more requires on docker containers

This commit is contained in:
m0duspwnens
2021-10-22 14:10:59 -04:00
parent 451b19dc4d
commit fed8bfac67
8 changed files with 63 additions and 24 deletions


@@ -45,8 +45,6 @@ so-domainstatsimage:
so-domainstats: so-domainstats:
docker_container.running: docker_container.running:
- require:
- so-domainstatsimage
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-domainstats:{{ VERSION }} - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-domainstats:{{ VERSION }}
- hostname: domainstats - hostname: domainstats
- name: so-domainstats - name: so-domainstats
@@ -55,6 +53,7 @@ so-domainstats:
- /opt/so/log/domainstats:/var/log/domain_stats - /opt/so/log/domainstats:/var/log/domain_stats
- require: - require:
- file: dstatslogdir - file: dstatslogdir
- cmd: so-domainstatsimage
append_so-domainstats_so-status.conf: append_so-domainstats_so-status.conf:
file.append: file.append:
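Review bot: The `- cmd: so-domainstatsimage` requisite added to so-domainstats only orders the container state after the image state; if that cmd re-pulls `{{ VERSION }}` under an unchanged tag, `docker_container.running` has no reason to recreate the container, so a refreshed image is not picked up until something else restarts it. If restarting on a new image is the intent, `- watch:` with `- cmd: so-domainstatsimage` does that (watch implies require in Salt). The removed bare `- so-domainstatsimage` entry was an ID-only reference, so the new `cmd:` prefix must match the module of the so-domainstatsimage state, which is outside this hunk and worth confirming.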


@@ -25,9 +25,10 @@
{% from 'filebeat/map.jinja' import SO with context %} {% from 'filebeat/map.jinja' import SO with context %}
{% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %} {% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %}
include:
- ssl
#only include elastic state for certain nodes #only include elastic state for certain nodes
{% if grains.role in ES_INCLUDED_NODES %} {% if grains.role in ES_INCLUDED_NODES %}
include:
- elasticsearch - elasticsearch
{% endif %} {% endif %}
@@ -66,7 +67,7 @@ fileregistrydir:
- makedirs: True - makedirs: True
# This needs to be owned by root # This needs to be owned by root
filebeatconfsync: filebeatconf:
file.managed: file.managed:
- name: /opt/so/conf/filebeat/etc/filebeat.yml - name: /opt/so/conf/filebeat/etc/filebeat.yml
- source: salt://filebeat/etc/filebeat.yml - source: salt://filebeat/etc/filebeat.yml
@@ -78,7 +79,7 @@ filebeatconfsync:
OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }} OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }}
# Filebeat module config file # Filebeat module config file
filebeatmoduleconfsync: filebeatmoduleconf:
file.managed: file.managed:
- name: /opt/so/conf/filebeat/etc/module-setup.yml - name: /opt/so/conf/filebeat/etc/module-setup.yml
- source: salt://filebeat/etc/module-setup.yml - source: salt://filebeat/etc/module-setup.yml
@@ -135,7 +136,14 @@ so-filebeat:
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
- watch: - watch:
- file: /opt/so/conf/filebeat/etc/filebeat.yml - file: filebeatconf
- require:
- file: filebeatconf
- file: filebeatmoduleconf
- file: filebeatmoduledir
- x509: filebeat_crt
- x509: filebeat_key
- x509: trusttheca
{% if grains.role in ES_INCLUDED_NODES %} {% if grains.role in ES_INCLUDED_NODES %}
run_module_setup: run_module_setup:
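Review bot: `- x509: trusttheca` is required unconditionally at the end of so-filebeat, but the logstash state in this same commit references trusttheca only on so-heavynode and uses `pki_public_ca_crt` for every other role; if trusttheca is role-gated the same way in ssl.sls, this require fails with an unresolved requisite on the other roles this state renders for. Mirroring the logstash conditional here, or requiring the CA state that exists for all roles, avoids that. Separately, the certificate states are listed under `require` but not `watch`, so a regenerated filebeat key or cert would not restart the container and the old key stays loaded; moving the x509 entries under `- watch:` covers that, since watch implies require. The watch now references `file: filebeatconf` instead of the path, which is correct only if no other state manages /opt/so/conf/filebeat/etc/filebeat.yml.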


@@ -17,6 +17,7 @@
include: include:
- ssl
- mysql - mysql
# Fleet Setup # Fleet Setup
@@ -136,10 +137,13 @@ so-fleet:
- /opt/so/conf/fleet/packs:/packs - /opt/so/conf/fleet/packs:/packs
- watch: - watch:
- /opt/so/conf/fleet/etc - /opt/so/conf/fleet/etc
- require:
- x509: fleet_key
- x509: fleet_crt
append_so-fleet_so-status.conf: append_so-fleet_so-status.conf:
file.append: file.append:
- name: /opt/so/conf/so-status/so-status.conf - name: /opt/so/conf/so-status/so-status.conf
- text: so-fleet - text: so-fleet
{% endif %} {% endif %}
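Review bot: fleet_key and fleet_crt are added only under `require`, so when ssl.sls regenerates the self-signed fleet certificate (`signing_private_key: /etc/pki/fleet.key`, CN and SAN set to the manager) the so-fleet container keeps serving the old certificate until it happens to be restarted; the existing watch covers only `/opt/so/conf/fleet/etc`. Listing the two x509 states under `- watch:` instead (watch implies require) restarts the container on renewal. This only matters if the container actually mounts /etc/pki/fleet.crt, which is outside the hunk and worth confirming.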


@@ -132,6 +132,8 @@ so-grafana:
- 0.0.0.0:3000:3000 - 0.0.0.0:3000:3000
- watch: - watch:
- file: /opt/so/conf/grafana/* - file: /opt/so/conf/grafana/*
- require:
- file: grafana-config
append_so-grafana_so-status.conf: append_so-grafana_so-status.conf:
file.append: file.append:


@@ -17,6 +17,8 @@
include: include:
- salt.minion - salt.minion
- salt.python3-influxdb - salt.python3-influxdb
- ssl
# Influx DB # Influx DB
influxconfdir: influxconfdir:
file.directory: file.directory:
@@ -60,6 +62,10 @@ so-influxdb:
- 0.0.0.0:8086:8086 - 0.0.0.0:8086:8086
- watch: - watch:
- file: influxdbconf - file: influxdbconf
- require:
- file: influxdbconf
- x509: influxdb_key
- x509: influxdb_crt
append_so-influxdb_so-status.conf: append_so-influxdb_so-status.conf:
file.append: file.append:
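Review bot: `- file: influxdbconf` under the new `require` on so-influxdb is redundant with the `watch` on the same state directly above it, since a watch requisite already implies require. The two x509 entries would be more useful under `watch` than `require`: as written, a regenerated /etc/pki/influxdb.key or .crt does not restart the container, so it keeps the old key in memory, whereas `- watch: - file: influxdbconf - x509: influxdb_key - x509: influxdb_crt` restarts on any of the three. The service still binds `0.0.0.0:8086` (pre-existing), so the TLS material being wired here protects an interface reachable from every host network, which makes timely rotation matter.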


@@ -51,6 +51,8 @@ so-logscan:
- /opt/so/log/logscan:/logscan/output:rw - /opt/so/log/logscan:/logscan/output:rw
- /opt/so/log:/logscan/logs:ro - /opt/so/log:/logscan/logs:ro
- cpu_period: {{ logscan_cpu_period }} - cpu_period: {{ logscan_cpu_period }}
- require:
- file: logscan_conf
{% else %} {% else %}
- force: true - force: true
{% endif %} {% endif %}


@@ -45,6 +45,7 @@
{% endif %} {% endif %}
include: include:
- ssl
- elasticsearch - elasticsearch
# Create the logstash group # Create the logstash group
@@ -162,9 +163,7 @@ so-logstash:
{% endfor %} {% endfor %}
- binds: - binds:
- /opt/so/conf/elasticsearch/templates/:/templates/:ro - /opt/so/conf/elasticsearch/templates/:/templates/:ro
- /opt/so/conf/logstash/etc/log4j2.properties:/usr/share/logstash/config/log4j2.properties:ro - /opt/so/conf/logstash/etc/:/usr/share/logstash/config/:ro
- /opt/so/conf/logstash/etc/logstash.yml:/usr/share/logstash/config/logstash.yml:ro
- /opt/so/conf/logstash/etc/pipelines.yml:/usr/share/logstash/config/pipelines.yml
- /opt/so/conf/logstash/pipelines:/usr/share/logstash/pipelines:ro - /opt/so/conf/logstash/pipelines:/usr/share/logstash/pipelines:ro
- /opt/so/rules:/etc/nsm/rules:ro - /opt/so/rules:/etc/nsm/rules:ro
- /nsm/import:/nsm/import:ro - /nsm/import:/nsm/import:ro
@@ -181,7 +180,6 @@ so-logstash:
{% endif %} {% endif %}
- /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
- /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
- /etc/pki/ca.cer:/ca/ca.crt:ro
{%- if grains['role'] == 'so-eval' %} {%- if grains['role'] == 'so-eval' %}
- /nsm/zeek:/nsm/zeek:ro - /nsm/zeek:/nsm/zeek:ro
- /nsm/suricata:/suricata:ro - /nsm/suricata:/suricata:ro
@@ -201,6 +199,16 @@ so-logstash:
{% for TEMPLATE in TEMPLATES %} {% for TEMPLATE in TEMPLATES %}
- file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}
{% endfor %} {% endfor %}
- require:
- x509: filebeat_crt
- x509: filebeat_key
{% if grains['role'] == 'so-heavynode' %}
- x509: trusttheca
{% else %}
- x509: pki_public_ca_crt
{% endif %}
- file: cacertz
- file: capemz
append_so-logstash_so-status.conf: append_so-logstash_so-status.conf:
file.append: file.append:
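Review bot: Replacing the three per-file binds with `/opt/so/conf/logstash/etc/:/usr/share/logstash/config/:ro` mounts over the image's whole config directory, so anything the image ships there (jvm.options, startup.options, default pipelines.yml) is hidden unless a copy exists on the host; confirm /opt/so/conf/logstash/etc is populated with every file Logstash expects, and that nothing else (secrets, backups) lives in that directory, since the entire directory is now exposed to the container. The same mount changes pipelines.yml from read-write to read-only, which is a good tightening but a behavior change if any tooling expected Logstash to write there. The certificate states are only under `require`, so a renewed filebeat key/cert or CA bundle (cacertz/capemz) does not restart Logstash; `watch` is the better requisite for those. The `- /etc/pki/ca.cer:/ca/ca.crt:ro` bind is dropped while the new conditional requires on trusttheca/pki_public_ca_crt suggest the CA now arrives via cacertz/capemz, so any pipeline that referenced /ca/ca.crt must have been updated, which is outside this diff.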


@@ -67,8 +67,9 @@ removeesp12dir:
- name: /etc/pki/elasticsearch.p12 - name: /etc/pki/elasticsearch.p12
- onlyif: "[ -d /etc/pki/elasticsearch.p12 ]" - onlyif: "[ -d /etc/pki/elasticsearch.p12 ]"
/etc/pki/influxdb.key: influxdb_key:
x509.private_key_managed: x509.private_key_managed:
- name: /etc/pki/influxdb.key
- CN: {{ manager }} - CN: {{ manager }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
@@ -85,8 +86,9 @@ removeesp12dir:
interval: 30 interval: 30
# Create a cert for the talking to influxdb # Create a cert for the talking to influxdb
/etc/pki/influxdb.crt: influxdb_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /etc/pki/influxdb.crt
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: influxdb - signing_policy: influxdb
- public_key: /etc/pki/influxdb.key - public_key: /etc/pki/influxdb.key
@@ -161,8 +163,9 @@ rediskeyperms:
{% endif %} {% endif %}
{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %} {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}
/etc/pki/filebeat.key: filebeat_key:
x509.private_key_managed: x509.private_key_managed:
- name: /etc/pki/filebeat.key
- CN: {{ COMMONNAME }} - CN: {{ COMMONNAME }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
@@ -179,8 +182,9 @@ rediskeyperms:
interval: 30 interval: 30
# Request a cert and drop it where it needs to go to be distributed # Request a cert and drop it where it needs to go to be distributed
/etc/pki/filebeat.crt: filebeat_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /etc/pki/filebeat.crt
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: filebeat - signing_policy: filebeat
- public_key: /etc/pki/filebeat.key - public_key: /etc/pki/filebeat.key
@@ -201,7 +205,7 @@ rediskeyperms:
cmd.run: cmd.run:
- name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt" - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
- onchanges: - onchanges:
- x509: /etc/pki/filebeat.key - x509: filebeat_key
fbperms: fbperms:
@@ -427,8 +431,9 @@ msslkeyperms:
- group: 939 - group: 939
# Create a private key and cert for OSQuery # Create a private key and cert for OSQuery
/etc/pki/fleet.key: fleet_key:
x509.private_key_managed: x509.private_key_managed:
- name: /etc/pki/fleet.key
- CN: {{ manager }} - CN: {{ manager }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
@@ -444,8 +449,9 @@ msslkeyperms:
attempts: 5 attempts: 5
interval: 30 interval: 30
/etc/pki/fleet.crt: fleet_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /etc/pki/fleet.crt
- signing_private_key: /etc/pki/fleet.key - signing_private_key: /etc/pki/fleet.key
- CN: {{ manager }} - CN: {{ manager }}
- subjectAltName: DNS:{{ manager }},IP:{{ managerip }} - subjectAltName: DNS:{{ manager }},IP:{{ managerip }}
@@ -476,8 +482,9 @@ fbcertdir:
- name: /opt/so/conf/filebeat/etc/pki - name: /opt/so/conf/filebeat/etc/pki
- makedirs: True - makedirs: True
/opt/so/conf/filebeat/etc/pki/filebeat.key: filebeat_key:
x509.private_key_managed: x509.private_key_managed:
- name: /opt/so/conf/filebeat/etc/pki/filebeat.key
- CN: {{ COMMONNAME }} - CN: {{ COMMONNAME }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
@@ -486,7 +493,7 @@ fbcertdir:
- new: True - new: True
{% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%} {% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%}
- prereq: - prereq:
- x509: /opt/so/conf/filebeat/etc/pki/filebeat.crt - x509: filebeat_crt
{%- endif %} {%- endif %}
- timeout: 30 - timeout: 30
- retry: - retry:
@@ -494,8 +501,9 @@ fbcertdir:
interval: 30 interval: 30
# Request a cert and drop it where it needs to go to be distributed # Request a cert and drop it where it needs to go to be distributed
/opt/so/conf/filebeat/etc/pki/filebeat.crt: filebeat_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: filebeat - signing_policy: filebeat
- public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
@@ -519,7 +527,7 @@ filebeatpkcs:
cmd.run: cmd.run:
- name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:" - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:"
- onchanges: - onchanges:
- x509: /opt/so/conf/filebeat/etc/pki/filebeat.key - x509: filebeat_key
filebeatkeyperms: filebeatkeyperms:
file.managed: file.managed:
@@ -585,8 +593,9 @@ msslkeyperms:
- group: 939 - group: 939
# Create a private key and cert for Fleet # Create a private key and cert for Fleet
/etc/pki/fleet.key: fleet_key:
x509.private_key_managed: x509.private_key_managed:
- name: /etc/pki/fleet.key
- CN: {{ manager }} - CN: {{ manager }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
@@ -602,8 +611,9 @@ msslkeyperms:
attempts: 5 attempts: 5
interval: 30 interval: 30
/etc/pki/fleet.crt: fleet_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /etc/pki/fleet.crt
- signing_private_key: /etc/pki/fleet.key - signing_private_key: /etc/pki/fleet.key
- CN: {{ HOSTNAME }} - CN: {{ HOSTNAME }}
- subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %}