f22..1fdada70d 100755 --- a/salt/common/tools/sbin/so-cortex-user-add +++ b/salt/common/tools/sbin/so-cortex-user-add @@ -31,7 +31,7 @@ fi USER=$1 CORTEX_KEY=$(lookup_pillar cortexkey) -CORTEX_IP=$(lookup_pillar managerip) +CORTEX_API_URL="$(lookup_pillar url_base)/cortex/api" CORTEX_ORG_NAME=$(lookup_pillar cortexorgname) CORTEX_USER=$USER @@ -43,7 +43,7 @@ fi read -rs CORTEX_PASS # Create new user in Cortex -resp=$(curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_IP/cortex/api/user" -d "{\"name\": \"$CORTEX_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_USER\",\"password\" : \"$CORTEX_PASS\" }") +resp=$(curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_API_URL/user" -d "{\"name\": \"$CORTEX_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_USER\",\"password\" : \"$CORTEX_PASS\" }") if [[ "$resp" =~ \"status\":\"Ok\" ]]; then echo "Successfully added user to Cortex." else diff --git a/salt/common/tools/sbin/so-cortex-user-enable b/salt/common/tools/sbin/so-cortex-user-enable index 5fded5c33..c67b358b2 100755 --- a/salt/common/tools/sbin/so-cortex-user-enable +++ b/salt/common/tools/sbin/so-cortex-user-enable @@ -31,7 +31,7 @@ fi USER=$1 CORTEX_KEY=$(lookup_pillar cortexkey) -CORTEX_IP=$(lookup_pillar managerip) +CORTEX_API_URL="$(lookup_pillar url_base)/cortex/api" CORTEX_USER=$USER case "${2^^}" in @@ -46,7 +46,7 @@ case "${2^^}" in ;; esac -resp=$(curl -sk -XPATCH -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_IP/cortex/api/user/${CORTEX_USER}" -d "{\"status\":\"${CORTEX_STATUS}\" }") +resp=$(curl -sk -XPATCH -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_API_URL/user/${CORTEX_USER}" -d "{\"status\":\"${CORTEX_STATUS}\" }") if [[ "$resp" =~ \"status\":\"Locked\" || "$resp" =~ \"status\":\"Ok\" ]]; then echo "Successfully updated user in Cortex." else diff --git a/salt/common/tools/sbin/so-thehive-user-add b/salt/common/tools/sbin/so-thehive-user-add index 2fb9e6d4b..03e670dde 100755 --- a/salt/common/tools/sbin/so-thehive-user-add +++ b/salt/common/tools/sbin/so-thehive-user-add @@ -31,7 +31,7 @@ fi USER=$1 THEHIVE_KEY=$(lookup_pillar hivekey) -THEHIVE_IP=$(lookup_pillar managerip) +THEHVIE_API_URL="$(lookup_pillar url_base)/thehive/api" THEHIVE_USER=$USER # Read password for new user from stdin @@ -47,7 +47,7 @@ if ! check_password "$THEHIVE_PASS"; then fi # Create new user in TheHive -resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -L "https://$THEHIVE_IP/thehive/api/user" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASS\"}") +resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -L "https://$THEHVIE_API_URL/user" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASS\"}") if [[ "$resp" =~ \"status\":\"Ok\" ]]; then echo "Successfully added user to TheHive" else diff --git a/salt/common/tools/sbin/so-thehive-user-enable b/salt/common/tools/sbin/so-thehive-user-enable index 714643a83..2f3d95a0f 100755 --- a/salt/common/tools/sbin/so-thehive-user-enable +++ b/salt/common/tools/sbin/so-thehive-user-enable @@ -31,7 +31,7 @@ fi USER=$1 THEHIVE_KEY=$(lookup_pillar hivekey) -THEHIVE_IP=$(lookup_pillar managerip) +THEHVIE_API_URL="$(lookup_pillar url_base)/thehive/api" THEHIVE_USER=$USER case "${2^^}" in @@ -46,7 +46,7 @@ case "${2^^}" in ;; esac -resp=$(curl -sk -XPATCH -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -L "https://$THEHIVE_IP/thehive/api/user/${THEHIVE_USER}" -d "{\"status\":\"${THEHIVE_STATUS}\" }") +resp=$(curl -sk -XPATCH -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -L "https://$THEHVIE_API_URL/user/${THEHIVE_USER}" -d "{\"status\":\"${THEHIVE_STATUS}\" }") if [[ "$resp" =~ \"status\":\"Locked\" || "$resp" =~ \"status\":\"Ok\" ]]; then echo "Successfully updated user in TheHive" else diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 6cc7427fc..73867a5c3 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -4,6 +4,7 @@ {% set main_ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} {%- endif %} +{%- set manager_ip = salt['pillar.get']('manager:mainip', '') %} {%- set url_base = salt['pillar.get']('global:url_base') %} {%- set fleet_manager = salt['pillar.get']('global:fleet_manager') %} @@ -61,7 +62,7 @@ http { {%- if role == 'fleet' %} grpc_pass grpcs://{{ main_ip }}:8080; {%- else %} - grpc_pass grpcs://{{ url_base }}:8080; + grpc_pass grpcs://{{ manager_ip }}:8080; {%- endif %} grpc_set_header Host $host; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -158,7 +159,7 @@ http { ssl_protocols TLSv1.2; location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ url_base }}:9822; + proxy_pass http://{{ manager_ip }}:9822; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -172,7 +173,7 @@ http { location / { auth_request /auth/sessions/whoami; - proxy_pass http://{{ url_base }}:9822/; + proxy_pass http://{{ manager_ip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -186,7 +187,7 @@ http { location ~ ^/auth/.*?(whoami|login|logout|settings) { rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ url_base }}:4433; + proxy_pass http://{{ manager_ip }}:4433; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -245,7 +246,7 @@ http { location /grafana/ { auth_request /auth/sessions/whoami; rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ url_base }}:3000/; + proxy_pass http://{{ manager_ip }}:3000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -258,7 +259,7 @@ http { location /kibana/ { auth_request /auth/sessions/whoami; rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ url_base }}:5601/; + proxy_pass http://{{ manager_ip }}:5601/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -269,7 +270,7 @@ http { } location /nodered/ { - proxy_pass http://{{ url_base }}:1880/; + proxy_pass http://{{ manager_ip }}:1880/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -282,7 +283,7 @@ http { } location /playbook/ { - proxy_pass http://{{ url_base }}:3200/playbook/; + proxy_pass http://{{ manager_ip }}:3200/playbook/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -301,7 +302,7 @@ http { {%- else %} location /fleet/ { - proxy_pass https://{{ url_base }}:8080; + proxy_pass https://{{ manager_ip }}:8080; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -314,7 +315,7 @@ http { {%- endif %} location /thehive/ { - proxy_pass http://{{ url_base }}:9000/thehive/; + proxy_pass http://{{ manager_ip }}:9000/thehive/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_http_version 1.1; # this is essential for chunked responses to work @@ -326,7 +327,7 @@ http { } location /cortex/ { - proxy_pass http://{{ url_base }}:9001/cortex/; + proxy_pass http://{{ manager_ip }}:9001/cortex/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_http_version 1.1; # this is essential for chunked responses to work @@ -338,7 +339,7 @@ http { } location /soctopus/ { - proxy_pass http://{{ url_base }}:7000/; + proxy_pass http://{{ manager_ip }}:7000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -364,7 +365,7 @@ http { if ($http_authorization = "") { return 403; } - proxy_pass http://{{ url_base }}:9822/; + proxy_pass http://{{ manager_ip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; diff --git a/salt/pcap/files/sensoroni.json b/salt/pcap/files/sensoroni.json index 4fd31b96d..8a9027bd0 100644 --- a/salt/pcap/files/sensoroni.json +++ b/salt/pcap/files/sensoroni.json @@ -1,4 +1,4 @@ -{%- set MANAGER = salt['grains.get']('master') -%} +{%- set URLBASE = salt['pillar.get']('global:url_base') %} {%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') -%} {%- set CHECKININTERVALMS = salt['pillar.get']('pcap:sensor_checkin_interval_ms', 10000) -%} { @@ -6,7 +6,7 @@ "logLevel":"info", "agent": { "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }}, - "serverUrl": "https://{{ MANAGER }}/sensoroniagents", + "serverUrl": "https://{{ URLBASE }}/sensoroniagents", "verifyCert": false, "modules": { "importer": {}, diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf index 1b2e5fd3d..29f31f95f 100644 --- a/salt/soctopus/files/SOCtopus.conf +++ b/salt/soctopus/files/SOCtopus.conf @@ -1,4 +1,5 @@ {%- set MANAGER = salt['pillar.get']('global:url_base', '') %} +{%- set URLBASE = salt['pillar.get']('global:url_base', '') %} {%- set HIVEKEY = salt['pillar.get']('global:hivekey', '') %} {%- set CORTEXKEY = salt['pillar.get']('global:cortexorguserkey', '') %} {%- set PLAYBOOK_KEY = salt['pillar.get']('playbook:api_key', '') %} @@ -14,7 +15,7 @@ es_verifycert = no [cortex] auto_analyze_alerts = no -cortex_url = https://{{MANAGER}}/cortex/ +cortex_url = https://{{URLBASE}}/cortex/ cortex_key = {{ CORTEXKEY }} supported_analyzers = Urlscan_io_Search,CERTatPassiveDNS @@ -35,7 +36,7 @@ grr_user = YOURGRRUSER grr_pass = YOURGRRPASS [hive] -hive_url = https://{{MANAGER}}/thehive/ +hive_url = https://{{URLBASE}}/thehive/ hive_key = {{ HIVEKEY }} hive_tlp = 3 hive_verifycert = no @@ -66,7 +67,7 @@ soc_url = http://{{MANAGER}}:9822 [playbook] playbook_url = http://{{MANAGER}}:3200/playbook -playbook_ext_url = https://{{MANAGER}}/playbook +playbook_ext_url = https://{{URLBASE}}/playbook playbook_key = {{ PLAYBOOK_KEY }} playbook_verifycert = no playbook_unit_test_index = playbook-testing diff --git a/salt/thehive/scripts/cortex_init b/salt/thehive/scripts/cortex_init index d358b8dd4..beade9c4b 100644 --- a/salt/thehive/scripts/cortex_init +++ b/salt/thehive/scripts/cortex_init @@ -1,5 +1,5 @@ #!/bin/bash -# {%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} +# {%- set URLBASE = salt['pillar.get']('global:url_base', '') %} # {%- set CORTEXUSER = salt['pillar.get']('global:cortexuser', 'cortexadmin') %} # {%- set CORTEXPASSWORD = salt['pillar.get']('global:cortexpassword', 'cortexchangeme') %} # {%- set CORTEXKEY = salt['pillar.get']('global:cortexkey', '') %} @@ -17,7 +17,7 @@ cortex_clean(){ cortex_init(){ sleep 60 - CORTEX_IP="{{MANAGERIP}}" + CORTEX_API_URL="{{URLBASE}}/cortex/api" CORTEX_USER="{{CORTEXUSER}}" CORTEX_PASSWORD="{{CORTEXPASSWORD}}" CORTEX_KEY="{{CORTEXKEY}}" @@ -29,31 +29,30 @@ cortex_init(){ # Migrate DB - curl -v -k -XPOST -L "https://$CORTEX_IP:/cortex/api/maintenance/migrate" + curl -v -k -XPOST -L "https://$CORTEX_API_URL/maintenance/migrate" # Create intial Cortex superadmin - curl -v -k -L "https://$CORTEX_IP/cortex/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$CORTEX_USER\",\"name\" : \"$CORTEX_USER\",\"roles\" : [\"superadmin\"],\"preferences\" : \"{}\",\"password\" : \"$CORTEX_PASSWORD\", \"key\": \"$CORTEX_KEY\"}" + curl -v -k -L "https://$CORTEX_API_URL/user" -H "Content-Type: application/json" -d "{\"login\" : \"$CORTEX_USER\",\"name\" : \"$CORTEX_USER\",\"roles\" : [\"superadmin\"],\"preferences\" : \"{}\",\"password\" : \"$CORTEX_PASSWORD\", \"key\": \"$CORTEX_KEY\"}" # Create user-supplied org - curl -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_IP/cortex/api/organization" -d "{ \"name\": \"$CORTEX_ORG_NAME\",\"description\": \"$CORTEX_ORG_DESC\",\"status\": \"Active\"}" + curl -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_API_URL/organization" -d "{ \"name\": \"$CORTEX_ORG_NAME\",\"description\": \"$CORTEX_ORG_DESC\",\"status\": \"Active\"}" # Create user-supplied org user - curl -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_IP/cortex/api/user" -d "{\"name\": \"$CORTEX_ORG_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_ORG_USER\",\"key\": \"$CORTEX_ORG_USER_KEY\" }" + curl -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_API_URL/user" -d "{\"name\": \"$CORTEX_ORG_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_ORG_USER\",\"key\": \"$CORTEX_ORG_USER_KEY\" }" # Enable URLScan.io Analyzer - curl -v -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_IP/cortex/api/organization/analyzer/Urlscan_io_Search_0_1_0" -d '{"name":"Urlscan_io_Search_0_1_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2}}' + curl -v -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_API_URL/organization/analyzer/Urlscan_io_Search_0_1_0" -d '{"name":"Urlscan_io_Search_0_1_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2}}' # Enable Cert PassiveDNS Analyzer - curl -v -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_IP/cortex/api/organization/analyzer/CERTatPassiveDNS_2_0" -d '{"name":"CERTatPassiveDNS_2_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2, "limit": 100}}' + curl -v -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_API_URL/organization/analyzer/CERTatPassiveDNS_2_0" -d '{"name":"CERTatPassiveDNS_2_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2, "limit": 100}}' # Revoke $CORTEX_USER key - curl -k -XDELETE -H "Authorization: Bearer $CORTEX_KEY" -L "https:///$CORTEX_IP/api/user/$CORTEX_USER/key" + curl -k -XDELETE -H "Authorization: Bearer $CORTEX_KEY" -L "https://$CORTEX_API_URL/user/$CORTEX_USER/key" # Update SOCtopus config with apikey value #sed -i "s/cortex_key = .*/cortex_key = $CORTEX_KEY/" $SOCTOPUS_CONFIG touch /opt/so/state/cortex.txt - } if [ -f /opt/so/state/cortex.txt ]; then @@ -61,7 +60,7 @@ if [ -f /opt/so/state/cortex.txt ]; then exit 0 else rm -f garbage_file - while ! wget -O garbage_file {{MANAGERIP}}:9500 2>/dev/null + while ! wget -O garbage_file {{URLBASE}}:9500 2>/dev/null do echo "Waiting for Elasticsearch..." rm -f garbage_file diff --git a/salt/thehive/scripts/hive_init b/salt/thehive/scripts/hive_init index f47f60b0a..51eefeac8 100755 --- a/salt/thehive/scripts/hive_init +++ b/salt/thehive/scripts/hive_init @@ -1,5 +1,6 @@ #!/bin/bash # {%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} +# {%- set URLBASE = salt['pillar.get']('global:url_base', '') %} # {%- set THEHIVEUSER = salt['pillar.get']('global:hiveuser', 'hiveadmin') %} # {%- set THEHIVEPASSWORD = salt['pillar.get']('global:hivepassword', 'hivechangeme') %} # {%- set THEHIVEKEY = salt['pillar.get']('global:hivekey', '') %} @@ -11,7 +12,8 @@ thehive_clean(){ thehive_init(){ sleep 120 - THEHIVE_IP="{{MANAGERIP}}" + THEHIVE_URL="{{URLBASE}}/thehive" + THEHIVE_API_URL="$THEHIVE_URL/api" THEHIVE_USER="{{THEHIVEUSER}}" THEHIVE_PASSWORD="{{THEHIVEPASSWORD}}" THEHIVE_KEY="{{THEHIVEKEY}}" @@ -21,7 +23,7 @@ thehive_init(){ COUNT=0 THEHIVE_CONNECTED="no" while [[ "$COUNT" -le 240 ]]; do - curl --output /dev/null --silent --head --fail -k "https://$THEHIVE_IP/thehive" + curl --output /dev/null --silent --head --fail -k "https://$THEHIVE_URL" if [ $? -eq 0 ]; then THEHIVE_CONNECTED="yes" echo "connected!" @@ -36,15 +38,15 @@ thehive_init(){ if [ "$THEHIVE_CONNECTED" == "yes" ]; then # Migrate DB - curl -v -k -XPOST -L "https://$THEHIVE_IP:/thehive/api/maintenance/migrate" + curl -v -k -XPOST -L "https://$THEHIVE_API_URL/maintenance/migrate" # Create intial TheHive user - curl -v -k -L "https://$THEHIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASSWORD\", \"key\": \"$THEHIVE_KEY\"}" + curl -v -k -L "https://$THEHIVE_API_URL/user" -H "Content-Type: application/json" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASSWORD\", \"key\": \"$THEHIVE_KEY\"}" # Pre-load custom fields # # reputation - curl -v -k -L "https://$THEHIVE_IP/thehive/api/list/custom_fields" -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -d "{\"value\":{\"name\": \"reputation\", \"reference\": \"reputation\", \"description\": \"This field provides an overall reputation status for an address/domain.\", \"type\": \"string\", \"options\": []}}" + curl -v -k -L "https://$THEHIVE_API_URL/list/custom_fields" -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -d "{\"value\":{\"name\": \"reputation\", \"reference\": \"reputation\", \"description\": \"This field provides an overall reputation status for an address/domain.\", \"type\": \"string\", \"options\": []}}" touch /opt/so/state/thehive.txt