From f6f9097cd99a0240e49e76e079e73b611739b63a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sun, 11 Oct 2020 10:53:54 -0400 Subject: [PATCH 01/12] Enable tls for 9200 on search capable nodes --- salt/elasticsearch/files/sotls.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/elasticsearch/files/sotls.yml b/salt/elasticsearch/files/sotls.yml index c676f4a56..00045442a 100644 --- a/salt/elasticsearch/files/sotls.yml +++ b/salt/elasticsearch/files/sotls.yml @@ -9,4 +9,8 @@ protocols: ciphers: - TLS_RSA_WITH_AES_128_CBC_SHA256 transport.encrypted: true +{%- if grains['role'] in ['so-node','so-heavynode'] %} +http.encrypted: true +{%- else %} http.encrypted: false +{%- endif %} From 271e40337b5b7852744ec725c20922f1c383baaa Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sun, 11 Oct 2020 10:57:04 -0400 Subject: [PATCH 02/12] Enable jinja for tls --- salt/elasticsearch/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index c43edba23..5dfdb1449 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -150,6 +150,7 @@ sotls: - source: salt://elasticsearch/files/sotls.yml - user: 930 - group: 939 + - template: jinja #sync templates to /opt/so/conf/elasticsearch/templates {% for TEMPLATE in TEMPLATES %} From 73aade1223a9a82f57ab3a3dc055a0f348250038 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sun, 11 Oct 2020 11:02:20 -0400 Subject: [PATCH 03/12] Enable rest access from manager to sn --- salt/firewall/assigned_hostgroups.map.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 4c05f2241..6d6a181ac 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml 
@@ -416,6 +416,7 @@ role: manager: portgroups: - {{ portgroups.elasticsearch_node }} + - {{ portgroups.elasticsearch_rest }} dockernet: portgroups: - {{ portgroups.elasticsearch_node }} @@ -454,6 +455,7 @@ role: manager: portgroups: - {{ portgroups.elasticsearch_node }} + - {{ portgroups.elasticsearch_rest }} dockernet: portgroups: - {{ portgroups.elasticsearch_node }} From 31e0b5c81cc6fc980396d75cf94a68029217459e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sun, 11 Oct 2020 11:28:49 -0400 Subject: [PATCH 04/12] Add nodes to soc.json --- salt/soc/files/soc/soc.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 2c574616a..1e25c47fa 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -24,6 +24,13 @@ }, "elastic": { "hostUrl": "http://{{ MANAGERIP }}:9200", + {%- if salt['pillar.get']('nodestab', {}) %} + "remoteHostUrls": [ + {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} + {{ SN.split('_')|first }}{{ "," if not loop.last }} + {%- endfor %} + ], + {%- endif %} "username": "", "password": "", "verifyCert": false From 29c3948f9551855e0a56af119fa7bd244a1c9354 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sun, 11 Oct 2020 14:09:14 -0400 Subject: [PATCH 05/12] Fix soc.json --- salt/soc/files/soc/soc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 1e25c47fa..f6a6eca5b 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -27,7 +27,7 @@ {%- if salt['pillar.get']('nodestab', {}) %} "remoteHostUrls": [ {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} - {{ SN.split('_')|first }}{{ "," if not loop.last }} + "https://{{ SN.split('_')|first }}:9200"{{ "," if not loop.last }} {%- endfor %} ], {%- endif %} From a7bd1c2ce54f992b77d2da0aee2ebeb940ce80c7 Mon Sep 17 00:00:00 2001 
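Review bot: The new `"https://{{ SN.split('_')|first }}:9200"` entries put SOC on TLS to each search node, but the `"verifyCert": false` context line just below means the node's certificate is never checked, so anyone able to answer on that path can impersonate a search node and read or alter query results. Since encrypted 9200 is now the design goal of this series, the URL change should go with `"verifyCert": true` and whatever CA setting the SOC container is given (I cannot see from this hunk whether an internal CA is mounted into it, so please confirm), or at least a `{# verification intentionally off until the CA is distributed #}` comment next to `verifyCert` so the decision is recorded rather than implied. The hostnames are taken from the prefix of each `nodestab` pillar key; a one-line comment stating that these names must resolve on the manager would save the next reader a search.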
From: Mike Reeves Date: Sun, 11 Oct 2020 15:58:12 -0400 Subject: [PATCH 06/12] Turn on SSL output --- .../pipelines/config/so/9000_output_zeek.conf.jinja | 4 ++++ .../pipelines/config/so/9002_output_import.conf.jinja | 4 ++++ .../pipelines/config/so/9004_output_flow.conf.jinja | 4 ++++ .../pipelines/config/so/9033_output_snort.conf.jinja | 4 ++++ .../pipelines/config/so/9034_output_syslog.conf.jinja | 4 ++++ .../pipelines/config/so/9100_output_osquery.conf.jinja | 4 ++++ .../pipelines/config/so/9200_output_firewall.conf.jinja | 4 ++++ .../pipelines/config/so/9400_output_suricata.conf.jinja | 4 ++++ .../pipelines/config/so/9500_output_beats.conf.jinja | 4 ++++ .../pipelines/config/so/9600_output_ossec.conf.jinja | 4 ++++ .../pipelines/config/so/9700_output_strelka.conf.jinja | 4 ++++ salt/soc/init.sls | 8 +++++++- 12 files changed, 51 insertions(+), 1 deletion(-) diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index 98a842b2d..dd5f267f0 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja @@ -13,6 +13,10 @@ output { template_name => "so-zeek" template => "/templates/so-zeek-template.json" template_overwrite => true + {%- if salt['pillar.get']('nodestab', {}) %} + ssl => true + ssl_verification => false + {%- endif %} } } } diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja index 315c892e2..99d0362f5 100644 --- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja +++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja @@ -13,6 +13,10 @@ output { template_name => "so-import" template => "/templates/so-import-template.json" template_overwrite => true + {%- if salt['pillar.get']('nodestab', {}) %} + ssl => true + ssl_verification => false + {%- endif %} } } } 
diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja index 889a3567f..59543fd77 100644 --- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja +++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja @@ -12,6 +12,10 @@ output { template_name => "so-flow" template => "/templates/so-flow-template.json" template_overwrite => true + {%- if salt['pillar.get']('nodestab', {}) %} + ssl => true + ssl_verification => false + {%- endif %} } } } diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja index 96d2ae5ba..79266e3a9 100644 --- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja +++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja @@ -12,6 +12,10 @@ output { template_name => "so-ids" template => "/templates/so-ids-template.json" template_overwrite => true + {%- if salt['pillar.get']('nodestab', {}) %} + ssl => true + ssl_verification => false + {%- endif %} } } } diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index ee5c57c5a..ea59bda5d 100644 --- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja @@ -13,6 +13,10 @@ output { template_name => "so-syslog" template => "/templates/so-syslog-template.json" template_overwrite => true + {%- if salt['pillar.get']('nodestab', {}) %} + ssl => true + ssl_verification => false + {%- endif %} } } } diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja index a9e5ac64d..a4eb3ce46 100644 --- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja 
@@ -13,6 +13,10 @@ output { template_name => "so-osquery" template => "/templates/so-osquery-template.json" template_overwrite => true + {%- if salt['pillar.get']('nodestab', {}) %} + ssl => true + ssl_verification => false + {%- endif %} } } } diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja index 3ad4a5722..c8f1b6724 100644 --- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja +++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja @@ -12,6 +12,10 @@ output { template_name => "so-firewall" template => "/templates/so-firewall-template.json" template_overwrite => true + {%- if salt['pillar.get']('nodestab', {}) %} + ssl => true + ssl_verification => false + {%- endif %} } } } diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index e65952cca..cfcfd05ce 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja @@ -12,6 +12,10 @@ output { index => "so-ids-%{+YYYY.MM.dd}" template_name => "so-ids" template => "/templates/so-ids-template.json" + {%- if salt['pillar.get']('nodestab', {}) %} + ssl => true + ssl_verification => false + {%- endif %} } } } diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja index 10700733e..ea5f48709 100644 --- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja +++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja @@ -13,6 +13,10 @@ output { template_name => "so-beats" template => "/templates/so-beats-template.json" template_overwrite => true + {%- if salt['pillar.get']('nodestab', {}) %} + ssl => true + ssl_verification => false + {%- endif %} } } } 
diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja index 7ebe6afbd..1eb3675aa 100644 --- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja +++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja @@ -13,6 +13,10 @@ output { template_name => "so-ossec" template => "/templates/so-ossec-template.json" template_overwrite => true + {%- if salt['pillar.get']('nodestab', {}) %} + ssl => true + ssl_verification => false + {%- endif %} } } } diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index cdc340b39..b5ebcc42c 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja +++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja @@ -13,6 +13,10 @@ output { template_name => "so-strelka" template => "/templates/so-strelka-template.json" template_overwrite => true + {%- if salt['pillar.get']('nodestab', {}) %} + ssl => true + ssl_verification => false + {%- endif %} } } } diff --git a/salt/soc/init.sls b/salt/soc/init.sls index b76244d82..a4f99d92d 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -56,10 +56,16 @@ so-soc: - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/conf/soc/changes.json:/opt/sensoroni/html/changes.json:ro - /opt/so/log/soc/:/opt/sensoroni/logs/:rw + - extra_hosts: + {%- if salt['pillar.get']('nodestab', {}) %} + {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} + - {{ SN.split('_')|first }}:{{ SNDATA.ip }} + {%- endfor %} + {%- endif %} - port_bindings: - 0.0.0.0:9822:9822 - watch: - - file: /opt/so/conf/soc + - file: /opt/so/conf/soc/* # Add Kratos Group kratosgroup: From e4ce17d4ded6b3d55ec517ef13f0df585543e8bc Mon Sep 17 00:00:00 2001 
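Review bot: In the `so-soc` hunk the `{%- if salt['pillar.get']('nodestab', {}) %}` guard wraps only the list items, so on a deployment without `nodestab` the rendered state still contains a bare `- extra_hosts:` key with a null value; `docker_container.running` probably treats null as unset, but the guard is then doing nothing, and the `for` over an empty dict already emits no items. I would move the key inside the condition, i.e. `{%- if salt['pillar.get']('nodestab', {}) %}` / `      - extra_hosts:` / `{%- for SN, SNDATA in ... %}`, so the block is either fully present or fully absent. The loop also assumes every `nodestab` entry carries an `ip` key; if that is not guaranteed by the pillar schema, `SNDATA.ip` will fail the render, which is worth a comment above the loop. The `so-soc` state itself starts and ends outside this hunk.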
From: Mike Reeves Date: Sun, 11 Oct 2020 16:10:55 -0400 Subject: [PATCH 07/12] Turn on SSL output --- salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja | 2 +- salt/logstash/pipelines/config/so/9002_output_import.conf.jinja | 2 +- salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja | 2 +- salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja | 2 +- salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja | 2 +- .../logstash/pipelines/config/so/9100_output_osquery.conf.jinja | 2 +- .../pipelines/config/so/9200_output_firewall.conf.jinja | 2 +- .../pipelines/config/so/9400_output_suricata.conf.jinja | 2 +- salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja | 2 +- salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja | 2 +- .../logstash/pipelines/config/so/9700_output_strelka.conf.jinja | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index dd5f267f0..84b146a73 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja @@ -13,7 +13,7 @@ output { template_name => "so-zeek" template => "/templates/so-zeek-template.json" template_overwrite => true - {%- if salt['pillar.get']('nodestab', {}) %} + {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true ssl_verification => false {%- endif %} diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja index 99d0362f5..5ad76d154 100644 --- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja +++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja 
@@ -13,7 +13,7 @@ output { template_name => "so-import" template => "/templates/so-import-template.json" template_overwrite => true - {%- if salt['pillar.get']('nodestab', {}) %} + {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true ssl_verification => false {%- endif %} diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja index 59543fd77..ae73f9afe 100644 --- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja +++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja @@ -12,7 +12,7 @@ output { template_name => "so-flow" template => "/templates/so-flow-template.json" template_overwrite => true - {%- if salt['pillar.get']('nodestab', {}) %} + {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true ssl_verification => false {%- endif %} diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja index 79266e3a9..56814fbbf 100644 --- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja +++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja @@ -12,7 +12,7 @@ output { template_name => "so-ids" template => "/templates/so-ids-template.json" template_overwrite => true - {%- if salt['pillar.get']('nodestab', {}) %} + {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true ssl_verification => false {%- endif %} diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index ea59bda5d..dc486cf95 100644 --- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja 
@@ -13,7 +13,7 @@ output { template_name => "so-syslog" template => "/templates/so-syslog-template.json" template_overwrite => true - {%- if salt['pillar.get']('nodestab', {}) %} + {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true ssl_verification => false {%- endif %} diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja index a4eb3ce46..2e77f0c9a 100644 --- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja @@ -13,7 +13,7 @@ output { template_name => "so-osquery" template => "/templates/so-osquery-template.json" template_overwrite => true - {%- if salt['pillar.get']('nodestab', {}) %} + {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true ssl_verification => false {%- endif %} diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja index c8f1b6724..f4f92dbb6 100644 --- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja +++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja @@ -12,7 +12,7 @@ output { template_name => "so-firewall" template => "/templates/so-firewall-template.json" template_overwrite => true - {%- if salt['pillar.get']('nodestab', {}) %} + {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true ssl_verification => false {%- endif %} diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index cfcfd05ce..9f2d24c84 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja 
@@ -12,7 +12,7 @@ output { index => "so-ids-%{+YYYY.MM.dd}" template_name => "so-ids" template => "/templates/so-ids-template.json" - {%- if salt['pillar.get']('nodestab', {}) %} + {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true ssl_verification => false {%- endif %} diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja index ea5f48709..d72ab382e 100644 --- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja +++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja @@ -13,7 +13,7 @@ output { template_name => "so-beats" template => "/templates/so-beats-template.json" template_overwrite => true - {%- if salt['pillar.get']('nodestab', {}) %} + {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true ssl_verification => false {%- endif %} diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja index 1eb3675aa..26d5e5a2e 100644 --- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja +++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja @@ -13,7 +13,7 @@ output { template_name => "so-ossec" template => "/templates/so-ossec-template.json" template_overwrite => true - {%- if salt['pillar.get']('nodestab', {}) %} + {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true ssl_verification => false {%- endif %} diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index b5ebcc42c..b265c0c73 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja +++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja 
@@ -13,7 +13,7 @@ output {
 template_name => "so-strelka"
 template => "/templates/so-strelka-template.json"
 template_overwrite => true
- {%- if salt['pillar.get']('nodestab', {}) %}
+ {%- if grains['role'] in ['so-node','so-heavynode'] %}
 ssl => true
 ssl_verification => false
 {%- endif %}
From b7c4fd94c46f29b95b25374df679903e1410f4d8 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Sun, 11 Oct 2020 16:57:08 -0400
Subject: [PATCH 08/12] get pipelines to load

---
 salt/common/tools/sbin/so-elasticsearch-templates-list | 4 ++++
 salt/common/tools/sbin/so-elasticsearch-templates-load | 4 ++++
 salt/elasticsearch/files/so-elasticsearch-pipelines | 8 ++++++++
 3 files changed, 16 insertions(+)

diff --git a/salt/common/tools/sbin/so-elasticsearch-templates-list b/salt/common/tools/sbin/so-elasticsearch-templates-list
index f0cbe36e7..d4d080938 100755
--- a/salt/common/tools/sbin/so-elasticsearch-templates-list
+++ b/salt/common/tools/sbin/so-elasticsearch-templates-list
@@ -17,7 +17,11 @@
 {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
+ {% if grains['role'] in ['so-node','so-heavynode'] %}
+ curl -s -k kttps://{{ NODEIP }}:9200/_template/* | jq 'keys'
+ {% else %}
 curl -s {{ NODEIP }}:9200/_template/* | jq 'keys'
+ {% endif %}
 else
 curl -s {{ NODEIP }}:9200/_template/$1 | jq
 fi
diff --git a/salt/common/tools/sbin/so-elasticsearch-templates-load b/salt/common/tools/sbin/so-elasticsearch-templates-load
index 61ff48330..292ade995 100755
--- a/salt/common/tools/sbin/so-elasticsearch-templates-load
+++ b/salt/common/tools/sbin/so-elasticsearch-templates-load
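Review bot: The added line in so-elasticsearch-templates-list uses the scheme `kttps://`, which curl rejects as an unsupported protocol, so listing templates on a search node fails outright once 9200 is TLS-only; and the `else` branch that takes `$1` still talks plain `http` to the same node, so it breaks too. Rather than patching the typo and duplicating the curl line a third time, I would compute the URL and options once in Jinja and keep a single curl per branch, quoting `_template/*` so the shell cannot expand it. `-k` still disables certificate verification; if the node CA is available on the host it should become `--cacert`, otherwise a comment should say why verification is off.
```shell
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- if grains['role'] in ['so-node','so-heavynode'] %}
{%- set ES_URL = 'https://' ~ NODEIP ~ ':9200' %}
{%- set CURL_OPTS = '-s -k' %}
{%- else %}
{%- set ES_URL = 'http://' ~ NODEIP ~ ':9200' %}
{%- set CURL_OPTS = '-s' %}
{%- endif %}
. /usr/sbin/so-common
if [ "$1" == "" ]; then
  curl {{ CURL_OPTS }} "{{ ES_URL }}/_template/*" | jq 'keys'
else
  curl {{ CURL_OPTS }} "{{ ES_URL }}/_template/$1" | jq
fi
```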
@@ -30,7 +30,11 @@ echo -n "Waiting for ElasticSearch..."
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
+ {% if grains['role'] in ['so-node','so-heavynode'] %}
+ curl -k --output /dev/null --silent --head --fail https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
+ {% else %}
 curl --output /dev/null --silent --head --fail http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
+ {% endif %}
 if [ $? -eq 0 ]; then
 ELASTICSEARCH_CONNECTED="yes"
 echo "connected!"
diff --git a/salt/elasticsearch/files/so-elasticsearch-pipelines b/salt/elasticsearch/files/so-elasticsearch-pipelines
index 514054359..eed62da24 100755
--- a/salt/elasticsearch/files/so-elasticsearch-pipelines
+++ b/salt/elasticsearch/files/so-elasticsearch-pipelines
@@ -27,7 +27,11 @@ echo -n "Waiting for ElasticSearch..."
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
+ {% if grains['role'] in ['so-node','so-heavynode'] %}
+ curl ${ELASTICSEARCH_AUTH} -k --output /dev/null --silent --head --fail https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
+ {% else %}
 curl ${ELASTICSEARCH_AUTH} --output /dev/null --silent --head --fail http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
+ {% endif %}
 if [ $? -eq 0 ]; then
 ELASTICSEARCH_CONNECTED="yes"
 echo "connected!"
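Review bot: Both wait loops add `curl -k` for the search-node branch, which accepts any certificate on 9200, so the readiness probe (and, in so-elasticsearch-pipelines, the `${ELASTICSEARCH_AUTH}` credentials sent with it) can be captured by anything that answers on that address; the TLS here gives confidentiality against a passive observer only. If the node certificate is issued by a CA these states already place on the host, `-k` should become `--cacert <that file>`; if it is not yet available, a comment such as `# -k: node cert is self-signed until the internal CA is distributed` above the Jinja block makes the trade-off explicit. The branch also repeats the whole probe line; setting a scheme variable once (`ES_SCHEME=https; CURL_OPTS=-k` vs `ES_SCHEME=http`) and keeping one curl would stop the two copies drifting apart. Both `while` loops continue past the end of their hunks.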
@@ -47,7 +51,11 @@ fi cd ${ELASTICSEARCH_INGEST_PIPELINES} echo "Loading pipelines..." +{% if grains['role'] in ['so-node','so-heavynode'] %} +for i in *; do echo $i; RESPONSE=$(curl ${ELASTICSEARCH_AUTH} -k -XPUT https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done +{% else %} for i in *; do echo $i; RESPONSE=$(curl ${ELASTICSEARCH_AUTH} -XPUT http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done +{% endif %} echo cd - >/dev/null From deb0f640d6955effcea5f61afbf0e1466732e33a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sun, 11 Oct 2020 17:02:07 -0400 Subject: [PATCH 09/12] add jinja templates --- salt/elasticsearch/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 5dfdb1449..54afd595f 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -233,6 +233,7 @@ so-elasticsearch-pipelines-file: so-elasticsearch-pipelines: cmd.run: - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }} + - template: jinja - onchanges: - file: esingestconf - file: esyml @@ -243,6 +244,7 @@ so-elasticsearch-templates: cmd.run: - name: /usr/sbin/so-elasticsearch-templates-load - cwd: /opt/so + - template: jinja {% endif %} {% else %} From 96083e1458c32a5b3a1bbc7ce773a17a6ea80ea0 Mon Sep 17 00:00:00 2001 
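Review bot: The added branch in so-elasticsearch-pipelines duplicates the entire `for` loop just to switch `http` to `https` and add `-k`, so any later change to the loop body (the error check, the content type, the `-d@$i` quoting) has to be made twice and the two copies are already hard to compare on one line. I would choose the URL and curl options in the Jinja block and keep one loop, quoting `$i` on the way. As in the wait loop above, `-k` disables certificate verification and should become `--cacert` once the node CA is known to be present; until then the comment in the block below records why.
```shell
{% if grains['role'] in ['so-node','so-heavynode'] %}
ES_URL="https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"
# -k: certificate verification is off until the node CA is distributed to this host
CURL_OPTS="-k"
{% else %}
ES_URL="http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"
CURL_OPTS=""
{% endif %}
for i in *; do
  echo "$i"
  RESPONSE=$(curl ${ELASTICSEARCH_AUTH} ${CURL_OPTS} -XPUT "${ES_URL}/_ingest/pipeline/$i" -H 'Content-Type: application/json' -d@"$i" 2>/dev/null)
  echo "$RESPONSE"
  if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi
done
```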
From: Mike Reeves Date: Sun, 11 Oct 2020 17:06:56 -0400 Subject: [PATCH 10/12] update logstash outputs --- salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja | 2 +- salt/logstash/pipelines/config/so/9002_output_import.conf.jinja | 2 +- salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja | 2 +- salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja | 2 +- salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja | 2 +- .../logstash/pipelines/config/so/9100_output_osquery.conf.jinja | 2 +- .../pipelines/config/so/9200_output_firewall.conf.jinja | 2 +- .../pipelines/config/so/9400_output_suricata.conf.jinja | 2 +- salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja | 2 +- salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja | 2 +- .../logstash/pipelines/config/so/9700_output_strelka.conf.jinja | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index 84b146a73..2a3babcbd 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja @@ -15,7 +15,7 @@ output { template_overwrite => true {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true - ssl_verification => false + ssl_certificate_verification => false {%- endif %} } } diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja index 5ad76d154..fdb969865 100644 --- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja +++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja @@ -15,7 +15,7 @@ output { template_overwrite => true {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true - ssl_verification => false + ssl_certificate_verification => false {%- endif %} } } 
diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja index ae73f9afe..a9ca4c60d 100644 --- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja +++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja @@ -14,7 +14,7 @@ output { template_overwrite => true {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true - ssl_verification => false + ssl_certificate_verification => false {%- endif %} } } diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja index 56814fbbf..9da6c5b14 100644 --- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja +++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja @@ -14,7 +14,7 @@ output { template_overwrite => true {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true - ssl_verification => false + ssl_certificate_verification => false {%- endif %} } } diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index dc486cf95..d57611cb7 100644 --- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja @@ -15,7 +15,7 @@ output { template_overwrite => true {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true - ssl_verification => false + ssl_certificate_verification => false {%- endif %} } } diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja index 2e77f0c9a..ee0718029 100644 --- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja 
@@ -15,7 +15,7 @@ output { template_overwrite => true {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true - ssl_verification => false + ssl_certificate_verification => false {%- endif %} } } diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja index f4f92dbb6..8227aab01 100644 --- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja +++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja @@ -14,7 +14,7 @@ output { template_overwrite => true {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true - ssl_verification => false + ssl_certificate_verification => false {%- endif %} } } diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index 9f2d24c84..93bfd7020 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja @@ -14,7 +14,7 @@ output { template => "/templates/so-ids-template.json" {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true - ssl_verification => false + ssl_certificate_verification => false {%- endif %} } } diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja index d72ab382e..4d26d491a 100644 --- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja +++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja @@ -15,7 +15,7 @@ output { template_overwrite => true {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true - ssl_verification => false + ssl_certificate_verification => false {%- endif %} } } diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja index 26d5e5a2e..63e20c59a 100644 
--- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja +++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja @@ -15,7 +15,7 @@ output { template_overwrite => true {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true - ssl_verification => false + ssl_certificate_verification => false {%- endif %} } } diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index b265c0c73..193057a53 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja +++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja @@ -15,7 +15,7 @@ output { template_overwrite => true {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true - ssl_verification => false + ssl_certificate_verification => false {%- endif %} } } From 9695e6395042d65edee524610fe164c1fa9525b9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sun, 11 Oct 2020 17:21:57 -0400 Subject: [PATCH 11/12] fix template statement --- salt/elasticsearch/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 54afd595f..1406df02c 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -229,11 +229,11 @@ so-elasticsearch-pipelines-file: - user: 930 - group: 939 - mode: 754 + - template: jinja so-elasticsearch-pipelines: cmd.run: - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }} - - template: jinja - onchanges: - file: esingestconf - file: esyml From f5cfd480a35bcb2efe571ccb671bfeb701964544 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Oct 2020 09:12:36 -0400 Subject: [PATCH 12/12] Moar encryptions --- salt/elasticsearch/files/sotls.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/files/sotls.yml b/salt/elasticsearch/files/sotls.yml index 00045442a..2fc577337 100644 
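Review bot: `ssl_certificate_verification => false` is the correct option name, but with it set the Logstash elasticsearch output accepts any certificate on 9200, so the encrypted hop from Logstash to a search node authenticates nobody and every event can be intercepted or redirected by a host that can answer for the node's address. The option should be left at its default of true and paired with `cacert => "<path to the node CA inside the Logstash container>"` once that file is mounted (I cannot see from this diff whether it is; please confirm), or the template should carry a `{# verification disabled: nodes use self-signed certs until the internal CA is mounted #}` comment so the exception is visible to whoever hardens this next. The same four lines are now repeated in eleven output files; a shared Jinja include would make the verification decision a single point of change. The `elasticsearch { ... }` block starts before this hunk.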
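Review bot: Moving `- template: jinja` onto `so-elasticsearch-pipelines-file` is the right fix, because on a `cmd.run` state that option only renders the `name` string, not the script on disk; but the `so-elasticsearch-templates` cmd.run a few lines further down in this file kept the `- template: jinja` added in the previous commit, and `/usr/sbin/so-elasticsearch-templates-load` now contains `{% if grains['role'] ... %}` that bash will see literally unless the state that deploys that script (not in this diff) renders it as Jinja. Please check that file state and, if it lacks it, add `- template: jinja` there and drop the one on the cmd.run. A short comment on the file state, `# rendered as jinja: the script branches on grains['role'] for TLS`, would record why the option is needed.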
--- a/salt/elasticsearch/files/sotls.yml
+++ b/salt/elasticsearch/files/sotls.yml
@@ -8,6 +8,7 @@ protocols:
 - TLSv1.2
 ciphers:
 - TLS_RSA_WITH_AES_128_CBC_SHA256
+- TLS_RSA_WITH_AES_256_GCM_SHA384
 transport.encrypted: true
 {%- if grains['role'] in ['so-node','so-heavynode'] %}
 http.encrypted: true
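Review bot: The added `TLS_RSA_WITH_AES_256_GCM_SHA384` still uses static RSA key exchange, as does the existing CBC suite, so a later compromise of a node's private key decrypts every previously captured transport or HTTP session; with TLSv1.2 already pinned above, ECDHE suites are available and give forward secrecy. If the plugin that reads `sotls.yml` accepts JSSE names, as the existing entries suggest, I would replace the list with `- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` and `- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` and drop the CBC-SHA256 entry, which is the weaker of the two present. Because the clients in this series all skip certificate verification, this cipher list is doing the only real cryptographic work on 9200, so a comment above `ciphers:` stating that the selection is deliberate (and why) would be worth the two lines.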