Merge pull request #1505 from Security-Onion-Solutions/experimental

Fix Cross Cluster Search Acks
This commit is contained in:
Mike Reeves
2020-10-12 09:24:16 -04:00
committed by GitHub
19 changed files with 82 additions and 0 deletions


@@ -17,7 +17,11 @@
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
if [ "$1" == "" ]; then if [ "$1" == "" ]; then
{% if grains['role'] in ['so-node','so-heavynode'] %}
curl -s -k kttps://{{ NODEIP }}:9200/_template/* | jq 'keys'
{% else %}
curl -s {{ NODEIP }}:9200/_template/* | jq 'keys' curl -s {{ NODEIP }}:9200/_template/* | jq 'keys'
{% endif %}
else else
curl -s {{ NODEIP }}:9200/_template/$1 | jq curl -s {{ NODEIP }}:9200/_template/$1 | jq
fi fi
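Review bot: The scheme on the added node branch is misspelled, `kttps://`, so curl will reject the URL outright on so-node/so-heavynode and the template listing never runs; the line should read `curl -s -k https://{{ NODEIP }}:9200/_template/* | jq 'keys'`. The `$1` branch below is not role-gated, so a lookup of a single template on those roles presumably still goes to plain http on a port that now serves TLS; the same `{% if grains['role'] ... %}` needs to wrap it. `-k` disables certificate verification here and in the two following wait-for-Elasticsearch scripts, so the connection is encrypted but the peer is not authenticated; once the CA that issues the node certificate is available on the host, prefer `--cacert <PATH TO CA CERT>` over `-k`.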


@@ -30,7 +30,11 @@ echo -n "Waiting for ElasticSearch..."
COUNT=0 COUNT=0
ELASTICSEARCH_CONNECTED="no" ELASTICSEARCH_CONNECTED="no"
while [[ "$COUNT" -le 240 ]]; do while [[ "$COUNT" -le 240 ]]; do
{% if grains['role'] in ['so-node','so-heavynode'] %}
curl -k --output /dev/null --silent --head --fail https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
{% else %}
curl --output /dev/null --silent --head --fail http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" curl --output /dev/null --silent --head --fail http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
{% endif %}
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
ELASTICSEARCH_CONNECTED="yes" ELASTICSEARCH_CONNECTED="yes"
echo "connected!" echo "connected!"


@@ -27,7 +27,11 @@ echo -n "Waiting for ElasticSearch..."
COUNT=0 COUNT=0
ELASTICSEARCH_CONNECTED="no" ELASTICSEARCH_CONNECTED="no"
while [[ "$COUNT" -le 240 ]]; do while [[ "$COUNT" -le 240 ]]; do
{% if grains['role'] in ['so-node','so-heavynode'] %}
curl ${ELASTICSEARCH_AUTH} -k --output /dev/null --silent --head --fail https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
{% else %}
curl ${ELASTICSEARCH_AUTH} --output /dev/null --silent --head --fail http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" curl ${ELASTICSEARCH_AUTH} --output /dev/null --silent --head --fail http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
{% endif %}
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
ELASTICSEARCH_CONNECTED="yes" ELASTICSEARCH_CONNECTED="yes"
echo "connected!" echo "connected!"
@@ -47,7 +51,11 @@ fi
cd ${ELASTICSEARCH_INGEST_PIPELINES} cd ${ELASTICSEARCH_INGEST_PIPELINES}
echo "Loading pipelines..." echo "Loading pipelines..."
{% if grains['role'] in ['so-node','so-heavynode'] %}
for i in *; do echo $i; RESPONSE=$(curl ${ELASTICSEARCH_AUTH} -k -XPUT https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done
{% else %}
for i in *; do echo $i; RESPONSE=$(curl ${ELASTICSEARCH_AUTH} -XPUT http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done for i in *; do echo $i; RESPONSE=$(curl ${ELASTICSEARCH_AUTH} -XPUT http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done
{% endif %}
echo echo
cd - >/dev/null cd - >/dev/null
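Review bot: The second hunk copies the whole pipeline-loading loop into both template branches, with only the scheme and `-k` differing, so any later fix to the loop (quoting of `$i`, the error check) has to be made twice. Setting the base URL and the TLS options once inside the `{% if %}` and keeping a single loop removes the duplication and also gives one place to swap `-k` for a CA bundle. The rewritten lines below keep the request and the `RETURN_CODE` handling as they are, with `$i` quoted; the surrounding `cd` and `echo` lines are unchanged.
```shell
{% if grains['role'] in ['so-node','so-heavynode'] %}
ES_URL="https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"
CURL_TLS_OPTS="--cacert <PATH TO CA CERT>"   # placeholder: CA that issued the node cert; replaces -k
{% else %}
ES_URL="http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"
CURL_TLS_OPTS=""
{% endif %}
for i in *; do
  echo "$i"
  RESPONSE=$(curl ${ELASTICSEARCH_AUTH} ${CURL_TLS_OPTS} -XPUT "${ES_URL}/_ingest/pipeline/${i}" -H 'Content-Type: application/json' -d@"$i" 2>/dev/null)
  echo "$RESPONSE"
  if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi
done
# … unchanged: echo / cd - …
```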


@@ -10,4 +10,8 @@ ciphers:
- TLS_RSA_WITH_AES_128_CBC_SHA256 - TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384 - TLS_RSA_WITH_AES_256_GCM_SHA384
transport.encrypted: true transport.encrypted: true
{%- if grains['role'] in ['so-node','so-heavynode'] %}
http.encrypted: true
{%- else %}
http.encrypted: false http.encrypted: false
{%- endif %}


@@ -150,6 +150,7 @@ sotls:
- source: salt://elasticsearch/files/sotls.yml - source: salt://elasticsearch/files/sotls.yml
- user: 930 - user: 930
- group: 939 - group: 939
- template: jinja
#sync templates to /opt/so/conf/elasticsearch/templates #sync templates to /opt/so/conf/elasticsearch/templates
{% for TEMPLATE in TEMPLATES %} {% for TEMPLATE in TEMPLATES %}
@@ -228,6 +229,7 @@ so-elasticsearch-pipelines-file:
- user: 930 - user: 930
- group: 939 - group: 939
- mode: 754 - mode: 754
- template: jinja
so-elasticsearch-pipelines: so-elasticsearch-pipelines:
cmd.run: cmd.run:
@@ -242,6 +244,7 @@ so-elasticsearch-templates:
cmd.run: cmd.run:
- name: /usr/sbin/so-elasticsearch-templates-load - name: /usr/sbin/so-elasticsearch-templates-load
- cwd: /opt/so - cwd: /opt/so
- template: jinja
{% endif %} {% endif %}
{% else %} {% else %}
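Review bot: `- template: jinja` in the third hunk is placed under the `so-elasticsearch-templates` `cmd.run` state, which only executes `/usr/sbin/so-elasticsearch-templates-load` and has no file to render; the flag takes effect on the file state that installs the script, as the second hunk does for `so-elasticsearch-pipelines-file`. Unless `cmd.run` is known to accept that argument, the line is at best ignored and should be dropped here or moved to the file state managing the load script; please confirm against the state's documentation. The state definitions for the first and third hunks start outside the hunk.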


@@ -416,6 +416,7 @@ role:
manager: manager:
portgroups: portgroups:
- {{ portgroups.elasticsearch_node }} - {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
dockernet: dockernet:
portgroups: portgroups:
- {{ portgroups.elasticsearch_node }} - {{ portgroups.elasticsearch_node }}
@@ -454,6 +455,7 @@ role:
manager: manager:
portgroups: portgroups:
- {{ portgroups.elasticsearch_node }} - {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
dockernet: dockernet:
portgroups: portgroups:
- {{ portgroups.elasticsearch_node }} - {{ portgroups.elasticsearch_node }}


@@ -13,6 +13,10 @@ output {
template_name => "so-zeek" template_name => "so-zeek"
template => "/templates/so-zeek-template.json" template => "/templates/so-zeek-template.json"
template_overwrite => true template_overwrite => true
{%- if grains['role'] in ['so-node','so-heavynode'] %}
ssl => true
ssl_certificate_verification => false
{%- endif %}
} }
} }
} }
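Review bot: `ssl_certificate_verification => false` on the new node branch makes the Logstash-to-Elasticsearch connection encrypted but unauthenticated, so any endpoint answering on the configured port is accepted; the same four lines are added to the ten following logstash output files, and this comment applies to all of them. If the node certificate is issued by the deployment's own CA, as the rest of this change suggests, point the output at that bundle instead, `cacert => "<PATH TO CA CERT>"` with `ssl_certificate_verification => true`, once it is mounted into the logstash container. If verification has to stay off for this release, a one-line comment next to the setting saying why would keep it from being copied into future outputs as the default.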


@@ -13,6 +13,10 @@ output {
template_name => "so-import" template_name => "so-import"
template => "/templates/so-import-template.json" template => "/templates/so-import-template.json"
template_overwrite => true template_overwrite => true
{%- if grains['role'] in ['so-node','so-heavynode'] %}
ssl => true
ssl_certificate_verification => false
{%- endif %}
} }
} }
} }


@@ -12,6 +12,10 @@ output {
template_name => "so-flow" template_name => "so-flow"
template => "/templates/so-flow-template.json" template => "/templates/so-flow-template.json"
template_overwrite => true template_overwrite => true
{%- if grains['role'] in ['so-node','so-heavynode'] %}
ssl => true
ssl_certificate_verification => false
{%- endif %}
} }
} }
} }


@@ -12,6 +12,10 @@ output {
template_name => "so-ids" template_name => "so-ids"
template => "/templates/so-ids-template.json" template => "/templates/so-ids-template.json"
template_overwrite => true template_overwrite => true
{%- if grains['role'] in ['so-node','so-heavynode'] %}
ssl => true
ssl_certificate_verification => false
{%- endif %}
} }
} }
} }


@@ -13,6 +13,10 @@ output {
template_name => "so-syslog" template_name => "so-syslog"
template => "/templates/so-syslog-template.json" template => "/templates/so-syslog-template.json"
template_overwrite => true template_overwrite => true
{%- if grains['role'] in ['so-node','so-heavynode'] %}
ssl => true
ssl_certificate_verification => false
{%- endif %}
} }
} }
} }


@@ -13,6 +13,10 @@ output {
template_name => "so-osquery" template_name => "so-osquery"
template => "/templates/so-osquery-template.json" template => "/templates/so-osquery-template.json"
template_overwrite => true template_overwrite => true
{%- if grains['role'] in ['so-node','so-heavynode'] %}
ssl => true
ssl_certificate_verification => false
{%- endif %}
} }
} }
} }


@@ -12,6 +12,10 @@ output {
template_name => "so-firewall" template_name => "so-firewall"
template => "/templates/so-firewall-template.json" template => "/templates/so-firewall-template.json"
template_overwrite => true template_overwrite => true
{%- if grains['role'] in ['so-node','so-heavynode'] %}
ssl => true
ssl_certificate_verification => false
{%- endif %}
} }
} }
} }


@@ -12,6 +12,10 @@ output {
index => "so-ids-%{+YYYY.MM.dd}" index => "so-ids-%{+YYYY.MM.dd}"
template_name => "so-ids" template_name => "so-ids"
template => "/templates/so-ids-template.json" template => "/templates/so-ids-template.json"
{%- if grains['role'] in ['so-node','so-heavynode'] %}
ssl => true
ssl_certificate_verification => false
{%- endif %}
} }
} }
} }


@@ -13,6 +13,10 @@ output {
template_name => "so-beats" template_name => "so-beats"
template => "/templates/so-beats-template.json" template => "/templates/so-beats-template.json"
template_overwrite => true template_overwrite => true
{%- if grains['role'] in ['so-node','so-heavynode'] %}
ssl => true
ssl_certificate_verification => false
{%- endif %}
} }
} }
} }


@@ -13,6 +13,10 @@ output {
template_name => "so-ossec" template_name => "so-ossec"
template => "/templates/so-ossec-template.json" template => "/templates/so-ossec-template.json"
template_overwrite => true template_overwrite => true
{%- if grains['role'] in ['so-node','so-heavynode'] %}
ssl => true
ssl_certificate_verification => false
{%- endif %}
} }
} }
} }


@@ -13,6 +13,10 @@ output {
template_name => "so-strelka" template_name => "so-strelka"
template => "/templates/so-strelka-template.json" template => "/templates/so-strelka-template.json"
template_overwrite => true template_overwrite => true
{%- if grains['role'] in ['so-node','so-heavynode'] %}
ssl => true
ssl_certificate_verification => false
{%- endif %}
} }
} }
} }


@@ -24,6 +24,13 @@
}, },
"elastic": { "elastic": {
"hostUrl": "http://{{ MANAGERIP }}:9200", "hostUrl": "http://{{ MANAGERIP }}:9200",
{%- if salt['pillar.get']('nodestab', {}) %}
"remoteHostUrls": [
{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
"https://{{ SN.split('_')|first }}:9200"{{ "," if not loop.last }}
{%- endfor %}
],
{%- endif %}
"username": "", "username": "",
"password": "", "password": "",
"verifyCert": false "verifyCert": false
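Review bot: The `remoteHostUrls` entries added in this hunk are https, but the existing `"verifyCert": false` a few lines below presumably governs them as well, so the cross-cluster connections from SOC are encrypted without authenticating the remote node; if the client supports a CA setting, that is the safer pairing for the new URLs. The host in each URL is derived from the `nodestab` pillar key (`SN.split('_')|first`), which only resolves because the soc container change in this same commit adds a matching `extra_hosts` entry mapping that name to `SNDATA.ip`; a comment above the loop noting that dependency, e.g. `{#- host names resolve via extra_hosts in the so-soc docker state #}`, would save the next reader a search.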


@@ -56,6 +56,12 @@ so-soc:
- /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
- /opt/so/conf/soc/changes.json:/opt/sensoroni/html/changes.json:ro - /opt/so/conf/soc/changes.json:/opt/sensoroni/html/changes.json:ro
- /opt/so/log/soc/:/opt/sensoroni/logs/:rw - /opt/so/log/soc/:/opt/sensoroni/logs/:rw
- extra_hosts:
{%- if salt['pillar.get']('nodestab', {}) %}
{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
- {{ SN.split('_')|first }}:{{ SNDATA.ip }}
{%- endfor %}
{%- endif %}
- port_bindings: - port_bindings:
- 0.0.0.0:9822:9822 - 0.0.0.0:9822:9822
- watch: - watch:
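Review bot: `- extra_hosts:` is emitted unconditionally while the entries under it are inside `{%- if salt['pillar.get']('nodestab', {}) %}`, so on an install without nodes the rendered state carries an `extra_hosts` key with a null value. Moving the `- extra_hosts:` line inside the `{%- if %}` keeps the rendered state identical to today's in that case. Whether `docker_container.running` tolerates a null `extra_hosts` is not visible here, so please check before relying on it. The `so-soc` state starts outside the hunk.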