CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/2.4/dev' into 2.4/fleetautogen

Browse Source
This commit is contained in:
Josh Brower
2023-07-07 19:12:47 -04:00
parent ff3bb11fbb 5faa4f0a30
commit beb26596fd
26 changed files with 2341 additions and 198 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
pillar/logrotate/init.sls
View File

@@ -1,13 +0,0 @@
logrotate:
conf: |
daily
rotate 14
missingok
copytruncate
compress
create
extension .log
dateext
dateyesterday
group_conf: |
su root socore

14
pillar/soc/license.sls Normal file
View File

@@ -0,0 +1,14 @@
# Copyright Jason Ertel (github.com/jertel).
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with
# the Elastic License 2.0.
# Note: Per the Elastic License 2.0, the second limitation states:
#
# "You may not move, change, disable, or circumvent the license key functionality
# in the software, and you may not remove or obscure any functionality in the
# software that is protected by the license key."
# This file is generated by Security Onion and contains a list of license-enabled features.
features: []

4
pillar/top.sls
View File

@@ -40,6 +40,7 @@ base:
- logstash.adv_logstash
- soc.soc_soc
- soc.adv_soc
- soc.license
- soctopus.soc_soctopus
- soctopus.adv_soctopus
- kibana.soc_kibana
@@ -103,6 +104,7 @@ base:
- idstools.adv_idstools
- soc.soc_soc
- soc.adv_soc
- soc.license
- soctopus.soc_soctopus
- soctopus.adv_soctopus
- kibana.soc_kibana
@@ -161,6 +163,7 @@ base:
- manager.adv_manager
- soc.soc_soc
- soc.adv_soc
- soc.license
- soctopus.soc_soctopus
- soctopus.adv_soctopus
- kibana.soc_kibana
@@ -258,6 +261,7 @@ base:
- manager.adv_manager
- soc.soc_soc
- soc.adv_soc
- soc.license
- soctopus.soc_soctopus
- soctopus.adv_soctopus
- kibana.soc_kibana

1
salt/ca/init.sls
View File

@@ -20,7 +20,6 @@ pki_private_key:
- name: /etc/pki/ca.key
- keysize: 4096
- passphrase:
- cipher: aes_256_cbc
- backup: True
{% if salt['file.file_exists']('/etc/pki/ca.key') -%}
- prereq:

2
salt/common/cron/common-rotate
View File

@@ -1,2 +0,0 @@
#!/bin/bash
/usr/sbin/logrotate -f /opt/so/conf/log-rotate.conf > /dev/null 2>&1

2
salt/common/cron/sensor-rotate
View File

@@ -1,2 +0,0 @@
#!/bin/bash
/usr/sbin/logrotate -f /opt/so/conf/sensor-rotate.conf > /dev/null 2>&1

37
salt/common/files/log-rotate.conf
View File

@@ -1,37 +0,0 @@
{%- set logrotate_conf = salt['pillar.get']('logrotate:conf') %}
{%- set group_conf = salt['pillar.get']('logrotate:group_conf') %}
/opt/so/log/aptcacher-ng/*.log
/opt/so/log/idstools/*.log
/opt/so/log/nginx/*.log
/opt/so/log/soc/*.log
/opt/so/log/kratos/*.log
/opt/so/log/kibana/*.log
/opt/so/log/influxdb/*.log
/opt/so/log/elastalert/*.log
/opt/so/log/soctopus/*.log
/opt/so/log/curator/*.log
/opt/so/log/fleet/*.log
/opt/so/log/suricata/*.log
/opt/so/log/mysql/*.log
/opt/so/log/telegraf/*.log
/opt/so/log/redis/*.log
/opt/so/log/sensoroni/*.log
/opt/so/log/stenographer/*.log
/opt/so/log/salt/so-salt-minion-check
/opt/so/log/salt/minion
/opt/so/log/salt/master
/opt/so/log/logscan/*.log
/nsm/idh/*.log
{
{{ logrotate_conf | indent(width=4) }}
}
# Playbook's log directory needs additional configuration
# because Playbook requires a more permissive directory
/opt/so/log/playbook/*.log
{
{{ logrotate_conf | indent(width=4) }}
{{ group_conf | indent(width=4) }}
}

22
salt/common/files/sensor-rotate.conf
View File

@@ -1,22 +0,0 @@
/opt/so/log/sensor_clean.log
{
daily
rotate 2
missingok
nocompress
create
sharedscripts
}
/nsm/strelka/log/strelka.log
{
daily
rotate 14
missingok
copytruncate
compress
create
extension .log
dateext
dateyesterday
}

48
salt/common/init.sls
View File

@@ -151,56 +151,8 @@ so-sensor-clean:
- daymonth: '*'
- month: '*'
- dayweek: '*'
sensorrotatescript:
file.managed:
- name: /usr/local/bin/sensor-rotate
- source: salt://common/cron/sensor-rotate
- mode: 755
sensorrotateconf:
file.managed:
- name: /opt/so/conf/sensor-rotate.conf
- source: salt://common/files/sensor-rotate.conf
- mode: 644
sensor-rotate:
cron.present:
- name: /usr/local/bin/sensor-rotate
- identifier: sensor-rotate
- user: root
- minute: '1'
- hour: '0'
- daymonth: '*'
- month: '*'
- dayweek: '*'
{% endif %}
commonlogrotatescript:
file.managed:
- name: /usr/local/bin/common-rotate
- source: salt://common/cron/common-rotate
- mode: 755
commonlogrotateconf:
file.managed:
- name: /opt/so/conf/log-rotate.conf
- source: salt://common/files/log-rotate.conf
- template: jinja
- mode: 644
common-rotate:
cron.present:
- name: /usr/local/bin/common-rotate
- identifier: common-rotate
- user: root
- minute: '1'
- hour: '0'
- daymonth: '*'
- month: '*'
- dayweek: '*'
# Create the status directory
sostatusdir:
file.directory:

11
salt/common/tools/sbin/so-common
View File

@@ -301,6 +301,17 @@ lookup_role() {
echo ${pieces[1]}
}
is_feature_enabled() {
feature=$1
enabled=$(lookup_salt_value features)
for cur in $enabled; do
if [[ "$feature" == "$cur" ]]; then
return 0
fi
done
return 1
}
require_manager() {
if is_manager_node; then
echo "This is a manager, so we can proceed."

45
salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load
View File

@@ -4,18 +4,26 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{%- set SUPPORTED_PACKAGES = salt['pillar.get']('elasticfleet:packages', default=ELASTICFLEETDEFAULTS.elasticfleet.packages, merge=True) %}
. /usr/sbin/so-common
{% if GLOBALS.role != 'so-heavynode' %}
. /usr/sbin/so-elastic-fleet-common
{% endif %}
default_conf_dir=/opt/so/conf
# Define a default directory to load pipelines from
ELASTICSEARCH_TEMPLATES="$default_conf_dir/elasticsearch/templates/"
if [ -f /usr/sbin/so-elastic-fleet-common ]; then
{% if GLOBALS.role == 'so-heavynode' %}
file="/opt/so/conf/elasticsearch/templates/index/so-common-template.json"
{% else %}
file="/usr/sbin/so-elastic-fleet-common"
{% endif %}
if [ -f "$file" ]; then
# Wait for ElasticSearch to initialize
echo -n "Waiting for ElasticSearch..."
COUNT=0
@@ -39,7 +47,8 @@ if [ -f /usr/sbin/so-elastic-fleet-common ]; then
exit 1
fi
SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
{% if GLOBALS.role != 'so-heavynode' %}
SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
INSTALLED=$(elastic_fleet_package_is_installed {{ SUPPORTED_PACKAGES[0] }} )
if [ "$INSTALLED" != "installed" ]; then
echo
@@ -47,7 +56,7 @@ if [ -f /usr/sbin/so-elastic-fleet-common ]; then
echo
exit 0
fi
{% endif %}
set -e
cd ${ELASTICSEARCH_TEMPLATES}/component/ecs
@@ -58,7 +67,12 @@ if [ -f /usr/sbin/so-elastic-fleet-common ]; then
cd ${ELASTICSEARCH_TEMPLATES}/component/elastic-agent
echo "Loading Elastic Agent component templates..."
for i in *; do TEMPLATE=${i::-5}; echo "$TEMPLATE"; so-elasticsearch-query _component_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done
{% if GLOBALS.role == 'so-heavynode' %}
component_pattern="so-*"
{% else %}
component_pattern="*"
{% endif %}
for i in $component_pattern; do TEMPLATE=${i::-5}; echo "$TEMPLATE"; so-elasticsearch-query _component_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done
# Load SO-specific component templates
cd ${ELASTICSEARCH_TEMPLATES}/component/so
@@ -71,10 +85,25 @@ if [ -f /usr/sbin/so-elastic-fleet-common ]; then
cd ${ELASTICSEARCH_TEMPLATES}/index
echo "Loading Security Onion index templates..."
for i in *; do TEMPLATE=${i::-14}; echo "$TEMPLATE"; so-elasticsearch-query _index_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done
shopt -s extglob
{% if GLOBALS.role == 'so-heavynode' %}
pattern="!(*1password*|*aws*|*azure*|*cloudflare*|*elastic_agent*|*fim*|*github*|*google*|*osquery*|*system*|*windows*)"
{% else %}
pattern="*"
{% endif %}
for i in $pattern; do
TEMPLATE=${i::-14};
echo "$TEMPLATE";
so-elasticsearch-query _index_template/$TEMPLATE -d@$i -XPUT 2>/dev/null;
echo;
done
echo
else
echo "Elastic Fleet not configured. Exiting..."
exit 0
{% if GLOBALS.role == 'so-heavynode' %}
echo "Common template does not exist. Exiting..."
{% else %}
echo "Elastic Fleet not configured. Exiting..."
{% endif %}
exit 0
fi
cd - >/dev/null

230
salt/logrotate/defaults.yaml Normal file
View File

@@ -0,0 +1,230 @@
logrotate:
config:
/opt/so/log/idstools/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/nginx/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/soc/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/kratos/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/kibana/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/influxdb/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/elastalert/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/soctopus/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/curator/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/fleet/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/suricata/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/mysql/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/telegraf/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/redis/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/sensoroni/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/stenographer/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/salt/so-salt-minion-check:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/salt/minion:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/salt/master:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/nsm/idh/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/playbook/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
- su root socore
/nsm/strelka/log/strelka_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/sensor_clean_x_log:
- daily
- rotate 2
- missingok
- nocompress
- create
- sharedscripts

8
salt/logrotate/etc/rotate.conf.jinja Normal file
View File

@@ -0,0 +1,8 @@
{%- for file, opts in CONFIG.items() %}
{{ file | replace("_x_", ".")}}
{
{%- for opt in opts %}
{{ opt }}
{%- endfor %}
}
{%- endfor %}

31
salt/logrotate/init.sls Normal file
View File

@@ -0,0 +1,31 @@
{% from 'logrotate/map.jinja' import LOGROTATEMERGED %}
logrotateconfdir:
file.directory:
- name: /opt/so/conf/logrotate
commonlogrotatescript:
file.managed:
- name: /usr/local/bin/common-rotate
- source: salt://logrotate/tools/sbin/common-rotate
- mode: 755
commonlogrotateconf:
file.managed:
- name: /opt/so/conf/logrotate/common-rotate.conf
- source: salt://logrotate/etc/rotate.conf.jinja
- template: jinja
- mode: 644
- defaults:
CONFIG: {{ LOGROTATEMERGED.config }}
common-rotate:
cron.present:
- name: /usr/local/bin/common-rotate
- identifier: common-rotate
- user: root
- minute: '1'
- hour: '0'
- daymonth: '*'
- month: '*'
- dayweek: '*'

7
salt/logrotate/map.jinja Normal file
View File

@@ -0,0 +1,7 @@
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% import_yaml 'logrotate/defaults.yaml' as LOGROTATEDEFAULTS %}
{% set LOGROTATEMERGED = salt['pillar.get']('logrotate', LOGROTATEDEFAULTS.logrotate, merge=True) %}

163
salt/logrotate/soc_logrotate.yaml Normal file
View File

@@ -0,0 +1,163 @@
logrotate:
config:
"/opt/so/log/idstools/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/idstools/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/nginx/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/nginx/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/soc/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/soc/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/kratos/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/kratos/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/kibana/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/kibana/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/influxdb/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/influxdb/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/elastalert/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/elastalert/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/soctopus/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/soctopus/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/curator/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/curator/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/fleet/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/fleet/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/suricata/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/suricata/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/mysql/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/mysql/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/telegraf/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/telegraf/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/redis/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/redis/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/sensoroni/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/sensoroni/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/stenographer/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/stenographer/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/salt/so-salt-minion-check":
description: List of logrotate options for this file.
title: /opt/so/log/salt/so-salt-minion-check
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/salt/minion":
description: List of logrotate options for this file.
title: /opt/so/log/salt/minion
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/salt/master":
description: List of logrotate options for this file.
title: /opt/so/log/salt/master
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/nsm/idh/*_x_log":
description: List of logrotate options for this file.
title: /nsm/idh/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/playbook/*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/playbook/*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/nsm/strelka/log/strelka_x_log":
description: List of logrotate options for this file.
title: /nsm/strelka/log/strelka.log
advanced: True
multiline: True
global: True
forcedType: "[]string"
"/opt/so/log/sensor_clean_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/sensor_clean.log
advanced: True
multiline: True
global: True
forcedType: "[]string"

2
salt/logrotate/tools/sbin/common-rotate Normal file
View File

@@ -0,0 +1,2 @@
#!/bin/bash
/usr/sbin/logrotate -f /opt/so/conf/logrotate/common-rotate.conf > /dev/null 2>&1

12
salt/logstash/tools/sbin/so-logstash-get-unparsed
View File

@@ -1,12 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
docker exec -it so-redis redis-cli llen logstash:unparsed

2
salt/nginx/etc/nginx.conf
View File

@@ -160,7 +160,7 @@ http {
proxy_set_header X-Forwarded-Proto $scheme;
}
location ~ ^/auth/.*?(whoami|logout|settings|webauthn.js) {
location ~ ^/auth/.*?(whoami|logout|settings|errors|webauthn.js) {
rewrite /auth/(.*) /$1 break;
proxy_pass http://{{ GLOBALS.manager }}:4433;
proxy_read_timeout 90;

5
salt/soc/enabled.sls
View File

@@ -33,11 +33,6 @@ so-soc:
- /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
- /opt/so/conf/soc/queue:/opt/sensoroni/queue:rw
- /opt/so/saltstack:/opt/so/saltstack:rw
{% if DOCKER.containers['so-soc'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-soc'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- extra_hosts: {{ DOCKER_EXTRA_HOSTS }}
{% if DOCKER.containers['so-soc'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %}

38
salt/ssl/init.sls
View File

@@ -77,12 +77,6 @@ influxdb_crt:
- days_remaining: 0
- days_valid: 820
- backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30
- retry:
attempts: 5
@@ -122,12 +116,6 @@ redis_crt:
- days_remaining: 0
- days_valid: 820
- backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30
- retry:
attempts: 5
@@ -415,12 +403,6 @@ etc_filebeat_crt:
- days_remaining: 0
- days_valid: 820
- backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30
- retry:
attempts: 5
@@ -492,10 +474,6 @@ registry_crt:
- days_remaining: 0
- days_valid: 820
- backup: True
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/registry.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 30
- retry:
attempts: 5
@@ -534,12 +512,6 @@ regkeyperms:
- days_remaining: 0
- days_valid: 820
- backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30
- retry:
attempts: 5
@@ -601,12 +573,6 @@ conf_filebeat_crt:
- days_remaining: 0
- days_valid: 820
- backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30
- retry:
attempts: 5
@@ -661,10 +627,6 @@ chownfilebeatp8:
- days_remaining: 0
- days_valid: 820
- backup: True
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 30
- retry:
attempts: 5

2
salt/strelka/backend/enabled.sls
View File

@@ -17,7 +17,7 @@ strelka_backend:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-backend:{{ GLOBALS.so_version }}
- binds:
- /opt/so/conf/strelka/backend/:/etc/strelka/:ro
- /opt/so/conf/strelka/rules/:/etc/yara/:ro
- /nsm/rules/yara/:/etc/yara/:ro
{% if DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
- {{ BIND }}

1
salt/top.sls
View File

@@ -14,6 +14,7 @@ base:
- repo.client
- ntp
- schedule
- logrotate
'not G@saltversion:{{saltversion}}':
- match: compound

1814
setup/files/patch/states/x509_v2.py Normal file
View File

File diff suppressed because it is too large Load Diff

11
setup/so-functions
View File

@@ -1341,8 +1341,9 @@ kibana_pillar() {
}
logrotate_pillar() {
touch $adv_logrotate_pillar_file
touch $logrotate_pillar_file
logCmd "mkdir -p $local_salt_dir/pillar/logrotate"
logCmd "touch $adv_logrotate_pillar_file"
logCmd "touch $logrotate_pillar_file"
}
patch_pillar() {
@@ -2045,6 +2046,12 @@ saltify() {
logCmd "salt-pip install docker --no-index --only-binary=:all: --find-links files/salt_module_deps/docker/"
logCmd "salt-pip install pymysql --no-index --only-binary=:all: --find-links files/salt_module_deps/pymysql/"
# this can be removed when https://github.com/saltstack/salt/issues/64195 is resolved
if [ $SALTVERSION == "3006.1" ]; then
info "Salt version 3006.1 found. Patching /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py"
\cp -v ./files/patch/states/x509_v2.py /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py
fi
}

2
setup/so-setup
View File

@@ -659,6 +659,7 @@ if ! [[ -f $install_opt_file ]]; then
logCmd "salt-call state.apply -l info manager"
logCmd "salt-call state.apply influxdb -l info"
logCmd "salt-call state.highstate -l info"
logCmd "salt-call schedule.disable -linfo --local"
if [[ ! $is_airgap ]]; then
title "Downloading IDS Rules"
logCmd "so-rule-update"
@@ -683,6 +684,7 @@ if ! [[ -f $install_opt_file ]]; then
fi
checkin_at_boot
set_initial_firewall_access
logCmd "salt-call schedule.enable -linfo --local"
systemctl restart salt-master
systemctl restart salt-minion
verify_setup