diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja
index fa74b3751..949fa5951 100644
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -235,7 +235,7 @@
 {% do allowed_states.append('kibana.secrets') %}
 {% endif %}
- {% if grains.role in ['so-eval', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-manager'] %}
+ {% if grains.role in ['so-eval', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-manager'] %}
 {% do allowed_states.append('curator') %}
 {% endif %}
diff --git a/salt/backup/config_backup.sls b/salt/backup/config_backup.sls
new file mode 100644
index 000000000..5c4125ceb
--- /dev/null
+++ b/salt/backup/config_backup.sls
@@ -0,0 +1,32 @@
+{% from 'backup/map.jinja' import BACKUP_MERGED %}
+
+# Lock permissions on the backup directory
+backupdir:
+ file.directory:
+ - name: /nsm/backup
+ - user: 0
+ - group: 0
+ - makedirs: True
+ - mode: 700
+
+config_backup_script:
+ file.managed:
+ - name: /usr/sbin/so-config-backup
+ - user: root
+ - group: root
+ - file_mode: 755
+ - template: jinja
+ - source: salt://backup/tools/sbin
+ - defaults:
+ BACKUPLOCATIONS: {{ BACKUP_MERGED.locations }}
+
+# Add config backup
+so_config_backup:
+ cron.present:
+ - name: /usr/sbin/so-config-backup > /dev/null 2>&1
+ - user: root
+ - minute: '1'
+ - hour: '0'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
diff --git a/salt/backup/defaults.yaml b/salt/backup/defaults.yaml
new file mode 100644
index 000000000..f994eac29
--- /dev/null
+++ b/salt/backup/defaults.yaml
@@ -0,0 +1,3 @@
+backup:
+ locations:
+ - /opt/so/saltstack/local
diff --git a/salt/backup/map.jinja b/salt/backup/map.jinja
new file mode 100644
index 000000000..2a7724ff4
--- /dev/null
+++ b/salt/backup/map.jinja
@@ -0,0 +1,2 @@
+{% import_yaml 'backup/defaults.yaml' as BACKUP_DEFAULTS %}
+{% set BACKUP_MERGED = salt['pillar.get']('backup', BACKUP_DEFAULTS, merge=true, merge_nested_lists=true) %}
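Review bot: In `config_backup_script`, `- source: salt://backup/tools/sbin` names the directory, while the renamed script is at `salt/backup/tools/sbin/so-config-backup` (see the rename header that follows), so file.managed cannot fetch it; it should read `- source: salt://backup/tools/sbin/so-config-backup`. The permission is given as `- file_mode: 755`, but file.managed's argument is `mode` (as `so-status_script` in common/init.sls uses) and `file_mode` belongs to file.directory/file.recurse, so it is most likely ignored and the script lands non-executable, which silently breaks the cron job. The cron.present state is also re-keyed from the command string to `so_config_backup` without an `identifier`; Salt tracks cron lines by identifier, which defaults to the state ID, so on an upgraded host the entry written under the old ID is probably not matched and a second job is added. The same re-keying happens for `sostatus_check_cron` and `so_raid_status` in common/init.sls; adding `- identifier:` set to the old command string, or a cron.absent for the old line, would avoid duplicates.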
diff --git a/salt/common/tools/sbin/so-config-backup b/salt/backup/tools/sbin/so-config-backup
similarity index 95%
rename from salt/common/tools/sbin/so-config-backup
rename to salt/backup/tools/sbin/so-config-backup
index 3a84d9ee8..b808bd350 100755
--- a/salt/common/tools/sbin/so-config-backup
+++ b/salt/backup/tools/sbin/so-config-backup
@@ -6,7 +6,6 @@
 # Elastic License 2.0.
 . /usr/sbin/so-common
-{% set BACKUPLOCATIONS = salt['pillar.get']('backup:locations', {}) %}
 TODAY=$(date '+%Y_%m_%d')
 BACKUPFILE="/nsm/backup/so-config-backup-$TODAY.tar"
diff --git a/salt/common/init.sls b/salt/common/init.sls
index 4bf779e2b..5bb1051b6 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,12 +1,12 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
-{% set role = grains.id.split('_') | last %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
 include:
 - common.soup_scripts
 - common.packages
-{% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
+{% if GLOBALS.role in GLOBALS.manager_roles %}
 - manager.elasticsearch # needed for elastic_curl_config state
 {% endif %}
@@ -104,7 +104,7 @@ elastic_curl_config:
 - mode: 600
 - show_changes: False
 - makedirs: True
- {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
+ {% if GLOBALS.role in GLOBALS.manager_roles %}
 - require:
 - file: elastic_curl_config_distributed
 {% endif %}
@@ -131,7 +131,7 @@ so-status_script:
 - source: salt://common/tools/sbin/so-status
 - mode: 755
-{% if role in ['eval', 'standalone', 'sensor', 'heavynode'] %}
+{% if GLOBALS.role in GLOBALS.sensor_roles %}
 # Add sensor cleanup
 /usr/sbin/so-sensor-clean:
 cron.present:
@@ -208,8 +208,9 @@ common_pip_dependencies:
 - target: /usr/lib64/python3.6/site-packages
 # Install sostatus check cron
-'/usr/sbin/so-status -j > /opt/so/log/sostatus/status.log 2>&1':
+sostatus_check_cron:
 cron.present:
+ - name: '/usr/sbin/so-status -j > /opt/so/log/sostatus/status.log 2>&1'
 - user: root
 - minute: '*/1'
 - hour: '*'
@@ -217,36 +218,8 @@ common_pip_dependencies:
 - month: '*'
 - dayweek: '*'
-{% if role in ['eval', 'manager', 'managersearch', 'standalone'] %}
-# Install cron job to determine size of influxdb for telegraf
-'du -s -k /nsm/influxdb | cut -f1 > /opt/so/log/telegraf/influxdb_size.log 2>&1':
- cron.present:
- - user: root
- - minute: '*/1'
- - hour: '*'
- - daymonth: '*'
- - month: '*'
- - dayweek: '*'
-
-# Lock permissions on the backup directory
-backupdir:
- file.directory:
- - name: /nsm/backup
- - user: 0
- - group: 0
- - makedirs: True
- - mode: 700
-
-# Add config backup
-/usr/sbin/so-config-backup > /dev/null 2>&1:
- cron.present:
- - user: root
- - minute: '1'
- - hour: '0'
- - daymonth: '*'
- - month: '*'
- - dayweek: '*'
-{% else %}
+{% if GLOBALS.role not in ['eval', 'manager', 'managersearch', 'standalone'] %}
+
 soversionfile:
 file.managed:
 - name: /etc/soversion
@@ -256,8 +229,8 @@ soversionfile:
 {% endif %}
-{% if salt['grains.get']('sosmodel', '') %}
- {% if grains['os'] == 'CentOS' %}
+{% if GLOBALS.so_model %}
+ {% if GLOBALS.os == 'CentOS' %}
 # Install Raid tools
 raidpkgs:
 pkg.installed:
@@ -268,8 +241,9 @@ raidpkgs:
 {% endif %}
 # Install raid check cron
-/usr/sbin/so-raid-status > /dev/null 2>&1:
+so_raid_status:
 cron.present:
+ - name: '/usr/sbin/so-raid-status > /dev/null 2>&1'
 - user: root
 - minute: '*/15'
 - hour: '*'
diff --git a/salt/common/packages.sls b/salt/common/packages.sls
index c6dfe8f7b..d3e158cc2 100644
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
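Review bot: The new guard in the -217 hunk, `{% if GLOBALS.role not in ['eval', 'manager', 'managersearch', 'standalone'] %}`, keeps the short role names that the removed `role = grains.id.split('_') | last` produced, while every other hunk in this file compares `GLOBALS.role` against `GLOBALS.manager_roles` / `GLOBALS.sensor_roles` and allowed_states.map.jinja compares roles as `so-eval`, `so-manager`, etc. If GLOBALS.role carries the `so-` prefix, this list never matches and `soversionfile` is now managed on manager nodes as well. Unless GLOBALS.role is known to be unprefixed, `{% if GLOBALS.role not in GLOBALS.manager_roles %}` would keep the check consistent with the rest of the file; if manager_roles includes roles the old list did not (e.g. import), that difference should be deliberate. The enclosing `{% if sls in allowed_states %}` block starts and ends outside this hunk.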
@@ -1,4 +1,6 @@
-{% if grains['os'] != 'CentOS' %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+{% if GLOBALS.os != 'CentOS' %}
 commonpkgs:
 pkg.installed:
 - skip_suggestions: True
@@ -23,8 +25,6 @@ commonpkgs:
 - git
 - vim-enhanced
 - python3-docker
-
-
 {% else %}
 commonpkgs:
 pkg.installed:
@@ -57,5 +57,4 @@ commonpkgs:
 - git
 - vim-enhanced
 - yum-plugin-versionlock
-
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/salt/cron/dead.sls b/salt/cron/dead.sls
index 8ddb79cbf..5e3662da9 100644
--- a/salt/cron/dead.sls
+++ b/salt/cron/dead.sls
@@ -1,4 +1,4 @@
-{% from "cron/map.jinja" import cronmap with context %}
+{% from "cron/map.jinja" import cronmap %}
 crond_service:
 service.dead:
diff --git a/salt/cron/running.sls b/salt/cron/running.sls
index bcd5e7ef9..462b22e9a 100644
--- a/salt/cron/running.sls
+++ b/salt/cron/running.sls
@@ -1,4 +1,4 @@
-{% from "cron/map.jinja" import cronmap with context %}
+{% from "cron/map.jinja" import cronmap %}
 crond_service:
 service.running:
diff --git a/salt/curator/files/action/delete.yml b/salt/curator/files/action/delete.yml
index 1a4afaabf..ae757f06a 100644
--- a/salt/curator/files/action/delete.yml
+++ b/salt/curator/files/action/delete.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit', '') -%}
+{%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit') -%}
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-aws-close.yml b/salt/curator/files/action/so-aws-close.yml
index 1bf9bfe81..568579d67 100644
--- a/salt/curator/files/action/so-aws-close.yml
+++ b/salt/curator/files/action/so-aws-close.yml
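Review bot: Dropping the fallback argument in `salt['pillar.get']('elasticsearch:log_size_limit')` means a missing pillar key now renders as `None` into the curator action instead of the previous `''`, and the same applies to every `so-*-close`, `so-*-delete` and `so-*-warm` action file in the rest of this diff, where the 30/365/7-day fallbacks are removed. Curator rejects a non-integer `unit_count`, so the practical effect of an unset key is that the close/delete/warm action stops running and retention is no longer enforced, which on a log node means disk growth until something else fails. If these defaults now come from a merged defaults file (as backup/map.jinja does for `backup`), a one-line comment above the `set`, e.g. `{#- default supplied by the elasticsearch defaults map; no fallback here on purpose -#}`, would make that dependency visible; otherwise the fallbacks should stay.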
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-aws:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-aws:close') -%}
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-aws-delete.yml b/salt/curator/files/action/so-aws-delete.yml
index 82d29a9f0..b93f2b14d 100644
--- a/salt/curator/files/action/so-aws-delete.yml
+++ b/salt/curator/files/action/so-aws-delete.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:delete') -%}
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-aws-warm.yml b/salt/curator/files/action/so-aws-warm.yml
index 90d5e11f9..a4608f0bf 100644
--- a/salt/curator/files/action/so-aws-warm.yml
+++ b/salt/curator/files/action/so-aws-warm.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:warm') -%}
 actions:
 1:
 action: allocation
diff --git a/salt/curator/files/action/so-azure-close.yml b/salt/curator/files/action/so-azure-close.yml
index 74d799c55..a49825266 100644
--- a/salt/curator/files/action/so-azure-close.yml
+++ b/salt/curator/files/action/so-azure-close.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-azure:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-azure:close') -%}
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-azure-delete.yml b/salt/curator/files/action/so-azure-delete.yml
index a736eadc0..062388c0e 100644
--- a/salt/curator/files/action/so-azure-delete.yml
+++ b/salt/curator/files/action/so-azure-delete.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-azure:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-azure:delete') -%}
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-azure-warm.yml b/salt/curator/files/action/so-azure-warm.yml
index 63fb42f33..aaac2fc03 100644
--- a/salt/curator/files/action/so-azure-warm.yml
+++ b/salt/curator/files/action/so-azure-warm.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-azure:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-azure:warm') -%}
 actions:
 1:
 action: allocation
diff --git a/salt/curator/files/action/so-barracuda-close.yml b/salt/curator/files/action/so-barracuda-close.yml
index 6249cdde6..35032bc56 100644
--- a/salt/curator/files/action/so-barracuda-close.yml
+++ b/salt/curator/files/action/so-barracuda-close.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:close') -%}
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-barracuda-delete.yml b/salt/curator/files/action/so-barracuda-delete.yml
index cb7231836..bf8e7638f 100644
--- a/salt/curator/files/action/so-barracuda-delete.yml
+++ b/salt/curator/files/action/so-barracuda-delete.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:delete') -%}
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-barracuda-warm.yml b/salt/curator/files/action/so-barracuda-warm.yml
index 6cb5f1641..d61cbce61 100644
--- a/salt/curator/files/action/so-barracuda-warm.yml
+++ b/salt/curator/files/action/so-barracuda-warm.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:warm') -%}
 actions:
 1:
 action: allocation
diff --git a/salt/curator/files/action/so-beats-close.yml b/salt/curator/files/action/so-beats-close.yml
index 594767b28..bcd138c38 100644
--- a/salt/curator/files/action/so-beats-close.yml
+++ b/salt/curator/files/action/so-beats-close.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-beats:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-beats:close') -%}
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-beats-delete.yml b/salt/curator/files/action/so-beats-delete.yml
index 88e8b8bd4..fa072c1e2 100644
--- a/salt/curator/files/action/so-beats-delete.yml
+++ b/salt/curator/files/action/so-beats-delete.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-beats:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-beats:delete') -%}
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-beats-warm.yml b/salt/curator/files/action/so-beats-warm.yml
index 9cbd49b15..ae733ce3b 100644
--- a/salt/curator/files/action/so-beats-warm.yml
+++ b/salt/curator/files/action/so-beats-warm.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-beats:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-beats:warm') -%}
 actions:
 1:
 action: allocation
diff --git a/salt/curator/files/action/so-bluecoat-close.yml b/salt/curator/files/action/so-bluecoat-close.yml
index 213ebd8b0..349a21a27 100644
--- a/salt/curator/files/action/so-bluecoat-close.yml
+++ b/salt/curator/files/action/so-bluecoat-close.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:close') -%}
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-bluecoat-delete.yml b/salt/curator/files/action/so-bluecoat-delete.yml
index 23e9724a0..c2aad1419 100644
--- a/salt/curator/files/action/so-bluecoat-delete.yml
+++ b/salt/curator/files/action/so-bluecoat-delete.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:delete') -%}
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-bluecoat-warm.yml b/salt/curator/files/action/so-bluecoat-warm.yml
index a61009380..b50f0db0b 100644
--- a/salt/curator/files/action/so-bluecoat-warm.yml
+++ b/salt/curator/files/action/so-bluecoat-warm.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:warm') -%}
 actions:
 1:
 action: allocation
diff --git a/salt/curator/files/action/so-cef-close.yml b/salt/curator/files/action/so-cef-close.yml
index 994f20308..57bcb3a2a 100644
--- a/salt/curator/files/action/so-cef-close.yml
+++ b/salt/curator/files/action/so-cef-close.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cef:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cef:close') -%}
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-cef-delete.yml b/salt/curator/files/action/so-cef-delete.yml
index eb3038514..3bda2246f 100644
--- a/salt/curator/files/action/so-cef-delete.yml
+++ b/salt/curator/files/action/so-cef-delete.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cef:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cef:delete') -%}
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-cef-warm.yml b/salt/curator/files/action/so-cef-warm.yml
index 59d3c1c8d..b2143c1ce 100644
--- a/salt/curator/files/action/so-cef-warm.yml
+++ b/salt/curator/files/action/so-cef-warm.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cef:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cef:warm') -%}
 actions:
 1:
 action: allocation
diff --git a/salt/curator/files/action/so-checkpoint-close.yml b/salt/curator/files/action/so-checkpoint-close.yml
index 12be685f5..938eaf25f 100644
--- a/salt/curator/files/action/so-checkpoint-close.yml
+++ b/salt/curator/files/action/so-checkpoint-close.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:close') -%}
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-checkpoint-delete.yml b/salt/curator/files/action/so-checkpoint-delete.yml
index 31ce55f49..d0048162d 100644
--- a/salt/curator/files/action/so-checkpoint-delete.yml
+++ b/salt/curator/files/action/so-checkpoint-delete.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:delete') -%}
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-checkpoint-warm.yml b/salt/curator/files/action/so-checkpoint-warm.yml
index db0754e7a..a66335593 100644
--- a/salt/curator/files/action/so-checkpoint-warm.yml
+++ b/salt/curator/files/action/so-checkpoint-warm.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:warm') -%}
 actions:
 1:
 action: allocation
diff --git a/salt/curator/files/action/so-cisco-close.yml b/salt/curator/files/action/so-cisco-close.yml
index f958d9450..a097e466d 100644
--- a/salt/curator/files/action/so-cisco-close.yml
+++ b/salt/curator/files/action/so-cisco-close.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cisco:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cisco:close') -%}
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-cisco-delete.yml b/salt/curator/files/action/so-cisco-delete.yml
index 4e5697ebe..0cb98a634 100644
--- a/salt/curator/files/action/so-cisco-delete.yml
+++ b/salt/curator/files/action/so-cisco-delete.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:delete') -%}
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-cisco-warm.yml b/salt/curator/files/action/so-cisco-warm.yml
index 0f80f0547..5240f401b 100644
--- a/salt/curator/files/action/so-cisco-warm.yml
+++ b/salt/curator/files/action/so-cisco-warm.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:warm') -%}
 actions:
 1:
 action: allocation
diff --git a/salt/curator/files/action/so-cyberark-close.yml b/salt/curator/files/action/so-cyberark-close.yml
index 35bda7814..deb0dd869 100644
--- a/salt/curator/files/action/so-cyberark-close.yml
+++ b/salt/curator/files/action/so-cyberark-close.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:close') -%}
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-cyberark-delete.yml b/salt/curator/files/action/so-cyberark-delete.yml
index 61b157ff6..1fbf83f44 100644
--- a/salt/curator/files/action/so-cyberark-delete.yml
+++ b/salt/curator/files/action/so-cyberark-delete.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:delete') -%}
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-cyberark-warm.yml b/salt/curator/files/action/so-cyberark-warm.yml
index a361a6bd9..3e8ef7ec2 100644
--- a/salt/curator/files/action/so-cyberark-warm.yml
+++ b/salt/curator/files/action/so-cyberark-warm.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:warm') -%}
 actions:
 1:
 action: allocation
diff --git a/salt/curator/files/action/so-cylance-close.yml b/salt/curator/files/action/so-cylance-close.yml
index c031753eb..064c5f02a 100644
--- a/salt/curator/files/action/so-cylance-close.yml
+++ b/salt/curator/files/action/so-cylance-close.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cylance:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cylance:close') -%}
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-cylance-delete.yml b/salt/curator/files/action/so-cylance-delete.yml
index 579ec7f68..42df1877b 100644
--- a/salt/curator/files/action/so-cylance-delete.yml
+++ b/salt/curator/files/action/so-cylance-delete.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:delete') -%}
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-cylance-warm.yml b/salt/curator/files/action/so-cylance-warm.yml
index e27185cf0..97e94c49e 100644
--- a/salt/curator/files/action/so-cylance-warm.yml
+++ b/salt/curator/files/action/so-cylance-warm.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:warm') -%}
 actions:
 1:
 action: allocation
diff --git a/salt/curator/files/action/so-elasticsearch-close.yml b/salt/curator/files/action/so-elasticsearch-close.yml
index 3ee9372cc..517972ea6 100644
--- a/salt/curator/files/action/so-elasticsearch-close.yml
+++ b/salt/curator/files/action/so-elasticsearch-close.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:close') -%}
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-elasticsearch-delete.yml b/salt/curator/files/action/so-elasticsearch-delete.yml
index e2071ff3a..805d86c85 100644
--- a/salt/curator/files/action/so-elasticsearch-delete.yml
+++ b/salt/curator/files/action/so-elasticsearch-delete.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:delete') -%}
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-elasticsearch-warm.yml b/salt/curator/files/action/so-elasticsearch-warm.yml
index 05a6a5e85..dc844ccba 100644
--- a/salt/curator/files/action/so-elasticsearch-warm.yml
+++ b/salt/curator/files/action/so-elasticsearch-warm.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:warm') -%}
 actions:
 1:
 action: allocation
diff --git a/salt/curator/files/action/so-endgame-close.yml b/salt/curator/files/action/so-endgame-close.yml
index 248638e6c..92de8afe8 100644
--- a/salt/curator/files/action/so-endgame-close.yml
+++ b/salt/curator/files/action/so-endgame-close.yml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-endgame:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-endgame:close') -%}
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-endgame-delete.yml b/salt/curator/files/action/so-endgame-delete.yml
index ce16c4d87..bd208da1d 100644
--- a/salt/curator/files/action/so-endgame-delete.yml
+++ b/salt/curator/files/action/so-endgame-delete.yml
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:delete') -%}
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-endgame-warm.yml b/salt/curator/files/action/so-endgame-warm.yml
index d6b3c6fc2..5c9cd8268 100644
--- a/salt/curator/files/action/so-endgame-warm.yml
+++ b/salt/curator/files/action/so-endgame-warm.yml
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:warm') -%}
 actions:
 1:
 action: allocation
diff --git a/salt/curator/files/action/so-f5-close.yml b/salt/curator/files/action/so-f5-close.yml
index 33d856a4d..a7d3f14c7 100644
--- a/salt/curator/files/action/so-f5-close.yml
+++ b/salt/curator/files/action/so-f5-close.yml
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-f5:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-f5:close') -%}
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-f5-delete.yml b/salt/curator/files/action/so-f5-delete.yml
index 566fbfb5f..e696922e5 100644
--- a/salt/curator/files/action/so-f5-delete.yml
+++ b/salt/curator/files/action/so-f5-delete.yml
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-f5:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-f5:delete') -%}
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-f5-warm.yml b/salt/curator/files/action/so-f5-warm.yml
index 92e3a02f9..ed3453321 100644
--- a/salt/curator/files/action/so-f5-warm.yml
+++ b/salt/curator/files/action/so-f5-warm.yml
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-f5:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-f5:warm') -%}
 actions:
 1:
 action: allocation
diff --git a/salt/curator/files/action/so-firewall-close.yml b/salt/curator/files/action/so-firewall-close.yml
index 4b8dd0121..dccf7068b 100644
--- a/salt/curator/files/action/so-firewall-close.yml
+++ b/salt/curator/files/action/so-firewall-close.yml
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-firewall:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-firewall:close') -%}
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-firewall-delete.yml b/salt/curator/files/action/so-firewall-delete.yml
index 8b6f6f45f..fff3315b9 100644
--- a/salt/curator/files/action/so-firewall-delete.yml
+++ b/salt/curator/files/action/so-firewall-delete.yml
@@ -4,7 +4,7 @@ # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-firewall-warm.yml b/salt/curator/files/action/so-firewall-warm.yml index 727983618..a882f34ab 100644 --- a/salt/curator/files/action/so-firewall-warm.yml +++ b/salt/curator/files/action/so-firewall-warm.yml @@ -4,7 +4,7 @@ # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-fortinet-close.yml b/salt/curator/files/action/so-fortinet-close.yml index 067a5b412..7218e83a2 100644 --- a/salt/curator/files/action/so-fortinet-close.yml +++ b/salt/curator/files/action/so-fortinet-close.yml @@ -4,7 +4,7 @@ # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-fortinet-delete.yml b/salt/curator/files/action/so-fortinet-delete.yml index cf18f7513..707ef5da5 100644 --- a/salt/curator/files/action/so-fortinet-delete.yml +++ b/salt/curator/files/action/so-fortinet-delete.yml @@ -4,7 +4,7 @@ # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-fortinet-warm.yml b/salt/curator/files/action/so-fortinet-warm.yml index e65e9cc5b..4b0959022 100644 
--- a/salt/curator/files/action/so-fortinet-warm.yml +++ b/salt/curator/files/action/so-fortinet-warm.yml @@ -4,7 +4,7 @@ # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-gcp-close.yml b/salt/curator/files/action/so-gcp-close.yml index 9dd783f63..1541f9076 100644 --- a/salt/curator/files/action/so-gcp-close.yml +++ b/salt/curator/files/action/so-gcp-close.yml @@ -4,7 +4,7 @@ # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-gcp:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-gcp:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-gcp-delete.yml b/salt/curator/files/action/so-gcp-delete.yml index 799d624fb..d7d463332 100644 --- a/salt/curator/files/action/so-gcp-delete.yml +++ b/salt/curator/files/action/so-gcp-delete.yml @@ -4,7 +4,7 @@ # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-gcp-warm.yml b/salt/curator/files/action/so-gcp-warm.yml index aba256c69..52ec004f7 100644 --- a/salt/curator/files/action/so-gcp-warm.yml +++ b/salt/curator/files/action/so-gcp-warm.yml @@ -4,7 +4,7 @@ # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-google_workspace-close.yml b/salt/curator/files/action/so-google_workspace-close.yml index 6aac7f2e0..00b44e1e1 100644 
--- a/salt/curator/files/action/so-google_workspace-close.yml +++ b/salt/curator/files/action/so-google_workspace-close.yml @@ -4,7 +4,7 @@ # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-google_workspace-delete.yml b/salt/curator/files/action/so-google_workspace-delete.yml index 5d26648b8..ca8a7571a 100644 --- a/salt/curator/files/action/so-google_workspace-delete.yml +++ b/salt/curator/files/action/so-google_workspace-delete.yml @@ -4,7 +4,7 @@ # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-google_workspace-warm.yml b/salt/curator/files/action/so-google_workspace-warm.yml index ddb5cf58c..94f9d8bd5 100644 --- a/salt/curator/files/action/so-google_workspace-warm.yml +++ b/salt/curator/files/action/so-google_workspace-warm.yml @@ -4,7 +4,7 @@ # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-ids-close.yml b/salt/curator/files/action/so-ids-close.yml index a38acbf98..e7ea3f073 100644 --- a/salt/curator/files/action/so-ids-close.yml +++ b/salt/curator/files/action/so-ids-close.yml 
@@ -4,7 +4,7 @@ # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-ids:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-ids:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-ids-delete.yml b/salt/curator/files/action/so-ids-delete.yml index fd7b5c79f..f5748d08d 100644 --- a/salt/curator/files/action/so-ids-delete.yml +++ b/salt/curator/files/action/so-ids-delete.yml @@ -4,7 +4,7 @@ # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ids:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ids:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-ids-warm.yml b/salt/curator/files/action/so-ids-warm.yml index 01271f226..e79621e72 100644 --- a/salt/curator/files/action/so-ids-warm.yml +++ b/salt/curator/files/action/so-ids-warm.yml @@ -4,7 +4,7 @@ # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ids:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ids:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-imperva-close.yml b/salt/curator/files/action/so-imperva-close.yml index 420b03b29..74b5c47e6 100644 --- a/salt/curator/files/action/so-imperva-close.yml +++ b/salt/curator/files/action/so-imperva-close.yml @@ -4,7 +4,7 @@ # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-imperva:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-imperva:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-imperva-delete.yml b/salt/curator/files/action/so-imperva-delete.yml index 7c7fe40ac..08e781e95 100644 --- a/salt/curator/files/action/so-imperva-delete.yml 
+++ b/salt/curator/files/action/so-imperva-delete.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-imperva-warm.yml b/salt/curator/files/action/so-imperva-warm.yml index 3b4130b86..220ef1fe6 100644 --- a/salt/curator/files/action/so-imperva-warm.yml +++ b/salt/curator/files/action/so-imperva-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-import-close.yml b/salt/curator/files/action/so-import-close.yml index 9debb2928..e851798e8 100644 --- a/salt/curator/files/action/so-import-close.yml +++ b/salt/curator/files/action/so-import-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-import:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-import:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-import-delete.yml b/salt/curator/files/action/so-import-delete.yml index 99388e7cb..a3ba76435 100644 --- a/salt/curator/files/action/so-import-delete.yml +++ b/salt/curator/files/action/so-import-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-import:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-import:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-import-warm.yml b/salt/curator/files/action/so-import-warm.yml index 49e9dae3a..b29bfe96b 100644 --- a/salt/curator/files/action/so-import-warm.yml +++ b/salt/curator/files/action/so-import-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-import:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-import:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-infoblox-close.yml b/salt/curator/files/action/so-infoblox-close.yml index cb3d0dce3..8c50d291f 100644 --- a/salt/curator/files/action/so-infoblox-close.yml +++ b/salt/curator/files/action/so-infoblox-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-infoblox-delete.yml b/salt/curator/files/action/so-infoblox-delete.yml index 1e0958eb1..e231af0b5 100644 --- a/salt/curator/files/action/so-infoblox-delete.yml +++ b/salt/curator/files/action/so-infoblox-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-infoblox-warm.yml b/salt/curator/files/action/so-infoblox-warm.yml index cc757c75b..712a96c6b 100644 --- a/salt/curator/files/action/so-infoblox-warm.yml +++ b/salt/curator/files/action/so-infoblox-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-juniper-close.yml b/salt/curator/files/action/so-juniper-close.yml index 0fa8b4f9c..266e884df 100644 --- a/salt/curator/files/action/so-juniper-close.yml +++ b/salt/curator/files/action/so-juniper-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-juniper:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-juniper:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-juniper-delete.yml b/salt/curator/files/action/so-juniper-delete.yml index 901c014a6..bbe59cf5e 100644 --- a/salt/curator/files/action/so-juniper-delete.yml +++ b/salt/curator/files/action/so-juniper-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-juniper-warm.yml b/salt/curator/files/action/so-juniper-warm.yml index 90d5e11f9..a4608f0bf 100644 --- a/salt/curator/files/action/so-juniper-warm.yml +++ b/salt/curator/files/action/so-juniper-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-kibana-close.yml b/salt/curator/files/action/so-kibana-close.yml index 7c9908086..47bc752df 100644 --- a/salt/curator/files/action/so-kibana-close.yml +++ b/salt/curator/files/action/so-kibana-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-kibana:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-kibana:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-kibana-delete.yml b/salt/curator/files/action/so-kibana-delete.yml index 4d227ccb9..c1da5997c 100644 --- a/salt/curator/files/action/so-kibana-delete.yml +++ b/salt/curator/files/action/so-kibana-delete.yml 
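Review bot: In the so-juniper-warm.yml hunk the rewritten line still reads `elasticsearch:index_settings:so-aws:warm`, so the juniper warm-tier age is taken from the aws setting and any `so-juniper:warm` value an operator configures is ignored; the commit touched this exact line and kept the wrong key. It should be `{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:warm') -%}`. Since every action file in this series differs only in the index name, rendering them from one template with the index as a variable would make this kind of copy-paste drift impossible to reintroduce.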
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-kibana-warm.yml b/salt/curator/files/action/so-kibana-warm.yml index a5a0899ee..d1c2f55eb 100644 --- a/salt/curator/files/action/so-kibana-warm.yml +++ b/salt/curator/files/action/so-kibana-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-kratos-close.yml b/salt/curator/files/action/so-kratos-close.yml index c24cc2b40..b12bec607 100644 --- a/salt/curator/files/action/so-kratos-close.yml +++ b/salt/curator/files/action/so-kratos-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-kratos:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-kratos:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-kratos-delete.yml b/salt/curator/files/action/so-kratos-delete.yml index c5bd26651..86d457d32 100644 --- a/salt/curator/files/action/so-kratos-delete.yml +++ b/salt/curator/files/action/so-kratos-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-kratos-warm.yml b/salt/curator/files/action/so-kratos-warm.yml index 51b35a8f9..509792f4c 100644 --- a/salt/curator/files/action/so-kratos-warm.yml +++ b/salt/curator/files/action/so-kratos-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-logstash-close.yml b/salt/curator/files/action/so-logstash-close.yml index 63df86874..e91ce0fd9 100644 --- a/salt/curator/files/action/so-logstash-close.yml +++ b/salt/curator/files/action/so-logstash-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-logstash:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-logstash:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-logstash-delete.yml b/salt/curator/files/action/so-logstash-delete.yml index 9132fbbc9..3aa73874d 100644 --- a/salt/curator/files/action/so-logstash-delete.yml +++ b/salt/curator/files/action/so-logstash-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-logstash-warm.yml b/salt/curator/files/action/so-logstash-warm.yml index a47ffae2a..8865026b0 100644 --- a/salt/curator/files/action/so-logstash-warm.yml +++ b/salt/curator/files/action/so-logstash-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-microsoft-close.yml b/salt/curator/files/action/so-microsoft-close.yml index 7f8e1f912..0401883f0 100644 --- a/salt/curator/files/action/so-microsoft-close.yml +++ b/salt/curator/files/action/so-microsoft-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-microsoft-delete.yml b/salt/curator/files/action/so-microsoft-delete.yml index fcf4a74b7..35aa95173 100644 --- a/salt/curator/files/action/so-microsoft-delete.yml +++ b/salt/curator/files/action/so-microsoft-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-microsoft-warm.yml b/salt/curator/files/action/so-microsoft-warm.yml index 8b3e4716a..f702bbbe9 100644 --- a/salt/curator/files/action/so-microsoft-warm.yml +++ b/salt/curator/files/action/so-microsoft-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-misp-close.yml b/salt/curator/files/action/so-misp-close.yml index 14998cdcc..c32b3992a 100644 --- a/salt/curator/files/action/so-misp-close.yml +++ b/salt/curator/files/action/so-misp-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-misp:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-misp:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-misp-delete.yml b/salt/curator/files/action/so-misp-delete.yml index 868441932..7e432c969 100644 --- a/salt/curator/files/action/so-misp-delete.yml +++ b/salt/curator/files/action/so-misp-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-misp:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-misp:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-misp-warm.yml b/salt/curator/files/action/so-misp-warm.yml index d1c7b1591..be0447c7e 100644 --- a/salt/curator/files/action/so-misp-warm.yml +++ b/salt/curator/files/action/so-misp-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-misp:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-misp:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-netflow-close.yml b/salt/curator/files/action/so-netflow-close.yml index d1e39e07e..1069aebb4 100644 --- a/salt/curator/files/action/so-netflow-close.yml +++ b/salt/curator/files/action/so-netflow-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-netflow:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-netflow:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-netflow-delete.yml b/salt/curator/files/action/so-netflow-delete.yml index 19d7406de..f697daf33 100644 --- a/salt/curator/files/action/so-netflow-delete.yml +++ b/salt/curator/files/action/so-netflow-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-netflow-warm.yml b/salt/curator/files/action/so-netflow-warm.yml index 60d844efd..4d0dcf1ff 100644 --- a/salt/curator/files/action/so-netflow-warm.yml +++ b/salt/curator/files/action/so-netflow-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-netscout-close.yml b/salt/curator/files/action/so-netscout-close.yml index b15d4c30d..d5ebfe41d 100644 --- a/salt/curator/files/action/so-netscout-close.yml +++ b/salt/curator/files/action/so-netscout-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-netscout:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-netscout:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-netscout-delete.yml b/salt/curator/files/action/so-netscout-delete.yml index a12bb27b6..46ea94c76 100644 --- a/salt/curator/files/action/so-netscout-delete.yml +++ b/salt/curator/files/action/so-netscout-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-netscout-warm.yml b/salt/curator/files/action/so-netscout-warm.yml index c36846994..9b568ca36 100644 --- a/salt/curator/files/action/so-netscout-warm.yml +++ b/salt/curator/files/action/so-netscout-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-o365-close.yml b/salt/curator/files/action/so-o365-close.yml index 33ee84a20..db0202e07 100644 --- a/salt/curator/files/action/so-o365-close.yml +++ b/salt/curator/files/action/so-o365-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-o365:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-o365:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-o365-delete.yml b/salt/curator/files/action/so-o365-delete.yml index 41cc31e06..350808e3d 100644 --- a/salt/curator/files/action/so-o365-delete.yml +++ b/salt/curator/files/action/so-o365-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-o365:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-o365:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-o365-warm.yml b/salt/curator/files/action/so-o365-warm.yml index 0c2788ead..60f9b7364 100644 --- a/salt/curator/files/action/so-o365-warm.yml +++ b/salt/curator/files/action/so-o365-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-o365:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-o365:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-okta-close.yml b/salt/curator/files/action/so-okta-close.yml index 29539551b..ddbb4852f 100644 --- a/salt/curator/files/action/so-okta-close.yml +++ b/salt/curator/files/action/so-okta-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-okta:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-okta:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-okta-warm.yml b/salt/curator/files/action/so-okta-warm.yml index 57da23031..31d2bcf41 100644 --- a/salt/curator/files/action/so-okta-warm.yml +++ b/salt/curator/files/action/so-okta-warm.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-okta:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-okta:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-okta.delete.yml b/salt/curator/files/action/so-okta.delete.yml index a236a9059..358c387d5 100644 --- a/salt/curator/files/action/so-okta.delete.yml +++ b/salt/curator/files/action/so-okta.delete.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-okta:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-okta:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-osquery-close.yml b/salt/curator/files/action/so-osquery-close.yml index 9be61456f..b19f1c26d 100644 --- a/salt/curator/files/action/so-osquery-close.yml +++ b/salt/curator/files/action/so-osquery-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-osquery:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-osquery:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-osquery-delete.yml b/salt/curator/files/action/so-osquery-delete.yml index 190da5783..468ab5715 100644 --- a/salt/curator/files/action/so-osquery-delete.yml +++ b/salt/curator/files/action/so-osquery-delete.yml 
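Review bot: The file edited in the second hunk on this line is named `so-okta.delete.yml`, with a dot where every sibling uses a hyphen (`so-okta-close.yml`, `so-okta-warm.yml`, `so-osquery-delete.yml`); the commit rewrites its contents but keeps the name. If anything enumerates these actions by a `so-*-delete.yml` pattern, the okta delete action would be skipped and those indices never removed, though that cannot be confirmed from this chunk. Renaming it to `so-okta-delete.yml` in the same change would keep the set consistent.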
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-osquery-warm.yml b/salt/curator/files/action/so-osquery-warm.yml index 477c3bf26..24cc30848 100644 --- a/salt/curator/files/action/so-osquery-warm.yml +++ b/salt/curator/files/action/so-osquery-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-ossec-close.yml b/salt/curator/files/action/so-ossec-close.yml index 85ce62967..bd4c3bea0 100644 --- a/salt/curator/files/action/so-ossec-close.yml +++ b/salt/curator/files/action/so-ossec-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-ossec:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-ossec:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-ossec-delete.yml b/salt/curator/files/action/so-ossec-delete.yml index 4c86054b3..4149fd767 100644 --- a/salt/curator/files/action/so-ossec-delete.yml +++ b/salt/curator/files/action/so-ossec-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-ossec-warm.yml b/salt/curator/files/action/so-ossec-warm.yml index c6ef1b95f..6913aa06b 100644 --- a/salt/curator/files/action/so-ossec-warm.yml +++ b/salt/curator/files/action/so-ossec-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-proofpoint-close.yml b/salt/curator/files/action/so-proofpoint-close.yml index 12386cb19..89bb191d4 100644 --- a/salt/curator/files/action/so-proofpoint-close.yml +++ b/salt/curator/files/action/so-proofpoint-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-proofpoint-delete.yml b/salt/curator/files/action/so-proofpoint-delete.yml index 7eec6bef6..aad867ddd 100644 --- a/salt/curator/files/action/so-proofpoint-delete.yml +++ b/salt/curator/files/action/so-proofpoint-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-proofpoint-warm.yml b/salt/curator/files/action/so-proofpoint-warm.yml index 78da530c0..fd686d728 100644 --- a/salt/curator/files/action/so-proofpoint-warm.yml +++ b/salt/curator/files/action/so-proofpoint-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-radware-close.yml b/salt/curator/files/action/so-radware-close.yml index d4d2e404b..dacd1d369 100644 --- a/salt/curator/files/action/so-radware-close.yml +++ b/salt/curator/files/action/so-radware-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-radware:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-radware:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-radware-delete.yml b/salt/curator/files/action/so-radware-delete.yml index d482300f6..5793adbe9 100644 --- a/salt/curator/files/action/so-radware-delete.yml +++ b/salt/curator/files/action/so-radware-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-radware:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-radware:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-radware-warm.yml b/salt/curator/files/action/so-radware-warm.yml index 780a428dc..29859a96a 100644 --- a/salt/curator/files/action/so-radware-warm.yml +++ b/salt/curator/files/action/so-radware-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-radware:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-radware:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-redis-close.yml b/salt/curator/files/action/so-redis-close.yml index a427b8a39..bca8129fc 100644 --- a/salt/curator/files/action/so-redis-close.yml +++ b/salt/curator/files/action/so-redis-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-redis:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-redis:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-redis-delete.yml b/salt/curator/files/action/so-redis-delete.yml index 009ae9ab0..47af44653 100644 --- a/salt/curator/files/action/so-redis-delete.yml +++ b/salt/curator/files/action/so-redis-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-redis:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-redis:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-redis-warm.yml b/salt/curator/files/action/so-redis-warm.yml index c9ee80602..38d0ee577 100644 --- a/salt/curator/files/action/so-redis-warm.yml +++ b/salt/curator/files/action/so-redis-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-redis:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-redis:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-snort-close.yml b/salt/curator/files/action/so-snort-close.yml index 0dfe42438..7555db52b 100644 --- a/salt/curator/files/action/so-snort-close.yml +++ b/salt/curator/files/action/so-snort-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-snort:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-snort:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-snort-delete.yml b/salt/curator/files/action/so-snort-delete.yml index ab911c691..5c70a08fa 100644 --- a/salt/curator/files/action/so-snort-delete.yml +++ b/salt/curator/files/action/so-snort-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snort:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snort:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-snort-warm.yml b/salt/curator/files/action/so-snort-warm.yml index c3e96c31b..2c95ad699 100644 --- a/salt/curator/files/action/so-snort-warm.yml +++ b/salt/curator/files/action/so-snort-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snort:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snort:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-snyk-close.yml b/salt/curator/files/action/so-snyk-close.yml index 4dfe142e0..cda27ffcf 100644 --- a/salt/curator/files/action/so-snyk-close.yml +++ b/salt/curator/files/action/so-snyk-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-snyk:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-snyk:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-snyk-delete.yml b/salt/curator/files/action/so-snyk-delete.yml index f6e864149..b3e306bcd 100644 --- a/salt/curator/files/action/so-snyk-delete.yml +++ b/salt/curator/files/action/so-snyk-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-snyk-warm.yml b/salt/curator/files/action/so-snyk-warm.yml index 6aadc5048..01394605d 100644 --- a/salt/curator/files/action/so-snyk-warm.yml +++ b/salt/curator/files/action/so-snyk-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-sonicwall-close.yml b/salt/curator/files/action/so-sonicwall-close.yml index 12fe05cd4..ad5520607 100644 --- a/salt/curator/files/action/so-sonicwall-close.yml +++ b/salt/curator/files/action/so-sonicwall-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-sonicwall-delete.yml b/salt/curator/files/action/so-sonicwall-delete.yml index 7033a6459..efa598bdb 100644 --- a/salt/curator/files/action/so-sonicwall-delete.yml +++ b/salt/curator/files/action/so-sonicwall-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-sonicwall-warm.yml b/salt/curator/files/action/so-sonicwall-warm.yml index bf74418f5..5d9cfbfc4 100644 --- a/salt/curator/files/action/so-sonicwall-warm.yml +++ b/salt/curator/files/action/so-sonicwall-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-sophos-close.yml b/salt/curator/files/action/so-sophos-close.yml index ed655f19c..0a4cd9c26 100644 --- a/salt/curator/files/action/so-sophos-close.yml +++ b/salt/curator/files/action/so-sophos-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-sophos:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-sophos:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-sophos-delete.yml b/salt/curator/files/action/so-sophos-delete.yml index 5684cdada..0bcf922a6 100644 --- a/salt/curator/files/action/so-sophos-delete.yml +++ b/salt/curator/files/action/so-sophos-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-sophos-warm.yml b/salt/curator/files/action/so-sophos-warm.yml index a725ec018..50874c8ae 100644 --- a/salt/curator/files/action/so-sophos-warm.yml +++ b/salt/curator/files/action/so-sophos-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-strelka-close.yml b/salt/curator/files/action/so-strelka-close.yml index b7d0e3925..1af30fd6c 100644 --- a/salt/curator/files/action/so-strelka-close.yml +++ b/salt/curator/files/action/so-strelka-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-strelka:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-strelka:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-strelka-delete.yml b/salt/curator/files/action/so-strelka-delete.yml index 293446303..c48a80c92 100644 --- a/salt/curator/files/action/so-strelka-delete.yml +++ b/salt/curator/files/action/so-strelka-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-strelka-warm.yml b/salt/curator/files/action/so-strelka-warm.yml index 4f2950dcf..641601e7a 100644 --- a/salt/curator/files/action/so-strelka-warm.yml +++ b/salt/curator/files/action/so-strelka-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-syslog-close.yml b/salt/curator/files/action/so-syslog-close.yml index 954a2eedb..d04a7e1ac 100644 --- a/salt/curator/files/action/so-syslog-close.yml +++ b/salt/curator/files/action/so-syslog-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-syslog:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-syslog:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-syslog-delete.yml b/salt/curator/files/action/so-syslog-delete.yml index 0a9500cd2..5fa7878c8 100644 --- a/salt/curator/files/action/so-syslog-delete.yml +++ b/salt/curator/files/action/so-syslog-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-syslog-warm.yml b/salt/curator/files/action/so-syslog-warm.yml index 6c04d9a9d..e94a1f118 100644 --- a/salt/curator/files/action/so-syslog-warm.yml +++ b/salt/curator/files/action/so-syslog-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-tomcat-close.yml b/salt/curator/files/action/so-tomcat-close.yml index da9b3d21d..ac75659a3 100644 --- a/salt/curator/files/action/so-tomcat-close.yml +++ b/salt/curator/files/action/so-tomcat-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-tomcat-delete.yml b/salt/curator/files/action/so-tomcat-delete.yml index 7062d6adb..cf68c0933 100644 --- a/salt/curator/files/action/so-tomcat-delete.yml +++ b/salt/curator/files/action/so-tomcat-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-tomcat-warm.yml b/salt/curator/files/action/so-tomcat-warm.yml index 0213e7e5f..0b2772d6c 100644 --- a/salt/curator/files/action/so-tomcat-warm.yml +++ b/salt/curator/files/action/so-tomcat-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-zeek-close.yml b/salt/curator/files/action/so-zeek-close.yml index 82041df5e..de18b146b 100644 --- a/salt/curator/files/action/so-zeek-close.yml +++ b/salt/curator/files/action/so-zeek-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-zeek:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-zeek:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-zeek-delete.yml b/salt/curator/files/action/so-zeek-delete.yml index 2640136a9..bc902fd5c 100644 --- a/salt/curator/files/action/so-zeek-delete.yml +++ b/salt/curator/files/action/so-zeek-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-zeek-warm.yml b/salt/curator/files/action/so-zeek-warm.yml index b62bf90e9..490e21c12 100644 --- a/salt/curator/files/action/so-zeek-warm.yml +++ b/salt/curator/files/action/so-zeek-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/action/so-zscaler-close.yml b/salt/curator/files/action/so-zscaler-close.yml index d7559097f..ba1d36029 100644 --- a/salt/curator/files/action/so-zscaler-close.yml +++ b/salt/curator/files/action/so-zscaler-close.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:close') -%} actions: 1: action: close diff --git a/salt/curator/files/action/so-zscaler-delete.yml b/salt/curator/files/action/so-zscaler-delete.yml index 8a7cffcdb..fe663ba3a 100644 --- a/salt/curator/files/action/so-zscaler-delete.yml +++ b/salt/curator/files/action/so-zscaler-delete.yml 
@@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:delete', 365) -%} +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:delete') -%} actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-zscaler-warm.yml b/salt/curator/files/action/so-zscaler-warm.yml index 5e34177d1..c5d20b868 100644 --- a/salt/curator/files/action/so-zscaler-warm.yml +++ b/salt/curator/files/action/so-zscaler-warm.yml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:warm', 7) -%} +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:warm') -%} actions: 1: action: allocation diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete index 70b032db5..fe62d3bf5 100755 --- a/salt/curator/files/bin/so-curator-closed-delete-delete +++ b/salt/curator/files/bin/so-curator-closed-delete-delete 
@@ -4,15 +4,15 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. - +{% from 'vars/globals.map.jinja' import GLOBALS %} {%- if grains['role'] in ['so-searchnode', 'so-heavynode'] %} - {%- set ELASTICSEARCH_HOST = salt['pillar.get']('host:mainip', '') -%} - {%- set ELASTICSEARCH_PORT = salt['pillar.get']('elasticsearch:es_port', '') -%} + {%- set ELASTICSEARCH_HOST = GLOBALS.node_ip -%} + {%- set ELASTICSEARCH_PORT = salt['pillar.get']('elasticsearch:es_port') -%} {%- elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %} - {%- set ELASTICSEARCH_HOST = salt['pillar.get']('global:managerip', '') -%} - {%- set ELASTICSEARCH_PORT = salt['pillar.get']('manager:es_port', '') -%} + {%- set ELASTICSEARCH_HOST = GLOBALS.manager_ip -%} + {%- set ELASTICSEARCH_PORT = salt['pillar.get']('manager:es_port') -%} {%- endif -%} -{%- set LOG_SIZE_LIMIT = salt['pillar.get']('elasticsearch:log_size_limit', '') -%} +{%- set LOG_SIZE_LIMIT = salt['pillar.get']('elasticsearch:log_size_limit') -%} # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at diff --git a/salt/curator/files/curator.yml b/salt/curator/files/curator.yml index 5eaa97c73..76888c94f 100644 --- a/salt/curator/files/curator.yml +++ b/salt/curator/files/curator.yml 
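Review bot: `LOG_SIZE_LIMIT` is now read without a default, so a node lacking the `elasticsearch:log_size_limit` pillar key gets `LOG_SIZE_LIMIT=None` baked into a script whose name suggests it deletes closed indices by size; the comparisons in the body (outside the hunk) would then run against the literal string `None`. A render-time guard such as `{%- if LOG_SIZE_LIMIT is none %}{{ raise('elasticsearch:log_size_limit is not set') }}{%- endif -%}` fails the state loudly instead of failing the cron job later. The two hard-coded `grains['role']` lists that select host and port are also still duplicated between this script and curator.yml in the next hunk, and a node in neither list leaves `ELASTICSEARCH_HOST` unset; with `GLOBALS` now imported, a single role source would be less error-prone.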
@@ -3,10 +3,11 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +{% from 'vars/globals.map.jinja' import GLOBALS %} {% if grains['role'] in ['so-searchnode', 'so-heavynode'] %} - {%- set elasticsearch = salt['pillar.get']('host:mainip', '') -%} + {%- set elasticsearch = GLOBALS.node_ip -%} {% elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %} - {%- set elasticsearch = salt['pillar.get']('global:managerip', '') -%} + {%- set elasticsearch = GLOBALS.manager_ip -%} {%- endif %} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 164dece6b..7c47c23d4 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -6,12 +6,9 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} - - +{% from "curator/map.jinja" import CURATOROPTIONS %} {% set REMOVECURATORCRON = False %} -{% if grains['role'] in ['so-eval', 'so-managersearch', 'so-heavynode', 'so-standalone', 'so-manager'] %} - {% from "curator/map.jinja" import CURATOROPTIONS with context %} # Curator # Create the group curatorgroup: @@ -122,7 +119,7 @@ curclustercwarm: so-curator: docker_container.{{ CURATOROPTIONS.status }}: - - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-curator:{{ GLOBALS.so_version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-curator:{{ GLOBALS.so_version }} - start: {{ CURATOROPTIONS.start }} - hostname: curator - name: so-curator @@ -167,8 +164,6 @@ so-curatorclusterwarm: - daymonth: '*' - month: '*' - dayweek: '*' - -{% endif %} {% else %} diff --git a/salt/curator/map.jinja b/salt/curator/map.jinja index bbcff2a9c..1fcebf5ad 100644 
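Review bot: With the `grains['role']` gate removed from curator/init.sls, whether the `so-curator` container exists is decided only by `CURATOROPTIONS.status`, which after the map.jinja change in the following hunk depends solely on the `curator:enabled` pillar; the role restriction is presumably now enforced through allowed_states, but nothing in this file says so. A comment at the import, `{# role gating for curator lives in allowed_states.map.jinja; map.jinja only handles curator:enabled #}`, would keep that contract visible. The curator.yml hunk above still embeds `ES_USER`/`ES_PASS` from pillar into the rendered config, so the `file.managed` that writes it (outside the hunk) should keep a restrictive mode and `show_changes: False`.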
--- a/salt/curator/map.jinja +++ b/salt/curator/map.jinja @@ -1,10 +1,9 @@ {% set CURATOROPTIONS = {} %} {% set ENABLED = salt['pillar.get']('curator:enabled', True) %} -{% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} {% do CURATOROPTIONS.update({'manage_sostatus': True}) %} # don't start the docker container if curator is disabled via pillar -{% if not ENABLED or (TRUECLUSTER and grains.id.split('_')|last == 'searchnode') or (not TRUECLUSTER and grains.id.split('_')|last == 'manager') %} +{% if not ENABLED %} {% do CURATOROPTIONS.update({'start': False}) %} {% do CURATOROPTIONS.update({'status': 'absent'}) %} {% if (TRUECLUSTER and grains.id.split('_')|last == 'searchnode') or (not TRUECLUSTER and grains.id.split('_')|last == 'manager') %} diff --git a/salt/elastalert/elastalert_config.map.jinja b/salt/elastalert/elastalert_config.map.jinja index 4408111d3..15f9c8530 100644 --- a/salt/elastalert/elastalert_config.map.jinja +++ b/salt/elastalert/elastalert_config.map.jinja @@ -1,8 +1,9 @@ -{% import_yaml 'elastalert/defaults.yaml' as ELASTALERT with context %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% import_yaml 'elastalert/defaults.yaml' as ELASTALERT %} {% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %} -{% do ELASTALERT.elastalert.config.update({'es_host': pillar.global.managerip}) %} +{% do ELASTALERT.elastalert.config.update({'es_host': GLOBALS.manager_ip}) %} {% do ELASTALERT.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %} {% do ELASTALERT.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %} diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 309894b18..f62c1fed7 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls 
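Review bot: The `TRUECLUSTER` assignment is deleted, but the context line closing the hunk still evaluates `(TRUECLUSTER and grains.id.split('_')|last == 'searchnode') or (not TRUECLUSTER and grains.id.split('_')|last == 'manager')`. Under Salt's default strict-undefined rendering that raises an UndefinedError whenever `curator:enabled` is false, i.e. disabling curator via pillar now breaks rendering of the whole curator state; if the minion renders with undefined allowed, `not TRUECLUSTER` is instead always true and the inner block silently applies to every manager-role node. Either remove that inner `{% if %}`/`{% endif %}` pair together with the variable, or keep `{% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}`. The inner block's body is outside the hunk.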
@@ -4,17 +4,9 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'elastalert/elastalert_config.map.jinja' import ELASTALERT as elastalert_config with context %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{%- set MANAGER_URL = salt['pillar.get']('global:url_base', '') %} -{%- set MANAGER_IP = salt['pillar.get']('global:managerip', '') %} - - -# Elastalert - # Create the group elastagroup: group.present: @@ -90,7 +82,7 @@ wait_for_elasticsearch: so-elastalert: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elastalert:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastalert:{{ GLOBALS.so_version }} - hostname: elastalert - name: so-elastalert - user: so-elastalert @@ -101,7 +93,7 @@ so-elastalert: - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro - extra_hosts: - - {{MANAGER_URL}}:{{MANAGER_IP}} + - {{GLOBALS.url_base}}:{{GLOBALS.manager_ip}} - require: - cmd: wait_for_elasticsearch - file: elastarules diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja index cec4887c8..6ccbe6985 100644 --- a/salt/elasticsearch/config.map.jinja +++ b/salt/elasticsearch/config.map.jinja @@ -1,3 +1,4 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} {% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %} {% from 'logstash/map.jinja' import REDIS_NODES with context %} 
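Review bot: The `extra_hosts` entry is written `{{GLOBALS.url_base}}:{{GLOBALS.manager_ip}}` while the image line a few lines above in the same file uses the spaced `{{ GLOBALS.registry_host }}` form; pick one, `- {{ GLOBALS.url_base }}:{{ GLOBALS.manager_ip }}`. The removed `MANAGER_URL`/`MANAGER_IP` lines had explicit `''` defaults, whereas an unset `GLOBALS.url_base` will presumably fail rendering under Salt's strict-undefined default instead of producing an empty hosts entry; that is the better failure mode, but worth a one-line comment so the next reader does not reintroduce a default.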
@@ -9,7 +10,7 @@ {% if HIGHLANDER %} {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'transform']) %} {% endif %} - {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [grains.master]}}) %} + {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %} {% for SN in REDIS_NODES.keys() %} {% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(SN) %} {% endfor %} @@ -23,15 +24,15 @@ {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %} {% endif %} {% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': 'hot'}) %} - {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [grains.master]}}) %} + {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %} {% endif %} {% if HIGHLANDER %} {% do ESCONFIG.elasticsearch.config.xpack.ml.update({'enabled': true}) %} {% endif %} -{% do ESCONFIG.elasticsearch.config.node.update({'name': grains.host}) %} -{% do ESCONFIG.elasticsearch.config.cluster.update({'name': grains.host}) %} -{% do ESCONFIG.elasticsearch.config.transport.update({'publish_host': grains.host}) %} +{% do ESCONFIG.elasticsearch.config.node.update({'name': GLOBALS.hostname}) %} +{% do ESCONFIG.elasticsearch.config.cluster.update({'name': GLOBALS.hostname}) %} +{% do ESCONFIG.elasticsearch.config.transport.update({'publish_host': GLOBALS.hostname}) %} {# merge with the elasticsearch pillar #} {% set ESCONFIG = salt['pillar.get']('elasticsearch:config', default=ESCONFIG.elasticsearch.config, merge=True) %} diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index be28a3712..7ec143089 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
@@ -9,14 +9,13 @@ include: - ssl +{% from 'vars/globals.map.jinja' import GLOBALS %} {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} {% set ROLES = salt['pillar.get']('elasticsearch:roles', {}) %} {% from 'elasticsearch/config.map.jinja' import ESCONFIG with context %} {% from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS without context %} {% from 'logstash/map.jinja' import REDIS_NODES with context %} -{% from 'vars/globals.map.jinja' import GLOBALS %} - vm.max_map_count: sysctl.present: - value: 262144 @@ -51,6 +50,8 @@ es_sync_scripts: - source: salt://elasticsearch/tools/sbin - exclude_pat: - so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state + - defaults: + GLOBALS: {{ GLOBALS }} so-elasticsearch-pipelines-script: file.managed: @@ -59,7 +60,6 @@ so-elasticsearch-pipelines-script: - user: 930 - group: 939 - mode: 754 - - template: jinja # Move our new CA over so Elastic and Logstash can use SSL with the internal CA catrustdir: @@ -283,7 +283,7 @@ auth_users_roles_inode: so-elasticsearch: docker_container.running: - - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }} - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch diff --git a/salt/elasticsearch/tools/sbin/so-catrust b/salt/elasticsearch/tools/sbin/so-catrust index 253208064..ae94fd286 100644 --- a/salt/elasticsearch/tools/sbin/so-catrust +++ b/salt/elasticsearch/tools/sbin/so-catrust 
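Review bot: `GLOBALS: {{ GLOBALS }}` under `defaults:` of `es_sync_scripts` renders the Python `repr()` of the dict into the state's YAML; that round-trips only while every value is a plain quoted string, and a value containing a `'`, a `None` (read back by YAML as the string "None") or a nested structure silently changes meaning. `GLOBALS: {{ GLOBALS | json }}` (JSON is valid YAML flow syntax) or `{{ GLOBALS | yaml }}` is the robust form. Separately, `- template: jinja` is removed from `so-elasticsearch-pipelines-script`; if that script still contains `{{ }}` expressions (its content is outside the hunk) they will now be installed verbatim.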
@@ -5,10 +5,6 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. - -{%- set VERSION = salt['pillar.get']('global:soversion', '') %} -{%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{%- set MANAGER = salt['grains.get']('master') %} . /usr/sbin/so-common # Exit on errors, since all lines must succeed @@ -16,7 +12,7 @@ set -e # Check to see if we have extracted the ca cert. if [ ! -f /opt/so/saltstack/local/salt/common/cacerts ]; then - docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }} -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt + docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }} -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/common/cacerts docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem docker rm so-elasticsearchca diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings b/salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings index a72ccaf56..0cdec181e 100755 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings @@ -1,6 +1,4 @@ #!/bin/bash -{% set ES = salt['pillar.get']('manager:mainip', '') %} -{% set MANAGER = salt['grains.get']('master') %} ELASTICSEARCH_PORT=9200 
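Review bot: so-catrust's `docker run` now reads `GLOBALS.manager` for the image, while every other image reference rewritten in this commit (so-elasticsearch in the preceding file, so-filebeat, so-grafana, so-influxdb, so-logstash below) switched to `GLOBALS.registry_host`; if those two values ever differ on a deployment, this script pulls from a different registry than the container whose truststore it is preparing. Unless the split is intentional, use `{{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }}` here as well. The script no longer declares GLOBALS itself and presumably relies on the `defaults:` added to es_sync_scripts in elasticsearch/init.sls, so it will only render when synced through that state.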
@@ -32,5 +30,5 @@ fi CLUSTER_SETTINGS=$(so-elasticsearch-query _cluster/settings | jq .persistent.cluster.remote) if [[ ! -z "$CLUSTER_SETTINGS" ]]; then echo "Applying cross cluster search config..." - so-elasticsearch-query _cluster/settings -d "{\"persistent\": {\"cluster\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" -XPUT + so-elasticsearch-query _cluster/settings -d "{\"persistent\": {\"cluster\": {\"remote\": {\"{{ GLOBALS.manager }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" -XPUT fi diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load index ab8e5b707..130e0f762 100755 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load @@ -4,13 +4,8 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. - - -{%- set mainint = salt['pillar.get']('host:mainint') %} -{%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} - default_conf_dir=/opt/so/conf -ELASTICSEARCH_HOST="{{ MYIP }}" +ELASTICSEARCH_HOST="{{ GLOBALS.node_ip }}" ELASTICSEARCH_PORT=9200 # Define a default directory to load roles from diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load index aa9502396..c59be1dd7 100755 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load 
@@ -3,12 +3,8 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use # this file except in compliance with the Elastic License 2.0. - -{%- set mainint = salt['pillar.get']('host:mainint') %} -{%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} - default_conf_dir=/opt/so/conf -ELASTICSEARCH_HOST="{{ MYIP }}" +ELASTICSEARCH_HOST="{{ GLOBALS.node_ip }}" ELASTICSEARCH_PORT=9200 #ELASTICSEARCH_AUTH="" diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 8fab6963a..3eed07696 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -5,10 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set LOCALHOSTNAME = salt['grains.get']('host') %} -{% set MANAGER = salt['grains.get']('master') %} +{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} {% from 'filebeat/modules.map.jinja' import MODULESENABLED with context %} {% from 'filebeat/map.jinja' import FILEBEAT_EXTRA_HOSTS with context %} @@ -97,7 +94,7 @@ thirdyparty_module_conf_remove: so-filebeat: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-filebeat:{{ GLOBALS.so_version }} - hostname: so-filebeat - user: root - extra_hosts: {{ FILEBEAT_EXTRA_HOSTS }} diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja index 47537ca41..bcbec1a8c 100644 --- a/salt/filebeat/map.jinja +++ b/salt/filebeat/map.jinja 
@@ -1,7 +1,6 @@ -{% set role = grains.role %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% set role = GLOBALS.role %} {% set FILEBEAT_EXTRA_HOSTS = [] %} -{% set mainint = salt['pillar.get']('host:mainint') %} -{% set localhostip = salt['grains.get']('ip_interfaces').get(mainint)[0] %} {% if role in ['so-sensor', 'so-fleet', 'so-searchnode', 'so-idh'] %} {% set node_data = salt['pillar.get']('logstash:nodes') %} {% for node_type, node_details in node_data.items() | sort %} @@ -13,4 +12,4 @@ {% endfor %} {% endif %} -{% do FILEBEAT_EXTRA_HOSTS.append({grains.host:localhostip}) %} +{% do FILEBEAT_EXTRA_HOSTS.append({GLOBALS.hostname:GLOBALS.node_ip}) %} diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml index 56b0a386e..b97088972 100644 --- a/salt/filebeat/securityoniondefaults.yaml +++ b/salt/filebeat/securityoniondefaults.yaml @@ -1,4 +1,3 @@ -{%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} {% set ZEEKLOGLOOKUP = { 'conn': 'connection', } %} diff --git a/salt/grafana/etc/datasources/influxdb.yaml b/salt/grafana/etc/datasources/influxdb.yaml index a10bed981..c95126b14 100644 --- a/salt/grafana/etc/datasources/influxdb.yaml +++ b/salt/grafana/etc/datasources/influxdb.yaml @@ -1,4 +1,3 @@ -{%- set MANAGER = salt['pillar.get']('global:managerip', '') %} apiVersion: 1 deleteDatasources: @@ -10,7 +9,7 @@ datasources: type: influxdb access: proxy database: telegraf - url: https://{{ MANAGER }}:8086 + url: https://{{ GLOBALS.manager_ip }}:8086 jsonData: tlsAuth: false tlsAuthWithCACert: false diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index 584219906..f20cdffff 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls 
@@ -1,10 +1,9 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} + {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set ADMINPASS = salt['pillar.get']('secrets:grafana_admin') %} {% import_yaml 'grafana/grafana_defaults.yaml' as default_settings %} @@ -78,6 +77,8 @@ grafana-datasources-config: - template: jinja - source: salt://grafana/etc/datasources/influxdb.yaml - makedirs: True + - defaults: + GLOBALS: {{ GLOBALS }} grafana-config: file.managed: @@ -122,7 +123,7 @@ so-grafana-dashboard-folder-delete: so-grafana: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-grafana:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-grafana:{{ GLOBALS.so_version }} - hostname: grafana - user: socore - binds: diff --git a/salt/idh/init.sls b/salt/idh/init.sls index d4191c31e..1e7ce1530 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -5,19 +5,13 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - -{% set VERSION = salt['pillar.get']('global:soversion') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set MAININT = salt['pillar.get']('host:mainint') %} -{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} +{% from 'vars/globals.map.jinja' import GLOBALS %} {% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', False) %} include: - idh.openssh.config - firewall - # If True, block IDH Services from accepting connections on Managment IP {% if RESTRICTIDHSERVICES %} {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %} 
@@ -37,7 +31,7 @@ block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'.port'] }} : - position: 1 - proto: {{ proto }} - dport: {{ OPENCANARYCONFIG[service~'.port'] }} - - destination: {{ MAINIP }} + - destination: {{ GLOBALS.node_ip }} {% endfor %} {% endif %} @@ -68,7 +62,7 @@ opencanary_config: so-idh: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-idh:{{ VERSION }} + - image: {{ GLOBALS.manger }}:5000/{{ GLOBALS.image_repo }}/so-idh:{{ GLOBALS.so_version }} - name: so-idh - detach: True - network_mode: host diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index d99ef17c6..8a7aa6500 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -2,10 +2,9 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - +{% from 'vars/globals.map.jinja' import GLOBALS %} {% set proxy = salt['pillar.get']('manager:proxy') %} include: @@ -29,7 +28,7 @@ so-ruleupdatecron: so-idstools: docker_container.running: - - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-idstools:{{ GLOBALS.so_version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idstools:{{ GLOBALS.so_version }} - hostname: so-idstools - user: socore {% if proxy %} @@ -55,4 +54,4 @@ append_so-idstools_so-status.conf: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif%} \ No newline at end of file +{% endif%} diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 637be9054..321ce76d6 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls 
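Review bot: `GLOBALS.manger` in the so-idh image line is a typo for `manager`; depending on the renderer's undefined handling it either raises an undefined-variable error or renders as an empty host, giving an image of `:5000/.../so-idh:...`, and either way the container state cannot run. The other docker_container.running states in this commit use `GLOBALS.registry_host`, so the consistent fix is `- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idh:{{ GLOBALS.so_version }}`. The so-idh state body continues outside the hunk.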
@@ -1,13 +1,10 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %} - -{% set MANAGER = salt['grains.get']('master') %} -{% set VERSION = salt['pillar.get']('global:soversion') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% import_yaml 'influxdb/defaults.yaml' as default_settings %} {% set influxdb = salt['grains.filter_by'](default_settings, default='influxdb', merge=salt['pillar.get']('influxdb', {})) %} {% from 'salt/map.jinja' import PYTHON3INFLUX with context %} @@ -48,7 +45,7 @@ influxdbconf: so-influxdb: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-influxdb:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-influxdb:{{ GLOBALS.so_version }} - hostname: influxdb - environment: - INFLUXDB_HTTP_LOG_ENABLED=false @@ -72,11 +69,22 @@ append_so-influxdb_so-status.conf: - name: /opt/so/conf/so-status/so-status.conf - text: so-influxdb +# Install cron job to determine size of influxdb for telegraf +get_influxdb_size: + cron.present: + - name: 'du -s -k /nsm/influxdb | cut -f1 > /opt/so/log/telegraf/influxdb_size.log 2>&1' + - user: root + - minute: '*/1' + - hour: '*' + - daymonth: '*' + - month: '*' + - dayweek: '*' + # We have to make sure the influxdb module is the right version prior to state run since reload_modules is bugged {% if PYTHONINFLUXVERSIONINSTALLED == PYTHONINFLUXVERSION %} wait_for_influxdb: http.query: - - name: 'https://{{MANAGER}}:8086/query?q=SHOW+DATABASES' + - name: 'https://{{GLOBALS.manager}}:8086/query?q=SHOW+DATABASES' - ssl: True - verify_ssl: False - status: 200 
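Review bot: The new `get_influxdb_size` cron writes `du` output straight to `/opt/so/log/telegraf/influxdb_size.log` with `2>&1`, so any du error text (missing directory, permission problem) lands in the same file telegraf reads as a number, and because `>` truncates before du finishes, a reader can race the write and see an empty file once a minute. Writing to a temporary file and renaming keeps the published value atomic and numeric, e.g. `- name: 'du -s -k /nsm/influxdb | cut -f1 > /opt/so/log/telegraf/influxdb_size.log.tmp 2>/dev/null && mv /opt/so/log/telegraf/influxdb_size.log.tmp /opt/so/log/telegraf/influxdb_size.log'`. `'*/1'` is equivalent to `'*'`, and a full directory walk of the InfluxDB data tree every minute may be noticeable I/O on larger installs, so it is worth confirming the telegraf poll actually needs minute resolution.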
@@ -94,7 +102,7 @@ telegraf_database: - ssl: True - verify_ssl: /etc/pki/ca.crt - cert: ['/etc/pki/influxdb.crt', '/etc/pki/influxdb.key'] - - influxdb_host: {{ MANAGER }} + - influxdb_host: {{ GLOBALS.manager }} - require: - docker_container: so-influxdb - sls: salt.python3-influxdb @@ -112,7 +120,7 @@ telegraf_database: - ssl: True - verify_ssl: /etc/pki/ca.crt - cert: ['/etc/pki/influxdb.crt', '/etc/pki/influxdb.key'] - - influxdb_host: {{ MANAGER }} + - influxdb_host: {{ GLOBALS.manager }} - require: - docker_container: so-influxdb - influxdb_database: telegraf_database @@ -130,7 +138,7 @@ so_downsample_{{measurement}}_cq: - ssl: True - verify_ssl: /etc/pki/ca.crt - cert: ['/etc/pki/influxdb.crt', '/etc/pki/influxdb.key'] - - influxdb_host: {{ MANAGER }} + - influxdb_host: {{ GLOBALS.manager }} - require: - docker_container: so-influxdb - influxdb_database: telegraf_database diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 73b83cece..031343d5d 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -4,7 +4,6 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set MANAGER = salt['pillar.get']('global:url_base', '') %} {%- set ENDGAMEHOST = salt['pillar.get']('global:endgamehost', 'ENDGAMEHOST') %} . /usr/sbin/so-common @@ -31,7 +30,7 @@ import() { # SOCtopus and Manager if grep -lq 'PLACEHOLDER' "$ndjson_file"; then - sed -i "s/PLACEHOLDER/{{ MANAGER }}/g" "$ndjson_file" + sed -i "s/PLACEHOLDER/{{ GLOBALS.url_base }}/g" "$ndjson_file" fi # Endgame diff --git a/salt/kibana/config.map.jinja b/salt/kibana/config.map.jinja index 3d285d40d..120c49cdb 100644 --- a/salt/kibana/config.map.jinja +++ b/salt/kibana/config.map.jinja 
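Review bot: The rewritten sed line in so-kibana-config-load still interpolates `GLOBALS.url_base` into an `s/.../.../g` expression delimited by `/`, so a url_base containing a path component breaks the command and an `&` corrupts the replacement; this predates the commit, but since the line is being touched, `sed -i "s|PLACEHOLDER|{{ GLOBALS.url_base }}|g" "$ndjson_file"` at least removes the delimiter clash (an `&` would still need escaping). The `import()` function continues outside the hunk.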
@@ -1,8 +1,9 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} {% import_yaml 'kibana/defaults.yaml' as KIBANACONFIG with context %} {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} -{% do KIBANACONFIG.kibana.config.server.update({'publicBaseUrl': 'https://' ~ pillar.global.url_base ~ '/kibana'}) %} -{% do KIBANACONFIG.kibana.config.elasticsearch.update({'hosts': ['https://' ~ pillar.global.managerip ~ ':9200']}) %} +{% do KIBANACONFIG.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %} +{% do KIBANACONFIG.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS..manager_ip ~ ':9200']}) %} {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %} diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 2d91ae191..9aac6bc37 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -75,6 +75,8 @@ kibanabin: - source: salt://kibana/bin/so-kibana-config-load - mode: 755 - template: jinja + - defaults: + GLOBALS: {{ GLOBALS }} # Start the kibana docker so-kibana: diff --git a/salt/kratos/files/kratos.yaml b/salt/kratos/files/kratos.yaml index b9561b4fd..650c8c752 100644 --- a/salt/kratos/files/kratos.yaml +++ b/salt/kratos/files/kratos.yaml @@ -1,4 +1,3 @@ -{%- set WEBACCESS = salt['pillar.get']('global:url_base', '') -%} {%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%} {%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '') -%} {%- set MFA_ISSUER = salt['pillar.get']('kratos:mfa_issuer', '') -%} 
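Review bot: `GLOBALS..manager_ip` in the kibana elasticsearch `hosts` line has a doubled dot, which is a Jinja TemplateSyntaxError and stops kibana/config.map.jinja, and every state that imports it, from rendering at all. Change it to `{% do KIBANACONFIG.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager_ip ~ ':9200']}) %}`.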
@@ -21,22 +20,22 @@ selfservice: flows: settings: - ui_url: https://{{ WEBACCESS }}/?r=/settings + ui_url: https://{{ GLOBALS.url_base }}/?r=/settings required_aal: highest_available verification: - ui_url: https://{{ WEBACCESS }}/ + ui_url: https://{{ GLOBALS.url_base }}/ login: - ui_url: https://{{ WEBACCESS }}/login/ + ui_url: https://{{ GLOBALS.url_base }}/login/ error: - ui_url: https://{{ WEBACCESS }}/login/ + ui_url: https://{{ GLOBALS.url_base }}/login/ registration: - ui_url: https://{{ WEBACCESS }}/login/ + ui_url: https://{{ GLOBALS.url_base }}/login/ - default_browser_return_url: https://{{ WEBACCESS }}/ + default_browser_return_url: https://{{ GLOBALS.url_base }}/ allowed_return_urls: - http://127.0.0.1 @@ -50,9 +49,9 @@ secrets: serve: public: - base_url: https://{{ WEBACCESS }}/auth/ + base_url: https://{{ GLOBALS.url_base }}/auth/ admin: - base_url: https://{{ WEBACCESS }}/kratos/ + base_url: https://{{ GLOBALS.url_base }}/kratos/ hashers: bcrypt: @@ -66,4 +65,4 @@ identity: courier: smtp: - connection_uri: smtps://{{ WEBACCESS }}:25 \ No newline at end of file + connection_uri: smtps://{{ GLOBALS.url_base }}:25 diff --git a/salt/kratos/init.sls b/salt/kratos/init.sls index 40e2d4fdd..6f3f3e19d 100644 --- a/salt/kratos/init.sls +++ b/salt/kratos/init.sls @@ -42,6 +42,8 @@ kratossync: - group: 928 - file_mode: 600 - template: jinja + - defaults: + GLOBALS: {{ GLOBALS }} kratos_schema: file.exists: diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index cb94d60b2..bf4d03984 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
@@ -64,6 +64,10 @@ ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}: {% if 'jinja' in CONFIGFILE.split('.')[-1] %} - name: /opt/so/conf/logstash/pipelines/{{PL}}/{{CONFIGFILE.split('/')[1] | replace(".jinja", "")}} - template: jinja + - defaults: + GLOBALS: {{ GLOBALS }} + ES_USER: {{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') }} + ES_PASS: {{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') }} {% else %} - name: /opt/so/conf/logstash/pipelines/{{PL}}/{{CONFIGFILE.split('/')[1]}} {% endif %} @@ -132,7 +136,7 @@ lslogdir: so-logstash: docker_container.running: - - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }} - hostname: so-logstash - name: so-logstash - user: logstash diff --git a/salt/logstash/map.jinja b/salt/logstash/map.jinja index d921615c7..49cdc0cc0 100644 --- a/salt/logstash/map.jinja +++ b/salt/logstash/map.jinja @@ -1,8 +1,6 @@ -{% set role = grains.role %} +{% from 'vars/globals.map.jinja' import GLOBALS %} {% set REDIS_NODES = [] %} -{% set mainint = salt['pillar.get']('host:mainint') %} -{% set localhostip = salt['grains.get']('ip_interfaces').get(mainint)[0] %} -{% if role in ['so-searchnode', 'so-standalone', 'so-managersearch'] %} +{% if GLOBALS.role in ['so-searchnode', 'so-standalone', 'so-managersearch'] %} {% set node_data = salt['pillar.get']('logstash:nodes') %} {% for node_type, node_details in node_data.items() | sort %} {% if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %} @@ -12,5 +10,5 @@ {% endif %} {% endfor %} {% else %} - {% do REDIS_NODES.append({grains.host:localhostip}) %} + {% do REDIS_NODES.append({GLOBALS.node_ip}) %} {% endif %} 
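Review bot: Passing `ES_USER`/`ES_PASS` through `defaults:` moves the Elasticsearch credentials out of a pillar lookup inside each pipeline template and into the compiled state data for every jinja pipeline file, where they are presumably visible in `state.show_sls`/`state.show_highstate` output and any rendered-highstate cache, and could surface in the reported diff when a pipeline file changes unless the state sets `show_changes: False` (that part of `ls_pipeline_...` is outside the hunk). Consider keeping the `salt['pillar.get'](...)` lookups inside the templates, as the removed lines in the pipeline files did, or at least adding `- show_changes: False` to this state so the password only ever lands in the rendered file. The `file.managed` block starts before the hunk.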
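Review bot: `{% do REDIS_NODES.append({GLOBALS.node_ip}) %}` is not valid Jinja: `{ ... }` is a dict literal and needs a `key: value` pair, so logstash/map.jinja raises a TemplateSyntaxError on every non-search role. The removed line appended `{hostname: ip}`, and consumers appear to expect dict entries (elasticsearch/config.map.jinja earlier in this diff iterates `REDIS_NODES.keys()`), so the equivalent is `{% do REDIS_NODES.append({GLOBALS.hostname: GLOBALS.node_ip}) %}`.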
diff --git a/salt/logstash/pipelines/config/so/0899_input_minio.conf.jinja b/salt/logstash/pipelines/config/so/0899_input_minio.conf.jinja index 59e457115..7a0848b39 100644 --- a/salt/logstash/pipelines/config/so/0899_input_minio.conf.jinja +++ b/salt/logstash/pipelines/config/so/0899_input_minio.conf.jinja @@ -1,7 +1,7 @@ {%- if grains.role == 'so-heavynode' %} -{%- set MANAGER = salt['grains.get']('host') %} +{%- set HOST = GLOBALS.hostname %} {%- else %} -{%- set MANAGER = salt['grains.get']('master') %} +{%- set HOST = GLOBALS.manager %} {% endif -%} {%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %} {%- set access_key = salt['pillar.get']('minio:access_key', '') %} @@ -11,7 +11,7 @@ input { s3 { access_key_id => "{{ access_key }}" secret_access_key => "{{ access_secret }}" - endpoint => "https://{{ MANAGER }}:9595" + endpoint => "https://{{ HOST }}:9595" bucket => "logstash" delete => true interval => {{ INTERVAL }} diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index f0aa95aeb..7b8c03f45 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja @@ -1,11 +1,8 @@ -{%- set ES = salt['grains.get']('master') -%} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [module] =~ "zeek" and "import" not in [tags] { elasticsearch { pipeline => "%{module}.%{dataset}" - hosts => "{{ ES }}" + hosts => "{{ GLOBALS.manager }}" user => "{{ ES_USER }}" password => "{{ ES_PASS }}" index => "so-zeek" diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja index 3e34648f8..a57830229 100644 
--- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja +++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja @@ -1,11 +1,8 @@ -{%- set ES = salt['grains.get']('master') -%} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if "import" in [tags] { elasticsearch { pipeline => "%{module}.%{dataset}" - hosts => "{{ ES }}" + hosts => "{{ GLOBALS.manager }}" user => "{{ ES_USER }}" password => "{{ ES_PASS }}" index => "so-import" diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index cce5cbc7e..4c49c61ea 100644 --- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja @@ -1,11 +1,8 @@ -{%- set ES = salt['grains.get']('master') -%} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [module] =~ "syslog" { elasticsearch { pipeline => "%{module}" - hosts => "{{ ES }}" + hosts => "{{ GLOBALS.manager }}" user => "{{ ES_USER }}" password => "{{ ES_PASS }}" index => "so-syslog" diff --git a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja index 1fa0967f5..672a83876 100644 --- a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja +++ b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja 
@@ -1,12 +1,9 @@ -{%- set ES = salt['grains.get']('master') -%} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if "filebeat" in [metadata][pipeline] { elasticsearch { id => "filebeat_modules_metadata_pipeline" pipeline => "%{[metadata][pipeline]}" - hosts => "{{ ES }}" + hosts => "{{ GLOBALS.manager }}" user => "{{ ES_USER }}" password => "{{ ES_PASS }}" index => "so-%{[event][module]}-%{+YYYY.MM.dd}" diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja index ef55e2441..8dbea872e 100644 --- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja @@ -1,11 +1,8 @@ -{%- set ES = salt['grains.get']('master') -%} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [module] =~ "osquery" and "live_query" not in [dataset] { elasticsearch { pipeline => "%{module}.%{dataset}" - hosts => "{{ ES }}" + hosts => "{{ GLOBALS.manager }}" user => "{{ ES_USER }}" password => "{{ ES_PASS }}" index => "so-osquery" diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja index 8738a81c8..7942aa50c 100644 --- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja +++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja 
@@ -1,10 +1,7 @@ -{%- set ES = salt['grains.get']('master') -%} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [dataset] =~ "firewall" { elasticsearch { - hosts => "{{ ES }}" + hosts => "{{ GLOBALS.manager }}" user => "{{ ES_USER }}" password => "{{ ES_PASS }}" index => "so-firewall" diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index b2a9cccc5..13df33e16 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja @@ -1,11 +1,8 @@ -{%- set ES = salt['grains.get']('master') -%} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [module] =~ "suricata" and "import" not in [tags] { elasticsearch { pipeline => "%{module}.%{dataset}" - hosts => "{{ ES }}" + hosts => "{{ GLOBALS.manager }}" user => "{{ ES_USER }}" password => "{{ ES_PASS }}" index => "so-ids" diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja index 84e9e10e8..b4aafecad 100644 --- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja +++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja 
@@ -1,12 +1,9 @@ -{%- set ES = salt['grains.get']('master') -%} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if "beat-ext" in [tags] and "import" not in [tags] and "filebeat" not in [metadata][pipeline] { if [metadata][_id] { elasticsearch { pipeline => "beats.common" - hosts => "{{ ES }}" + hosts => "{{ GLOBALS.manager }}" user => "{{ ES_USER }}" password => "{{ ES_PASS }}" index => "so-beats" @@ -17,7 +14,7 @@ output { } else { elasticsearch { pipeline => "beats.common" - hosts => "{{ ES }}" + hosts => "{{ GLOBALS.manager }}" user => "{{ ES_USER }}" password => "{{ ES_PASS }}" index => "so-beats" diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja index fa9726f1f..ca3eeb6c1 100644 --- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja +++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja @@ -1,11 +1,8 @@ -{%- set ES = salt['grains.get']('master') -%} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [module] =~ "ossec" { elasticsearch { pipeline => "%{module}" - hosts => "{{ ES }}" + hosts => "{{ GLOBALS.manager }}" user => "{{ ES_USER }}" password => "{{ ES_PASS }}" index => "so-ossec" diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index 3eb8a164a..281cdda5b 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja +++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja 
@@ -1,11 +1,8 @@ -{%- set ES = salt['grains.get']('master') -%} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [module] =~ "strelka" { elasticsearch { pipeline => "%{module}.%{dataset}" - hosts => "{{ ES }}" + hosts => "{{ GLOBALS.manager }}" user => "{{ ES_USER }}" password => "{{ ES_PASS }}" index => "so-strelka" diff --git a/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja b/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja index 0e633a1b8..8127de23a 100644 --- a/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja +++ b/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja @@ -1,13 +1,9 @@ -{%- set ES = salt['grains.get']('master') -%} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} - output { if [module] =~ "logscan" { elasticsearch { id => "logscan_pipeline" pipeline => "logscan.alert" - hosts => "{{ ES }}" + hosts => "{{ GLOBALS.manager }}" user => "{{ ES_USER }}" password => "{{ ES_PASS }}" index => "so-logscan" diff --git a/salt/logstash/pipelines/config/so/9801_output_rita.conf.jinja b/salt/logstash/pipelines/config/so/9801_output_rita.conf.jinja index fcbba67e6..7f9d795e6 100644 --- a/salt/logstash/pipelines/config/so/9801_output_rita.conf.jinja +++ b/salt/logstash/pipelines/config/so/9801_output_rita.conf.jinja 
@@ -1,11 +1,8 @@ -{%- set ES = salt['grains.get']('master') -%} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [module] =~ "rita" and "import" not in [tags] { elasticsearch { pipeline => "%{module}.%{dataset}" - hosts => "{{ ES }}" + hosts => "{{ GLOBALS.manager }}" user => "{{ ES_USER }}" password => "{{ ES_PASS }}" index => "so-rita" diff --git a/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja b/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja index ae5de7f54..ed81d4322 100644 --- a/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja +++ b/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja @@ -1,10 +1,7 @@ -{%- set ES = salt['grains.get']('master') -%} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if "elastic-agent" in [tags] and "import" not in [tags] { elasticsearch { - hosts => "{{ ES }}" + hosts => "{{ GLOBALS.manager }}" ecs_compatibility => v8 data_stream => true user => "{{ ES_USER }}" diff --git a/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja b/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja index 6f7dc4b34..c056f5774 100644 --- a/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja +++ b/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja @@ -1,6 +1,3 @@ -{%- set ES = salt['grains.get']('master') -%} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} filter { if [event][module] =~ "endgame" { mutate { 
@@ -12,7 +9,7 @@ output { if [event][module] =~ "endgame" { elasticsearch { id => "endgame_es_output" - hosts => "{{ ES }}" + hosts => "{{ GLOBALS.manager }}" user => "{{ ES_USER }}" password => "{{ ES_PASS }}" index => "endgame-%{+YYYY.MM.dd}" diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja index eac5fe304..68b5187f9 100644 --- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja @@ -1,7 +1,7 @@ {%- if grains.role in ['so-heavynode', 'so-receiver'] %} - {%- set HOST = salt['grains.get']('host') %} + {%- set HOST = GLOBALS.hostname %} {%- else %} - {%- set HOST = salt['grains.get']('master') %} + {%- set HOST = GLOBALS.manager %} {%- endif %} {%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} output { diff --git a/salt/motd/files/so_motd.jinja b/salt/motd/files/so_motd.jinja index 1efb77254..527269286 100644 --- a/salt/motd/files/so_motd.jinja +++ b/salt/motd/files/so_motd.jinja @@ -1,9 +1,8 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} {% set needs_restarting_check = salt['mine.get']('*', 'needs_restarting.check', tgt_type='glob') -%} -{% set role = grains.id.split('_') | last -%} -{% set url = salt['pillar.get']('global:url_base') -%} -{% if role in ['eval', 'managersearch', 'manager', 'standalone'] %} -Access the Security Onion web interface at https://{{ url }} +{% if GLOBALS.role in ['so-eval', 'so-managersearch', 'so-manager', 'so-standalone'] %} +Access the Security Onion web interface at https://{{ GLOBALS.url_base }} (You may need to run so-allow first if you haven't yet) {% endif %} diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 122093337..201a35704 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls 
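Review bot: The motd role check hardcodes `['so-eval', 'so-managersearch', 'so-manager', 'so-standalone']` while the same manager test elsewhere in this commit (common/init.sls, repo/client/centos.sls) uses `GLOBALS.manager_roles`, and the two may already diverge on so-import. If the banner is meant to follow the shared definition, `{% if GLOBALS.role in GLOBALS.manager_roles %}` keeps it in one place; if leaving so-import out is deliberate, a one-line comment such as `{# import nodes have no web interface, so they are excluded on purpose #}` would stop the next refactor from "fixing" it.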
@@ -81,7 +81,7 @@ navigatorenterpriseattack: so-nginx: docker_container.running: - - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }} - hostname: so-nginx - binds: - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index a5fd5da68..401b5d616 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -6,12 +6,9 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} {% from "pcap/map.jinja" import STENOOPTIONS with context %} {% from "pcap/config.map.jinja" import PCAPMERGED with context %} - -{% set VERSION = salt['pillar.get']('global:soversion') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} {% set BPF_STENO = salt['pillar.get']('bpf:pcap', None) %} {% set BPF_COMPILED = "" %} @@ -106,7 +103,7 @@ stenolog: so-steno: docker_container.{{ STENOOPTIONS.status }}: {% if STENOOPTIONS.status == 'running' %} - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-steno:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-steno:{{ GLOBALS.so_version }} - start: {{ STENOOPTIONS.start }} - network_mode: host - privileged: True diff --git a/salt/redis/init.sls b/salt/redis/init.sls index e80ee1218..1a353a1f0 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -6,9 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set VERSION = salt['pillar.get']('global:soversion') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} +{% from 'vars/globals.map.jinja' import GLOBALS %} include: - ssl 
@@ -45,7 +43,7 @@ redisconf: so-redis: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - hostname: so-redis - user: socore - port_bindings: diff --git a/salt/repo/client/centos.sls b/salt/repo/client/centos.sls index 39ced9ea8..7e077c1ce 100644 --- a/salt/repo/client/centos.sls +++ b/salt/repo/client/centos.sls @@ -3,12 +3,11 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. - +{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'repo/client/map.jinja' import ABSENTFILES with context %} {% from 'repo/client/map.jinja' import REPOPATH with context %} -{% set role = grains.id.split('_') | last %} -{% set MANAGER = salt['grains.get']('master') %} -{% if grains['os'] == 'CentOS' %} + +{% if GLOBALS.os == 'CentOS' %} {% if ABSENTFILES|length > 0%} {% for file in ABSENTFILES %} @@ -46,7 +45,7 @@ crsynckeys: - source: salt://repo/client/files/centos/keys/ - {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] %} + {% if GLOBALS.role in GLOBALS.manager_roles %} so_repo: pkgrepo.managed: - name: securityonion @@ -60,7 +59,7 @@ so_repo: pkgrepo.managed: - name: securityonion - humanname: Security Onion Repo - - baseurl: https://{{ MANAGER }}/repo + - baseurl: https://{{ GLOBALS.manager }}/repo - enabled: 1 - gpgcheck: 1 diff --git a/salt/repo/client/map.jinja b/salt/repo/client/map.jinja index e89fad746..abf824aeb 100644 --- a/salt/repo/client/map.jinja +++ b/salt/repo/client/map.jinja @@ -1,4 +1,5 @@ -{% if grains.os == 'CentOS' %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% if GLOBALS.os == 'CentOS' %} {% set REPOPATH = '/etc/yum.repos.d/' %} {% set ABSENTFILES = [ 
@@ -19,7 +20,7 @@ ] %} -{% elif grains.os == 'Ubuntu' %} +{% elif GLOBALS.os == 'Ubuntu' %} {% set REPOPATH = '/etc/apt/sources.list.d/' %} {% set ABSENTFILES = [] %} diff --git a/salt/salt/etc/minion.d/mine_functions.conf b/salt/salt/etc/minion.d/mine_functions.conf index 8570e7a86..378d2c435 100644 --- a/salt/salt/etc/minion.d/mine_functions.conf +++ b/salt/salt/etc/minion.d/mine_functions.conf @@ -1,4 +1,4 @@ mine_interval: 35 mine_functions: network.ip_addrs: - - interface: {{ pillar.host.mainint }} + - interface: {{ GLOBALS.main_interface }} diff --git a/salt/salt/init.sls b/salt/salt/init.sls index fe340772e..7a553ac51 100644 --- a/salt/salt/init.sls +++ b/salt/salt/init.sls @@ -1,4 +1,6 @@ -{% if grains['os'] != 'CentOS' %} +{% from 'vars/globals.map.jinja' import GLOBALS %} + +{% if GLOBALS.os != 'CentOS' %} saltpymodules: pkg.installed: - pkgs: @@ -17,8 +19,8 @@ salt_bootstrap: - source: salt://salt/scripts/bootstrap-salt.sh - mode: 755 -{% if grains.os == 'CentOS' %} +{% if GLOBALS.os == 'CentOS' %} remove_salt-2019-2-5.repo: file.absent: - name: /etc/yum.repos.d/salt-2019-2-5.repo -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index 15e203d82..4e9f40cb3 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls @@ -1,3 +1,4 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'salt/map.jinja' import UPGRADECOMMAND with context %} {% from 'salt/map.jinja' import SALTVERSION %} {% from 'salt/map.jinja' import INSTALLEDSALTVERSION %} @@ -98,6 +99,8 @@ mine_functions: - name: /etc/salt/minion.d/mine_functions.conf - source: salt://salt/etc/minion.d/mine_functions.conf - template: jinja + - defaults: + GLOBALS: {{ GLOBALS }} # this has to be outside the if statement above since there are _in calls to this state salt_minion_service: diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls index 7e0aaa9aa..c410a6fd9 100644 --- a/salt/sensoroni/init.sls 
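Review bot: `- defaults:` / `GLOBALS: {{ GLOBALS }}` in the `mine_functions` state serializes the entire GLOBALS map into the compiled state, although mine_functions.conf only reads `GLOBALS.main_interface`. That map includes `sensoroni_key` (see the globals.map.jinja hunk in this commit), so the secret becomes part of the low-state of every `file.managed` that takes this default and is visible in `state.show_sls`/`state.show_lowstate` output and in any logging of state arguments, not only in the rendered file. Passing a narrowed map, e.g. `GLOBALS: {{ {'main_interface': GLOBALS.main_interface} }}`, limits the exposure to what the template needs. The same pattern is added in soctopus/init.sls (`soctopusconf`, `playbookrulessync`), telegraf/init.sls (`tgrafconf`) and utility/init.sls (`fixsearch`); relying on the Python dict repr being valid YAML is also fragile (a `None` value arrives as the string `None`), which a narrowed map avoids.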
+++ b/salt/sensoroni/init.sls @@ -41,7 +41,7 @@ analyzerscripts: so-sensoroni: docker_container.running: - - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }} - network_mode: host - binds: - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw diff --git a/salt/soc/init.sls b/salt/soc/init.sls index ed86e1fdf..8356bd1d8 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -1,9 +1,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} +{% from 'vars/globals.map.jinja' import GLOBALS %} include: - manager.sync_es_users @@ -91,7 +89,7 @@ salt-relay: so-soc: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }} - hostname: soc - name: so-soc - binds: diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf index b91b696f8..7c516dd37 100644 --- a/salt/soctopus/files/SOCtopus.conf +++ b/salt/soctopus/files/SOCtopus.conf @@ -1,5 +1,3 @@ -{%- set MANAGER = salt['pillar.get']('global:managerip', '') %} -{%- set URLBASE = salt['pillar.get']('global:url_base', '') %} {%- set HIVEKEY = salt['pillar.get']('global:hivekey', '') %} {%- set THEHIVEURL = salt['pillar.get']('global:hiveurl', '') %} {%- set CORTEXKEY = salt['pillar.get']('global:cortexorguserkey', '') %} 
@@ -8,8 +6,8 @@ {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} [es] -es_url = https://{{MANAGER}}:9200 -es_ip = {{MANAGER}} +es_url = https://{{ GLOBALS.manager_ip }}:9200 +es_ip = {{ GLOBALS.manager_ip }} es_user = {{ ES_USER }} es_pass = "{{ ES_PASS }}" es_index_pattern = so-* @@ -65,11 +63,11 @@ slack_url = YOURSLACKWORKSPACE slack_webhook = YOURSLACKWEBHOOK [soc] -soc_url = http://{{MANAGER}}:9822 +soc_url = http://{{ GLOBALS.manager_ip }}:9822 [playbook] -playbook_url = http://{{MANAGER}}:3200/playbook -playbook_ext_url = https://{{URLBASE}}/playbook +playbook_url = http://{{ GLOBALS.manager_ip }}:3200/playbook +playbook_ext_url = https://{{ GLOBALS.url_base }}/playbook playbook_key = {{ PLAYBOOK_KEY }} playbook_verifycert = no playbook_unit_test_index = playbook-testing diff --git a/salt/soctopus/files/templates/es-generic.template b/salt/soctopus/files/templates/es-generic.template index 8183a5af4..af9859047 100644 --- a/salt/soctopus/files/templates/es-generic.template +++ b/salt/soctopus/files/templates/es-generic.template @@ -1,7 +1,5 @@ -{% set ES = salt['pillar.get']('global:managerip', '') %} - alert: modules.so.playbook-es.PlaybookESAlerter -elasticsearch_host: "{{ ES }}:9200" +elasticsearch_host: "{{ GLOBALS.manager_ip }}:9200" play_title: "" -play_url: "https://{{ ES }}/playbook/issues/6000" +play_url: "https://{{ GLOBALS.manager_ip }}/playbook/issues/6000" sigma_level: "" diff --git a/salt/soctopus/files/templates/generic.template b/salt/soctopus/files/templates/generic.template index c3733db2c..035d38b24 100644 --- a/salt/soctopus/files/templates/generic.template +++ b/salt/soctopus/files/templates/generic.template 
@@ -1,16 +1,14 @@ -{% set es = salt['pillar.get']('global:url_base', '') %} - alert: - "modules.so.playbook-es.PlaybookESAlerter" -elasticsearch_host: "{{ es }}:9200" +elasticsearch_host: "{{ GLOBALS.url_base }}:9200" play_title: "" play_id: "" event.module: "playbook" event.dataset: "alert" event.severity: rule.category: -play_url: "https://{{ es }}/playbook/issues/6000" -kibana_pivot: "https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{[_id]}'),sort:!('@timestamp',desc))" -soc_pivot: "https://{{es}}/#/hunt" +play_url: "https://{{ GLOBALS.url_base }}/playbook/issues/6000" +kibana_pivot: "https://{{ GLOBALS.url_base }}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{[_id]}'),sort:!('@timestamp',desc))" +soc_pivot: "https://{{ GLOBALS.url_base }}/#/hunt" sigma_level: "" diff --git a/salt/soctopus/files/templates/osquery.template b/salt/soctopus/files/templates/osquery.template index f937de5ea..eb1857bb6 100644 --- a/salt/soctopus/files/templates/osquery.template +++ b/salt/soctopus/files/templates/osquery.template 
@@ -1,15 +1,13 @@ -{% set es = salt['pillar.get']('global:url_base', '') %} - alert: - "modules.so.playbook-es.PlaybookESAlerter" -elasticsearch_host: "{{ es }}:9200" +elasticsearch_host: "{{ GLOBALS.url_base }}:9200" play_title: "" event.module: "playbook" event.dataset: "alert" event.severity: rule.category: -play_url: "https://{{ es }}/playbook/issues/6000" -kibana_pivot: "https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{[_id]}'),sort:!('@timestamp',desc))" -soc_pivot: "https://{{es}}/#/hunt" +play_url: "https://{{ GLOBALS.url_base }}/playbook/issues/6000" +kibana_pivot: "https://{{ GLOBALS.url_base }}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{[_id]}'),sort:!('@timestamp',desc))" +soc_pivot: "https://{{ GLOBALS.url_base }}/#/hunt" sigma_level: "" diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index e2a505d2c..74d7154cf 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -1,12 +1,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set VERSION = salt['pillar.get']('global:soversion') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set MANAGER_URL = salt['pillar.get']('global:url_base') %} -{% set MANAGER_IP = salt['pillar.get']('global:managerip') %} -{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} +{% from 'vars/globals.map.jinja' import GLOBALS %} include: - nginx @@ -35,6 +30,8 @@ soctopusconf: - mode: 600 - template: jinja - show_changes: False + - defaults: + GLOBALS: {{ GLOBALS }} soctopuslogdir: file.directory: 
@@ -56,10 +53,12 @@ playbookrulessync: - user: 939 - group: 939 - template: jinja + - defaults: + GLOBALS: {{ GLOBALS }} so-soctopus: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soctopus:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soctopus:{{ GLOBALS.so_version }} - hostname: soctopus - name: so-soctopus - binds: @@ -68,13 +67,13 @@ so-soctopus: - /opt/so/rules/elastalert/playbook:/etc/playbook-rules:rw - /opt/so/conf/navigator/nav_layer_playbook.json:/etc/playbook/nav_layer_playbook.json:rw - /opt/so/conf/soctopus/sigma-import/:/SOCtopus/sigma-import/:rw - {% if ISAIRGAP is sameas true %} + {% if GLOBALS.airgap %} - /nsm/repo/rules/sigma:/soctopus/sigma {% endif %} - port_bindings: - 0.0.0.0:7000:7000 - extra_hosts: - - {{MANAGER_URL}}:{{MANAGER_IP}} + - {{GLOBALS.url_base}}:{{GLOBALS.manager_ip}} - require: - file: soctopusconf - file: navigatordefaultlayer diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 330bdb681..8fae4be57 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -6,12 +6,8 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set MANAGER = salt['grains.get']('master') %} -{% set MANAGERIP = salt['pillar.get']('global:managerip') %} -{% set VERSION = salt['pillar.get']('global:soversion') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} +{% from 'vars/globals.map.jinja' import GLOBALS %} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} -{% set ENGINE = salt['pillar.get']('global:mdengine', '') %} {% import_yaml 'strelka/defaults.yaml' as strelka_config with context %} {% set IGNORELIST = salt['pillar.get']('strelka:ignore', strelka_config.strelka.ignore, merge=True, merge_nested_lists=True) %} 
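Review bot: `{% if GLOBALS.airgap %}` changes the semantics of the old `{% if ISAIRGAP is sameas true %}`: the removed default `'False'` suggests `global:airgap` may be stored as a string, and any non-empty string including `'False'` is truthy in Jinja, so the `/nsm/repo/rules/sigma` bind mount would be added on non-airgap installs. If the pillar value is guaranteed to be a boolean this is fine; otherwise `{% if GLOBALS.airgap is sameas true %}` preserves the previous behavior, or the value can be normalized once in globals.map.jinja. The `so-soctopus` state continues outside the hunk.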
@@ -59,7 +55,7 @@ remove_rule_{{ IGNOREDRULE }}: - name: /opt/so/conf/strelka/rules/signature-base/{{ IGNOREDRULE }} {% endfor %} -{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import'] %} +{% if grains['role'] in GLOBALS.manager_roles %} strelkarepos: file.managed: - name: /opt/so/saltstack/default/salt/strelka/rules/repos.txt @@ -111,7 +107,7 @@ strelkaportavailable: strelka_coordinator: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - name: so-strelka-coordinator - entrypoint: redis-server --save "" --appendonly no - port_bindings: @@ -124,7 +120,7 @@ append_so-strelka-coordinator_so-status.conf: strelka_gatekeeper: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - name: so-strelka-gatekeeper - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - port_bindings: @@ -137,7 +133,7 @@ append_so-strelka-gatekeeper_so-status.conf: strelka_frontend: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-frontend:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-frontend:{{ GLOBALS.so_version }} - binds: - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro - /nsm/strelka/log/:/var/log/strelka/:rw @@ -154,7 +150,7 @@ append_so-strelka-frontend_so-status.conf: strelka_backend: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-backend:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-backend:{{ GLOBALS.so_version }} - binds: - /opt/so/conf/strelka/backend/:/etc/strelka/:ro - /opt/so/conf/strelka/rules/:/etc/yara/:ro 
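Review bot: `{% if grains['role'] in GLOBALS.manager_roles %}` mixes the raw grain with the GLOBALS map, while the other hunks in this commit (common/init.sls, repo/client/centos.sls) use `GLOBALS.role in GLOBALS.manager_roles`. Since `GLOBALS.role` is `INIT.GRAINS.role`, `{% if GLOBALS.role in GLOBALS.manager_roles %}` keeps behavior and the convention, and means a later change to where `role` comes from only needs to touch globals.map.jinja.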
@@ -169,7 +165,7 @@ append_so-strelka-backend_so-status.conf: strelka_manager: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-manager:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }} - binds: - /opt/so/conf/strelka/manager/:/etc/strelka/:ro - name: so-strelka-manager @@ -182,7 +178,7 @@ append_so-strelka-manager_so-status.conf: strelka_filestream: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-filestream:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-filestream:{{ GLOBALS.so_version }} - binds: - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro - /nsm/strelka:/nsm/strelka @@ -200,7 +196,7 @@ strelka_zeek_extracted_sync_old: - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1' - minute: '*' -{% if ENGINE == "SURICATA" %} +{% if GLOBALS.md_engine == "SURICATA" %} strelka_suricata_extracted_sync: cron.present: diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 5f628cbdd..5af9f591d 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -6,12 +6,10 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states and grains.role not in ['so-manager', 'so-managersearch'] %} +{% from 'vars/globals.map.jinja' import GLOBALS %} {% from "suricata/map.jinja" import SURICATAOPTIONS with context %} -{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} -{% set VERSION = salt['pillar.get']('global:soversion') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} +{% set interface = salt['pillar.get']('sensor:interface') %} {% set BPF_NIDS = salt['pillar.get']('bpf:suricata', None) %} {% set BPF_STATUS = 0 %} 
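Review bot: In suricata/init.sls, `{% set interface = salt['pillar.get']('sensor:interface') %}` drops the `'bond0'` fallback the old line had and that pcap/init.sls in this same commit still uses for the same pillar key. On a minion whose pillar lacks `sensor:interface`, `interface` now renders as an empty string and whatever consumes it further down (outside this hunk) gets an empty value instead of bond0. If removing the default is intentional because setup always writes the key, pcap/init.sls should be changed to match; otherwise restore `salt['pillar.get']('sensor:interface', 'bond0')`.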
@@ -131,7 +129,7 @@ suribpf: so-suricata: docker_container.{{ SURICATAOPTIONS.status }}: {% if SURICATAOPTIONS.status == 'running' %} - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-suricata:{{ GLOBALS.so_version }} - start: {{ SURICATAOPTIONS.start }} - privileged: True - environment: @@ -177,8 +175,9 @@ delete_so-suricata_so-status.disabled: - regex: ^so-suricata$ {% endif %} -/usr/local/bin/surirotate: +surirotate: cron.absent: + - name: /usr/local/bin/surirotate - user: root - minute: '11' - hour: '*' diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls index c638b98fc..7d739d00c 100644 --- a/salt/tcpreplay/init.sls +++ b/salt/tcpreplay/init.sls @@ -1,14 +1,12 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set VERSION = salt['pillar.get']('global:soversion') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} +{% from 'vars/globals.map.jinja' import GLOBALS %} so-tcpreplay: docker_container.running: - network_mode: "host" - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-tcpreplay:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-tcpreplay:{{ GLOBALS.so_version }} - name: so-tcpreplay - user: root - interactive: True diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index de9bf6120..31a6d97e8 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf 
@@ -13,15 +13,15 @@ # them with $. For strings the variable must be within quotes (ie, "$STR_VAR"), # for numbers and booleans they should be plain (ie, $INT_VAR, $BOOL_VAR) -{%- set MANAGER = salt['grains.get']('master') %} +{%- set MANAGER = GLOBALS.manager %} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- set NODEIP = salt['pillar.get']('host:mainip', '') %} +{%- set NODEIP = GLOBALS.node_ip %} {%- set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %} {%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %} {%- set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} {%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %} -{%- set MDENGINE = salt['pillar.get']('global:mdengine', 'ZEEK') %} +{%- set MDENGINE = GLOBALS.md_engine %} # Global tags can be specified here in key="value" format. @@ -30,7 +30,7 @@ # rack = "1a" ## Environment variables can be used as tags, and throughout the config file # user = "$USER" - role = "{{ grains.id.split('_') | last }}" + role = "{{ GLOBALS.role.split('-') | last }}" {% if grains['role'] == 'so-helix' %} @@ -88,7 +88,7 @@ logfile = "/var/log/telegraf/telegraf.log" ## Override default hostname, if empty use os.Hostname() - hostname = "{{ grains.host | lower }}" + hostname = "{{ GLOBALS.hostname | lower }}" ## If set to true, do no set the "host" tag in the telegraf agent. omit_hostname = false diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index a95690455..b24602639 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls 
@@ -1,9 +1,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set MANAGER = salt['grains.get']('master') %} -{% set VERSION = salt['pillar.get']('global:soversion') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} +{% from 'vars/globals.map.jinja' import GLOBALS %} include: - ssl @@ -37,7 +35,7 @@ tgrafsyncscripts: - file_mode: 770 - template: jinja - source: salt://telegraf/scripts -{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'SURICATA' %} +{% if GLOBALS.md_engine == 'SURICATA' %} - exclude_pat: zeekcaptureloss.sh {% endif %} @@ -50,6 +48,8 @@ tgrafconf: - template: jinja - source: salt://telegraf/etc/telegraf.conf - show_changes: False + - defaults: + GLOBALS: {{ GLOBALS }} # this file will be read by telegraf to send node details (management interface, monitor interface, etc) # into influx so that Grafana can build dashboards using queries @@ -61,7 +61,7 @@ node_config: so-telegraf: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-telegraf:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-telegraf:{{ GLOBALS.so_version }} - user: 939 - group_add: 939,920 - environment: diff --git a/salt/telegraf/node_config.json.jinja b/salt/telegraf/node_config.json.jinja index 482590f2b..d1ccbc327 100644 --- a/salt/telegraf/node_config.json.jinja +++ b/salt/telegraf/node_config.json.jinja @@ -1,6 +1,7 @@ +{% from 'vars/globals.map.jinja' import GLOBALS -%} { {%- if grains.role in ['so-standalone', 'so-eval', 'so-sensor', 'so-heavynode', ] %} "monint": "{{ salt['pillar.get']('sensor:interface', '') }}", {%- endif %} - "manint": "{{ salt['pillar.get']('host:mainint', '') }}" + "manint": "{{ GLOBALS.main_interface }}" } diff --git a/salt/top.sls b/salt/top.sls index 481a741b0..973978537 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -74,6 +74,7 @@ base: - registry - sensoroni - manager + - backup.config_backup - nginx - telegraf - influxdb 
@@ -131,6 +132,7 @@ base: - kratos - firewall - manager + - backup.config_backup - idstools - suricata.manager - mysql @@ -153,7 +155,6 @@ base: {%- if FILEBEAT %} - filebeat {%- endif %} - - curator - utility - schedule - soctopus @@ -169,6 +170,7 @@ base: - registry - sensoroni - manager + - backup.config_backup - nginx - telegraf - influxdb @@ -228,7 +230,6 @@ base: {%- if LOGSTASH %} - logstash {%- endif %} - - curator {%- if FILEBEAT %} - filebeat {%- endif %} @@ -251,6 +252,7 @@ base: - kratos - firewall - manager + - backup.config_backup - idstools - suricata.manager - mysql diff --git a/salt/utility/bin/eval b/salt/utility/bin/eval index 4b595fc0f..f30f0f421 100644 --- a/salt/utility/bin/eval +++ b/salt/utility/bin/eval @@ -1,12 +1,10 @@ #!/bin/bash -{% set ES = salt['pillar.get']('global:managerip', '') %} - # Wait for ElasticSearch to come up, so that we can query for version infromation echo -n "Waiting for ElasticSearch..." COUNT=0 ELASTICSEARCH_CONNECTED="no" while [[ "$COUNT" -le 30 ]]; do - curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://{{ ES }}:9200 + curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://{{ GLOBALS.manager_ip }}:9200 if [ $? -eq 0 ]; then ELASTICSEARCH_CONNECTED="yes" echo "connected!" @@ -26,6 +24,6 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then fi echo "Applying cross cluster search config..." - curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \ + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ GLOBALS.manager_ip }}:9200/_cluster/settings \ -H 'Content-Type: application/json' \ -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ grains.host }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" diff --git a/salt/utility/init.sls b/salt/utility/init.sls index 7ca841dd3..43b780b4a 100644 --- a/salt/utility/init.sls +++ b/salt/utility/init.sls 
@@ -8,6 +8,8 @@ fixsearch: - cwd: /opt/so - source: salt://utility/bin/eval - template: jinja + - defaults: + GLOBALS: {{ GLOBALS }} {% endif %} {% else %} diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja index 487cdf781..f9dfef404 100644 --- a/salt/vars/globals.map.jinja +++ b/salt/vars/globals.map.jinja @@ -8,6 +8,7 @@ 'is_manager': false, 'manager': INIT.GRAINS.master, 'minion_id': INIT.GRAINS.id, + 'main_interface': INIT.PILLAR.host.mainint, 'node_ip': INIT.GRAINS.ip_interfaces.get(INIT.PILLAR.host.mainint)[0], 'role': INIT.GRAINS.role, 'airgap': INIT.PILLAR.global.airgap, @@ -24,6 +25,7 @@ 'description': INIT.PILLAR.sensoroni.get('node_description',''), 'docker_range': INIT.PILLAR.docker.range, 'sensoroni_key': INIT.PILLAR.sensoroni.sensoronikey, + 'os': INIT.GRAINS.os, 'application_urls': {}, 'manager_roles': [ 'so-eval', @@ -32,6 +34,13 @@ 'so-managersearch', 'so-standalone' ] + 'sensor_roles': [ + 'so-eval', + 'so-heavynode', + 'so-sensor', + 'so-standalone' + + ] } %} diff --git a/salt/workstation/packages.sls b/salt/workstation/packages.sls index 59b24ec2a..b63762a2c 100644 --- a/salt/workstation/packages.sls +++ b/salt/workstation/packages.sls @@ -1,5 +1,7 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} + {# we only want this state to run it is CentOS #} -{% if grains.os == 'CentOS' %} +{% if GLOBALS.os == 'CentOS' %} xwindows_group: pkg.group_installed: diff --git a/salt/workstation/remove_gui.sls b/salt/workstation/remove_gui.sls index 097e23151..0eefc9462 100644 --- a/salt/workstation/remove_gui.sls +++ b/salt/workstation/remove_gui.sls @@ -1,5 +1,7 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} + {# we only want this state to run it is CentOS #} -{% if grains.os == 'CentOS' %} +{% if GLOBALS.os == 'CentOS' %} remove_graphical_target: file.symlink: diff --git a/salt/workstation/trusted-ca.sls b/salt/workstation/trusted-ca.sls index 008d3573f..fcdf7cffc 100644 --- a/salt/workstation/trusted-ca.sls 
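Review bot: In globals.map.jinja the added `'sensor_roles': [` follows the context line `]` that closes `manager_roles`, and as shown that line has no trailing comma, so the `{% set GLOBALS = { … } %}` dict literal is no longer valid Jinja and every state that imports `vars/globals.map.jinja` would fail to render. Change the closing line to `],` and drop the stray blank line inside the new list. Note also that `GLOBALS.registry_host`, which the image lines across this commit now use, is not among the keys visible in this hunk; if it is not defined elsewhere in the map, those states fail the same way. The map definition starts before this hunk.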
+++ b/salt/workstation/trusted-ca.sls @@ -1,10 +1,11 @@ - + {% from 'vars/globals.map.jinja' import GLOBALS %} + {# we only want this state to run it is CentOS #} -{% if grains.os == 'CentOS' %} +{% if GLOBALS.os == 'CentOS' %} {% set global_ca_text = [] %} {% set global_ca_server = [] %} - {% set manager = salt['grains.get']('master') %} + {% set manager = GLOBALS.manager %} {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %} {% for host in x509dict %} {% if host.split('_')|last in ['manager', 'managersearch', 'standalone', 'import', 'eval'] %} diff --git a/salt/workstation/xwindows.sls b/salt/workstation/xwindows.sls index 015fb0d3c..bcd543868 100644 --- a/salt/workstation/xwindows.sls +++ b/salt/workstation/xwindows.sls @@ -1,6 +1,7 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} {# we only want this state to run it is CentOS #} -{% if grains.os == 'CentOS' %} +{% if GLOBALS.os == 'CentOS' %} include: - workstation.packages diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index b292a20a3..b1130ee43 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -198,7 +198,7 @@ localzeek: so-zeek: docker_container.{{ ZEEKOPTIONS.status }}: {% if ZEEKOPTIONS.status == 'running' %} - - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }} - start: {{ ZEEKOPTIONS.start }} - privileged: True - ulimits: