From e6167dc34ac8f14f301716e445e9d56bd62cd179 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 2 Mar 2023 15:09:59 -0500
Subject: [PATCH 1/3] heavynode changes
---
 pillar/top.sls | 2 ++
 salt/firewall/assigned_hostgroups.map.yaml | 4 ++--
 salt/vars/heavynode.map.jinja | 17 +++++++++++++++++
 setup/so-functions | 2 +-
 setup/so-setup | 2 +-
 5 files changed, 23 insertions(+), 4 deletions(-)
 create mode 100644 salt/vars/heavynode.map.jinja
diff --git a/pillar/top.sls b/pillar/top.sls
index 41d3265f0..2f7894769 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -27,6 +27,8 @@ base:
 - logstash.soc_logstash
 - logstash.adv_logstash
 - elasticsearch.index_templates
+ - elasticsearch.soc_elasticsearch
+ - elasticsearch.adv_elasticsearch
 '*_manager':
 - logstash
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index 0f748e6d6..2e54a5e9f 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -411,11 +411,9 @@ role:
 elasticsearch_rest:
 portgroups:
 - {{ portgroups.elasticsearch_rest }}
- {% if TRUE_CLUSTER %}
 searchnodes:
 portgroups:
 - {{ portgroups.elasticsearch_node }}
- {% endif %}
 self:
 portgroups:
 - {{ portgroups.syslog}}
@@ -469,6 +467,8 @@ role:
 self:
 portgroups:
 - {{ portgroups.syslog}}
+ - {{ portgroups.elasticsearch_node }}
+ - {{ portgroups.elasticsearch_rest }}
 strelka_frontend:
 portgroups:
 - {{ portgroups.strelka_frontend }}
diff --git a/salt/vars/heavynode.map.jinja b/salt/vars/heavynode.map.jinja
new file mode 100644
index 000000000..ccc241884
--- /dev/null
+++ b/salt/vars/heavynode.map.jinja
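Review bot: Dropping the `{% if TRUE_CLUSTER %}` / `{% endif %}` pair means the `searchnodes` hostgroup is granted `portgroups.elasticsearch_node` for this role unconditionally, including on deployments where TRUE_CLUSTER is false, and nothing in the hunk records why that widening is acceptable. If it is needed so that heavynodes can reach the cluster, a one-line note on the `searchnodes:` entry such as `{# allowed regardless of TRUE_CLUSTER: needed for heavynode cluster membership #}` would keep the guard from being reinstated later. The role that owns this hostgroup block is defined above the hunk, so which role is affected is not visible here.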
@@ -0,0 +1,17 @@
+{% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %}
+{% from 'vars/logstash.map.jinja' import LOGSTASH_GLOBALS %}
+{% from 'vars/sensor.map.jinja' import SENSOR_GLOBALS %}
+
+{% set ROLE_GLOBALS = {} %}
+
+{% set HEAVYNODE_GLOBALS =
+ [
+ SENSOR_GLOBALS,
+ ELASTICSEARCH_GLOBALS,
+ LOGSTASH_GLOBALS
+ ]
+%}
+
+{% for sg in HEAVYNODE_GLOBALS %}
+{% do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %}
+{% endfor %}
diff --git a/setup/so-functions b/setup/so-functions
index 381c4b497..38505e784 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1704,7 +1704,7 @@ process_installtype() {
 elif [ "$install_type" = 'SEARCHNODE' ]; then
 is_searchnode=true
 elif [ "$install_type" = 'HEAVYNODE' ]; then
- is_heavy=true
+ is_heavynode=true
 elif [ "$install_type" = 'FLEET' ]; then
 is_fleet=true
 elif [ "$install_type" = 'IDH' ]; then
diff --git a/setup/so-setup b/setup/so-setup
index 6825afc9d..45a124e7a 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -637,5 +637,5 @@ if ! [[ -f $install_opt_file ]]; then
 verify_setup
 fi
- # Need to make sure the latest install is located on the web server of the manager to check the versions and donwload the code if required
+ # Need to make sure the latest install is located on the web server of the manager to check the versions and download the code if required
 fi
From b6d55bedc8cddae905736ac3cfa1eb11e6da321d Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 6 Mar 2023 13:50:17 -0500
Subject: [PATCH 2/3] make influxdb token accessible to all nodes
---
 pillar/top.sls | 1 +
 salt/influxdb/curl.config.jinja | 2 +-
 salt/influxdb/init.sls | 2 +-
 salt/soc/defaults.map.jinja | 2 +-
 salt/telegraf/etc/telegraf.conf | 2 +-
 setup/so-functions | 7 +++++--
 6 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/pillar/top.sls b/pillar/top.sls
index 2f7894769..60cface84 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
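Review bot: The merge precedence of the new `for sg in HEAVYNODE_GLOBALS` loop is undocumented: `defaults.merge` folds each source into ROLE_GLOBALS in list order, so on a shared key LOGSTASH_GLOBALS overrides ELASTICSEARCH_GLOBALS, which overrides SENSOR_GLOBALS, and with `merge_lists=False` a list in a later source replaces an earlier one rather than extending it. A comment above `set HEAVYNODE_GLOBALS`, e.g. `{# Order matters: later entries win on key collision; lists are replaced, not appended (merge_lists=False). #}`, would make that explicit. ROLE_GLOBALS is set but never read within this file, so presumably other states import it; worth confirming the name matches what they expect.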
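Review bot: The rename from `is_heavy` to `is_heavynode` is applied only to this assignment; any other place in so-functions or so-setup that still tests `$is_heavy` would now see an empty value and silently take the false branch, since bash does not report unset variables unless `set -u` is active. A grep for the old name before merging would confirm there are no remaining readers. `process_installtype` starts and ends outside this hunk.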
@@ -10,6 +10,7 @@ base:
 - sensoroni.adv_sensoroni
 - telegraf.soc_telegraf
 - telegraf.adv_telegraf
+ - influxdb.token
 - node_data.ips
 '* and not *_eval and not *_import':
diff --git a/salt/influxdb/curl.config.jinja b/salt/influxdb/curl.config.jinja
index 9f636e851..d994b05d9 100644
--- a/salt/influxdb/curl.config.jinja
+++ b/salt/influxdb/curl.config.jinja
@@ -1 +1 @@
-header = "Authorization: Token {{ salt['pillar.get']('secrets:influx_token') }}"
\ No newline at end of file
+header = "Authorization: Token {{ salt['pillar.get']('influxdb:token') }}"
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index bd894a6d4..b6190fdfd 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -6,7 +6,7 @@
 {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval', 'so-import'] %}
 {% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
-{% set TOKEN = salt['pillar.get']('secrets:influx_token') %}
+{% set TOKEN = salt['pillar.get']('influxdb:token') %}
 include:
 - salt.minion
diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja
index e16f047e4..85db938cc 100644
--- a/salt/soc/defaults.map.jinja
+++ b/salt/soc/defaults.map.jinja
@@ -1,7 +1,7 @@
 {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'docker/docker.map.jinja' import DOCKER -%}
-{% set INFLUXDB_TOKEN = salt['pillar.get']('secrets:influx_token') %}
+{% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
 {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
 {% for module, application_url in GLOBALS.application_urls.items() %}
diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf
index 61843da5f..f2a89baf4 100644
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
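Review bot: Adding `- influxdb.token` to this target puts the InfluxDB token into the pillar of every matching minion, which per the commit title is all nodes, so every sensor and search node now holds a credential that until this series lived only in `secrets.sls`; anyone with root on one of those hosts can read it and use it against InfluxDB with whatever rights the token carries. If this is the same token the manager uses administratively, a separate write-scoped token for the metric-shipping nodes would limit what a compromised node can do; if it is already scoped, a comment on the entry such as `# influxdb.token: read by telegraf on every node, keep it write-only scoped` records that. The target this list belongs to is above the hunk, so the exact match pattern is not visible here.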
@@ -2,7 +2,7 @@
 {%- set INFLUXDBHOST = GLOBALS.influxdb_host %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
-{%- set TOKEN = salt['pillar.get']('secrets:influx_token', '') %}
+{%- set TOKEN = salt['pillar.get']('influxdb:token', '') %}
 {%- set NODEIP = GLOBALS.node_ip %}
 {%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
 {%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %}
diff --git a/setup/so-functions b/setup/so-functions
index 639657416..78033bda5 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -899,6 +899,7 @@ create_manager_pillars() {
 kratos_pillar
 soc_pillar
 idh_pillar
+ influxdb_pillar
 }
@@ -1538,6 +1539,9 @@ influxdb_pillar() {
 title "Create the influxdb pillar file"
 touch $adv_influxdb_pillar_file
 touch $influxdb_pillar_file
+ printf '%s\n'\
+ "influxdb:"\
+ " token: $INFLUXTOKEN" > $local_salt_dir/pillar/influxdb/token.sls
 }
 make_some_dirs() {
@@ -2066,8 +2070,7 @@ secrets_pillar(){
 " playbook_admin: $PLAYBOOKADMINPASS"\
 " playbook_automation: $PLAYBOOKAUTOMATIONPASS"\
 " playbook_automation_api_key: "\
- " influx_pass: $INFLUXPASS"\
- " influx_token: $INFLUXTOKEN" > $local_salt_dir/pillar/secrets.sls
+ " influx_pass: $INFLUXPASS" > $local_salt_dir/pillar/secrets.sls
 fi
 }
From 14aa9ac5c90ec591d5b8d65eb90eaff83e7f7d59 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 7 Mar 2023 10:35:49 -0500
Subject: [PATCH 3/3] apply elastic-fleet state to managers
---
 salt/top.sls | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/salt/top.sls b/salt/top.sls
index 69d99f6de..f98eee725 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -149,6 +149,7 @@ base:
 - soctopus
 - playbook
 - elastic-fleet.install_agent_grid
+ - elastic-fleet
 - docker_clean
 '*_standalone and G@saltversion:{{saltversion}}':
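Review bot: The new `printf ... > $local_salt_dir/pillar/influxdb/token.sls` creates the token file with whatever mode the current umask yields and sets no explicit permissions; since the file holds a credential it should get the same restrictive mode that `secrets.sls` receives (not visible here), for instance a `chmod 600 $local_salt_dir/pillar/influxdb/token.sls` right after the write. The write also assumes `$local_salt_dir/pillar/influxdb/` already exists, which is plausible given the `touch $influxdb_pillar_file` above if that file lives in the same directory, but worth confirming. If `INFLUXTOKEN` is not yet set when `create_manager_pillars` reaches the new `influxdb_pillar` call, the file is written with an empty `token:` and the failure only surfaces later on every node. `influxdb_pillar` starts outside the hunk.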
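Review bot: Adding `- elastic-fleet` after `elastic-fleet.install_agent_grid` and, in the -199 and -319 hunks, moving `- docker_clean` to the very end gives all four role blocks the same ordering, but the reason is not written down; as far as I understand Salt's default auto-ordering, the top-file order is the execution order, so presumably docker_clean must run after every state that creates containers. A comment at this first occurrence, e.g. `# keep docker_clean last: it must run after every container state`, would stop a future reshuffle from reintroducing the earlier ordering. The same point applies to the -199, -260 and -319 hunks.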
@@ -199,9 +200,9 @@ base:
 - schedule
 - soctopus
 - playbook
- - docker_clean
- - elastic-fleet
 - elastic-fleet.install_agent_grid
+ - elastic-fleet
+ - docker_clean
 '*_searchnode and G@saltversion:{{saltversion}}':
 - match: compound
@@ -260,6 +261,7 @@ base:
 - soctopus
 - playbook
 - elastic-fleet.install_agent_grid
+ - elastic-fleet
 - docker_clean
 '*_heavynode and G@saltversion:{{saltversion}}':
@@ -319,9 +321,9 @@ base:
 - suricata
 - zeek
 - schedule
- - docker_clean
 - elastic-fleet.install_agent_grid
 - elastic-fleet
+ - docker_clean
 '*_receiver and G@saltversion:{{saltversion}}':
 - match: compound