Merge pull request #9912 from Security-Onion-Solutions/2.4/heavynode

2.4/heavynode

pillar/top.sls

@@ -10,6 +10,7 @@ base:
     - sensoroni.adv_sensoroni
     - telegraf.soc_telegraf
     - telegraf.adv_telegraf
+    - influxdb.token
     - node_data.ips
 
   '* and not *_eval and not *_import':
@@ -27,6 +28,8 @@ base:
     - logstash.soc_logstash
     - logstash.adv_logstash
     - elasticsearch.index_templates
+    - elasticsearch.soc_elasticsearch
+    - elasticsearch.adv_elasticsearch
 
   '*_manager':
     - logstash

salt/firewall/assigned_hostgroups.map.yaml

@@ -411,11 +411,9 @@ role:
           elasticsearch_rest:
             portgroups:
               - {{ portgroups.elasticsearch_rest }}
-          {% if TRUE_CLUSTER %}
           searchnodes:
             portgroups:
               - {{ portgroups.elasticsearch_node }}
-          {% endif %}
           self:
             portgroups:
               - {{ portgroups.syslog}}
@@ -469,6 +467,8 @@ role:
           self:
             portgroups:
               - {{ portgroups.syslog}}
+              - {{ portgroups.elasticsearch_node }}
+              - {{ portgroups.elasticsearch_rest }}
           strelka_frontend:
             portgroups:
               - {{ portgroups.strelka_frontend }}

salt/influxdb/curl.config.jinja

@@ -1 +1 @@
-header = "Authorization: Token {{ salt['pillar.get']('secrets:influx_token') }}"
+header = "Authorization: Token {{ salt['pillar.get']('influxdb:token') }}"

salt/influxdb/init.sls

@@ -6,7 +6,7 @@
 
 {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval', 'so-import'] %}
 {% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
-{% set TOKEN = salt['pillar.get']('secrets:influx_token') %}
+{% set TOKEN = salt['pillar.get']('influxdb:token') %}
 
 include:
   - salt.minion

salt/soc/defaults.map.jinja

@@ -1,7 +1,7 @@
 {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'docker/docker.map.jinja' import DOCKER -%}
-{% set INFLUXDB_TOKEN = salt['pillar.get']('secrets:influx_token') %}
+{% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
 {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
 
 {% for module, application_url in GLOBALS.application_urls.items() %}

salt/telegraf/etc/telegraf.conf

@@ -2,7 +2,7 @@
 {%- set INFLUXDBHOST = GLOBALS.influxdb_host %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
-{%- set TOKEN = salt['pillar.get']('secrets:influx_token', '') %}
+{%- set TOKEN = salt['pillar.get']('influxdb:token', '') %}
 {%- set NODEIP = GLOBALS.node_ip %}
 {%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
 {%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %}

salt/top.sls

@@ -147,6 +147,7 @@ base:
     - schedule
     - soctopus
     - playbook
+    - elastic-fleet
     - docker_clean
 
   '*_standalone and G@saltversion:{{saltversion}}':
@@ -197,8 +198,8 @@ base:
     - schedule
     - soctopus
     - playbook
-    - docker_clean
     - elastic-fleet
+    - docker_clean
 
   '*_searchnode and G@saltversion:{{saltversion}}':
     - match: compound
@@ -256,6 +257,7 @@ base:
     - schedule
     - soctopus
     - playbook
+    - elastic-fleet
     - docker_clean
 
   '*_heavynode and G@saltversion:{{saltversion}}':
@@ -315,8 +317,8 @@ base:
     - suricata
     - zeek
     - schedule
-    - docker_clean
     - elastic-fleet
+    - docker_clean
 
   '*_receiver and G@saltversion:{{saltversion}}':
     - match: compound

salt/vars/heavynode.map.jinja

@@ -0,0 +1,17 @@
+{% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %}
+{% from 'vars/logstash.map.jinja' import LOGSTASH_GLOBALS %}
+{% from 'vars/sensor.map.jinja' import SENSOR_GLOBALS %}
+
+{% set ROLE_GLOBALS = {} %}
+
+{% set HEAVYNODE_GLOBALS =
+   [
+     SENSOR_GLOBALS,
+     ELASTICSEARCH_GLOBALS,
+     LOGSTASH_GLOBALS
+   ]
+%}
+
+{% for sg in HEAVYNODE_GLOBALS %}
+{%   do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %}
+{% endfor %}

setup/so-functions

@@ -899,6 +899,7 @@ create_manager_pillars() {
 	kratos_pillar
 	soc_pillar
 	idh_pillar
+	influxdb_pillar
 
 }
 
@@ -1538,6 +1539,9 @@ influxdb_pillar() {
 	title "Create the influxdb pillar file"
 	touch $adv_influxdb_pillar_file
 	touch $influxdb_pillar_file
+	printf '%s\n'\
+		"influxdb:"\
+		"  token: $INFLUXTOKEN" > $local_salt_dir/pillar/influxdb/token.sls
 }
 
 make_some_dirs() {
@@ -1704,7 +1708,7 @@ process_installtype() {
 	elif [ "$install_type" = 'SEARCHNODE' ]; then
 		is_searchnode=true
 	elif [ "$install_type" = 'HEAVYNODE' ]; then
-		is_heavy=true
+		is_heavynode=true
 	elif [ "$install_type" = 'FLEET' ]; then
 		is_fleet=true
 	elif [ "$install_type" = 'IDH' ]; then
@@ -2066,8 +2070,7 @@ secrets_pillar(){
 		"  playbook_admin: $PLAYBOOKADMINPASS"\
 		"  playbook_automation: $PLAYBOOKAUTOMATIONPASS"\
 		"  playbook_automation_api_key: "\
-		"  influx_pass: $INFLUXPASS"\
+		"  influx_pass: $INFLUXPASS" > $local_salt_dir/pillar/secrets.sls
-		"  influx_token: $INFLUXTOKEN" > $local_salt_dir/pillar/secrets.sls
   fi
 }
 

setup/so-setup

@@ -638,5 +638,5 @@ if ! [[ -f $install_opt_file ]]; then
 		verify_setup
 	fi
 
-	# Need to make sure the latest install is located on the web server of the manager to check the versions and donwload the code if required
+	# Need to make sure the latest install is located on the web server of the manager to check the versions and download the code if required
 fi