CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-03-23 13:05:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: CSEC_PUBLIC:analyzer-cp314-wheels
Branches Tags
CSEC_PUBLIC:master CSEC_PUBLIC:zeek-websocket CSEC_PUBLIC:3/dev CSEC_PUBLIC:delta CSEC_PUBLIC:quickfixes CSEC_PUBLIC:jertel/wip CSEC_PUBLIC:customulimit CSEC_PUBLIC:ulimits CSEC_PUBLIC:reyesj2-449 CSEC_PUBLIC:reyesj2-15601 CSEC_PUBLIC:zeekload CSEC_PUBLIC:moreja CSEC_PUBLIC:analyzer-cp314-wheels CSEC_PUBLIC:moresoup CSEC_PUBLIC:mreeves/remove-non-oracle9-salt CSEC_PUBLIC:mreeves/remove-non-oracle9-support CSEC_PUBLIC:TOoSmOotH-patch-6 CSEC_PUBLIC:2.4/dev CSEC_PUBLIC:2.4/main CSEC_PUBLIC:patch/2.4.211 CSEC_PUBLIC:TOoSmOotH-patch-5 CSEC_PUBLIC:stenoclean CSEC_PUBLIC:fix/suricatatest CSEC_PUBLIC:bravo CSEC_PUBLIC:kilo CSEC_PUBLIC:foxtrot CSEC_PUBLIC:3/dev-merge-fix CSEC_PUBLIC:2.4.210 CSEC_PUBLIC:TOoSmOotH-patch-2 CSEC_PUBLIC:3/main CSEC_PUBLIC:patch/2.4.201 CSEC_PUBLIC:reyesj2/elastic-statereview CSEC_PUBLIC:2.4/playbooklocalrepo CSEC_PUBLIC:kaffytaffy CSEC_PUBLIC:2.3/main CSEC_PUBLIC:dev CSEC_PUBLIC:sysusers CSEC_PUBLIC:feature/users
CSEC_PUBLIC:2.4.211-20260312 CSEC_PUBLIC:2.4.210-20260302 CSEC_PUBLIC:2.4.201-20260114 CSEC_PUBLIC:2.4.200-20251216 CSEC_PUBLIC:2.4.190-20251024 CSEC_PUBLIC:2.4.180-20250916 CSEC_PUBLIC:2.4.170-20250812 CSEC_PUBLIC:2.4.160-20250625 CSEC_PUBLIC:2.4.160-20250615 CSEC_PUBLIC:2.4.150-20250522 CSEC_PUBLIC:2.4.150-20250512 CSEC_PUBLIC:2.4.141-20250331 CSEC_PUBLIC:2.4.140-20250324 CSEC_PUBLIC:2.4.130-20250311 CSEC_PUBLIC:2.4.120-20250212 CSEC_PUBLIC:2.4.111-20241217 CSEC_PUBLIC:2.4.110-20241010 CSEC_PUBLIC:2.4.110-20241004 CSEC_PUBLIC:2.4.100-20240903 CSEC_PUBLIC:2.4.100-20240829 CSEC_PUBLIC:2.4.90-20240729 CSEC_PUBLIC:2.4.80-20240624 CSEC_PUBLIC:2.4.80-20240625 CSEC_PUBLIC:2.4.70-20240529 CSEC_PUBLIC:2.3.300-20240401 CSEC_PUBLIC:2.4.60-20240320 CSEC_PUBLIC:2.3.290-20240229 CSEC_PUBLIC:2.4.50-20240220 CSEC_PUBLIC:2.4.40-20240116 CSEC_PUBLIC:2.4.30-20231228 CSEC_PUBLIC:2.4.30-20231219 CSEC_PUBLIC:2.4.30-20231204 CSEC_PUBLIC:2.3.280-20231128 CSEC_PUBLIC:2.4.30-20231121 CSEC_PUBLIC:2.4.30-20231117 CSEC_PUBLIC:2.4.30-20231113 CSEC_PUBLIC:2.4.20-20231012 CSEC_PUBLIC:2.4.20-20231006 CSEC_PUBLIC:2.3.270-1006 CSEC_PUBLIC:2.4.10-202030821 CSEC_PUBLIC:2.4.10-20230815 CSEC_PUBLIC:2.4.5-20230807 CSEC_PUBLIC:2.4.5 CSEC_PUBLIC:2.4.4-20230728 CSEC_PUBLIC:2.4.3-20230711 CSEC_PUBLIC:2.3.260-20230620 CSEC_PUBLIC:2.4.2-20230531 CSEC_PUBLIC:2.3.250-20230519 CSEC_PUBLIC:2.3.240-20220426 CSEC_PUBLIC:2.4.1-20230424 CSEC_PUBLIC:2.3.230-20230417 CSEC_PUBLIC:2.4.0-20230328 CSEC_PUBLIC:2.3.220-20230301 CSEC_PUBLIC:2.3.220-20230224 CSEC_PUBLIC:2.3.210-20230202 CSEC_PUBLIC:2.3.200-20230113 CSEC_PUBLIC:2.3.190-20221207 CSEC_PUBLIC:2.3.190-20221205 CSEC_PUBLIC:2.3.182-20221109 CSEC_PUBLIC:2.3.181-20221021 CSEC_PUBLIC:2.3.180-20221014 CSEC_PUBLIC:2.3.170-20220922 CSEC_PUBLIC:2.3.160-20220829 CSEC_PUBLIC:2.3.150-20220820 CSEC_PUBLIC:2.3.140-20220812 CSEC_PUBLIC:2.3.140-20220719 CSEC_PUBLIC:2.3.140-20220718 CSEC_PUBLIC:2.3.130-20220607 CSEC_PUBLIC:2.3.120 CSEC_PUBLIC:2.3.110-20220407 CSEC_PUBLIC:2.3.110-20220405 CSEC_PUBLIC:2.3.110-20220401 CSEC_PUBLIC:2.3.110-20220309 CSEC_PUBLIC:2.3.100-20220301 CSEC_PUBLIC:2.3.100-20220203 CSEC_PUBLIC:2.3.100-20220202 CSEC_PUBLIC:2.3.100 CSEC_PUBLIC:2.3.91 CSEC_PUBLIC:2.3.90-20211213 CSEC_PUBLIC:2.3.90-20211210 CSEC_PUBLIC:2.3.90-20211206 CSEC_PUBLIC:2.3.90-AIRGAPFIX CSEC_PUBLIC:2.3.90-WAZUH CSEC_PUBLIC:2.3.90 CSEC_PUBLIC:2.3.80 CSEC_PUBLIC:2.3.70-WAZUH CSEC_PUBLIC:2.3.70-GRAFANA CSEC_PUBLIC:2.3.70-CURATOR CSEC_PUBLIC:2.3.70 CSEC_PUBLIC:2.3.61MSEARCH CSEC_PUBLIC:2.3.61STENODOCKER CSEC_PUBLIC:2.3.61 CSEC_PUBLIC:2.3.60CURATORAUTH CSEC_PUBLIC:2.3.60FBPIPELINE CSEC_PUBLIC:2.3.60HEAVYNODE CSEC_PUBLIC:2.3.60ECS CSEC_PUBLIC:2.3.60 CSEC_PUBLIC:2.3.52 CSEC_PUBLIC:2.3.51 CSEC_PUBLIC:2.3.50GRIDFIX CSEC_PUBLIC:2.3.50 CSEC_PUBLIC:2.3.40 CSEC_PUBLIC:2.3.30 CSEC_PUBLIC:2.3.21 CSEC_PUBLIC:2.3.20 CSEC_PUBLIC:2.3.10 CSEC_PUBLIC:2.3.2 CSEC_PUBLIC:2.3.1 CSEC_PUBLIC:2.3.0 CSEC_PUBLIC:2.2.0-rc3 CSEC_PUBLIC:2.1.0-rc2 CSEC_PUBLIC:2.0.1-rc1.1 CSEC_PUBLIC:2.0.1-rc1 CSEC_PUBLIC:2.0.0-rc1 CSEC_PUBLIC:1.4.1 CSEC_PUBLIC:1.4.0 CSEC_PUBLIC:1.3.0 CSEC_PUBLIC:1.2.1-1 CSEC_PUBLIC:1.2.1 CSEC_PUBLIC:1.1.4 CSEC_PUBLIC:1.1.3 CSEC_PUBLIC:1.0.4 CSEC_PUBLIC:v1.0.3
..
compare: CSEC_PUBLIC:delta
Branches Tags
CSEC_PUBLIC:zeek-websocket CSEC_PUBLIC:3/dev CSEC_PUBLIC:delta CSEC_PUBLIC:quickfixes CSEC_PUBLIC:jertel/wip CSEC_PUBLIC:customulimit CSEC_PUBLIC:ulimits CSEC_PUBLIC:reyesj2-449 CSEC_PUBLIC:reyesj2-15601 CSEC_PUBLIC:zeekload CSEC_PUBLIC:moreja CSEC_PUBLIC:analyzer-cp314-wheels CSEC_PUBLIC:moresoup CSEC_PUBLIC:mreeves/remove-non-oracle9-salt CSEC_PUBLIC:mreeves/remove-non-oracle9-support CSEC_PUBLIC:TOoSmOotH-patch-6 CSEC_PUBLIC:2.4/dev CSEC_PUBLIC:2.4/main CSEC_PUBLIC:patch/2.4.211 CSEC_PUBLIC:TOoSmOotH-patch-5 CSEC_PUBLIC:stenoclean CSEC_PUBLIC:fix/suricatatest CSEC_PUBLIC:bravo CSEC_PUBLIC:kilo CSEC_PUBLIC:foxtrot CSEC_PUBLIC:3/dev-merge-fix CSEC_PUBLIC:2.4.210 CSEC_PUBLIC:TOoSmOotH-patch-2 CSEC_PUBLIC:3/main CSEC_PUBLIC:patch/2.4.201 CSEC_PUBLIC:reyesj2/elastic-statereview CSEC_PUBLIC:2.4/playbooklocalrepo CSEC_PUBLIC:kaffytaffy CSEC_PUBLIC:2.3/main CSEC_PUBLIC:master CSEC_PUBLIC:dev CSEC_PUBLIC:sysusers CSEC_PUBLIC:feature/users
CSEC_PUBLIC:2.4.211-20260312 CSEC_PUBLIC:2.4.210-20260302 CSEC_PUBLIC:2.4.201-20260114 CSEC_PUBLIC:2.4.200-20251216 CSEC_PUBLIC:2.4.190-20251024 CSEC_PUBLIC:2.4.180-20250916 CSEC_PUBLIC:2.4.170-20250812 CSEC_PUBLIC:2.4.160-20250625 CSEC_PUBLIC:2.4.160-20250615 CSEC_PUBLIC:2.4.150-20250522 CSEC_PUBLIC:2.4.150-20250512 CSEC_PUBLIC:2.4.141-20250331 CSEC_PUBLIC:2.4.140-20250324 CSEC_PUBLIC:2.4.130-20250311 CSEC_PUBLIC:2.4.120-20250212 CSEC_PUBLIC:2.4.111-20241217 CSEC_PUBLIC:2.4.110-20241010 CSEC_PUBLIC:2.4.110-20241004 CSEC_PUBLIC:2.4.100-20240903 CSEC_PUBLIC:2.4.100-20240829 CSEC_PUBLIC:2.4.90-20240729 CSEC_PUBLIC:2.4.80-20240624 CSEC_PUBLIC:2.4.80-20240625 CSEC_PUBLIC:2.4.70-20240529 CSEC_PUBLIC:2.3.300-20240401 CSEC_PUBLIC:2.4.60-20240320 CSEC_PUBLIC:2.3.290-20240229 CSEC_PUBLIC:2.4.50-20240220 CSEC_PUBLIC:2.4.40-20240116 CSEC_PUBLIC:2.4.30-20231228 CSEC_PUBLIC:2.4.30-20231219 CSEC_PUBLIC:2.4.30-20231204 CSEC_PUBLIC:2.3.280-20231128 CSEC_PUBLIC:2.4.30-20231121 CSEC_PUBLIC:2.4.30-20231117 CSEC_PUBLIC:2.4.30-20231113 CSEC_PUBLIC:2.4.20-20231012 CSEC_PUBLIC:2.4.20-20231006 CSEC_PUBLIC:2.3.270-1006 CSEC_PUBLIC:2.4.10-202030821 CSEC_PUBLIC:2.4.10-20230815 CSEC_PUBLIC:2.4.5-20230807 CSEC_PUBLIC:2.4.5 CSEC_PUBLIC:2.4.4-20230728 CSEC_PUBLIC:2.4.3-20230711 CSEC_PUBLIC:2.3.260-20230620 CSEC_PUBLIC:2.4.2-20230531 CSEC_PUBLIC:2.3.250-20230519 CSEC_PUBLIC:2.3.240-20220426 CSEC_PUBLIC:2.4.1-20230424 CSEC_PUBLIC:2.3.230-20230417 CSEC_PUBLIC:2.4.0-20230328 CSEC_PUBLIC:2.3.220-20230301 CSEC_PUBLIC:2.3.220-20230224 CSEC_PUBLIC:2.3.210-20230202 CSEC_PUBLIC:2.3.200-20230113 CSEC_PUBLIC:2.3.190-20221207 CSEC_PUBLIC:2.3.190-20221205 CSEC_PUBLIC:2.3.182-20221109 CSEC_PUBLIC:2.3.181-20221021 CSEC_PUBLIC:2.3.180-20221014 CSEC_PUBLIC:2.3.170-20220922 CSEC_PUBLIC:2.3.160-20220829 CSEC_PUBLIC:2.3.150-20220820 CSEC_PUBLIC:2.3.140-20220812 CSEC_PUBLIC:2.3.140-20220719 CSEC_PUBLIC:2.3.140-20220718 CSEC_PUBLIC:2.3.130-20220607 CSEC_PUBLIC:2.3.120 CSEC_PUBLIC:2.3.110-20220407 CSEC_PUBLIC:2.3.110-20220405 CSEC_PUBLIC:2.3.110-20220401 CSEC_PUBLIC:2.3.110-20220309 CSEC_PUBLIC:2.3.100-20220301 CSEC_PUBLIC:2.3.100-20220203 CSEC_PUBLIC:2.3.100-20220202 CSEC_PUBLIC:2.3.100 CSEC_PUBLIC:2.3.91 CSEC_PUBLIC:2.3.90-20211213 CSEC_PUBLIC:2.3.90-20211210 CSEC_PUBLIC:2.3.90-20211206 CSEC_PUBLIC:2.3.90-AIRGAPFIX CSEC_PUBLIC:2.3.90-WAZUH CSEC_PUBLIC:2.3.90 CSEC_PUBLIC:2.3.80 CSEC_PUBLIC:2.3.70-WAZUH CSEC_PUBLIC:2.3.70-GRAFANA CSEC_PUBLIC:2.3.70-CURATOR CSEC_PUBLIC:2.3.70 CSEC_PUBLIC:2.3.61MSEARCH CSEC_PUBLIC:2.3.61STENODOCKER CSEC_PUBLIC:2.3.61 CSEC_PUBLIC:2.3.60CURATORAUTH CSEC_PUBLIC:2.3.60FBPIPELINE CSEC_PUBLIC:2.3.60HEAVYNODE CSEC_PUBLIC:2.3.60ECS CSEC_PUBLIC:2.3.60 CSEC_PUBLIC:2.3.52 CSEC_PUBLIC:2.3.51 CSEC_PUBLIC:2.3.50GRIDFIX CSEC_PUBLIC:2.3.50 CSEC_PUBLIC:2.3.40 CSEC_PUBLIC:2.3.30 CSEC_PUBLIC:2.3.21 CSEC_PUBLIC:2.3.20 CSEC_PUBLIC:2.3.10 CSEC_PUBLIC:2.3.2 CSEC_PUBLIC:2.3.1 CSEC_PUBLIC:2.3.0 CSEC_PUBLIC:2.2.0-rc3 CSEC_PUBLIC:2.1.0-rc2 CSEC_PUBLIC:2.0.1-rc1.1 CSEC_PUBLIC:2.0.1-rc1 CSEC_PUBLIC:2.0.0-rc1 CSEC_PUBLIC:1.4.1 CSEC_PUBLIC:1.4.0 CSEC_PUBLIC:1.3.0 CSEC_PUBLIC:1.2.1-1 CSEC_PUBLIC:1.2.1 CSEC_PUBLIC:1.1.4 CSEC_PUBLIC:1.1.3 CSEC_PUBLIC:1.0.4 CSEC_PUBLIC:v1.0.3

91 Commits
analyzer-c ... delta

Author SHA1 Message Date
Josh Patterson
f0f9de4b44 add status updates for pillar conversions 2026-03-20 16:12:10 -04:00
Josh Patterson
e857a8487a convert suricata pillar data yes/no to true/false 2026-03-20 15:35:44 -04:00
Josh Patterson
fa4bf218d5 Merge pull request #15652 from Security-Onion-Solutions/delta 
Enabled / Disabled Buttons for SOC Grid Configuration
 2026-03-20 09:19:55 -04:00
Josh Patterson
2186872317 update telegraf lower true/false 2026-03-20 09:19:22 -04:00
Josh Patterson
6e3986b0b0 set community-id annotation to advanced 2026-03-19 17:37:40 -04:00
Josh Patterson
2585bdd23f add more description to checksum-checks 2026-03-19 17:30:47 -04:00
Josh Patterson
ca588d2e78 new elastalert options advanced 2026-03-19 17:19:42 -04:00
Josh Patterson
f756ecb396 remove quotes from suricata af-packet config 2026-03-19 17:14:55 -04:00
Josh Patterson
82107f00a1 afpacket:checksum-checks yes/no options instead of true/false 2026-03-19 16:57:42 -04:00
Josh Patterson
5c53244b54 convert suricata config yes/no to true/false 2026-03-19 16:41:17 -04:00
Josh Patterson
3b269e8b82 Merge remote-tracking branch 'origin/3/dev' into delta 2026-03-19 15:14:06 -04:00
Josh Patterson
7ece93d7e0 ensure bool sliders telegraf 2026-03-19 15:12:47 -04:00
Josh Patterson
14d254e81b ensure bool sliders suricata 2026-03-19 15:02:45 -04:00
Josh Patterson
7af6efda1e ensure bool sliders strelka 2026-03-19 14:46:49 -04:00
Josh Patterson
ce972238fe ensure bool sliders sensoroni 2026-03-19 14:41:49 -04:00
Josh Patterson
442bd1499d ensure bool sliders for patch 2026-03-19 14:39:10 -04:00
Josh Patterson
30ea309dff ensure bool sliders for manager 2026-03-19 14:36:36 -04:00
Josh Patterson
bfeefeea2f ensure bool sliders for kratos 2026-03-19 14:36:05 -04:00
Josh Patterson
8251d56a96 ensure bool sliders for kibana 2026-03-19 14:24:13 -04:00
Josh Patterson
1b1e602716 ensure bool sliders for influxdb 2026-03-19 14:16:37 -04:00
Josh Patterson
034b1d045b ensure bool sliders for idh 2026-03-19 14:00:20 -04:00
Josh Patterson
20bf88b338 ensure bool sliders for elasticsearch 2026-03-19 13:52:40 -04:00
Josh Patterson
d3f819017b ensure bool sliders for elasticfleet config options 2026-03-19 13:13:26 -04:00
Josh Patterson
c92aedfff3 ensure bool sliders for elastalert config options 2026-03-19 13:06:32 -04:00
Mike Reeves
7aded184b3 Merge pull request #15648 from Security-Onion-Solutions/quickfixes 
Hyperlink to JA4+ license
 2026-03-19 12:50:52 -04:00
Mike Reeves
d3938b61d2 ja4plus nest enabled under ja4plus key for defaults 2026-03-19 12:39:37 -04:00
Josh Patterson
c2c5aea244 ensure bool sliders for each state:enabled annotation 2026-03-19 12:35:38 -04:00
Mike Reeves
83b7fecbbc ja4plus cleanup 2026-03-19 11:12:24 -04:00
Mike Reeves
d227cf71c8 ja4plus cleanup 2026-03-19 11:01:40 -04:00
Josh Patterson
020b9db610 Merge pull request #15641 from Security-Onion-Solutions/delta 
Support docker ulimit customization
 2026-03-19 09:46:33 -04:00
Josh Patterson
cceaebe350 remove restriction of mmap locked on suricata ulimits 2026-03-19 09:42:39 -04:00
Josh Patterson
a982056363 Merge remote-tracking branch 'origin/3/dev' into delta 2026-03-18 15:45:15 -04:00
Josh Patterson
db81834e06 fix indentation to match prior indentation 2026-03-18 15:44:49 -04:00
Jason Ertel
318e4ec54b Merge pull request #15643 from Security-Onion-Solutions/jertel/wip 
fix casing to match annotation docs
 2026-03-18 15:36:47 -04:00
Jorge Reyes
20bf05e9f3 Merge pull request #15644 from Security-Onion-Solutions/reyesj2-361 
fix so-idh and so-redis datastream config
 2026-03-18 14:36:17 -05:00
Josh Patterson
4254769e68 Merge remote-tracking branch 'origin/3/dev' into delta 2026-03-18 15:32:52 -04:00
reyesj2
c16ff2bd99 so-idh and so-redis datastream config 2026-03-18 14:31:23 -05:00
Jason Ertel
0c88b32fc2 fix casing to match annotation docs 2026-03-18 15:31:19 -04:00
Josh Patterson
0814f34f0e don't define zeek nofile, already uses docker default 2026-03-18 13:13:06 -04:00
Jason Ertel
b6366e52ba Merge pull request #15642 from Security-Onion-Solutions/jertel/wip 
more doc updates
 2026-03-18 13:09:36 -04:00
Jason Ertel
825f377d2d more doc updates 2026-03-18 13:05:36 -04:00
Josh Patterson
74ad2990a7 Merge remote-tracking branch 'origin/3/dev' into delta 2026-03-18 13:05:02 -04:00
Josh Patterson
738ce62d35 Merge pull request #15640 from Security-Onion-Solutions/customulimit 
ensure valid ulimit names
 2026-03-18 12:51:15 -04:00
Josh Patterson
057ec6f0f1 ensure valid ulimit names 2026-03-18 12:49:46 -04:00
Jorge Reyes
20c4da50b1 Merge pull request #15632 from Security-Onion-Solutions/reyesj2-15601 
fix global override settings affecting non-data stream indices
 2026-03-18 10:51:17 -05:00
Jason Ertel
5fb396fc09 Merge pull request #15637 from Security-Onion-Solutions/jertel/wip 
ignore redis restart warning in logstash log
 2026-03-18 11:13:00 -04:00
Josh Patterson
a0b1e31717 Merge pull request #15638 from Security-Onion-Solutions/customulimit 
remove .jinja from daemon.json
 2026-03-18 11:09:41 -04:00
Josh Patterson
cacae12ba3 remove .jinja from daemon.json 2026-03-18 11:08:33 -04:00
Jason Ertel
83bd8a025c ignore redis restart warning in logstash log 2026-03-18 10:59:20 -04:00
Josh Patterson
2a271b950b Merge pull request #15636 from Security-Onion-Solutions/customulimit 
Customulimit
 2026-03-18 10:42:19 -04:00
Josh Patterson
e19e83bebb allow user defined ulimits 2026-03-18 10:38:15 -04:00
Doug Burks
066918e27d Merge pull request #15634 from Security-Onion-Solutions/dougburks-3dev 
update helpLink references for new documentation
 2026-03-18 10:01:43 -04:00
Doug Burks
930985b770 update helpLink references for new documentation 2026-03-18 09:46:45 -04:00
Jorge Reyes
346dc446de Merge pull request #15630 from Security-Onion-Solutions/reyesj2-449 
use elasticsearch recommended vm.max_map_count
 2026-03-17 15:36:06 -05:00
reyesj2
7e7b8dc8a8 vm.max_map_count allow for minion specific values 2026-03-17 15:23:46 -05:00
Josh Patterson
341471d38e DOCKER to DOCKERMERGED 2026-03-17 16:19:36 -04:00
Josh Patterson
2349750e13 DOCKER to DOCKERMERGED 2026-03-17 16:19:02 -04:00
reyesj2
2c6c502067 use elasticsearch recommended vm.max_map_count 2026-03-17 15:12:29 -05:00
Josh Patterson
00986dc2fd Merge remote-tracking branch 'origin/delta' into customulimit 2026-03-17 16:04:09 -04:00
Josh Patterson
d60bef1371 add spft/hard ulimits 2026-03-17 16:00:09 -04:00
Josh Patterson
5806a85214 Merge pull request #15629 from Security-Onion-Solutions/ulimits 
Add customizable ulimit settings for all Docker containers
 2026-03-17 15:14:31 -04:00
Mike Reeves
2d97dfc8a1 Add customizable ulimit settings for all Docker containers 
Add ulimits as a configurable advanced setting for every container,
allowing customization through the web UI. Move hardcoded ulimits
from elasticsearch and zeek into defaults.yaml and fix elasticsearch
ulimits that were incorrectly nested under the environment key.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-17 15:10:42 -04:00
Josh Patterson
d6263812a6 move daemon.json to docker/files 2026-03-17 15:09:09 -04:00
Josh Patterson
ef7d1771ab DOCKER TO DOCKERMERGED 2026-03-17 15:08:10 -04:00
Josh Patterson
4dc377c99f DOCKER to DOCKERMERGED 2026-03-17 15:06:06 -04:00
reyesj2
a52e5d0474 update index template priorities + explicity add datastream config options 2026-03-17 13:50:15 -05:00
reyesj2
1a943aefc5 rollover datastreams to get latest index templates + remove existing ilm policies from so-case / so-detection indices 2026-03-17 13:49:20 -05:00
Mike Reeves
4bb61d999d Merge pull request #15628 from Security-Onion-Solutions/zeekload 
Add salt states for custom Zeek package loading
 2026-03-17 13:40:14 -04:00
Mike Reeves
e0e0e3e97b Exclude README from zkg sync 2026-03-17 13:36:56 -04:00
Mike Reeves
6b039b3f94 Consolidate zkg directory creation into file.recurse with makedirs 2026-03-17 13:36:03 -04:00
Josh Patterson
d2d2f0cb5f Merge pull request #15627 from Security-Onion-Solutions/delta 
old code cleanup. add ja4 toggle in soc.
 2026-03-17 13:24:59 -04:00
Mike Reeves
e6ee7dac7c Add salt states for custom Zeek package loading 
Create /opt/so/conf/zeek/zkg directory and sync custom packages
from the manager via file.recurse. Bind mount the directory into
the so-zeek container so the entrypoint can install packages on
startup.
 2026-03-17 13:22:59 -04:00
Josh Patterson
7bf63b822d replace placeholder files with .gitkeep to keep empty directories 2026-03-17 11:40:49 -04:00
Josh Patterson
1a7d72c630 ensure empty directory tracked by git 2026-03-17 11:11:02 -04:00
Josh Patterson
4224713cc6 Merge pull request #15624 from Security-Onion-Solutions/moreja 
Add SOC UI toggle for JA4+ fingerprinting
 2026-03-17 09:44:04 -04:00
Mike Reeves
b452e70419 Keep JA4S_raw and JA4H_raw hardcoded to disabled 2026-03-17 09:37:37 -04:00
Mike Reeves
6809497730 Add SOC UI toggle for JA4+ fingerprinting in Zeek 
JA4 (BSD licensed) remains always enabled, but JA4+ variants (JA4S,
JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X) require a FoxIO license
and are now toggleable via the SOC UI. The toggle includes a license
agreement warning and defaults to disabled.
 2026-03-17 09:35:31 -04:00
Jason Ertel
70597a77ab Merge pull request #15623 from Security-Onion-Solutions/jertel/wip 
fix hydra health check
 2026-03-17 07:53:00 -04:00
Jason Ertel
f5faf86cb3 fix hydra health check 2026-03-17 07:50:40 -04:00
Mike Reeves
be4e253620 Merge pull request #15621 from Security-Onion-Solutions/analyzer-cp314-wheels 
Rebuild analyzer source-packages wheels for Python 3.14
 2026-03-16 19:07:27 -04:00
reyesj2
eaf3f10adc remove unused close/delete configs on datastream index templates 2026-03-16 17:26:45 -05:00
reyesj2
84f4e460f6 update index patterns 2026-03-16 16:53:22 -05:00
reyesj2
88841c9814 remove ilm configs from non-datastream indices 2026-03-16 16:52:42 -05:00
Josh Patterson
744d8fdd5e Merge pull request #15620 from Security-Onion-Solutions/mreeves/remove-non-oracle9-salt 
Remove non-Oracle Linux 9 support from salt states
 2026-03-16 17:10:24 -04:00
Josh Patterson
6feb06e623 cleanup preflight 2026-03-16 17:02:36 -04:00
Mike Reeves
afc14ec29d Remove non-Oracle Linux 9 support from salt states 
Simplifies salt states, map files, and modules to only support
Oracle Linux 9, removing all Debian/Ubuntu/CentOS/Rocky/AlmaLinux/RHEL
conditional branches.
 2026-03-16 16:58:39 -04:00
Josh Patterson
59134c65d0 Merge pull request #15619 from Security-Onion-Solutions/mreeves/remove-non-oracle9-support 
Remove support for non-Oracle Linux 9 operating systems
 2026-03-16 16:55:59 -04:00
Josh Patterson
614537998a remove curator.disabled from top 2026-03-16 16:44:11 -04:00
Mike Reeves
d2cee468a0 Remove support for non-Oracle Linux 9 operating systems 
Security Onion now exclusively supports Oracle Linux 9. This removes
detection, setup, and update logic for Ubuntu, Debian, CentOS, Rocky,
AlmaLinux, and RHEL.
 2026-03-16 16:44:07 -04:00
Josh Patterson
94f454c311 cleanup file.absent 2026-03-16 15:57:15 -04:00
Josh Patterson
17881c9a36 cleanup highlander 2026-03-16 15:56:16 -04:00
122 changed files with 2044 additions and 2579 deletions
Expand all files Collapse all files

20
salt/_modules/needs_restarting.py
View File

@@ -1,24 +1,14 @@
from os import path
import subprocess
def check():
osfam = __grains__['os_family']
retval = 'False'
if osfam == 'Debian':
if path.exists('/var/run/reboot-required'):
retval = 'True'
cmd = 'needs-restarting -r > /dev/null 2>&1'
elif osfam == 'RedHat':
cmd = 'needs-restarting -r > /dev/null 2>&1'
try:
needs_restarting = subprocess.check_call(cmd, shell=True)
except subprocess.CalledProcessError:
retval = 'True'
else:
retval = 'Unsupported OS: %s' % os
try:
needs_restarting = subprocess.check_call(cmd, shell=True)
except subprocess.CalledProcessError:
retval = 'True'
return retval

4
salt/backup/soc_backup.yaml
View File

@@ -1,10 +1,10 @@
backup:
locations:
description: List of locations to back up to the destination.
helpLink: backup.html
helpLink: backup
global: True
destination:
description: Directory to store the configuration backups in.
helpLink: backup.html
helpLink: backup
global: True

6
salt/bpf/soc_bpf.yaml
View File

@@ -3,14 +3,14 @@ bpf:
description: List of BPF filters to apply to the PCAP engine.
multiline: True
forcedType: "[]string"
helpLink: bpf.html
helpLink: bpf
suricata:
description: List of BPF filters to apply to Suricata. This will apply to alerts and, if enabled, to metadata and PCAP logs generated by Suricata.
multiline: True
forcedType: "[]string"
helpLink: bpf.html
helpLink: bpf
zeek:
description: List of BPF filters to apply to Zeek.
multiline: True
forcedType: "[]string"
helpLink: bpf.html
helpLink: bpf

8
salt/ca/trustca.sls
View File

@@ -3,8 +3,6 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
- docker
@@ -18,9 +16,3 @@ trusttheca:
- show_changes: False
- makedirs: True
{% if GLOBALS.os_family == 'Debian' %}
symlinkca:
file.symlink:
- target: /etc/pki/tls/certs/intca.crt
- name: /etc/ssl/certs/intca.crt
{% endif %}

19
salt/common/files/daemon.json
View File

@@ -1,19 +0,0 @@
{
"registry-mirrors": [
"https://:5000"
],
"bip": "172.17.0.1/24",
"default-address-pools": [
{
"base": "172.17.0.0/24",
"size": 24
}
],
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Soft": 1048576,
"Hard": 1048576
}
}
}

27
salt/common/init.sls
View File

@@ -20,11 +20,6 @@ kernel.printk:
sysctl.present:
- value: "3 4 1 3"
# Remove variables.txt from /tmp - This is temp
rmvariablesfile:
file.absent:
- name: /tmp/variables.txt
# Add socore Group
socoregroup:
group.present:
@@ -149,28 +144,6 @@ common_sbin_jinja:
- so-import-pcap
{% endif %}
{% if GLOBALS.role == 'so-heavynode' %}
remove_so-pcap-import_heavynode:
file.absent:
- name: /usr/sbin/so-pcap-import
remove_so-import-pcap_heavynode:
file.absent:
- name: /usr/sbin/so-import-pcap
{% endif %}
{% if not GLOBALS.is_manager%}
# prior to 2.4.50 these scripts were in common/tools/sbin on the manager because of soup and distributed to non managers
# these two states remove the scripts from non manager nodes
remove_soup:
file.absent:
- name: /usr/sbin/soup
remove_so-firewall:
file.absent:
- name: /usr/sbin/so-firewall
{% endif %}
so-status_script:
file.managed:
- name: /usr/sbin/so-status

49
salt/common/packages.sls
View File

@@ -1,52 +1,5 @@
# we cannot import GLOBALS from vars/globals.map.jinja in this state since it is called in setup.virt.init
# since it is early in setup of a new VM, the pillars imported in GLOBALS are not yet defined
{% if grains.os_family == 'Debian' %}
commonpkgs:
pkg.installed:
- skip_suggestions: True
- pkgs:
- apache2-utils
- wget
- ntpdate
- jq
- curl
- ca-certificates
- software-properties-common
- apt-transport-https
- openssl
- netcat-openbsd
- sqlite3
- libssl-dev
- procps
- python3-dateutil
- python3-docker
- python3-packaging
- python3-lxml
- git
- rsync
- vim
- tar
- unzip
- bc
{% if grains.oscodename != 'focal' %}
- python3-rich
{% endif %}
{% if grains.oscodename == 'focal' %}
# since Ubuntu requires and internet connection we can use pip to install modules
python3-pip:
pkg.installed
python-rich:
pip.installed:
- name: rich
- target: /usr/local/lib/python3.8/dist-packages/
- require:
- pkg: python3-pip
{% endif %}
{% endif %}
{% if grains.os_family == 'RedHat' %}
remove_mariadb:
pkg.removed:
@@ -84,5 +37,3 @@ commonpkgs:
- unzip
- wget
- yum-utils
{% endif %}

8
salt/common/soup_scripts.sls
View File

@@ -11,14 +11,6 @@
{% endif %}
{% set SOVERSION = salt['file.read']('/etc/soversion').strip() %}
remove_common_soup:
file.absent:
- name: /opt/so/saltstack/default/salt/common/tools/sbin/soup
remove_common_so-firewall:
file.absent:
- name: /opt/so/saltstack/default/salt/common/tools/sbin/so-firewall
# This section is used to put the scripts in place in the Salt file system
# in case a state run tries to overwrite what we do in the next section.
copy_so-common_common_tools_sbin:

101
salt/common/tools/sbin/so-common
View File

@@ -349,21 +349,16 @@ get_random_value() {
}
gpg_rpm_import() {
if [[ $is_oracle ]]; then
if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
else
local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
fi
RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
for RPMKEY in "${RPMKEYS[@]}"; do
rpm --import $RPMKEYSLOC/$RPMKEY
echo "Imported $RPMKEY"
done
elif [[ $is_rpm ]]; then
echo "Importing the security onion GPG key"
rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
else
local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
fi
RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
for RPMKEY in "${RPMKEYS[@]}"; do
rpm --import $RPMKEYSLOC/$RPMKEY
echo "Imported $RPMKEY"
done
}
header() {
@@ -550,6 +545,22 @@ retry() {
return $exitcode
}
rollover_index() {
idx=$1
exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}")
if [[ $exists -eq 200 ]]; then
rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST)
if [[ $rollover -eq 200 ]]; then
echo "Successfully triggered rollover for $idx..."
else
echo "Could not trigger rollover for $idx..."
fi
else
echo "Could not find index $idx..."
fi
}
run_check_net_err() {
local cmd=$1
local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable
@@ -615,69 +626,19 @@ salt_minion_count() {
}
set_os() {
if [ -f /etc/redhat-release ]; then
if grep -q "Rocky Linux release 9" /etc/redhat-release; then
OS=rocky
OSVER=9
is_rocky=true
is_rpm=true
elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
OS=centos
OSVER=9
is_centos=true
is_rpm=true
elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
OS=alma
OSVER=9
is_alma=true
is_rpm=true
elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
if [ -f /etc/oracle-release ]; then
OS=oracle
OSVER=9
is_oracle=true
is_rpm=true
else
OS=rhel
OSVER=9
is_rhel=true
is_rpm=true
fi
fi
cron_service_name="crond"
elif [ -f /etc/os-release ]; then
if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
OSVER=focal
UBVER=20.04
OS=ubuntu
is_ubuntu=true
is_deb=true
elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
OSVER=jammy
UBVER=22.04
OS=ubuntu
is_ubuntu=true
is_deb=true
elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
OSVER=bookworm
DEBVER=12
is_debian=true
OS=debian
is_deb=true
fi
cron_service_name="cron"
if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
OS=oracle
OSVER=9
is_oracle=true
is_rpm=true
fi
cron_service_name="crond"
}
set_minionid() {
MINIONID=$(lookup_grain id)
}
set_palette() {
if [[ $is_deb ]]; then
update-alternatives --set newt-palette /etc/newt/palette.original
fi
}
set_version() {
CURRENTVERSION=0.0.0

1
salt/common/tools/sbin/so-log-check
View File

@@ -131,6 +131,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not configured for GeoIP" # SO does not bundle the maxminddb with Zeek
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|HTTP 404: Not Found" # Salt loops until Kratos returns 200, during startup Kratos may not be ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Cancelling deferred write event maybeFenceReplicas because the event queue is now closed" # Kafka controller log during shutdown/restart
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Redis may have been restarted" # Redis likely restarted by salt
fi
if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then

34
salt/curator/disabled.sls
View File

@@ -1,34 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
so-curator:
docker_container.absent:
- force: True
so-curator_so-status.disabled:
file.line:
- name: /opt/so/conf/so-status/so-status.conf
- match: ^so-curator$
- mode: delete
so-curator-cluster-close:
cron.absent:
- identifier: so-curator-cluster-close
so-curator-cluster-delete:
cron.absent:
- identifier: so-curator-cluster-delete
delete_curator_configuration:
file.absent:
- name: /opt/so/conf/curator
- recurse: True
{% set files = salt.file.find(path='/usr/sbin', name='so-curator*') %}
{% if files|length > 0 %}
delete_curator_scripts:
file.absent:
- names: {{files|yaml}}
{% endif %}

45
salt/docker/defaults.yaml
View File

@@ -1,6 +1,10 @@
docker:
range: '172.17.1.0/24'
gateway: '172.17.1.1'
ulimits:
- name: nofile
soft: 1048576
hard: 1048576
containers:
'so-dockerregistry':
final_octet: 20
@@ -9,6 +13,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-elastic-fleet':
final_octet: 21
port_bindings:
@@ -16,6 +21,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-elasticsearch':
final_octet: 22
port_bindings:
@@ -24,6 +30,16 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits:
- name: memlock
soft: -1
hard: -1
- name: nofile
soft: 65536
hard: 65536
- name: nproc
soft: 4096
hard: 4096
'so-influxdb':
final_octet: 26
port_bindings:
@@ -31,6 +47,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-kibana':
final_octet: 27
port_bindings:
@@ -38,6 +55,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-kratos':
final_octet: 28
port_bindings:
@@ -46,6 +64,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-hydra':
final_octet: 30
port_bindings:
@@ -54,6 +73,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-logstash':
final_octet: 29
port_bindings:
@@ -70,6 +90,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-nginx':
final_octet: 31
port_bindings:
@@ -81,6 +102,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-nginx-fleet-node':
final_octet: 31
port_bindings:
@@ -88,6 +110,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-redis':
final_octet: 33
port_bindings:
@@ -96,11 +119,13 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-sensoroni':
final_octet: 99
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-soc':
final_octet: 34
port_bindings:
@@ -108,16 +133,19 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-backend':
final_octet: 36
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-filestream':
final_octet: 37
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-frontend':
final_octet: 38
port_bindings:
@@ -125,11 +153,13 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-manager':
final_octet: 39
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-gatekeeper':
final_octet: 40
port_bindings:
@@ -137,6 +167,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-coordinator':
final_octet: 41
port_bindings:
@@ -144,11 +175,13 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-elastalert':
final_octet: 42
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-elastic-fleet-package-registry':
final_octet: 44
port_bindings:
@@ -156,11 +189,13 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-idh':
final_octet: 45
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-elastic-agent':
final_octet: 46
port_bindings:
@@ -169,23 +204,28 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-telegraf':
final_octet: 99
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-suricata':
final_octet: 99
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits:
- memlock=524288000
ulimits: []
'so-zeek':
final_octet: 99
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits:
- name: core
soft: 0
hard: 0
'so-kafka':
final_octet: 88
port_bindings:
@@ -196,3 +236,4 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []

8
salt/docker/docker.map.jinja
View File

@@ -1,8 +1,8 @@
{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
{% set RANGESPLIT = DOCKER.range.split('.') %}
{% set DOCKERMERGED = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
{% set RANGESPLIT = DOCKERMERGED.range.split('.') %}
{% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
{% for container, vals in DOCKER.containers.items() %}
{% do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %}
{% for container, vals in DOCKERMERGED.containers.items() %}
{% do DOCKERMERGED.containers[container].update({'ip': FIRSTTHREE ~ DOCKERMERGED.containers[container].final_octet}) %}
{% endfor %}

24
salt/docker/files/daemon.json.jinja Normal file
View File

@@ -0,0 +1,24 @@
{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
{
"registry-mirrors": [
"https://:5000"
],
"bip": "172.17.0.1/24",
"default-address-pools": [
{
"base": "172.17.0.0/24",
"size": 24
}
]
{%- if DOCKERMERGED.ulimits %},
"default-ulimits": {
{%- for ULIMIT in DOCKERMERGED.ulimits %}
"{{ ULIMIT.name }}": {
"Name": "{{ ULIMIT.name }}",
"Soft": {{ ULIMIT.soft }},
"Hard": {{ ULIMIT.hard }}
}{{ "," if not loop.last else "" }}
{%- endfor %}
}
{%- endif %}
}

43
salt/docker/init.sls
View File

@@ -3,7 +3,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
# docker service requires the ca.crt
@@ -15,39 +15,6 @@ dockergroup:
- name: docker
- gid: 920
{% if GLOBALS.os_family == 'Debian' %}
{% if grains.oscodename == 'bookworm' %}
dockerheldpackages:
pkg.installed:
- pkgs:
- containerd.io: 2.2.1-1~debian.12~bookworm
- docker-ce: 5:29.2.1-1~debian.12~bookworm
- docker-ce-cli: 5:29.2.1-1~debian.12~bookworm
- docker-ce-rootless-extras: 5:29.2.1-1~debian.12~bookworm
- hold: True
- update_holds: True
{% elif grains.oscodename == 'jammy' %}
dockerheldpackages:
pkg.installed:
- pkgs:
- containerd.io: 2.2.1-1~ubuntu.22.04~jammy
- docker-ce: 5:29.2.1-1~ubuntu.22.04~jammy
- docker-ce-cli: 5:29.2.1-1~ubuntu.22.04~jammy
- docker-ce-rootless-extras: 5:29.2.1-1~ubuntu.22.04~jammy
- hold: True
- update_holds: True
{% else %}
dockerheldpackages:
pkg.installed:
- pkgs:
- containerd.io: 1.7.21-1
- docker-ce: 5:27.2.0-1~ubuntu.20.04~focal
- docker-ce-cli: 5:27.2.0-1~ubuntu.20.04~focal
- docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.20.04~focal
- hold: True
- update_holds: True
{% endif %}
{% else %}
dockerheldpackages:
pkg.installed:
- pkgs:
@@ -57,7 +24,6 @@ dockerheldpackages:
- docker-ce-rootless-extras: 29.2.1-1.el9
- hold: True
- update_holds: True
{% endif %}
#disable docker from managing iptables
iptables_disabled:
@@ -75,10 +41,9 @@ dockeretc:
file.directory:
- name: /etc/docker
# Manager daemon.json
docker_daemon:
file.managed:
- source: salt://common/files/daemon.json
- source: salt://docker/files/daemon.json.jinja
- name: /etc/docker/daemon.json
- template: jinja
@@ -109,8 +74,8 @@ dockerreserveports:
sos_docker_net:
docker_network.present:
- name: sobridge
- subnet: {{ DOCKER.range }}
- gateway: {{ DOCKER.gateway }}
- subnet: {{ DOCKERMERGED.range }}
- gateway: {{ DOCKERMERGED.gateway }}
- options:
com.docker.network.bridge.name: 'sobridge'
com.docker.network.driver.mtu: '1500'

90
salt/docker/soc_docker.yaml
View File

@@ -1,44 +1,82 @@
docker:
gateway:
description: Gateway for the default docker interface.
helpLink: docker.html
helpLink: docker
advanced: True
range:
description: Default docker IP range for containers.
helpLink: docker.html
helpLink: docker
advanced: True
ulimits:
description: |
Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
forcedType: "[]{}"
syntax: json
advanced: True
helpLink: docker.html
uiElements:
- field: name
label: Resource Name
required: True
regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
- field: soft
label: Soft Limit
forcedType: int
- field: hard
label: Hard Limit
forcedType: int
containers:
so-dockerregistry: &dockerOptions
final_octet:
description: Last octet of the container IP address.
helpLink: docker.html
helpLink: docker
readonly: True
advanced: True
global: True
port_bindings:
description: List of port bindings for the container.
helpLink: docker.html
helpLink: docker
advanced: True
multiline: True
forcedType: "[]string"
custom_bind_mounts:
description: List of custom local volume bindings.
advanced: True
helpLink: docker.html
helpLink: docker
multiline: True
forcedType: "[]string"
extra_hosts:
description: List of additional host entries for the container.
advanced: True
helpLink: docker.html
helpLink: docker
multiline: True
forcedType: "[]string"
extra_env:
description: List of additional ENV entries for the container.
advanced: True
helpLink: docker.html
helpLink: docker
multiline: True
forcedType: "[]string"
ulimits:
description: |
Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
advanced: True
helpLink: docker.html
forcedType: "[]{}"
syntax: json
uiElements:
- field: name
label: Resource Name
required: True
regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
- field: soft
label: Soft Limit
forcedType: int
- field: hard
label: Hard Limit
forcedType: int
so-elastic-fleet: *dockerOptions
so-elasticsearch: *dockerOptions
so-influxdb: *dockerOptions
@@ -62,42 +100,6 @@ docker:
so-idh: *dockerOptions
so-elastic-agent: *dockerOptions
so-telegraf: *dockerOptions
so-suricata:
final_octet:
description: Last octet of the container IP address.
helpLink: docker.html
readonly: True
advanced: True
global: True
port_bindings:
description: List of port bindings for the container.
helpLink: docker.html
advanced: True
multiline: True
forcedType: "[]string"
custom_bind_mounts:
description: List of custom local volume bindings.
advanced: True
helpLink: docker.html
multiline: True
forcedType: "[]string"
extra_hosts:
description: List of additional host entries for the container.
advanced: True
helpLink: docker.html
multiline: True
forcedType: "[]string"
extra_env:
description: List of additional ENV entries for the container.
advanced: True
helpLink: docker.html
multiline: True
forcedType: "[]string"
ulimits:
description: Ulimits for the container, in bytes.
advanced: True
helpLink: docker.html
multiline: True
forcedType: "[]string"
so-suricata: *dockerOptions
so-zeek: *dockerOptions
so-kafka: *dockerOptions

22
salt/elastalert/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
include:
- elastalert.config
@@ -24,7 +24,7 @@ so-elastalert:
- user: so-elastalert
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-elastalert'].ip }}
- detach: True
- binds:
- /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
@@ -33,24 +33,30 @@ so-elastalert:
- /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro
- /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro
- /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
{% if DOCKER.containers['so-elastalert'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKER.containers['so-elastalert'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %}
{% if DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-elastalert'].extra_env %}
{% if DOCKERMERGED.containers['so-elastalert'].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-elastalert'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastalert'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- require:
- cmd: wait_for_elasticsearch
- file: elastarules

0
salt/elasticfleet/files/certs/placeholder → salt/elastalert/files/custom/.gitkeep
View File

1
salt/elastalert/files/custom/placeholder
View File

@@ -1 +0,0 @@
THIS IS A PLACEHOLDER FILE

93
salt/elastalert/soc_elastalert.yaml
View File

@@ -1,47 +1,48 @@
elastalert:
enabled:
description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery.
helpLink: elastalert.html
forcedType: bool
helpLink: elastalert
alerter_parameters:
title: Custom Configuration Parameters
description: Optional configuration parameters made available as defaults for all rules and alerters. Use YAML format for these parameters, and reference the ElastAlert 2 documentation, located at https://elastalert2.readthedocs.io, for available configuration parameters. Requires a valid Security Onion license key.
global: True
multiline: True
syntax: yaml
helpLink: elastalert.html
helpLink: elastalert
forcedType: string
jira_api_key:
title: Jira API Key
description: Optional configuration parameter for Jira API Key, used instead of the Jira username and password. Requires a valid Security Onion license key.
global: True
sensitive: True
helpLink: elastalert.html
helpLink: elastalert
forcedType: string
jira_pass:
title: Jira Password
description: Optional configuration parameter for Jira password. Requires a valid Security Onion license key.
global: True
sensitive: True
helpLink: elastalert.html
helpLink: elastalert
forcedType: string
jira_user:
title: Jira Username
description: Optional configuration parameter for Jira username. Requires a valid Security Onion license key.
global: True
helpLink: elastalert.html
helpLink: elastalert
forcedType: string
smtp_pass:
title: SMTP Password
description: Optional configuration parameter for SMTP password, required for authenticating email servers. Requires a valid Security Onion license key.
global: True
sensitive: True
helpLink: elastalert.html
helpLink: elastalert
forcedType: string
smtp_user:
title: SMTP Username
description: Optional configuration parameter for SMTP username, required for authenticating email servers. Requires a valid Security Onion license key.
global: True
helpLink: elastalert.html
helpLink: elastalert
forcedType: string
files:
custom:
@@ -49,91 +50,131 @@ elastalert:
description: Optional custom Certificate Authority for connecting to an AlertManager server. To utilize this custom file, the alertmanager_ca_certs key must be set to /opt/elastalert/custom/alertmanager_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True
file: True
helpLink: elastalert.html
helpLink: elastalert
gelf_ca__crt:
description: Optional custom Certificate Authority for connecting to a Graylog server. To utilize this custom file, the graylog_ca_certs key must be set to /opt/elastalert/custom/graylog_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True
file: True
helpLink: elastalert.html
helpLink: elastalert
http_post_ca__crt:
description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the legacy HTTP POST alerter. To utilize this custom file, the http_post_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True
file: True
helpLink: elastalert.html
helpLink: elastalert
http_post2_ca__crt:
description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the newer HTTP POST 2 alerter. To utilize this custom file, the http_post2_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True
file: True
helpLink: elastalert.html
helpLink: elastalert
ms_teams_ca__crt:
description: Optional custom Certificate Authority for connecting to Microsoft Teams server. To utilize this custom file, the ms_teams_ca_certs key must be set to /opt/elastalert/custom/ms_teams_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True
file: True
helpLink: elastalert.html
helpLink: elastalert
pagerduty_ca__crt:
description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the pagerduty_ca_certs key must be set to /opt/elastalert/custom/pagerduty_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True
file: True
helpLink: elastalert.html
helpLink: elastalert
rocket_chat_ca__crt:
description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the rocket_chart_ca_certs key must be set to /opt/elastalert/custom/rocket_chat_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True
file: True
helpLink: elastalert.html
helpLink: elastalert
smtp__crt:
description: Optional custom certificate for connecting to an SMTP server. To utilize this custom file, the smtp_cert_file key must be set to /opt/elastalert/custom/smtp.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True
file: True
helpLink: elastalert.html
helpLink: elastalert
smtp__key:
description: Optional custom certificate key for connecting to an SMTP server. To utilize this custom file, the smtp_key_file key must be set to /opt/elastalert/custom/smtp.key in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True
file: True
helpLink: elastalert.html
helpLink: elastalert
slack_ca__crt:
description: Optional custom Certificate Authority for connecting to Slack. To utilize this custom file, the slack_ca_certs key must be set to /opt/elastalert/custom/slack_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True
file: True
helpLink: elastalert.html
helpLink: elastalert
config:
scan_subdirectories:
description: Recursively scan subdirectories for rules.
forcedType: bool
advanced: True
global: True
helpLink: elastalert
disable_rules_on_error:
description: Disable rules on failure.
forcedType: bool
global: True
helpLink: elastalert.html
helpLink: elastalert
run_every:
minutes:
description: Amount of time in minutes between searches.
global: True
helpLink: elastalert.html
helpLink: elastalert
buffer_time:
minutes:
description: Amount of time in minutes to look through.
global: True
helpLink: elastalert.html
helpLink: elastalert
old_query_limit:
minutes:
description: Amount of time in minutes between queries to start at the most recently run query.
global: True
helpLink: elastalert.html
helpLink: elastalert
es_conn_timeout:
description: Timeout in seconds for connecting to and reading from Elasticsearch.
global: True
helpLink: elastalert.html
helpLink: elastalert
max_query_size:
description: The maximum number of documents that will be returned from Elasticsearch in a single query.
global: True
helpLink: elastalert.html
helpLink: elastalert
use_ssl:
description: Use SSL to connect to Elasticsearch.
forcedType: bool
advanced: True
global: True
helpLink: elastalert
verify_certs:
description: Verify TLS certificates when connecting to Elasticsearch.
forcedType: bool
advanced: True
global: True
helpLink: elastalert
alert_time_limit:
days:
description: The retry window for failed alerts.
global: True
helpLink: elastalert.html
helpLink: elastalert
index_settings:
shards:
description: The number of shards for elastalert indices.
global: True
helpLink: elastalert.html
helpLink: elastalert
replicas:
description: The number of replicas for elastalert indices.
global: True
helpLink: elastalert.html
helpLink: elastalert
logging:
incremental:
description: When incremental is false (the default), the logging configuration is applied in full, replacing any existing logging setup. When true, only the level attributes of existing loggers and handlers are updated, leaving the rest of the logging configuration unchanged.
forcedType: bool
advanced: True
global: True
helpLink: elastalert
disable_existing_loggers:
description: Disable existing loggers.
forcedType: bool
advanced: True
global: True
helpLink: elastalert
loggers:
'':
propagate:
description: Propagate log messages to parent loggers.
forcedType: bool
advanced: True
global: True
helpLink: elastalert

24
salt/elastic-fleet-package-registry/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
include:
- elastic-fleet-package-registry.config
@@ -21,30 +21,36 @@ so-elastic-fleet-package-registry:
- user: 948
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ip }}
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
- binds:
{% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
delete_so-elastic-fleet-package-registry_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf

1
salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
View File

@@ -1,4 +1,5 @@
elastic_fleet_package_registry:
enabled:
description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated.
forcedType: bool
advanced: True

24
salt/elasticagent/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
include:
- ca
@@ -22,17 +22,17 @@ so-elastic-agent:
- user: 949
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastic-agent'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-elastic-agent'].ip }}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-elastic-agent'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastic-agent'].extra_hosts %}
{% if DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-elastic-agent'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -41,19 +41,25 @@ so-elastic-agent:
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /nsm:/nsm:ro
- /opt/so/log:/opt/so/log:ro
{% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- environment:
- FLEET_CA=/etc/pki/tls/certs/intca.crt
- LOGS_PATH=logs
{% if DOCKER.containers['so-elastic-agent'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
{% if DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- require:
- file: create-elastic-agent-config
- file: trusttheca

1
salt/elasticagent/soc_elasticagent.yaml
View File

@@ -1,4 +1,5 @@
elasticagent:
enabled:
description: Enables or disables the Elastic Agent process. This process must remain enabled to allow collection of node events.
forcedType: bool
advanced: True

24
salt/elasticfleet/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
{# This value is generated during node install and stored in minion pillar #}
@@ -94,17 +94,17 @@ so-elastic-fleet:
- user: 947
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet'].ip }}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-elastic-fleet'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %}
{% if DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-elastic-fleet'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -112,8 +112,8 @@ so-elastic-fleet:
- /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs
{% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
@@ -128,11 +128,17 @@ so-elastic-fleet:
- FLEET_CA=/etc/pki/tls/certs/intca.crt
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
- LOGS_PATH=logs
{% if DOCKER.containers['so-elastic-fleet'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
{% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: trusttheca
- x509: etc_elasticfleet_key

0
salt/suricata/rules/PLACEHOLDER → salt/elasticfleet/files/certs/.gitkeep
View File

59
salt/elasticfleet/soc_elasticfleet.yaml
View File

@@ -1,14 +1,15 @@
elasticfleet:
enabled:
description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents.
forcedType: bool
advanced: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
enable_manager_output:
description: Setting this option to False should only be considered if there is at least one receiver node in the grid. If True, Elastic Agent will send events to the manager and receivers. If False, events will only be send to the receivers.
advanced: True
global: True
forcedType: bool
helpLink: elastic-fleet.html
helpLink: elastic-fleet
files:
soc:
elastic-defend-disabled-filters__yaml:
@@ -17,7 +18,7 @@ elasticfleet:
syntax: yaml
file: True
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
advanced: True
elastic-defend-custom-filters__yaml:
title: Custom Elastic Defend filters
@@ -25,31 +26,32 @@ elasticfleet:
syntax: yaml
file: True
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
advanced: True
logging:
zeek:
excluded:
description: This is a list of Zeek logs that are excluded from being shipped through the data processing pipeline. If you remove a log from this list, Elastic Agent will attempt to process it. If an ingest node pipeline is not available to process the logs, you may experience errors.
forcedType: "[]string"
helpLink: zeek.html
helpLink: zeek
config:
defend_filters:
enable_auto_configuration:
description: Enable auto-configuration and management of the Elastic Defend Exclusion filters.
forcedType: bool
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
advanced: True
subscription_integrations:
description: Enable the installation of integrations that require an Elastic license.
global: True
forcedType: bool
helpLink: elastic-fleet.html
helpLink: elastic-fleet
auto_upgrade_integrations:
description: Enables or disables automatically upgrading Elastic Agent integrations.
global: True
forcedType: bool
helpLink: elastic-fleet.html
helpLink: elastic-fleet
outputs:
logstash:
bulk_max_size:
@@ -57,67 +59,68 @@ elasticfleet:
global: True
forcedType: int
advanced: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
worker:
description: The number of workers per configured host publishing events.
global: True
forcedType: int
advanced: true
helpLink: elastic-fleet.html
helpLink: elastic-fleet
queue_mem_events:
title: queued events
description: The number of events the queue can store. This value should be evenly divisible by the smaller of 'bulk_max_size' to avoid sending partial batches to the output.
global: True
forcedType: int
advanced: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
timeout:
description: The number of seconds to wait for responses from the Logstash server before timing out. Eg 30s
regex: ^[0-9]+s$
advanced: True
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
loadbalance:
description: If true and multiple Logstash hosts are configured, the output plugin load balances published events onto all Logstash hosts. If false, the output plugin sends all events to one host (determined at random) and switches to another host if the selected one becomes unresponsive.
forcedType: bool
advanced: True
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
compression_level:
description: The gzip compression level. The compression level must be in the range of 1 (best speed) to 9 (best compression).
regex: ^[1-9]$
forcedType: int
advanced: True
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
server:
custom_fqdn:
description: Custom FQDN for Agents to connect to. One per line.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
advanced: True
forcedType: "[]string"
enable_auto_configuration:
description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs.
forcedType: bool
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
advanced: True
endpoints_enrollment:
description: Endpoint enrollment key.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
sensitive: True
advanced: True
es_token:
description: Elastic auth token.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
sensitive: True
advanced: True
grid_enrollment:
description: Grid enrollment key.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
sensitive: True
advanced: True
optional_integrations:
@@ -125,57 +128,57 @@ elasticfleet:
enabled_nodes:
description: Fleet nodes with the Sublime Platform integration enabled. Enter one per line.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
advanced: True
forcedType: "[]string"
api_key:
description: API key for Sublime Platform.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
advanced: True
forcedType: string
sensitive: True
base_url:
description: Base URL for Sublime Platform.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
advanced: True
forcedType: string
poll_interval:
description: Poll interval for alerts from Sublime Platform.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
advanced: True
forcedType: string
limit:
description: The maximum number of message groups to return from Sublime Platform.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
advanced: True
forcedType: int
kismet:
base_url:
description: Base URL for Kismet.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
advanced: True
forcedType: string
poll_interval:
description: Poll interval for wireless device data from Kismet. Integration is currently configured to return devices seen as active by any Kismet sensor within the last 10 minutes.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
advanced: True
forcedType: string
api_key:
description: API key for Kismet.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
advanced: True
forcedType: string
sensitive: True
enabled_nodes:
description: Fleet nodes with the Kismet integration enabled. Enter one per line.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
advanced: True
forcedType: "[]string"

8
salt/elasticsearch/config.map.jinja
View File

@@ -6,8 +6,6 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
{# this is a list of dicts containing hostname:ip for elasticsearch nodes that need to know about each other for cluster #}
{% set ELASTICSEARCH_SEED_HOSTS = [] %}
{% set node_data = salt['pillar.get']('elasticsearch:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %}
@@ -36,14 +34,8 @@
{% endfor %}
{% endif %}
{% elif grains.id.split('_') | last == 'searchnode' %}
{% if HIGHLANDER %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
{% endif %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
{% endif %}
{% if HIGHLANDER %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
{% endif %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'name': GLOBALS.hostname}) %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.cluster.update({'name': GLOBALS.hostname}) %}

11
salt/elasticsearch/config.sls
View File

@@ -10,7 +10,7 @@
vm.max_map_count:
sysctl.present:
- value: 262144
- value: {{ ELASTICSEARCHMERGED.vm.max_map_count }}
# Add ES Group
elasticsearchgroup:
@@ -98,10 +98,6 @@ esrolesdir:
- group: 939
- makedirs: True
eslibdir:
file.absent:
- name: /opt/so/conf/elasticsearch/lib
esingestdynamicconf:
file.recurse:
- name: /opt/so/conf/elasticsearch/ingest
@@ -119,11 +115,6 @@ esingestconf:
- group: 939
- show_changes: False
# Remove .fleet_final_pipeline-1 because we are using global@custom now
so-fleet-final-pipeline-remove:
file.absent:
- name: /opt/so/conf/elasticsearch/ingest/.fleet_final_pipeline-1
# Auto-generate Elasticsearch ingest node pipelines from pillar
{% for pipeline, config in ELASTICSEARCHMERGED.pipelines.items() %}
es_ingest_conf_{{pipeline}}:

120
salt/elasticsearch/defaults.yaml
View File

@@ -2,6 +2,8 @@ elasticsearch:
enabled: false
version: 9.0.8
index_clean: true
vm:
max_map_count: 1048576
config:
action:
destructive_requires_name: true
@@ -117,7 +119,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- so-case*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -129,8 +131,6 @@ elasticsearch:
match_mapping_type: string
settings:
index:
lifecycle:
name: so-case-logs
mapping:
total_fields:
limit: 1500
@@ -141,14 +141,7 @@ elasticsearch:
sort:
field: '@timestamp'
order: desc
policy:
phases:
hot:
actions: {}
min_age: 0ms
so-common:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
@@ -212,7 +205,9 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- winlog-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-*-so*
@@ -272,7 +267,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- so-detection*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -284,8 +279,6 @@ elasticsearch:
match_mapping_type: string
settings:
index:
lifecycle:
name: so-detection-logs
mapping:
total_fields:
limit: 1500
@@ -296,11 +289,6 @@ elasticsearch:
sort:
field: '@timestamp'
order: desc
policy:
phases:
hot:
actions: {}
min_age: 0ms
sos-backup:
index_sorting: false
index_template:
@@ -460,7 +448,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- endgame*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -508,8 +496,6 @@ elasticsearch:
priority: 50
min_age: 30d
so-idh:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
@@ -564,10 +550,13 @@ elasticsearch:
- dtc-user_agent-mappings
- common-settings
- common-dynamic-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- so-idh-*
priority: 500
- logs-idh-so*
priority: 501
template:
mappings:
date_detection: false
@@ -677,11 +666,13 @@ elasticsearch:
- common-dynamic-mappings
- winlog-mappings
- hash-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-import-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -736,7 +727,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- so-ip*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -751,19 +742,12 @@ elasticsearch:
mapping:
total_fields:
limit: 1500
lifecycle:
name: so-ip-mappings-logs
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
hot:
actions: {}
min_age: 0ms
so-items:
index_sorting: false
index_template:
@@ -772,7 +756,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- .items-default-**
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -851,8 +835,6 @@ elasticsearch:
priority: 50
min_age: 30d
so-kratos:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
@@ -873,7 +855,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- logs-kratos-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -921,8 +903,6 @@ elasticsearch:
priority: 50
min_age: 30d
so-hydra:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
@@ -983,7 +963,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- logs-hydra-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -1038,7 +1018,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- .lists-default-**
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -1524,6 +1504,9 @@ elasticsearch:
- so-fleet_integrations.ip_mappings-1
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-elastic_agent.cloudbeat@custom
index_patterns:
@@ -1759,6 +1742,9 @@ elasticsearch:
- so-fleet_integrations.ip_mappings-1
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-elastic_agent.heartbeat@custom
index_patterns:
@@ -3018,8 +3004,6 @@ elasticsearch:
priority: 50
min_age: 30d
so-logs-soc:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
@@ -3074,11 +3058,13 @@ elasticsearch:
- dtc-user_agent-mappings
- common-settings
- common-dynamic-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-soc-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -3668,10 +3654,13 @@ elasticsearch:
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-logstash-default*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -3969,10 +3958,13 @@ elasticsearch:
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-redis-default*
priority: 500
- logs-redis.log*
priority: 501
template:
mappings:
date_detection: false
@@ -4083,11 +4075,13 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- hash-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-strelka-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -4197,11 +4191,13 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- hash-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-suricata-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -4311,11 +4307,13 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- hash-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-suricata.alerts-*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -4425,11 +4423,13 @@ elasticsearch:
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-syslog-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -4541,11 +4541,13 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- hash-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-zeek-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false

28
salt/elasticsearch/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
@@ -28,15 +28,15 @@ so-elasticsearch:
- user: elasticsearch
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-elasticsearch'].ip }}
- extra_hosts:
{% for node in ELASTICSEARCH_NODES %}
{% for hostname, ip in node.items() %}
- {{hostname}}:{{ip}}
{% endfor %}
{% endfor %}
{% if DOCKER.containers['so-elasticsearch'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %}
{% if DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
@@ -45,17 +45,19 @@ so-elasticsearch:
- discovery.type=single-node
{% endif %}
- ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
ulimits:
- memlock=-1:-1
- nofile=65536:65536
- nproc=4096
{% if DOCKER.containers['so-elasticsearch'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %}
{% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-elasticsearch'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -75,8 +77,8 @@ so-elasticsearch:
- {{ repo }}:{{ repo }}:rw
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}

0
salt/elasticsearch/files/ingest-dynamic/.gitkeep Normal file
View File

16
salt/elasticsearch/files/ingest-dynamic/common → salt/elasticsearch/files/ingest/common
View File

@@ -1,5 +1,3 @@
{%- set HIGHLANDER = salt['pillar.get']('global:highlander', False) -%}
{%- raw -%}
{
"description" : "common",
"processors" : [
@@ -67,19 +65,7 @@
{ "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" } },
{ "grok": { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long} %{GREEDYDATA}"]} },
{ "set": { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
{%- endraw %}
{%- if HIGHLANDER %}
,
{
"pipeline": {
"name": "ecs"
}
}
{%- endif %}
{%- raw %}
,
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } },
{ "pipeline": { "name": "global@custom", "ignore_missing_pipeline": true, "description": "[Fleet] Global pipeline for all data streams" } }
]
}
{% endraw %}

197
salt/elasticsearch/soc_elasticsearch.yaml
View File

@@ -1,8 +1,9 @@
elasticsearch:
enabled:
description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING - Disabling this process is unsupported.
forcedType: bool
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
version:
description: "This specifies the version of the following containers: so-elastic-fleet-package-registry, so-elastic-agent, so-elastic-fleet, so-kibana, so-logstash and so-elasticsearch. Modifying this value in the Elasticsearch defaults.yaml will result in catastrophic grid failure."
readonly: True
@@ -10,15 +11,20 @@ elasticsearch:
advanced: True
esheap:
description: Specify the memory heap size in (m)egabytes for Elasticsearch.
helpLink: elasticsearch.html
helpLink: elasticsearch
index_clean:
description: Determines if indices should be considered for deletion by available disk space in the cluster. Otherwise, indices will only be deleted by the age defined in the ILM settings. This setting only applies to EVAL, STANDALONE, and HEAVY NODE installations. Other installations can only use ILM settings.
forcedType: bool
helpLink: elasticsearch.html
helpLink: elasticsearch
vm:
max_map_count:
description: The maximum number of memory map areas a process may use. Elasticsearch uses a mmapfs directory by default to store its indices. The default operating system limits on mmap counts could be too low, which may result in out of memory exceptions.
forcedType: int
helpLink: elasticsearch
retention:
retention_pct:
decription: Total percentage of space used by Elasticsearch for multi node clusters
helpLink: elasticsearch.html
helpLink: elasticsearch
global: True
config:
cluster:
@@ -26,55 +32,102 @@ elasticsearch:
description: The name of the Security Onion Elasticsearch cluster, for identification purposes.
readonly: True
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
logsdb:
enabled:
description: Enables or disables the Elasticsearch logsdb index mode. When enabled, most logs-* datastreams will convert to logsdb from standard after rolling over.
forcedType: bool
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
routing:
allocation:
disk:
threshold_enabled:
threshold_enabled:
description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster.
helpLink: elasticsearch.html
forcedType: bool
helpLink: elasticsearch
watermark:
low:
description: The lower percentage of used disk space representing a healthy node.
helpLink: elasticsearch.html
helpLink: elasticsearch
high:
description: The higher percentage of used disk space representing an unhealthy node.
helpLink: elasticsearch.html
helpLink: elasticsearch
flood_stage:
description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events.
helpLink: elasticsearch.html
helpLink: elasticsearch
action:
destructive_requires_name:
description: Requires explicit index names when deleting indices. Prevents accidental deletion of indices via wildcard patterns.
advanced: True
forcedType: bool
helpLink: elasticsearch
script:
max_compilations_rate:
max_compilations_rate:
description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources.
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
indices:
id_field_data:
enabled:
description: Enables or disables loading of field data on the _id field.
advanced: True
forcedType: bool
helpLink: elasticsearch
query:
bool:
max_clause_count:
max_clause_count:
description: Max number of boolean clauses per query.
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
xpack:
ml:
enabled:
description: Enables or disables machine learning on the node.
forcedType: bool
advanced: True
helpLink: elasticsearch
security:
enabled:
description: Enables or disables Elasticsearch security features.
forcedType: bool
advanced: True
helpLink: elasticsearch
authc:
anonymous:
authz_exception:
description: Controls whether an authorization exception is thrown when anonymous user does not have the required privileges.
advanced: True
forcedType: bool
helpLink: elasticsearch
http:
ssl:
enabled:
description: Enables or disables TLS/SSL for the HTTP layer.
advanced: True
forcedType: bool
helpLink: elasticsearch
transport:
ssl:
enabled:
description: Enables or disables TLS/SSL for the transport layer.
advanced: True
forcedType: bool
helpLink: elasticsearch
pipelines:
custom001: &pipelines
description:
description: Description of the ingest node pipeline
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
processors:
description: Processors for the ingest node pipeline
global: True
advanced: True
multiline: True
helpLink: elasticsearch.html
helpLink: elasticsearch
custom002: *pipelines
custom003: *pipelines
custom004: *pipelines
@@ -94,24 +147,24 @@ elasticsearch:
description: Number of replicas required for all indices. Multiple replicas protects against data loss, but also increases storage costs. This setting will be applied to all indices.
forcedType: int
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
refresh_interval:
description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
number_of_shards:
description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
sort:
field:
description: The field to sort by. Must set index_sorting to True.
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
order:
description: The order to sort by. Must set index_sorting to True.
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
policy:
phases:
hot:
@@ -121,16 +174,16 @@ elasticsearch:
description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
forcedType: int
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
rollover:
max_age:
description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
max_primary_shard_size:
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
shrink:
method:
description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -178,13 +231,13 @@ elasticsearch:
regex: ^[0-9]{1,5}d$
forcedType: string
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
actions:
set_priority:
priority:
description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
allocate:
number_of_replicas:
description: Set the number of replicas. Remains the same as the previous phase by default.
@@ -197,14 +250,14 @@ elasticsearch:
regex: ^[0-9]{1,5}d$
forcedType: string
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
actions:
set_priority:
priority:
description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
forcedType: int
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
shrink:
method:
description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -257,13 +310,14 @@ elasticsearch:
regex: ^[0-9]{1,5}d$
forcedType: string
global: True
helpLink: elasticsearch.html
helpLink: elasticsearch
so-logs: &indexSettings
index_sorting:
index_sorting:
description: Sorts the index by event time, at the cost of additional processing resource consumption.
forcedType: bool
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
index_template:
index_patterns:
description: Patterns for matching multiple indices or tables.
@@ -271,7 +325,7 @@ elasticsearch:
multiline: True
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
template:
settings:
index:
@@ -280,35 +334,35 @@ elasticsearch:
forcedType: int
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
mapping:
total_fields:
limit:
description: Max number of fields that can exist on a single index. Larger values will consume more resources.
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
refresh_interval:
description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
number_of_shards:
description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
sort:
field:
description: The field to sort by. Must set index_sorting to True.
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
order:
description: The order to sort by. Must set index_sorting to True.
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
mappings:
_meta:
package:
@@ -316,43 +370,43 @@ elasticsearch:
description: Meta settings for the mapping.
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
managed_by:
description: Meta settings for the mapping.
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
managed:
description: Meta settings for the mapping.
forcedType: bool
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
composed_of:
description: The index template is composed of these component templates.
forcedType: "[]string"
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
priority:
description: The priority of the index template.
forcedType: int
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
data_stream:
hidden:
description: Hide the data stream.
forcedType: bool
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
allow_custom_routing:
description: Allow custom routing for the data stream.
forcedType: bool
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
policy:
phases:
hot:
@@ -360,7 +414,7 @@ elasticsearch:
description: Minimum age of index. This determines when the index should be moved to the hot tier.
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
actions:
set_priority:
priority:
@@ -368,18 +422,18 @@ elasticsearch:
forcedType: int
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
rollover:
max_age:
description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
max_primary_shard_size:
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
shrink:
method:
description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -428,7 +482,7 @@ elasticsearch:
forcedType: string
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
actions:
set_priority:
priority:
@@ -436,18 +490,18 @@ elasticsearch:
forcedType: int
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
rollover:
max_age:
description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
max_primary_shard_size:
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
shrink:
method:
description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -501,7 +555,7 @@ elasticsearch:
forcedType: string
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
actions:
set_priority:
priority:
@@ -509,7 +563,7 @@ elasticsearch:
forcedType: int
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
allocate:
number_of_replicas:
description: Set the number of replicas. Remains the same as the previous phase by default.
@@ -523,25 +577,25 @@ elasticsearch:
forcedType: string
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
_meta:
package:
name:
description: Meta settings for the mapping.
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
managed_by:
description: Meta settings for the mapping.
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
managed:
description: Meta settings for the mapping.
forcedType: bool
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
so-logs-system_x_auth: *indexSettings
so-logs-system_x_syslog: *indexSettings
so-logs-system_x_system: *indexSettings
@@ -604,20 +658,21 @@ elasticsearch:
so-metrics-fleet_server_x_agent_status: &fleetMetricsSettings
index_sorting:
description: Sorts the index by event time, at the cost of additional processing resource consumption.
forcedType: bool
advanced: True
readonly: True
helpLink: elasticsearch.html
helpLink: elasticsearch
index_template:
ignore_missing_component_templates:
description: Ignore component templates if they aren't in Elasticsearch.
advanced: True
readonly: True
helpLink: elasticsearch.html
helpLink: elasticsearch
index_patterns:
description: Patterns for matching multiple indices or tables.
advanced: True
readonly: True
helpLink: elasticsearch.html
helpLink: elasticsearch
template:
settings:
index:
@@ -625,33 +680,35 @@ elasticsearch:
description: Type of mode used for this index. Time series indices can be used for metrics to reduce necessary storage.
advanced: True
readonly: True
helpLink: elasticsearch.html
helpLink: elasticsearch
number_of_replicas:
description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
advanced: True
readonly: True
helpLink: elasticsearch.html
helpLink: elasticsearch
composed_of:
description: The index template is composed of these component templates.
advanced: True
readonly: True
helpLink: elasticsearch.html
helpLink: elasticsearch
priority:
description: The priority of the index template.
advanced: True
readonly: True
helpLink: elasticsearch.html
helpLink: elasticsearch
data_stream:
hidden:
description: Hide the data stream.
forcedType: bool
advanced: True
readonly: True
helpLink: elasticsearch.html
helpLink: elasticsearch
allow_custom_routing:
description: Allow custom routing for the data stream.
forcedType: bool
advanced: True
readonly: True
helpLink: elasticsearch.html
helpLink: elasticsearch
so-metrics-fleet_server_x_agent_versions: *fleetMetricsSettings
so_roles:
so-manager: &soroleSettings
@@ -662,7 +719,7 @@ elasticsearch:
forcedType: "[]string"
global: False
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch
so-managersearch: *soroleSettings
so-standalone: *soroleSettings
so-searchnode: *soroleSettings

4
salt/firewall/init.sls
View File

@@ -27,14 +27,12 @@ iptables_config:
- source: salt://firewall/iptables.jinja
- template: jinja
{% if grains.os_family == 'RedHat' %}
disable_firewalld:
service.dead:
- name: firewalld
- enable: False
- require:
- file: iptables_config
{% endif %}
iptables_restore:
cmd.run:
@@ -44,7 +42,6 @@ iptables_restore:
- onlyif:
- iptables-restore --test {{ iptmap.configfile }}
{% if grains.os_family == 'RedHat' %}
enable_firewalld:
service.running:
- name: firewalld
@@ -52,7 +49,6 @@ enable_firewalld:
- onfail:
- file: iptables_config
- cmd: iptables_restore
{% endif %}
{% else %}

20
salt/firewall/ipt.map.jinja
View File

@@ -1,14 +1,6 @@
{% set iptmap = salt['grains.filter_by']({
'Debian': {
'service': 'netfilter-persistent',
'iptpkg': 'iptables',
'persistpkg': 'iptables-persistent',
'configfile': '/etc/iptables/rules.v4'
},
'RedHat': {
'service': 'iptables',
'iptpkg': 'iptables-nft',
'persistpkg': 'iptables-nft-services',
'configfile': '/etc/sysconfig/iptables'
},
}) %}
{% set iptmap = {
'service': 'iptables',
'iptpkg': 'iptables-nft',
'persistpkg': 'iptables-nft-services',
'configfile': '/etc/sysconfig/iptables'
} %}

18
salt/firewall/iptables.jinja
View File

@@ -1,5 +1,5 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'docker/docker.map.jinja' import DOCKER %}
{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
{%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
{%- set role = GLOBALS.role.split('-')[1] %}
{%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
@@ -8,9 +8,9 @@
{%- set D1 = [] %}
{%- set D2 = [] %}
{%- for container in NODE_CONTAINERS %}
{%- set IP = DOCKER.containers[container].ip %}
{%- if DOCKER.containers[container].port_bindings is defined %}
{%- for binding in DOCKER.containers[container].port_bindings %}
{%- set IP = DOCKERMERGED.containers[container].ip %}
{%- if DOCKERMERGED.containers[container].port_bindings is defined %}
{%- for binding in DOCKERMERGED.containers[container].port_bindings %}
{#- cant split int so we convert to string #}
{%- set binding = binding|string %}
{#- split the port binding by /. if proto not specified, default is tcp #}
@@ -33,13 +33,13 @@
{%- set hostPort = bsa[0] %}
{%- set containerPort = bsa[1] %}
{%- endif %}
{%- do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
{%- do PR.append("-A POSTROUTING -s " ~ DOCKERMERGED.containers[container].ip ~ "/32 -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
{%- if bindip | length and bindip != '0.0.0.0' %}
{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
{%- else %}
{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
{%- endif %}
{%- do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
{%- do D2.append("-A DOCKER -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
{%- endfor %}
{%- endif %}
{%- endfor %}
@@ -52,7 +52,7 @@
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE
-A POSTROUTING -s {{DOCKERMERGED.range}} ! -o sobridge -j MASQUERADE
{%- for rule in PR %}
{{ rule }}
{%- endfor %}

4
salt/firewall/map.jinja
View File

@@ -1,11 +1,11 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
{# add our ip to self #}
{% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
{# add dockernet range #}
{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %}
{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKERMERGED.range) %}
{% if GLOBALS.role == 'so-idh' %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}

16
salt/firewall/soc_firewall.yaml
View File

@@ -3,7 +3,7 @@ firewall:
analyst: &hostgroupsettings
description: List of IP or CIDR blocks to allow access to this hostgroup.
forcedType: "[]string"
helpLink: firewall.html
helpLink: firewall
multiline: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
@@ -11,7 +11,7 @@ firewall:
anywhere: &hostgroupsettingsadv
description: List of IP or CIDR blocks to allow access to this hostgroup.
forcedType: "[]string"
helpLink: firewall.html
helpLink: firewall
multiline: True
advanced: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
@@ -22,7 +22,7 @@ firewall:
dockernet: &ROhostgroupsettingsadv
description: List of IP or CIDR blocks to allow access to this hostgroup.
forcedType: "[]string"
helpLink: firewall.html
helpLink: firewall
multiline: True
advanced: True
readonly: True
@@ -53,7 +53,7 @@ firewall:
customhostgroup0: &customhostgroupsettings
description: List of IP or CIDR blocks to allow to this hostgroup.
forcedType: "[]string"
helpLink: firewall.html
helpLink: firewall
advanced: True
multiline: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
@@ -73,14 +73,14 @@ firewall:
tcp: &tcpsettings
description: List of TCP ports for this port group.
forcedType: "[]string"
helpLink: firewall.html
helpLink: firewall
advanced: True
multiline: True
duplicates: True
udp: &udpsettings
description: List of UDP ports for this port group.
forcedType: "[]string"
helpLink: firewall.html
helpLink: firewall
advanced: True
multiline: True
duplicates: True
@@ -206,7 +206,7 @@ firewall:
advanced: True
multiline: True
forcedType: "[]string"
helpLink: firewall.html
helpLink: firewall
duplicates: True
sensor:
portgroups: *portgroupsdocker
@@ -262,7 +262,7 @@ firewall:
advanced: True
multiline: True
forcedType: "[]string"
helpLink: firewall.html
helpLink: firewall
duplicates: True
dockernet:
portgroups: *portgroupshost

4
salt/host/soc_host.yaml
View File

@@ -1,7 +1,7 @@
host:
mainint:
description: Main interface of the grid host.
helpLink: host.html
helpLink: ip-address
mainip:
description: Main IP address of the grid host.
helpLink: host.html
helpLink: ip-address

26
salt/hydra/enabled.sls
View File

@@ -11,7 +11,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if 'api' in salt['pillar.get']('features', []) %}
@@ -26,32 +26,38 @@ so-hydra:
- name: so-hydra
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-hydra'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-hydra'].ip }}
- binds:
- /opt/so/conf/hydra/:/hydra-conf:ro
- /opt/so/log/hydra/:/hydra-log:rw
- /nsm/hydra/db:/hydra-data:rw
{% if DOCKER.containers['so-hydra'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-hydra'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-hydra'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKER.containers['so-hydra'].extra_hosts %}
{% if DOCKERMERGED.containers['so-hydra'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-hydra'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-hydra'].extra_env %}
{% if DOCKERMERGED.containers['so-hydra'].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-hydra'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-hydra'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- restart_policy: unless-stopped
- watch:
- file: hydraconfig
@@ -67,7 +73,7 @@ delete_so-hydra_so-status.disabled:
wait_for_hydra:
http.wait_for_successful_query:
- name: 'http://{{ GLOBALS.manager }}:4444/'
- name: 'http://{{ GLOBALS.manager }}:4444/health/alive'
- ssl: True
- verify_ssl: False
- status:

13
salt/hydra/soc_hydra.yaml
View File

@@ -1,7 +1,8 @@
hydra:
enabled:
description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False.
helpLink: connect.html
description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False.
forcedType: bool
helpLink: connect-api
global: True
config:
ttl:
@@ -9,16 +10,16 @@ hydra:
description: Amount of time that the generated access token will be valid. Specified in the form of 2h, which means 2 hours.
global: True
forcedType: string
helpLink: connect.html
helpLink: connect-api
log:
level:
description: Log level to use for Kratos logs.
global: True
helpLink: connect.html
helpLink: connect-api
format:
description: Log output format for Kratos logs.
global: True
helpLink: connect.html
helpLink: connect-api
secrets:
system:
description: Secrets used for token generation. Generated during installation.
@@ -26,4 +27,4 @@ hydra:
sensitive: True
advanced: True
forcedType: "[]string"
helpLink: connect.html
helpLink: connect-api

20
salt/idh/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
include:
- idh.config
@@ -22,23 +22,29 @@ so-idh:
- /nsm/idh:/var/tmp:rw
- /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
- /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
{% if DOCKER.containers['so-idh'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-idh'].extra_hosts %}
{% if DOCKERMERGED.containers['so-idh'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-idh'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-idh'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-idh'].extra_env %}
{% if DOCKERMERGED.containers['so-idh'].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-idh'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-idh'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-idh'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: opencanary_config
- require:

2
salt/idh/openssh/config.sls
View File

@@ -3,7 +3,6 @@
include:
- idh.openssh
{% if grains.os_family == 'RedHat' %}
idh_sshd_selinux:
selinux.port_policy_present:
- port: {{ openssh_map.config.port }}
@@ -13,7 +12,6 @@ idh_sshd_selinux:
- file: openssh_config
- require:
- pkg: python_selinux_mgmt_tools
{% endif %}
openssh_config:
file.replace:

2
salt/idh/openssh/init.sls
View File

@@ -16,8 +16,6 @@ openssh:
- name: {{ openssh_map.service }}
{% endif %}
{% if grains.os_family == 'RedHat' %}
python_selinux_mgmt_tools:
pkg.installed:
- name: policycoreutils-python-utils
{% endif %}

49
salt/idh/soc_idh.yaml
View File

@@ -1,7 +1,12 @@
idh:
enabled:
description: Enables or disables the Intrusion Detection Honeypot (IDH) process.
helpLink: idh.html
description: Enables or disables the Intrusion Detection Honeypot (IDH) process.
forcedType: bool
helpLink: idh
restrict_management_ip:
description: Restricts management IP access to the IDH node.
forcedType: bool
helpLink: idh
opencanary:
config:
logger:
@@ -10,7 +15,7 @@ idh:
readonly: True
advanced: True
global: True
helpLink: idh.html
helpLink: idh
kwargs:
formatters:
plain:
@@ -24,53 +29,54 @@ idh:
filename: *loggingOptions
portscan_x_enabled: &serviceOptions
description: To enable this opencanary module, set this value to true. To disable set to false. This option only applies to IDH nodes within your grid.
helpLink: idh.html
forcedType: bool
helpLink: idh
portscan_x_logfile: *loggingOptions
portscan_x_synrate:
description: Portscan - syn rate limiting
advanced: True
helpLink: idh.html
helpLink: idh
portscan_x_nmaposrate:
description: Portscan - nmap OS rate limiting
advanced: True
helpLink: idh.html
helpLink: idh
portscan_x_lorate:
description: Portscan - lo rate limiting
advanced: True
helpLink: idh.html
helpLink: idh
tcpbanner_x_maxnum:
description: Portscan - maxnum
advanced: True
helpLink: idh.html
helpLink: idh
tcpbanner_x_enabled: *serviceOptions
tcpbanner_1_x_enabled: *serviceOptions
tcpbanner_1_x_port: &portOptions
description: Port the service should listen on.
advanced: True
helpLink: idh.html
helpLink: idh
tcpbanner_1_x_datareceivedbanner: &bannerOptions
description: Data Received Banner
advanced: True
helpLink: idh.html
helpLink: idh
tcpbanner_1_x_initbanner: *bannerOptions
tcpbanner_1_x_alertstring_x_enabled: *serviceOptions
tcpbanner_1_x_keep_alive_x_enabled: *serviceOptions
tcpbanner_1_x_keep_alive_secret:
description: Keep Alive Secret
advanced: True
helpLink: idh.html
helpLink: idh
tcpbanner_1_x_keep_alive_probes:
description: Keep Alive Probes
advanced: True
helpLink: idh.html
helpLink: idh
tcpbanner_1_x_keep_alive_interval:
description: Keep Alive Interval
advanced: True
helpLink: idh.html
helpLink: idh
tcpbanner_1_x_keep_alive_idle:
description: Keep Alive Idle
advanced: True
helpLink: idh.html
helpLink: idh
ftp_x_enabled: *serviceOptions
ftp_x_port: *portOptions
ftp_x_banner: *bannerOptions
@@ -82,11 +88,11 @@ idh:
http_x_skin: &skinOptions
description: HTTP skin
advanced: True
helpLink: idh.html
helpLink: idh
http_x_skinlist: &skinlistOptions
description: List of skins to use for the service.
advanced: True
helpLink: idh.html
helpLink: idh
httpproxy_x_enabled: *serviceOptions
httpproxy_x_port: *portOptions
httpproxy_x_skin: *skinOptions
@@ -95,7 +101,7 @@ idh:
mssql_x_version: &versionOptions
description: Specify the version the service should present.
advanced: True
helpLink: idh.html
helpLink: idh
mssql_x_port: *portOptions
mysql_x_enabled: *serviceOptions
mysql_x_port: *portOptions
@@ -119,16 +125,17 @@ idh:
telnet_x_honeycreds:
description: Credentials list for the telnet service.
advanced: True
helpLink: idh.html
helpLink: idh
tftp_x_enabled: *serviceOptions
tftp_x_port: *portOptions
vnc_x_enabled: *serviceOptions
vnc_x_port: *portOptions
openssh:
enable:
enable:
description: This is the real SSH service for the host machine.
helpLink: idh.html
forcedType: bool
helpLink: idh
config:
port:
description: Port that the real SSH service will listen on and will only be accessible from the manager.
helpLink: idh.html
helpLink: idh

24
salt/influxdb/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
{% set TOKEN = salt['pillar.get']('influxdb:token') %}
@@ -21,7 +21,7 @@ so-influxdb:
- hostname: influxdb
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-influxdb'].ip }}
- environment:
- INFLUXD_CONFIG_PATH=/conf/config.yaml
- INFLUXDB_HTTP_LOG_ENABLED=false
@@ -31,8 +31,8 @@ so-influxdb:
- DOCKER_INFLUXDB_INIT_ORG=Security Onion
- DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
- DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
{% if DOCKER.containers['so-influxdb'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-influxdb'].extra_env %}
{% if DOCKERMERGED.containers['so-influxdb'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-influxdb'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
@@ -43,21 +43,27 @@ so-influxdb:
- /nsm/influxdb:/var/lib/influxdb2:rw
- /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
- /etc/pki/influxdb.key:/conf/influxdb.key:ro
{% if DOCKER.containers['so-influxdb'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-influxdb'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-influxdb'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKER.containers['so-influxdb'].extra_hosts %}
{% if DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-influxdb'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-influxdb'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: influxdbconf
- x509: influxdb_key

160
salt/influxdb/soc_influxdb.yaml
View File

@@ -1,358 +1,372 @@
influxdb:
enabled:
description: Enables the grid metrics collection storage system. Security Onion grid health monitoring requires this process to remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results.
helpLink: influxdb.html
forcedType: bool
helpLink: influxdb
config:
assets-path:
description: Path to the InfluxDB user interface assets located inside the so-influxdb container.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
bolt-path:
description: Path to the bolt DB file located inside the so-influxdb container.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
engine-path:
description: Path to the engine directory located inside the so-influxdb container. This directory stores the time series data.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
feature-flags:
description: List of key=value flags to enable.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
flux-log-enabled:
description: Controls whether detailed flux query logging is enabled.
forcedType: bool
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
hardening-enabled:
description: If true, enforces outbound connections from the InfluxDB process must never attempt to reach an internal, private network address.
forcedType: bool
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
http-bind-address:
description: The URL and port on which InfluxDB will listen for new connections.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
http-idle-timeout:
description: Keep-alive timeout while a connection waits for new requests. A value of 0 is the same as no timeout enforced.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
http-read-header-timeout:
description: The duration to wait for a request header before closing the connection. A value of 0 is the same as no timeout enforced.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
http-read-timeout:
description: The duration to wait for the request to be fully read before closing the connection. A value of 0 is the same as no timeout enforced.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
http-write-timeout:
description: The duration to wait for the response to be fully written before closing the connection. A value of 0 is the same as no timeout enforced.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
influxql-max-select-buckets:
description: Maximum number of group-by clauses in a SELECT statement. A value of 0 is the same as unlimited.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
influxql-max-select-point:
description: Maximum number of points that can be queried in a SELECT statement. A value of 0 is the same as unlimited.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
influxql-max-select-series:
description: Maximum number of series that can be returned in a SELECT statement. A value of 0 is the same as unlimited.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
instance-id:
description: Unique instance ID for this server, to avoid collisions in a replicated cluster.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
log-level:
description: The log level to use for outputting log statements. Allowed values are debug, info, or error.
global: True
advanced: false
regex: ^(info|debug|error)$
helpLink: influxdb.html
helpLink: influxdb
metrics-disabled:
description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible.
forcedType: bool
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
no-tasks:
description: If true, the task system will not process any queued tasks. Useful for troubleshooting startup problems.
forcedType: bool
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
pprof-disabled:
description: If true, the profiling data HTTP endpoint will be inaccessible.
forcedType: bool
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
query-concurrency:
description: Maximum number of queries to execute concurrently. A value of 0 is the same as unlimited.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
query-initial-memory-bytes:
description: The initial number of bytes of memory to allocate for a new query.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
query-max-memory-bytes:
description: The number of bytes of memory to allocate to all running queries. Should typically be the query bytes times the max concurrent queries.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
query-memory-bytes:
description: Maximum number of bytes of memory to allocate to a query.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
query-queue-size:
description: Maximum number of queries that can be queued at one time. If this value is reached, new queries will not be queued. A value of 0 is the same as unlimited.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
reporting-disabled:
description: If true, prevents InfluxDB from sending telemetry updates to InfluxData's servers.
forcedType: bool
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
secret-store:
description: Determines the type of storage used for secrets. Allowed values are bolt or vault.
global: True
advanced: True
regex: ^(bolt|vault)$
helpLink: influxdb.html
helpLink: influxdb
session-length:
description: Number of minutes that a user login session can remain authenticated.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
session-renew-disabled:
description: If true, user login sessions will renew after each request.
forcedType: bool
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
sqlite-path:
description: Path to the Sqlite3 database inside the container. This database stored user data and other information about the database.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-cache-max-memory-size:
description: Maximum number of bytes to allocate to cache data per shard. If exceeded, new data writes will be rejected.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-cache-snapshot-memory-size:
description: Number of bytes to allocate to cache snapshot data. When the cache reaches this size, it will be written to disk to increase available memory.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-cache-snapshot-write-cold-duration:
description: Duration between snapshot writes to disk when the shard data hasn't been modified.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-compact-full-write-cold-duration:
description: Duration between shard compactions when the shard data hasn't been modified.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-compact-throughput-burst:
description: Maximum throughput (number of bytes per second) that compactions be written to disk.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-max-concurrent-compactions:
description: Maximum number of concurrent compactions. A value of 0 is the same as half the available CPU processors (procs).
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-max-index-log-file-size:
description: Maximum number of bytes of a write-ahead log (WAL) file before it will be compacted into an index on disk.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-no-validate-field-size:
description: If true, incoming requests will skip the field size validation.
forcedType: bool
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-retention-check-interval:
description: Interval between reviewing each bucket's retention policy and the age of the associated data.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-series-file-max-concurrent-snapshot-compactions:
description: Maximum number of concurrent snapshot compactions across all database partitions.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-series-id-set-cache-size:
description: Maximum size of the series cache results. Higher values may increase performance for repeated data lookups.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-shard-precreator-advance-period:
description: The duration before a successor shard group is created after the end-time has been reached.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-shard-precreator-check-interval:
description: Interval between checking if new shards should be created.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-tsm-use-madv-willneed:
description: If true, InfluxDB will manage TSM memory paging.
forcedType: bool
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-validate-keys:
description: If true, validates incoming requests for supported characters.
forcedType: bool
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-wal-fsync-delay:
description: Duration to wait before calling fsync. Useful for handling conflicts on slower disks.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-wal-max-concurrent-writes:
description: Maximum number of concurrent write-ahead log (WAL) writes to disk. The value of 0 is the same as CPU processors (procs) x 2.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-wal-max-write-delay:
description: Maximum duration to wait before writing the write-ahead log (WAL) to disk, when the concurrency limit has been exceeded. A value of 0 is the same as no timeout.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
storage-write-timeout:
description: Maximum time to wait for a write-ahead log (WAL) to write to disk before aborting.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
store:
description: The type of data store to use for HTTP resources. Allowed values are disk or memory. Memory should not be used for production Security Onion installations.
global: True
advanced: True
regex: ^(disk|memory)$
helpLink: influxdb.html
helpLink: influxdb
tls-cert:
description: The container path to the certificate to use for TLS encryption of the HTTP requests and responses.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
tls-key:
description: The container path to the certificate key to use for TLS encryption of the HTTP requests and responses.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
tls-min-version:
description: The minimum supported version of TLS to be enforced on all incoming HTTP requests.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
tls-strict-ciphers:
description: If true, the allowed ciphers used with TLS connections are ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_256_GCM_SHA384, or RSA_WITH_AES_256_CBC_SHA.
forcedType: bool
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
tracing-type:
description: The tracing format for debugging purposes. Allowed values are log or jaeger, or leave blank to disable tracing.
global: True
advanced: True
helpLink: influxdb.html
ui-disabled:
helpLink: influxdb
ui-disabled:
description: If true, the InfluxDB HTTP user interface will be disabled. This will prevent use of the included InfluxDB dashboard visualizations.
forcedType: bool
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
vault-addr:
description: Vault server address.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
vault-cacert:
description: Path to the Vault's single certificate authority certificate file within the container.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
vault-capath:
description: Path to the Vault's certificate authority directory within the container.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
vault-client-cert:
description: Vault client certificate path within the container.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
vault-client-key:
description: Vault client certificate key path within the container.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
vault-client-timeout:
description: Duration to wait for a response from the Vault server before aborting.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
vault-max-retries:
description: Maximum number of retries when attempting to contact the Vault server. A value of 0 is the same as disabling retries.
global: True
advanced: True
helpLink: influxdb.html
vault-skip-verify:
helpLink: influxdb
vault-skip-verify:
description: Skip certification validation of the Vault server.
forcedType: bool
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
vault-tls-server-name:
description: SNI host to specify when using TLS to connect to the Vault server.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
vault-token:
description: Vault token used for authentication.
global: True
advanced: True
helpLink: influxdb.html
helpLink: influxdb
buckets:
so_short_term:
duration:
description: Amount of time (in seconds) to keep short term data.
global: True
helpLink: influxdb.html
helpLink: influxdb
shard_duration:
description: Amount of the time (in seconds) range covered by the shard group.
global: True
helpLink: influxdb.html
helpLink: influxdb
so_long_term:
duration:
description: Amount of time (in seconds) to keep long term downsampled data.
global: True
helpLink: influxdb.html
helpLink: influxdb
shard_duration:
description: Amount of the time (in seconds) range covered by the shard group.
global: True
helpLink: influxdb.html
helpLink: influxdb
downsample:
so_long_term:
resolution:
description: Amount of time to turn into a single data point.
global: True
helpLink: influxdb.html
helpLink: influxdb

18
salt/kafka/enabled.sls
View File

@@ -12,7 +12,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% set KAFKANODES = salt['pillar.get']('kafka:nodes') %}
{% set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %}
{% if 'gmd' in salt['pillar.get']('features', []) %}
@@ -31,22 +31,22 @@ so-kafka:
- name: so-kafka
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-kafka'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-kafka'].ip }}
- user: kafka
- environment:
KAFKA_HEAP_OPTS: -Xmx2G -Xms1G
KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKER.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKERMERGED.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
- extra_hosts:
{% for node in KAFKANODES %}
- {{ node }}:{{ KAFKANODES[node].ip }}
{% endfor %}
{% if DOCKER.containers['so-kafka'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-kafka'].extra_hosts %}
{% if DOCKERMERGED.containers['so-kafka'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-kafka'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-kafka'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-kafka'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -60,6 +60,12 @@ so-kafka:
{% if KAFKA_EXTERNAL_ACCESS %}
- /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
{% endif %}
{% if DOCKERMERGED.containers['so-kafka'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
{% for sc in ['server', 'client'] %}
- file: kafka_kraft_{{sc}}_properties

107
salt/kafka/soc_kafka.yaml
View File

@@ -1,257 +1,258 @@
kafka:
enabled:
description: Set to True to enable Kafka. To avoid grid problems, do not enable Kafka until the related configuration is in place. Requires a valid Security Onion license key.
helpLink: kafka.html
forcedType: bool
helpLink: kafka
cluster_id:
description: The ID of the Kafka cluster.
readonly: True
advanced: True
sensitive: True
helpLink: kafka.html
helpLink: kafka
controllers:
description: A comma-separated list of hostnames that will act as Kafka controllers. These hosts will be responsible for managing the Kafka cluster. Note that only manager and receiver nodes are eligible to run Kafka. This configuration needs to be set before enabling Kafka. Failure to do so may result in Kafka topics becoming unavailable requiring manual intervention to restore functionality or reset Kafka, either of which can result in data loss.
forcedType: string
helpLink: kafka.html
helpLink: kafka
reset:
description: Disable and reset the Kafka cluster. This will remove all Kafka data including logs that may have not yet been ingested into Elasticsearch and reverts the grid to using REDIS as the global pipeline. This is useful when testing different Kafka configurations such as rearranging Kafka brokers / controllers allowing you to reset the cluster rather than manually fixing any issues arising from attempting to reassign a Kafka broker into a controller. Enter 'YES_RESET_KAFKA' and submit to disable and reset Kafka. Make any configuration changes required and re-enable Kafka when ready. This action CANNOT be reversed.
advanced: True
helpLink: kafka.html
helpLink: kafka
logstash:
description: By default logstash is disabled when Kafka is enabled. This option allows you to specify any hosts you would like to re-enable logstash on alongside Kafka.
forcedType: "[]string"
multiline: True
advanced: True
helpLink: kafka.html
helpLink: kafka
config:
password:
description: The password used for the Kafka certificates.
readonly: True
sensitive: True
helpLink: kafka.html
helpLink: kafka
trustpass:
description: The password used for the Kafka truststore.
readonly: True
sensitive: True
helpLink: kafka.html
helpLink: kafka
broker:
auto_x_create_x_topics_x_enable:
description: Enable the auto creation of topics.
title: auto.create.topics.enable
forcedType: bool
helpLink: kafka.html
helpLink: kafka
default_x_replication_x_factor:
description: The default replication factor for automatically created topics. This value must be less than the amount of brokers in the cluster. Hosts specified in controllers should not be counted towards total broker count.
title: default.replication.factor
forcedType: int
helpLink: kafka.html
helpLink: kafka
inter_x_broker_x_listener_x_name:
description: The name of the listener used for inter-broker communication.
title: inter.broker.listener.name
helpLink: kafka.html
helpLink: kafka
listeners:
description: Set of URIs that is listened on and the listener names in a comma-seperated list.
helpLink: kafka.html
helpLink: kafka
listener_x_security_x_protocol_x_map:
description: Comma-seperated mapping of listener name and security protocols.
title: listener.security.protocol.map
helpLink: kafka.html
helpLink: kafka
log_x_dirs:
description: Where Kafka logs are stored within the Docker container.
title: log.dirs
helpLink: kafka.html
helpLink: kafka
log_x_retention_x_check_x_interval_x_ms:
description: Frequency at which log files are checked if they are qualified for deletion.
title: log.retention.check.interval.ms
helpLink: kafka.html
helpLink: kafka
log_x_retention_x_hours:
description: How long, in hours, a log file is kept.
title: log.retention.hours
forcedType: int
helpLink: kafka.html
helpLink: kafka
log_x_segment_x_bytes:
description: The maximum allowable size for a log file.
title: log.segment.bytes
forcedType: int
helpLink: kafka.html
helpLink: kafka
num_x_io_x_threads:
description: The number of threads used by Kafka.
title: num.io.threads
forcedType: int
helpLink: kafka.html
helpLink: kafka
num_x_network_x_threads:
description: The number of threads used for network communication.
title: num.network.threads
forcedType: int
helpLink: kafka.html
helpLink: kafka
num_x_partitions:
description: The number of log partitions assigned per topic.
title: num.partitions
forcedType: int
helpLink: kafka.html
helpLink: kafka
num_x_recovery_x_threads_x_per_x_data_x_dir:
description: The number of threads used for log recuperation at startup and purging at shutdown. This ammount of threads is used per data directory.
title: num.recovery.threads.per.data.dir
forcedType: int
helpLink: kafka.html
helpLink: kafka
offsets_x_topic_x_replication_x_factor:
description: The offsets topic replication factor.
title: offsets.topic.replication.factor
forcedType: int
helpLink: kafka.html
helpLink: kafka
process_x_roles:
description: The role performed by Kafka brokers.
title: process.roles
readonly: True
helpLink: kafka.html
helpLink: kafka
socket_x_receive_x_buffer_x_bytes:
description: Size, in bytes of the SO_RCVBUF buffer. A value of -1 will use the OS default.
title: socket.receive.buffer.bytes
#forcedType: int - soc needs to allow -1 as an int before we can use this
helpLink: kafka.html
helpLink: kafka
socket_x_request_x_max_x_bytes:
description: The maximum bytes allowed for a request to the socket.
title: socket.request.max.bytes
forcedType: int
helpLink: kafka.html
helpLink: kafka
socket_x_send_x_buffer_x_bytes:
description: Size, in bytes of the SO_SNDBUF buffer. A value of -1 will use the OS default.
title: socket.send.buffer.byte
#forcedType: int - soc needs to allow -1 as an int before we can use this
helpLink: kafka.html
helpLink: kafka
ssl_x_keystore_x_location:
description: The key store file location within the Docker container.
title: ssl.keystore.location
helpLink: kafka.html
helpLink: kafka
ssl_x_keystore_x_password:
description: The key store file password. Invalid for PEM format.
title: ssl.keystore.password
sensitive: True
helpLink: kafka.html
helpLink: kafka
ssl_x_keystore_x_type:
description: The key store file format.
title: ssl.keystore.type
regex: ^(JKS|PKCS12|PEM)$
helpLink: kafka.html
helpLink: kafka
ssl_x_truststore_x_location:
description: The trust store file location within the Docker container.
title: ssl.truststore.location
helpLink: kafka.html
helpLink: kafka
ssl_x_truststore_x_type:
description: The trust store file format.
title: ssl.truststore.type
helpLink: kafka.html
helpLink: kafka
ssl_x_truststore_x_password:
description: The trust store file password. If null, the trust store file is still use, but integrity checking is disabled. Invalid for PEM format.
title: ssl.truststore.password
sensitive: True
helpLink: kafka.html
helpLink: kafka
transaction_x_state_x_log_x_min_x_isr:
description: Overrides min.insync.replicas for the transaction topic. When a producer configures acks to "all" (or "-1"), this setting determines the minimum number of replicas required to acknowledge a write as successful. Failure to meet this minimum triggers an exception (either NotEnoughReplicas or NotEnoughReplicasAfterAppend). When used in conjunction, min.insync.replicas and acks enable stronger durability guarantees. For instance, creating a topic with a replication factor of 3, setting min.insync.replicas to 2, and using acks of "all" ensures that the producer raises an exception if a majority of replicas fail to receive a write.
title: transaction.state.log.min.isr
forcedType: int
helpLink: kafka.html
helpLink: kafka
transaction_x_state_x_log_x_replication_x_factor:
description: Set the replication factor higher for the transaction topic to ensure availability. Internal topic creation will not proceed until the cluster size satisfies this replication factor prerequisite.
title: transaction.state.log.replication.factor
forcedType: int
helpLink: kafka.html
helpLink: kafka
client:
security_x_protocol:
description: 'Broker communication protocol. Options are: SASL_SSL, PLAINTEXT, SSL, SASL_PLAINTEXT'
title: security.protocol
regex: ^(SASL_SSL|PLAINTEXT|SSL|SASL_PLAINTEXT)
helpLink: kafka.html
helpLink: kafka
ssl_x_keystore_x_location:
description: The key store file location within the Docker container.
title: ssl.keystore.location
helpLink: kafka.html
helpLink: kafka
ssl_x_keystore_x_password:
description: The key store file password. Invalid for PEM format.
title: ssl.keystore.password
sensitive: True
helpLink: kafka.html
helpLink: kafka
ssl_x_keystore_x_type:
description: The key store file format.
title: ssl.keystore.type
regex: ^(JKS|PKCS12|PEM)$
helpLink: kafka.html
helpLink: kafka
ssl_x_truststore_x_location:
description: The trust store file location within the Docker container.
title: ssl.truststore.location
helpLink: kafka.html
helpLink: kafka
ssl_x_truststore_x_type:
description: The trust store file format.
title: ssl.truststore.type
helpLink: kafka.html
helpLink: kafka
ssl_x_truststore_x_password:
description: The trust store file password. If null, the trust store file is still use, but integrity checking is disabled. Invalid for PEM format.
title: ssl.truststore.password
sensitive: True
helpLink: kafka.html
helpLink: kafka
controller:
controller_x_listener_x_names:
description: Set listeners used by the controller in a comma-seperated list.
title: controller.listener.names
helpLink: kafka.html
helpLink: kafka
listeners:
description: Set of URIs that is listened on and the listener names in a comma-seperated list.
helpLink: kafka.html
helpLink: kafka
listener_x_security_x_protocol_x_map:
description: Comma-seperated mapping of listener name and security protocols.
title: listener.security.protocol.map
helpLink: kafka.html
helpLink: kafka
log_x_dirs:
description: Where Kafka logs are stored within the Docker container.
title: log.dirs
helpLink: kafka.html
helpLink: kafka
log_x_retention_x_check_x_interval_x_ms:
description: Frequency at which log files are checked if they are qualified for deletion.
title: log.retention.check.interval.ms
helpLink: kafka.html
helpLink: kafka
log_x_retention_x_hours:
description: How long, in hours, a log file is kept.
title: log.retention.hours
forcedType: int
helpLink: kafka.html
helpLink: kafka
log_x_segment_x_bytes:
description: The maximum allowable size for a log file.
title: log.segment.bytes
forcedType: int
helpLink: kafka.html
helpLink: kafka
process_x_roles:
description: The role performed by controller node.
title: process.roles
readonly: True
helpLink: kafka.html
helpLink: kafka
external_access:
enabled:
description: Enables or disables access to Kafka topics using user/password authentication. Used for producing / consuming messages via an external client.
forcedType: bool
helpLink: kafka.html
helpLink: kafka
listeners:
description: Set of URIs that is listened on and the listener names in a comma-seperated list.
title: listeners
readonly: True
advanced: True
helpLink: kafka.html
helpLink: kafka
listener_x_security_x_protocol_x_map:
description: External listener name and mapped security protocol.
title: listener.security.protocol.map
readonly: True
advanced: True
helpLink: kafka.html
helpLink: kafka
sasl_x_enabled_x_mechanisms:
description: SASL/PLAIN is a simple username/password authentication mechanism, used with TLS to implement secure authentication.
title: sasl.enabled.mechanisms
readonly: True
advanced: True
helpLink: kafka.html
helpLink: kafka
sasl_x_mechanism_x_inter_x_broker_x_protocol:
description: SASL mechanism used for inter-broker communication
title: sasl.mechanism.inter.broker.protocol
readonly: True
advanced: True
helpLink: kafka.html
helpLink: kafka
remote_users:
user01: &remote_user
username:

24
salt/kibana/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -20,20 +20,20 @@ so-kibana:
- user: kibana
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-kibana'].ip }}
- environment:
- ELASTICSEARCH_HOST={{ GLOBALS.manager }}
- ELASTICSEARCH_PORT=9200
- MANAGER={{ GLOBALS.manager }}
{% if DOCKER.containers['so-kibana'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-kibana'].extra_env %}
{% if DOCKERMERGED.containers['so-kibana'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-kibana'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKER.containers['so-kibana'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-kibana'].extra_hosts %}
{% if DOCKERMERGED.containers['so-kibana'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-kibana'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
@@ -42,15 +42,21 @@ so-kibana:
- /opt/so/log/kibana:/var/log/kibana:rw
- /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
- /sys/fs/cgroup:/sys/fs/cgroup:ro
{% if DOCKER.containers['so-kibana'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-kibana'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-kibana'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: kibanaconfig

1
salt/kibana/map.jinja
View File

@@ -5,7 +5,6 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'kibana/defaults.yaml' as KIBANADEFAULTS with context %}
{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
{% do KIBANADEFAULTS.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %}
{% do KIBANADEFAULTS.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %}

25
salt/kibana/so_dashboard_load.sls
View File

@@ -3,7 +3,6 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
include:
- kibana.enabled
@@ -29,27 +28,3 @@ so-kibana-dashboard-load:
- require:
- sls: kibana.enabled
- file: dashboard_saved_objects_template
{%- if HIGHLANDER %}
dashboard_saved_objects_template_hl:
file.managed:
- name: /opt/so/conf/kibana/hl.ndjson.template
- source: salt://kibana/files/hl.ndjson
- user: 932
- group: 939
- show_changes: False
dashboard_saved_objects_hl_changes:
file.absent:
- names:
- /opt/so/state/kibana_hl.txt
- onchanges:
- file: dashboard_saved_objects_template_hl
so-kibana-dashboard-load_hl:
cmd.run:
- name: /usr/sbin/so-kibana-config-load -i /opt/so/conf/kibana/hl.ndjson.template
- cwd: /opt/so
- require:
- sls: kibana.enabled
- file: dashboard_saved_objects_template_hl
{%- endif %}

42
salt/kibana/soc_kibana.yaml
View File

@@ -1,10 +1,46 @@
kibana:
enabled:
enabled:
description: Enables or disables the Kibana front-end interface to Elasticsearch. Due to Kibana being used for loading certain configuration details in Elasticsearch, this process should remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results.
helpLink: kibana.html
forcedType: bool
helpLink: kibana
config:
server:
rewriteBasePath:
description: Specifies whether Kibana should rewrite requests that are prefixed with the server basePath.
forcedType: bool
global: True
advanced: True
helpLink: kibana
elasticsearch:
requestTimeout:
description: The length of time before the request reaches timeout.
global: True
helpLink: kibana.html
helpLink: kibana
telemetry:
enabled:
description: Enables or disables telemetry data collection in Kibana.
forcedType: bool
global: True
advanced: True
helpLink: kibana
xpack:
security:
secureCookies:
description: Sets the secure flag on session cookies. Cookies are only sent over HTTPS when enabled.
forcedType: bool
global: True
advanced: True
helpLink: kibana
showInsecureClusterWarning:
description: Shows a warning in Kibana when the cluster does not have security enabled.
forcedType: bool
global: True
advanced: True
helpLink: kibana
apm:
enabled:
description: Enables or disables the APM agent in Kibana.
forcedType: bool
global: True
advanced: True
helpLink: kibana

7
salt/kibana/tools/sbin_jinja/so-kibana-space-defaults
View File

@@ -1,6 +1,5 @@
#!/bin/bash
. /usr/sbin/so-common
{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
## This hackery will be removed if using Elastic Auth ##
@@ -9,10 +8,6 @@ SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http:
# Disable certain Features from showing up in the Kibana UI
echo
echo "Setting up default Space:"
{% if HIGHLANDER %}
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log
{% else %}
echo "Setting up default Kibana Space:"
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV3","inventory","dataQuality","searchSynonyms","enterpriseSearchApplications","enterpriseSearchAnalytics","securitySolutionTimeline","securitySolutionNotes","entityManager"]} ' >> /opt/so/log/kibana/misc.log
{% endif %}
echo

24
salt/kratos/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -19,32 +19,38 @@ so-kratos:
- name: so-kratos
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-kratos'].ip }}
- binds:
- /opt/so/conf/kratos/:/kratos-conf:ro
- /opt/so/log/kratos/:/kratos-log:rw
- /nsm/kratos/db:/kratos-data:rw
{% if DOCKER.containers['so-kratos'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-kratos'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-kratos'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKER.containers['so-kratos'].extra_hosts %}
{% if DOCKERMERGED.containers['so-kratos'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-kratos'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-kratos'].extra_env %}
{% if DOCKERMERGED.containers['so-kratos'].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-kratos'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-kratos'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- restart_policy: unless-stopped
- watch:
- file: kratosschema

104
salt/kratos/soc_kratos.yaml
View File

@@ -1,88 +1,91 @@
kratos:
enabled:
description: Enables or disables the Kratos authentication system. WARNING - Disabling this process will cause the grid to malfunction. Re-enabling this setting will require manual effort via SSH.
forcedType: bool
advanced: True
helpLink: kratos.html
helpLink: kratos
oidc:
enabled:
enabled:
description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key.
forcedType: bool
global: True
helpLink: oidc.html
helpLink: oidc
config:
id:
description: Customize the OIDC provider name. This name appears on the login page. Required. It is strongly recommended to leave this to the default value, unless you are aware of the other configuration pieces that will be affected by changing it.
global: True
forcedType: string
helpLink: oidc.html
helpLink: oidc
provider:
description: "Specify the provider type. Required. Valid values are: auth0, generic, github, google, microsoft"
global: True
forcedType: string
regex: "auth0|generic|github|google|microsoft"
regexFailureMessage: "Valid values are: auth0, generic, github, google, microsoft"
helpLink: oidc.html
helpLink: oidc
client_id:
description: Specify the client ID, also referenced as the application ID. Required.
global: True
forcedType: string
helpLink: oidc.html
helpLink: oidc
client_secret:
description: Specify the client secret. Required.
global: True
forcedType: string
helpLink: oidc.html
helpLink: oidc
microsoft_tenant:
description: Specify the Microsoft Active Directory Tenant ID. Required when provider is 'microsoft'.
global: True
forcedType: string
helpLink: oidc.html
helpLink: oidc
subject_source:
description: The source of the subject identifier. Typically 'userinfo'. Only used when provider is 'microsoft'.
global: True
forcedType: string
regex: me|userinfo
regexFailureMessage: "Valid values are: me, userinfo"
helpLink: oidc.html
helpLink: oidc
auth_url:
description: Provider's auth URL. Required when provider is 'generic'.
global: True
forcedType: string
helpLink: oidc.html
helpLink: oidc
issuer_url:
description: Provider's issuer URL. Required when provider is 'auth0' or 'generic'.
global: True
forcedType: string
helpLink: oidc.html
helpLink: oidc
mapper_url:
description: A file path or URL in Jsonnet format, used to map OIDC claims to the Kratos schema. Defaults to an included file that maps the email claim. Note that the contents of the included file can be customized via the "OIDC Claims Mapping" setting.
advanced: True
global: True
forcedType: string
helpLink: oidc.html
helpLink: oidc
token_url:
description: Provider's token URL. Required when provider is 'generic'.
global: True
forcedType: string
helpLink: oidc.html
helpLink: oidc
scope:
description: List of scoped data categories to request in the authentication response. Typically 'email' and 'profile' are the minimum required scopes. However, GitHub requires `user:email', instead and Auth0 requires 'profile', 'email', and 'openid'.
global: True
forcedType: "[]string"
helpLink: oidc.html
helpLink: oidc
pkce:
description: Set to 'force' if the OIDC provider does not support auto-detection of PKCE, but does support PKCE. Set to `never` to disable PKCE. The default setting automatically attempts to detect if PKCE is supported. The provider's `well-known/openid-configuration` JSON response must contain the `S256` algorithm within the `code_challenge_methods_supported` list in order for the auto-detection to correctly detect PKCE is supported.
global: True
forcedType: string
helpLink: oidc.html
helpLink: oidc
requested_claims:
id_token:
email:
essential:
description: Specifies whether the email claim is necessary. Typically leave this value set to true.
forcedType: bool
advanced: True
global: True
helpLink: oidc.html
helpLink: oidc
files:
oidc__jsonnet:
title: OIDC Claims Mapping
@@ -90,164 +93,169 @@ kratos:
advanced: True
file: True
global: True
helpLink: oidc.html
helpLink: oidc
config:
session:
lifespan:
description: Defines the length of a login session.
global: True
helpLink: kratos.html
helpLink: kratos
whoami:
required_aal:
description: Sets the Authenticator Assurance Level. Leave as default to ensure proper security protections remain in place.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos
selfservice:
methods:
password:
enabled:
enabled:
description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication. Some external tool interfaces may not be accessible if local password authentication is disabled.
forcedType: bool
global: True
advanced: True
helpLink: oidc.html
helpLink: oidc
config:
haveibeenpwned_enabled:
description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
forcedType: bool
global: True
helpLink: kratos.html
helpLink: kratos
totp:
enabled:
enabled:
description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
forcedType: bool
global: True
helpLink: kratos.html
helpLink: kratos
config:
issuer:
description: The name to show in the MFA authenticator app. Useful for differentiating between installations that share the same user email address.
global: True
helpLink: kratos.html
helpLink: kratos
webauthn:
enabled:
description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
forcedType: bool
global: True
helpLink: kratos.html
helpLink: kratos
config:
passwordless:
passwordless:
description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in.
forcedType: bool
global: True
helpLink: kratos.html
helpLink: kratos
rp:
id:
description: The internal identification used for registering new Security Keys. Leave as default to ensure Security Keys function properly.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos
origin:
description: The URL used to login to SOC. Leave as default to ensure Security Keys function properly.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos
display_name:
description: The name assigned to the security key. Note that URL_BASE is replaced with the hostname or IP address used to login to SOC, to help distinguish multiple Security Onion installations.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos
flows:
settings:
privileged_session_max_age:
description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change.
global: True
helpLink: kratos.html
helpLink: kratos
ui_url:
description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos
required_aal:
description: Sets the Authenticator Assurance Level for accessing user self-service profile and security settings. Leave as default to ensure proper security enforcement remains in place.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos
verification:
ui_url:
description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos
login:
ui_url:
description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos
lifespan:
description: Defines the duration that a login form will remain valid.
global: True
helpLink: kratos.html
helpLink: kratos
error:
ui_url:
description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos
registration:
ui_url:
description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos
default_browser_return_url:
description: Security Onion Console landing page URL. Leave as default to ensure proper operation.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos
allowed_return_urls:
description: Internal redirect URL. Leave as default to ensure proper operation.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos
log:
level:
description: Log level to use for Kratos logs.
global: True
helpLink: kratos.html
helpLink: kratos
format:
description: Log output format for Kratos logs.
global: True
helpLink: kratos.html
helpLink: kratos
secrets:
default:
description: Secret key used for protecting session cookie data. Generated during installation.
global: True
sensitive: True
advanced: True
helpLink: kratos.html
helpLink: kratos
serve:
public:
base_url:
description: User accessible URL for authenticating to Kratos. Leave as default for proper operation.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos
admin:
base_url:
description: User accessible URL for accessing Kratos administration API. Leave as default for proper operation.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos
hashers:
bcrypt:
cost:
description: Bcrypt hashing algorithm cost. Higher values consume more CPU and take longer to complete. Actual cost is computed as 2^X where X is the value in this setting.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos
courier:
smtp:
connection_uri:
description: SMTPS URL for sending outbound account-related emails. Not utilized with the standard Security Onion installation.
global: True
advanced: True
helpLink: kratos.html
helpLink: kratos

4
salt/logstash/config.sls
View File

@@ -36,10 +36,6 @@ logstash:
- gid: 931
- home: /opt/so/conf/logstash
lslibdir:
file.absent:
- name: /opt/so/conf/logstash/lib
logstash_sbin:
file.recurse:
- name: /usr/sbin

24
salt/logstash/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'logstash/map.jinja' import LOGSTASH_MERGED %}
{% from 'logstash/map.jinja' import LOGSTASH_NODES %}
{% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
@@ -32,7 +32,7 @@ so-logstash:
- name: so-logstash
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-logstash'].ip }}
- user: logstash
- extra_hosts:
{% for node in LOGSTASH_NODES %}
@@ -40,20 +40,20 @@ so-logstash:
- {{hostname}}:{{ip}}
{% endfor %}
{% endfor %}
{% if DOCKER.containers['so-logstash'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %}
{% if DOCKERMERGED.containers['so-logstash'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-logstash'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- environment:
- LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
{% if DOCKER.containers['so-logstash'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-logstash'].extra_env %}
{% if DOCKERMERGED.containers['so-logstash'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-logstash'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-logstash'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-logstash'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -91,11 +91,17 @@ so-logstash:
- /opt/so/log/fleet/:/osquery/logs:ro
- /opt/so/log/strelka:/strelka:ro
{% endif %}
{% if DOCKER.containers['so-logstash'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-logstash'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-logstash'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: lsetcsync
- file: trusttheca

25
salt/logstash/soc_logstash.yaml
View File

@@ -1,13 +1,14 @@
logstash:
enabled:
enabled:
description: Enables or disables the Logstash log event forwarding process. On most grid installations, when this process is disabled log events are unable to be ingested into the SOC backend.
helpLink: logstash.html
forcedType: bool
helpLink: logstash
assigned_pipelines:
roles:
standalone: &assigned_pipelines
description: List of defined pipelines to add to this role.
advanced: True
helpLink: logstash.html
helpLink: logstash
multiline: True
forcedType: "[]string"
duplicates: True
@@ -21,7 +22,7 @@ logstash:
receiver: &defined_pipelines
description: List of pipeline configurations assign to this group.
advanced: True
helpLink: logstash.html
helpLink: logstash
multiline: True
forcedType: "[]string"
duplicates: True
@@ -39,7 +40,7 @@ logstash:
advanced: True
multiline: True
forcedType: string
helpLink: logstash.html
helpLink: logstash
duplicates: True
custom002: *pipeline_config
custom003: *pipeline_config
@@ -53,35 +54,35 @@ logstash:
settings:
lsheap:
description: Heap size to use for logstash
helpLink: logstash.html
helpLink: logstash
global: False
config:
api_x_http_x_host:
description: Host interface to listen to connections.
helpLink: logstash.html
helpLink: logstash
readonly: True
advanced: True
path_x_logs:
description: Path inside the container to wrote logs.
helpLink: logstash.html
helpLink: logstash
readonly: True
advanced: True
pipeline_x_workers:
description: Number of worker threads to process events in logstash.
helpLink: logstash.html
helpLink: logstash
global: False
pipeline_x_batch_x_size:
description: Logstash batch size.
helpLink: logstash.html
helpLink: logstash
global: False
pipeline_x_ecs_compatibility:
description: Sets ECS compatibility. This is set per pipeline so you should never need to change this.
helpLink: logstash.html
helpLink: logstash
readonly: True
advanced: True
dmz_nodes:
description: "List of receiver nodes in DMZs. Prevents sensors from sending to these receivers. Primarily used for external Elastic agents."
helpLink: logstash.html
helpLink: logstash
multiline: True
advanced: True
forcedType: "[]string"

2
salt/manager/init.sls
View File

@@ -63,11 +63,9 @@ yara_log_dir:
- user
- group
{% if GLOBALS.os_family == 'RedHat' %}
install_createrepo:
pkg.installed:
- name: createrepo_c
{% endif %}
repo_conf_dir:
file.directory:

33
salt/manager/soc_manager.yaml
View File

@@ -2,81 +2,82 @@ manager:
reposync:
enabled:
description: This is the daily task of syncing the Security Onion OS packages. It is recommended that this setting remain enabled to ensure important updates are applied to the grid on an automated, scheduled basis.
forcedType: bool
global: True
helpLink: soup.html
helpLink: soup
hour:
description: The hour of the day in which the repo sync takes place.
global: True
helpLink: soup.html
helpLink: soup
minute:
description: The minute within the hour to run the repo sync.
global: True
helpLink: soup.html
helpLink: soup
elastalert:
description: Enable elastalert 1=enabled 0=disabled.
global: True
helpLink: elastalert.html
helpLink: elastalert
no_proxy:
description: String of hosts to ignore the proxy settings for.
global: True
helpLink: proxy.html
helpLink: proxy
proxy:
description: Proxy server to use for updates.
global: True
helpLink: proxy.html
helpLink: proxy
additionalCA:
description: Additional CA certificates to trust in PEM format.
global: True
advanced: True
multiline: True
forcedType: string
helpLink: proxy.html
helpLink: proxy
insecureSkipVerify:
description: Disable TLS verification for outgoing requests. This will make your installation less secure to MITM attacks. Recommended only for debugging purposes.
advanced: True
forcedType: bool
global: True
helpLink: proxy.html
helpLink: proxy
agent_monitoring:
enabled:
description: Enable monitoring elastic agents for health issues. Can be used to trigger an alert when a 'critical' agent hasn't checked in with fleet for longer than the configured offline threshold.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
forcedType: bool
config:
critical_agents:
description: List of 'critical' agents to log when they haven't checked in longer than the maximum allowed time. If there are no 'critical' agents specified all offline agents will be logged once they reach the offline threshold.
global: True
multiline: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
forcedType: "[]string"
custom_kquery:
description: For more granular control over what agents to monitor for offline|degraded status add a kquery here. It is recommended to create & test within Elastic Fleet first to ensure your agents are targeted correctly using the query. eg 'status:offline AND tags:INFRA'
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
forcedType: string
advanced: True
offline_threshold:
description: The maximum allowed time in hours a 'critical' agent has been offline before being logged.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
forcedType: int
realert_threshold:
description: The time to pass before another alert for an offline agent exceeding the offline_threshold is generated.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
forcedType: int
page_size:
description: The amount of agents that can be processed per API request to fleet.
global: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
forcedType: int
advanced: True
run_interval:
description: The time in minutes between checking fleet agent statuses.
global: True
advanced: True
helpLink: elastic-fleet.html
helpLink: elastic-fleet
forcedType: int
managed_integrations:
description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass
@@ -84,4 +85,4 @@ manager:
multiline: True
global: True
advanced: True
helpLink: elasticsearch.html
helpLink: elasticsearch

206
salt/manager/tools/sbin/soup
View File

@@ -383,6 +383,67 @@ check_minimum_version() {
### 3.0.0 Scripts ###
convert_suricata_yes_no() {
echo "Starting suricata yes/no values to true/false conversion."
local SURICATA_FILE=/opt/so/saltstack/local/pillar/suricata/soc_suricata.sls
local MINIONDIR=/opt/so/saltstack/local/pillar/minions
local pillar_files=()
[[ -f "$SURICATA_FILE" ]] && pillar_files+=("$SURICATA_FILE")
for suffix in _eval _heavynode _sensor _standalone; do
for f in "$MINIONDIR"/*${suffix}.sls; do
[[ -f "$f" ]] && pillar_files+=("$f")
done
done
for pillar_file in "${pillar_files[@]}"; do
echo "Checking $pillar_file for suricata yes/no values."
local yaml_output
yaml_output=$(so-yaml.py get -r "$pillar_file" suricata 2>/dev/null) || continue
local keys_to_fix
keys_to_fix=$(python3 -c "
import yaml, sys
def find(d, prefix=''):
if isinstance(d, dict):
for k, v in d.items():
path = f'{prefix}.{k}' if prefix else k
if isinstance(v, dict):
find(v, path)
elif isinstance(v, str) and v.lower() in ('yes', 'no'):
print(f'{path} {v.lower()}')
find(yaml.safe_load(sys.stdin) or {})
" <<< "$yaml_output") || continue
while IFS=' ' read -r key value; do
[[ -z "$key" ]] && continue
if [[ "$value" == "yes" ]]; then
echo "Replacing suricata.${key} yes -> true in $pillar_file"
so-yaml.py replace "$pillar_file" "suricata.${key}" true
else
echo "Replacing suricata.${key} no -> false in $pillar_file"
so-yaml.py replace "$pillar_file" "suricata.${key}" false
fi
done <<< "$keys_to_fix"
done
echo "Completed suricata yes/no conversion."
}
migrate_pcap_to_suricata() {
echo "Starting pillar pcap.enabled to suricata.pcap.enabled migration."
local MINIONDIR=/opt/so/saltstack/local/pillar/minions
local PCAPFILE=/opt/so/saltstack/local/pillar/pcap/soc_pcap.sls
for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
[[ -f "$pillar_file" ]] || continue
pcap_enabled=$(so-yaml.py get -r "$pillar_file" pcap.enabled 2>/dev/null) || continue
echo "Migrating pcap.enabled -> suricata.pcap.enabled in $pillar_file"
so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
so-yaml.py remove "$pillar_file" pcap
done
echo "Completed pcap.enabled to suricata.pcap.enabled pillar migration."
}
up_to_3.0.0() {
determine_elastic_agent_upgrade
migrate_pcap_to_suricata
@@ -390,20 +451,19 @@ up_to_3.0.0() {
INSTALLEDVERSION=3.0.0
}
migrate_pcap_to_suricata() {
local MINIONDIR=/opt/so/saltstack/local/pillar/minions
local PCAPFILE=/opt/so/saltstack/local/pillar/pcap/soc_pcap.sls
for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
[[ -f "$pillar_file" ]] || continue
pcap_enabled=$(so-yaml.py get -r "$pillar_file" pcap.enabled 2>/dev/null) || continue
so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
so-yaml.py remove "$pillar_file" pcap
done
}
post_to_3.0.0() {
echo "Nothing to apply"
for idx in "logs-idh-so" "logs-redis.log-default"; do
rollover_index "$idx"
done
# Remove ILM for so-case and so-detection indices
for idx in "so-case" "so-casehistory" "so-detection" "so-detectionhistory"; do
so-elasticsearch-query $idx/_ilm/remove -XPOST
done
# convert yes/no in suricata pillars to true/false
convert_suricata_yes_no
POSTVERSION=3.0.0
}
@@ -576,78 +636,46 @@ upgrade_check_salt() {
upgrade_salt() {
echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
echo ""
# If rhel family
if [[ $is_rpm ]]; then
# Check if salt-cloud is installed
if rpm -q salt-cloud &>/dev/null; then
SALT_CLOUD_INSTALLED=true
fi
# Check if salt-cloud is configured
if [[ -f /etc/salt/cloud.profiles.d/socloud.conf ]]; then
SALT_CLOUD_CONFIGURED=true
fi
echo "Removing yum versionlock for Salt."
echo ""
yum versionlock delete "salt"
yum versionlock delete "salt-minion"
yum versionlock delete "salt-master"
# Remove salt-cloud versionlock if installed
if [[ $SALT_CLOUD_INSTALLED == true ]]; then
yum versionlock delete "salt-cloud"
fi
echo "Updating Salt packages."
echo ""
set +e
# if oracle run with -r to ignore repos set by bootstrap
if [[ $OS == 'oracle' ]]; then
# Add -L flag only if salt-cloud is already installed
if [[ $SALT_CLOUD_INSTALLED == true ]]; then
run_check_net_err \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
"Could not update salt, please check $SOUP_LOG for details."
else
run_check_net_err \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
"Could not update salt, please check $SOUP_LOG for details."
fi
# if another rhel family variant we want to run without -r to allow the bootstrap script to manage repos
else
run_check_net_err \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
"Could not update salt, please check $SOUP_LOG for details."
fi
set -e
echo "Applying yum versionlock for Salt."
echo ""
yum versionlock add "salt-0:$NEWSALTVERSION-0.*"
yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
# Add salt-cloud versionlock if installed
if [[ $SALT_CLOUD_INSTALLED == true ]]; then
yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
fi
# Else do Ubuntu things
elif [[ $is_deb ]]; then
# ensure these files don't exist when upgrading from 3006.9 to 3006.16
rm -f /etc/apt/keyrings/salt-archive-keyring-2023.pgp /etc/apt/sources.list.d/salt.list
echo "Removing apt hold for Salt."
echo ""
apt-mark unhold "salt-common"
apt-mark unhold "salt-master"
apt-mark unhold "salt-minion"
echo "Updating Salt packages."
echo ""
set +e
# Check if salt-cloud is installed
if rpm -q salt-cloud &>/dev/null; then
SALT_CLOUD_INSTALLED=true
fi
# Check if salt-cloud is configured
if [[ -f /etc/salt/cloud.profiles.d/socloud.conf ]]; then
SALT_CLOUD_CONFIGURED=true
fi
echo "Removing yum versionlock for Salt."
echo ""
yum versionlock delete "salt"
yum versionlock delete "salt-minion"
yum versionlock delete "salt-master"
# Remove salt-cloud versionlock if installed
if [[ $SALT_CLOUD_INSTALLED == true ]]; then
yum versionlock delete "salt-cloud"
fi
echo "Updating Salt packages."
echo ""
set +e
# Run with -r to ignore repos set by bootstrap
if [[ $SALT_CLOUD_INSTALLED == true ]]; then
run_check_net_err \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
"Could not update salt, please check $SOUP_LOG for details."
set -e
echo "Applying apt hold for Salt."
echo ""
apt-mark hold "salt-common"
apt-mark hold "salt-master"
apt-mark hold "salt-minion"
else
run_check_net_err \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
"Could not update salt, please check $SOUP_LOG for details."
fi
set -e
echo "Applying yum versionlock for Salt."
echo ""
yum versionlock add "salt-0:$NEWSALTVERSION-0.*"
yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
# Add salt-cloud versionlock if installed
if [[ $SALT_CLOUD_INSTALLED == true ]]; then
yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
fi
echo "Checking if Salt was upgraded."
@@ -1084,6 +1112,10 @@ main() {
echo ""
set_os
if [[ ! $is_oracle ]]; then
fail "This OS is not supported. Security Onion requires Oracle Linux 9."
fi
check_salt_master_status 1 || fail "Could not talk to salt master: Please run 'systemctl status salt-master' to ensure the salt-master service is running and check the log at /opt/so/log/salt/master."
echo "Checking to see if this is a manager."
@@ -1193,14 +1225,6 @@ main() {
echo "Upgrading Salt"
# Update the repo files so it can actually upgrade
upgrade_salt
# for Debian based distro, we need to stop salt again after upgrade output below is from bootstrap-salt
# * WARN: Not starting daemons on Debian based distributions
# is not working mostly because starting them is the default behaviour.
if [[ $is_deb ]]; then
stop_salt_minion
stop_salt_master
fi
fi
preupgrade_changes

24
salt/nginx/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'nginx/map.jinja' import NGINXMERGED %}
include:
@@ -37,11 +37,11 @@ so-nginx:
- hostname: so-nginx
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers[container_config].ip }}
- ipv4_address: {{ DOCKERMERGED.containers[container_config].ip }}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKER.containers[container_config].extra_hosts %}
{% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %}
{% if DOCKERMERGED.containers[container_config].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers[container_config].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
@@ -64,20 +64,26 @@ so-nginx:
- /opt/so/rules/nids/suri:/surirules:ro
{% endif %}
{% endif %}
{% if DOCKER.containers[container_config].custom_bind_mounts %}
{% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
{% if DOCKERMERGED.containers[container_config].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers[container_config].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKER.containers[container_config].extra_env %}
{% if DOCKERMERGED.containers[container_config].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers[container_config].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers[container_config].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers[container_config].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- cap_add: NET_BIND_SERVICE
- port_bindings:
{% for BINDING in DOCKER.containers[container_config].port_bindings %}
{% for BINDING in DOCKERMERGED.containers[container_config].port_bindings %}
- {{ BINDING }}
{% endfor %}
- watch:

2
salt/nginx/etc/nginx.conf
View File

@@ -1,5 +1,5 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'docker/docker.map.jinja' import DOCKER %}
{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
{%- from 'nginx/map.jinja' import NGINXMERGED %}
{%- set role = grains.id.split('_') | last %}
{%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}

19
salt/nginx/soc_nginx.yaml
View File

@@ -1,12 +1,13 @@
nginx:
enabled:
enabled:
description: Enables or disables the Nginx web server and reverse proxy. WARNING - Disabling this process will prevent access to SOC and other important web interfaces and APIs. Re-enabling the process is a manual effort. Do not change this setting without instruction from Security Onion support.
forcedType: bool
advanced: True
helpLink: nginx.html
helpLink: nginx
external_suricata:
description: Enable this to allow external access to Suricata Rulesets managed by Detections.
advanced: True
helplink: nginx.html
helpLink: nginx
forcedType: bool
ssl:
replace_cert:
@@ -15,33 +16,33 @@ nginx:
advanced: True
forcedType: bool
title: Replace Default Cert
helpLink: nginx.html
helpLink: nginx
ssl__key:
description: If you enabled the replace_cert option, paste the contents of your .key file here.
file: True
title: SSL/TLS Key File
advanced: True
global: True
helpLink: nginx.html
helpLink: nginx
ssl__crt:
description: If you enabled the replace_cert option, paste the contents of your .crt file here.
file: True
title: SSL/TLS Cert File
advanced: True
global: True
helpLink: nginx.html
helpLink: nginx
alt_names:
description: Provide a list of alternate names to allow remote systems the ability to refer to the SOC API as another hostname.
global: True
forcedType: '[]string'
multiline: True
helpLink: nginx.html
helpLink: nginx
config:
throttle_login_burst:
description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow.
global: True
helpLink: nginx.html
helpLink: nginx
throttle_login_rate:
description: Number of login API requests per minute that can be processed without triggering a rate limit. Higher values allow more repeated login attempts. Requests are counted by unique client IP and averaged over time. Note that a single login flow will perform multiple requests to the login API, so this value will need to be adjusted accordingly.
global: True
helpLink: nginx.html
helpLink: nginx

5
salt/ntp/init.sls
View File

@@ -2,7 +2,6 @@
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'ntp/config.map.jinja' import NTPCONFIG %}
chrony_pkg:
@@ -17,11 +16,7 @@ chronyconf:
- defaults:
NTPCONFIG: {{ NTPCONFIG }}
{% if GLOBALS.os_family == 'RedHat' %}
chronyd:
{% else %}
chrony:
{% endif %}
service.running:
- enable: True
- watch:

2
salt/ntp/soc_ntp.yaml
View File

@@ -3,4 +3,4 @@ ntp:
servers:
description: NTP Server List
title: NTP Servers
helpLink: ntp.html
helpLink: ntp

15
salt/patch/soc_patch.yaml
View File

@@ -2,19 +2,20 @@ patch:
os:
enabled:
description: Enable OS updates. WARNING - Disabling this setting will prevent important operating system updates from being applied on a scheduled basis.
helpLink: soup.html
forcedType: bool
helpLink: soup
schedule_to_run:
description: Currently running schedule for updates.
helpLink: soup.html
helpLink: soup
schedules:
auto:
splay: &splayOptions
description: Seconds to splay updates.
helpLink: soup.html
helpLink: soup
schedule:
hours:
description: Run the OS updates every X hours.
helpLink: soup.html
helpLink: soup
monday:
splay: *splayOptions
schedule:
@@ -51,7 +52,7 @@ patch:
Monday: &dailyOptions
description: List of times to apply OS patches daily.
multiline: True
helpLink: soup.html
helpLink: soup
Tuesday: *dailyOptions
Wednesday: *dailyOptions
Thursday: *dailyOptions
@@ -64,7 +65,7 @@ patch:
Monday: &weekdayOptions
description: List of times for weekdays.
multiline: True
helpLink: soup.html
helpLink: soup
Tuesday: *weekdayOptions
Wednesday: *weekdayOptions
Thursday: *weekdayOptions
@@ -75,5 +76,5 @@ patch:
Saturday: &weekendOptions
description: List of times for weekend days.
multiline: true
helpLink: soup.html
helpLink: soup
Sunday: *weekendOptions

17
salt/podman/files/podman.service
View File

@@ -1,17 +0,0 @@
[Unit]
Description=Podman API Service
Requires=podman.socket
After=podman.socket
Documentation=man:podman-api(1)
StartLimitIntervalSec=0
[Service]
Type=oneshot
Environment=REGISTRIES_CONFIG_PATH=/etc/containers/registries.conf
ExecStart=/usr/bin/podman system service
TimeoutStopSec=30
KillMode=process
[Install]
WantedBy=multi-user.target
Also=podman.socket

10
salt/podman/files/podman.socket
View File

@@ -1,10 +0,0 @@
[Unit]
Description=Podman API Socket
Documentation=man:podman-api(1)
[Socket]
ListenStream=%t/podman/podman.sock
SocketMode=0660
[Install]
WantedBy=sockets.target

48
salt/podman/files/sobridge.conflist
View File

@@ -1,48 +0,0 @@
{
"args": {
"podman_options": {
"isolate": "true",
"mtu": "1500"
}
},
"cniVersion": "0.4.0",
"name": "sobridge",
"plugins": [
{
"type": "bridge",
"bridge": "sobridge",
"isGateway": true,
"ipMasq": false,
"mtu": 1500,
"hairpinMode": false,
"ipam": {
"type": "host-local",
"routes": [
{
"dst": "0.0.0.0/0"
}
],
"ranges": [
[
{
"subnet": "172.17.1.0/24",
"gateway": "172.17.1.1"
}
]
]
},
"capabilities": {
"ips": true
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": false
}
},
{
"type": "tuning"
}
]
}

56
salt/podman/init.sls
View File

@@ -1,56 +0,0 @@
{% from 'docker/docker.map.jinja' import DOCKER %}
Podman pkg:
pkg.installed:
- name: podman
cnipkg:
pkg.installed:
- name: containernetworking-plugins
{#
Podman service:
file.managed:
- name: /usr/lib/systemd/system/podman.service
- source: salt://podman/podman.service
#}
sobridgeconf:
file.managed:
- name: /etc/cni/net.d/sobridge.conflist
- source: salt://podman/files/sobridge.conflist
Podman_socket_service:
service.running:
- name: podman.socket
- enable: true
Podman_service:
service.running:
- name: podman.service
- enable: true
Docker socket:
file.symlink:
- name: /var/run/docker.sock
- target: /var/run/podman/podman.sock
podman_docker_symlink:
file.symlink:
- name: /usr/bin/docker
- target: /usr/bin/podman
{#
sos_docker_net:
docker_network.present:
- name: sobridge
- subnet: {{ DOCKER.range }}
- gateway: {{ DOCKER.bip }}
- options:
com.docker.network.bridge.name: 'sobridge'
com.docker.network.driver.mtu: '1500'
com.docker.network.bridge.enable_ip_masquerade: 'true'
com.docker.network.bridge.enable_icc: 'true'
com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
- unless: 'docker network ls | grep sobridge'
#}

24
salt/redis/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -21,9 +21,9 @@ so-redis:
- user: socore
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-redis'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-redis'].ip }}
- port_bindings:
{% for BINDING in DOCKER.containers['so-redis'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-redis'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -34,23 +34,29 @@ so-redis:
- /etc/pki/redis.crt:/certs/redis.crt:ro
- /etc/pki/redis.key:/certs/redis.key:ro
- /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
{% if DOCKER.containers['so-redis'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-redis'].extra_hosts %}
{% if DOCKERMERGED.containers['so-redis'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-redis'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-redis'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-redis'].extra_env %}
{% if DOCKERMERGED.containers['so-redis'].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-redis'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-redis'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-redis'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
- watch:
- file: trusttheca

117
salt/redis/soc_redis.yaml
View File

@@ -1,18 +1,19 @@
redis:
enabled:
enabled:
description: Enables the log event in-memory buffering process. This process might already be disabled on some installation types. Disabling this process on distributed-capable grids can result in loss of log events.
helpLink: redis.html
forcedType: bool
helpLink: redis
config:
bind:
description: The IP address to bind to.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
protected-mode:
description: Force authentication to access redis.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
requirepass:
description: Password for accessing Redis.
global: True
@@ -21,262 +22,262 @@ redis:
description: TLS cert file location.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
tls-key-file:
description: TLS key file location.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
tls-ca-cert-file:
description: TLS CA file location.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
tls-port:
description: Port to use TLS encryption on.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
tls-auth-clients:
description: Force TLS authentication.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
port:
description: Non TLS port for Redis access.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
tcp-backlog:
description: Set the TCP backlog value. This is normally increasd in high request environments.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
timeout:
description: Time in seconds to close an idle connection. 0 to disable.
global: True
helpLink: redis.html
helpLink: redis
tcp-keepalive:
description: Time in seconds to send a keepalive.
global: True
helpLink: redis.html
helpLink: redis
tls-replication:
description: Enable TLS replication links.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
tls-protocols:
description: List of acceptable TLS protocols separated by spaces.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
tls-prefer-server-ciphers:
description: Prefer the server side ciphers.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
tls-session-caching:
description: Enable TLS session caching.
global: True
helpLink: redis.html
helpLink: redis
tls-session-cache-size:
description: The number of TLS sessions to cache.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
tls-session-cache-timeout:
description: Timeout in seconds to cache TLS sessions.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
loglevel:
description: Log verbosity level.
global: True
helpLink: redis.html
helpLink: redis
logfile:
description: Log file name.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
syslog-enabled:
description: Enable syslog output.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
syslog-ident:
description: Set the syslog identity.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
syslog-facility:
description: Set the syslog facility.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
databases:
description: Total amount of databases.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
always-show-logo:
description: The amount of time that a write will wait before fsyncing.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
save:
'900':
description: Set the amount of keys that need to change to save after 15 minutes.
global: True
helpLink: redis.html
helpLink: redis
'300':
description: Set the amount of keys that need to change to save after 5 minutes.
global: True
helpLink: redis.html
helpLink: redis
'60':
description: Set the amount of keys that need to change to save after 1 minute
global: True
helpLink: redis.html
helpLink: redis
stop-writes-on-bgsave-error:
description: Stop writes to redis is there is an error with the save.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
rdbcompression:
description: Compress string objects with LZF.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
rdbchecksum:
description: Enable checksum of rdb files.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
dbfilename:
description: Filename of the rdb saves.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
acllog-max-len:
description: Maximum length of the ACL log.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
maxmemory:
description: Maximum memory for storing redis objects.
global: True
helpLink: redis.html
helpLink: redis
maxmemory-policy:
description: The policy to use when maxmemory is reached.
global: True
helpLink: redis.html
helpLink: redis
maxmemory-samples:
description: maxmemory sample size.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
lua-time-limit:
description: Maximum execution time of LUA scripts.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
slowlog-log-slower-than:
description: Time in microseconds to write to the slow log.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
slowlog-max-len:
description: Maximum size of the slow log.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
hash-max-ziplist-entries:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
hash-max-ziplist-value:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
list-max-ziplist-size:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
list-compress-depth:
description: Depth for list compression.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
set-max-intset-entries:
description: Sets the limit on the size of the set in order to use the special memory saving encoding.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
zset-max-ziplist-entries:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
zset-max-ziplist-value:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
hll-sparse-max-bytes:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
stream-node-max-bytes:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
stream-node-max-entries:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
activerehashing:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
client-output-buffer-limit:
normal:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
replica:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
pubsub:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
hz:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
dynamic-hz:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
rdb-save-incremental-fsync:
description: fsync redis data.
global: True
advanced: True
helpLink: redis.html
helpLink: redis
jemalloc-bg-thread:
description: Jemalloc background thread for purging.
global: True
advanced: True
helpLink: redis.html
helpLink: redis

24
salt/registry/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
include:
- registry.ssl
@@ -20,10 +20,10 @@ so-dockerregistry:
- hostname: so-registry
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-dockerregistry'].ip }}
- restart_policy: always
- port_bindings:
{% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-dockerregistry'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -32,25 +32,31 @@ so-dockerregistry:
- /nsm/docker-registry/docker:/var/lib/registry/docker:rw
- /etc/pki/registry.crt:/etc/pki/registry.crt:ro
- /etc/pki/registry.key:/etc/pki/registry.key:ro
{% if DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-dockerregistry'].extra_hosts %}
{% if DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-dockerregistry'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- client_timeout: 180
- environment:
- HOME=/root
{% if DOCKER.containers['so-dockerregistry'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-dockerregistry'].extra_env %}
{% if DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- retry:
attempts: 5
interval: 30

1
salt/registry/soc_registry.yaml
View File

@@ -1,4 +1,5 @@
registry:
enabled:
description: Enables or disables the Docker registry on the manager node. WARNING - If this process is disabled the grid will malfunction and a manual effort may be needed to re-enable the setting.
forcedType: bool
advanced: True

72
salt/repo/client/map.jinja
View File

@@ -1,43 +1,29 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if GLOBALS.os_family == 'RedHat' %}
{% set REPOPATH = '/etc/yum.repos.d/' %}
{% if GLOBALS.os == 'OEL' %}
{% set ABSENTFILES = [
'centos-addons.repo',
'centos-devel.repo',
'centos-extras.repo',
'centos.repo',
'docker-ce.repo',
'epel.repo',
'epel-testing.repo',
'saltstack.repo',
'salt-latest.repo',
'wazuh.repo'
'Rocky-Base.repo',
'Rocky-CR.repo',
'Rocky-Debuginfo.repo',
'Rocky-fasttrack.repo',
'Rocky-Media.repo',
'Rocky-Sources.repo',
'Rocky-Vault.repo',
'Rocky-x86_64-kernel.repo',
'rocky-addons.repo',
'rocky-devel.repo',
'rocky-extras.repo',
'rocky.repo',
'oracle-linux-ol9.repo',
'uek-ol9.repo',
'virt-ol9.repo'
]
%}
{% else %}
{% set ABSENTFILES = [] %}
{% endif %}
{% else %}
{% set REPOPATH = '/etc/apt/sources.list.d/' %}
{% set ABSENTFILES = [] %}
{% endif %}
{% set REPOPATH = '/etc/yum.repos.d/' %}
{% set ABSENTFILES = [
'centos-addons.repo',
'centos-devel.repo',
'centos-extras.repo',
'centos.repo',
'docker-ce.repo',
'epel.repo',
'epel-testing.repo',
'saltstack.repo',
'salt-latest.repo',
'wazuh.repo'
'Rocky-Base.repo',
'Rocky-CR.repo',
'Rocky-Debuginfo.repo',
'Rocky-fasttrack.repo',
'Rocky-Media.repo',
'Rocky-Sources.repo',
'Rocky-Vault.repo',
'Rocky-x86_64-kernel.repo',
'rocky-addons.repo',
'rocky-devel.repo',
'rocky-extras.repo',
'rocky.repo',
'oracle-linux-ol9.repo',
'uek-ol9.repo',
'virt-ol9.repo'
]
%}

7
salt/salt/init.sls
View File

@@ -1,10 +1,3 @@
{% if grains.oscodename == 'focal' %}
saltpymodules:
pkg.installed:
- pkgs:
- python3-docker
{% endif %}
# distribute to minions for salt upgrades
salt_bootstrap:
file.managed:

18
salt/salt/map.jinja
View File

@@ -17,22 +17,12 @@
{% set SALTVERSION = saltminion.salt.minion.version | string %}
{% set INSTALLEDSALTVERSION = grains.saltversion | string %}
{% if grains.os_family == 'Debian' %}
{% set SPLITCHAR = '+' %}
{% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion', 'salt-cloud'] %}
{% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
{% else %}
{% set SPLITCHAR = '-' %}
{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
{% endif %}
{% set SPLITCHAR = '-' %}
{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
{% if INSTALLEDSALTVERSION != SALTVERSION %}
{% if grains.os_family|lower == 'redhat' %}
{% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
{% elif grains.os_family|lower == 'debian' %}
{% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -F stable ' ~ SALTVERSION %}
{% endif %}
{% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
{% else %}
{% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
{% endif %}

9
salt/salt/master.sls
View File

@@ -23,15 +23,6 @@ sync_runners:
- name: saltutil.sync_runners
{% endif %}
# prior to 2.4.30 this engine ran on the manager with salt-minion
# this has changed to running with the salt-master in 2.4.30
remove_engines_config:
file.absent:
- name: /etc/salt/minion.d/engines.conf
- source: salt://salt/files/engines.conf
- watch_in:
- service: salt_minion_service
checkmine_engine:
file.managed:
- name: /etc/salt/engines/checkmine.py

6
salt/sensor/soc_sensor.yaml
View File

@@ -1,15 +1,15 @@
sensor:
interface:
description: Main sensor monitoring interface.
helpLink: network.html
helpLink: network-visibility
readonly: True
mtu:
description: Maximum Transmission Unit (MTU) of the sensor monitoring interface.
helpLink: network.html
helpLink: network-visibility
readonly: True
channels:
description: Set the size of the nic channels. This is rarely changed from 1
helpLink: network.html
helpLink: network-visibility
forcedType: int
node: True
advanced: True

20
salt/sensoroni/enabled.sls
View File

@@ -4,7 +4,7 @@
# Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
include:
@@ -23,23 +23,29 @@ so-sensoroni:
- /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
- /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
- /nsm/suripcap/:/nsm/suripcap:rw
{% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-sensoroni'].extra_hosts %}
{% if DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-sensoroni'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-sensoroni'].extra_env %}
{% if DOCKERMERGED.containers['so-sensoroni'].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-sensoroni'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-sensoroni'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-sensoroni'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: /opt/so/conf/sensoroni/sensoroni.json
- require:

134
salt/sensoroni/soc_sensoroni.yaml
View File

@@ -1,80 +1,82 @@
sensoroni:
enabled:
description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid.
forcedType: bool
advanced: True
helpLink: grid.html
helpLink: grid
config:
analyze:
enabled:
description: Enable or disable the analyzer.
forcedType: bool
advanced: True
helpLink: cases.html
helpLink: cases
timeout_ms:
description: Timeout period for the analyzer.
advanced: True
helpLink: cases.html
helpLink: cases
parallel_limit:
description: Parallel limit for the analyzer.
advanced: True
helpLink: cases.html
helpLink: cases
export:
timeout_ms:
description: Timeout period for the exporter to finish export-related tasks.
advanced: True
helpLink: reports.html
helpLink: reports
cache_refresh_interval_ms:
description: Refresh interval for cache updates. Longer intervals result in less compute usage but risks stale data included in reports.
advanced: True
helpLink: reports.html
helpLink: reports
export_metric_limit:
description: Maximum number of metric values to include in each metric aggregation group.
advanced: True
helpLink: reports.html
helpLink: reports
export_event_limit:
description: Maximum number of events to include per event list.
advanced: True
helpLink: reports.html
helpLink: reports
csv_separator:
description: Separator character to use for CSV exports.
advanced: False
helpLink: reports.html
helpLink: reports
node_checkin_interval_ms:
description: Interval in ms to checkin to the soc_host.
advanced: True
helpLink: grid.html
helpLink: grid
node_description:
description: Description of the specific node.
helpLink: grid.html
helpLink: grid
node: True
forcedType: string
sensoronikey:
description: Shared key for sensoroni authentication.
helpLink: grid.html
helpLink: grid
global: True
sensitive: True
advanced: True
soc_host:
description: Host for sensoroni agents to connect to.
helpLink: grid.html
helpLink: grid
global: True
advanced: True
suripcap:
pcapMaxCount:
description: The maximum number of PCAP packets to extract from eligible PCAP files, for PCAP jobs. If there are issues fetching excessively large packet streams consider lowering this value to reduce the number of collected packets returned to the user interface.
helpLink: sensoroni.html
helpLink: pcap
advanced: True
analyzers:
echotrail:
api_key:
description: API key for the Echotrail analyzer.
helpLink: sensoroni.html
helpLink: cases#configuring-analyzers
global: False
sensitive: True
advanced: False
forcedType: string
base_url:
description: Base URL for the Echotrail analyzer.
helpLink: sensoroni.html
helpLink: cases#configuring-analyzers
global: False
sensitive: False
advanced: False
@@ -82,70 +84,70 @@ sensoroni:
elasticsearch:
api_key:
description: API key for the Elasticsearch analyzer.
helpLink: sensoroni.html
helpLink: cases#configuring-analyzers
global: False
sensitive: True
advanced: True
forcedType: string
base_url:
description: Connection URL for the Elasticsearch analyzer.
helpLink: sensoroni.html
helpLink: cases#configuring-analyzers
global: False
sensitive: False
advanced: False
forcedType: string
auth_user:
description: Username for the Elasticsearch analyzer.
helpLink: sensoroni.html
helpLink: cases#configuring-analyzers
global: False
sensitive: False
advanced: False
forcedType: string
auth_pwd:
description: User password for the Elasticsearch analyzer.
helpLink: sensoroni.html
helpLink: cases#configuring-analyzers
global: False
sensitive: True
advanced: False
forcedType: string
num_results:
description: Number of documents to return for the Elasticsearch analyzer.
helpLink: sensoroni.html
helpLink: cases#configuring-analyzers
global: False
sensitive: False
advanced: True
forcedType: string
index:
description: Search index for the Elasticsearch analyzer.
helpLink: sensoroni.html
helpLink: cases#configuring-analyzers
global: False
sensitive: False
advanced: False
forcedType: string
time_delta_minutes:
description: Time (in minutes) to search back for the Elasticsearch analyzer.
helpLink: sensoroni.html
helpLink: cases#configuring-analyzers
global: False
sensitive: False
advanced: True
forcedType: int
timestamp_field_name:
description: Specified name for a documents' timestamp field for the Elasticsearch analyzer.
helpLink: sensoroni.html
helpLink: cases#configuring-analyzers
global: False
sensitive: False
advanced: True
forcedType: string
map:
description: Map between observable types and search field for the Elasticsearch analyzer.
helpLink: sensoroni.html
helpLink: cases#configuring-analyzers
global: False
sensitive: False
advanced: False
forcedType: string
cert_path:
description: Path to a TLS certificate for the Elasticsearch analyzer.
helpLink: sensoroni.html
helpLink: cases#configuring-analyzers
global: False
sensitive: False
advanced: False
@@ -153,14 +155,14 @@ sensoroni:
emailrep:
api_key:
description: API key for the EmailRep analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: True
advanced: True
forcedType: string
base_url:
description: Base URL for the EmailRep analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
@@ -168,21 +170,21 @@ sensoroni:
greynoise:
api_key:
description: API key for the GreyNoise analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: True
advanced: True
forcedType: string
api_version:
description: API version for the GreyNoise analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
forcedType: string
base_url:
description: Base URL for the GreyNoise analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
@@ -190,7 +192,7 @@ sensoroni:
localfile:
file_path:
description: File path for the LocalFile analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
@@ -198,7 +200,7 @@ sensoroni:
malwarebazaar:
api_key:
description: API key for the malwarebazaar analyzer.
helpLink: sensoroni.html
helpLink: cases#configuring-analyzers
global: False
sensitive: True
advanced: False
@@ -206,14 +208,14 @@ sensoroni:
otx:
api_key:
description: API key for the OTX analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: True
advanced: True
forcedType: string
base_url:
description: Base URL for the OTX analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
@@ -221,14 +223,14 @@ sensoroni:
pulsedive:
api_key:
description: API key for the Pulsedive analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: True
advanced: True
forcedType: string
base_url:
description: Base URL for the Pulsedive analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
@@ -236,14 +238,14 @@ sensoroni:
spamhaus:
lookup_host:
description: Host to use for lookups.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
forcedType: string
nameservers:
description: Nameservers used for queries.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
multiline: True
@@ -252,35 +254,35 @@ sensoroni:
sublime_platform:
api_key:
description: API key for the Sublime Platform analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: True
advanced: True
forcedType: string
base_url:
description: Base URL for the Sublime Platform analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
forcedType: string
live_flow:
description: Determines if live flow analysis is used.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
forcedType: bool
mailbox_email_address:
description: Source mailbox address used for live flow analysis.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
forcedType: string
message_source_id:
description: ID of the message source used for live flow analysis.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
@@ -288,7 +290,7 @@ sensoroni:
threatfox:
api_key:
description: API key for the threatfox analyzer.
helpLink: sensoroni.html
helpLink: cases#configuring-analyzers
global: False
sensitive: True
advanced: False
@@ -296,35 +298,35 @@ sensoroni:
urlscan:
api_key:
description: API key for the Urlscan analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: True
advanced: True
forcedType: string
base_url:
description: Base URL for the Urlscan analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
forcedType: string
enabled:
description: Analyzer enabled
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
forcedType: bool
timeout:
description: Timeout for the Urlscan analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
forcedType: int
visibility:
description: Type of visibility.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
@@ -332,7 +334,7 @@ sensoroni:
urlhaus:
api_key:
description: API key for the urlhaus analyzer.
helpLink: sensoroni.html
helpLink: cases#configuring-analyzers
global: False
sensitive: True
advanced: False
@@ -340,14 +342,14 @@ sensoroni:
virustotal:
api_key:
description: API key for the VirusTotal analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: True
advanced: True
forcedType: string
base_url:
description: Base URL for the VirusTotal analyzer.
helpLink: cases.html
helpLink: cases
global: False
sensitive: False
advanced: True
@@ -362,21 +364,21 @@ sensoroni:
file: True
global: True
syntax: md
helpLink: reports.html
helpLink: reports
productivity_report__md:
title: Productivity Report Template
description: The template used when generating a comprehensive productivity report. Supports markdown format.
file: True
global: True
syntax: md
helpLink: reports.html
helpLink: reports
assistant_session_report__md:
title: Assistant Session Report Template
description: The template used when generating an assistant session report. Supports markdown format.
file: True
global: True
syntax: md
helplink: reports.html
helpLink: reports
custom:
generic_report1__md:
title: Custom Report 1
@@ -384,63 +386,63 @@ sensoroni:
file: True
global: True
syntax: md
helpLink: reports.html
helpLink: reports
generic_report2__md:
title: Custom Report 2
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
helpLink: reports
generic_report3__md:
title: Custom Report 3
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
helpLink: reports
generic_report4__md:
title: Custom Report 4
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
helpLink: reports
generic_report5__md:
title: Custom Report 5
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
helpLink: reports
generic_report6__md:
title: Custom Report 6
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
helpLink: reports
generic_report7__md:
title: Custom Report 7
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
helpLink: reports
generic_report8__md:
title: Custom Report 8
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
helpLink: reports
generic_report9__md:
title: Custom Report 9
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
helpLink: reports
addl_generic_report__md:
title: Additional Custom Report
description: A duplicatable custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. This is an unsupported feature due to the inability to edit duplicated reports via the SOC app.
@@ -449,4 +451,4 @@ sensoroni:
global: True
syntax: md
duplicates: True
helpLink: reports.html
helpLink: reports

4
salt/soc/defaults.map.jinja
View File

@@ -5,7 +5,7 @@
{% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER -%}
{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
{% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
{% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
@@ -32,7 +32,7 @@
{% endif %}
{% endfor %}
{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
{% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
{% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %}

4
salt/soc/defaults.yaml
View File

@@ -1679,8 +1679,8 @@ soc:
client:
docsUrl: /docs/
cheatsheetUrl: /docs/cheatsheet.pdf
releaseNotesUrl: /docs/release-notes.html
apiTimeoutMs: 300000
releaseNotesUrl: /docs/release-notes
apiTimeoutMs:
webSocketTimeoutMs: 15000
tipTimeoutMs: 6000
cacheExpirationMs: 300000

20
salt/soc/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
{% from 'soc/merged.map.jinja' import SOCMERGED %}
@@ -22,7 +22,7 @@ so-soc:
- name: so-soc
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-soc'].ip }}
- binds:
- /nsm/rules:/nsm/rules:rw
- /opt/so/conf/strelka:/opt/sensoroni/yara:rw
@@ -63,21 +63,27 @@ so-soc:
- {{hostname}}:{{ip}}
{% endfor %}
{% endfor %}
{% if DOCKER.containers['so-soc'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %}
{% if DOCKERMERGED.containers['so-soc'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-soc'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-soc'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKER.containers['so-soc'].extra_env %}
{% if DOCKERMERGED.containers['so-soc'].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-soc'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-soc'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-soc'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-soc'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: trusttheca
- file: /opt/so/conf/soc/*

2
salt/soc/files/soc/motd.md
View File

@@ -18,7 +18,7 @@ For more coverage of your enterprise, you can deploy the Elastic Agent to endpoi
## What's New
To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes.html) link.
To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes) link.
## Security Onion Pro

75
salt/soc/soc_soc.yaml
View File

@@ -1,12 +1,13 @@
soc:
enabled:
description: Enables or disables SOC. WARNING - Disabling this setting is unsupported and will cause the grid to malfunction. Re-enabling this setting is a manual effort via SSH.
forcedType: bool
advanced: True
telemetryEnabled:
title: SOC Telemetry
description: When this setting is enabled and the grid is not in airgap mode, SOC will provide feature usage data to the Security Onion development team via Google Analytics. This data helps Security Onion developers determine which product features are being used and can also provide insight into improving the user interface. When changing this setting, wait for the grid to fully synchronize and then perform a hard browser refresh on SOC, to force the browser cache to update and reflect the new setting.
global: True
helpLink: telemetry.html
helpLink: telemetry
files:
soc:
banner__md:
@@ -15,28 +16,28 @@ soc:
file: True
global: True
syntax: md
helpLink: soc-customization.html
helpLink: security-onion-console-customization
motd__md:
title: Overview Page
description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the user's browser.
file: True
global: True
syntax: md
helpLink: soc-customization.html
helpLink: security-onion-console-customization
custom__js:
title: Custom Javascript
description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades.
file: True
global: True
advanced: True
helpLink: soc-customization.html
helpLink: security-onion-console-customization
custom_roles:
title: Custom Roles
description: Customize role and permission mappings. Changing this setting requires a complete understanding of the SOC RBAC system.
file: True
global: True
advanced: True
helpLink: soc-customization.html
helpLink: security-onion-console-customization
sigma_final_pipeline__yaml:
title: Final Sigma Pipeline
description: Final Processing Pipeline for Sigma Rules.
@@ -44,7 +45,7 @@ soc:
file: True
global: True
advanced: True
helpLink: soc-customization.html
helpLink: security-onion-console-customization
config:
licenseKey:
title: License Key
@@ -183,7 +184,7 @@ soc:
enableReverseLookup:
description: "Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. To add your own local lookups, create a CSV file at /nsm/custom-mappings/ip-descriptions.csv on your Manager and populate the file with IP addresses and descriptions as follows: IP, Description. Elasticsearch will then ingest the CSV during the next high state."
global: True
helpLink: soc-customization.html#reverse-dns
helpLink: security-onion-console-customization#reverse-dns
modules:
elastalertengine:
aiRepoUrl:
@@ -205,7 +206,7 @@ soc:
title: "Notifications: Sev 0/Default Alerters"
description: "Specify default alerters to enable for outbound notifications. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
global: True
helpLink: notifications.html
helpLink: notifications
forcedType: "[]string"
multiline: True
additionalSev0AlertersParams:
@@ -214,14 +215,14 @@ soc:
global: True
multiline: True
syntax: yaml
helpLink: notifications.html
helpLink: notifications
forcedType: string
jinjaEscaped: True
additionalSev1Alerters:
title: "Notifications: Sev 1/Informational Alerters"
description: "Specify specific alerters to use when alerting at the info severity level or higher. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
global: True
helpLink: notifications.html
helpLink: notifications
forcedType: "[]string"
multiline: True
additionalSev1AlertersParams:
@@ -230,14 +231,14 @@ soc:
global: True
multiline: True
syntax: yaml
helpLink: notifications.html
helpLink: notifications
forcedType: string
jinjaEscaped: True
additionalSev2Alerters:
title: "Notifications: Sev 2/Low Alerters"
description: "Specify specific alerters to use when alerting at the low severity level or higher. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
global: True
helpLink: notifications.html
helpLink: notifications
forcedType: "[]string"
multiline: True
additionalSev2AlertersParams:
@@ -246,14 +247,14 @@ soc:
global: True
multiline: True
syntax: yaml
helpLink: notifications.html
helpLink: notifications
forcedType: string
jinjaEscaped: True
additionalSev3Alerters:
title: "Notifications: Sev 3/Medium Alerters"
description: "Specify specific alerters to use when alerting at the medium severity level or higher. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
global: True
helpLink: notifications.html
helpLink: notifications
forcedType: "[]string"
multiline: True
additionalSev3AlertersParams:
@@ -262,14 +263,14 @@ soc:
global: True
multiline: True
syntax: yaml
helpLink: notifications.html
helpLink: notifications
forcedType: string
jinjaEscaped: True
additionalSev4Alerters:
title: "Notifications: Sev 4/High Alerters"
description: "Specify specific alerters to use when alerting at the high severity level or critical severity level. These alerters will be used unless overridden by critical severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
global: True
helpLink: notifications.html
helpLink: notifications
forcedType: "[]string"
multiline: True
additionalSev4AlertersParams:
@@ -278,14 +279,14 @@ soc:
global: True
multiline: True
syntax: yaml
helpLink: notifications.html
helpLink: notifications
forcedType: string
jinjaEscaped: True
additionalSev5Alerters:
title: "Notifications: Sev 5/Critical Alerters"
description: "Specify specific alerters to use when alerting at the critical severity level. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
global: True
helpLink: notifications.html
helpLink: notifications
forcedType: "[]string"
multiline: True
additionalSev5AlertersParams:
@@ -294,14 +295,14 @@ soc:
global: True
multiline: True
syntax: yaml
helpLink: notifications.html
helpLink: notifications
forcedType: string
jinjaEscaped: True
additionalUserDefinedNotifications:
customAlerters:
description: "Specify custom notification alerters to use when the Sigma rule contains the following tag: so.alerters.customAlerters. This setting can be duplicated to create new custom alerter configurations. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
global: True
helpLink: notifications.html
helpLink: notifications
forcedType: "[]string"
duplicates: True
multiline: True
@@ -310,7 +311,7 @@ soc:
global: True
multiline: True
syntax: yaml
helpLink: notifications.html
helpLink: notifications
duplicates: True
forcedType: string
jinjaEscaped: True
@@ -318,7 +319,7 @@ soc:
default: &enabledSigmaRules
description: 'Sigma rules to automatically enable on initial import. The format is a YAML list, with the ability to filter for ruleset, level, product, category and service. Refer to the documentation for further details. These will be applied based on role if defined and default if not.'
global: True
helpLink: sigma.html
helpLink: sigma
multiline: True
syntax: yaml
forcedType: string
@@ -330,7 +331,7 @@ soc:
description: 'DEPRECATED: Will be removed in a future release - use enabledSigmaRules instead.'
global: True
advanced: True
helpLink: sigma.html
helpLink: sigma
so-eval: *autoEnabledSigmaRules
so-import: *autoEnabledSigmaRules
autoUpdateEnabled:
@@ -341,7 +342,7 @@ soc:
description: 'How often to check for new Sigma rules (in seconds). This applies to both Community Rule Packages and any configured Git repos.'
global: True
advanced: True
helpLink: sigma.html
helpLink: sigma
integrityCheckFrequencySeconds:
description: 'How often the ElastAlert integrity checker runs (in seconds). This verifies the integrity of deployed rules.'
global: True
@@ -352,7 +353,7 @@ soc:
global: True
advanced: True
forcedType: "[]{}"
helpLink: sigma.html
helpLink: sigma
syntax: json
uiElements:
- field: rulesetName
@@ -375,7 +376,7 @@ soc:
description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). Once you have changed the ruleset here, the new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by nagivating to Detections --> Options dropdown menu --> Elastalert --> Full Update. WARNING! Changing the ruleset will remove all existing non-overlapping Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.'
global: True
advanced: False
helpLink: sigma.html
helpLink: sigma
elastic:
index:
description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.
@@ -484,12 +485,12 @@ soc:
description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
global: True
advanced: True
helpLink: sigma.html
helpLink: sigma
communityRulesImportFrequencySeconds:
description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.'
global: True
advanced: True
helpLink: yara.html
helpLink: yara
integrityCheckFrequencySeconds:
description: 'How often the Strelka integrity checker runs (in seconds). This verifies the integrity of deployed rules.'
global: True
@@ -500,7 +501,7 @@ soc:
global: True
advanced: True
forcedType: "[]{}"
helpLink: yara.html
helpLink: yara
syntax: json
uiElements:
- field: rulesetName
@@ -543,7 +544,7 @@ soc:
description: 'How often to check for new Suricata rules (in seconds).'
global: True
advanced: True
helpLink: suricata.html
helpLink: suricata
disableRegex:
description: A list of regular expressions used to automatically disable rules that match any of them. Each regular expression is tested against the rule's content.
global: True
@@ -562,20 +563,20 @@ soc:
advanced: True
forcedType: "[]{}"
readonly: True
helpLink: suricata.html
helpLink: suricata
ignoredSidRanges:
description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI. Each line should contain 1 range in the format "1100000-1200000". The ranges are treated as inclusive.'
global: True
advanced: True
forcedType: "[]string"
helpLink: detections.html#rule-engine-status
helpLink: detections#rule-engine-status
rulesetSources:
default: &serulesetSources
description: "Ruleset sources for Suricata rules. Supports URL downloads and local directories. Refer to the linked documentation for details on how to configure this setting."
global: True
advanced: False
forcedType: "[]{}"
helpLink: suricata.html
helpLink: suricata
syntax: json
uiElements:
- field: name
@@ -631,11 +632,11 @@ soc:
intervalMinutes:
description: How often to generate the Navigator Layers. (minutes)
global: True
helpLink: attack-navigator.html
helpLink: attack-navigator
lookbackDays:
description: How far back to search for ATT&CK-tagged alerts. (days)
global: True
helpLink: attack-navigator.html
helpLink: attack-navigator
playbook:
playbookRepos:
default: &pbRepos
@@ -670,7 +671,7 @@ soc:
global: True
advanced: True
forcedType: "[]{}"
helpLink: assistant.html
helpLink: onion-ai
syntax: json
uiElements:
- field: name
@@ -735,7 +736,7 @@ soc:
global: True
advanced: True
forcedType: "[]{}"
helpLink: assistant.html
helpLink: onion-ai
syntax: json
uiElements:
- field: id

22
salt/strelka/backend/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,29 +18,35 @@ strelka_backend:
- binds:
- /opt/so/conf/strelka/backend/:/etc/strelka/:ro
- /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro
{% if DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- name: so-strelka-backend
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-backend'].ip }}
- command: strelka-backend
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-strelka-backend'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-backend'].extra_hosts %}
{% if DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-strelka-backend'].extra_env %}
{% if DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-strelka-backend'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- restart_policy: on-failure
- watch:
- file: strelkasensorcompiledrules

24
salt/strelka/coordinator/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,32 +18,38 @@ strelka_coordinator:
- name: so-strelka-coordinator
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-coordinator'].ip }}
- entrypoint: redis-server --save "" --appendonly no
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
{% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-strelka-coordinator'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKER.containers['so-strelka-coordinator'].extra_env %}
{% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-strelka-coordinator'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
- binds:
- /nsm/strelka/coord-redis-data:/data:rw
{% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
delete_so-strelka-coordinator_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf

7
salt/strelka/filestream/config.sls
View File

@@ -47,12 +47,6 @@ filestream_config:
FILESTREAMCONFIG: {{ STRELKAMERGED.filestream.config }}
# Filecheck Section
{% if GLOBALS.os_family == 'Debian' %}
install_watchdog:
pkg.installed:
- name: python3-watchdog
{% elif GLOBALS.os_family == 'RedHat' %}
remove_old_watchdog:
pkg.removed:
- name: python3-watchdog
@@ -60,7 +54,6 @@ remove_old_watchdog:
install_watchdog:
pkg.installed:
- name: securityonion-python39-watchdog
{% endif %}
filecheck_logdir:
file.directory:

22
salt/strelka/filestream/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,29 +18,35 @@ strelka_filestream:
- binds:
- /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
- /nsm/strelka:/nsm/strelka
{% if DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- name: so-strelka-filestream
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-filestream'].ip }}
- command: strelka-filestream
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-strelka-filestream'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-filestream'].extra_hosts %}
{% if DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-strelka-filestream'].extra_env %}
{% if DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-strelka-filestream'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: filestream_config

24
salt/strelka/frontend/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,8 +18,8 @@ strelka_frontend:
- binds:
- /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
- /nsm/strelka/log/:/var/log/strelka/:rw
{% if DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
@@ -27,25 +27,31 @@ strelka_frontend:
- name: so-strelka-frontend
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-frontend'].ip }}
- command: strelka-frontend
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-strelka-frontend'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-frontend'].extra_hosts %}
{% if DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-strelka-frontend'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKER.containers['so-strelka-frontend'].extra_env %}
{% if DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-strelka-frontend'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: frontend_config

26
salt/strelka/gatekeeper/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,32 +18,38 @@ strelka_gatekeeper:
- name: so-strelka-gatekeeper
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-gatekeeper'].ip }}
- entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
{% for BINDING in DOCKERMERGED.containers['so-strelka-gatekeeper'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
- /nsm/strelka/gk-redis-data:/data:rw
{% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
delete_so-strelka-gatekeeper_so-status.disabled:
file.uncomment:

22
salt/strelka/manager/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -17,29 +17,35 @@ strelka_manager:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
- binds:
- /opt/so/conf/strelka/manager/:/etc/strelka/:ro
{% if DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- name: so-strelka-manager
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-manager'].ip }}
- command: strelka-manager
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-strelka-manager'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-manager'].extra_hosts %}
{% if DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-strelka-manager'].extra_env %}
{% if DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
- environment:
{% for XTRAENV in DOCKER.containers['so-strelka-manager'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:
- file: manager_config

191
salt/strelka/soc_strelka.yaml
View File

@@ -1,74 +1,75 @@
strelka:
backend:
enabled:
enabled:
description: Enables or disables the Strelka file analysis process.
helpLink: strelka.html
forcedType: bool
helpLink: strelka
config:
backend:
logging_cfg:
description: Path to the Python logging configuration.
readonly: True
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
limits:
max_files:
description: Number of files the backend will process before shutting down.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
time_to_live:
description: Amount of time (in seconds) that the backend will run before shutting down (0 to disable).
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
max_depth:
description: Maximum depth that extracted files will be processed by the backend.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
distribution:
description: Amount of time (in seconds) that a single file can be distributed to all scanners.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
scanner:
description: Amount of time (in seconds) that a scanner can spend scanning a file (can be overridden per scanner).
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
coordinator:
addr:
description: Network address of the coordinator.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
db:
description: Redis database of the coordinator.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
tasting:
mime_db:
description: Location of the MIME database used to taste files.
readonly: True
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
yara_rules:
description: Location of the directory of YARA files that contains rules used to taste files.
readonly: True
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
scanners:
'ScanBase64PE': &scannerOptions
description: Configuration options for this scanner.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
forcedType: "[]{}"
syntax: json
@@ -139,7 +140,7 @@ strelka:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
formatters:
simple:
@@ -147,13 +148,13 @@ strelka:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
datefmt:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
handlers:
console:
@@ -161,32 +162,32 @@ strelka:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
formatter:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
stream:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
root:
level:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
handlers:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
loggers:
OpenSSL:
@@ -194,425 +195,433 @@ strelka:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
bs4:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
bz2:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
chardet:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
docx:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
elftools:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
email:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
entropy:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
esprima:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
gzip:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
hashlib:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
json:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
libarchive:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
lxml:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
lzma:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
macholibre:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
olefile:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
oletools:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
pdfminer:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
pefile:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
pgpdump:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
pygments:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
pylzma:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
rarfile:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
requests:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
rpmfile:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
ssdeep:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
tarfile:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
tnefparse:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
yara:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
zipfile:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
zlib:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
passwords:
description: Passwords that will be stored in the password_file used in scanner options.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
multiline: True
filestream:
enabled:
enabled:
description: You can enable or disable Strelka filestream.
helpLink: strelka.html
forcedType: bool
helpLink: strelka
config:
conn:
server:
description: Network address of the frontend server.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
cert:
description: Local path to the frontend SSL server certificate.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
timeout:
dial:
description: Amount of time to wait for the client to dial the server.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
file:
description: Amount of time to wait for an individual file to complete a scan.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
throughput:
concurrency:
description: Number of concurrent requests to make.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
chunk:
description: Size of file chunks that will be sent to the frontend server.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
delay:
description: Artificial sleep between the submission of each chunk.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
files:
patterns:
description: List of glob patterns that determine which files will be sent for scanning.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
delete:
description: Boolean that determines if files should be deleted after being sent for scanning.
forcedType: bool
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
gatekeeper:
description: Boolean that determines if events should be pulled from the temporary event cache.
forcedType: bool
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
processed:
description: Directory where files will be moved after being submitted for scanning.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
response:
report:
description: Frequency at which the frontend reports the number of files processed.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
delta:
description: Time value that determines how much time must pass since a file was last modified before it is sent for scanning.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
staging:
description: Directory where files are staged before being sent to the cluster.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
frontend:
enabled:
enabled:
description: You can enable or disable Strelka frontend.
helpLink: strelka.html
forcedType: bool
helpLink: strelka
config:
server:
description: Network address of the frontend server.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
coordinator:
addr:
description: Network address of the coordinator.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
db:
description: Redis database of the coordinator.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
gatekeeper:
addr:
description: Network address of the gatekeeper.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
db:
description: Redis database of the gatekeeper.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
ttl:
description: Time-to-live for events added to the gatekeeper.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
response:
log:
description: Location where worker scan results are logged to.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
manager:
enabled:
enabled:
description: You can enable or disable Strelka manager.
helpLink: strelka.html
forcedType: bool
helpLink: strelka
config:
coordinator:
addr:
description: Network address of the coordinator.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
db:
description: Redis database of the coordinator.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
coordinator:
enabled:
enabled:
description: You can enable or disable Strelka coordinator.
helpLink: strelka.html
forcedType: bool
helpLink: strelka
gatekeeper:
enabled:
enabled:
description: You can enable or disable Strelka gatekeeper.
helpLink: strelka.html
forcedType: bool
helpLink: strelka
rules:
enabled:
description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes.
forcedType: bool
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: False
filecheck:
historypath:
description: The path for previously scanned files.
readonly: True
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
strelkapath:
description: The path for unprocessed files.
readonly: True
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True
logfile:
description: The path for the filecheck log.
readonly: False
global: False
helpLink: strelka.html
helpLink: strelka
advanced: True

184
salt/suricata/defaults.yaml
View File

@@ -1,20 +1,20 @@
suricata:
enabled: False
pcap:
enabled: "no"
enabled: false
filesize: 1000mb
maxsize: 25
compression: "none"
lz4-checksum: "no"
lz4-checksum: false
lz4-level: 8
filename: "%n/so-pcap.%t"
mode: "multi"
use-stream-depth: "no"
use-stream-depth: false
conditional: "all"
dir: "/nsm/suripcap"
config:
threading:
set-cpu-affinity: "no"
set-cpu-affinity: false
cpu-affinity:
management-cpu-set:
cpu:
@@ -29,17 +29,17 @@ suricata:
interface: bond0
cluster-id: 59
cluster-type: cluster_flow
defrag: "yes"
use-mmap: "yes"
mmap-locked: "no"
defrag: true
use-mmap: true
mmap-locked: false
threads: 1
tpacket-v3: "yes"
tpacket-v3: true
ring-size: 5000
block-size: 69632
block-timeout: 10
use-emergency-flush: "yes"
use-emergency-flush: true
buffer-size: 32768
disable-promisc: "no"
disable-promisc: false
checksum-checks: kernel
vars:
address-groups:
@@ -105,15 +105,15 @@ suricata:
- 6081
default-log-dir: /var/log/suricata/
stats:
enabled: "yes"
enabled: true
interval: 30
outputs:
fast:
enabled: "no"
enabled: false
filename: fast.log
append: "yes"
append: true
eve-log:
enabled: "yes"
enabled: true
filetype: regular
filename: /nsm/eve-%Y-%m-%d-%H:%M.json
rotate-interval: hour
@@ -122,104 +122,104 @@ suricata:
community-id-seed: 0
types:
alert:
payload: "no"
payload: false
payload-buffer-size: 4kb
payload-printable: "yes"
packet: "yes"
payload-printable: true
packet: true
metadata:
app-layer: false
flow: false
rule:
metadata: true
raw: true
tagged-packets: "no"
tagged-packets: false
xff:
enabled: "no"
enabled: false
mode: extra-data
deployment: reverse
header: X-Forwarded-For
unified2-alert:
enabled: "no"
enabled: false
tls-store:
enabled: "no"
enabled: false
alert-debug:
enabled: "no"
enabled: false
alert-prelude:
enabled: "no"
enabled: false
stats:
enabled: "yes"
enabled: true
filename: stats.log
append: "yes"
totals: "yes"
threads: "no"
null-values: "yes"
append: true
totals: true
threads: false
null-values: true
drop:
enabled: "no"
enabled: false
file-store:
version: 2
enabled: "no"
enabled: false
xff:
enabled: "no"
enabled: false
mode: extra-data
deployment: reverse
header: X-Forwarded-For
tcp-data:
enabled: "no"
enabled: false
type: file
filename: tcp-data.log
http-body-data:
enabled: "no"
enabled: false
type: file
filename: http-data.log
lua:
enabled: "no"
enabled: false
scripts:
logging:
default-log-level: notice
outputs:
- console:
enabled: "yes"
enabled: true
- file:
enabled: "yes"
enabled: true
level: info
filename: suricata.log
- syslog:
enabled: "no"
enabled: false
facility: local5
format: "[%i] <%d> -- "
app-layer:
protocols:
krb5:
enabled: "yes"
enabled: true
snmp:
enabled: "yes"
enabled: true
ikev2:
enabled: "yes"
enabled: true
tls:
enabled: "yes"
enabled: true
detection-ports:
dp: 443
ja3-fingerprints: auto
ja4-fingerprints: auto
encryption-handling: track-only
dcerpc:
enabled: "yes"
enabled: true
ftp:
enabled: "yes"
enabled: true
rdp:
enabled: "yes"
enabled: true
ssh:
enabled: "yes"
enabled: true
smtp:
enabled: "yes"
raw-extraction: "no"
enabled: true
raw-extraction: false
mime:
decode-mime: "yes"
decode-base64: "yes"
decode-quoted-printable: "yes"
decode-mime: true
decode-base64: true
decode-quoted-printable: true
header-value-depth: 2000
extract-urls: "yes"
body-md5: "no"
extract-urls: true
body-md5: false
inspected-tracker:
content-limit: 100000
content-inspect-min-size: 32768
@@ -227,27 +227,27 @@ suricata:
imap:
enabled: detection-only
smb:
enabled: "yes"
enabled: true
detection-ports:
dp: 139, 445
nfs:
enabled: "yes"
enabled: true
tftp:
enabled: "yes"
enabled: true
dns:
global-memcap: 16mb
state-memcap: 512kb
request-flood: 500
tcp:
enabled: "yes"
enabled: true
detection-ports:
dp: 53
udp:
enabled: "yes"
enabled: true
detection-ports:
dp: 53
http:
enabled: "yes"
enabled: true
libhtp:
default-config:
personality: IDS
@@ -260,43 +260,43 @@ suricata:
response-body-decompress-layer-limit: 2
http-body-inline: auto
swf-decompression:
enabled: "no"
enabled: false
type: both
compress-depth: 100 KiB
decompress-depth: 100 KiB
randomize-inspection-sizes: "yes"
randomize-inspection-sizes: true
randomize-inspection-range: 10
double-decode-path: "no"
double-decode-query: "no"
double-decode-path: false
double-decode-query: false
server-config:
modbus:
enabled: "yes"
enabled: true
detection-ports:
dp: 502
stream-depth: 0
dnp3:
enabled: "yes"
enabled: true
detection-ports:
dp: 20000
enip:
enabled: "yes"
enabled: true
detection-ports:
dp: 44818
sp: 44818
ntp:
enabled: "yes"
enabled: true
dhcp:
enabled: "yes"
enabled: true
sip:
enabled: "yes"
enabled: true
rfb:
enabled: 'yes'
enabled: true
detection-ports:
dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
mqtt:
enabled: 'no'
enabled: false
http2:
enabled: 'yes'
enabled: true
asn1-max-frames: 256
run-as:
user: suricata
@@ -312,8 +312,8 @@ suricata:
legacy:
uricontent: enabled
engine-analysis:
rules-fast-pattern: "yes"
rules: "yes"
rules-fast-pattern: true
rules: true
pcre:
match-limit: 3500
match-limit-recursion: 1500
@@ -336,7 +336,7 @@ suricata:
hash-size: 65536
trackers: 65535
max-frags: 65535
prealloc: "yes"
prealloc: true
timeout: 60
flow:
memcap: 128mb
@@ -380,14 +380,14 @@ suricata:
emergency-bypassed: 50
stream:
memcap: 64mb
checksum-validation: "yes"
checksum-validation: true
inline: auto
reassembly:
memcap: 256mb
depth: 1mb
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: "yes"
randomize-chunk-size: true
host:
hash-size: 4096
prealloc: 1000
@@ -432,38 +432,38 @@ suricata:
allow-restricted-functions: false
profiling:
rules:
enabled: "yes"
enabled: true
filename: rule_perf.log
append: "yes"
append: true
limit: 10
json: "yes"
json: true
keywords:
enabled: "yes"
enabled: true
filename: keyword_perf.log
append: "yes"
append: true
prefilter:
enabled: "yes"
enabled: true
filename: prefilter_perf.log
append: "yes"
append: true
rulegroups:
enabled: "yes"
enabled: true
filename: rule_group_perf.log
append: "yes"
append: true
packets:
enabled: "yes"
enabled: true
filename: packet_stats.log
append: "yes"
append: true
csv:
enabled: "no"
enabled: false
filename: packet_stats.csv
locks:
enabled: "no"
enabled: false
filename: lock_stats.log
append: "yes"
append: true
pcap-log:
enabled: "no"
enabled: false
filename: pcaplog_stats.log
append: "yes"
append: true
default-rule-path: /etc/suricata/rules
rule-files:
- all-rulesets.rules

21
salt/suricata/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'suricata/map.jinja' import SURICATAMERGED %}
@@ -20,16 +20,15 @@ so-suricata:
- privileged: True
- environment:
- INTERFACE={{ GLOBALS.sensor.interface }}
{% if DOCKER.containers['so-suricata'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-suricata'].extra_env %}
{% if DOCKERMERGED.containers['so-suricata'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-suricata'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #}
{% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %}
{% if DOCKERMERGED.containers['so-suricata'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
- {{ ULIMIT }}
{% for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- binds:
@@ -42,15 +41,15 @@ so-suricata:
- /nsm/suricata/extracted:/var/log/suricata//filestore:rw
- /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
- /nsm/suripcap/:/nsm/suripcap:rw
{% if DOCKER.containers['so-suricata'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %}
{% if DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- network_mode: host
{% if DOCKER.containers['so-suricata'].extra_hosts %}
{% if DOCKERMERGED.containers['so-suricata'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-suricata'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-suricata'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}

16
salt/suricata/map.jinja
View File

@@ -43,22 +43,18 @@
- interface: {{ GLOBALS.sensor.interface }}
cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}"
use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}"
mmap-locked: "{{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}"
defrag: {{ SURICATAMERGED.config['af-packet'].defrag }}
use-mmap: {{ SURICATAMERGED.config['af-packet']['use-mmap'] }}
mmap-locked: {{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}
threads: {{ SURICATAMERGED.config['af-packet'].threads }}
tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}"
tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}
ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }}
block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }}
use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}"
use-emergency-flush: {{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}
buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }}
disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}"
{% if SURICATAMERGED.config['af-packet']['checksum-checks'] in ['yes', 'no'] %}
checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"
{% else %}
disable-promisc: {{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}
checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}
{% endif %}
{% endload %}
{% do SURICATAMERGED.config.pop('af-packet') %}
{% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}

Some files were not shown because too many files have changed in this diff Show More