From 146c1a4d757bf1029f4aa18a0d37765934baf7e5 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 19 Nov 2020 15:06:06 -0500
Subject: [PATCH 1/9] fix typos of minon to minion
---
 salt/salt/map.jinja | 8 ++++----
 salt/soc/files/soc/changes.json | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja
index e4c395304..4796b16a2 100644
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -12,13 +12,13 @@
 {% if grains.saltversion|string != SALTVERSION|string %}
 {% if grains.os|lower in ['centos', 'redhat'] %}
 {% if ISAIRGAP is sameas true %}
- {% set UPGRADECOMMAND = 'yum clean all && yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*" && systemctl restart salt-minon' %}
+ {% set UPGRADECOMMAND = 'yum clean all && yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*" && systemctl restart salt-minion' %}
 {% else %}
- {% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*" && systemctl restart salt-minon' %}
+ {% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*" && systemctl restart salt-minion' %}
 {% endif %}
 {% elif grains.os|lower == 'ubuntu' %}
- {% set UPGRADECOMMAND = 'apt-mark unhold salt-common && apt-mark unhold salt-minion && /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && apt-mark hold salt-common && apt-mark hold salt-minion && systemctl restart salt-minon' %}
+ {% set UPGRADECOMMAND = 'apt-mark unhold salt-common && apt-mark unhold salt-minion && /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && apt-mark hold salt-common && apt-mark hold salt-minion && systemctl restart salt-minion' %}
 {% endif %}
 {% else %}
- {% set UPGRADECOMMAND = 'echo Already running Salt Minon version ' ~ SALTVERSION %}
+ {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
 {% endif %}
\ No newline at end of file
diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json
index 44298caf0..8a0fe1f50 100644
--- a/salt/soc/files/soc/changes.json
+++ b/salt/soc/files/soc/changes.json
@@ -37,6 +37,6 @@
 { "summary": "Winlogbeat download package is now available from the SOC Downloads interface." },
 { "summary": "Upgraded Kratos authentication system." },
 { "summary": "Added new Reset Defaults button to the SOC Profile Settings interface which allows users to reset all local browser SOC customizations back to their defaults. This includes things like default sort column, sort order, items per page, etc." },
- { "summary": "Known Issues " }
+ { "summary": "Known Issues " }
 ]
 }
From 8df9e020acef43c78940943d4b8b94804bb1aee7 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 27 Jan 2021 15:35:29 -0500
Subject: [PATCH 2/9] pillarize elastalert https://github.com/Security-Onion-Solutions/securityonion/issues/1191
---
 salt/elastalert/defaults.yaml | 48 +++++++++++++++++++
 salt/elastalert/elastalert_config.map.jinja | 4 ++
 .../files/elastalert_config.yaml.jinja | 3 ++
 salt/elastalert/init.sls | 6 ++-
 4 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 salt/elastalert/defaults.yaml
 create mode 100644 salt/elastalert/elastalert_config.map.jinja
 create mode 100644 salt/elastalert/files/elastalert_config.yaml.jinja
diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml
new file mode 100644
index 000000000..2bfd03243
--- /dev/null
+++ b/salt/elastalert/defaults.yaml
@@ -0,0 +1,48 @@
+elastalert:
+ config:
+ rules_folder: /opt/elastalert/rules/
+ scan_subdirectories: true
+ disable_rules_on_error: false
+ run_every:
+ minutes: 3
+ buffer_time:
+ minutes: 10
+ old_query_limit:
+ minutes: 5
+ es_host: {{salt['pillar.get']('manager:mainip', '')}}
+ es_port: {{salt['pillar.get']('manager:es_port', '')}}
+ es_conn_timeout: 55
+ max_query_size: 5000
+ #aws_region: us-east-1
+ #profile: test
+ #es_url_prefix: elasticsearch
+ #use_ssl: True
+ #verify_certs: True
+ #es_send_get_body_as: GET
+ #es_username: someusername
+ #es_password: somepassword
+ writeback_index: elastalert_status
+ alert_time_limit:
+ days: 2
+ index_settings:
+ shards: 1
+ replicas: 0
+ logging:
+ version: 1
+ incremental: false
+ disable_existing_loggers: false
+ formatters:
+ logline:
+ format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'
+ handlers:
+ file:
+ class : logging.FileHandler
+ formatter: logline
+ level: INFO
+ filename: /var/log/elastalert/elastalert.log
+ loggers:
+ '':
+ level: INFO
+ handlers:
+ - file
+ propagate: false
diff --git a/salt/elastalert/elastalert_config.map.jinja b/salt/elastalert/elastalert_config.map.jinja
new file mode 100644
index 000000000..270872fee
--- /dev/null
+++ b/salt/elastalert/elastalert_config.map.jinja
@@ -0,0 +1,4 @@
+{% import_yaml 'elastalert/defaults.yaml' as elastalert_defaults with context %}
+{% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
+
+{% do salt['defaults.merge'](elastalert_defaults.elastalert.config, elastalert_pillar, in_place=True) %}
\ No newline at end of file
diff --git a/salt/elastalert/files/elastalert_config.yaml.jinja b/salt/elastalert/files/elastalert_config.yaml.jinja
new file mode 100644
index 000000000..6bcfbef56
--- /dev/null
+++ b/salt/elastalert/files/elastalert_config.yaml.jinja
@@ -0,0 +1,3 @@
+%YAML 1.1
+---
+{{ elastalert_config | yaml(False) }}
\ No newline at end of file
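Review bot: The `es_host`/`es_port` defaults fall back to `''` when `manager:mainip` or `manager:es_port` is absent from pillar, so a minion with incomplete pillar renders an empty `es_host:` while the highstate still reports success and ElastAlert only fails later at runtime. Since this file is now the default layer that pillar `elastalert:config` is merged over, a missing manager address is better treated as a render error, e.g. `{%- if not salt['pillar.get']('manager:mainip') %}{{ raise('elastalert defaults: pillar manager:mainip is not set') }}{%- endif %}` placed before the `config:` block. The commented `#es_username`/`#es_password`/`#use_ssl`/`#verify_certs` lines are inert in a file that is consumed through `defaults.merge`; a one-line comment such as `# any key under pillar elastalert:config overrides the defaults below` would tell operators where those settings actually belong.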
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index fcab3f57c..3fa261580 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -15,6 +15,8 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'elastalert/elastalert_config.map.jinja' import elastalert_defaults as elastalert_config with context %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} @@ -92,7 +94,9 @@ elastasomodulesync: elastaconf: file.managed: - name: /opt/so/conf/elastalert/elastalert_config.yaml - - source: salt://elastalert/files/elastalert_config.yaml + - source: salt://elastalert/files/elastalert_config.yaml.jinja + - context: + elastalert_config: {{ elastalert_config.elastalert.config } - user: 933 - group: 933 - template: jinja From b7aef32eebc5c446e0aa69b330b4ab07d41276b6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 27 Jan 2021 15:50:23 -0500 Subject: [PATCH 3/9] fix missing } --- salt/elastalert/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 3fa261580..c45a4225d 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -96,7 +96,7 @@ elastaconf: - name: /opt/so/conf/elastalert/elastalert_config.yaml - source: salt://elastalert/files/elastalert_config.yaml.jinja - context: - elastalert_config: {{ elastalert_config.elastalert.config } + elastalert_config: {{ elastalert_config.elastalert.config }} - user: 933 - group: 933 - template: jinja From 0936dbdb1c174a56f644ae2bbbe4b69126a676cf Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 28 Jan 2021 11:40:31 -0500 Subject: [PATCH 4/9] add timeouts and retries to ca/ssl states --- salt/ca/init.sls | 3 ++ salt/ssl/init.sls | 72 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+) 
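Review bot: `elastaconf` now writes a file assembled from the pillar merge, which is the layer where `es_username`/`es_password` would be supplied once the commented defaults are overridden, but the visible arguments set only `user: 933`/`group: 933` and no `mode` appears in this hunk. Unless a mode is set in the part of the state outside the hunk, add `- mode: 600` so credentials placed in pillar do not land in a world-readable `/opt/so/conf/elastalert/elastalert_config.yaml`. The `elastaconf` state continues past the end of the hunk.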
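Review bot: `elastalert_config: {{ elastalert_config.elastalert.config }}` interpolates the merged dict through Python's `repr`, so the YAML renderer is left to parse a flow mapping that was never meant as YAML; in my reading plain strings and ints happen to survive, but a `None` value (what an unset `manager:mainip` yields) comes back as the string `None`, and any value containing a quote or backslash breaks the parse. Serialize it deliberately with Salt's filter instead: `elastalert_config: {{ elastalert_config.elastalert.config | json }}`. The `elastaconf` state begins and ends outside this hunk.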
diff --git a/salt/ca/init.sls b/salt/ca/init.sls index 07cb75f31..ca5223d39 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls @@ -42,6 +42,9 @@ pki_private_key: - replace: False - require: - file: /etc/pki + - timeout: 60 + - retry: 5 + - interval: 30 x509_pem_entries: module.run: diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index d6c06d6fd..f12e5ebcb 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -67,6 +67,9 @@ removeesp12dir: - prereq: - x509: /etc/pki/influxdb.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 # Create a cert for the talking to influxdb /etc/pki/influxdb.crt: @@ -82,6 +85,9 @@ removeesp12dir: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 influxkeyperms: file.managed: @@ -104,6 +110,9 @@ influxkeyperms: - prereq: - x509: /etc/pki/redis.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 /etc/pki/redis.crt: x509.certificate_managed: @@ -118,6 +127,9 @@ influxkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 rediskeyperms: file.managed: @@ -140,6 +152,9 @@ rediskeyperms: - prereq: - x509: /etc/pki/filebeat.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 # Request a cert and drop it where it needs to go to be distributed /etc/pki/filebeat.crt: 
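Review bot: `retry: 5` does not match Salt's `retry` requisite, which in the releases I know is a mapping of `attempts`/`interval`/`until`/`splay`; a scalar is logged as an invalid retry configuration and the defaults of 2 attempts at a 30 s interval are used instead, so the intended five attempts never happen. `interval: 30` and `timeout: 60` at state level are not global state arguments either and are forwarded as kwargs to `x509.private_key_managed`; whether the x509 state honours a `timeout` should be confirmed against the Salt version in use. Nest the retry settings under the requisite: `- retry:` / `    attempts: 5` / `    interval: 30`, and drop or verify `timeout`. The same three added lines recur in every hunk of salt/ssl/init.sls in this patch and are retouched (60→30) in PATCH 5/9, so the change applies there as well; the `pki_private_key` state begins before this hunk.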
@@ -159,6 +174,9 @@ rediskeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 cmd.run: - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt" - onchanges: @@ -213,6 +231,9 @@ fbcrtlink: - prereq: - x509: /etc/pki/registry.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 # Create a cert for the docker registry /etc/pki/registry.crt: @@ -228,6 +249,9 @@ fbcrtlink: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/registry.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 regkeyperms: file.managed: @@ -248,6 +272,9 @@ regkeyperms: - prereq: - x509: /etc/pki/minio.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 # Create a cert for minio /etc/pki/minio.crt: @@ -263,6 +290,9 @@ regkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/minio.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 miniokeyperms: file.managed: @@ -284,6 +314,9 @@ miniokeyperms: - prereq: - x509: /etc/pki/elasticsearch.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 /etc/pki/elasticsearch.crt: x509.certificate_managed: 
@@ -298,6 +331,9 @@ miniokeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 cmd.run: - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:" - onchanges: @@ -329,6 +365,9 @@ elasticp12perms: - prereq: - x509: /etc/pki/managerssl.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 # Create a cert for the reverse proxy /etc/pki/managerssl.crt: @@ -345,6 +384,9 @@ elasticp12perms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 msslkeyperms: file.managed: @@ -366,6 +408,9 @@ msslkeyperms: - prereq: - x509: /etc/pki/fleet.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 /etc/pki/fleet.crt: x509.certificate_managed: @@ -379,6 +424,9 @@ msslkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 fleetkeyperms: file.managed: @@ -407,6 +455,9 @@ fbcertdir: - prereq: - x509: /opt/so/conf/filebeat/etc/pki/filebeat.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 # Request a cert and drop it where it needs to go to be distributed /opt/so/conf/filebeat/etc/pki/filebeat.crt: 
@@ -426,6 +477,9 @@ fbcertdir: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 # Convert the key to pkcs#8 so logstash will work correctly. filebeatpkcs: @@ -465,6 +519,9 @@ chownfilebeatp8: - prereq: - x509: /etc/pki/managerssl.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 # Create a cert for the reverse proxy /etc/pki/managerssl.crt: @@ -481,6 +538,9 @@ chownfilebeatp8: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 msslkeyperms: file.managed: @@ -502,6 +562,9 @@ msslkeyperms: - prereq: - x509: /etc/pki/fleet.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 /etc/pki/fleet.crt: x509.certificate_managed: @@ -515,6 +578,9 @@ msslkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 fleetkeyperms: file.managed: @@ -539,6 +605,9 @@ fleetkeyperms: - prereq: - x509: /etc/pki/elasticsearch.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 /etc/pki/elasticsearch.crt: x509.certificate_managed: 
@@ -553,6 +622,9 @@ fleetkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 cmd.run: - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:" - onchanges: From e6ecd609ccc009c56278470c484c85014560c1fe Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 29 Jan 2021 13:44:11 -0500 Subject: [PATCH 5/9] change timeouts to 30s --- salt/ca/init.sls | 2 +- salt/ssl/init.sls | 48 +++++++++++++++++++++++------------------------ 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/salt/ca/init.sls b/salt/ca/init.sls index ca5223d39..0d35c10c1 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls @@ -42,7 +42,7 @@ pki_private_key: - replace: False - require: - file: /etc/pki - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index f12e5ebcb..8d6c65bea 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -67,7 +67,7 @@ removeesp12dir: - prereq: - x509: /etc/pki/influxdb.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -85,7 +85,7 @@ removeesp12dir: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -110,7 +110,7 @@ influxkeyperms: - prereq: - x509: /etc/pki/redis.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 
@@ -127,7 +127,7 @@ influxkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -152,7 +152,7 @@ rediskeyperms: - prereq: - x509: /etc/pki/filebeat.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -174,7 +174,7 @@ rediskeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 cmd.run: @@ -231,7 +231,7 @@ fbcrtlink: - prereq: - x509: /etc/pki/registry.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -249,7 +249,7 @@ fbcrtlink: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/registry.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -272,7 +272,7 @@ regkeyperms: - prereq: - x509: /etc/pki/minio.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -290,7 +290,7 @@ regkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/minio.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 
@@ -314,7 +314,7 @@ miniokeyperms: - prereq: - x509: /etc/pki/elasticsearch.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -331,7 +331,7 @@ miniokeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 cmd.run: @@ -365,7 +365,7 @@ elasticp12perms: - prereq: - x509: /etc/pki/managerssl.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -384,7 +384,7 @@ elasticp12perms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -408,7 +408,7 @@ msslkeyperms: - prereq: - x509: /etc/pki/fleet.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -424,7 +424,7 @@ msslkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -455,7 +455,7 @@ fbcertdir: - prereq: - x509: /opt/so/conf/filebeat/etc/pki/filebeat.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 
@@ -477,7 +477,7 @@ fbcertdir: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -519,7 +519,7 @@ chownfilebeatp8: - prereq: - x509: /etc/pki/managerssl.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -538,7 +538,7 @@ chownfilebeatp8: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -562,7 +562,7 @@ msslkeyperms: - prereq: - x509: /etc/pki/fleet.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -578,7 +578,7 @@ msslkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -605,7 +605,7 @@ fleetkeyperms: - prereq: - x509: /etc/pki/elasticsearch.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -622,7 +622,7 @@ fleetkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 cmd.run: 
From f50a89a0cf7fd422f815d77e7f14a32151d4fed8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 29 Jan 2021 15:28:59 -0500 Subject: [PATCH 6/9] watch elastalert config and restart docker if chagnes --- salt/elastalert/defaults.yaml | 2 +- salt/elastalert/files/elastalert_config.yaml | 110 ------------------ .../files/elastalert_config.yaml.jinja | 2 - salt/elastalert/init.sls | 2 + 4 files changed, 3 insertions(+), 113 deletions(-) delete mode 100644 salt/elastalert/files/elastalert_config.yaml diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml index 2bfd03243..1b177f58e 100644 --- a/salt/elastalert/defaults.yaml +++ b/salt/elastalert/defaults.yaml @@ -45,4 +45,4 @@ elastalert: level: INFO handlers: - file - propagate: false + propagate: false \ No newline at end of file diff --git a/salt/elastalert/files/elastalert_config.yaml b/salt/elastalert/files/elastalert_config.yaml deleted file mode 100644 index 28d26bac0..000000000 --- a/salt/elastalert/files/elastalert_config.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ -{% set esip = salt['pillar.get']('manager:mainip', '') %} -{% set esport = salt['pillar.get']('manager:es_port', '') %} -# This is the folder that contains the rule yaml files -# Any .yaml file will be loaded as a rule -rules_folder: /opt/elastalert/rules/ - -# Sets whether or not ElastAlert should recursively descend -# the rules directory - true or false -scan_subdirectories: true - -# Do not disable a rule when an uncaught exception is thrown - -# This setting should be tweaked once the following issue has been fixed -# https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/98 -disable_rules_on_error: false - -# How often ElastAlert will query Elasticsearch -# The unit can be anything from weeks to seconds -run_every: - minutes: 3 - -# ElastAlert will buffer results from the most recent -# period of time, in case some log sources are not in real time -buffer_time: - minutes: 10 - -# The maximum time between queries for ElastAlert to start at the most recently -# run query. When ElastAlert starts, for each rule, it will search elastalert_metadata -# for the most recently run query and start from that time, unless it is older than -# old_query_limit, in which case it will start from the present time. The default is one week. -old_query_limit: - minutes: 5 - -# The Elasticsearch hostname for metadata writeback -# Note that every rule can have its own Elasticsearch host -es_host: {{ esip }} - -# The Elasticsearch port -es_port: {{ esport }} - -# Sets timeout for connecting to and reading from es_host -es_conn_timeout: 55 - -# The maximum number of documents that will be downloaded from Elasticsearch in -# a single query. The default is 10,000, and if you expect to get near this number, -# consider using use_count_query for the rule. If this limit is reached, ElastAlert -# will scroll through pages the size of max_query_size until processing all results. -max_query_size: 5000 - -# The AWS region to use. 
Set this when using AWS-managed elasticsearch -#aws_region: us-east-1 - -# The AWS profile to use. Use this if you are using an aws-cli profile. -# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html -# for details -#profile: test - -# Optional URL prefix for Elasticsearch -#es_url_prefix: elasticsearch - -# Connect with TLS to Elasticsearch -#use_ssl: True - -# Verify TLS certificates -#verify_certs: True - -# GET request with body is the default option for Elasticsearch. -# If it fails for some reason, you can pass 'GET', 'POST' or 'source'. -# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport -# for details -#es_send_get_body_as: GET - -# Option basic-auth username and password for Elasticsearch -#es_username: someusername -#es_password: somepassword - -# The index on es_host which is used for metadata storage -# This can be a unmapped index, but it is recommended that you run -# elastalert-create-index to set a mapping -writeback_index: elastalert_status - -# If an alert fails for some reason, ElastAlert will retry -# sending the alert until this time period has elapsed -alert_time_limit: - days: 2 - -index_settings: - shards: 1 - replicas: 0 - -logging: - version: 1 - incremental: false - disable_existing_loggers: false - formatters: - logline: - format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s' - - handlers: - file: - class : logging.FileHandler - formatter: logline - level: INFO - filename: /var/log/elastalert/elastalert.log - - loggers: - '': - level: INFO - handlers: - - file - propagate: false diff --git a/salt/elastalert/files/elastalert_config.yaml.jinja b/salt/elastalert/files/elastalert_config.yaml.jinja index 6bcfbef56..9394d0fa2 100644 --- a/salt/elastalert/files/elastalert_config.yaml.jinja +++ b/salt/elastalert/files/elastalert_config.yaml.jinja @@ -1,3 +1 @@ -%YAML 1.1 ---- {{ elastalert_config | yaml(False) }} \ No newline at end of file 
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index c45a4225d..9008832f1 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -123,6 +123,8 @@ so-elastalert: - {{MANAGER_URL}}:{{MANAGER_IP}} - require: - module: wait_for_elasticsearch + - watch: + - file: elastaconf append_so-elastalert_so-status.conf: file.append: From 618b94b9b637c92c6f41382f04de95fab67fb39a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 29 Jan 2021 15:31:05 -0500 Subject: [PATCH 7/9] add newline --- salt/elastalert/files/elastalert_config.yaml.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elastalert/files/elastalert_config.yaml.jinja b/salt/elastalert/files/elastalert_config.yaml.jinja index 9394d0fa2..4e368ab30 100644 --- a/salt/elastalert/files/elastalert_config.yaml.jinja +++ b/salt/elastalert/files/elastalert_config.yaml.jinja @@ -1 +1 @@ -{{ elastalert_config | yaml(False) }} \ No newline at end of file +{{ elastalert_config | yaml(False) }} From 0ea504c16a6da0ff03b21e7d47faf4310c3600f8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 29 Jan 2021 17:32:48 -0500 Subject: [PATCH 8/9] remove space --- salt/elastalert/defaults.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml index 1b177f58e..0602e3fe7 100644 --- a/salt/elastalert/defaults.yaml +++ b/salt/elastalert/defaults.yaml @@ -5,6 +5,7 @@ elastalert: disable_rules_on_error: false run_every: minutes: 3 + seconds: 0 buffer_time: minutes: 10 old_query_limit: @@ -36,7 +37,7 @@ elastalert: format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s' handlers: file: - class : logging.FileHandler + class: logging.FileHandler formatter: logline level: INFO filename: /var/log/elastalert/elastalert.log From 8cf0a3da98d47275ca12f1664ceebd179d518de3 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Mon, 1 Feb 2021 15:19:47 -0500 Subject: [PATCH 9/9] remove seconds --- salt/elastalert/defaults.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml index 0602e3fe7..a22d65b7b 100644 --- a/salt/elastalert/defaults.yaml +++ b/salt/elastalert/defaults.yaml @@ -5,7 +5,6 @@ elastalert: disable_rules_on_error: false run_every: minutes: 3 - seconds: 0 buffer_time: minutes: 10 old_query_limit: