ES basic SSL

2025-12-06 09:12:45 +01:00 · 2020-08-10 14:26:56 -04:00
parent 32fe3ed961
commit e659af3466
15 changed files with 152 additions and 3 deletions
--- a/salt/kibana/etc/kibana.yml
+++ b/salt/kibana/etc/kibana.yml
@@ -1,10 +1,15 @@
 ---
 # Default Kibana configuration from kibana-docker.
 {%- set ES = salt['pillar.get']('manager:mainip', '') -%}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 server.name: kibana
 server.host: "0"
 server.basePath: /kibana
+{% if FEATURES %}
+elasticsearch.hosts: [ "https://{{ ES }}:9200" ]
+{%- else %}
 elasticsearch.hosts: [ "http://{{ ES }}:9200" ]
+{%- endif %}
 #kibana.index: ".kibana"
 #elasticsearch.username: elastic
 #elasticsearch.password: changeme
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -167,7 +167,8 @@ so-logstash:
      - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
      - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
      - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
-      - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+      - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
+      - /etc/pki/ca.cer:/ca/ca.crt:ro
      {%- if grains['role'] == 'so-eval' %}
      - /nsm/zeek:/nsm/zeek:ro
      - /nsm/suricata:/suricata:ro
--- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
@@ -3,11 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 output {
  if [module] =~ "zeek" and "import" not in [tags] {
    elasticsearch {
      pipeline => "%{module}.%{dataset}"
+      {%- if FEATURES %}
+      hosts => "https://{{ ES }}"
+      cacert => '/ca/ca.crt'
+      {%- else %}
      hosts => "{{ ES }}"
+      {%- endif %}
      index => "so-zeek-%{+YYYY.MM.dd}"
      template_name => "so-zeek"
      template => "/templates/so-zeek-template.json"
--- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
@@ -3,11 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 output {
  if "import" in [tags] {
    elasticsearch {
      pipeline => "%{module}.%{dataset}"
+      {%- if FEATURES %}
+      hosts => "https://{{ ES }}"
+      cacert => '/ca/ca.crt'
+      {%- else %}
      hosts => "{{ ES }}"
+      {%- endif %}
      index => "so-import-%{+YYYY.MM.dd}"
      template_name => "so-import"
      template => "/templates/so-import-template.json"
--- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
@@ -3,10 +3,16 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 output {
  if [event_type] == "sflow" {
    elasticsearch {
+      {%- if FEATURES %}
+      hosts => "https://{{ ES }}"
+      cacert => '/ca/ca.crt'
+      {%- else %}
      hosts => "{{ ES }}"
+      {%- endif %}
      index => "so-flow-%{+YYYY.MM.dd}"
      template_name => "so-flow"
      template => "/templates/so-flow-template.json"
--- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
@@ -3,10 +3,16 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 output {
  if [event_type] == "ids" and "import" not in [tags] {
    elasticsearch {
+      {%- if FEATURES %}
+      hosts => "https://{{ ES }}"
+      cacert => '/ca/ca.crt'
+      {%- else %}
      hosts => "{{ ES }}"
+      {%- endif %}
      index => "so-ids-%{+YYYY.MM.dd}"
      template_name => "so-ids"
      template => "/templates/so-ids-template.json"
--- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
@@ -3,11 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 output {
  if [module] =~ "syslog" {
    elasticsearch {
      pipeline => "%{module}"
+      {%- if FEATURES %}
+      hosts => "https://{{ ES }}"
+      cacert => '/ca/ca.crt'
+      {%- else %}
      hosts => "{{ ES }}"
+      {%- endif %}
      index => "so-syslog-%{+YYYY.MM.dd}"
      template_name => "so-syslog"
      template => "/templates/so-syslog-template.json"
--- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
@@ -3,11 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 output {
  if [module] =~ "osquery" {
    elasticsearch {
      pipeline => "%{module}.%{dataset}" 
+      {%- if FEATURES %}
+      hosts => "https://{{ ES }}"
+      cacert => '/ca/ca.crt'
+      {%- else %}
      hosts => "{{ ES }}"
+      {%- endif %}
      index => "so-osquery-%{+YYYY.MM.dd}"
      template_name => "so-osquery"
      template => "/templates/so-osquery-template.json"
--- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
@@ -3,10 +3,16 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 output {
  if "firewall" in [tags] {
    elasticsearch {
+      {%- if FEATURES %}
+      hosts => "https://{{ ES }}"
+      cacert => '/ca/ca.crt'
+      {%- else %}
      hosts => "{{ ES }}"
+      {%- endif %}
      index => "so-firewall-%{+YYYY.MM.dd}"
      template_name => "so-firewall"
      template => "/templates/so-firewall-template.json"
--- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
@@ -3,11 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 output {
  if [module] =~ "suricata" and "import" not in [tags] {
    elasticsearch {
      pipeline => "%{module}.%{dataset}"
+      {%- if FEATURES %}
+      hosts => "https://{{ ES }}"
+      cacert => '/ca/ca.crt'
+      {%- else %}
      hosts => "{{ ES }}"
+      {%- endif %}
      index => "so-ids-%{+YYYY.MM.dd}"
      template_name => "so-ids" 
      template => "/templates/so-ids-template.json"
--- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
@@ -3,11 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 output {
  if "beat-ext" in [tags] and "import" not in [tags] {
    elasticsearch {
      pipeline => "beats.common" 
+      {%- if FEATURES %}
+      hosts => "https://{{ ES }}"
+      cacert => '/ca/ca.crt'
+      {%- else %}
      hosts => "{{ ES }}"
+      {%- endif %}
      index => "so-beats-%{+YYYY.MM.dd}"
      template_name => "so-beats"
      template => "/templates/so-beats-template.json"
--- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
@@ -3,11 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 output {
  if [module] =~ "ossec" {
    elasticsearch {
      pipeline => "%{module}.%{dataset}"
+      {%- if FEATURES %}
+      hosts => "https://{{ ES }}"
+      cacert => '/ca/ca.crt'
+      {%- else %}
      hosts => "{{ ES }}"
+      {%- endif %}
      index => "so-ossec-%{+YYYY.MM.dd}"
      template_name => "so-ossec"
      template => "/templates/so-ossec-template.json"
--- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
@@ -3,11 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 output {
  if [module] =~ "strelka" {
    elasticsearch {
      pipeline => "%{module}.%{dataset}" 
+      {%- if FEATURES %}
+      hosts => "https://{{ ES }}"
+      cacert => '/ca/ca.crt'
+      {%- else %}
      hosts => "{{ ES }}"
+      {%- endif %}
      index => "so-strelka-%{+YYYY.MM.dd}"
      template_name => "so-strelka"
      template => "/templates/so-strelka-template.json"
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -1,5 +1,6 @@
 {%- set MANAGERIP = salt['pillar.get']('global:managerip', '') -%}
 {%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') -%}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 {
  "logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
  "server": {
@@ -15,7 +16,11 @@
        "hostUrl": "http://{{ MANAGERIP }}:4434/"
      },
      "elastic": {
+        {%- if FEATURES %}
+        "hostUrl": "https://{{ MANAGERIP }}:9200",
+        {%- else %}
        "hostUrl": "http://{{ MANAGERIP }}:9200",
+        {%- endif %}
        "username": "",
        "password": "",
        "verifyCert": false
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -194,7 +194,7 @@ regkeyperms:
      - x509: /etc/pki/minio.crt
    {%- endif %}

-# Create a cert for the docker registry
+# Create a cert for minio
 /etc/pki/minio.crt:
  x509.certificate_managed:
    - ca_server: {{ ca_server }}
@@ -229,6 +229,41 @@ miniokeyperms:
      - x509: /etc/pki/redis.crt
    {%- endif %}

+# Create a cert for elasticsearch
+/etc/pki/elasticsearch.crt:
+  x509.certificate_managed:
+    - ca_server: {{ ca_server }}
+    - signing_policy: registry
+    - public_key: /etc/pki/ealsticsearch.key
+    - CN: {{ manager }}
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - unless:
+      # https://github.com/saltstack/salt/issues/52167
+      # Will trigger 5 days (432000 sec) from cert expiration
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+
+miniokeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticsearch.key
+    - mode: 640
+    - group: 939
+
+/etc/pki/elasticsearch.key:
+  x509.private_key_managed:
+    - CN: {{ manager }}
+    - bits: 4096
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
+    - prereq:
+      - x509: /etc/pki/elasticsearch.crt
+    {%- endif %}
+
 # Create a cert for the docker registry
 /etc/pki/redis.crt:
  x509.certificate_managed:
@@ -457,4 +492,41 @@ fleetkeyperms:
    - mode: 640
    - group: 939

-{% endif %}
+{% endif %}
+
+{% if grains['role'] in ['so-search', 'so-heavynode'] %}
+# Create a cert for elasticsearch
+/etc/pki/elasticsearch.crt:
+  x509.certificate_managed:
+    - ca_server: {{ ca_server }}
+    - signing_policy: registry
+    - public_key: /etc/pki/ealsticsearch.key
+    - CN: {{ manager }}
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - unless:
+      # https://github.com/saltstack/salt/issues/52167
+      # Will trigger 5 days (432000 sec) from cert expiration
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+
+miniokeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticsearch.key
+    - mode: 640
+    - group: 939
+
+/etc/pki/elasticsearch.key:
+  x509.private_key_managed:
+    - CN: {{ manager }}
+    - bits: 4096
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
+    - prereq:
+      - x509: /etc/pki/elasticsearch.crt
+    {%- endif %}
+{%- endif %}