Merge pull request #279 from Security-Onion-Solutions/features/heavynode

Features/heavynode
2025-12-09 02:32:46 +01:00 · 2020-01-29 17:07:00 -05:00
parent 779a9129d6 8b17d3ba6c
commit eba02ef3b4
19 changed files with 349 additions and 35 deletions
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,6 +1,6 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
-{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
 # Add socore Group
 socoregroup:
  group.present:
@@ -343,7 +343,7 @@ dashboard-{{ SN }}:

 {% if salt['pillar.get']('nodestab', False) %}
 {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
-dashboard-{{ SN }}:
+dashboardsearch-{{ SN }}:
  file.managed:
    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
    - user: 939
--- a/salt/common/nginx/nginx.conf.so-heavynode
+++ b/salt/common/nginx/nginx.conf.so-heavynode
@@ -0,0 +1,89 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    server {
+        listen       80 default_server;
+        listen       [::]:80 default_server;
+        server_name  _;
+        root         /usr/share/nginx/html;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        location / {
+        }
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+
+# Settings for a TLS enabled server.
+#
+#    server {
+#        listen       443 ssl http2 default_server;
+#        listen       [::]:443 ssl http2 default_server;
+#        server_name  _;
+#        root         /usr/share/nginx/html;
+#
+#        ssl_certificate "/etc/pki/nginx/server.crt";
+#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
+#        ssl_session_cache shared:SSL:1m;
+#        ssl_session_timeout  10m;
+#        ssl_ciphers HIGH:!aNULL:!MD5;
+#        ssl_prefer_server_ciphers on;
+#
+#        # Load configuration files for the default server block.
+#        include /etc/nginx/default.d/*.conf;
+#
+#        location / {
+#        }
+#
+#        error_page 404 /404.html;
+#            location = /40x.html {
+#        }
+#
+#        error_page 500 502 503 504 /50x.html;
+#            location = /50x.html {
+#        }
+#    }
+
+}
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -31,7 +31,7 @@
 {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
 {% set esheap = salt['pillar.get']('master:esheap', '') %}

-{% elif grains['role'] == 'so-node' %}
+{% elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}

 {% set esclustername = salt['pillar.get']('node:esclustername', '') %}
 {% set esheap = salt['pillar.get']('node:esheap', '') %}
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -1,4 +1,10 @@
+{%- if grains.role == 'so-heavynode' %}
+{%- set MASTER = grains.host %}
+{%- else %}
 {%- set MASTER = grains['master'] %}
+{%- endif %}
+
+
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
 {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %}
@@ -67,7 +73,7 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.prospectors:
 #------------------------------ Log prospector --------------------------------
-{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" %}
+{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" %}
 {%- if BROVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
  - type: log
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -1,5 +1,4 @@
  # Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
-
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
@@ -15,13 +14,12 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
-{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
-{% if FEATURES %}
-  {% set FEATURES = "-features" %}
-{% else %}
-  {% set FEATURES = '' %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}		
+{% if FEATURES %}		
+  {% set FEATURES = "-features" %}		
+{% else %}		
+  {% set FEATURES = '' %}		
 {% endif %}
-
 # Filebeat Setup
 filebeatetcdir:
  file.directory:
@@ -29,21 +27,18 @@ filebeatetcdir:
    - user: 939
    - group: 939
    - makedirs: True
-
 filebeatlogdir:
  file.directory:
    - name: /opt/so/log/filebeat
    - user: 939
    - group: 939
    - makedirs: True
-
 filebeatpkidir:
  file.directory:
    - name: /opt/so/conf/filebeat/etc/pki
    - user: 939
    - group: 939
    - makedirs: True
-
 # This needs to be owned by root
 filebeatconfsync:
  file.managed:
@@ -52,7 +47,6 @@ filebeatconfsync:
    - user: 0
    - group: 0
    - template: jinja
-
 so-filebeat:
  docker_container.running:
    - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }}
@@ -67,13 +61,8 @@ so-filebeat:
      - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
      - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
      - /opt/so/log/fleet/:/osquery/logs:ro
-{%- if grains['role'] == 'so-master' %}
-      - /etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
-      - /etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
-{%- else %}
      - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
      - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
-{%- endif %}
      - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
    - watch:
      - file: /opt/so/conf/filebeat/etc/filebeat.yml
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -1,7 +1,7 @@
 # Firewall Magic for the grid
 {%- if grains['role'] in ['so-eval','so-master','so-helix','so-mastersearch'] %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
-{%- elif grains['role'] == 'so-node' %}
+{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- elif grains['role'] == 'so-sensor' %}
 {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
@@ -584,7 +584,7 @@ enable_standard_analyst_443_{{ip}}:
 {% endif %}

 # Rules if you are a Node
-{% if grains['role'] == 'so-node' %}
+{% if 'node' in grains['role'] %}

 #This should be more granular
 iptables_allow_docker:
@@ -655,3 +655,39 @@ iptables_drop_all_the_things:
    - chain: LOGGING
    - jump: DROP
    - save: True
+
+{% if grains['role'] == 'so-heavynode' %}
+# Allow Redis
+enable_heavynode_redis_6379_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 6379
+    - position: 1
+    - save: True
+
+enable_forwardnode_beats_5044_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 5044
+    - position: 1
+    - save: True
+
+enable_forwardnode_beats_5644_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 5644
+    - position: 1
+    - save: True
+{% endif %}
--- a/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
+++ b/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
@@ -1,10 +1,15 @@
 {%- if salt['grains.get']('role') == 'so-master' %}
 {% set master = salt['pillar.get']('static:masterip', '') %}
 {%- set nodetype = 'master' %}
+{% elif grains.role == 'so-heavynode' %}
+{% set master = salt['pillar.get']('node:mainip', '') %}
+{%- set nodetype = salt['pillar.get']('node:node_type', 'search') %}
 {%- else %}
 {%- set nodetype = salt['pillar.get']('node:node_type', 'storage') %}
 {% set master = salt['pillar.get']('static:masterip', '') %}
 {%- endif %}
+
+
 output {
 	redis {
 		host => '{{ master }}'
--- a/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
+++ b/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
@@ -1,4 +1,8 @@
-{% set master = salt['pillar.get']('static:masterip', '') %}
+{%- if grains.role == 'so-heavynode' %}
+{%- set master = salt['pillar.get']('node:mainip', '') %}
+{%- else %}
+{%- set master = salt['pillar.get']('static:masterip', '') %}
+{% endif -%}
 input {
 	redis {
 		host => '{{ master }}'
--- a/salt/logstash/etc/logstash.yml
+++ b/salt/logstash/etc/logstash.yml
@@ -63,7 +63,7 @@
 #
 # path.config:
 # /etc/logstash/conf.d is mapped to /usr/share/logstash/pipeline in the Docker image
-{% if grains.role != 'so-mastersearch' %}
+{% if grains.role != 'so-mastersearch' and grains.role != 'so-heavynode' and grains.role != 'so-master' %}
 path.config: /usr/share/logstash/pipeline.enabled/*.conf
 {% else %} 
 #path.config: /usr/share/logstash/pipeline.enabled/*.conf
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -27,7 +27,7 @@
 {% set lsheap = salt['pillar.get']('sensor:lsheap', '') %}
 {% set lsaccessip = salt['pillar.get']('sensor:lsaccessip', '') %}

-{% elif grains['role'] == 'so-node' %}
+{% elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {% set lsheap = salt['pillar.get']('node:lsheap', '') %}
 {% set nodetype = salt['pillar.get']('node:node_type', 'storage') %}

@@ -162,7 +162,7 @@ lscustsync:
 lsconfsync:
  file.managed:
    - name: /opt/so/conf/logstash/conf.enabled.txt
-{% if grains.role == 'so-mastersearch' %}
+{% if grains.role == 'so-mastersearch' or grains.role == 'so-heavynode' %}
    - source: salt://logstash/conf/conf.enabled.txt.so-master
 {% else %}
    - source: salt://logstash/conf/conf.enabled.txt.{{ nodetype }}
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -2,7 +2,7 @@
 {% set master_minion_id = master.split(".")[0] %}
 {%- set masterip = salt['pillar.get']('static:masterip', '') -%}

-{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval'  or grains['role'] == 'so-heavynode' %}
    {% set trusttheca_text =  salt['mine.get'](grains.id, 'x509.get_pem_entries')[grains.id]['/etc/pki/ca.crt']|replace('\n', '') %}
    {% set ca_server = grains.id %}
 {% else %}
@@ -41,7 +41,7 @@ m2cryptopkgs:
        bits: 4096
        backup: True

-{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch'  %}
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' %}

 # Request a cert and drop it where it needs to go to be distributed
 /etc/pki/filebeat.crt:
@@ -49,7 +49,11 @@ m2cryptopkgs:
    - ca_server: {{ ca_server }}
    - signing_policy: filebeat
    - public_key: /etc/pki/filebeat.key
-    - CN: {{ master }}
+{% if grains.role == 'so-heavynode' %}
+    - CN: {{grains.id}}
+{% else %}
+    - CN: {{master}}
+{% endif %}
    - days_remaining: 0
    - days_valid: 820
    - backup: True
@@ -129,7 +133,7 @@ fbcrtlink:
        backup: True

 {% endif %}
-{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch'  %}
+{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' %}

 fbcertdir:
  file.directory:
@@ -142,7 +146,11 @@ fbcertdir:
    - ca_server: {{ ca_server }}
    - signing_policy: filebeat
    - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - CN: {{ master }}
+{% if grains.role == 'so-heavynode' %}
+    - CN: {{grains.id}}
+{% else %}
+    - CN: {{master}}
+{% endif %}
    - days_remaining: 0
    - days_valid: 820
    - backup: True
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -233,3 +233,31 @@ base:
    {%- if DOMAINSTATS != 0 %}
    - domainstats
    {%- endif %}
+
+  'G@role:so-heavynode':
+    - ca
+    - ssl
+    - common
+    - firewall
+    - redis
+    - logstash
+    - elasticsearch
+    - curator
+    {%- if WAZUH != 0 %}
+    - wazuh
+    {%- endif %}
+    - filebeat
+    {%- if OSQUERY != 0 %}
+    - launcher
+    {%- endif %}
+    - pcap
+    - suricata
+    {%- if BROVER != 'SURICATA' %}
+    - zeek
+    {%- endif %}
+    - wazuh
+    - filebeat
+    {%- if OSQUERY != 0 %}
+    - launcher
+    {%- endif %}
+    - schedule
--- a/salt/wazuh/files/agent/ossec.conf
+++ b/salt/wazuh/files/agent/ossec.conf
@@ -1,6 +1,6 @@
 {%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
-{%- elif grains['role'] == 'so-node' %}
+{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- elif grains['role'] == 'so-sensor' %}
 {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
--- a/salt/wazuh/files/agent/wazuh-register-agent
+++ b/salt/wazuh/files/agent/wazuh-register-agent
@@ -1,6 +1,6 @@
 {%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
-{%- elif grains['role'] == 'so-node' %}
+{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- elif grains['role'] == 'so-sensor' %}
 {%- set ip = salt['pillar.get']('sensor:mainip', '') %}