From ec7bcd9b0c8786ecd937ababf161d44c5f8447ea Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 9 May 2023 16:46:48 -0400 Subject: [PATCH] enabled/disable kibana in ui --- salt/allowed_states.map.jinja | 3 +- salt/kibana/config.map.jinja | 18 ---- salt/kibana/config.sls | 93 +++++++++++++++++ salt/kibana/defaults.yaml | 4 +- salt/kibana/disabled.sls | 27 +++++ salt/kibana/enabled.sls | 48 +++++++++ salt/kibana/init.sls | 127 ++--------------------- salt/kibana/map.jinja | 23 ++++ salt/kibana/so_config_load.sls | 2 +- salt/kibana/so_dashboard_load.sls | 2 +- salt/kibana/so_savedobjects_defaults.sls | 2 +- salt/kibana/so_securitySolution_load.sls | 2 +- salt/kibana/soc_kibana.yaml | 3 + salt/kibana/sostatus.sls | 21 ++++ salt/manager/tools/sbin/so-minion | 2 +- salt/pcap/sostatus.sls | 8 +- salt/top.sls | 21 +--- 17 files changed, 240 insertions(+), 166 deletions(-) delete mode 100644 salt/kibana/config.map.jinja create mode 100644 salt/kibana/config.sls create mode 100644 salt/kibana/disabled.sls create mode 100644 salt/kibana/enabled.sls create mode 100644 salt/kibana/map.jinja create mode 100644 salt/kibana/sostatus.sls diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 8470a379c..a932692cf 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -3,7 +3,6 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{% set KIBANA = salt['pillar.get']('kibana:enabled', True) %} {% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %} {% set CURATOR = salt['pillar.get']('curator:enabled', True) %} {% set REDIS = salt['pillar.get']('redis:enabled', True) %} 
@@ -232,7 +231,7 @@
 {% do allowed_states.append('elasticsearch.auth') %}
 {% endif %}
- {% if KIBANA and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
+ {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
 {% do allowed_states.append('kibana') %}
 {% do allowed_states.append('kibana.secrets') %}
 {% endif %}
diff --git a/salt/kibana/config.map.jinja b/salt/kibana/config.map.jinja
deleted file mode 100644
index 9ad1012f7..000000000
--- a/salt/kibana/config.map.jinja
+++ /dev/null
@@ -1,18 +0,0 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% import_yaml 'kibana/defaults.yaml' as KIBANACONFIG with context %}
-{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
-
-{% do KIBANACONFIG.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %}
-{% do KIBANACONFIG.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %}
-
-{% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %}
-
-{% do KIBANACONFIG.kibana.config.xpack.fleet.update({'registryUrl': 'http://' ~ GLOBALS.manager_ip ~ ':8080'}) %}
-
-{% if salt['pillar.get']('kibana:secrets') %}
- {% do KIBANACONFIG.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey']}}) %}
- {% do KIBANACONFIG.kibana.config.xpack.security.update({'encryptionKey': pillar['kibana']['secrets']['security']['encryptionKey']}) %}
- {% do KIBANACONFIG.kibana.config.xpack.update({'reporting': {'encryptionKey': pillar['kibana']['secrets']['reporting']['encryptionKey']}}) %}
-{% endif %}
-
-{% set KIBANACONFIG = salt['pillar.get']('kibana:config', default=KIBANACONFIG.kibana.config, merge=True) %}
diff --git a/salt/kibana/config.sls b/salt/kibana/config.sls
new file mode 100644
index 000000000..433fc9601
--- /dev/null
+++ b/salt/kibana/config.sls
@@ -0,0 +1,93 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% import_yaml 'kibana/defaults.yaml' as default_settings %}
+{% from 'kibana/map.jinja' import KIBANAMERGED %}
+
+# Add ES Group
+kibanasearchgroup:
+ group.present:
+ - name: kibana
+ - gid: 932
+
+# Add ES user
+kibana:
+ user.present:
+ - uid: 932
+ - gid: 932
+ - home: /opt/so/conf/kibana
+ - createhome: False
+
+# Drop the correct nginx config based on role
+
+kibanaconfdir:
+ file.directory:
+ - name: /opt/so/conf/kibana/etc
+ - user: 932
+ - group: 939
+ - makedirs: True
+
+kibana_sbin:
+ file.recurse:
+ - name: /usr/sbin
+ - source: salt://kibana/tools/sbin
+ - user: 932
+ - group: 939
+ - file_mode: 755
+
+kibana_sbin_jinja:
+ file.recurse:
+ - name: /usr/sbin
+ - source: salt://kibana/tools/sbin_jinja
+ - user: 932
+ - group: 939
+ - file_mode: 755
+ - template: jinja
+ - defaults:
+ GLOBALS: {{ GLOBALS }}
+
+kibanaconfig:
+ file.managed:
+ - name: /opt/so/conf/kibana/etc/kibana.yml
+ - source: salt://kibana/etc/kibana.yml.jinja
+ - user: 932
+ - group: 939
+ - mode: 660
+ - template: jinja
+ - defaults:
+ KIBANACONFIG: {{ KIBANAMERGED.config }}
+ - show_changes: False
+
+kibanalogdir:
+ file.directory:
+ - name: /opt/so/log/kibana
+ - user: 932
+ - group: 939
+ - makedirs: True
+
+kibanacustdashdir:
+ file.directory:
+ - name: /opt/so/conf/kibana/customdashboards
+ - user: 932
+ - group: 939
+ - makedirs: True
+
+synckibanacustom:
+ file.recurse:
+ - name: /opt/so/conf/kibana/customdashboards
+ - source: salt://kibana/custom
+ - user: 932
+ - group: 939
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml
index c0e279ca9..282521d12 100644
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -1,5 +1,5 @@
 kibana:
- enabled: True
+ enabled: False
 config:
 server:
 name: kibana
@@ -32,4 +32,4 @@ kibana:
 kibanaServer:
 hostname: localhost
 fleet:
- registryUrl: ""
\ No newline at end of file
+ registryUrl: ""
diff --git a/salt/kibana/disabled.sls b/salt/kibana/disabled.sls
new file mode 100644
index 000000000..eed2a623e
--- /dev/null
+++ b/salt/kibana/disabled.sls
@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+ - kibana.sostatus
+
+so-kibana:
+ docker_container.absent:
+ - force: True
+
+so-kibana_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-kibana$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/kibana/enabled.sls b/salt/kibana/enabled.sls
new file mode 100644
index 000000000..8d81beb56
--- /dev/null
+++ b/salt/kibana/enabled.sls
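Review bot: `kibana_sbin` and `kibana_sbin_jinja` drop executables into `/usr/sbin` owned by uid 932 with `file_mode: 755`, and uid 932 is the `kibana` service account this same file creates; if the container's `kibana` user maps to that host uid, as the bind-mount ownership in enabled.sls suggests, anything root later runs from those tools is writable by the service account. Only the config, log and dashboard directories need to belong to that uid, so the two sbin states should use `- user: root` and `- group: root` (keeping `file_mode: 755`). The comments `# Add ES Group`, `# Add ES user` and `# Drop the correct nginx config based on role` describe nothing in this file and look copied from another state; `# Kibana service account (uid/gid 932)` and `# Kibana config, log and custom-dashboard directories` would match what the states do. `kibanaconfig` renders the Elasticsearch credentials and encryption keys from map.jinja into kibana.yml, so `mode: 660` plus `show_changes: False` is the right call and deserves a one-line `# contains ES credentials and xpack encryption keys` comment so nobody relaxes it.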
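Review bot: Flipping the default to `enabled: False` changes behaviour for every existing install that never set `kibana:enabled` in pillar: before this commit both allowed_states.map.jinja and top.sls read it with a default of `True`, and after it init.sls routes such hosts to `kibana.disabled`, which force-removes the container on the next highstate. Nothing in the diff writes `kibana:enabled: True` to a manager pillar (the so-minion hunk only touches `pcap:`), so unless setup or a migration outside this patch does it, Kibana is silently turned off. Either keep `enabled: True` as the shipped default and let the UI write `False`, or add a pillar migration that sets `kibana:enabled: True` on the roles that currently run it, and state in the commit description which of the two is intended.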
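Review bot: `docker_container.absent` removes the container but leaves `/opt/so/conf/kibana/etc/kibana.yml` behind, and that file holds the `so_kibana_user` Elasticsearch password and the three xpack encryption keys rendered by map.jinja; a feature switched off in the UI should not keep live credentials on disk. Since `kibana.config` re-renders the file from pillar whenever the state is enabled again, add a `file.absent` for `/opt/so/conf/kibana/etc/kibana.yml` with `- require: - docker_container: so-kibana`, or put a comment here saying the rendered config is intentionally kept. Including `kibana.sostatus` means a disabled run first appends `so-kibana` (when absent) and then comments it out, so the entry is retained as `#so-kibana` on purpose; a short comment stating that would save the next reader the trip through both files.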
@@ -0,0 +1,48 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+ - kibana.config
+ - kibana.sostatus
+
+# Start the kibana docker
+so-kibana:
+ docker_container.running:
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kibana:{{ GLOBALS.so_version }}
+ - hostname: kibana
+ - user: kibana
+ - networks:
+ - sobridge:
+ - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
+ - environment:
+ - ELASTICSEARCH_HOST={{ GLOBALS.manager }}
+ - ELASTICSEARCH_PORT=9200
+ - MANAGER={{ GLOBALS.manager }}
+ - extra_hosts:
+ - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
+ - binds:
+ - /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw
+ - /opt/so/log/kibana:/var/log/kibana:rw
+ - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ - port_bindings:
+ {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
+ - {{ BINDING }}
+ {% endfor %}
+ - watch:
+ - file: kibanaconfig
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index a9d3c6da9..675106d8f 100644
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
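Review bot: enabled.sls never consults `KIBANAMERGED.enabled`; its only gate is the allowed_states check, while `so_config_load`, `so_dashboard_load`, `so_securitySolution_load` and `so_savedobjects_defaults` now `include: - kibana.enabled` directly. A targeted `salt-call state.apply kibana.so_config_load` (or anything that pulls one of those in) on a host where the operator disabled Kibana therefore recreates and starts the container, bypassing the switch init.sls implements. Import the map and make the gate `{% from 'kibana/map.jinja' import KIBANAMERGED %}` followed by `{% if sls.split('.')[0] in allowed_states and KIBANAMERGED.enabled %}`, so the enabled/disabled decision holds no matter which state is applied; a `# only reachable when kibana:enabled is True, see init.sls` comment on that line would explain the extra condition.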
@@ -3,125 +3,14 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% import_yaml 'kibana/defaults.yaml' as default_settings %}
-{% set KIBANA_SETTINGS = salt['grains.filter_by'](default_settings, default='kibana', merge=salt['pillar.get']('kibana', {})) %}
-{% from 'kibana/config.map.jinja' import KIBANACONFIG with context %}
-
-# Add ES Group
-kibanasearchgroup:
- group.present:
- - name: kibana
- - gid: 932
-
-# Add ES user
-kibana:
- user.present:
- - uid: 932
- - gid: 932
- - home: /opt/so/conf/kibana
- - createhome: False
-
-# Drop the correct nginx config based on role
-
-kibanaconfdir:
- file.directory:
- - name: /opt/so/conf/kibana/etc
- - user: 932
- - group: 939
- - makedirs: True
-
-kibana_sbin:
- file.recurse:
- - name: /usr/sbin
- - source: salt://kibana/tools/sbin
- - user: 932
- - group: 939
- - file_mode: 755
-
-kibana_sbin_jinja:
- file.recurse:
- - name: /usr/sbin
- - source: salt://kibana/tools/sbin_jinja
- - user: 932
- - group: 939
- - file_mode: 755
- - template: jinja
- - defaults:
- GLOBALS: {{ GLOBALS }}
-
-kibanaconfig:
- file.managed:
- - name: /opt/so/conf/kibana/etc/kibana.yml
- - source: salt://kibana/etc/kibana.yml.jinja
- - user: 932
- - group: 939
- - mode: 660
- - template: jinja
- - defaults:
- KIBANACONFIG: {{ KIBANACONFIG }}
- - show_changes: False
-
-kibanalogdir:
- file.directory:
- - name: /opt/so/log/kibana
- - user: 932
- - group: 939
- - makedirs: True
-
-kibanacustdashdir:
- file.directory:
- - name: /opt/so/conf/kibana/customdashboards
- - user: 932
- - group: 939
- - makedirs: True
-
-synckibanacustom:
- file.recurse:
- - name: /opt/so/conf/kibana/customdashboards
- - source: salt://kibana/custom
- - user: 932
- - group: 939
-
-# Start the kibana docker
-so-kibana:
- docker_container.running:
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kibana:{{ GLOBALS.so_version }}
- - hostname: kibana
- - user: kibana
- - networks:
- - sobridge:
- - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
- - environment:
- - ELASTICSEARCH_HOST={{ GLOBALS.manager }}
- - ELASTICSEARCH_PORT=9200
- - MANAGER={{ GLOBALS.manager }}
- - extra_hosts:
- - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- - binds:
- - /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw
- - /opt/so/log/kibana:/var/log/kibana:rw
- - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
- - /sys/fs/cgroup:/sys/fs/cgroup:ro
- - port_bindings:
- {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
- - {{ BINDING }}
- {% endfor %}
- - watch:
- - file: kibanaconfig
-
-append_so-kibana_so-status.conf:
- file.append:
- - name: /opt/so/conf/so-status/so-status.conf
- - text: so-kibana
+{% from 'kibana/map.jinja' import KIBANAMERGED %}
+include:
+{% if KIBANAMERGED.enabled %}
+ - kibana.enabled
+ - kibana.so_config_load
+ - kibana.so_securitySolution_load
+ - kibana.so_dashboard_load
 {% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
+ - kibana.disabled
 {% endif %}
diff --git a/salt/kibana/map.jinja b/salt/kibana/map.jinja
new file mode 100644
index 000000000..bd333f1c4
--- /dev/null
+++ b/salt/kibana/map.jinja
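Review bot: The enabled branch includes the three loader states but not `kibana.so_savedobjects_defaults`, which is what top.sls applied on every Kibana role before this commit and which no file references any more after it. so_savedobjects_defaults.sls still exists (its include list is edited in this same patch), and if it carries states of its own beyond those includes they are now dropped from the highstate; its body is outside the diff so I cannot confirm either way. Either add `  - kibana.so_savedobjects_defaults` to this include list, or, if it really is only an include aggregator, delete the file so the two paths cannot diverge. The enclosing `{% if sls in allowed_states %}` guard that the old file had is gone from init.sls and now lives only in the included states, which is fine but worth a one-line comment here: `# allowed_states is enforced by each included state`.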
@@ -0,0 +1,23 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+ https://securityonion.net/license; you may not use this file except in compliance with the
+ Elastic License 2.0. #}
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% import_yaml 'kibana/defaults.yaml' as KIBANADEFAULTS with context %}
+{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
+
+{% do KIBANADEFAULTS.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %}
+{% do KIBANADEFAULTS.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %}
+
+{% do KIBANADEFAULTS.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %}
+
+{% do KIBANADEFAULTS.kibana.config.xpack.fleet.update({'registryUrl': 'http://' ~ GLOBALS.manager_ip ~ ':8080'}) %}
+
+{% if salt['pillar.get']('kibana:secrets') %}
+ {% do KIBANADEFAULTS.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey']}}) %}
+ {% do KIBANADEFAULTS.kibana.config.xpack.security.update({'encryptionKey': pillar['kibana']['secrets']['security']['encryptionKey']}) %}
+ {% do KIBANADEFAULTS.kibana.config.xpack.update({'reporting': {'encryptionKey': pillar['kibana']['secrets']['reporting']['encryptionKey']}}) %}
+{% endif %}
+
+{% set KIBANAMERGED = salt['pillar.get']('kibana', default=KIBANADEFAULTS.kibana, merge=True) %}
diff --git a/salt/kibana/so_config_load.sls b/salt/kibana/so_config_load.sls
index ea9655688..84c17deca 100644
--- a/salt/kibana/so_config_load.sls
+++ b/salt/kibana/so_config_load.sls
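Review bot: The `{% if salt['pillar.get']('kibana:secrets') %}` branch silently yields a kibana.yml with no `encryptedSavedObjects`, `security` or `reporting` encryption keys when the pillar is missing, so a failed or misordered `kibana.secrets` run (that state is in allowed_states, but nothing here depends on it) shows up only as Kibana misbehaviour rather than as a failed render. Salt's Jinja exposes `raise()`; an `{% else %}{{ raise('kibana:secrets is not in pillar, apply kibana.secrets first') }}` before the `{% endif %}` makes the gap fail loudly. `HIGHLANDER` on the third line is set and never read in this file, a leftover from config.map.jinja that should go. The merge on the last line would also benefit from a comment: `{# pillar 'kibana' (enabled, config, secrets) is layered over defaults.yaml; KIBANAMERGED.config is what config.sls renders into kibana.yml #}`. The `http://` fleet `registryUrl` is carried over unchanged from the deleted file and is out of scope here, but note it still points at a plain-HTTP listener on the manager.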
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 include:
- - kibana
+ - kibana.enabled
 config_saved_objects:
 file.managed:
diff --git a/salt/kibana/so_dashboard_load.sls b/salt/kibana/so_dashboard_load.sls
index 26cc13f83..08fb48da7 100644
--- a/salt/kibana/so_dashboard_load.sls
+++ b/salt/kibana/so_dashboard_load.sls
@@ -5,7 +5,7 @@
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 include:
- - kibana
+ - kibana.enabled
 dashboard_saved_objects_template:
 file.managed:
diff --git a/salt/kibana/so_savedobjects_defaults.sls b/salt/kibana/so_savedobjects_defaults.sls
index 135053c68..c9fe61ac6 100644
--- a/salt/kibana/so_savedobjects_defaults.sls
+++ b/salt/kibana/so_savedobjects_defaults.sls
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 include:
- - kibana
+ - kibana.enabled
 - kibana.so_config_load
 - kibana.so_securitySolution_load
 - kibana.so_dashboard_load
diff --git a/salt/kibana/so_securitySolution_load.sls b/salt/kibana/so_securitySolution_load.sls
index 0f72adcda..fe57f5a73 100644
--- a/salt/kibana/so_securitySolution_load.sls
+++ b/salt/kibana/so_securitySolution_load.sls
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 include:
- - kibana
+ - kibana.enabled
 securitySolution_saved_objects:
 file.managed:
diff --git a/salt/kibana/soc_kibana.yaml b/salt/kibana/soc_kibana.yaml
index 331e7716f..c95512b58 100644
--- a/salt/kibana/soc_kibana.yaml
+++ b/salt/kibana/soc_kibana.yaml
@@ -1,4 +1,7 @@
 kibana:
+ enabled:
+ description: You can enable or disable Kibana.
+ helpLink: kibana.html
 config:
 elasticsearch:
 requestTimeout:
diff --git a/salt/kibana/sostatus.sls b/salt/kibana/sostatus.sls
new file mode 100644
index 000000000..9bab0efe8
--- /dev/null
+++ b/salt/kibana/sostatus.sls
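Review bot: The soc_kibana.yaml help text `You can enable or disable Kibana.` restates the key name and says nothing about what the switch does, which is the one thing an operator flipping it in the UI needs. From the rest of this patch, disabling force-removes the `so-kibana` container, comments it out of so-status and stops init.sls from applying the dashboard and saved-object loaders, while `/opt/so/conf/kibana` and the Elasticsearch-side data are left untouched (the latter is inferred; nothing here deletes indices). Something like `description: Enable or disable the Kibana container on manager-type nodes. Disabling removes the container and stops loading Security Onion dashboards; it takes effect on the next highstate.` tells them that.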
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-kibana_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-kibana
+ - unless: grep -q so-kibana /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
index 0195cdb5c..eeaea1209 100755
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -216,7 +216,7 @@ function add_sensor_to_minion() {
 echo " af-packet:" >> $PILLARFILE
 echo " threads: '$CORECOUNT'" >> $PILLARFILE
 echo "pcap:" >> $PILLARFILE
- echo " enabled: True" >> $PILLARFILE
+ echo " enabled: True" >> $PILLARFILE
 echo " " >> $PILLARFILE
 }
diff --git a/salt/pcap/sostatus.sls b/salt/pcap/sostatus.sls
index 41ff1a183..4eebbfb0e 100644
--- a/salt/pcap/sostatus.sls
+++ b/salt/pcap/sostatus.sls
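Review bot: `unless: grep -q so-kibana ...` is an unanchored substring match, so it is also true for the `#so-kibana` line that `kibana.disabled` leaves behind; after a disable followed by a re-enable the append is skipped and so-status never tracks Kibana again (`file.append` already skips an identical existing line on its own, so the grep mainly adds this false positive). Anchor it to the exact line, `- unless: grep -q '^so-kibana$' /opt/so/conf/so-status/so-status.conf`, and restore a previously disabled entry from enabled.sls with a `file.uncomment` state on the same file and `regex: ^so-kibana$` (it reports no change when nothing is commented). Put the uncomment in enabled.sls rather than here, because disabled.sls includes this file too and would otherwise uncomment and re-comment the line on every run. A comment such as `# so-status reads one container name per line; '#so-kibana' means disabled` above the state would record the convention both files rely on.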
@@ -1,7 +1,7 @@
-{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
- or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
- https://securityonion.net/license; you may not use this file except in compliance with the
- Elastic License 2.0. #}
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
diff --git a/salt/top.sls b/salt/top.sls
index f30de8763..6ebd0340d 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -3,7 +3,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% set KIBANA = salt['pillar.get']('kibana:enabled', True) %}
 {% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %}
 {% set REDIS = salt['pillar.get']('redis:enabled', True) %}
 {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %}
@@ -74,10 +73,8 @@ base:
 - healthcheck
 - mysql
 - elasticsearch
- {%- if KIBANA %}
 - elastic-fleet-package-registry
- - kibana.so_savedobjects_defaults
- {%- endif %}
+ - kibana
 - pcap
 - suricata
 - zeek
@@ -120,10 +117,8 @@ base:
 {%- if REDIS %}
 - redis
 {%- endif %}
- {%- if KIBANA %}
 - elastic-fleet-package-registry
- - kibana.so_savedobjects_defaults
- {%- endif %}
+ - kibana
 - curator
 - elastalert
 - utility
@@ -158,10 +153,8 @@ base:
 {%- if REDIS %}
 - redis
 {%- endif %}
- {%- if KIBANA %}
 - elastic-fleet-package-registry
- - kibana.so_savedobjects_defaults
- {%- endif %}
+ - kibana
 - pcap
 - suricata
 - zeek
@@ -216,10 +209,8 @@ base:
 - redis
 {%- endif %}
 - curator
- {%- if KIBANA %}
 - elastic-fleet-package-registry
- - kibana.so_savedobjects_defaults
- {%- endif %}
+ - kibana
 - elastalert
 - utility
 - soctopus
@@ -269,10 +260,8 @@ base:
 - suricata.manager
 - pcap
 - elasticsearch
- {%- if KIBANA %}
 - elastic-fleet-package-registry
- - kibana.so_savedobjects_defaults
- {%- endif %}
+ - kibana
 - utility
 - suricata
 - zeek
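Review bot: `elastic-fleet-package-registry` is now applied unconditionally on all five roles, where it previously sat inside the `{%- if KIBANA %}` block that each of these hunks removes; with Kibana disabled the registry still runs, and the only consumer visible in this patch is Kibana's `xpack.fleet.registryUrl` pointing at `http://<manager_ip>:8080` in map.jinja. If nothing else depends on it, move the registry under the enabled branch of kibana/init.sls (or gate it here on `salt['pillar.get']('kibana:enabled', False)`) so disabling Kibana does not leave an extra plain-HTTP listener on the manager. If another component does use the registry, a comment beside one of these entries, e.g. `# fleet package registry is also used by <component>; keep it independent of kibana`, would stop the next person from re-gating it.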