CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-03-24 05:22:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: CSEC_PUBLIC:delta
Branches Tags
CSEC_PUBLIC:master CSEC_PUBLIC:3/dev CSEC_PUBLIC:delta CSEC_PUBLIC:fix/idh-skins CSEC_PUBLIC:jertel/wip CSEC_PUBLIC:zeek-websocket CSEC_PUBLIC:quickfixes CSEC_PUBLIC:customulimit CSEC_PUBLIC:ulimits CSEC_PUBLIC:reyesj2-449 CSEC_PUBLIC:reyesj2-15601 CSEC_PUBLIC:zeekload CSEC_PUBLIC:moreja CSEC_PUBLIC:analyzer-cp314-wheels CSEC_PUBLIC:moresoup CSEC_PUBLIC:mreeves/remove-non-oracle9-salt CSEC_PUBLIC:mreeves/remove-non-oracle9-support CSEC_PUBLIC:TOoSmOotH-patch-6 CSEC_PUBLIC:2.4/dev CSEC_PUBLIC:2.4/main CSEC_PUBLIC:patch/2.4.211 CSEC_PUBLIC:TOoSmOotH-patch-5 CSEC_PUBLIC:stenoclean CSEC_PUBLIC:fix/suricatatest CSEC_PUBLIC:bravo CSEC_PUBLIC:kilo CSEC_PUBLIC:foxtrot CSEC_PUBLIC:3/dev-merge-fix CSEC_PUBLIC:2.4.210 CSEC_PUBLIC:TOoSmOotH-patch-2 CSEC_PUBLIC:3/main CSEC_PUBLIC:patch/2.4.201 CSEC_PUBLIC:reyesj2/elastic-statereview CSEC_PUBLIC:2.4/playbooklocalrepo CSEC_PUBLIC:kaffytaffy CSEC_PUBLIC:2.3/main CSEC_PUBLIC:dev CSEC_PUBLIC:sysusers CSEC_PUBLIC:feature/users
CSEC_PUBLIC:2.4.211-20260312 CSEC_PUBLIC:2.4.210-20260302 CSEC_PUBLIC:2.4.201-20260114 CSEC_PUBLIC:2.4.200-20251216 CSEC_PUBLIC:2.4.190-20251024 CSEC_PUBLIC:2.4.180-20250916 CSEC_PUBLIC:2.4.170-20250812 CSEC_PUBLIC:2.4.160-20250625 CSEC_PUBLIC:2.4.160-20250615 CSEC_PUBLIC:2.4.150-20250522 CSEC_PUBLIC:2.4.150-20250512 CSEC_PUBLIC:2.4.141-20250331 CSEC_PUBLIC:2.4.140-20250324 CSEC_PUBLIC:2.4.130-20250311 CSEC_PUBLIC:2.4.120-20250212 CSEC_PUBLIC:2.4.111-20241217 CSEC_PUBLIC:2.4.110-20241010 CSEC_PUBLIC:2.4.110-20241004 CSEC_PUBLIC:2.4.100-20240903 CSEC_PUBLIC:2.4.100-20240829 CSEC_PUBLIC:2.4.90-20240729 CSEC_PUBLIC:2.4.80-20240624 CSEC_PUBLIC:2.4.80-20240625 CSEC_PUBLIC:2.4.70-20240529 CSEC_PUBLIC:2.3.300-20240401 CSEC_PUBLIC:2.4.60-20240320 CSEC_PUBLIC:2.3.290-20240229 CSEC_PUBLIC:2.4.50-20240220 CSEC_PUBLIC:2.4.40-20240116 CSEC_PUBLIC:2.4.30-20231228 CSEC_PUBLIC:2.4.30-20231219 CSEC_PUBLIC:2.4.30-20231204 CSEC_PUBLIC:2.3.280-20231128 CSEC_PUBLIC:2.4.30-20231121 CSEC_PUBLIC:2.4.30-20231117 CSEC_PUBLIC:2.4.30-20231113 CSEC_PUBLIC:2.4.20-20231012 CSEC_PUBLIC:2.4.20-20231006 CSEC_PUBLIC:2.3.270-1006 CSEC_PUBLIC:2.4.10-202030821 CSEC_PUBLIC:2.4.10-20230815 CSEC_PUBLIC:2.4.5-20230807 CSEC_PUBLIC:2.4.5 CSEC_PUBLIC:2.4.4-20230728 CSEC_PUBLIC:2.4.3-20230711 CSEC_PUBLIC:2.3.260-20230620 CSEC_PUBLIC:2.4.2-20230531 CSEC_PUBLIC:2.3.250-20230519 CSEC_PUBLIC:2.3.240-20220426 CSEC_PUBLIC:2.4.1-20230424 CSEC_PUBLIC:2.3.230-20230417 CSEC_PUBLIC:2.4.0-20230328 CSEC_PUBLIC:2.3.220-20230301 CSEC_PUBLIC:2.3.220-20230224 CSEC_PUBLIC:2.3.210-20230202 CSEC_PUBLIC:2.3.200-20230113 CSEC_PUBLIC:2.3.190-20221207 CSEC_PUBLIC:2.3.190-20221205 CSEC_PUBLIC:2.3.182-20221109 CSEC_PUBLIC:2.3.181-20221021 CSEC_PUBLIC:2.3.180-20221014 CSEC_PUBLIC:2.3.170-20220922 CSEC_PUBLIC:2.3.160-20220829 CSEC_PUBLIC:2.3.150-20220820 CSEC_PUBLIC:2.3.140-20220812 CSEC_PUBLIC:2.3.140-20220719 CSEC_PUBLIC:2.3.140-20220718 CSEC_PUBLIC:2.3.130-20220607 CSEC_PUBLIC:2.3.120 CSEC_PUBLIC:2.3.110-20220407 CSEC_PUBLIC:2.3.110-20220405 CSEC_PUBLIC:2.3.110-20220401 CSEC_PUBLIC:2.3.110-20220309 CSEC_PUBLIC:2.3.100-20220301 CSEC_PUBLIC:2.3.100-20220203 CSEC_PUBLIC:2.3.100-20220202 CSEC_PUBLIC:2.3.100 CSEC_PUBLIC:2.3.91 CSEC_PUBLIC:2.3.90-20211213 CSEC_PUBLIC:2.3.90-20211210 CSEC_PUBLIC:2.3.90-20211206 CSEC_PUBLIC:2.3.90-AIRGAPFIX CSEC_PUBLIC:2.3.90-WAZUH CSEC_PUBLIC:2.3.90 CSEC_PUBLIC:2.3.80 CSEC_PUBLIC:2.3.70-WAZUH CSEC_PUBLIC:2.3.70-GRAFANA CSEC_PUBLIC:2.3.70-CURATOR CSEC_PUBLIC:2.3.70 CSEC_PUBLIC:2.3.61MSEARCH CSEC_PUBLIC:2.3.61STENODOCKER CSEC_PUBLIC:2.3.61 CSEC_PUBLIC:2.3.60CURATORAUTH CSEC_PUBLIC:2.3.60FBPIPELINE CSEC_PUBLIC:2.3.60HEAVYNODE CSEC_PUBLIC:2.3.60ECS CSEC_PUBLIC:2.3.60 CSEC_PUBLIC:2.3.52 CSEC_PUBLIC:2.3.51 CSEC_PUBLIC:2.3.50GRIDFIX CSEC_PUBLIC:2.3.50 CSEC_PUBLIC:2.3.40 CSEC_PUBLIC:2.3.30 CSEC_PUBLIC:2.3.21 CSEC_PUBLIC:2.3.20 CSEC_PUBLIC:2.3.10 CSEC_PUBLIC:2.3.2 CSEC_PUBLIC:2.3.1 CSEC_PUBLIC:2.3.0 CSEC_PUBLIC:2.2.0-rc3 CSEC_PUBLIC:2.1.0-rc2 CSEC_PUBLIC:2.0.1-rc1.1 CSEC_PUBLIC:2.0.1-rc1 CSEC_PUBLIC:2.0.0-rc1 CSEC_PUBLIC:1.4.1 CSEC_PUBLIC:1.4.0 CSEC_PUBLIC:1.3.0 CSEC_PUBLIC:1.2.1-1 CSEC_PUBLIC:1.2.1 CSEC_PUBLIC:1.1.4 CSEC_PUBLIC:1.1.3 CSEC_PUBLIC:1.0.4 CSEC_PUBLIC:v1.0.3
..
compare: CSEC_PUBLIC:ulimits
Branches Tags
CSEC_PUBLIC:3/dev CSEC_PUBLIC:delta CSEC_PUBLIC:fix/idh-skins CSEC_PUBLIC:jertel/wip CSEC_PUBLIC:zeek-websocket CSEC_PUBLIC:quickfixes CSEC_PUBLIC:customulimit CSEC_PUBLIC:ulimits CSEC_PUBLIC:reyesj2-449 CSEC_PUBLIC:reyesj2-15601 CSEC_PUBLIC:zeekload CSEC_PUBLIC:moreja CSEC_PUBLIC:analyzer-cp314-wheels CSEC_PUBLIC:moresoup CSEC_PUBLIC:mreeves/remove-non-oracle9-salt CSEC_PUBLIC:mreeves/remove-non-oracle9-support CSEC_PUBLIC:TOoSmOotH-patch-6 CSEC_PUBLIC:2.4/dev CSEC_PUBLIC:2.4/main CSEC_PUBLIC:patch/2.4.211 CSEC_PUBLIC:TOoSmOotH-patch-5 CSEC_PUBLIC:stenoclean CSEC_PUBLIC:fix/suricatatest CSEC_PUBLIC:bravo CSEC_PUBLIC:kilo CSEC_PUBLIC:foxtrot CSEC_PUBLIC:3/dev-merge-fix CSEC_PUBLIC:2.4.210 CSEC_PUBLIC:TOoSmOotH-patch-2 CSEC_PUBLIC:3/main CSEC_PUBLIC:patch/2.4.201 CSEC_PUBLIC:reyesj2/elastic-statereview CSEC_PUBLIC:2.4/playbooklocalrepo CSEC_PUBLIC:kaffytaffy CSEC_PUBLIC:2.3/main CSEC_PUBLIC:master CSEC_PUBLIC:dev CSEC_PUBLIC:sysusers CSEC_PUBLIC:feature/users
CSEC_PUBLIC:2.4.211-20260312 CSEC_PUBLIC:2.4.210-20260302 CSEC_PUBLIC:2.4.201-20260114 CSEC_PUBLIC:2.4.200-20251216 CSEC_PUBLIC:2.4.190-20251024 CSEC_PUBLIC:2.4.180-20250916 CSEC_PUBLIC:2.4.170-20250812 CSEC_PUBLIC:2.4.160-20250625 CSEC_PUBLIC:2.4.160-20250615 CSEC_PUBLIC:2.4.150-20250522 CSEC_PUBLIC:2.4.150-20250512 CSEC_PUBLIC:2.4.141-20250331 CSEC_PUBLIC:2.4.140-20250324 CSEC_PUBLIC:2.4.130-20250311 CSEC_PUBLIC:2.4.120-20250212 CSEC_PUBLIC:2.4.111-20241217 CSEC_PUBLIC:2.4.110-20241010 CSEC_PUBLIC:2.4.110-20241004 CSEC_PUBLIC:2.4.100-20240903 CSEC_PUBLIC:2.4.100-20240829 CSEC_PUBLIC:2.4.90-20240729 CSEC_PUBLIC:2.4.80-20240624 CSEC_PUBLIC:2.4.80-20240625 CSEC_PUBLIC:2.4.70-20240529 CSEC_PUBLIC:2.3.300-20240401 CSEC_PUBLIC:2.4.60-20240320 CSEC_PUBLIC:2.3.290-20240229 CSEC_PUBLIC:2.4.50-20240220 CSEC_PUBLIC:2.4.40-20240116 CSEC_PUBLIC:2.4.30-20231228 CSEC_PUBLIC:2.4.30-20231219 CSEC_PUBLIC:2.4.30-20231204 CSEC_PUBLIC:2.3.280-20231128 CSEC_PUBLIC:2.4.30-20231121 CSEC_PUBLIC:2.4.30-20231117 CSEC_PUBLIC:2.4.30-20231113 CSEC_PUBLIC:2.4.20-20231012 CSEC_PUBLIC:2.4.20-20231006 CSEC_PUBLIC:2.3.270-1006 CSEC_PUBLIC:2.4.10-202030821 CSEC_PUBLIC:2.4.10-20230815 CSEC_PUBLIC:2.4.5-20230807 CSEC_PUBLIC:2.4.5 CSEC_PUBLIC:2.4.4-20230728 CSEC_PUBLIC:2.4.3-20230711 CSEC_PUBLIC:2.3.260-20230620 CSEC_PUBLIC:2.4.2-20230531 CSEC_PUBLIC:2.3.250-20230519 CSEC_PUBLIC:2.3.240-20220426 CSEC_PUBLIC:2.4.1-20230424 CSEC_PUBLIC:2.3.230-20230417 CSEC_PUBLIC:2.4.0-20230328 CSEC_PUBLIC:2.3.220-20230301 CSEC_PUBLIC:2.3.220-20230224 CSEC_PUBLIC:2.3.210-20230202 CSEC_PUBLIC:2.3.200-20230113 CSEC_PUBLIC:2.3.190-20221207 CSEC_PUBLIC:2.3.190-20221205 CSEC_PUBLIC:2.3.182-20221109 CSEC_PUBLIC:2.3.181-20221021 CSEC_PUBLIC:2.3.180-20221014 CSEC_PUBLIC:2.3.170-20220922 CSEC_PUBLIC:2.3.160-20220829 CSEC_PUBLIC:2.3.150-20220820 CSEC_PUBLIC:2.3.140-20220812 CSEC_PUBLIC:2.3.140-20220719 CSEC_PUBLIC:2.3.140-20220718 CSEC_PUBLIC:2.3.130-20220607 CSEC_PUBLIC:2.3.120 CSEC_PUBLIC:2.3.110-20220407 CSEC_PUBLIC:2.3.110-20220405 CSEC_PUBLIC:2.3.110-20220401 CSEC_PUBLIC:2.3.110-20220309 CSEC_PUBLIC:2.3.100-20220301 CSEC_PUBLIC:2.3.100-20220203 CSEC_PUBLIC:2.3.100-20220202 CSEC_PUBLIC:2.3.100 CSEC_PUBLIC:2.3.91 CSEC_PUBLIC:2.3.90-20211213 CSEC_PUBLIC:2.3.90-20211210 CSEC_PUBLIC:2.3.90-20211206 CSEC_PUBLIC:2.3.90-AIRGAPFIX CSEC_PUBLIC:2.3.90-WAZUH CSEC_PUBLIC:2.3.90 CSEC_PUBLIC:2.3.80 CSEC_PUBLIC:2.3.70-WAZUH CSEC_PUBLIC:2.3.70-GRAFANA CSEC_PUBLIC:2.3.70-CURATOR CSEC_PUBLIC:2.3.70 CSEC_PUBLIC:2.3.61MSEARCH CSEC_PUBLIC:2.3.61STENODOCKER CSEC_PUBLIC:2.3.61 CSEC_PUBLIC:2.3.60CURATORAUTH CSEC_PUBLIC:2.3.60FBPIPELINE CSEC_PUBLIC:2.3.60HEAVYNODE CSEC_PUBLIC:2.3.60ECS CSEC_PUBLIC:2.3.60 CSEC_PUBLIC:2.3.52 CSEC_PUBLIC:2.3.51 CSEC_PUBLIC:2.3.50GRIDFIX CSEC_PUBLIC:2.3.50 CSEC_PUBLIC:2.3.40 CSEC_PUBLIC:2.3.30 CSEC_PUBLIC:2.3.21 CSEC_PUBLIC:2.3.20 CSEC_PUBLIC:2.3.10 CSEC_PUBLIC:2.3.2 CSEC_PUBLIC:2.3.1 CSEC_PUBLIC:2.3.0 CSEC_PUBLIC:2.2.0-rc3 CSEC_PUBLIC:2.1.0-rc2 CSEC_PUBLIC:2.0.1-rc1.1 CSEC_PUBLIC:2.0.1-rc1 CSEC_PUBLIC:2.0.0-rc1 CSEC_PUBLIC:1.4.1 CSEC_PUBLIC:1.4.0 CSEC_PUBLIC:1.3.0 CSEC_PUBLIC:1.2.1-1 CSEC_PUBLIC:1.2.1 CSEC_PUBLIC:1.1.4 CSEC_PUBLIC:1.1.3 CSEC_PUBLIC:1.0.4 CSEC_PUBLIC:v1.0.3

2 Commits
delta ... ulimits

Author SHA1 Message Date
Mike Reeves
350588f080 Change ulimits to structured dict format and add daemon.json ulimit support 
Convert ulimits from flat strings to structured dicts with name, soft,
and hard fields for better UI experience. Add default_ulimits as a
configurable setting that dynamically renders into daemon.json, giving
two layers of control: global defaults via the daemon and per-container
overrides.
 2026-03-17 16:51:04 -04:00
Mike Reeves
9a07a32a48 Add customizable ulimit settings for all Docker containers 
Add ulimits as a configurable advanced setting for every container,
allowing customization through the web UI. Move hardcoded ulimits
from elasticsearch and zeek into defaults.yaml and fix elasticsearch
ulimits that were incorrectly nested under the environment key.
 2026-03-17 15:14:34 -04:00
82 changed files with 1295 additions and 1676 deletions
Expand all files Collapse all files

4
salt/backup/soc_backup.yaml
View File

@@ -1,10 +1,10 @@
backup: backup:
locations: locations:
description: List of locations to back up to the destination. description: List of locations to back up to the destination.
helpLink: backup helpLink: backup.html
global: True global: True
destination: destination:
description: Directory to store the configuration backups in. description: Directory to store the configuration backups in.
helpLink: backup helpLink: backup.html
global: True global: True

6
salt/bpf/soc_bpf.yaml
View File

@@ -3,14 +3,14 @@ bpf:
description: List of BPF filters to apply to the PCAP engine. description: List of BPF filters to apply to the PCAP engine.
multiline: True multiline: True
forcedType: "[]string" forcedType: "[]string"
helpLink: bpf helpLink: bpf.html
suricata: suricata:
description: List of BPF filters to apply to Suricata. This will apply to alerts and, if enabled, to metadata and PCAP logs generated by Suricata. description: List of BPF filters to apply to Suricata. This will apply to alerts and, if enabled, to metadata and PCAP logs generated by Suricata.
multiline: True multiline: True
forcedType: "[]string" forcedType: "[]string"
helpLink: bpf helpLink: bpf.html
zeek: zeek:
description: List of BPF filters to apply to Zeek. description: List of BPF filters to apply to Zeek.
multiline: True multiline: True
forcedType: "[]string" forcedType: "[]string"
helpLink: bpf helpLink: bpf.html

24
salt/common/files/daemon.json Normal file
View File

@@ -0,0 +1,24 @@
{% from 'docker/docker.map.jinja' import DOCKER -%}
{
"registry-mirrors": [
"https://:5000"
],
"bip": "172.17.0.1/24",
"default-address-pools": [
{
"base": "172.17.0.0/24",
"size": 24
}
]
{%- if DOCKER.default_ulimits %},
"default-ulimits": {
{%- for ULIMIT in DOCKER.default_ulimits %}
"{{ ULIMIT.name }}": {
"Name": "{{ ULIMIT.name }}",
"Soft": {{ ULIMIT.soft }},
"Hard": {{ ULIMIT.hard }}
}{{ "," if not loop.last else "" }}
{%- endfor %}
}
{%- endif %}
}

16
salt/common/tools/sbin/so-common
View File

@@ -545,22 +545,6 @@ retry() {
return $exitcode return $exitcode
} }
rollover_index() {
idx=$1
exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}")
if [[ $exists -eq 200 ]]; then
rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST)
if [[ $rollover -eq 200 ]]; then
echo "Successfully triggered rollover for $idx..."
else
echo "Could not trigger rollover for $idx..."
fi
else
echo "Could not find index $idx..."
fi
}
run_check_net_err() { run_check_net_err() {
local cmd=$1 local cmd=$1
local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable

1
salt/common/tools/sbin/so-log-check
View File

@@ -131,7 +131,6 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not configured for GeoIP" # SO does not bundle the maxminddb with Zeek EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not configured for GeoIP" # SO does not bundle the maxminddb with Zeek
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|HTTP 404: Not Found" # Salt loops until Kratos returns 200, during startup Kratos may not be ready EXCLUDED_ERRORS="$EXCLUDED_ERRORS|HTTP 404: Not Found" # Salt loops until Kratos returns 200, during startup Kratos may not be ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Cancelling deferred write event maybeFenceReplicas because the event queue is now closed" # Kafka controller log during shutdown/restart EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Cancelling deferred write event maybeFenceReplicas because the event queue is now closed" # Kafka controller log during shutdown/restart
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Redis may have been restarted" # Redis likely restarted by salt
fi fi
if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then

10
salt/docker/defaults.yaml
View File

@@ -1,7 +1,7 @@
docker: docker:
range: '172.17.1.0/24' range: '172.17.1.0/24'
gateway: '172.17.1.1' gateway: '172.17.1.1'
ulimits: default_ulimits:
- name: nofile - name: nofile
soft: 1048576 soft: 1048576
hard: 1048576 hard: 1048576
@@ -216,7 +216,10 @@ docker:
custom_bind_mounts: [] custom_bind_mounts: []
extra_hosts: [] extra_hosts: []
extra_env: [] extra_env: []
ulimits: [] ulimits:
- name: memlock
soft: 524288000
hard: 524288000
'so-zeek': 'so-zeek':
final_octet: 99 final_octet: 99
custom_bind_mounts: [] custom_bind_mounts: []
@@ -226,6 +229,9 @@ docker:
- name: core - name: core
soft: 0 soft: 0
hard: 0 hard: 0
- name: nofile
soft: 1048576
hard: 1048576
'so-kafka': 'so-kafka':
final_octet: 88 final_octet: 88
port_bindings: port_bindings:

8
salt/docker/docker.map.jinja
View File

@@ -1,8 +1,8 @@
{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %} {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
{% set DOCKERMERGED = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %} {% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
{% set RANGESPLIT = DOCKERMERGED.range.split('.') %} {% set RANGESPLIT = DOCKER.range.split('.') %}
{% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %} {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
{% for container, vals in DOCKERMERGED.containers.items() %} {% for container, vals in DOCKER.containers.items() %}
{% do DOCKERMERGED.containers[container].update({'ip': FIRSTTHREE ~ DOCKERMERGED.containers[container].final_octet}) %} {% do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %}
{% endfor %} {% endfor %}

24
salt/docker/files/daemon.json.jinja
View File

@@ -1,24 +0,0 @@
{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
{
"registry-mirrors": [
"https://:5000"
],
"bip": "172.17.0.1/24",
"default-address-pools": [
{
"base": "172.17.0.0/24",
"size": 24
}
]
{%- if DOCKERMERGED.ulimits %},
"default-ulimits": {
{%- for ULIMIT in DOCKERMERGED.ulimits %}
"{{ ULIMIT.name }}": {
"Name": "{{ ULIMIT.name }}",
"Soft": {{ ULIMIT.soft }},
"Hard": {{ ULIMIT.hard }}
}{{ "," if not loop.last else "" }}
{%- endfor %}
}
{%- endif %}
}

9
salt/docker/init.sls
View File

@@ -3,7 +3,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
# docker service requires the ca.crt # docker service requires the ca.crt
@@ -41,9 +41,10 @@ dockeretc:
file.directory: file.directory:
- name: /etc/docker - name: /etc/docker
# Manager daemon.json
docker_daemon: docker_daemon:
file.managed: file.managed:
- source: salt://docker/files/daemon.json.jinja - source: salt://common/files/daemon.json
- name: /etc/docker/daemon.json - name: /etc/docker/daemon.json
- template: jinja - template: jinja
@@ -74,8 +75,8 @@ dockerreserveports:
sos_docker_net: sos_docker_net:
docker_network.present: docker_network.present:
- name: sobridge - name: sobridge
- subnet: {{ DOCKERMERGED.range }} - subnet: {{ DOCKER.range }}
- gateway: {{ DOCKERMERGED.gateway }} - gateway: {{ DOCKER.gateway }}
- options: - options:
com.docker.network.bridge.name: 'sobridge' com.docker.network.bridge.name: 'sobridge'
com.docker.network.driver.mtu: '1500' com.docker.network.driver.mtu: '1500'

30
salt/docker/soc_docker.yaml
View File

@@ -1,25 +1,22 @@
docker: docker:
gateway: gateway:
description: Gateway for the default docker interface. description: Gateway for the default docker interface.
helpLink: docker helpLink: docker.html
advanced: True advanced: True
range: range:
description: Default docker IP range for containers. description: Default docker IP range for containers.
helpLink: docker helpLink: docker.html
advanced: True advanced: True
ulimits: default_ulimits:
description: | description: Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults.
Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
forcedType: "[]{}"
syntax: json
advanced: True advanced: True
helpLink: docker.html helpLink: docker.html
forcedType: "[]{}"
syntax: json
uiElements: uiElements:
- field: name - field: name
label: Resource Name label: Resource Name
required: True required: True
regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
- field: soft - field: soft
label: Soft Limit label: Soft Limit
forcedType: int forcedType: int
@@ -30,37 +27,36 @@ docker:
so-dockerregistry: &dockerOptions so-dockerregistry: &dockerOptions
final_octet: final_octet:
description: Last octet of the container IP address. description: Last octet of the container IP address.
helpLink: docker helpLink: docker.html
readonly: True readonly: True
advanced: True advanced: True
global: True global: True
port_bindings: port_bindings:
description: List of port bindings for the container. description: List of port bindings for the container.
helpLink: docker helpLink: docker.html
advanced: True advanced: True
multiline: True multiline: True
forcedType: "[]string" forcedType: "[]string"
custom_bind_mounts: custom_bind_mounts:
description: List of custom local volume bindings. description: List of custom local volume bindings.
advanced: True advanced: True
helpLink: docker helpLink: docker.html
multiline: True multiline: True
forcedType: "[]string" forcedType: "[]string"
extra_hosts: extra_hosts:
description: List of additional host entries for the container. description: List of additional host entries for the container.
advanced: True advanced: True
helpLink: docker helpLink: docker.html
multiline: True multiline: True
forcedType: "[]string" forcedType: "[]string"
extra_env: extra_env:
description: List of additional ENV entries for the container. description: List of additional ENV entries for the container.
advanced: True advanced: True
helpLink: docker helpLink: docker.html
multiline: True multiline: True
forcedType: "[]string" forcedType: "[]string"
ulimits: ulimits:
description: | description: Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits.
Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
advanced: True advanced: True
helpLink: docker.html helpLink: docker.html
forcedType: "[]{}" forcedType: "[]{}"
@@ -69,8 +65,6 @@ docker:
- field: name - field: name
label: Resource Name label: Resource Name
required: True required: True
regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
- field: soft - field: soft
label: Soft Limit label: Soft Limit
forcedType: int forcedType: int

20
salt/elastalert/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
include: include:
- elastalert.config - elastalert.config
@@ -24,7 +24,7 @@ so-elastalert:
- user: so-elastalert - user: so-elastalert
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-elastalert'].ip }} - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
- detach: True - detach: True
- binds: - binds:
- /opt/so/rules/elastalert:/opt/elastalert/rules/:ro - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
@@ -33,27 +33,27 @@ so-elastalert:
- /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro - /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro
- /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro - /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro
- /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
{% if DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %} {% if DOCKER.containers['so-elastalert'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKERMERGED.containers['so-elastalert'].extra_hosts %} {% if DOCKER.containers['so-elastalert'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastalert'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-elastalert'].extra_env %} {% if DOCKER.containers['so-elastalert'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers['so-elastalert'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-elastalert'].ulimits %} {% if DOCKER.containers['so-elastalert'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %} {% for ULIMIT in DOCKER.containers['so-elastalert'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

93
salt/elastalert/soc_elastalert.yaml
View File

@@ -1,48 +1,47 @@
elastalert: elastalert:
enabled: enabled:
description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery. description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery.
forcedType: bool helpLink: elastalert.html
helpLink: elastalert
alerter_parameters: alerter_parameters:
title: Custom Configuration Parameters title: Custom Configuration Parameters
description: Optional configuration parameters made available as defaults for all rules and alerters. Use YAML format for these parameters, and reference the ElastAlert 2 documentation, located at https://elastalert2.readthedocs.io, for available configuration parameters. Requires a valid Security Onion license key. description: Optional configuration parameters made available as defaults for all rules and alerters. Use YAML format for these parameters, and reference the ElastAlert 2 documentation, located at https://elastalert2.readthedocs.io, for available configuration parameters. Requires a valid Security Onion license key.
global: True global: True
multiline: True multiline: True
syntax: yaml syntax: yaml
helpLink: elastalert helpLink: elastalert.html
forcedType: string forcedType: string
jira_api_key: jira_api_key:
title: Jira API Key title: Jira API Key
description: Optional configuration parameter for Jira API Key, used instead of the Jira username and password. Requires a valid Security Onion license key. description: Optional configuration parameter for Jira API Key, used instead of the Jira username and password. Requires a valid Security Onion license key.
global: True global: True
sensitive: True sensitive: True
helpLink: elastalert helpLink: elastalert.html
forcedType: string forcedType: string
jira_pass: jira_pass:
title: Jira Password title: Jira Password
description: Optional configuration parameter for Jira password. Requires a valid Security Onion license key. description: Optional configuration parameter for Jira password. Requires a valid Security Onion license key.
global: True global: True
sensitive: True sensitive: True
helpLink: elastalert helpLink: elastalert.html
forcedType: string forcedType: string
jira_user: jira_user:
title: Jira Username title: Jira Username
description: Optional configuration parameter for Jira username. Requires a valid Security Onion license key. description: Optional configuration parameter for Jira username. Requires a valid Security Onion license key.
global: True global: True
helpLink: elastalert helpLink: elastalert.html
forcedType: string forcedType: string
smtp_pass: smtp_pass:
title: SMTP Password title: SMTP Password
description: Optional configuration parameter for SMTP password, required for authenticating email servers. Requires a valid Security Onion license key. description: Optional configuration parameter for SMTP password, required for authenticating email servers. Requires a valid Security Onion license key.
global: True global: True
sensitive: True sensitive: True
helpLink: elastalert helpLink: elastalert.html
forcedType: string forcedType: string
smtp_user: smtp_user:
title: SMTP Username title: SMTP Username
description: Optional configuration parameter for SMTP username, required for authenticating email servers. Requires a valid Security Onion license key. description: Optional configuration parameter for SMTP username, required for authenticating email servers. Requires a valid Security Onion license key.
global: True global: True
helpLink: elastalert helpLink: elastalert.html
forcedType: string forcedType: string
files: files:
custom: custom:
@@ -50,131 +49,91 @@ elastalert:
description: Optional custom Certificate Authority for connecting to an AlertManager server. To utilize this custom file, the alertmanager_ca_certs key must be set to /opt/elastalert/custom/alertmanager_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. description: Optional custom Certificate Authority for connecting to an AlertManager server. To utilize this custom file, the alertmanager_ca_certs key must be set to /opt/elastalert/custom/alertmanager_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True global: True
file: True file: True
helpLink: elastalert helpLink: elastalert.html
gelf_ca__crt: gelf_ca__crt:
description: Optional custom Certificate Authority for connecting to a Graylog server. To utilize this custom file, the graylog_ca_certs key must be set to /opt/elastalert/custom/graylog_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. description: Optional custom Certificate Authority for connecting to a Graylog server. To utilize this custom file, the graylog_ca_certs key must be set to /opt/elastalert/custom/graylog_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True global: True
file: True file: True
helpLink: elastalert helpLink: elastalert.html
http_post_ca__crt: http_post_ca__crt:
description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the legacy HTTP POST alerter. To utilize this custom file, the http_post_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the legacy HTTP POST alerter. To utilize this custom file, the http_post_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True global: True
file: True file: True
helpLink: elastalert helpLink: elastalert.html
http_post2_ca__crt: http_post2_ca__crt:
description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the newer HTTP POST 2 alerter. To utilize this custom file, the http_post2_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the newer HTTP POST 2 alerter. To utilize this custom file, the http_post2_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True global: True
file: True file: True
helpLink: elastalert helpLink: elastalert.html
ms_teams_ca__crt: ms_teams_ca__crt:
description: Optional custom Certificate Authority for connecting to Microsoft Teams server. To utilize this custom file, the ms_teams_ca_certs key must be set to /opt/elastalert/custom/ms_teams_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. description: Optional custom Certificate Authority for connecting to Microsoft Teams server. To utilize this custom file, the ms_teams_ca_certs key must be set to /opt/elastalert/custom/ms_teams_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True global: True
file: True file: True
helpLink: elastalert helpLink: elastalert.html
pagerduty_ca__crt: pagerduty_ca__crt:
description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the pagerduty_ca_certs key must be set to /opt/elastalert/custom/pagerduty_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the pagerduty_ca_certs key must be set to /opt/elastalert/custom/pagerduty_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True global: True
file: True file: True
helpLink: elastalert helpLink: elastalert.html
rocket_chat_ca__crt: rocket_chat_ca__crt:
description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the rocket_chart_ca_certs key must be set to /opt/elastalert/custom/rocket_chat_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the rocket_chart_ca_certs key must be set to /opt/elastalert/custom/rocket_chat_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True global: True
file: True file: True
helpLink: elastalert helpLink: elastalert.html
smtp__crt: smtp__crt:
description: Optional custom certificate for connecting to an SMTP server. To utilize this custom file, the smtp_cert_file key must be set to /opt/elastalert/custom/smtp.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. description: Optional custom certificate for connecting to an SMTP server. To utilize this custom file, the smtp_cert_file key must be set to /opt/elastalert/custom/smtp.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True global: True
file: True file: True
helpLink: elastalert helpLink: elastalert.html
smtp__key: smtp__key:
description: Optional custom certificate key for connecting to an SMTP server. To utilize this custom file, the smtp_key_file key must be set to /opt/elastalert/custom/smtp.key in the Alerter Parameters setting. Requires a valid Security Onion license key. description: Optional custom certificate key for connecting to an SMTP server. To utilize this custom file, the smtp_key_file key must be set to /opt/elastalert/custom/smtp.key in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True global: True
file: True file: True
helpLink: elastalert helpLink: elastalert.html
slack_ca__crt: slack_ca__crt:
description: Optional custom Certificate Authority for connecting to Slack. To utilize this custom file, the slack_ca_certs key must be set to /opt/elastalert/custom/slack_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. description: Optional custom Certificate Authority for connecting to Slack. To utilize this custom file, the slack_ca_certs key must be set to /opt/elastalert/custom/slack_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
global: True global: True
file: True file: True
helpLink: elastalert helpLink: elastalert.html
config: config:
scan_subdirectories:
description: Recursively scan subdirectories for rules.
forcedType: bool
advanced: True
global: True
helpLink: elastalert
disable_rules_on_error: disable_rules_on_error:
description: Disable rules on failure. description: Disable rules on failure.
forcedType: bool
global: True global: True
helpLink: elastalert helpLink: elastalert.html
run_every: run_every:
minutes: minutes:
description: Amount of time in minutes between searches. description: Amount of time in minutes between searches.
global: True global: True
helpLink: elastalert helpLink: elastalert.html
buffer_time: buffer_time:
minutes: minutes:
description: Amount of time in minutes to look through. description: Amount of time in minutes to look through.
global: True global: True
helpLink: elastalert helpLink: elastalert.html
old_query_limit: old_query_limit:
minutes: minutes:
description: Amount of time in minutes between queries to start at the most recently run query. description: Amount of time in minutes between queries to start at the most recently run query.
global: True global: True
helpLink: elastalert helpLink: elastalert.html
es_conn_timeout: es_conn_timeout:
description: Timeout in seconds for connecting to and reading from Elasticsearch. description: Timeout in seconds for connecting to and reading from Elasticsearch.
global: True global: True
helpLink: elastalert helpLink: elastalert.html
max_query_size: max_query_size:
description: The maximum number of documents that will be returned from Elasticsearch in a single query. description: The maximum number of documents that will be returned from Elasticsearch in a single query.
global: True global: True
helpLink: elastalert helpLink: elastalert.html
use_ssl:
description: Use SSL to connect to Elasticsearch.
forcedType: bool
advanced: True
global: True
helpLink: elastalert
verify_certs:
description: Verify TLS certificates when connecting to Elasticsearch.
forcedType: bool
advanced: True
global: True
helpLink: elastalert
alert_time_limit: alert_time_limit:
days: days:
description: The retry window for failed alerts. description: The retry window for failed alerts.
global: True global: True
helpLink: elastalert helpLink: elastalert.html
index_settings: index_settings:
shards: shards:
description: The number of shards for elastalert indices. description: The number of shards for elastalert indices.
global: True global: True
helpLink: elastalert helpLink: elastalert.html
replicas: replicas:
description: The number of replicas for elastalert indices. description: The number of replicas for elastalert indices.
global: True global: True
helpLink: elastalert helpLink: elastalert.html
logging:
incremental:
description: When incremental is false (the default), the logging configuration is applied in full, replacing any existing logging setup. When true, only the level attributes of existing loggers and handlers are updated, leaving the rest of the logging configuration unchanged.
forcedType: bool
advanced: True
global: True
helpLink: elastalert
disable_existing_loggers:
description: Disable existing loggers.
forcedType: bool
advanced: True
global: True
helpLink: elastalert
loggers:
'':
propagate:
description: Propagate log messages to parent loggers.
forcedType: bool
advanced: True
global: True
helpLink: elastalert

22
salt/elastic-fleet-package-registry/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
include: include:
- elastic-fleet-package-registry.config - elastic-fleet-package-registry.config
@@ -21,33 +21,33 @@ so-elastic-fleet-package-registry:
- user: 948 - user: 948
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ip }} - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
- extra_hosts: - extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %} {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].port_bindings %} {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %} {% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
- binds: - binds:
{% for BIND in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %} {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %} {% if DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %} {% for ULIMIT in DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

1
salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
View File

@@ -1,5 +1,4 @@
elastic_fleet_package_registry: elastic_fleet_package_registry:
enabled: enabled:
description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated. description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated.
forcedType: bool
advanced: True advanced: True

22
salt/elasticagent/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
include: include:
- ca - ca
@@ -22,17 +22,17 @@ so-elastic-agent:
- user: 949 - user: 949
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-elastic-agent'].ip }} - ipv4_address: {{ DOCKER.containers['so-elastic-agent'].ip }}
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %} {% if DOCKER.containers['so-elastic-agent'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-elastic-agent'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-elastic-agent'].port_bindings %} {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
@@ -41,22 +41,22 @@ so-elastic-agent:
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /nsm:/nsm:ro - /nsm:/nsm:ro
- /opt/so/log:/opt/so/log:ro - /opt/so/log:/opt/so/log:ro
{% if DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %} {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- environment: - environment:
- FLEET_CA=/etc/pki/tls/certs/intca.crt - FLEET_CA=/etc/pki/tls/certs/intca.crt
- LOGS_PATH=logs - LOGS_PATH=logs
{% if DOCKERMERGED.containers['so-elastic-agent'].extra_env %} {% if DOCKER.containers['so-elastic-agent'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-agent'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %} {% if DOCKER.containers['so-elastic-agent'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %} {% for ULIMIT in DOCKER.containers['so-elastic-agent'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

1
salt/elasticagent/soc_elasticagent.yaml
View File

@@ -1,5 +1,4 @@
elasticagent: elasticagent:
enabled: enabled:
description: Enables or disables the Elastic Agent process. This process must remain enabled to allow collection of node events. description: Enables or disables the Elastic Agent process. This process must remain enabled to allow collection of node events.
forcedType: bool
advanced: True advanced: True

22
salt/elasticfleet/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} {% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
{# This value is generated during node install and stored in minion pillar #} {# This value is generated during node install and stored in minion pillar #}
@@ -94,17 +94,17 @@ so-elastic-fleet:
- user: 947 - user: 947
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet'].ip }} - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %} {% if DOCKER.containers['so-elastic-fleet'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-elastic-fleet'].port_bindings %} {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
@@ -112,8 +112,8 @@ so-elastic-fleet:
- /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs
{% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %} {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -128,14 +128,14 @@ so-elastic-fleet:
- FLEET_CA=/etc/pki/tls/certs/intca.crt - FLEET_CA=/etc/pki/tls/certs/intca.crt
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
- LOGS_PATH=logs - LOGS_PATH=logs
{% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %} {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %} {% if DOCKER.containers['so-elastic-fleet'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %} {% for ULIMIT in DOCKER.containers['so-elastic-fleet'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

59
salt/elasticfleet/soc_elasticfleet.yaml
View File

@@ -1,15 +1,14 @@
elasticfleet: elasticfleet:
enabled: enabled:
description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents. description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents.
forcedType: bool
advanced: True advanced: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
enable_manager_output: enable_manager_output:
description: Setting this option to False should only be considered if there is at least one receiver node in the grid. If True, Elastic Agent will send events to the manager and receivers. If False, events will only be send to the receivers. description: Setting this option to False should only be considered if there is at least one receiver node in the grid. If True, Elastic Agent will send events to the manager and receivers. If False, events will only be send to the receivers.
advanced: True advanced: True
global: True global: True
forcedType: bool forcedType: bool
helpLink: elastic-fleet helpLink: elastic-fleet.html
files: files:
soc: soc:
elastic-defend-disabled-filters__yaml: elastic-defend-disabled-filters__yaml:
@@ -18,7 +17,7 @@ elasticfleet:
syntax: yaml syntax: yaml
file: True file: True
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
advanced: True advanced: True
elastic-defend-custom-filters__yaml: elastic-defend-custom-filters__yaml:
title: Custom Elastic Defend filters title: Custom Elastic Defend filters
@@ -26,32 +25,31 @@ elasticfleet:
syntax: yaml syntax: yaml
file: True file: True
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
advanced: True advanced: True
logging: logging:
zeek: zeek:
excluded: excluded:
description: This is a list of Zeek logs that are excluded from being shipped through the data processing pipeline. If you remove a log from this list, Elastic Agent will attempt to process it. If an ingest node pipeline is not available to process the logs, you may experience errors. description: This is a list of Zeek logs that are excluded from being shipped through the data processing pipeline. If you remove a log from this list, Elastic Agent will attempt to process it. If an ingest node pipeline is not available to process the logs, you may experience errors.
forcedType: "[]string" forcedType: "[]string"
helpLink: zeek helpLink: zeek.html
config: config:
defend_filters: defend_filters:
enable_auto_configuration: enable_auto_configuration:
description: Enable auto-configuration and management of the Elastic Defend Exclusion filters. description: Enable auto-configuration and management of the Elastic Defend Exclusion filters.
forcedType: bool
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
advanced: True advanced: True
subscription_integrations: subscription_integrations:
description: Enable the installation of integrations that require an Elastic license. description: Enable the installation of integrations that require an Elastic license.
global: True global: True
forcedType: bool forcedType: bool
helpLink: elastic-fleet helpLink: elastic-fleet.html
auto_upgrade_integrations: auto_upgrade_integrations:
description: Enables or disables automatically upgrading Elastic Agent integrations. description: Enables or disables automatically upgrading Elastic Agent integrations.
global: True global: True
forcedType: bool forcedType: bool
helpLink: elastic-fleet helpLink: elastic-fleet.html
outputs: outputs:
logstash: logstash:
bulk_max_size: bulk_max_size:
@@ -59,68 +57,67 @@ elasticfleet:
global: True global: True
forcedType: int forcedType: int
advanced: True advanced: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
worker: worker:
description: The number of workers per configured host publishing events. description: The number of workers per configured host publishing events.
global: True global: True
forcedType: int forcedType: int
advanced: true advanced: true
helpLink: elastic-fleet helpLink: elastic-fleet.html
queue_mem_events: queue_mem_events:
title: queued events title: queued events
description: The number of events the queue can store. This value should be evenly divisible by the smaller of 'bulk_max_size' to avoid sending partial batches to the output. description: The number of events the queue can store. This value should be evenly divisible by the smaller of 'bulk_max_size' to avoid sending partial batches to the output.
global: True global: True
forcedType: int forcedType: int
advanced: True advanced: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
timeout: timeout:
description: The number of seconds to wait for responses from the Logstash server before timing out. Eg 30s description: The number of seconds to wait for responses from the Logstash server before timing out. Eg 30s
regex: ^[0-9]+s$ regex: ^[0-9]+s$
advanced: True advanced: True
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
loadbalance: loadbalance:
description: If true and multiple Logstash hosts are configured, the output plugin load balances published events onto all Logstash hosts. If false, the output plugin sends all events to one host (determined at random) and switches to another host if the selected one becomes unresponsive. description: If true and multiple Logstash hosts are configured, the output plugin load balances published events onto all Logstash hosts. If false, the output plugin sends all events to one host (determined at random) and switches to another host if the selected one becomes unresponsive.
forcedType: bool forcedType: bool
advanced: True advanced: True
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
compression_level: compression_level:
description: The gzip compression level. The compression level must be in the range of 1 (best speed) to 9 (best compression). description: The gzip compression level. The compression level must be in the range of 1 (best speed) to 9 (best compression).
regex: ^[1-9]$ regex: ^[1-9]$
forcedType: int forcedType: int
advanced: True advanced: True
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
server: server:
custom_fqdn: custom_fqdn:
description: Custom FQDN for Agents to connect to. One per line. description: Custom FQDN for Agents to connect to. One per line.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
advanced: True advanced: True
forcedType: "[]string" forcedType: "[]string"
enable_auto_configuration: enable_auto_configuration:
description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs. description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs.
forcedType: bool
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
advanced: True advanced: True
endpoints_enrollment: endpoints_enrollment:
description: Endpoint enrollment key. description: Endpoint enrollment key.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
sensitive: True sensitive: True
advanced: True advanced: True
es_token: es_token:
description: Elastic auth token. description: Elastic auth token.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
sensitive: True sensitive: True
advanced: True advanced: True
grid_enrollment: grid_enrollment:
description: Grid enrollment key. description: Grid enrollment key.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
sensitive: True sensitive: True
advanced: True advanced: True
optional_integrations: optional_integrations:
@@ -128,57 +125,57 @@ elasticfleet:
enabled_nodes: enabled_nodes:
description: Fleet nodes with the Sublime Platform integration enabled. Enter one per line. description: Fleet nodes with the Sublime Platform integration enabled. Enter one per line.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
advanced: True advanced: True
forcedType: "[]string" forcedType: "[]string"
api_key: api_key:
description: API key for Sublime Platform. description: API key for Sublime Platform.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
advanced: True advanced: True
forcedType: string forcedType: string
sensitive: True sensitive: True
base_url: base_url:
description: Base URL for Sublime Platform. description: Base URL for Sublime Platform.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
advanced: True advanced: True
forcedType: string forcedType: string
poll_interval: poll_interval:
description: Poll interval for alerts from Sublime Platform. description: Poll interval for alerts from Sublime Platform.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
advanced: True advanced: True
forcedType: string forcedType: string
limit: limit:
description: The maximum number of message groups to return from Sublime Platform. description: The maximum number of message groups to return from Sublime Platform.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
advanced: True advanced: True
forcedType: int forcedType: int
kismet: kismet:
base_url: base_url:
description: Base URL for Kismet. description: Base URL for Kismet.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
advanced: True advanced: True
forcedType: string forcedType: string
poll_interval: poll_interval:
description: Poll interval for wireless device data from Kismet. Integration is currently configured to return devices seen as active by any Kismet sensor within the last 10 minutes. description: Poll interval for wireless device data from Kismet. Integration is currently configured to return devices seen as active by any Kismet sensor within the last 10 minutes.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
advanced: True advanced: True
forcedType: string forcedType: string
api_key: api_key:
description: API key for Kismet. description: API key for Kismet.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
advanced: True advanced: True
forcedType: string forcedType: string
sensitive: True sensitive: True
enabled_nodes: enabled_nodes:
description: Fleet nodes with the Kismet integration enabled. Enter one per line. description: Fleet nodes with the Kismet integration enabled. Enter one per line.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
advanced: True advanced: True
forcedType: "[]string" forcedType: "[]string"

2
salt/elasticsearch/config.sls
View File

@@ -10,7 +10,7 @@
vm.max_map_count: vm.max_map_count:
sysctl.present: sysctl.present:
- value: {{ ELASTICSEARCHMERGED.vm.max_map_count }} - value: 262144
# Add ES Group # Add ES Group
elasticsearchgroup: elasticsearchgroup:

120
salt/elasticsearch/defaults.yaml
View File

@@ -2,8 +2,6 @@ elasticsearch:
enabled: false enabled: false
version: 9.0.8 version: 9.0.8
index_clean: true index_clean: true
vm:
max_map_count: 1048576
config: config:
action: action:
destructive_requires_name: true destructive_requires_name: true
@@ -119,7 +117,7 @@ elasticsearch:
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- so-case* - so-case*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -131,6 +129,8 @@ elasticsearch:
match_mapping_type: string match_mapping_type: string
settings: settings:
index: index:
lifecycle:
name: so-case-logs
mapping: mapping:
total_fields: total_fields:
limit: 1500 limit: 1500
@@ -141,7 +141,14 @@ elasticsearch:
sort: sort:
field: '@timestamp' field: '@timestamp'
order: desc order: desc
policy:
phases:
hot:
actions: {}
min_age: 0ms
so-common: so-common:
close: 30
delete: 365
index_sorting: false index_sorting: false
index_template: index_template:
composed_of: composed_of:
@@ -205,9 +212,7 @@ elasticsearch:
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
- winlog-mappings - winlog-mappings
data_stream: data_stream: {}
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- logs-*-so* - logs-*-so*
@@ -267,7 +272,7 @@ elasticsearch:
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- so-detection* - so-detection*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -279,6 +284,8 @@ elasticsearch:
match_mapping_type: string match_mapping_type: string
settings: settings:
index: index:
lifecycle:
name: so-detection-logs
mapping: mapping:
total_fields: total_fields:
limit: 1500 limit: 1500
@@ -289,6 +296,11 @@ elasticsearch:
sort: sort:
field: '@timestamp' field: '@timestamp'
order: desc order: desc
policy:
phases:
hot:
actions: {}
min_age: 0ms
sos-backup: sos-backup:
index_sorting: false index_sorting: false
index_template: index_template:
@@ -448,7 +460,7 @@ elasticsearch:
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- endgame* - endgame*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -496,6 +508,8 @@ elasticsearch:
priority: 50 priority: 50
min_age: 30d min_age: 30d
so-idh: so-idh:
close: 30
delete: 365
index_sorting: false index_sorting: false
index_template: index_template:
composed_of: composed_of:
@@ -550,13 +564,10 @@ elasticsearch:
- dtc-user_agent-mappings - dtc-user_agent-mappings
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- logs-idh-so* - so-idh-*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -666,13 +677,11 @@ elasticsearch:
- common-dynamic-mappings - common-dynamic-mappings
- winlog-mappings - winlog-mappings
- hash-mappings - hash-mappings
data_stream: data_stream: {}
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- logs-import-so* - logs-import-so*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -727,7 +736,7 @@ elasticsearch:
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- so-ip* - so-ip*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -742,12 +751,19 @@ elasticsearch:
mapping: mapping:
total_fields: total_fields:
limit: 1500 limit: 1500
lifecycle:
name: so-ip-mappings-logs
number_of_replicas: 0 number_of_replicas: 0
number_of_shards: 1 number_of_shards: 1
refresh_interval: 30s refresh_interval: 30s
sort: sort:
field: '@timestamp' field: '@timestamp'
order: desc order: desc
policy:
phases:
hot:
actions: {}
min_age: 0ms
so-items: so-items:
index_sorting: false index_sorting: false
index_template: index_template:
@@ -756,7 +772,7 @@ elasticsearch:
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- .items-default-** - .items-default-**
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -835,6 +851,8 @@ elasticsearch:
priority: 50 priority: 50
min_age: 30d min_age: 30d
so-kratos: so-kratos:
close: 30
delete: 365
index_sorting: false index_sorting: false
index_template: index_template:
composed_of: composed_of:
@@ -855,7 +873,7 @@ elasticsearch:
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- logs-kratos-so* - logs-kratos-so*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -903,6 +921,8 @@ elasticsearch:
priority: 50 priority: 50
min_age: 30d min_age: 30d
so-hydra: so-hydra:
close: 30
delete: 365
index_sorting: false index_sorting: false
index_template: index_template:
composed_of: composed_of:
@@ -963,7 +983,7 @@ elasticsearch:
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- logs-hydra-so* - logs-hydra-so*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -1018,7 +1038,7 @@ elasticsearch:
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- .lists-default-** - .lists-default-**
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -1504,9 +1524,6 @@ elasticsearch:
- so-fleet_integrations.ip_mappings-1 - so-fleet_integrations.ip_mappings-1
- so-fleet_globals-1 - so-fleet_globals-1
- so-fleet_agent_id_verification-1 - so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: ignore_missing_component_templates:
- logs-elastic_agent.cloudbeat@custom - logs-elastic_agent.cloudbeat@custom
index_patterns: index_patterns:
@@ -1742,9 +1759,6 @@ elasticsearch:
- so-fleet_integrations.ip_mappings-1 - so-fleet_integrations.ip_mappings-1
- so-fleet_globals-1 - so-fleet_globals-1
- so-fleet_agent_id_verification-1 - so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: ignore_missing_component_templates:
- logs-elastic_agent.heartbeat@custom - logs-elastic_agent.heartbeat@custom
index_patterns: index_patterns:
@@ -3004,6 +3018,8 @@ elasticsearch:
priority: 50 priority: 50
min_age: 30d min_age: 30d
so-logs-soc: so-logs-soc:
close: 30
delete: 365
index_sorting: false index_sorting: false
index_template: index_template:
composed_of: composed_of:
@@ -3058,13 +3074,11 @@ elasticsearch:
- dtc-user_agent-mappings - dtc-user_agent-mappings
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
data_stream: data_stream: {}
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- logs-soc-so* - logs-soc-so*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -3654,13 +3668,10 @@ elasticsearch:
- vulnerability-mappings - vulnerability-mappings
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- logs-logstash-default* - logs-logstash-default*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -3958,13 +3969,10 @@ elasticsearch:
- vulnerability-mappings - vulnerability-mappings
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- logs-redis.log* - logs-redis-default*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -4075,13 +4083,11 @@ elasticsearch:
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
- hash-mappings - hash-mappings
data_stream: data_stream: {}
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- logs-strelka-so* - logs-strelka-so*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -4191,13 +4197,11 @@ elasticsearch:
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
- hash-mappings - hash-mappings
data_stream: data_stream: {}
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- logs-suricata-so* - logs-suricata-so*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -4307,13 +4311,11 @@ elasticsearch:
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
- hash-mappings - hash-mappings
data_stream: data_stream: {}
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- logs-suricata.alerts-* - logs-suricata.alerts-*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -4423,13 +4425,11 @@ elasticsearch:
- vulnerability-mappings - vulnerability-mappings
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
data_stream: data_stream: {}
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- logs-syslog-so* - logs-syslog-so*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false
@@ -4541,13 +4541,11 @@ elasticsearch:
- common-settings - common-settings
- common-dynamic-mappings - common-dynamic-mappings
- hash-mappings - hash-mappings
data_stream: data_stream: {}
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: [] ignore_missing_component_templates: []
index_patterns: index_patterns:
- logs-zeek-so* - logs-zeek-so*
priority: 501 priority: 500
template: template:
mappings: mappings:
date_detection: false date_detection: false

22
salt/elasticsearch/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %} {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %} {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %} {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
@@ -28,15 +28,15 @@ so-elasticsearch:
- user: elasticsearch - user: elasticsearch
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-elasticsearch'].ip }} - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
- extra_hosts: - extra_hosts:
{% for node in ELASTICSEARCH_NODES %} {% for node in ELASTICSEARCH_NODES %}
{% for hostname, ip in node.items() %} {% for hostname, ip in node.items() %}
- {{hostname}}:{{ip}} - {{hostname}}:{{ip}}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{% if DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %} {% if DOCKER.containers['so-elasticsearch'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -45,19 +45,19 @@ so-elasticsearch:
- discovery.type=single-node - discovery.type=single-node
{% endif %} {% endif %}
- ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
{% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %} {% if DOCKER.containers['so-elasticsearch'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %} {% if DOCKER.containers['so-elasticsearch'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %} {% for ULIMIT in DOCKER.containers['so-elasticsearch'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-elasticsearch'].port_bindings %} {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
@@ -77,8 +77,8 @@ so-elasticsearch:
- {{ repo }}:{{ repo }}:rw - {{ repo }}:{{ repo }}:rw
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %} {% if DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

18
salt/elasticsearch/files/ingest/zeek.websocket
View File

@@ -1,18 +0,0 @@
{
"description" : "zeek.websocket",
"processors" : [
{ "set": { "field": "event.dataset", "value": "websocket" } },
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.host", "target_field": "websocket.host", "ignore_missing": true } },
{ "rename": { "field": "message2.uri", "target_field": "websocket.uri", "ignore_missing": true } },
{ "rename": { "field": "message2.user_agent", "target_field": "websocket.user_agent", "ignore_missing": true } },
{ "rename": { "field": "message2.subprotocol", "target_field": "websocket.subprotocol", "ignore_missing": true } },
{ "rename": { "field": "message2.client_protocols", "target_field": "websocket.client_protocols", "ignore_missing": true } },
{ "rename": { "field": "message2.client_extensions", "target_field": "websocket.client_extensions", "ignore_missing": true } },
{ "rename": { "field": "message2.server_extensions", "target_field": "websocket.server_extensions", "ignore_missing": true } },
{ "remove": { "field": "message2.tags", "ignore_failure": true } },
{ "set": { "field": "network.transport", "value": "tcp" } },
{ "pipeline": { "name": "zeek.common" } }
]
}

189
salt/elasticsearch/soc_elasticsearch.yaml
View File

@@ -1,9 +1,8 @@
elasticsearch: elasticsearch:
enabled: enabled:
description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING - Disabling this process is unsupported. description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING - Disabling this process is unsupported.
forcedType: bool
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
version: version:
description: "This specifies the version of the following containers: so-elastic-fleet-package-registry, so-elastic-agent, so-elastic-fleet, so-kibana, so-logstash and so-elasticsearch. Modifying this value in the Elasticsearch defaults.yaml will result in catastrophic grid failure." description: "This specifies the version of the following containers: so-elastic-fleet-package-registry, so-elastic-agent, so-elastic-fleet, so-kibana, so-logstash and so-elasticsearch. Modifying this value in the Elasticsearch defaults.yaml will result in catastrophic grid failure."
readonly: True readonly: True
@@ -11,20 +10,15 @@ elasticsearch:
advanced: True advanced: True
esheap: esheap:
description: Specify the memory heap size in (m)egabytes for Elasticsearch. description: Specify the memory heap size in (m)egabytes for Elasticsearch.
helpLink: elasticsearch helpLink: elasticsearch.html
index_clean: index_clean:
description: Determines if indices should be considered for deletion by available disk space in the cluster. Otherwise, indices will only be deleted by the age defined in the ILM settings. This setting only applies to EVAL, STANDALONE, and HEAVY NODE installations. Other installations can only use ILM settings. description: Determines if indices should be considered for deletion by available disk space in the cluster. Otherwise, indices will only be deleted by the age defined in the ILM settings. This setting only applies to EVAL, STANDALONE, and HEAVY NODE installations. Other installations can only use ILM settings.
forcedType: bool forcedType: bool
helpLink: elasticsearch helpLink: elasticsearch.html
vm:
max_map_count:
description: The maximum number of memory map areas a process may use. Elasticsearch uses a mmapfs directory by default to store its indices. The default operating system limits on mmap counts could be too low, which may result in out of memory exceptions.
forcedType: int
helpLink: elasticsearch
retention: retention:
retention_pct: retention_pct:
decription: Total percentage of space used by Elasticsearch for multi node clusters decription: Total percentage of space used by Elasticsearch for multi node clusters
helpLink: elasticsearch helpLink: elasticsearch.html
global: True global: True
config: config:
cluster: cluster:
@@ -32,102 +26,55 @@ elasticsearch:
description: The name of the Security Onion Elasticsearch cluster, for identification purposes. description: The name of the Security Onion Elasticsearch cluster, for identification purposes.
readonly: True readonly: True
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
logsdb: logsdb:
enabled: enabled:
description: Enables or disables the Elasticsearch logsdb index mode. When enabled, most logs-* datastreams will convert to logsdb from standard after rolling over. description: Enables or disables the Elasticsearch logsdb index mode. When enabled, most logs-* datastreams will convert to logsdb from standard after rolling over.
forcedType: bool forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
routing: routing:
allocation: allocation:
disk: disk:
threshold_enabled: threshold_enabled:
description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster. description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster.
forcedType: bool helpLink: elasticsearch.html
helpLink: elasticsearch
watermark: watermark:
low: low:
description: The lower percentage of used disk space representing a healthy node. description: The lower percentage of used disk space representing a healthy node.
helpLink: elasticsearch helpLink: elasticsearch.html
high: high:
description: The higher percentage of used disk space representing an unhealthy node. description: The higher percentage of used disk space representing an unhealthy node.
helpLink: elasticsearch helpLink: elasticsearch.html
flood_stage: flood_stage:
description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events. description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events.
helpLink: elasticsearch helpLink: elasticsearch.html
action:
destructive_requires_name:
description: Requires explicit index names when deleting indices. Prevents accidental deletion of indices via wildcard patterns.
advanced: True
forcedType: bool
helpLink: elasticsearch
script: script:
max_compilations_rate: max_compilations_rate:
description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources. description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources.
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
indices: indices:
id_field_data:
enabled:
description: Enables or disables loading of field data on the _id field.
advanced: True
forcedType: bool
helpLink: elasticsearch
query: query:
bool: bool:
max_clause_count: max_clause_count:
description: Max number of boolean clauses per query. description: Max number of boolean clauses per query.
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
xpack:
ml:
enabled:
description: Enables or disables machine learning on the node.
forcedType: bool
advanced: True
helpLink: elasticsearch
security:
enabled:
description: Enables or disables Elasticsearch security features.
forcedType: bool
advanced: True
helpLink: elasticsearch
authc:
anonymous:
authz_exception:
description: Controls whether an authorization exception is thrown when anonymous user does not have the required privileges.
advanced: True
forcedType: bool
helpLink: elasticsearch
http:
ssl:
enabled:
description: Enables or disables TLS/SSL for the HTTP layer.
advanced: True
forcedType: bool
helpLink: elasticsearch
transport:
ssl:
enabled:
description: Enables or disables TLS/SSL for the transport layer.
advanced: True
forcedType: bool
helpLink: elasticsearch
pipelines: pipelines:
custom001: &pipelines custom001: &pipelines
description: description:
description: Description of the ingest node pipeline description: Description of the ingest node pipeline
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
processors: processors:
description: Processors for the ingest node pipeline description: Processors for the ingest node pipeline
global: True global: True
advanced: True advanced: True
multiline: True multiline: True
helpLink: elasticsearch helpLink: elasticsearch.html
custom002: *pipelines custom002: *pipelines
custom003: *pipelines custom003: *pipelines
custom004: *pipelines custom004: *pipelines
@@ -147,24 +94,24 @@ elasticsearch:
description: Number of replicas required for all indices. Multiple replicas protects against data loss, but also increases storage costs. This setting will be applied to all indices. description: Number of replicas required for all indices. Multiple replicas protects against data loss, but also increases storage costs. This setting will be applied to all indices.
forcedType: int forcedType: int
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
refresh_interval: refresh_interval:
description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation. description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
number_of_shards: number_of_shards:
description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs. description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
sort: sort:
field: field:
description: The field to sort by. Must set index_sorting to True. description: The field to sort by. Must set index_sorting to True.
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
order: order:
description: The order to sort by. Must set index_sorting to True. description: The order to sort by. Must set index_sorting to True.
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
policy: policy:
phases: phases:
hot: hot:
@@ -174,16 +121,16 @@ elasticsearch:
description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
forcedType: int forcedType: int
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
rollover: rollover:
max_age: max_age:
description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index. description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
max_primary_shard_size: max_primary_shard_size:
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index. description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
shrink: shrink:
method: method:
description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size. description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -231,13 +178,13 @@ elasticsearch:
regex: ^[0-9]{1,5}d$ regex: ^[0-9]{1,5}d$
forcedType: string forcedType: string
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
actions: actions:
set_priority: set_priority:
priority: priority:
description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
allocate: allocate:
number_of_replicas: number_of_replicas:
description: Set the number of replicas. Remains the same as the previous phase by default. description: Set the number of replicas. Remains the same as the previous phase by default.
@@ -250,14 +197,14 @@ elasticsearch:
regex: ^[0-9]{1,5}d$ regex: ^[0-9]{1,5}d$
forcedType: string forcedType: string
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
actions: actions:
set_priority: set_priority:
priority: priority:
description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
forcedType: int forcedType: int
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
shrink: shrink:
method: method:
description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size. description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -310,14 +257,13 @@ elasticsearch:
regex: ^[0-9]{1,5}d$ regex: ^[0-9]{1,5}d$
forcedType: string forcedType: string
global: True global: True
helpLink: elasticsearch helpLink: elasticsearch.html
so-logs: &indexSettings so-logs: &indexSettings
index_sorting: index_sorting:
description: Sorts the index by event time, at the cost of additional processing resource consumption. description: Sorts the index by event time, at the cost of additional processing resource consumption.
forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
index_template: index_template:
index_patterns: index_patterns:
description: Patterns for matching multiple indices or tables. description: Patterns for matching multiple indices or tables.
@@ -325,7 +271,7 @@ elasticsearch:
multiline: True multiline: True
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
template: template:
settings: settings:
index: index:
@@ -334,35 +280,35 @@ elasticsearch:
forcedType: int forcedType: int
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
mapping: mapping:
total_fields: total_fields:
limit: limit:
description: Max number of fields that can exist on a single index. Larger values will consume more resources. description: Max number of fields that can exist on a single index. Larger values will consume more resources.
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
refresh_interval: refresh_interval:
description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation. description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
number_of_shards: number_of_shards:
description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs. description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
sort: sort:
field: field:
description: The field to sort by. Must set index_sorting to True. description: The field to sort by. Must set index_sorting to True.
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
order: order:
description: The order to sort by. Must set index_sorting to True. description: The order to sort by. Must set index_sorting to True.
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
mappings: mappings:
_meta: _meta:
package: package:
@@ -370,43 +316,43 @@ elasticsearch:
description: Meta settings for the mapping. description: Meta settings for the mapping.
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
managed_by: managed_by:
description: Meta settings for the mapping. description: Meta settings for the mapping.
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
managed: managed:
description: Meta settings for the mapping. description: Meta settings for the mapping.
forcedType: bool forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
composed_of: composed_of:
description: The index template is composed of these component templates. description: The index template is composed of these component templates.
forcedType: "[]string" forcedType: "[]string"
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
priority: priority:
description: The priority of the index template. description: The priority of the index template.
forcedType: int forcedType: int
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
data_stream: data_stream:
hidden: hidden:
description: Hide the data stream. description: Hide the data stream.
forcedType: bool forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
allow_custom_routing: allow_custom_routing:
description: Allow custom routing for the data stream. description: Allow custom routing for the data stream.
forcedType: bool forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
policy: policy:
phases: phases:
hot: hot:
@@ -414,7 +360,7 @@ elasticsearch:
description: Minimum age of index. This determines when the index should be moved to the hot tier. description: Minimum age of index. This determines when the index should be moved to the hot tier.
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
actions: actions:
set_priority: set_priority:
priority: priority:
@@ -422,18 +368,18 @@ elasticsearch:
forcedType: int forcedType: int
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
rollover: rollover:
max_age: max_age:
description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index. description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
max_primary_shard_size: max_primary_shard_size:
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index. description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
shrink: shrink:
method: method:
description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size. description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -482,7 +428,7 @@ elasticsearch:
forcedType: string forcedType: string
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
actions: actions:
set_priority: set_priority:
priority: priority:
@@ -490,18 +436,18 @@ elasticsearch:
forcedType: int forcedType: int
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
rollover: rollover:
max_age: max_age:
description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index. description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
max_primary_shard_size: max_primary_shard_size:
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index. description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
shrink: shrink:
method: method:
description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size. description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -555,7 +501,7 @@ elasticsearch:
forcedType: string forcedType: string
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
actions: actions:
set_priority: set_priority:
priority: priority:
@@ -563,7 +509,7 @@ elasticsearch:
forcedType: int forcedType: int
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
allocate: allocate:
number_of_replicas: number_of_replicas:
description: Set the number of replicas. Remains the same as the previous phase by default. description: Set the number of replicas. Remains the same as the previous phase by default.
@@ -577,25 +523,25 @@ elasticsearch:
forcedType: string forcedType: string
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
_meta: _meta:
package: package:
name: name:
description: Meta settings for the mapping. description: Meta settings for the mapping.
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
managed_by: managed_by:
description: Meta settings for the mapping. description: Meta settings for the mapping.
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
managed: managed:
description: Meta settings for the mapping. description: Meta settings for the mapping.
forcedType: bool forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
so-logs-system_x_auth: *indexSettings so-logs-system_x_auth: *indexSettings
so-logs-system_x_syslog: *indexSettings so-logs-system_x_syslog: *indexSettings
so-logs-system_x_system: *indexSettings so-logs-system_x_system: *indexSettings
@@ -658,21 +604,20 @@ elasticsearch:
so-metrics-fleet_server_x_agent_status: &fleetMetricsSettings so-metrics-fleet_server_x_agent_status: &fleetMetricsSettings
index_sorting: index_sorting:
description: Sorts the index by event time, at the cost of additional processing resource consumption. description: Sorts the index by event time, at the cost of additional processing resource consumption.
forcedType: bool
advanced: True advanced: True
readonly: True readonly: True
helpLink: elasticsearch helpLink: elasticsearch.html
index_template: index_template:
ignore_missing_component_templates: ignore_missing_component_templates:
description: Ignore component templates if they aren't in Elasticsearch. description: Ignore component templates if they aren't in Elasticsearch.
advanced: True advanced: True
readonly: True readonly: True
helpLink: elasticsearch helpLink: elasticsearch.html
index_patterns: index_patterns:
description: Patterns for matching multiple indices or tables. description: Patterns for matching multiple indices or tables.
advanced: True advanced: True
readonly: True readonly: True
helpLink: elasticsearch helpLink: elasticsearch.html
template: template:
settings: settings:
index: index:
@@ -680,35 +625,33 @@ elasticsearch:
description: Type of mode used for this index. Time series indices can be used for metrics to reduce necessary storage. description: Type of mode used for this index. Time series indices can be used for metrics to reduce necessary storage.
advanced: True advanced: True
readonly: True readonly: True
helpLink: elasticsearch helpLink: elasticsearch.html
number_of_replicas: number_of_replicas:
description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs. description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
advanced: True advanced: True
readonly: True readonly: True
helpLink: elasticsearch helpLink: elasticsearch.html
composed_of: composed_of:
description: The index template is composed of these component templates. description: The index template is composed of these component templates.
advanced: True advanced: True
readonly: True readonly: True
helpLink: elasticsearch helpLink: elasticsearch.html
priority: priority:
description: The priority of the index template. description: The priority of the index template.
advanced: True advanced: True
readonly: True readonly: True
helpLink: elasticsearch helpLink: elasticsearch.html
data_stream: data_stream:
hidden: hidden:
description: Hide the data stream. description: Hide the data stream.
forcedType: bool
advanced: True advanced: True
readonly: True readonly: True
helpLink: elasticsearch helpLink: elasticsearch.html
allow_custom_routing: allow_custom_routing:
description: Allow custom routing for the data stream. description: Allow custom routing for the data stream.
forcedType: bool
advanced: True advanced: True
readonly: True readonly: True
helpLink: elasticsearch helpLink: elasticsearch.html
so-metrics-fleet_server_x_agent_versions: *fleetMetricsSettings so-metrics-fleet_server_x_agent_versions: *fleetMetricsSettings
so_roles: so_roles:
so-manager: &soroleSettings so-manager: &soroleSettings
@@ -719,7 +662,7 @@ elasticsearch:
forcedType: "[]string" forcedType: "[]string"
global: False global: False
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html
so-managersearch: *soroleSettings so-managersearch: *soroleSettings
so-standalone: *soroleSettings so-standalone: *soroleSettings
so-searchnode: *soroleSettings so-searchnode: *soroleSettings

18
salt/firewall/iptables.jinja
View File

@@ -1,5 +1,5 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %} {%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'docker/docker.map.jinja' import DOCKERMERGED %} {%- from 'docker/docker.map.jinja' import DOCKER %}
{%- from 'firewall/map.jinja' import FIREWALL_MERGED %} {%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
{%- set role = GLOBALS.role.split('-')[1] %} {%- set role = GLOBALS.role.split('-')[1] %}
{%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %} {%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
@@ -8,9 +8,9 @@
{%- set D1 = [] %} {%- set D1 = [] %}
{%- set D2 = [] %} {%- set D2 = [] %}
{%- for container in NODE_CONTAINERS %} {%- for container in NODE_CONTAINERS %}
{%- set IP = DOCKERMERGED.containers[container].ip %} {%- set IP = DOCKER.containers[container].ip %}
{%- if DOCKERMERGED.containers[container].port_bindings is defined %} {%- if DOCKER.containers[container].port_bindings is defined %}
{%- for binding in DOCKERMERGED.containers[container].port_bindings %} {%- for binding in DOCKER.containers[container].port_bindings %}
{#- cant split int so we convert to string #} {#- cant split int so we convert to string #}
{%- set binding = binding|string %} {%- set binding = binding|string %}
{#- split the port binding by /. if proto not specified, default is tcp #} {#- split the port binding by /. if proto not specified, default is tcp #}
@@ -33,13 +33,13 @@
{%- set hostPort = bsa[0] %} {%- set hostPort = bsa[0] %}
{%- set containerPort = bsa[1] %} {%- set containerPort = bsa[1] %}
{%- endif %} {%- endif %}
{%- do PR.append("-A POSTROUTING -s " ~ DOCKERMERGED.containers[container].ip ~ "/32 -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %} {%- do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
{%- if bindip | length and bindip != '0.0.0.0' %} {%- if bindip | length and bindip != '0.0.0.0' %}
{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %} {%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
{%- else %} {%- else %}
{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %} {%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
{%- endif %} {%- endif %}
{%- do D2.append("-A DOCKER -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %} {%- do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- endfor %} {%- endfor %}
@@ -52,7 +52,7 @@
:DOCKER - [0:0] :DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s {{DOCKERMERGED.range}} ! -o sobridge -j MASQUERADE -A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE
{%- for rule in PR %} {%- for rule in PR %}
{{ rule }} {{ rule }}
{%- endfor %} {%- endfor %}

4
salt/firewall/map.jinja
View File

@@ -1,11 +1,11 @@
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %} {% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
{# add our ip to self #} {# add our ip to self #}
{% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %} {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
{# add dockernet range #} {# add dockernet range #}
{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKERMERGED.range) %} {% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %}
{% if GLOBALS.role == 'so-idh' %} {% if GLOBALS.role == 'so-idh' %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %} {% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}

16
salt/firewall/soc_firewall.yaml
View File

@@ -3,7 +3,7 @@ firewall:
analyst: &hostgroupsettings analyst: &hostgroupsettings
description: List of IP or CIDR blocks to allow access to this hostgroup. description: List of IP or CIDR blocks to allow access to this hostgroup.
forcedType: "[]string" forcedType: "[]string"
helpLink: firewall helpLink: firewall.html
multiline: True multiline: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR. regexFailureMessage: You must enter a valid IP address or CIDR.
@@ -11,7 +11,7 @@ firewall:
anywhere: &hostgroupsettingsadv anywhere: &hostgroupsettingsadv
description: List of IP or CIDR blocks to allow access to this hostgroup. description: List of IP or CIDR blocks to allow access to this hostgroup.
forcedType: "[]string" forcedType: "[]string"
helpLink: firewall helpLink: firewall.html
multiline: True multiline: True
advanced: True advanced: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
@@ -22,7 +22,7 @@ firewall:
dockernet: &ROhostgroupsettingsadv dockernet: &ROhostgroupsettingsadv
description: List of IP or CIDR blocks to allow access to this hostgroup. description: List of IP or CIDR blocks to allow access to this hostgroup.
forcedType: "[]string" forcedType: "[]string"
helpLink: firewall helpLink: firewall.html
multiline: True multiline: True
advanced: True advanced: True
readonly: True readonly: True
@@ -53,7 +53,7 @@ firewall:
customhostgroup0: &customhostgroupsettings customhostgroup0: &customhostgroupsettings
description: List of IP or CIDR blocks to allow to this hostgroup. description: List of IP or CIDR blocks to allow to this hostgroup.
forcedType: "[]string" forcedType: "[]string"
helpLink: firewall helpLink: firewall.html
advanced: True advanced: True
multiline: True multiline: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
@@ -73,14 +73,14 @@ firewall:
tcp: &tcpsettings tcp: &tcpsettings
description: List of TCP ports for this port group. description: List of TCP ports for this port group.
forcedType: "[]string" forcedType: "[]string"
helpLink: firewall helpLink: firewall.html
advanced: True advanced: True
multiline: True multiline: True
duplicates: True duplicates: True
udp: &udpsettings udp: &udpsettings
description: List of UDP ports for this port group. description: List of UDP ports for this port group.
forcedType: "[]string" forcedType: "[]string"
helpLink: firewall helpLink: firewall.html
advanced: True advanced: True
multiline: True multiline: True
duplicates: True duplicates: True
@@ -206,7 +206,7 @@ firewall:
advanced: True advanced: True
multiline: True multiline: True
forcedType: "[]string" forcedType: "[]string"
helpLink: firewall helpLink: firewall.html
duplicates: True duplicates: True
sensor: sensor:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
@@ -262,7 +262,7 @@ firewall:
advanced: True advanced: True
multiline: True multiline: True
forcedType: "[]string" forcedType: "[]string"
helpLink: firewall helpLink: firewall.html
duplicates: True duplicates: True
dockernet: dockernet:
portgroups: *portgroupshost portgroups: *portgroupshost

4
salt/host/soc_host.yaml
View File

@@ -1,7 +1,7 @@
host: host:
mainint: mainint:
description: Main interface of the grid host. description: Main interface of the grid host.
helpLink: ip-address helpLink: host.html
mainip: mainip:
description: Main IP address of the grid host. description: Main IP address of the grid host.
helpLink: ip-address helpLink: host.html

22
salt/hydra/enabled.sls
View File

@@ -11,7 +11,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% if 'api' in salt['pillar.get']('features', []) %} {% if 'api' in salt['pillar.get']('features', []) %}
@@ -26,35 +26,35 @@ so-hydra:
- name: so-hydra - name: so-hydra
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-hydra'].ip }} - ipv4_address: {{ DOCKER.containers['so-hydra'].ip }}
- binds: - binds:
- /opt/so/conf/hydra/:/hydra-conf:ro - /opt/so/conf/hydra/:/hydra-conf:ro
- /opt/so/log/hydra/:/hydra-log:rw - /opt/so/log/hydra/:/hydra-log:rw
- /nsm/hydra/db:/hydra-data:rw - /nsm/hydra/db:/hydra-data:rw
{% if DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %} {% if DOCKER.containers['so-hydra'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-hydra'].port_bindings %} {% for BINDING in DOCKER.containers['so-hydra'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKERMERGED.containers['so-hydra'].extra_hosts %} {% if DOCKER.containers['so-hydra'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-hydra'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-hydra'].extra_env %} {% if DOCKER.containers['so-hydra'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers['so-hydra'].extra_env %} {% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-hydra'].ulimits %} {% if DOCKER.containers['so-hydra'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %} {% for ULIMIT in DOCKER.containers['so-hydra'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

11
salt/hydra/soc_hydra.yaml
View File

@@ -1,8 +1,7 @@
hydra: hydra:
enabled: enabled:
description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False. description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False.
forcedType: bool helpLink: connect.html
helpLink: connect-api
global: True global: True
config: config:
ttl: ttl:
@@ -10,16 +9,16 @@ hydra:
description: Amount of time that the generated access token will be valid. Specified in the form of 2h, which means 2 hours. description: Amount of time that the generated access token will be valid. Specified in the form of 2h, which means 2 hours.
global: True global: True
forcedType: string forcedType: string
helpLink: connect-api helpLink: connect.html
log: log:
level: level:
description: Log level to use for Kratos logs. description: Log level to use for Kratos logs.
global: True global: True
helpLink: connect-api helpLink: connect.html
format: format:
description: Log output format for Kratos logs. description: Log output format for Kratos logs.
global: True global: True
helpLink: connect-api helpLink: connect.html
secrets: secrets:
system: system:
description: Secrets used for token generation. Generated during installation. description: Secrets used for token generation. Generated during installation.
@@ -27,4 +26,4 @@ hydra:
sensitive: True sensitive: True
advanced: True advanced: True
forcedType: "[]string" forcedType: "[]string"
helpLink: connect-api helpLink: connect.html

18
salt/idh/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
include: include:
- idh.config - idh.config
@@ -22,26 +22,26 @@ so-idh:
- /nsm/idh:/var/tmp:rw - /nsm/idh:/var/tmp:rw
- /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro - /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
- /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
{% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %} {% if DOCKER.containers['so-idh'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-idh'].extra_hosts %} {% if DOCKER.containers['so-idh'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-idh'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-idh'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-idh'].extra_env %} {% if DOCKER.containers['so-idh'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers['so-idh'].extra_env %} {% for XTRAENV in DOCKER.containers['so-idh'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-idh'].ulimits %} {% if DOCKER.containers['so-idh'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %} {% for ULIMIT in DOCKER.containers['so-idh'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

45
salt/idh/soc_idh.yaml
View File

@@ -1,12 +1,7 @@
idh: idh:
enabled: enabled:
description: Enables or disables the Intrusion Detection Honeypot (IDH) process. description: Enables or disables the Intrusion Detection Honeypot (IDH) process.
forcedType: bool helpLink: idh.html
helpLink: idh
restrict_management_ip:
description: Restricts management IP access to the IDH node.
forcedType: bool
helpLink: idh
opencanary: opencanary:
config: config:
logger: logger:
@@ -15,7 +10,7 @@ idh:
readonly: True readonly: True
advanced: True advanced: True
global: True global: True
helpLink: idh helpLink: idh.html
kwargs: kwargs:
formatters: formatters:
plain: plain:
@@ -29,54 +24,53 @@ idh:
filename: *loggingOptions filename: *loggingOptions
portscan_x_enabled: &serviceOptions portscan_x_enabled: &serviceOptions
description: To enable this opencanary module, set this value to true. To disable set to false. This option only applies to IDH nodes within your grid. description: To enable this opencanary module, set this value to true. To disable set to false. This option only applies to IDH nodes within your grid.
forcedType: bool helpLink: idh.html
helpLink: idh
portscan_x_logfile: *loggingOptions portscan_x_logfile: *loggingOptions
portscan_x_synrate: portscan_x_synrate:
description: Portscan - syn rate limiting description: Portscan - syn rate limiting
advanced: True advanced: True
helpLink: idh helpLink: idh.html
portscan_x_nmaposrate: portscan_x_nmaposrate:
description: Portscan - nmap OS rate limiting description: Portscan - nmap OS rate limiting
advanced: True advanced: True
helpLink: idh helpLink: idh.html
portscan_x_lorate: portscan_x_lorate:
description: Portscan - lo rate limiting description: Portscan - lo rate limiting
advanced: True advanced: True
helpLink: idh helpLink: idh.html
tcpbanner_x_maxnum: tcpbanner_x_maxnum:
description: Portscan - maxnum description: Portscan - maxnum
advanced: True advanced: True
helpLink: idh helpLink: idh.html
tcpbanner_x_enabled: *serviceOptions tcpbanner_x_enabled: *serviceOptions
tcpbanner_1_x_enabled: *serviceOptions tcpbanner_1_x_enabled: *serviceOptions
tcpbanner_1_x_port: &portOptions tcpbanner_1_x_port: &portOptions
description: Port the service should listen on. description: Port the service should listen on.
advanced: True advanced: True
helpLink: idh helpLink: idh.html
tcpbanner_1_x_datareceivedbanner: &bannerOptions tcpbanner_1_x_datareceivedbanner: &bannerOptions
description: Data Received Banner description: Data Received Banner
advanced: True advanced: True
helpLink: idh helpLink: idh.html
tcpbanner_1_x_initbanner: *bannerOptions tcpbanner_1_x_initbanner: *bannerOptions
tcpbanner_1_x_alertstring_x_enabled: *serviceOptions tcpbanner_1_x_alertstring_x_enabled: *serviceOptions
tcpbanner_1_x_keep_alive_x_enabled: *serviceOptions tcpbanner_1_x_keep_alive_x_enabled: *serviceOptions
tcpbanner_1_x_keep_alive_secret: tcpbanner_1_x_keep_alive_secret:
description: Keep Alive Secret description: Keep Alive Secret
advanced: True advanced: True
helpLink: idh helpLink: idh.html
tcpbanner_1_x_keep_alive_probes: tcpbanner_1_x_keep_alive_probes:
description: Keep Alive Probes description: Keep Alive Probes
advanced: True advanced: True
helpLink: idh helpLink: idh.html
tcpbanner_1_x_keep_alive_interval: tcpbanner_1_x_keep_alive_interval:
description: Keep Alive Interval description: Keep Alive Interval
advanced: True advanced: True
helpLink: idh helpLink: idh.html
tcpbanner_1_x_keep_alive_idle: tcpbanner_1_x_keep_alive_idle:
description: Keep Alive Idle description: Keep Alive Idle
advanced: True advanced: True
helpLink: idh helpLink: idh.html
ftp_x_enabled: *serviceOptions ftp_x_enabled: *serviceOptions
ftp_x_port: *portOptions ftp_x_port: *portOptions
ftp_x_banner: *bannerOptions ftp_x_banner: *bannerOptions
@@ -88,11 +82,11 @@ idh:
http_x_skin: &skinOptions http_x_skin: &skinOptions
description: HTTP skin description: HTTP skin
advanced: True advanced: True
helpLink: idh helpLink: idh.html
http_x_skinlist: &skinlistOptions http_x_skinlist: &skinlistOptions
description: List of skins to use for the service. description: List of skins to use for the service.
advanced: True advanced: True
helpLink: idh helpLink: idh.html
httpproxy_x_enabled: *serviceOptions httpproxy_x_enabled: *serviceOptions
httpproxy_x_port: *portOptions httpproxy_x_port: *portOptions
httpproxy_x_skin: *skinOptions httpproxy_x_skin: *skinOptions
@@ -101,7 +95,7 @@ idh:
mssql_x_version: &versionOptions mssql_x_version: &versionOptions
description: Specify the version the service should present. description: Specify the version the service should present.
advanced: True advanced: True
helpLink: idh helpLink: idh.html
mssql_x_port: *portOptions mssql_x_port: *portOptions
mysql_x_enabled: *serviceOptions mysql_x_enabled: *serviceOptions
mysql_x_port: *portOptions mysql_x_port: *portOptions
@@ -125,7 +119,7 @@ idh:
telnet_x_honeycreds: telnet_x_honeycreds:
description: Credentials list for the telnet service. description: Credentials list for the telnet service.
advanced: True advanced: True
helpLink: idh helpLink: idh.html
tftp_x_enabled: *serviceOptions tftp_x_enabled: *serviceOptions
tftp_x_port: *portOptions tftp_x_port: *portOptions
vnc_x_enabled: *serviceOptions vnc_x_enabled: *serviceOptions
@@ -133,9 +127,8 @@ idh:
openssh: openssh:
enable: enable:
description: This is the real SSH service for the host machine. description: This is the real SSH service for the host machine.
forcedType: bool helpLink: idh.html
helpLink: idh
config: config:
port: port:
description: Port that the real SSH service will listen on and will only be accessible from the manager. description: Port that the real SSH service will listen on and will only be accessible from the manager.
helpLink: idh helpLink: idh.html

22
salt/influxdb/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %} {% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
{% set TOKEN = salt['pillar.get']('influxdb:token') %} {% set TOKEN = salt['pillar.get']('influxdb:token') %}
@@ -21,7 +21,7 @@ so-influxdb:
- hostname: influxdb - hostname: influxdb
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-influxdb'].ip }} - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
- environment: - environment:
- INFLUXD_CONFIG_PATH=/conf/config.yaml - INFLUXD_CONFIG_PATH=/conf/config.yaml
- INFLUXDB_HTTP_LOG_ENABLED=false - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -31,8 +31,8 @@ so-influxdb:
- DOCKER_INFLUXDB_INIT_ORG=Security Onion - DOCKER_INFLUXDB_INIT_ORG=Security Onion
- DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
- DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }} - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
{% if DOCKERMERGED.containers['so-influxdb'].extra_env %} {% if DOCKER.containers['so-influxdb'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-influxdb'].extra_env %} {% for XTRAENV in DOCKER.containers['so-influxdb'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -43,24 +43,24 @@ so-influxdb:
- /nsm/influxdb:/var/lib/influxdb2:rw - /nsm/influxdb:/var/lib/influxdb2:rw
- /etc/pki/influxdb.crt:/conf/influxdb.crt:ro - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
- /etc/pki/influxdb.key:/conf/influxdb.key:ro - /etc/pki/influxdb.key:/conf/influxdb.key:ro
{% if DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %} {% if DOCKER.containers['so-influxdb'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-influxdb'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-influxdb'].port_bindings %} {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKERMERGED.containers['so-influxdb'].extra_hosts %} {% if DOCKER.containers['so-influxdb'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-influxdb'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-influxdb'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-influxdb'].ulimits %} {% if DOCKER.containers['so-influxdb'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %} {% for ULIMIT in DOCKER.containers['so-influxdb'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

156
salt/influxdb/soc_influxdb.yaml
View File

@@ -1,372 +1,358 @@
influxdb: influxdb:
enabled: enabled:
description: Enables the grid metrics collection storage system. Security Onion grid health monitoring requires this process to remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results. description: Enables the grid metrics collection storage system. Security Onion grid health monitoring requires this process to remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results.
forcedType: bool helpLink: influxdb.html
helpLink: influxdb
config: config:
assets-path: assets-path:
description: Path to the InfluxDB user interface assets located inside the so-influxdb container. description: Path to the InfluxDB user interface assets located inside the so-influxdb container.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
bolt-path: bolt-path:
description: Path to the bolt DB file located inside the so-influxdb container. description: Path to the bolt DB file located inside the so-influxdb container.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
engine-path: engine-path:
description: Path to the engine directory located inside the so-influxdb container. This directory stores the time series data. description: Path to the engine directory located inside the so-influxdb container. This directory stores the time series data.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
feature-flags: feature-flags:
description: List of key=value flags to enable. description: List of key=value flags to enable.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
flux-log-enabled: flux-log-enabled:
description: Controls whether detailed flux query logging is enabled. description: Controls whether detailed flux query logging is enabled.
forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
hardening-enabled: hardening-enabled:
description: If true, enforces outbound connections from the InfluxDB process must never attempt to reach an internal, private network address. description: If true, enforces outbound connections from the InfluxDB process must never attempt to reach an internal, private network address.
forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
http-bind-address: http-bind-address:
description: The URL and port on which InfluxDB will listen for new connections. description: The URL and port on which InfluxDB will listen for new connections.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
http-idle-timeout: http-idle-timeout:
description: Keep-alive timeout while a connection waits for new requests. A value of 0 is the same as no timeout enforced. description: Keep-alive timeout while a connection waits for new requests. A value of 0 is the same as no timeout enforced.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
http-read-header-timeout: http-read-header-timeout:
description: The duration to wait for a request header before closing the connection. A value of 0 is the same as no timeout enforced. description: The duration to wait for a request header before closing the connection. A value of 0 is the same as no timeout enforced.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
http-read-timeout: http-read-timeout:
description: The duration to wait for the request to be fully read before closing the connection. A value of 0 is the same as no timeout enforced. description: The duration to wait for the request to be fully read before closing the connection. A value of 0 is the same as no timeout enforced.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
http-write-timeout: http-write-timeout:
description: The duration to wait for the response to be fully written before closing the connection. A value of 0 is the same as no timeout enforced. description: The duration to wait for the response to be fully written before closing the connection. A value of 0 is the same as no timeout enforced.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
influxql-max-select-buckets: influxql-max-select-buckets:
description: Maximum number of group-by clauses in a SELECT statement. A value of 0 is the same as unlimited. description: Maximum number of group-by clauses in a SELECT statement. A value of 0 is the same as unlimited.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
influxql-max-select-point: influxql-max-select-point:
description: Maximum number of points that can be queried in a SELECT statement. A value of 0 is the same as unlimited. description: Maximum number of points that can be queried in a SELECT statement. A value of 0 is the same as unlimited.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
influxql-max-select-series: influxql-max-select-series:
description: Maximum number of series that can be returned in a SELECT statement. A value of 0 is the same as unlimited. description: Maximum number of series that can be returned in a SELECT statement. A value of 0 is the same as unlimited.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
instance-id: instance-id:
description: Unique instance ID for this server, to avoid collisions in a replicated cluster. description: Unique instance ID for this server, to avoid collisions in a replicated cluster.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
log-level: log-level:
description: The log level to use for outputting log statements. Allowed values are debug, info, or error. description: The log level to use for outputting log statements. Allowed values are debug, info, or error.
global: True global: True
advanced: false advanced: false
regex: ^(info|debug|error)$ regex: ^(info|debug|error)$
helpLink: influxdb helpLink: influxdb.html
metrics-disabled: metrics-disabled:
description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible. description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible.
forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
no-tasks: no-tasks:
description: If true, the task system will not process any queued tasks. Useful for troubleshooting startup problems. description: If true, the task system will not process any queued tasks. Useful for troubleshooting startup problems.
forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
pprof-disabled: pprof-disabled:
description: If true, the profiling data HTTP endpoint will be inaccessible. description: If true, the profiling data HTTP endpoint will be inaccessible.
forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
query-concurrency: query-concurrency:
description: Maximum number of queries to execute concurrently. A value of 0 is the same as unlimited. description: Maximum number of queries to execute concurrently. A value of 0 is the same as unlimited.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
query-initial-memory-bytes: query-initial-memory-bytes:
description: The initial number of bytes of memory to allocate for a new query. description: The initial number of bytes of memory to allocate for a new query.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
query-max-memory-bytes: query-max-memory-bytes:
description: The number of bytes of memory to allocate to all running queries. Should typically be the query bytes times the max concurrent queries. description: The number of bytes of memory to allocate to all running queries. Should typically be the query bytes times the max concurrent queries.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
query-memory-bytes: query-memory-bytes:
description: Maximum number of bytes of memory to allocate to a query. description: Maximum number of bytes of memory to allocate to a query.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
query-queue-size: query-queue-size:
description: Maximum number of queries that can be queued at one time. If this value is reached, new queries will not be queued. A value of 0 is the same as unlimited. description: Maximum number of queries that can be queued at one time. If this value is reached, new queries will not be queued. A value of 0 is the same as unlimited.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
reporting-disabled: reporting-disabled:
description: If true, prevents InfluxDB from sending telemetry updates to InfluxData's servers. description: If true, prevents InfluxDB from sending telemetry updates to InfluxData's servers.
forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
secret-store: secret-store:
description: Determines the type of storage used for secrets. Allowed values are bolt or vault. description: Determines the type of storage used for secrets. Allowed values are bolt or vault.
global: True global: True
advanced: True advanced: True
regex: ^(bolt|vault)$ regex: ^(bolt|vault)$
helpLink: influxdb helpLink: influxdb.html
session-length: session-length:
description: Number of minutes that a user login session can remain authenticated. description: Number of minutes that a user login session can remain authenticated.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
session-renew-disabled: session-renew-disabled:
description: If true, user login sessions will renew after each request. description: If true, user login sessions will renew after each request.
forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
sqlite-path: sqlite-path:
description: Path to the Sqlite3 database inside the container. This database stored user data and other information about the database. description: Path to the Sqlite3 database inside the container. This database stored user data and other information about the database.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-cache-max-memory-size: storage-cache-max-memory-size:
description: Maximum number of bytes to allocate to cache data per shard. If exceeded, new data writes will be rejected. description: Maximum number of bytes to allocate to cache data per shard. If exceeded, new data writes will be rejected.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-cache-snapshot-memory-size: storage-cache-snapshot-memory-size:
description: Number of bytes to allocate to cache snapshot data. When the cache reaches this size, it will be written to disk to increase available memory. description: Number of bytes to allocate to cache snapshot data. When the cache reaches this size, it will be written to disk to increase available memory.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-cache-snapshot-write-cold-duration: storage-cache-snapshot-write-cold-duration:
description: Duration between snapshot writes to disk when the shard data hasn't been modified. description: Duration between snapshot writes to disk when the shard data hasn't been modified.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-compact-full-write-cold-duration: storage-compact-full-write-cold-duration:
description: Duration between shard compactions when the shard data hasn't been modified. description: Duration between shard compactions when the shard data hasn't been modified.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-compact-throughput-burst: storage-compact-throughput-burst:
description: Maximum throughput (number of bytes per second) that compactions be written to disk. description: Maximum throughput (number of bytes per second) that compactions be written to disk.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-max-concurrent-compactions: storage-max-concurrent-compactions:
description: Maximum number of concurrent compactions. A value of 0 is the same as half the available CPU processors (procs). description: Maximum number of concurrent compactions. A value of 0 is the same as half the available CPU processors (procs).
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-max-index-log-file-size: storage-max-index-log-file-size:
description: Maximum number of bytes of a write-ahead log (WAL) file before it will be compacted into an index on disk. description: Maximum number of bytes of a write-ahead log (WAL) file before it will be compacted into an index on disk.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-no-validate-field-size: storage-no-validate-field-size:
description: If true, incoming requests will skip the field size validation. description: If true, incoming requests will skip the field size validation.
forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-retention-check-interval: storage-retention-check-interval:
description: Interval between reviewing each bucket's retention policy and the age of the associated data. description: Interval between reviewing each bucket's retention policy and the age of the associated data.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-series-file-max-concurrent-snapshot-compactions: storage-series-file-max-concurrent-snapshot-compactions:
description: Maximum number of concurrent snapshot compactions across all database partitions. description: Maximum number of concurrent snapshot compactions across all database partitions.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-series-id-set-cache-size: storage-series-id-set-cache-size:
description: Maximum size of the series cache results. Higher values may increase performance for repeated data lookups. description: Maximum size of the series cache results. Higher values may increase performance for repeated data lookups.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-shard-precreator-advance-period: storage-shard-precreator-advance-period:
description: The duration before a successor shard group is created after the end-time has been reached. description: The duration before a successor shard group is created after the end-time has been reached.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-shard-precreator-check-interval: storage-shard-precreator-check-interval:
description: Interval between checking if new shards should be created. description: Interval between checking if new shards should be created.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-tsm-use-madv-willneed: storage-tsm-use-madv-willneed:
description: If true, InfluxDB will manage TSM memory paging. description: If true, InfluxDB will manage TSM memory paging.
forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-validate-keys: storage-validate-keys:
description: If true, validates incoming requests for supported characters. description: If true, validates incoming requests for supported characters.
forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-wal-fsync-delay: storage-wal-fsync-delay:
description: Duration to wait before calling fsync. Useful for handling conflicts on slower disks. description: Duration to wait before calling fsync. Useful for handling conflicts on slower disks.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-wal-max-concurrent-writes: storage-wal-max-concurrent-writes:
description: Maximum number of concurrent write-ahead log (WAL) writes to disk. The value of 0 is the same as CPU processors (procs) x 2. description: Maximum number of concurrent write-ahead log (WAL) writes to disk. The value of 0 is the same as CPU processors (procs) x 2.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-wal-max-write-delay: storage-wal-max-write-delay:
description: Maximum duration to wait before writing the write-ahead log (WAL) to disk, when the concurrency limit has been exceeded. A value of 0 is the same as no timeout. description: Maximum duration to wait before writing the write-ahead log (WAL) to disk, when the concurrency limit has been exceeded. A value of 0 is the same as no timeout.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
storage-write-timeout: storage-write-timeout:
description: Maximum time to wait for a write-ahead log (WAL) to write to disk before aborting. description: Maximum time to wait for a write-ahead log (WAL) to write to disk before aborting.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
store: store:
description: The type of data store to use for HTTP resources. Allowed values are disk or memory. Memory should not be used for production Security Onion installations. description: The type of data store to use for HTTP resources. Allowed values are disk or memory. Memory should not be used for production Security Onion installations.
global: True global: True
advanced: True advanced: True
regex: ^(disk|memory)$ regex: ^(disk|memory)$
helpLink: influxdb helpLink: influxdb.html
tls-cert: tls-cert:
description: The container path to the certificate to use for TLS encryption of the HTTP requests and responses. description: The container path to the certificate to use for TLS encryption of the HTTP requests and responses.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
tls-key: tls-key:
description: The container path to the certificate key to use for TLS encryption of the HTTP requests and responses. description: The container path to the certificate key to use for TLS encryption of the HTTP requests and responses.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
tls-min-version: tls-min-version:
description: The minimum supported version of TLS to be enforced on all incoming HTTP requests. description: The minimum supported version of TLS to be enforced on all incoming HTTP requests.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
tls-strict-ciphers: tls-strict-ciphers:
description: If true, the allowed ciphers used with TLS connections are ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_256_GCM_SHA384, or RSA_WITH_AES_256_CBC_SHA. description: If true, the allowed ciphers used with TLS connections are ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_256_GCM_SHA384, or RSA_WITH_AES_256_CBC_SHA.
forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
tracing-type: tracing-type:
description: The tracing format for debugging purposes. Allowed values are log or jaeger, or leave blank to disable tracing. description: The tracing format for debugging purposes. Allowed values are log or jaeger, or leave blank to disable tracing.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
ui-disabled: ui-disabled:
description: If true, the InfluxDB HTTP user interface will be disabled. This will prevent use of the included InfluxDB dashboard visualizations. description: If true, the InfluxDB HTTP user interface will be disabled. This will prevent use of the included InfluxDB dashboard visualizations.
forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
vault-addr: vault-addr:
description: Vault server address. description: Vault server address.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
vault-cacert: vault-cacert:
description: Path to the Vault's single certificate authority certificate file within the container. description: Path to the Vault's single certificate authority certificate file within the container.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
vault-capath: vault-capath:
description: Path to the Vault's certificate authority directory within the container. description: Path to the Vault's certificate authority directory within the container.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
vault-client-cert: vault-client-cert:
description: Vault client certificate path within the container. description: Vault client certificate path within the container.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
vault-client-key: vault-client-key:
description: Vault client certificate key path within the container. description: Vault client certificate key path within the container.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
vault-client-timeout: vault-client-timeout:
description: Duration to wait for a response from the Vault server before aborting. description: Duration to wait for a response from the Vault server before aborting.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
vault-max-retries: vault-max-retries:
description: Maximum number of retries when attempting to contact the Vault server. A value of 0 is the same as disabling retries. description: Maximum number of retries when attempting to contact the Vault server. A value of 0 is the same as disabling retries.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
vault-skip-verify: vault-skip-verify:
description: Skip certification validation of the Vault server. description: Skip certification validation of the Vault server.
forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
vault-tls-server-name: vault-tls-server-name:
description: SNI host to specify when using TLS to connect to the Vault server. description: SNI host to specify when using TLS to connect to the Vault server.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
vault-token: vault-token:
description: Vault token used for authentication. description: Vault token used for authentication.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
buckets: buckets:
so_short_term: so_short_term:
duration: duration:
description: Amount of time (in seconds) to keep short term data. description: Amount of time (in seconds) to keep short term data.
global: True global: True
helpLink: influxdb helpLink: influxdb.html
shard_duration: shard_duration:
description: Amount of the time (in seconds) range covered by the shard group. description: Amount of the time (in seconds) range covered by the shard group.
global: True global: True
helpLink: influxdb helpLink: influxdb.html
so_long_term: so_long_term:
duration: duration:
description: Amount of time (in seconds) to keep long term downsampled data. description: Amount of time (in seconds) to keep long term downsampled data.
global: True global: True
helpLink: influxdb helpLink: influxdb.html
shard_duration: shard_duration:
description: Amount of the time (in seconds) range covered by the shard group. description: Amount of the time (in seconds) range covered by the shard group.
global: True global: True
helpLink: influxdb helpLink: influxdb.html
downsample: downsample:
so_long_term: so_long_term:
resolution: resolution:
description: Amount of time to turn into a single data point. description: Amount of time to turn into a single data point.
global: True global: True
helpLink: influxdb helpLink: influxdb.html

16
salt/kafka/enabled.sls
View File

@@ -12,7 +12,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% set KAFKANODES = salt['pillar.get']('kafka:nodes') %} {% set KAFKANODES = salt['pillar.get']('kafka:nodes') %}
{% set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %} {% set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %}
{% if 'gmd' in salt['pillar.get']('features', []) %} {% if 'gmd' in salt['pillar.get']('features', []) %}
@@ -31,22 +31,22 @@ so-kafka:
- name: so-kafka - name: so-kafka
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-kafka'].ip }} - ipv4_address: {{ DOCKER.containers['so-kafka'].ip }}
- user: kafka - user: kafka
- environment: - environment:
KAFKA_HEAP_OPTS: -Xmx2G -Xms1G KAFKA_HEAP_OPTS: -Xmx2G -Xms1G
KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKERMERGED.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}" KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKER.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
- extra_hosts: - extra_hosts:
{% for node in KAFKANODES %} {% for node in KAFKANODES %}
- {{ node }}:{{ KAFKANODES[node].ip }} - {{ node }}:{{ KAFKANODES[node].ip }}
{% endfor %} {% endfor %}
{% if DOCKERMERGED.containers['so-kafka'].extra_hosts %} {% if DOCKER.containers['so-kafka'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-kafka'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-kafka'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-kafka'].port_bindings %} {% for BINDING in DOCKER.containers['so-kafka'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
@@ -60,9 +60,9 @@ so-kafka:
{% if KAFKA_EXTERNAL_ACCESS %} {% if KAFKA_EXTERNAL_ACCESS %}
- /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro - /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-kafka'].ulimits %} {% if DOCKER.containers['so-kafka'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %} {% for ULIMIT in DOCKER.containers['so-kafka'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

107
salt/kafka/soc_kafka.yaml
View File

@@ -1,258 +1,257 @@
kafka: kafka:
enabled: enabled:
description: Set to True to enable Kafka. To avoid grid problems, do not enable Kafka until the related configuration is in place. Requires a valid Security Onion license key. description: Set to True to enable Kafka. To avoid grid problems, do not enable Kafka until the related configuration is in place. Requires a valid Security Onion license key.
forcedType: bool helpLink: kafka.html
helpLink: kafka
cluster_id: cluster_id:
description: The ID of the Kafka cluster. description: The ID of the Kafka cluster.
readonly: True readonly: True
advanced: True advanced: True
sensitive: True sensitive: True
helpLink: kafka helpLink: kafka.html
controllers: controllers:
description: A comma-separated list of hostnames that will act as Kafka controllers. These hosts will be responsible for managing the Kafka cluster. Note that only manager and receiver nodes are eligible to run Kafka. This configuration needs to be set before enabling Kafka. Failure to do so may result in Kafka topics becoming unavailable requiring manual intervention to restore functionality or reset Kafka, either of which can result in data loss. description: A comma-separated list of hostnames that will act as Kafka controllers. These hosts will be responsible for managing the Kafka cluster. Note that only manager and receiver nodes are eligible to run Kafka. This configuration needs to be set before enabling Kafka. Failure to do so may result in Kafka topics becoming unavailable requiring manual intervention to restore functionality or reset Kafka, either of which can result in data loss.
forcedType: string forcedType: string
helpLink: kafka helpLink: kafka.html
reset: reset:
description: Disable and reset the Kafka cluster. This will remove all Kafka data including logs that may have not yet been ingested into Elasticsearch and reverts the grid to using REDIS as the global pipeline. This is useful when testing different Kafka configurations such as rearranging Kafka brokers / controllers allowing you to reset the cluster rather than manually fixing any issues arising from attempting to reassign a Kafka broker into a controller. Enter 'YES_RESET_KAFKA' and submit to disable and reset Kafka. Make any configuration changes required and re-enable Kafka when ready. This action CANNOT be reversed. description: Disable and reset the Kafka cluster. This will remove all Kafka data including logs that may have not yet been ingested into Elasticsearch and reverts the grid to using REDIS as the global pipeline. This is useful when testing different Kafka configurations such as rearranging Kafka brokers / controllers allowing you to reset the cluster rather than manually fixing any issues arising from attempting to reassign a Kafka broker into a controller. Enter 'YES_RESET_KAFKA' and submit to disable and reset Kafka. Make any configuration changes required and re-enable Kafka when ready. This action CANNOT be reversed.
advanced: True advanced: True
helpLink: kafka helpLink: kafka.html
logstash: logstash:
description: By default logstash is disabled when Kafka is enabled. This option allows you to specify any hosts you would like to re-enable logstash on alongside Kafka. description: By default logstash is disabled when Kafka is enabled. This option allows you to specify any hosts you would like to re-enable logstash on alongside Kafka.
forcedType: "[]string" forcedType: "[]string"
multiline: True multiline: True
advanced: True advanced: True
helpLink: kafka helpLink: kafka.html
config: config:
password: password:
description: The password used for the Kafka certificates. description: The password used for the Kafka certificates.
readonly: True readonly: True
sensitive: True sensitive: True
helpLink: kafka helpLink: kafka.html
trustpass: trustpass:
description: The password used for the Kafka truststore. description: The password used for the Kafka truststore.
readonly: True readonly: True
sensitive: True sensitive: True
helpLink: kafka helpLink: kafka.html
broker: broker:
auto_x_create_x_topics_x_enable: auto_x_create_x_topics_x_enable:
description: Enable the auto creation of topics. description: Enable the auto creation of topics.
title: auto.create.topics.enable title: auto.create.topics.enable
forcedType: bool forcedType: bool
helpLink: kafka helpLink: kafka.html
default_x_replication_x_factor: default_x_replication_x_factor:
description: The default replication factor for automatically created topics. This value must be less than the amount of brokers in the cluster. Hosts specified in controllers should not be counted towards total broker count. description: The default replication factor for automatically created topics. This value must be less than the amount of brokers in the cluster. Hosts specified in controllers should not be counted towards total broker count.
title: default.replication.factor title: default.replication.factor
forcedType: int forcedType: int
helpLink: kafka helpLink: kafka.html
inter_x_broker_x_listener_x_name: inter_x_broker_x_listener_x_name:
description: The name of the listener used for inter-broker communication. description: The name of the listener used for inter-broker communication.
title: inter.broker.listener.name title: inter.broker.listener.name
helpLink: kafka helpLink: kafka.html
listeners: listeners:
description: Set of URIs that is listened on and the listener names in a comma-seperated list. description: Set of URIs that is listened on and the listener names in a comma-seperated list.
helpLink: kafka helpLink: kafka.html
listener_x_security_x_protocol_x_map: listener_x_security_x_protocol_x_map:
description: Comma-seperated mapping of listener name and security protocols. description: Comma-seperated mapping of listener name and security protocols.
title: listener.security.protocol.map title: listener.security.protocol.map
helpLink: kafka helpLink: kafka.html
log_x_dirs: log_x_dirs:
description: Where Kafka logs are stored within the Docker container. description: Where Kafka logs are stored within the Docker container.
title: log.dirs title: log.dirs
helpLink: kafka helpLink: kafka.html
log_x_retention_x_check_x_interval_x_ms: log_x_retention_x_check_x_interval_x_ms:
description: Frequency at which log files are checked if they are qualified for deletion. description: Frequency at which log files are checked if they are qualified for deletion.
title: log.retention.check.interval.ms title: log.retention.check.interval.ms
helpLink: kafka helpLink: kafka.html
log_x_retention_x_hours: log_x_retention_x_hours:
description: How long, in hours, a log file is kept. description: How long, in hours, a log file is kept.
title: log.retention.hours title: log.retention.hours
forcedType: int forcedType: int
helpLink: kafka helpLink: kafka.html
log_x_segment_x_bytes: log_x_segment_x_bytes:
description: The maximum allowable size for a log file. description: The maximum allowable size for a log file.
title: log.segment.bytes title: log.segment.bytes
forcedType: int forcedType: int
helpLink: kafka helpLink: kafka.html
num_x_io_x_threads: num_x_io_x_threads:
description: The number of threads used by Kafka. description: The number of threads used by Kafka.
title: num.io.threads title: num.io.threads
forcedType: int forcedType: int
helpLink: kafka helpLink: kafka.html
num_x_network_x_threads: num_x_network_x_threads:
description: The number of threads used for network communication. description: The number of threads used for network communication.
title: num.network.threads title: num.network.threads
forcedType: int forcedType: int
helpLink: kafka helpLink: kafka.html
num_x_partitions: num_x_partitions:
description: The number of log partitions assigned per topic. description: The number of log partitions assigned per topic.
title: num.partitions title: num.partitions
forcedType: int forcedType: int
helpLink: kafka helpLink: kafka.html
num_x_recovery_x_threads_x_per_x_data_x_dir: num_x_recovery_x_threads_x_per_x_data_x_dir:
description: The number of threads used for log recuperation at startup and purging at shutdown. This ammount of threads is used per data directory. description: The number of threads used for log recuperation at startup and purging at shutdown. This ammount of threads is used per data directory.
title: num.recovery.threads.per.data.dir title: num.recovery.threads.per.data.dir
forcedType: int forcedType: int
helpLink: kafka helpLink: kafka.html
offsets_x_topic_x_replication_x_factor: offsets_x_topic_x_replication_x_factor:
description: The offsets topic replication factor. description: The offsets topic replication factor.
title: offsets.topic.replication.factor title: offsets.topic.replication.factor
forcedType: int forcedType: int
helpLink: kafka helpLink: kafka.html
process_x_roles: process_x_roles:
description: The role performed by Kafka brokers. description: The role performed by Kafka brokers.
title: process.roles title: process.roles
readonly: True readonly: True
helpLink: kafka helpLink: kafka.html
socket_x_receive_x_buffer_x_bytes: socket_x_receive_x_buffer_x_bytes:
description: Size, in bytes of the SO_RCVBUF buffer. A value of -1 will use the OS default. description: Size, in bytes of the SO_RCVBUF buffer. A value of -1 will use the OS default.
title: socket.receive.buffer.bytes title: socket.receive.buffer.bytes
#forcedType: int - soc needs to allow -1 as an int before we can use this #forcedType: int - soc needs to allow -1 as an int before we can use this
helpLink: kafka helpLink: kafka.html
socket_x_request_x_max_x_bytes: socket_x_request_x_max_x_bytes:
description: The maximum bytes allowed for a request to the socket. description: The maximum bytes allowed for a request to the socket.
title: socket.request.max.bytes title: socket.request.max.bytes
forcedType: int forcedType: int
helpLink: kafka helpLink: kafka.html
socket_x_send_x_buffer_x_bytes: socket_x_send_x_buffer_x_bytes:
description: Size, in bytes of the SO_SNDBUF buffer. A value of -1 will use the OS default. description: Size, in bytes of the SO_SNDBUF buffer. A value of -1 will use the OS default.
title: socket.send.buffer.byte title: socket.send.buffer.byte
#forcedType: int - soc needs to allow -1 as an int before we can use this #forcedType: int - soc needs to allow -1 as an int before we can use this
helpLink: kafka helpLink: kafka.html
ssl_x_keystore_x_location: ssl_x_keystore_x_location:
description: The key store file location within the Docker container. description: The key store file location within the Docker container.
title: ssl.keystore.location title: ssl.keystore.location
helpLink: kafka helpLink: kafka.html
ssl_x_keystore_x_password: ssl_x_keystore_x_password:
description: The key store file password. Invalid for PEM format. description: The key store file password. Invalid for PEM format.
title: ssl.keystore.password title: ssl.keystore.password
sensitive: True sensitive: True
helpLink: kafka helpLink: kafka.html
ssl_x_keystore_x_type: ssl_x_keystore_x_type:
description: The key store file format. description: The key store file format.
title: ssl.keystore.type title: ssl.keystore.type
regex: ^(JKS|PKCS12|PEM)$ regex: ^(JKS|PKCS12|PEM)$
helpLink: kafka helpLink: kafka.html
ssl_x_truststore_x_location: ssl_x_truststore_x_location:
description: The trust store file location within the Docker container. description: The trust store file location within the Docker container.
title: ssl.truststore.location title: ssl.truststore.location
helpLink: kafka helpLink: kafka.html
ssl_x_truststore_x_type: ssl_x_truststore_x_type:
description: The trust store file format. description: The trust store file format.
title: ssl.truststore.type title: ssl.truststore.type
helpLink: kafka helpLink: kafka.html
ssl_x_truststore_x_password: ssl_x_truststore_x_password:
description: The trust store file password. If null, the trust store file is still use, but integrity checking is disabled. Invalid for PEM format. description: The trust store file password. If null, the trust store file is still use, but integrity checking is disabled. Invalid for PEM format.
title: ssl.truststore.password title: ssl.truststore.password
sensitive: True sensitive: True
helpLink: kafka helpLink: kafka.html
transaction_x_state_x_log_x_min_x_isr: transaction_x_state_x_log_x_min_x_isr:
description: Overrides min.insync.replicas for the transaction topic. When a producer configures acks to "all" (or "-1"), this setting determines the minimum number of replicas required to acknowledge a write as successful. Failure to meet this minimum triggers an exception (either NotEnoughReplicas or NotEnoughReplicasAfterAppend). When used in conjunction, min.insync.replicas and acks enable stronger durability guarantees. For instance, creating a topic with a replication factor of 3, setting min.insync.replicas to 2, and using acks of "all" ensures that the producer raises an exception if a majority of replicas fail to receive a write. description: Overrides min.insync.replicas for the transaction topic. When a producer configures acks to "all" (or "-1"), this setting determines the minimum number of replicas required to acknowledge a write as successful. Failure to meet this minimum triggers an exception (either NotEnoughReplicas or NotEnoughReplicasAfterAppend). When used in conjunction, min.insync.replicas and acks enable stronger durability guarantees. For instance, creating a topic with a replication factor of 3, setting min.insync.replicas to 2, and using acks of "all" ensures that the producer raises an exception if a majority of replicas fail to receive a write.
title: transaction.state.log.min.isr title: transaction.state.log.min.isr
forcedType: int forcedType: int
helpLink: kafka helpLink: kafka.html
transaction_x_state_x_log_x_replication_x_factor: transaction_x_state_x_log_x_replication_x_factor:
description: Set the replication factor higher for the transaction topic to ensure availability. Internal topic creation will not proceed until the cluster size satisfies this replication factor prerequisite. description: Set the replication factor higher for the transaction topic to ensure availability. Internal topic creation will not proceed until the cluster size satisfies this replication factor prerequisite.
title: transaction.state.log.replication.factor title: transaction.state.log.replication.factor
forcedType: int forcedType: int
helpLink: kafka helpLink: kafka.html
client: client:
security_x_protocol: security_x_protocol:
description: 'Broker communication protocol. Options are: SASL_SSL, PLAINTEXT, SSL, SASL_PLAINTEXT' description: 'Broker communication protocol. Options are: SASL_SSL, PLAINTEXT, SSL, SASL_PLAINTEXT'
title: security.protocol title: security.protocol
regex: ^(SASL_SSL|PLAINTEXT|SSL|SASL_PLAINTEXT) regex: ^(SASL_SSL|PLAINTEXT|SSL|SASL_PLAINTEXT)
helpLink: kafka helpLink: kafka.html
ssl_x_keystore_x_location: ssl_x_keystore_x_location:
description: The key store file location within the Docker container. description: The key store file location within the Docker container.
title: ssl.keystore.location title: ssl.keystore.location
helpLink: kafka helpLink: kafka.html
ssl_x_keystore_x_password: ssl_x_keystore_x_password:
description: The key store file password. Invalid for PEM format. description: The key store file password. Invalid for PEM format.
title: ssl.keystore.password title: ssl.keystore.password
sensitive: True sensitive: True
helpLink: kafka helpLink: kafka.html
ssl_x_keystore_x_type: ssl_x_keystore_x_type:
description: The key store file format. description: The key store file format.
title: ssl.keystore.type title: ssl.keystore.type
regex: ^(JKS|PKCS12|PEM)$ regex: ^(JKS|PKCS12|PEM)$
helpLink: kafka helpLink: kafka.html
ssl_x_truststore_x_location: ssl_x_truststore_x_location:
description: The trust store file location within the Docker container. description: The trust store file location within the Docker container.
title: ssl.truststore.location title: ssl.truststore.location
helpLink: kafka helpLink: kafka.html
ssl_x_truststore_x_type: ssl_x_truststore_x_type:
description: The trust store file format. description: The trust store file format.
title: ssl.truststore.type title: ssl.truststore.type
helpLink: kafka helpLink: kafka.html
ssl_x_truststore_x_password: ssl_x_truststore_x_password:
description: The trust store file password. If null, the trust store file is still use, but integrity checking is disabled. Invalid for PEM format. description: The trust store file password. If null, the trust store file is still use, but integrity checking is disabled. Invalid for PEM format.
title: ssl.truststore.password title: ssl.truststore.password
sensitive: True sensitive: True
helpLink: kafka helpLink: kafka.html
controller: controller:
controller_x_listener_x_names: controller_x_listener_x_names:
description: Set listeners used by the controller in a comma-seperated list. description: Set listeners used by the controller in a comma-seperated list.
title: controller.listener.names title: controller.listener.names
helpLink: kafka helpLink: kafka.html
listeners: listeners:
description: Set of URIs that is listened on and the listener names in a comma-seperated list. description: Set of URIs that is listened on and the listener names in a comma-seperated list.
helpLink: kafka helpLink: kafka.html
listener_x_security_x_protocol_x_map: listener_x_security_x_protocol_x_map:
description: Comma-seperated mapping of listener name and security protocols. description: Comma-seperated mapping of listener name and security protocols.
title: listener.security.protocol.map title: listener.security.protocol.map
helpLink: kafka helpLink: kafka.html
log_x_dirs: log_x_dirs:
description: Where Kafka logs are stored within the Docker container. description: Where Kafka logs are stored within the Docker container.
title: log.dirs title: log.dirs
helpLink: kafka helpLink: kafka.html
log_x_retention_x_check_x_interval_x_ms: log_x_retention_x_check_x_interval_x_ms:
description: Frequency at which log files are checked if they are qualified for deletion. description: Frequency at which log files are checked if they are qualified for deletion.
title: log.retention.check.interval.ms title: log.retention.check.interval.ms
helpLink: kafka helpLink: kafka.html
log_x_retention_x_hours: log_x_retention_x_hours:
description: How long, in hours, a log file is kept. description: How long, in hours, a log file is kept.
title: log.retention.hours title: log.retention.hours
forcedType: int forcedType: int
helpLink: kafka helpLink: kafka.html
log_x_segment_x_bytes: log_x_segment_x_bytes:
description: The maximum allowable size for a log file. description: The maximum allowable size for a log file.
title: log.segment.bytes title: log.segment.bytes
forcedType: int forcedType: int
helpLink: kafka helpLink: kafka.html
process_x_roles: process_x_roles:
description: The role performed by controller node. description: The role performed by controller node.
title: process.roles title: process.roles
readonly: True readonly: True
helpLink: kafka helpLink: kafka.html
external_access: external_access:
enabled: enabled:
description: Enables or disables access to Kafka topics using user/password authentication. Used for producing / consuming messages via an external client. description: Enables or disables access to Kafka topics using user/password authentication. Used for producing / consuming messages via an external client.
forcedType: bool forcedType: bool
helpLink: kafka helpLink: kafka.html
listeners: listeners:
description: Set of URIs that is listened on and the listener names in a comma-seperated list. description: Set of URIs that is listened on and the listener names in a comma-seperated list.
title: listeners title: listeners
readonly: True readonly: True
advanced: True advanced: True
helpLink: kafka helpLink: kafka.html
listener_x_security_x_protocol_x_map: listener_x_security_x_protocol_x_map:
description: External listener name and mapped security protocol. description: External listener name and mapped security protocol.
title: listener.security.protocol.map title: listener.security.protocol.map
readonly: True readonly: True
advanced: True advanced: True
helpLink: kafka helpLink: kafka.html
sasl_x_enabled_x_mechanisms: sasl_x_enabled_x_mechanisms:
description: SASL/PLAIN is a simple username/password authentication mechanism, used with TLS to implement secure authentication. description: SASL/PLAIN is a simple username/password authentication mechanism, used with TLS to implement secure authentication.
title: sasl.enabled.mechanisms title: sasl.enabled.mechanisms
readonly: True readonly: True
advanced: True advanced: True
helpLink: kafka helpLink: kafka.html
sasl_x_mechanism_x_inter_x_broker_x_protocol: sasl_x_mechanism_x_inter_x_broker_x_protocol:
description: SASL mechanism used for inter-broker communication description: SASL mechanism used for inter-broker communication
title: sasl.mechanism.inter.broker.protocol title: sasl.mechanism.inter.broker.protocol
readonly: True readonly: True
advanced: True advanced: True
helpLink: kafka helpLink: kafka.html
remote_users: remote_users:
user01: &remote_user user01: &remote_user
username: username:

22
salt/kibana/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -20,20 +20,20 @@ so-kibana:
- user: kibana - user: kibana
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-kibana'].ip }} - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
- environment: - environment:
- ELASTICSEARCH_HOST={{ GLOBALS.manager }} - ELASTICSEARCH_HOST={{ GLOBALS.manager }}
- ELASTICSEARCH_PORT=9200 - ELASTICSEARCH_PORT=9200
- MANAGER={{ GLOBALS.manager }} - MANAGER={{ GLOBALS.manager }}
{% if DOCKERMERGED.containers['so-kibana'].extra_env %} {% if DOCKER.containers['so-kibana'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-kibana'].extra_env %} {% for XTRAENV in DOCKER.containers['so-kibana'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKERMERGED.containers['so-kibana'].extra_hosts %} {% if DOCKER.containers['so-kibana'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-kibana'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-kibana'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -42,18 +42,18 @@ so-kibana:
- /opt/so/log/kibana:/var/log/kibana:rw - /opt/so/log/kibana:/var/log/kibana:rw
- /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
- /sys/fs/cgroup:/sys/fs/cgroup:ro - /sys/fs/cgroup:/sys/fs/cgroup:ro
{% if DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %} {% if DOCKER.containers['so-kibana'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-kibana'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %} {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKERMERGED.containers['so-kibana'].ulimits %} {% if DOCKER.containers['so-kibana'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %} {% for ULIMIT in DOCKER.containers['so-kibana'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

40
salt/kibana/soc_kibana.yaml
View File

@@ -1,46 +1,10 @@
kibana: kibana:
enabled: enabled:
description: Enables or disables the Kibana front-end interface to Elasticsearch. Due to Kibana being used for loading certain configuration details in Elasticsearch, this process should remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results. description: Enables or disables the Kibana front-end interface to Elasticsearch. Due to Kibana being used for loading certain configuration details in Elasticsearch, this process should remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results.
forcedType: bool helpLink: kibana.html
helpLink: kibana
config: config:
server:
rewriteBasePath:
description: Specifies whether Kibana should rewrite requests that are prefixed with the server basePath.
forcedType: bool
global: True
advanced: True
helpLink: kibana
elasticsearch: elasticsearch:
requestTimeout: requestTimeout:
description: The length of time before the request reaches timeout. description: The length of time before the request reaches timeout.
global: True global: True
helpLink: kibana helpLink: kibana.html
telemetry:
enabled:
description: Enables or disables telemetry data collection in Kibana.
forcedType: bool
global: True
advanced: True
helpLink: kibana
xpack:
security:
secureCookies:
description: Sets the secure flag on session cookies. Cookies are only sent over HTTPS when enabled.
forcedType: bool
global: True
advanced: True
helpLink: kibana
showInsecureClusterWarning:
description: Shows a warning in Kibana when the cluster does not have security enabled.
forcedType: bool
global: True
advanced: True
helpLink: kibana
apm:
enabled:
description: Enables or disables the APM agent in Kibana.
forcedType: bool
global: True
advanced: True
helpLink: kibana

22
salt/kratos/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -19,35 +19,35 @@ so-kratos:
- name: so-kratos - name: so-kratos
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-kratos'].ip }} - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
- binds: - binds:
- /opt/so/conf/kratos/:/kratos-conf:ro - /opt/so/conf/kratos/:/kratos-conf:ro
- /opt/so/log/kratos/:/kratos-log:rw - /opt/so/log/kratos/:/kratos-log:rw
- /nsm/kratos/db:/kratos-data:rw - /nsm/kratos/db:/kratos-data:rw
{% if DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %} {% if DOCKER.containers['so-kratos'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-kratos'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-kratos'].port_bindings %} {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKERMERGED.containers['so-kratos'].extra_hosts %} {% if DOCKER.containers['so-kratos'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-kratos'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-kratos'].extra_env %} {% if DOCKER.containers['so-kratos'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers['so-kratos'].extra_env %} {% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-kratos'].ulimits %} {% if DOCKER.containers['so-kratos'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %} {% for ULIMIT in DOCKER.containers['so-kratos'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

96
salt/kratos/soc_kratos.yaml
View File

@@ -1,91 +1,88 @@
kratos: kratos:
enabled: enabled:
description: Enables or disables the Kratos authentication system. WARNING - Disabling this process will cause the grid to malfunction. Re-enabling this setting will require manual effort via SSH. description: Enables or disables the Kratos authentication system. WARNING - Disabling this process will cause the grid to malfunction. Re-enabling this setting will require manual effort via SSH.
forcedType: bool
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
oidc: oidc:
enabled: enabled:
description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key. description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key.
forcedType: bool
global: True global: True
helpLink: oidc helpLink: oidc.html
config: config:
id: id:
description: Customize the OIDC provider name. This name appears on the login page. Required. It is strongly recommended to leave this to the default value, unless you are aware of the other configuration pieces that will be affected by changing it. description: Customize the OIDC provider name. This name appears on the login page. Required. It is strongly recommended to leave this to the default value, unless you are aware of the other configuration pieces that will be affected by changing it.
global: True global: True
forcedType: string forcedType: string
helpLink: oidc helpLink: oidc.html
provider: provider:
description: "Specify the provider type. Required. Valid values are: auth0, generic, github, google, microsoft" description: "Specify the provider type. Required. Valid values are: auth0, generic, github, google, microsoft"
global: True global: True
forcedType: string forcedType: string
regex: "auth0|generic|github|google|microsoft" regex: "auth0|generic|github|google|microsoft"
regexFailureMessage: "Valid values are: auth0, generic, github, google, microsoft" regexFailureMessage: "Valid values are: auth0, generic, github, google, microsoft"
helpLink: oidc helpLink: oidc.html
client_id: client_id:
description: Specify the client ID, also referenced as the application ID. Required. description: Specify the client ID, also referenced as the application ID. Required.
global: True global: True
forcedType: string forcedType: string
helpLink: oidc helpLink: oidc.html
client_secret: client_secret:
description: Specify the client secret. Required. description: Specify the client secret. Required.
global: True global: True
forcedType: string forcedType: string
helpLink: oidc helpLink: oidc.html
microsoft_tenant: microsoft_tenant:
description: Specify the Microsoft Active Directory Tenant ID. Required when provider is 'microsoft'. description: Specify the Microsoft Active Directory Tenant ID. Required when provider is 'microsoft'.
global: True global: True
forcedType: string forcedType: string
helpLink: oidc helpLink: oidc.html
subject_source: subject_source:
description: The source of the subject identifier. Typically 'userinfo'. Only used when provider is 'microsoft'. description: The source of the subject identifier. Typically 'userinfo'. Only used when provider is 'microsoft'.
global: True global: True
forcedType: string forcedType: string
regex: me|userinfo regex: me|userinfo
regexFailureMessage: "Valid values are: me, userinfo" regexFailureMessage: "Valid values are: me, userinfo"
helpLink: oidc helpLink: oidc.html
auth_url: auth_url:
description: Provider's auth URL. Required when provider is 'generic'. description: Provider's auth URL. Required when provider is 'generic'.
global: True global: True
forcedType: string forcedType: string
helpLink: oidc helpLink: oidc.html
issuer_url: issuer_url:
description: Provider's issuer URL. Required when provider is 'auth0' or 'generic'. description: Provider's issuer URL. Required when provider is 'auth0' or 'generic'.
global: True global: True
forcedType: string forcedType: string
helpLink: oidc helpLink: oidc.html
mapper_url: mapper_url:
description: A file path or URL in Jsonnet format, used to map OIDC claims to the Kratos schema. Defaults to an included file that maps the email claim. Note that the contents of the included file can be customized via the "OIDC Claims Mapping" setting. description: A file path or URL in Jsonnet format, used to map OIDC claims to the Kratos schema. Defaults to an included file that maps the email claim. Note that the contents of the included file can be customized via the "OIDC Claims Mapping" setting.
advanced: True advanced: True
global: True global: True
forcedType: string forcedType: string
helpLink: oidc helpLink: oidc.html
token_url: token_url:
description: Provider's token URL. Required when provider is 'generic'. description: Provider's token URL. Required when provider is 'generic'.
global: True global: True
forcedType: string forcedType: string
helpLink: oidc helpLink: oidc.html
scope: scope:
description: List of scoped data categories to request in the authentication response. Typically 'email' and 'profile' are the minimum required scopes. However, GitHub requires `user:email', instead and Auth0 requires 'profile', 'email', and 'openid'. description: List of scoped data categories to request in the authentication response. Typically 'email' and 'profile' are the minimum required scopes. However, GitHub requires `user:email', instead and Auth0 requires 'profile', 'email', and 'openid'.
global: True global: True
forcedType: "[]string" forcedType: "[]string"
helpLink: oidc helpLink: oidc.html
pkce: pkce:
description: Set to 'force' if the OIDC provider does not support auto-detection of PKCE, but does support PKCE. Set to `never` to disable PKCE. The default setting automatically attempts to detect if PKCE is supported. The provider's `well-known/openid-configuration` JSON response must contain the `S256` algorithm within the `code_challenge_methods_supported` list in order for the auto-detection to correctly detect PKCE is supported. description: Set to 'force' if the OIDC provider does not support auto-detection of PKCE, but does support PKCE. Set to `never` to disable PKCE. The default setting automatically attempts to detect if PKCE is supported. The provider's `well-known/openid-configuration` JSON response must contain the `S256` algorithm within the `code_challenge_methods_supported` list in order for the auto-detection to correctly detect PKCE is supported.
global: True global: True
forcedType: string forcedType: string
helpLink: oidc helpLink: oidc.html
requested_claims: requested_claims:
id_token: id_token:
email: email:
essential: essential:
description: Specifies whether the email claim is necessary. Typically leave this value set to true. description: Specifies whether the email claim is necessary. Typically leave this value set to true.
forcedType: bool
advanced: True advanced: True
global: True global: True
helpLink: oidc helpLink: oidc.html
files: files:
oidc__jsonnet: oidc__jsonnet:
title: OIDC Claims Mapping title: OIDC Claims Mapping
@@ -93,169 +90,164 @@ kratos:
advanced: True advanced: True
file: True file: True
global: True global: True
helpLink: oidc helpLink: oidc.html
config: config:
session: session:
lifespan: lifespan:
description: Defines the length of a login session. description: Defines the length of a login session.
global: True global: True
helpLink: kratos helpLink: kratos.html
whoami: whoami:
required_aal: required_aal:
description: Sets the Authenticator Assurance Level. Leave as default to ensure proper security protections remain in place. description: Sets the Authenticator Assurance Level. Leave as default to ensure proper security protections remain in place.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
selfservice: selfservice:
methods: methods:
password: password:
enabled: enabled:
description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication. Some external tool interfaces may not be accessible if local password authentication is disabled. description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication. Some external tool interfaces may not be accessible if local password authentication is disabled.
forcedType: bool
global: True global: True
advanced: True advanced: True
helpLink: oidc helpLink: oidc.html
config: config:
haveibeenpwned_enabled: haveibeenpwned_enabled:
description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled. description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
forcedType: bool
global: True global: True
helpLink: kratos helpLink: kratos.html
totp: totp:
enabled: enabled:
description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in. description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
forcedType: bool
global: True global: True
helpLink: kratos helpLink: kratos.html
config: config:
issuer: issuer:
description: The name to show in the MFA authenticator app. Useful for differentiating between installations that share the same user email address. description: The name to show in the MFA authenticator app. Useful for differentiating between installations that share the same user email address.
global: True global: True
helpLink: kratos helpLink: kratos.html
webauthn: webauthn:
enabled: enabled:
description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in. description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
forcedType: bool
global: True global: True
helpLink: kratos helpLink: kratos.html
config: config:
passwordless: passwordless:
description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in. description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in.
forcedType: bool
global: True global: True
helpLink: kratos helpLink: kratos.html
rp: rp:
id: id:
description: The internal identification used for registering new Security Keys. Leave as default to ensure Security Keys function properly. description: The internal identification used for registering new Security Keys. Leave as default to ensure Security Keys function properly.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
origin: origin:
description: The URL used to login to SOC. Leave as default to ensure Security Keys function properly. description: The URL used to login to SOC. Leave as default to ensure Security Keys function properly.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
display_name: display_name:
description: The name assigned to the security key. Note that URL_BASE is replaced with the hostname or IP address used to login to SOC, to help distinguish multiple Security Onion installations. description: The name assigned to the security key. Note that URL_BASE is replaced with the hostname or IP address used to login to SOC, to help distinguish multiple Security Onion installations.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
flows: flows:
settings: settings:
privileged_session_max_age: privileged_session_max_age:
description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change. description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change.
global: True global: True
helpLink: kratos helpLink: kratos.html
ui_url: ui_url:
description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation. description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
required_aal: required_aal:
description: Sets the Authenticator Assurance Level for accessing user self-service profile and security settings. Leave as default to ensure proper security enforcement remains in place. description: Sets the Authenticator Assurance Level for accessing user self-service profile and security settings. Leave as default to ensure proper security enforcement remains in place.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
verification: verification:
ui_url: ui_url:
description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation. description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
login: login:
ui_url: ui_url:
description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation. description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
lifespan: lifespan:
description: Defines the duration that a login form will remain valid. description: Defines the duration that a login form will remain valid.
global: True global: True
helpLink: kratos helpLink: kratos.html
error: error:
ui_url: ui_url:
description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation. description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
registration: registration:
ui_url: ui_url:
description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation. description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
default_browser_return_url: default_browser_return_url:
description: Security Onion Console landing page URL. Leave as default to ensure proper operation. description: Security Onion Console landing page URL. Leave as default to ensure proper operation.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
allowed_return_urls: allowed_return_urls:
description: Internal redirect URL. Leave as default to ensure proper operation. description: Internal redirect URL. Leave as default to ensure proper operation.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
log: log:
level: level:
description: Log level to use for Kratos logs. description: Log level to use for Kratos logs.
global: True global: True
helpLink: kratos helpLink: kratos.html
format: format:
description: Log output format for Kratos logs. description: Log output format for Kratos logs.
global: True global: True
helpLink: kratos helpLink: kratos.html
secrets: secrets:
default: default:
description: Secret key used for protecting session cookie data. Generated during installation. description: Secret key used for protecting session cookie data. Generated during installation.
global: True global: True
sensitive: True sensitive: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
serve: serve:
public: public:
base_url: base_url:
description: User accessible URL for authenticating to Kratos. Leave as default for proper operation. description: User accessible URL for authenticating to Kratos. Leave as default for proper operation.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
admin: admin:
base_url: base_url:
description: User accessible URL for accessing Kratos administration API. Leave as default for proper operation. description: User accessible URL for accessing Kratos administration API. Leave as default for proper operation.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
hashers: hashers:
bcrypt: bcrypt:
cost: cost:
description: Bcrypt hashing algorithm cost. Higher values consume more CPU and take longer to complete. Actual cost is computed as 2^X where X is the value in this setting. description: Bcrypt hashing algorithm cost. Higher values consume more CPU and take longer to complete. Actual cost is computed as 2^X where X is the value in this setting.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html
courier: courier:
smtp: smtp:
connection_uri: connection_uri:
description: SMTPS URL for sending outbound account-related emails. Not utilized with the standard Security Onion installation. description: SMTPS URL for sending outbound account-related emails. Not utilized with the standard Security Onion installation.
global: True global: True
advanced: True advanced: True
helpLink: kratos helpLink: kratos.html

22
salt/logstash/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'logstash/map.jinja' import LOGSTASH_MERGED %} {% from 'logstash/map.jinja' import LOGSTASH_MERGED %}
{% from 'logstash/map.jinja' import LOGSTASH_NODES %} {% from 'logstash/map.jinja' import LOGSTASH_NODES %}
{% set lsheap = LOGSTASH_MERGED.settings.lsheap %} {% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
@@ -32,7 +32,7 @@ so-logstash:
- name: so-logstash - name: so-logstash
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-logstash'].ip }} - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
- user: logstash - user: logstash
- extra_hosts: - extra_hosts:
{% for node in LOGSTASH_NODES %} {% for node in LOGSTASH_NODES %}
@@ -40,20 +40,20 @@ so-logstash:
- {{hostname}}:{{ip}} - {{hostname}}:{{ip}}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{% if DOCKERMERGED.containers['so-logstash'].extra_hosts %} {% if DOCKER.containers['so-logstash'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-logstash'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- environment: - environment:
- LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }} - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
{% if DOCKERMERGED.containers['so-logstash'].extra_env %} {% if DOCKER.containers['so-logstash'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-logstash'].extra_env %} {% for XTRAENV in DOCKER.containers['so-logstash'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-logstash'].port_bindings %} {% for BINDING in DOCKER.containers['so-logstash'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
@@ -91,14 +91,14 @@ so-logstash:
- /opt/so/log/fleet/:/osquery/logs:ro - /opt/so/log/fleet/:/osquery/logs:ro
- /opt/so/log/strelka:/strelka:ro - /opt/so/log/strelka:/strelka:ro
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %} {% if DOCKER.containers['so-logstash'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-logstash'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-logstash'].ulimits %} {% if DOCKER.containers['so-logstash'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %} {% for ULIMIT in DOCKER.containers['so-logstash'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

23
salt/logstash/soc_logstash.yaml
View File

@@ -1,14 +1,13 @@
logstash: logstash:
enabled: enabled:
description: Enables or disables the Logstash log event forwarding process. On most grid installations, when this process is disabled log events are unable to be ingested into the SOC backend. description: Enables or disables the Logstash log event forwarding process. On most grid installations, when this process is disabled log events are unable to be ingested into the SOC backend.
forcedType: bool helpLink: logstash.html
helpLink: logstash
assigned_pipelines: assigned_pipelines:
roles: roles:
standalone: &assigned_pipelines standalone: &assigned_pipelines
description: List of defined pipelines to add to this role. description: List of defined pipelines to add to this role.
advanced: True advanced: True
helpLink: logstash helpLink: logstash.html
multiline: True multiline: True
forcedType: "[]string" forcedType: "[]string"
duplicates: True duplicates: True
@@ -22,7 +21,7 @@ logstash:
receiver: &defined_pipelines receiver: &defined_pipelines
description: List of pipeline configurations assign to this group. description: List of pipeline configurations assign to this group.
advanced: True advanced: True
helpLink: logstash helpLink: logstash.html
multiline: True multiline: True
forcedType: "[]string" forcedType: "[]string"
duplicates: True duplicates: True
@@ -40,7 +39,7 @@ logstash:
advanced: True advanced: True
multiline: True multiline: True
forcedType: string forcedType: string
helpLink: logstash helpLink: logstash.html
duplicates: True duplicates: True
custom002: *pipeline_config custom002: *pipeline_config
custom003: *pipeline_config custom003: *pipeline_config
@@ -54,35 +53,35 @@ logstash:
settings: settings:
lsheap: lsheap:
description: Heap size to use for logstash description: Heap size to use for logstash
helpLink: logstash helpLink: logstash.html
global: False global: False
config: config:
api_x_http_x_host: api_x_http_x_host:
description: Host interface to listen to connections. description: Host interface to listen to connections.
helpLink: logstash helpLink: logstash.html
readonly: True readonly: True
advanced: True advanced: True
path_x_logs: path_x_logs:
description: Path inside the container to wrote logs. description: Path inside the container to wrote logs.
helpLink: logstash helpLink: logstash.html
readonly: True readonly: True
advanced: True advanced: True
pipeline_x_workers: pipeline_x_workers:
description: Number of worker threads to process events in logstash. description: Number of worker threads to process events in logstash.
helpLink: logstash helpLink: logstash.html
global: False global: False
pipeline_x_batch_x_size: pipeline_x_batch_x_size:
description: Logstash batch size. description: Logstash batch size.
helpLink: logstash helpLink: logstash.html
global: False global: False
pipeline_x_ecs_compatibility: pipeline_x_ecs_compatibility:
description: Sets ECS compatibility. This is set per pipeline so you should never need to change this. description: Sets ECS compatibility. This is set per pipeline so you should never need to change this.
helpLink: logstash helpLink: logstash.html
readonly: True readonly: True
advanced: True advanced: True
dmz_nodes: dmz_nodes:
description: "List of receiver nodes in DMZs. Prevents sensors from sending to these receivers. Primarily used for external Elastic agents." description: "List of receiver nodes in DMZs. Prevents sensors from sending to these receivers. Primarily used for external Elastic agents."
helpLink: logstash helpLink: logstash.html
multiline: True multiline: True
advanced: True advanced: True
forcedType: "[]string" forcedType: "[]string"

33
salt/manager/soc_manager.yaml
View File

@@ -2,82 +2,81 @@ manager:
reposync: reposync:
enabled: enabled:
description: This is the daily task of syncing the Security Onion OS packages. It is recommended that this setting remain enabled to ensure important updates are applied to the grid on an automated, scheduled basis. description: This is the daily task of syncing the Security Onion OS packages. It is recommended that this setting remain enabled to ensure important updates are applied to the grid on an automated, scheduled basis.
forcedType: bool
global: True global: True
helpLink: soup helpLink: soup.html
hour: hour:
description: The hour of the day in which the repo sync takes place. description: The hour of the day in which the repo sync takes place.
global: True global: True
helpLink: soup helpLink: soup.html
minute: minute:
description: The minute within the hour to run the repo sync. description: The minute within the hour to run the repo sync.
global: True global: True
helpLink: soup helpLink: soup.html
elastalert: elastalert:
description: Enable elastalert 1=enabled 0=disabled. description: Enable elastalert 1=enabled 0=disabled.
global: True global: True
helpLink: elastalert helpLink: elastalert.html
no_proxy: no_proxy:
description: String of hosts to ignore the proxy settings for. description: String of hosts to ignore the proxy settings for.
global: True global: True
helpLink: proxy helpLink: proxy.html
proxy: proxy:
description: Proxy server to use for updates. description: Proxy server to use for updates.
global: True global: True
helpLink: proxy helpLink: proxy.html
additionalCA: additionalCA:
description: Additional CA certificates to trust in PEM format. description: Additional CA certificates to trust in PEM format.
global: True global: True
advanced: True advanced: True
multiline: True multiline: True
forcedType: string forcedType: string
helpLink: proxy helpLink: proxy.html
insecureSkipVerify: insecureSkipVerify:
description: Disable TLS verification for outgoing requests. This will make your installation less secure to MITM attacks. Recommended only for debugging purposes. description: Disable TLS verification for outgoing requests. This will make your installation less secure to MITM attacks. Recommended only for debugging purposes.
advanced: True advanced: True
forcedType: bool forcedType: bool
global: True global: True
helpLink: proxy helpLink: proxy.html
agent_monitoring: agent_monitoring:
enabled: enabled:
description: Enable monitoring elastic agents for health issues. Can be used to trigger an alert when a 'critical' agent hasn't checked in with fleet for longer than the configured offline threshold. description: Enable monitoring elastic agents for health issues. Can be used to trigger an alert when a 'critical' agent hasn't checked in with fleet for longer than the configured offline threshold.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
forcedType: bool forcedType: bool
config: config:
critical_agents: critical_agents:
description: List of 'critical' agents to log when they haven't checked in longer than the maximum allowed time. If there are no 'critical' agents specified all offline agents will be logged once they reach the offline threshold. description: List of 'critical' agents to log when they haven't checked in longer than the maximum allowed time. If there are no 'critical' agents specified all offline agents will be logged once they reach the offline threshold.
global: True global: True
multiline: True multiline: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
forcedType: "[]string" forcedType: "[]string"
custom_kquery: custom_kquery:
description: For more granular control over what agents to monitor for offline|degraded status add a kquery here. It is recommended to create & test within Elastic Fleet first to ensure your agents are targeted correctly using the query. eg 'status:offline AND tags:INFRA' description: For more granular control over what agents to monitor for offline|degraded status add a kquery here. It is recommended to create & test within Elastic Fleet first to ensure your agents are targeted correctly using the query. eg 'status:offline AND tags:INFRA'
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
forcedType: string forcedType: string
advanced: True advanced: True
offline_threshold: offline_threshold:
description: The maximum allowed time in hours a 'critical' agent has been offline before being logged. description: The maximum allowed time in hours a 'critical' agent has been offline before being logged.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
forcedType: int forcedType: int
realert_threshold: realert_threshold:
description: The time to pass before another alert for an offline agent exceeding the offline_threshold is generated. description: The time to pass before another alert for an offline agent exceeding the offline_threshold is generated.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
forcedType: int forcedType: int
page_size: page_size:
description: The amount of agents that can be processed per API request to fleet. description: The amount of agents that can be processed per API request to fleet.
global: True global: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
forcedType: int forcedType: int
advanced: True advanced: True
run_interval: run_interval:
description: The time in minutes between checking fleet agent statuses. description: The time in minutes between checking fleet agent statuses.
global: True global: True
advanced: True advanced: True
helpLink: elastic-fleet helpLink: elastic-fleet.html
forcedType: int forcedType: int
managed_integrations: managed_integrations:
description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass
@@ -85,4 +84,4 @@ manager:
multiline: True multiline: True
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch.html

86
salt/manager/tools/sbin/soup
View File

@@ -383,67 +383,6 @@ check_minimum_version() {
### 3.0.0 Scripts ### ### 3.0.0 Scripts ###
convert_suricata_yes_no() {
echo "Starting suricata yes/no values to true/false conversion."
local SURICATA_FILE=/opt/so/saltstack/local/pillar/suricata/soc_suricata.sls
local MINIONDIR=/opt/so/saltstack/local/pillar/minions
local pillar_files=()
[[ -f "$SURICATA_FILE" ]] && pillar_files+=("$SURICATA_FILE")
for suffix in _eval _heavynode _sensor _standalone; do
for f in "$MINIONDIR"/*${suffix}.sls; do
[[ -f "$f" ]] && pillar_files+=("$f")
done
done
for pillar_file in "${pillar_files[@]}"; do
echo "Checking $pillar_file for suricata yes/no values."
local yaml_output
yaml_output=$(so-yaml.py get -r "$pillar_file" suricata 2>/dev/null) || continue
local keys_to_fix
keys_to_fix=$(python3 -c "
import yaml, sys
def find(d, prefix=''):
if isinstance(d, dict):
for k, v in d.items():
path = f'{prefix}.{k}' if prefix else k
if isinstance(v, dict):
find(v, path)
elif isinstance(v, str) and v.lower() in ('yes', 'no'):
print(f'{path} {v.lower()}')
find(yaml.safe_load(sys.stdin) or {})
" <<< "$yaml_output") || continue
while IFS=' ' read -r key value; do
[[ -z "$key" ]] && continue
if [[ "$value" == "yes" ]]; then
echo "Replacing suricata.${key} yes -> true in $pillar_file"
so-yaml.py replace "$pillar_file" "suricata.${key}" true
else
echo "Replacing suricata.${key} no -> false in $pillar_file"
so-yaml.py replace "$pillar_file" "suricata.${key}" false
fi
done <<< "$keys_to_fix"
done
echo "Completed suricata yes/no conversion."
}
migrate_pcap_to_suricata() {
echo "Starting pillar pcap.enabled to suricata.pcap.enabled migration."
local MINIONDIR=/opt/so/saltstack/local/pillar/minions
local PCAPFILE=/opt/so/saltstack/local/pillar/pcap/soc_pcap.sls
for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
[[ -f "$pillar_file" ]] || continue
pcap_enabled=$(so-yaml.py get -r "$pillar_file" pcap.enabled 2>/dev/null) || continue
echo "Migrating pcap.enabled -> suricata.pcap.enabled in $pillar_file"
so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
so-yaml.py remove "$pillar_file" pcap
done
echo "Completed pcap.enabled to suricata.pcap.enabled pillar migration."
}
up_to_3.0.0() { up_to_3.0.0() {
determine_elastic_agent_upgrade determine_elastic_agent_upgrade
migrate_pcap_to_suricata migrate_pcap_to_suricata
@@ -451,19 +390,20 @@ up_to_3.0.0() {
INSTALLEDVERSION=3.0.0 INSTALLEDVERSION=3.0.0
} }
migrate_pcap_to_suricata() {
local MINIONDIR=/opt/so/saltstack/local/pillar/minions
local PCAPFILE=/opt/so/saltstack/local/pillar/pcap/soc_pcap.sls
for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
[[ -f "$pillar_file" ]] || continue
pcap_enabled=$(so-yaml.py get -r "$pillar_file" pcap.enabled 2>/dev/null) || continue
so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
so-yaml.py remove "$pillar_file" pcap
done
}
post_to_3.0.0() { post_to_3.0.0() {
for idx in "logs-idh-so" "logs-redis.log-default"; do echo "Nothing to apply"
rollover_index "$idx"
done
# Remove ILM for so-case and so-detection indices
for idx in "so-case" "so-casehistory" "so-detection" "so-detectionhistory"; do
so-elasticsearch-query $idx/_ilm/remove -XPOST
done
# convert yes/no in suricata pillars to true/false
convert_suricata_yes_no
POSTVERSION=3.0.0 POSTVERSION=3.0.0
} }

22
salt/nginx/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'nginx/map.jinja' import NGINXMERGED %} {% from 'nginx/map.jinja' import NGINXMERGED %}
include: include:
@@ -37,11 +37,11 @@ so-nginx:
- hostname: so-nginx - hostname: so-nginx
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers[container_config].ip }} - ipv4_address: {{ DOCKER.containers[container_config].ip }}
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKERMERGED.containers[container_config].extra_hosts %} {% if DOCKER.containers[container_config].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers[container_config].extra_hosts %} {% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -64,26 +64,26 @@ so-nginx:
- /opt/so/rules/nids/suri:/surirules:ro - /opt/so/rules/nids/suri:/surirules:ro
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers[container_config].custom_bind_mounts %} {% if DOCKER.containers[container_config].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers[container_config].custom_bind_mounts %} {% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers[container_config].extra_env %} {% if DOCKER.containers[container_config].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers[container_config].extra_env %} {% for XTRAENV in DOCKER.containers[container_config].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers[container_config].ulimits %} {% if DOCKER.containers[container_config].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %} {% for ULIMIT in DOCKER.containers[container_config].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- cap_add: NET_BIND_SERVICE - cap_add: NET_BIND_SERVICE
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers[container_config].port_bindings %} {% for BINDING in DOCKER.containers[container_config].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- watch: - watch:

4
salt/nginx/etc/nginx.conf
View File

@@ -1,5 +1,5 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %} {%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'docker/docker.map.jinja' import DOCKERMERGED %} {%- from 'docker/docker.map.jinja' import DOCKER %}
{%- from 'nginx/map.jinja' import NGINXMERGED %} {%- from 'nginx/map.jinja' import NGINXMERGED %}
{%- set role = grains.id.split('_') | last %} {%- set role = grains.id.split('_') | last %}
{%- set influxpass = salt['pillar.get']('secrets:influx_pass') %} {%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}
@@ -387,7 +387,7 @@ http {
error_page 429 = @error429; error_page 429 = @error429;
location @error401 { location @error401 {
if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*|^/.*\.map$)) { if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
return 401; return 401;
} }

17
salt/nginx/soc_nginx.yaml
View File

@@ -1,13 +1,12 @@
nginx: nginx:
enabled: enabled:
description: Enables or disables the Nginx web server and reverse proxy. WARNING - Disabling this process will prevent access to SOC and other important web interfaces and APIs. Re-enabling the process is a manual effort. Do not change this setting without instruction from Security Onion support. description: Enables or disables the Nginx web server and reverse proxy. WARNING - Disabling this process will prevent access to SOC and other important web interfaces and APIs. Re-enabling the process is a manual effort. Do not change this setting without instruction from Security Onion support.
forcedType: bool
advanced: True advanced: True
helpLink: nginx helpLink: nginx.html
external_suricata: external_suricata:
description: Enable this to allow external access to Suricata Rulesets managed by Detections. description: Enable this to allow external access to Suricata Rulesets managed by Detections.
advanced: True advanced: True
helpLink: nginx helplink: nginx.html
forcedType: bool forcedType: bool
ssl: ssl:
replace_cert: replace_cert:
@@ -16,33 +15,33 @@ nginx:
advanced: True advanced: True
forcedType: bool forcedType: bool
title: Replace Default Cert title: Replace Default Cert
helpLink: nginx helpLink: nginx.html
ssl__key: ssl__key:
description: If you enabled the replace_cert option, paste the contents of your .key file here. description: If you enabled the replace_cert option, paste the contents of your .key file here.
file: True file: True
title: SSL/TLS Key File title: SSL/TLS Key File
advanced: True advanced: True
global: True global: True
helpLink: nginx helpLink: nginx.html
ssl__crt: ssl__crt:
description: If you enabled the replace_cert option, paste the contents of your .crt file here. description: If you enabled the replace_cert option, paste the contents of your .crt file here.
file: True file: True
title: SSL/TLS Cert File title: SSL/TLS Cert File
advanced: True advanced: True
global: True global: True
helpLink: nginx helpLink: nginx.html
alt_names: alt_names:
description: Provide a list of alternate names to allow remote systems the ability to refer to the SOC API as another hostname. description: Provide a list of alternate names to allow remote systems the ability to refer to the SOC API as another hostname.
global: True global: True
forcedType: '[]string' forcedType: '[]string'
multiline: True multiline: True
helpLink: nginx helpLink: nginx.html
config: config:
throttle_login_burst: throttle_login_burst:
description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow. description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow.
global: True global: True
helpLink: nginx helpLink: nginx.html
throttle_login_rate: throttle_login_rate:
description: Number of login API requests per minute that can be processed without triggering a rate limit. Higher values allow more repeated login attempts. Requests are counted by unique client IP and averaged over time. Note that a single login flow will perform multiple requests to the login API, so this value will need to be adjusted accordingly. description: Number of login API requests per minute that can be processed without triggering a rate limit. Higher values allow more repeated login attempts. Requests are counted by unique client IP and averaged over time. Note that a single login flow will perform multiple requests to the login API, so this value will need to be adjusted accordingly.
global: True global: True
helpLink: nginx helpLink: nginx.html

2
salt/ntp/soc_ntp.yaml
View File

@@ -3,4 +3,4 @@ ntp:
servers: servers:
description: NTP Server List description: NTP Server List
title: NTP Servers title: NTP Servers
helpLink: ntp helpLink: ntp.html

15
salt/patch/soc_patch.yaml
View File

@@ -2,20 +2,19 @@ patch:
os: os:
enabled: enabled:
description: Enable OS updates. WARNING - Disabling this setting will prevent important operating system updates from being applied on a scheduled basis. description: Enable OS updates. WARNING - Disabling this setting will prevent important operating system updates from being applied on a scheduled basis.
forcedType: bool helpLink: soup.html
helpLink: soup
schedule_to_run: schedule_to_run:
description: Currently running schedule for updates. description: Currently running schedule for updates.
helpLink: soup helpLink: soup.html
schedules: schedules:
auto: auto:
splay: &splayOptions splay: &splayOptions
description: Seconds to splay updates. description: Seconds to splay updates.
helpLink: soup helpLink: soup.html
schedule: schedule:
hours: hours:
description: Run the OS updates every X hours. description: Run the OS updates every X hours.
helpLink: soup helpLink: soup.html
monday: monday:
splay: *splayOptions splay: *splayOptions
schedule: schedule:
@@ -52,7 +51,7 @@ patch:
Monday: &dailyOptions Monday: &dailyOptions
description: List of times to apply OS patches daily. description: List of times to apply OS patches daily.
multiline: True multiline: True
helpLink: soup helpLink: soup.html
Tuesday: *dailyOptions Tuesday: *dailyOptions
Wednesday: *dailyOptions Wednesday: *dailyOptions
Thursday: *dailyOptions Thursday: *dailyOptions
@@ -65,7 +64,7 @@ patch:
Monday: &weekdayOptions Monday: &weekdayOptions
description: List of times for weekdays. description: List of times for weekdays.
multiline: True multiline: True
helpLink: soup helpLink: soup.html
Tuesday: *weekdayOptions Tuesday: *weekdayOptions
Wednesday: *weekdayOptions Wednesday: *weekdayOptions
Thursday: *weekdayOptions Thursday: *weekdayOptions
@@ -76,5 +75,5 @@ patch:
Saturday: &weekendOptions Saturday: &weekendOptions
description: List of times for weekend days. description: List of times for weekend days.
multiline: true multiline: true
helpLink: soup helpLink: soup.html
Sunday: *weekendOptions Sunday: *weekendOptions

22
salt/redis/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -21,9 +21,9 @@ so-redis:
- user: socore - user: socore
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-redis'].ip }} - ipv4_address: {{ DOCKER.containers['so-redis'].ip }}
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-redis'].port_bindings %} {% for BINDING in DOCKER.containers['so-redis'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
@@ -34,26 +34,26 @@ so-redis:
- /etc/pki/redis.crt:/certs/redis.crt:ro - /etc/pki/redis.crt:/certs/redis.crt:ro
- /etc/pki/redis.key:/certs/redis.key:ro - /etc/pki/redis.key:/certs/redis.key:ro
- /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
{% if DOCKERMERGED.containers['so-redis'].custom_bind_mounts %} {% if DOCKER.containers['so-redis'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-redis'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-redis'].extra_hosts %} {% if DOCKER.containers['so-redis'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-redis'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-redis'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-redis'].extra_env %} {% if DOCKER.containers['so-redis'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers['so-redis'].extra_env %} {% for XTRAENV in DOCKER.containers['so-redis'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-redis'].ulimits %} {% if DOCKER.containers['so-redis'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %} {% for ULIMIT in DOCKER.containers['so-redis'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

115
salt/redis/soc_redis.yaml
View File

@@ -1,19 +1,18 @@
redis: redis:
enabled: enabled:
description: Enables the log event in-memory buffering process. This process might already be disabled on some installation types. Disabling this process on distributed-capable grids can result in loss of log events. description: Enables the log event in-memory buffering process. This process might already be disabled on some installation types. Disabling this process on distributed-capable grids can result in loss of log events.
forcedType: bool helpLink: redis.html
helpLink: redis
config: config:
bind: bind:
description: The IP address to bind to. description: The IP address to bind to.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
protected-mode: protected-mode:
description: Force authentication to access redis. description: Force authentication to access redis.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
requirepass: requirepass:
description: Password for accessing Redis. description: Password for accessing Redis.
global: True global: True
@@ -22,262 +21,262 @@ redis:
description: TLS cert file location. description: TLS cert file location.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
tls-key-file: tls-key-file:
description: TLS key file location. description: TLS key file location.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
tls-ca-cert-file: tls-ca-cert-file:
description: TLS CA file location. description: TLS CA file location.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
tls-port: tls-port:
description: Port to use TLS encryption on. description: Port to use TLS encryption on.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
tls-auth-clients: tls-auth-clients:
description: Force TLS authentication. description: Force TLS authentication.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
port: port:
description: Non TLS port for Redis access. description: Non TLS port for Redis access.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
tcp-backlog: tcp-backlog:
description: Set the TCP backlog value. This is normally increasd in high request environments. description: Set the TCP backlog value. This is normally increasd in high request environments.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
timeout: timeout:
description: Time in seconds to close an idle connection. 0 to disable. description: Time in seconds to close an idle connection. 0 to disable.
global: True global: True
helpLink: redis helpLink: redis.html
tcp-keepalive: tcp-keepalive:
description: Time in seconds to send a keepalive. description: Time in seconds to send a keepalive.
global: True global: True
helpLink: redis helpLink: redis.html
tls-replication: tls-replication:
description: Enable TLS replication links. description: Enable TLS replication links.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
tls-protocols: tls-protocols:
description: List of acceptable TLS protocols separated by spaces. description: List of acceptable TLS protocols separated by spaces.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
tls-prefer-server-ciphers: tls-prefer-server-ciphers:
description: Prefer the server side ciphers. description: Prefer the server side ciphers.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
tls-session-caching: tls-session-caching:
description: Enable TLS session caching. description: Enable TLS session caching.
global: True global: True
helpLink: redis helpLink: redis.html
tls-session-cache-size: tls-session-cache-size:
description: The number of TLS sessions to cache. description: The number of TLS sessions to cache.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
tls-session-cache-timeout: tls-session-cache-timeout:
description: Timeout in seconds to cache TLS sessions. description: Timeout in seconds to cache TLS sessions.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
loglevel: loglevel:
description: Log verbosity level. description: Log verbosity level.
global: True global: True
helpLink: redis helpLink: redis.html
logfile: logfile:
description: Log file name. description: Log file name.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
syslog-enabled: syslog-enabled:
description: Enable syslog output. description: Enable syslog output.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
syslog-ident: syslog-ident:
description: Set the syslog identity. description: Set the syslog identity.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
syslog-facility: syslog-facility:
description: Set the syslog facility. description: Set the syslog facility.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
databases: databases:
description: Total amount of databases. description: Total amount of databases.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
always-show-logo: always-show-logo:
description: The amount of time that a write will wait before fsyncing. description: The amount of time that a write will wait before fsyncing.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
save: save:
'900': '900':
description: Set the amount of keys that need to change to save after 15 minutes. description: Set the amount of keys that need to change to save after 15 minutes.
global: True global: True
helpLink: redis helpLink: redis.html
'300': '300':
description: Set the amount of keys that need to change to save after 5 minutes. description: Set the amount of keys that need to change to save after 5 minutes.
global: True global: True
helpLink: redis helpLink: redis.html
'60': '60':
description: Set the amount of keys that need to change to save after 1 minute description: Set the amount of keys that need to change to save after 1 minute
global: True global: True
helpLink: redis helpLink: redis.html
stop-writes-on-bgsave-error: stop-writes-on-bgsave-error:
description: Stop writes to redis is there is an error with the save. description: Stop writes to redis is there is an error with the save.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
rdbcompression: rdbcompression:
description: Compress string objects with LZF. description: Compress string objects with LZF.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
rdbchecksum: rdbchecksum:
description: Enable checksum of rdb files. description: Enable checksum of rdb files.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
dbfilename: dbfilename:
description: Filename of the rdb saves. description: Filename of the rdb saves.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
acllog-max-len: acllog-max-len:
description: Maximum length of the ACL log. description: Maximum length of the ACL log.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
maxmemory: maxmemory:
description: Maximum memory for storing redis objects. description: Maximum memory for storing redis objects.
global: True global: True
helpLink: redis helpLink: redis.html
maxmemory-policy: maxmemory-policy:
description: The policy to use when maxmemory is reached. description: The policy to use when maxmemory is reached.
global: True global: True
helpLink: redis helpLink: redis.html
maxmemory-samples: maxmemory-samples:
description: maxmemory sample size. description: maxmemory sample size.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
lua-time-limit: lua-time-limit:
description: Maximum execution time of LUA scripts. description: Maximum execution time of LUA scripts.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
slowlog-log-slower-than: slowlog-log-slower-than:
description: Time in microseconds to write to the slow log. description: Time in microseconds to write to the slow log.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
slowlog-max-len: slowlog-max-len:
description: Maximum size of the slow log. description: Maximum size of the slow log.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
hash-max-ziplist-entries: hash-max-ziplist-entries:
description: Used for advanced performance tuning of Redis. description: Used for advanced performance tuning of Redis.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
hash-max-ziplist-value: hash-max-ziplist-value:
description: Used for advanced performance tuning of Redis. description: Used for advanced performance tuning of Redis.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
list-max-ziplist-size: list-max-ziplist-size:
description: Used for advanced performance tuning of Redis. description: Used for advanced performance tuning of Redis.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
list-compress-depth: list-compress-depth:
description: Depth for list compression. description: Depth for list compression.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
set-max-intset-entries: set-max-intset-entries:
description: Sets the limit on the size of the set in order to use the special memory saving encoding. description: Sets the limit on the size of the set in order to use the special memory saving encoding.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
zset-max-ziplist-entries: zset-max-ziplist-entries:
description: Used for advanced performance tuning of Redis. description: Used for advanced performance tuning of Redis.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
zset-max-ziplist-value: zset-max-ziplist-value:
description: Used for advanced performance tuning of Redis. description: Used for advanced performance tuning of Redis.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
hll-sparse-max-bytes: hll-sparse-max-bytes:
description: Used for advanced performance tuning of Redis. description: Used for advanced performance tuning of Redis.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
stream-node-max-bytes: stream-node-max-bytes:
description: Used for advanced performance tuning of Redis. description: Used for advanced performance tuning of Redis.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
stream-node-max-entries: stream-node-max-entries:
description: Used for advanced performance tuning of Redis. description: Used for advanced performance tuning of Redis.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
activerehashing: activerehashing:
description: Used for advanced performance tuning of Redis. description: Used for advanced performance tuning of Redis.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
client-output-buffer-limit: client-output-buffer-limit:
normal: normal:
description: Used for advanced performance tuning of Redis. description: Used for advanced performance tuning of Redis.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
replica: replica:
description: Used for advanced performance tuning of Redis. description: Used for advanced performance tuning of Redis.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
pubsub: pubsub:
description: Used for advanced performance tuning of Redis. description: Used for advanced performance tuning of Redis.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
hz: hz:
description: Used for advanced performance tuning of Redis. description: Used for advanced performance tuning of Redis.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
dynamic-hz: dynamic-hz:
description: Used for advanced performance tuning of Redis. description: Used for advanced performance tuning of Redis.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
rdb-save-incremental-fsync: rdb-save-incremental-fsync:
description: fsync redis data. description: fsync redis data.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html
jemalloc-bg-thread: jemalloc-bg-thread:
description: Jemalloc background thread for purging. description: Jemalloc background thread for purging.
global: True global: True
advanced: True advanced: True
helpLink: redis helpLink: redis.html

22
salt/registry/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
include: include:
- registry.ssl - registry.ssl
@@ -20,10 +20,10 @@ so-dockerregistry:
- hostname: so-registry - hostname: so-registry
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-dockerregistry'].ip }} - ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }}
- restart_policy: always - restart_policy: always
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-dockerregistry'].port_bindings %} {% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
@@ -32,28 +32,28 @@ so-dockerregistry:
- /nsm/docker-registry/docker:/var/lib/registry/docker:rw - /nsm/docker-registry/docker:/var/lib/registry/docker:rw
- /etc/pki/registry.crt:/etc/pki/registry.crt:ro - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
- /etc/pki/registry.key:/etc/pki/registry.key:ro - /etc/pki/registry.key:/etc/pki/registry.key:ro
{% if DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %} {% if DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %} {% if DOCKER.containers['so-dockerregistry'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-dockerregistry'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- client_timeout: 180 - client_timeout: 180
- environment: - environment:
- HOME=/root - HOME=/root
{% if DOCKERMERGED.containers['so-dockerregistry'].extra_env %} {% if DOCKER.containers['so-dockerregistry'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-dockerregistry'].extra_env %} {% for XTRAENV in DOCKER.containers['so-dockerregistry'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %} {% if DOCKER.containers['so-dockerregistry'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %} {% for ULIMIT in DOCKER.containers['so-dockerregistry'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

1
salt/registry/soc_registry.yaml
View File

@@ -1,5 +1,4 @@
registry: registry:
enabled: enabled:
description: Enables or disables the Docker registry on the manager node. WARNING - If this process is disabled the grid will malfunction and a manual effort may be needed to re-enable the setting. description: Enables or disables the Docker registry on the manager node. WARNING - If this process is disabled the grid will malfunction and a manual effort may be needed to re-enable the setting.
forcedType: bool
advanced: True advanced: True

6
salt/sensor/soc_sensor.yaml
View File

@@ -1,15 +1,15 @@
sensor: sensor:
interface: interface:
description: Main sensor monitoring interface. description: Main sensor monitoring interface.
helpLink: network-visibility helpLink: network.html
readonly: True readonly: True
mtu: mtu:
description: Maximum Transmission Unit (MTU) of the sensor monitoring interface. description: Maximum Transmission Unit (MTU) of the sensor monitoring interface.
helpLink: network-visibility helpLink: network.html
readonly: True readonly: True
channels: channels:
description: Set the size of the nic channels. This is rarely changed from 1 description: Set the size of the nic channels. This is rarely changed from 1
helpLink: network-visibility helpLink: network.html
forcedType: int forcedType: int
node: True node: True
advanced: True advanced: True

18
salt/sensoroni/enabled.sls
View File

@@ -4,7 +4,7 @@
# Elastic License 2.0. # Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
include: include:
@@ -23,26 +23,26 @@ so-sensoroni:
- /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro - /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
- /opt/so/log/sensoroni:/opt/sensoroni/logs:rw - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
- /nsm/suripcap/:/nsm/suripcap:rw - /nsm/suripcap/:/nsm/suripcap:rw
{% if DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %} {% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-sensoroni'].extra_hosts %} {% if DOCKER.containers['so-sensoroni'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-sensoroni'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-sensoroni'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-sensoroni'].extra_env %} {% if DOCKER.containers['so-sensoroni'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers['so-sensoroni'].extra_env %} {% for XTRAENV in DOCKER.containers['so-sensoroni'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-sensoroni'].ulimits %} {% if DOCKER.containers['so-sensoroni'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %} {% for ULIMIT in DOCKER.containers['so-sensoroni'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

134
salt/sensoroni/soc_sensoroni.yaml
View File

@@ -1,82 +1,80 @@
sensoroni: sensoroni:
enabled: enabled:
description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid. description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid.
forcedType: bool
advanced: True advanced: True
helpLink: grid helpLink: grid.html
config: config:
analyze: analyze:
enabled: enabled:
description: Enable or disable the analyzer. description: Enable or disable the analyzer.
forcedType: bool
advanced: True advanced: True
helpLink: cases helpLink: cases.html
timeout_ms: timeout_ms:
description: Timeout period for the analyzer. description: Timeout period for the analyzer.
advanced: True advanced: True
helpLink: cases helpLink: cases.html
parallel_limit: parallel_limit:
description: Parallel limit for the analyzer. description: Parallel limit for the analyzer.
advanced: True advanced: True
helpLink: cases helpLink: cases.html
export: export:
timeout_ms: timeout_ms:
description: Timeout period for the exporter to finish export-related tasks. description: Timeout period for the exporter to finish export-related tasks.
advanced: True advanced: True
helpLink: reports helpLink: reports.html
cache_refresh_interval_ms: cache_refresh_interval_ms:
description: Refresh interval for cache updates. Longer intervals result in less compute usage but risks stale data included in reports. description: Refresh interval for cache updates. Longer intervals result in less compute usage but risks stale data included in reports.
advanced: True advanced: True
helpLink: reports helpLink: reports.html
export_metric_limit: export_metric_limit:
description: Maximum number of metric values to include in each metric aggregation group. description: Maximum number of metric values to include in each metric aggregation group.
advanced: True advanced: True
helpLink: reports helpLink: reports.html
export_event_limit: export_event_limit:
description: Maximum number of events to include per event list. description: Maximum number of events to include per event list.
advanced: True advanced: True
helpLink: reports helpLink: reports.html
csv_separator: csv_separator:
description: Separator character to use for CSV exports. description: Separator character to use for CSV exports.
advanced: False advanced: False
helpLink: reports helpLink: reports.html
node_checkin_interval_ms: node_checkin_interval_ms:
description: Interval in ms to checkin to the soc_host. description: Interval in ms to checkin to the soc_host.
advanced: True advanced: True
helpLink: grid helpLink: grid.html
node_description: node_description:
description: Description of the specific node. description: Description of the specific node.
helpLink: grid helpLink: grid.html
node: True node: True
forcedType: string forcedType: string
sensoronikey: sensoronikey:
description: Shared key for sensoroni authentication. description: Shared key for sensoroni authentication.
helpLink: grid helpLink: grid.html
global: True global: True
sensitive: True sensitive: True
advanced: True advanced: True
soc_host: soc_host:
description: Host for sensoroni agents to connect to. description: Host for sensoroni agents to connect to.
helpLink: grid helpLink: grid.html
global: True global: True
advanced: True advanced: True
suripcap: suripcap:
pcapMaxCount: pcapMaxCount:
description: The maximum number of PCAP packets to extract from eligible PCAP files, for PCAP jobs. If there are issues fetching excessively large packet streams consider lowering this value to reduce the number of collected packets returned to the user interface. description: The maximum number of PCAP packets to extract from eligible PCAP files, for PCAP jobs. If there are issues fetching excessively large packet streams consider lowering this value to reduce the number of collected packets returned to the user interface.
helpLink: pcap helpLink: sensoroni.html
advanced: True advanced: True
analyzers: analyzers:
echotrail: echotrail:
api_key: api_key:
description: API key for the Echotrail analyzer. description: API key for the Echotrail analyzer.
helpLink: cases#configuring-analyzers helpLink: sensoroni.html
global: False global: False
sensitive: True sensitive: True
advanced: False advanced: False
forcedType: string forcedType: string
base_url: base_url:
description: Base URL for the Echotrail analyzer. description: Base URL for the Echotrail analyzer.
helpLink: cases#configuring-analyzers helpLink: sensoroni.html
global: False global: False
sensitive: False sensitive: False
advanced: False advanced: False
@@ -84,70 +82,70 @@ sensoroni:
elasticsearch: elasticsearch:
api_key: api_key:
description: API key for the Elasticsearch analyzer. description: API key for the Elasticsearch analyzer.
helpLink: cases#configuring-analyzers helpLink: sensoroni.html
global: False global: False
sensitive: True sensitive: True
advanced: True advanced: True
forcedType: string forcedType: string
base_url: base_url:
description: Connection URL for the Elasticsearch analyzer. description: Connection URL for the Elasticsearch analyzer.
helpLink: cases#configuring-analyzers helpLink: sensoroni.html
global: False global: False
sensitive: False sensitive: False
advanced: False advanced: False
forcedType: string forcedType: string
auth_user: auth_user:
description: Username for the Elasticsearch analyzer. description: Username for the Elasticsearch analyzer.
helpLink: cases#configuring-analyzers helpLink: sensoroni.html
global: False global: False
sensitive: False sensitive: False
advanced: False advanced: False
forcedType: string forcedType: string
auth_pwd: auth_pwd:
description: User password for the Elasticsearch analyzer. description: User password for the Elasticsearch analyzer.
helpLink: cases#configuring-analyzers helpLink: sensoroni.html
global: False global: False
sensitive: True sensitive: True
advanced: False advanced: False
forcedType: string forcedType: string
num_results: num_results:
description: Number of documents to return for the Elasticsearch analyzer. description: Number of documents to return for the Elasticsearch analyzer.
helpLink: cases#configuring-analyzers helpLink: sensoroni.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: string forcedType: string
index: index:
description: Search index for the Elasticsearch analyzer. description: Search index for the Elasticsearch analyzer.
helpLink: cases#configuring-analyzers helpLink: sensoroni.html
global: False global: False
sensitive: False sensitive: False
advanced: False advanced: False
forcedType: string forcedType: string
time_delta_minutes: time_delta_minutes:
description: Time (in minutes) to search back for the Elasticsearch analyzer. description: Time (in minutes) to search back for the Elasticsearch analyzer.
helpLink: cases#configuring-analyzers helpLink: sensoroni.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: int forcedType: int
timestamp_field_name: timestamp_field_name:
description: Specified name for a documents' timestamp field for the Elasticsearch analyzer. description: Specified name for a documents' timestamp field for the Elasticsearch analyzer.
helpLink: cases#configuring-analyzers helpLink: sensoroni.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: string forcedType: string
map: map:
description: Map between observable types and search field for the Elasticsearch analyzer. description: Map between observable types and search field for the Elasticsearch analyzer.
helpLink: cases#configuring-analyzers helpLink: sensoroni.html
global: False global: False
sensitive: False sensitive: False
advanced: False advanced: False
forcedType: string forcedType: string
cert_path: cert_path:
description: Path to a TLS certificate for the Elasticsearch analyzer. description: Path to a TLS certificate for the Elasticsearch analyzer.
helpLink: cases#configuring-analyzers helpLink: sensoroni.html
global: False global: False
sensitive: False sensitive: False
advanced: False advanced: False
@@ -155,14 +153,14 @@ sensoroni:
emailrep: emailrep:
api_key: api_key:
description: API key for the EmailRep analyzer. description: API key for the EmailRep analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: True sensitive: True
advanced: True advanced: True
forcedType: string forcedType: string
base_url: base_url:
description: Base URL for the EmailRep analyzer. description: Base URL for the EmailRep analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
@@ -170,21 +168,21 @@ sensoroni:
greynoise: greynoise:
api_key: api_key:
description: API key for the GreyNoise analyzer. description: API key for the GreyNoise analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: True sensitive: True
advanced: True advanced: True
forcedType: string forcedType: string
api_version: api_version:
description: API version for the GreyNoise analyzer. description: API version for the GreyNoise analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: string forcedType: string
base_url: base_url:
description: Base URL for the GreyNoise analyzer. description: Base URL for the GreyNoise analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
@@ -192,7 +190,7 @@ sensoroni:
localfile: localfile:
file_path: file_path:
description: File path for the LocalFile analyzer. description: File path for the LocalFile analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
@@ -200,7 +198,7 @@ sensoroni:
malwarebazaar: malwarebazaar:
api_key: api_key:
description: API key for the malwarebazaar analyzer. description: API key for the malwarebazaar analyzer.
helpLink: cases#configuring-analyzers helpLink: sensoroni.html
global: False global: False
sensitive: True sensitive: True
advanced: False advanced: False
@@ -208,14 +206,14 @@ sensoroni:
otx: otx:
api_key: api_key:
description: API key for the OTX analyzer. description: API key for the OTX analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: True sensitive: True
advanced: True advanced: True
forcedType: string forcedType: string
base_url: base_url:
description: Base URL for the OTX analyzer. description: Base URL for the OTX analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
@@ -223,14 +221,14 @@ sensoroni:
pulsedive: pulsedive:
api_key: api_key:
description: API key for the Pulsedive analyzer. description: API key for the Pulsedive analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: True sensitive: True
advanced: True advanced: True
forcedType: string forcedType: string
base_url: base_url:
description: Base URL for the Pulsedive analyzer. description: Base URL for the Pulsedive analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
@@ -238,14 +236,14 @@ sensoroni:
spamhaus: spamhaus:
lookup_host: lookup_host:
description: Host to use for lookups. description: Host to use for lookups.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: string forcedType: string
nameservers: nameservers:
description: Nameservers used for queries. description: Nameservers used for queries.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
multiline: True multiline: True
@@ -254,35 +252,35 @@ sensoroni:
sublime_platform: sublime_platform:
api_key: api_key:
description: API key for the Sublime Platform analyzer. description: API key for the Sublime Platform analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: True sensitive: True
advanced: True advanced: True
forcedType: string forcedType: string
base_url: base_url:
description: Base URL for the Sublime Platform analyzer. description: Base URL for the Sublime Platform analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: string forcedType: string
live_flow: live_flow:
description: Determines if live flow analysis is used. description: Determines if live flow analysis is used.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: bool forcedType: bool
mailbox_email_address: mailbox_email_address:
description: Source mailbox address used for live flow analysis. description: Source mailbox address used for live flow analysis.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: string forcedType: string
message_source_id: message_source_id:
description: ID of the message source used for live flow analysis. description: ID of the message source used for live flow analysis.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
@@ -290,7 +288,7 @@ sensoroni:
threatfox: threatfox:
api_key: api_key:
description: API key for the threatfox analyzer. description: API key for the threatfox analyzer.
helpLink: cases#configuring-analyzers helpLink: sensoroni.html
global: False global: False
sensitive: True sensitive: True
advanced: False advanced: False
@@ -298,35 +296,35 @@ sensoroni:
urlscan: urlscan:
api_key: api_key:
description: API key for the Urlscan analyzer. description: API key for the Urlscan analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: True sensitive: True
advanced: True advanced: True
forcedType: string forcedType: string
base_url: base_url:
description: Base URL for the Urlscan analyzer. description: Base URL for the Urlscan analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: string forcedType: string
enabled: enabled:
description: Analyzer enabled description: Analyzer enabled
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: bool forcedType: bool
timeout: timeout:
description: Timeout for the Urlscan analyzer. description: Timeout for the Urlscan analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: int forcedType: int
visibility: visibility:
description: Type of visibility. description: Type of visibility.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
@@ -334,7 +332,7 @@ sensoroni:
urlhaus: urlhaus:
api_key: api_key:
description: API key for the urlhaus analyzer. description: API key for the urlhaus analyzer.
helpLink: cases#configuring-analyzers helpLink: sensoroni.html
global: False global: False
sensitive: True sensitive: True
advanced: False advanced: False
@@ -342,14 +340,14 @@ sensoroni:
virustotal: virustotal:
api_key: api_key:
description: API key for the VirusTotal analyzer. description: API key for the VirusTotal analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: True sensitive: True
advanced: True advanced: True
forcedType: string forcedType: string
base_url: base_url:
description: Base URL for the VirusTotal analyzer. description: Base URL for the VirusTotal analyzer.
helpLink: cases helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
@@ -364,21 +362,21 @@ sensoroni:
file: True file: True
global: True global: True
syntax: md syntax: md
helpLink: reports helpLink: reports.html
productivity_report__md: productivity_report__md:
title: Productivity Report Template title: Productivity Report Template
description: The template used when generating a comprehensive productivity report. Supports markdown format. description: The template used when generating a comprehensive productivity report. Supports markdown format.
file: True file: True
global: True global: True
syntax: md syntax: md
helpLink: reports helpLink: reports.html
assistant_session_report__md: assistant_session_report__md:
title: Assistant Session Report Template title: Assistant Session Report Template
description: The template used when generating an assistant session report. Supports markdown format. description: The template used when generating an assistant session report. Supports markdown format.
file: True file: True
global: True global: True
syntax: md syntax: md
helpLink: reports helplink: reports.html
custom: custom:
generic_report1__md: generic_report1__md:
title: Custom Report 1 title: Custom Report 1
@@ -386,63 +384,63 @@ sensoroni:
file: True file: True
global: True global: True
syntax: md syntax: md
helpLink: reports helpLink: reports.html
generic_report2__md: generic_report2__md:
title: Custom Report 2 title: Custom Report 2
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True file: True
global: True global: True
syntax: md syntax: md
helpLink: reports helpLink: reports.html
generic_report3__md: generic_report3__md:
title: Custom Report 3 title: Custom Report 3
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True file: True
global: True global: True
syntax: md syntax: md
helpLink: reports helpLink: reports.html
generic_report4__md: generic_report4__md:
title: Custom Report 4 title: Custom Report 4
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True file: True
global: True global: True
syntax: md syntax: md
helpLink: reports helpLink: reports.html
generic_report5__md: generic_report5__md:
title: Custom Report 5 title: Custom Report 5
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True file: True
global: True global: True
syntax: md syntax: md
helpLink: reports helpLink: reports.html
generic_report6__md: generic_report6__md:
title: Custom Report 6 title: Custom Report 6
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True file: True
global: True global: True
syntax: md syntax: md
helpLink: reports helpLink: reports.html
generic_report7__md: generic_report7__md:
title: Custom Report 7 title: Custom Report 7
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True file: True
global: True global: True
syntax: md syntax: md
helpLink: reports helpLink: reports.html
generic_report8__md: generic_report8__md:
title: Custom Report 8 title: Custom Report 8
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True file: True
global: True global: True
syntax: md syntax: md
helpLink: reports helpLink: reports.html
generic_report9__md: generic_report9__md:
title: Custom Report 9 title: Custom Report 9
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True file: True
global: True global: True
syntax: md syntax: md
helpLink: reports helpLink: reports.html
addl_generic_report__md: addl_generic_report__md:
title: Additional Custom Report title: Additional Custom Report
description: A duplicatable custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. This is an unsupported feature due to the inability to edit duplicated reports via the SOC app. description: A duplicatable custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. This is an unsupported feature due to the inability to edit duplicated reports via the SOC app.
@@ -451,4 +449,4 @@ sensoroni:
global: True global: True
syntax: md syntax: md
duplicates: True duplicates: True
helpLink: reports helpLink: reports.html

4
salt/soc/defaults.map.jinja
View File

@@ -5,7 +5,7 @@
{% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %} {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED -%} {% from 'docker/docker.map.jinja' import DOCKER -%}
{% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %} {% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
{% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %} {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
@@ -32,7 +32,7 @@
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %} {% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
{% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %} {% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
{% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %} {% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %}

16
salt/soc/defaults.yaml
View File

@@ -584,18 +584,6 @@ soc:
- destination.port - destination.port
- event.action - event.action
- tunnel.type - tunnel.type
'::websocket':
- soc_timestamp
- event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- websocket.host
- websocket.uri
- websocket.user_agent
- log.id.uid
- network.community_id
'::weird': '::weird':
- soc_timestamp - soc_timestamp
- event.dataset - event.dataset
@@ -1691,8 +1679,8 @@ soc:
client: client:
docsUrl: /docs/ docsUrl: /docs/
cheatsheetUrl: /docs/cheatsheet.pdf cheatsheetUrl: /docs/cheatsheet.pdf
releaseNotesUrl: /docs/release-notes releaseNotesUrl: /docs/release-notes.html
apiTimeoutMs: apiTimeoutMs: 300000
webSocketTimeoutMs: 15000 webSocketTimeoutMs: 15000
tipTimeoutMs: 6000 tipTimeoutMs: 6000
cacheExpirationMs: 300000 cacheExpirationMs: 300000

18
salt/soc/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %} {% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
{% from 'soc/merged.map.jinja' import SOCMERGED %} {% from 'soc/merged.map.jinja' import SOCMERGED %}
@@ -22,7 +22,7 @@ so-soc:
- name: so-soc - name: so-soc
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-soc'].ip }} - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
- binds: - binds:
- /nsm/rules:/nsm/rules:rw - /nsm/rules:/nsm/rules:rw
- /opt/so/conf/strelka:/opt/sensoroni/yara:rw - /opt/so/conf/strelka:/opt/sensoroni/yara:rw
@@ -63,24 +63,24 @@ so-soc:
- {{hostname}}:{{ip}} - {{hostname}}:{{ip}}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{% if DOCKERMERGED.containers['so-soc'].extra_hosts %} {% if DOCKER.containers['so-soc'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-soc'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-soc'].port_bindings %} {% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKERMERGED.containers['so-soc'].extra_env %} {% if DOCKER.containers['so-soc'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers['so-soc'].extra_env %} {% for XTRAENV in DOCKER.containers['so-soc'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-soc'].ulimits %} {% if DOCKER.containers['so-soc'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-soc'].ulimits %} {% for ULIMIT in DOCKER.containers['so-soc'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

2
salt/soc/files/soc/motd.md
View File

@@ -18,7 +18,7 @@ For more coverage of your enterprise, you can deploy the Elastic Agent to endpoi
## What's New ## What's New
To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes) link. To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes.html) link.
## Security Onion Pro ## Security Onion Pro

75
salt/soc/soc_soc.yaml
View File

@@ -1,13 +1,12 @@
soc: soc:
enabled: enabled:
description: Enables or disables SOC. WARNING - Disabling this setting is unsupported and will cause the grid to malfunction. Re-enabling this setting is a manual effort via SSH. description: Enables or disables SOC. WARNING - Disabling this setting is unsupported and will cause the grid to malfunction. Re-enabling this setting is a manual effort via SSH.
forcedType: bool
advanced: True advanced: True
telemetryEnabled: telemetryEnabled:
title: SOC Telemetry title: SOC Telemetry
description: When this setting is enabled and the grid is not in airgap mode, SOC will provide feature usage data to the Security Onion development team via Google Analytics. This data helps Security Onion developers determine which product features are being used and can also provide insight into improving the user interface. When changing this setting, wait for the grid to fully synchronize and then perform a hard browser refresh on SOC, to force the browser cache to update and reflect the new setting. description: When this setting is enabled and the grid is not in airgap mode, SOC will provide feature usage data to the Security Onion development team via Google Analytics. This data helps Security Onion developers determine which product features are being used and can also provide insight into improving the user interface. When changing this setting, wait for the grid to fully synchronize and then perform a hard browser refresh on SOC, to force the browser cache to update and reflect the new setting.
global: True global: True
helpLink: telemetry helpLink: telemetry.html
files: files:
soc: soc:
banner__md: banner__md:
@@ -16,28 +15,28 @@ soc:
file: True file: True
global: True global: True
syntax: md syntax: md
helpLink: security-onion-console-customization helpLink: soc-customization.html
motd__md: motd__md:
title: Overview Page title: Overview Page
description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the user's browser. description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the user's browser.
file: True file: True
global: True global: True
syntax: md syntax: md
helpLink: security-onion-console-customization helpLink: soc-customization.html
custom__js: custom__js:
title: Custom Javascript title: Custom Javascript
description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades. description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades.
file: True file: True
global: True global: True
advanced: True advanced: True
helpLink: security-onion-console-customization helpLink: soc-customization.html
custom_roles: custom_roles:
title: Custom Roles title: Custom Roles
description: Customize role and permission mappings. Changing this setting requires a complete understanding of the SOC RBAC system. description: Customize role and permission mappings. Changing this setting requires a complete understanding of the SOC RBAC system.
file: True file: True
global: True global: True
advanced: True advanced: True
helpLink: security-onion-console-customization helpLink: soc-customization.html
sigma_final_pipeline__yaml: sigma_final_pipeline__yaml:
title: Final Sigma Pipeline title: Final Sigma Pipeline
description: Final Processing Pipeline for Sigma Rules. description: Final Processing Pipeline for Sigma Rules.
@@ -45,7 +44,7 @@ soc:
file: True file: True
global: True global: True
advanced: True advanced: True
helpLink: security-onion-console-customization helpLink: soc-customization.html
config: config:
licenseKey: licenseKey:
title: License Key title: License Key
@@ -184,7 +183,7 @@ soc:
enableReverseLookup: enableReverseLookup:
description: "Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. To add your own local lookups, create a CSV file at /nsm/custom-mappings/ip-descriptions.csv on your Manager and populate the file with IP addresses and descriptions as follows: IP, Description. Elasticsearch will then ingest the CSV during the next high state." description: "Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. To add your own local lookups, create a CSV file at /nsm/custom-mappings/ip-descriptions.csv on your Manager and populate the file with IP addresses and descriptions as follows: IP, Description. Elasticsearch will then ingest the CSV during the next high state."
global: True global: True
helpLink: security-onion-console-customization#reverse-dns helpLink: soc-customization.html#reverse-dns
modules: modules:
elastalertengine: elastalertengine:
aiRepoUrl: aiRepoUrl:
@@ -206,7 +205,7 @@ soc:
title: "Notifications: Sev 0/Default Alerters" title: "Notifications: Sev 0/Default Alerters"
description: "Specify default alerters to enable for outbound notifications. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key." description: "Specify default alerters to enable for outbound notifications. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
global: True global: True
helpLink: notifications helpLink: notifications.html
forcedType: "[]string" forcedType: "[]string"
multiline: True multiline: True
additionalSev0AlertersParams: additionalSev0AlertersParams:
@@ -215,14 +214,14 @@ soc:
global: True global: True
multiline: True multiline: True
syntax: yaml syntax: yaml
helpLink: notifications helpLink: notifications.html
forcedType: string forcedType: string
jinjaEscaped: True jinjaEscaped: True
additionalSev1Alerters: additionalSev1Alerters:
title: "Notifications: Sev 1/Informational Alerters" title: "Notifications: Sev 1/Informational Alerters"
description: "Specify specific alerters to use when alerting at the info severity level or higher. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key." description: "Specify specific alerters to use when alerting at the info severity level or higher. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
global: True global: True
helpLink: notifications helpLink: notifications.html
forcedType: "[]string" forcedType: "[]string"
multiline: True multiline: True
additionalSev1AlertersParams: additionalSev1AlertersParams:
@@ -231,14 +230,14 @@ soc:
global: True global: True
multiline: True multiline: True
syntax: yaml syntax: yaml
helpLink: notifications helpLink: notifications.html
forcedType: string forcedType: string
jinjaEscaped: True jinjaEscaped: True
additionalSev2Alerters: additionalSev2Alerters:
title: "Notifications: Sev 2/Low Alerters" title: "Notifications: Sev 2/Low Alerters"
description: "Specify specific alerters to use when alerting at the low severity level or higher. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key." description: "Specify specific alerters to use when alerting at the low severity level or higher. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
global: True global: True
helpLink: notifications helpLink: notifications.html
forcedType: "[]string" forcedType: "[]string"
multiline: True multiline: True
additionalSev2AlertersParams: additionalSev2AlertersParams:
@@ -247,14 +246,14 @@ soc:
global: True global: True
multiline: True multiline: True
syntax: yaml syntax: yaml
helpLink: notifications helpLink: notifications.html
forcedType: string forcedType: string
jinjaEscaped: True jinjaEscaped: True
additionalSev3Alerters: additionalSev3Alerters:
title: "Notifications: Sev 3/Medium Alerters" title: "Notifications: Sev 3/Medium Alerters"
description: "Specify specific alerters to use when alerting at the medium severity level or higher. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key." description: "Specify specific alerters to use when alerting at the medium severity level or higher. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
global: True global: True
helpLink: notifications helpLink: notifications.html
forcedType: "[]string" forcedType: "[]string"
multiline: True multiline: True
additionalSev3AlertersParams: additionalSev3AlertersParams:
@@ -263,14 +262,14 @@ soc:
global: True global: True
multiline: True multiline: True
syntax: yaml syntax: yaml
helpLink: notifications helpLink: notifications.html
forcedType: string forcedType: string
jinjaEscaped: True jinjaEscaped: True
additionalSev4Alerters: additionalSev4Alerters:
title: "Notifications: Sev 4/High Alerters" title: "Notifications: Sev 4/High Alerters"
description: "Specify specific alerters to use when alerting at the high severity level or critical severity level. These alerters will be used unless overridden by critical severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key." description: "Specify specific alerters to use when alerting at the high severity level or critical severity level. These alerters will be used unless overridden by critical severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
global: True global: True
helpLink: notifications helpLink: notifications.html
forcedType: "[]string" forcedType: "[]string"
multiline: True multiline: True
additionalSev4AlertersParams: additionalSev4AlertersParams:
@@ -279,14 +278,14 @@ soc:
global: True global: True
multiline: True multiline: True
syntax: yaml syntax: yaml
helpLink: notifications helpLink: notifications.html
forcedType: string forcedType: string
jinjaEscaped: True jinjaEscaped: True
additionalSev5Alerters: additionalSev5Alerters:
title: "Notifications: Sev 5/Critical Alerters" title: "Notifications: Sev 5/Critical Alerters"
description: "Specify specific alerters to use when alerting at the critical severity level. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key." description: "Specify specific alerters to use when alerting at the critical severity level. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
global: True global: True
helpLink: notifications helpLink: notifications.html
forcedType: "[]string" forcedType: "[]string"
multiline: True multiline: True
additionalSev5AlertersParams: additionalSev5AlertersParams:
@@ -295,14 +294,14 @@ soc:
global: True global: True
multiline: True multiline: True
syntax: yaml syntax: yaml
helpLink: notifications helpLink: notifications.html
forcedType: string forcedType: string
jinjaEscaped: True jinjaEscaped: True
additionalUserDefinedNotifications: additionalUserDefinedNotifications:
customAlerters: customAlerters:
description: "Specify custom notification alerters to use when the Sigma rule contains the following tag: so.alerters.customAlerters. This setting can be duplicated to create new custom alerter configurations. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key." description: "Specify custom notification alerters to use when the Sigma rule contains the following tag: so.alerters.customAlerters. This setting can be duplicated to create new custom alerter configurations. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
global: True global: True
helpLink: notifications helpLink: notifications.html
forcedType: "[]string" forcedType: "[]string"
duplicates: True duplicates: True
multiline: True multiline: True
@@ -311,7 +310,7 @@ soc:
global: True global: True
multiline: True multiline: True
syntax: yaml syntax: yaml
helpLink: notifications helpLink: notifications.html
duplicates: True duplicates: True
forcedType: string forcedType: string
jinjaEscaped: True jinjaEscaped: True
@@ -319,7 +318,7 @@ soc:
default: &enabledSigmaRules default: &enabledSigmaRules
description: 'Sigma rules to automatically enable on initial import. The format is a YAML list, with the ability to filter for ruleset, level, product, category and service. Refer to the documentation for further details. These will be applied based on role if defined and default if not.' description: 'Sigma rules to automatically enable on initial import. The format is a YAML list, with the ability to filter for ruleset, level, product, category and service. Refer to the documentation for further details. These will be applied based on role if defined and default if not.'
global: True global: True
helpLink: sigma helpLink: sigma.html
multiline: True multiline: True
syntax: yaml syntax: yaml
forcedType: string forcedType: string
@@ -331,7 +330,7 @@ soc:
description: 'DEPRECATED: Will be removed in a future release - use enabledSigmaRules instead.' description: 'DEPRECATED: Will be removed in a future release - use enabledSigmaRules instead.'
global: True global: True
advanced: True advanced: True
helpLink: sigma helpLink: sigma.html
so-eval: *autoEnabledSigmaRules so-eval: *autoEnabledSigmaRules
so-import: *autoEnabledSigmaRules so-import: *autoEnabledSigmaRules
autoUpdateEnabled: autoUpdateEnabled:
@@ -342,7 +341,7 @@ soc:
description: 'How often to check for new Sigma rules (in seconds). This applies to both Community Rule Packages and any configured Git repos.' description: 'How often to check for new Sigma rules (in seconds). This applies to both Community Rule Packages and any configured Git repos.'
global: True global: True
advanced: True advanced: True
helpLink: sigma helpLink: sigma.html
integrityCheckFrequencySeconds: integrityCheckFrequencySeconds:
description: 'How often the ElastAlert integrity checker runs (in seconds). This verifies the integrity of deployed rules.' description: 'How often the ElastAlert integrity checker runs (in seconds). This verifies the integrity of deployed rules.'
global: True global: True
@@ -353,7 +352,7 @@ soc:
global: True global: True
advanced: True advanced: True
forcedType: "[]{}" forcedType: "[]{}"
helpLink: sigma helpLink: sigma.html
syntax: json syntax: json
uiElements: uiElements:
- field: rulesetName - field: rulesetName
@@ -376,7 +375,7 @@ soc:
description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). Once you have changed the ruleset here, the new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by nagivating to Detections --> Options dropdown menu --> Elastalert --> Full Update. WARNING! Changing the ruleset will remove all existing non-overlapping Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.' description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). Once you have changed the ruleset here, the new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by nagivating to Detections --> Options dropdown menu --> Elastalert --> Full Update. WARNING! Changing the ruleset will remove all existing non-overlapping Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.'
global: True global: True
advanced: False advanced: False
helpLink: sigma helpLink: sigma.html
elastic: elastic:
index: index:
description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records. description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.
@@ -485,12 +484,12 @@ soc:
description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara' description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
global: True global: True
advanced: True advanced: True
helpLink: sigma helpLink: sigma.html
communityRulesImportFrequencySeconds: communityRulesImportFrequencySeconds:
description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.' description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.'
global: True global: True
advanced: True advanced: True
helpLink: yara helpLink: yara.html
integrityCheckFrequencySeconds: integrityCheckFrequencySeconds:
description: 'How often the Strelka integrity checker runs (in seconds). This verifies the integrity of deployed rules.' description: 'How often the Strelka integrity checker runs (in seconds). This verifies the integrity of deployed rules.'
global: True global: True
@@ -501,7 +500,7 @@ soc:
global: True global: True
advanced: True advanced: True
forcedType: "[]{}" forcedType: "[]{}"
helpLink: yara helpLink: yara.html
syntax: json syntax: json
uiElements: uiElements:
- field: rulesetName - field: rulesetName
@@ -544,7 +543,7 @@ soc:
description: 'How often to check for new Suricata rules (in seconds).' description: 'How often to check for new Suricata rules (in seconds).'
global: True global: True
advanced: True advanced: True
helpLink: suricata helpLink: suricata.html
disableRegex: disableRegex:
description: A list of regular expressions used to automatically disable rules that match any of them. Each regular expression is tested against the rule's content. description: A list of regular expressions used to automatically disable rules that match any of them. Each regular expression is tested against the rule's content.
global: True global: True
@@ -563,20 +562,20 @@ soc:
advanced: True advanced: True
forcedType: "[]{}" forcedType: "[]{}"
readonly: True readonly: True
helpLink: suricata helpLink: suricata.html
ignoredSidRanges: ignoredSidRanges:
description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI. Each line should contain 1 range in the format "1100000-1200000". The ranges are treated as inclusive.' description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI. Each line should contain 1 range in the format "1100000-1200000". The ranges are treated as inclusive.'
global: True global: True
advanced: True advanced: True
forcedType: "[]string" forcedType: "[]string"
helpLink: detections#rule-engine-status helpLink: detections.html#rule-engine-status
rulesetSources: rulesetSources:
default: &serulesetSources default: &serulesetSources
description: "Ruleset sources for Suricata rules. Supports URL downloads and local directories. Refer to the linked documentation for details on how to configure this setting." description: "Ruleset sources for Suricata rules. Supports URL downloads and local directories. Refer to the linked documentation for details on how to configure this setting."
global: True global: True
advanced: False advanced: False
forcedType: "[]{}" forcedType: "[]{}"
helpLink: suricata helpLink: suricata.html
syntax: json syntax: json
uiElements: uiElements:
- field: name - field: name
@@ -632,11 +631,11 @@ soc:
intervalMinutes: intervalMinutes:
description: How often to generate the Navigator Layers. (minutes) description: How often to generate the Navigator Layers. (minutes)
global: True global: True
helpLink: attack-navigator helpLink: attack-navigator.html
lookbackDays: lookbackDays:
description: How far back to search for ATT&CK-tagged alerts. (days) description: How far back to search for ATT&CK-tagged alerts. (days)
global: True global: True
helpLink: attack-navigator helpLink: attack-navigator.html
playbook: playbook:
playbookRepos: playbookRepos:
default: &pbRepos default: &pbRepos
@@ -671,7 +670,7 @@ soc:
global: True global: True
advanced: True advanced: True
forcedType: "[]{}" forcedType: "[]{}"
helpLink: onion-ai helpLink: assistant.html
syntax: json syntax: json
uiElements: uiElements:
- field: name - field: name
@@ -736,7 +735,7 @@ soc:
global: True global: True
advanced: True advanced: True
forcedType: "[]{}" forcedType: "[]{}"
helpLink: onion-ai helpLink: assistant.html
syntax: json syntax: json
uiElements: uiElements:
- field: id - field: id

20
salt/strelka/backend/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -18,32 +18,32 @@ strelka_backend:
- binds: - binds:
- /opt/so/conf/strelka/backend/:/etc/strelka/:ro - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
- /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro - /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro
{% if DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %} {% if DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- name: so-strelka-backend - name: so-strelka-backend
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-backend'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
- command: strelka-backend - command: strelka-backend
- extra_hosts: - extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %} {% if DOCKER.containers['so-strelka-backend'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-strelka-backend'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-strelka-backend'].extra_env %} {% if DOCKER.containers['so-strelka-backend'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-backend'].extra_env %} {% for XTRAENV in DOCKER.containers['so-strelka-backend'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %} {% if DOCKER.containers['so-strelka-backend'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %} {% for ULIMIT in DOCKER.containers['so-strelka-backend'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

22
salt/strelka/coordinator/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -18,35 +18,35 @@ strelka_coordinator:
- name: so-strelka-coordinator - name: so-strelka-coordinator
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-coordinator'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
- entrypoint: redis-server --save "" --appendonly no - entrypoint: redis-server --save "" --appendonly no
- extra_hosts: - extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %} {% if DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-strelka-coordinator'].port_bindings %} {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %} {% if DOCKER.containers['so-strelka-coordinator'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %} {% for XTRAENV in DOCKER.containers['so-strelka-coordinator'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- binds: - binds:
- /nsm/strelka/coord-redis-data:/data:rw - /nsm/strelka/coord-redis-data:/data:rw
{% if DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %} {% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %} {% if DOCKER.containers['so-strelka-coordinator'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %} {% for ULIMIT in DOCKER.containers['so-strelka-coordinator'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

20
salt/strelka/filestream/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -18,32 +18,32 @@ strelka_filestream:
- binds: - binds:
- /opt/so/conf/strelka/filestream/:/etc/strelka/:ro - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
- /nsm/strelka:/nsm/strelka - /nsm/strelka:/nsm/strelka
{% if DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %} {% if DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- name: so-strelka-filestream - name: so-strelka-filestream
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-filestream'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
- command: strelka-filestream - command: strelka-filestream
- extra_hosts: - extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %} {% if DOCKER.containers['so-strelka-filestream'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-strelka-filestream'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-strelka-filestream'].extra_env %} {% if DOCKER.containers['so-strelka-filestream'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-filestream'].extra_env %} {% for XTRAENV in DOCKER.containers['so-strelka-filestream'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %} {% if DOCKER.containers['so-strelka-filestream'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %} {% for ULIMIT in DOCKER.containers['so-strelka-filestream'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

22
salt/strelka/frontend/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -18,8 +18,8 @@ strelka_frontend:
- binds: - binds:
- /opt/so/conf/strelka/frontend/:/etc/strelka/:ro - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
- /nsm/strelka/log/:/var/log/strelka/:rw - /nsm/strelka/log/:/var/log/strelka/:rw
{% if DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %} {% if DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -27,28 +27,28 @@ strelka_frontend:
- name: so-strelka-frontend - name: so-strelka-frontend
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-frontend'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
- command: strelka-frontend - command: strelka-frontend
- extra_hosts: - extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %} {% if DOCKER.containers['so-strelka-frontend'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-strelka-frontend'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-strelka-frontend'].port_bindings %} {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKERMERGED.containers['so-strelka-frontend'].extra_env %} {% if DOCKER.containers['so-strelka-frontend'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-frontend'].extra_env %} {% for XTRAENV in DOCKER.containers['so-strelka-frontend'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %} {% if DOCKER.containers['so-strelka-frontend'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-frontend'].ulimits %} {% for ULIMIT in DOCKER.containers['so-strelka-frontend'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

22
salt/strelka/gatekeeper/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -18,35 +18,35 @@ strelka_gatekeeper:
- name: so-strelka-gatekeeper - name: so-strelka-gatekeeper
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-gatekeeper'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
- entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
- extra_hosts: - extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %} {% if DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-strelka-gatekeeper'].port_bindings %} {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
- /nsm/strelka/gk-redis-data:/data:rw - /nsm/strelka/gk-redis-data:/data:rw
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %} {% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %} {% if DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %} {% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %} {% if DOCKER.containers['so-strelka-gatekeeper'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %} {% for ULIMIT in DOCKER.containers['so-strelka-gatekeeper'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

20
salt/strelka/manager/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -17,32 +17,32 @@ strelka_manager:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }} - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
- binds: - binds:
- /opt/so/conf/strelka/manager/:/etc/strelka/:ro - /opt/so/conf/strelka/manager/:/etc/strelka/:ro
{% if DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %} {% if DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- name: so-strelka-manager - name: so-strelka-manager
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-manager'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
- command: strelka-manager - command: strelka-manager
- extra_hosts: - extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %} {% if DOCKER.containers['so-strelka-manager'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-strelka-manager'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-strelka-manager'].extra_env %} {% if DOCKER.containers['so-strelka-manager'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-manager'].extra_env %} {% for XTRAENV in DOCKER.containers['so-strelka-manager'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %} {% if DOCKER.containers['so-strelka-manager'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %} {% for ULIMIT in DOCKER.containers['so-strelka-manager'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

179
salt/strelka/soc_strelka.yaml
View File

@@ -2,74 +2,73 @@ strelka:
backend: backend:
enabled: enabled:
description: Enables or disables the Strelka file analysis process. description: Enables or disables the Strelka file analysis process.
forcedType: bool helpLink: strelka.html
helpLink: strelka
config: config:
backend: backend:
logging_cfg: logging_cfg:
description: Path to the Python logging configuration. description: Path to the Python logging configuration.
readonly: True readonly: True
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
limits: limits:
max_files: max_files:
description: Number of files the backend will process before shutting down. description: Number of files the backend will process before shutting down.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
time_to_live: time_to_live:
description: Amount of time (in seconds) that the backend will run before shutting down (0 to disable). description: Amount of time (in seconds) that the backend will run before shutting down (0 to disable).
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
max_depth: max_depth:
description: Maximum depth that extracted files will be processed by the backend. description: Maximum depth that extracted files will be processed by the backend.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
distribution: distribution:
description: Amount of time (in seconds) that a single file can be distributed to all scanners. description: Amount of time (in seconds) that a single file can be distributed to all scanners.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
scanner: scanner:
description: Amount of time (in seconds) that a scanner can spend scanning a file (can be overridden per scanner). description: Amount of time (in seconds) that a scanner can spend scanning a file (can be overridden per scanner).
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
coordinator: coordinator:
addr: addr:
description: Network address of the coordinator. description: Network address of the coordinator.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
db: db:
description: Redis database of the coordinator. description: Redis database of the coordinator.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
tasting: tasting:
mime_db: mime_db:
description: Location of the MIME database used to taste files. description: Location of the MIME database used to taste files.
readonly: True readonly: True
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
yara_rules: yara_rules:
description: Location of the directory of YARA files that contains rules used to taste files. description: Location of the directory of YARA files that contains rules used to taste files.
readonly: True readonly: True
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
scanners: scanners:
'ScanBase64PE': &scannerOptions 'ScanBase64PE': &scannerOptions
description: Configuration options for this scanner. description: Configuration options for this scanner.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
forcedType: "[]{}" forcedType: "[]{}"
syntax: json syntax: json
@@ -140,7 +139,7 @@ strelka:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
formatters: formatters:
simple: simple:
@@ -148,13 +147,13 @@ strelka:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
datefmt: datefmt:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
handlers: handlers:
console: console:
@@ -162,32 +161,32 @@ strelka:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
formatter: formatter:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
stream: stream:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
root: root:
level: level:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
handlers: handlers:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
loggers: loggers:
OpenSSL: OpenSSL:
@@ -195,433 +194,425 @@ strelka:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
bs4: bs4:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
bz2: bz2:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
chardet: chardet:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
docx: docx:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
elftools: elftools:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
email: email:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
entropy: entropy:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
esprima: esprima:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
gzip: gzip:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
hashlib: hashlib:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
json: json:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
libarchive: libarchive:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
lxml: lxml:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
lzma: lzma:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
macholibre: macholibre:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
olefile: olefile:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
oletools: oletools:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
pdfminer: pdfminer:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
pefile: pefile:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
pgpdump: pgpdump:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
pygments: pygments:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
pylzma: pylzma:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
rarfile: rarfile:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
requests: requests:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
rpmfile: rpmfile:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
ssdeep: ssdeep:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
tarfile: tarfile:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
tnefparse: tnefparse:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
yara: yara:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
zipfile: zipfile:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
zlib: zlib:
propagate: propagate:
description: This is an advanced option for Strelka logging. description: This is an advanced option for Strelka logging.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
passwords: passwords:
description: Passwords that will be stored in the password_file used in scanner options. description: Passwords that will be stored in the password_file used in scanner options.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
multiline: True multiline: True
filestream: filestream:
enabled: enabled:
description: You can enable or disable Strelka filestream. description: You can enable or disable Strelka filestream.
forcedType: bool helpLink: strelka.html
helpLink: strelka
config: config:
conn: conn:
server: server:
description: Network address of the frontend server. description: Network address of the frontend server.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
cert: cert:
description: Local path to the frontend SSL server certificate. description: Local path to the frontend SSL server certificate.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
timeout: timeout:
dial: dial:
description: Amount of time to wait for the client to dial the server. description: Amount of time to wait for the client to dial the server.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
file: file:
description: Amount of time to wait for an individual file to complete a scan. description: Amount of time to wait for an individual file to complete a scan.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
throughput: throughput:
concurrency: concurrency:
description: Number of concurrent requests to make. description: Number of concurrent requests to make.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
chunk: chunk:
description: Size of file chunks that will be sent to the frontend server. description: Size of file chunks that will be sent to the frontend server.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
delay: delay:
description: Artificial sleep between the submission of each chunk. description: Artificial sleep between the submission of each chunk.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
files: files:
patterns: patterns:
description: List of glob patterns that determine which files will be sent for scanning. description: List of glob patterns that determine which files will be sent for scanning.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
delete: delete:
description: Boolean that determines if files should be deleted after being sent for scanning. description: Boolean that determines if files should be deleted after being sent for scanning.
forcedType: bool
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
gatekeeper: gatekeeper:
description: Boolean that determines if events should be pulled from the temporary event cache. description: Boolean that determines if events should be pulled from the temporary event cache.
forcedType: bool
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
processed: processed:
description: Directory where files will be moved after being submitted for scanning. description: Directory where files will be moved after being submitted for scanning.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
response: response:
report: report:
description: Frequency at which the frontend reports the number of files processed. description: Frequency at which the frontend reports the number of files processed.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
delta: delta:
description: Time value that determines how much time must pass since a file was last modified before it is sent for scanning. description: Time value that determines how much time must pass since a file was last modified before it is sent for scanning.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
staging: staging:
description: Directory where files are staged before being sent to the cluster. description: Directory where files are staged before being sent to the cluster.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
frontend: frontend:
enabled: enabled:
description: You can enable or disable Strelka frontend. description: You can enable or disable Strelka frontend.
forcedType: bool helpLink: strelka.html
helpLink: strelka
config: config:
server: server:
description: Network address of the frontend server. description: Network address of the frontend server.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
coordinator: coordinator:
addr: addr:
description: Network address of the coordinator. description: Network address of the coordinator.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
db: db:
description: Redis database of the coordinator. description: Redis database of the coordinator.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
gatekeeper: gatekeeper:
addr: addr:
description: Network address of the gatekeeper. description: Network address of the gatekeeper.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
db: db:
description: Redis database of the gatekeeper. description: Redis database of the gatekeeper.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
ttl: ttl:
description: Time-to-live for events added to the gatekeeper. description: Time-to-live for events added to the gatekeeper.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
response: response:
log: log:
description: Location where worker scan results are logged to. description: Location where worker scan results are logged to.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
manager: manager:
enabled: enabled:
description: You can enable or disable Strelka manager. description: You can enable or disable Strelka manager.
forcedType: bool helpLink: strelka.html
helpLink: strelka
config: config:
coordinator: coordinator:
addr: addr:
description: Network address of the coordinator. description: Network address of the coordinator.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
db: db:
description: Redis database of the coordinator. description: Redis database of the coordinator.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
coordinator: coordinator:
enabled: enabled:
description: You can enable or disable Strelka coordinator. description: You can enable or disable Strelka coordinator.
forcedType: bool helpLink: strelka.html
helpLink: strelka
gatekeeper: gatekeeper:
enabled: enabled:
description: You can enable or disable Strelka gatekeeper. description: You can enable or disable Strelka gatekeeper.
forcedType: bool helpLink: strelka.html
helpLink: strelka
rules: rules:
enabled: enabled:
description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes. description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes.
forcedType: bool
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: False advanced: False
filecheck: filecheck:
historypath: historypath:
description: The path for previously scanned files. description: The path for previously scanned files.
readonly: True readonly: True
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
strelkapath: strelkapath:
description: The path for unprocessed files. description: The path for unprocessed files.
readonly: True readonly: True
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True
logfile: logfile:
description: The path for the filecheck log. description: The path for the filecheck log.
readonly: False readonly: False
global: False global: False
helpLink: strelka helpLink: strelka.html
advanced: True advanced: True

184
salt/suricata/defaults.yaml
View File

@@ -1,20 +1,20 @@
suricata: suricata:
enabled: False enabled: False
pcap: pcap:
enabled: false enabled: "no"
filesize: 1000mb filesize: 1000mb
maxsize: 25 maxsize: 25
compression: "none" compression: "none"
lz4-checksum: false lz4-checksum: "no"
lz4-level: 8 lz4-level: 8
filename: "%n/so-pcap.%t" filename: "%n/so-pcap.%t"
mode: "multi" mode: "multi"
use-stream-depth: false use-stream-depth: "no"
conditional: "all" conditional: "all"
dir: "/nsm/suripcap" dir: "/nsm/suripcap"
config: config:
threading: threading:
set-cpu-affinity: false set-cpu-affinity: "no"
cpu-affinity: cpu-affinity:
management-cpu-set: management-cpu-set:
cpu: cpu:
@@ -29,17 +29,17 @@ suricata:
interface: bond0 interface: bond0
cluster-id: 59 cluster-id: 59
cluster-type: cluster_flow cluster-type: cluster_flow
defrag: true defrag: "yes"
use-mmap: true use-mmap: "yes"
mmap-locked: false mmap-locked: "no"
threads: 1 threads: 1
tpacket-v3: true tpacket-v3: "yes"
ring-size: 5000 ring-size: 5000
block-size: 69632 block-size: 69632
block-timeout: 10 block-timeout: 10
use-emergency-flush: true use-emergency-flush: "yes"
buffer-size: 32768 buffer-size: 32768
disable-promisc: false disable-promisc: "no"
checksum-checks: kernel checksum-checks: kernel
vars: vars:
address-groups: address-groups:
@@ -105,15 +105,15 @@ suricata:
- 6081 - 6081
default-log-dir: /var/log/suricata/ default-log-dir: /var/log/suricata/
stats: stats:
enabled: true enabled: "yes"
interval: 30 interval: 30
outputs: outputs:
fast: fast:
enabled: false enabled: "no"
filename: fast.log filename: fast.log
append: true append: "yes"
eve-log: eve-log:
enabled: true enabled: "yes"
filetype: regular filetype: regular
filename: /nsm/eve-%Y-%m-%d-%H:%M.json filename: /nsm/eve-%Y-%m-%d-%H:%M.json
rotate-interval: hour rotate-interval: hour
@@ -122,104 +122,104 @@ suricata:
community-id-seed: 0 community-id-seed: 0
types: types:
alert: alert:
payload: false payload: "no"
payload-buffer-size: 4kb payload-buffer-size: 4kb
payload-printable: true payload-printable: "yes"
packet: true packet: "yes"
metadata: metadata:
app-layer: false app-layer: false
flow: false flow: false
rule: rule:
metadata: true metadata: true
raw: true raw: true
tagged-packets: false tagged-packets: "no"
xff: xff:
enabled: false enabled: "no"
mode: extra-data mode: extra-data
deployment: reverse deployment: reverse
header: X-Forwarded-For header: X-Forwarded-For
unified2-alert: unified2-alert:
enabled: false enabled: "no"
tls-store: tls-store:
enabled: false enabled: "no"
alert-debug: alert-debug:
enabled: false enabled: "no"
alert-prelude: alert-prelude:
enabled: false enabled: "no"
stats: stats:
enabled: true enabled: "yes"
filename: stats.log filename: stats.log
append: true append: "yes"
totals: true totals: "yes"
threads: false threads: "no"
null-values: true null-values: "yes"
drop: drop:
enabled: false enabled: "no"
file-store: file-store:
version: 2 version: 2
enabled: false enabled: "no"
xff: xff:
enabled: false enabled: "no"
mode: extra-data mode: extra-data
deployment: reverse deployment: reverse
header: X-Forwarded-For header: X-Forwarded-For
tcp-data: tcp-data:
enabled: false enabled: "no"
type: file type: file
filename: tcp-data.log filename: tcp-data.log
http-body-data: http-body-data:
enabled: false enabled: "no"
type: file type: file
filename: http-data.log filename: http-data.log
lua: lua:
enabled: false enabled: "no"
scripts: scripts:
logging: logging:
default-log-level: notice default-log-level: notice
outputs: outputs:
- console: - console:
enabled: true enabled: "yes"
- file: - file:
enabled: true enabled: "yes"
level: info level: info
filename: suricata.log filename: suricata.log
- syslog: - syslog:
enabled: false enabled: "no"
facility: local5 facility: local5
format: "[%i] <%d> -- " format: "[%i] <%d> -- "
app-layer: app-layer:
protocols: protocols:
krb5: krb5:
enabled: true enabled: "yes"
snmp: snmp:
enabled: true enabled: "yes"
ikev2: ikev2:
enabled: true enabled: "yes"
tls: tls:
enabled: true enabled: "yes"
detection-ports: detection-ports:
dp: 443 dp: 443
ja3-fingerprints: auto ja3-fingerprints: auto
ja4-fingerprints: auto ja4-fingerprints: auto
encryption-handling: track-only encryption-handling: track-only
dcerpc: dcerpc:
enabled: true enabled: "yes"
ftp: ftp:
enabled: true enabled: "yes"
rdp: rdp:
enabled: true enabled: "yes"
ssh: ssh:
enabled: true enabled: "yes"
smtp: smtp:
enabled: true enabled: "yes"
raw-extraction: false raw-extraction: "no"
mime: mime:
decode-mime: true decode-mime: "yes"
decode-base64: true decode-base64: "yes"
decode-quoted-printable: true decode-quoted-printable: "yes"
header-value-depth: 2000 header-value-depth: 2000
extract-urls: true extract-urls: "yes"
body-md5: false body-md5: "no"
inspected-tracker: inspected-tracker:
content-limit: 100000 content-limit: 100000
content-inspect-min-size: 32768 content-inspect-min-size: 32768
@@ -227,27 +227,27 @@ suricata:
imap: imap:
enabled: detection-only enabled: detection-only
smb: smb:
enabled: true enabled: "yes"
detection-ports: detection-ports:
dp: 139, 445 dp: 139, 445
nfs: nfs:
enabled: true enabled: "yes"
tftp: tftp:
enabled: true enabled: "yes"
dns: dns:
global-memcap: 16mb global-memcap: 16mb
state-memcap: 512kb state-memcap: 512kb
request-flood: 500 request-flood: 500
tcp: tcp:
enabled: true enabled: "yes"
detection-ports: detection-ports:
dp: 53 dp: 53
udp: udp:
enabled: true enabled: "yes"
detection-ports: detection-ports:
dp: 53 dp: 53
http: http:
enabled: true enabled: "yes"
libhtp: libhtp:
default-config: default-config:
personality: IDS personality: IDS
@@ -260,43 +260,43 @@ suricata:
response-body-decompress-layer-limit: 2 response-body-decompress-layer-limit: 2
http-body-inline: auto http-body-inline: auto
swf-decompression: swf-decompression:
enabled: false enabled: "no"
type: both type: both
compress-depth: 100 KiB compress-depth: 100 KiB
decompress-depth: 100 KiB decompress-depth: 100 KiB
randomize-inspection-sizes: true randomize-inspection-sizes: "yes"
randomize-inspection-range: 10 randomize-inspection-range: 10
double-decode-path: false double-decode-path: "no"
double-decode-query: false double-decode-query: "no"
server-config: server-config:
modbus: modbus:
enabled: true enabled: "yes"
detection-ports: detection-ports:
dp: 502 dp: 502
stream-depth: 0 stream-depth: 0
dnp3: dnp3:
enabled: true enabled: "yes"
detection-ports: detection-ports:
dp: 20000 dp: 20000
enip: enip:
enabled: true enabled: "yes"
detection-ports: detection-ports:
dp: 44818 dp: 44818
sp: 44818 sp: 44818
ntp: ntp:
enabled: true enabled: "yes"
dhcp: dhcp:
enabled: true enabled: "yes"
sip: sip:
enabled: true enabled: "yes"
rfb: rfb:
enabled: true enabled: 'yes'
detection-ports: detection-ports:
dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
mqtt: mqtt:
enabled: false enabled: 'no'
http2: http2:
enabled: true enabled: 'yes'
asn1-max-frames: 256 asn1-max-frames: 256
run-as: run-as:
user: suricata user: suricata
@@ -312,8 +312,8 @@ suricata:
legacy: legacy:
uricontent: enabled uricontent: enabled
engine-analysis: engine-analysis:
rules-fast-pattern: true rules-fast-pattern: "yes"
rules: true rules: "yes"
pcre: pcre:
match-limit: 3500 match-limit: 3500
match-limit-recursion: 1500 match-limit-recursion: 1500
@@ -336,7 +336,7 @@ suricata:
hash-size: 65536 hash-size: 65536
trackers: 65535 trackers: 65535
max-frags: 65535 max-frags: 65535
prealloc: true prealloc: "yes"
timeout: 60 timeout: 60
flow: flow:
memcap: 128mb memcap: 128mb
@@ -380,14 +380,14 @@ suricata:
emergency-bypassed: 50 emergency-bypassed: 50
stream: stream:
memcap: 64mb memcap: 64mb
checksum-validation: true checksum-validation: "yes"
inline: auto inline: auto
reassembly: reassembly:
memcap: 256mb memcap: 256mb
depth: 1mb depth: 1mb
toserver-chunk-size: 2560 toserver-chunk-size: 2560
toclient-chunk-size: 2560 toclient-chunk-size: 2560
randomize-chunk-size: true randomize-chunk-size: "yes"
host: host:
hash-size: 4096 hash-size: 4096
prealloc: 1000 prealloc: 1000
@@ -432,38 +432,38 @@ suricata:
allow-restricted-functions: false allow-restricted-functions: false
profiling: profiling:
rules: rules:
enabled: true enabled: "yes"
filename: rule_perf.log filename: rule_perf.log
append: true append: "yes"
limit: 10 limit: 10
json: true json: "yes"
keywords: keywords:
enabled: true enabled: "yes"
filename: keyword_perf.log filename: keyword_perf.log
append: true append: "yes"
prefilter: prefilter:
enabled: true enabled: "yes"
filename: prefilter_perf.log filename: prefilter_perf.log
append: true append: "yes"
rulegroups: rulegroups:
enabled: true enabled: "yes"
filename: rule_group_perf.log filename: rule_group_perf.log
append: true append: "yes"
packets: packets:
enabled: true enabled: "yes"
filename: packet_stats.log filename: packet_stats.log
append: true append: "yes"
csv: csv:
enabled: false enabled: "no"
filename: packet_stats.csv filename: packet_stats.csv
locks: locks:
enabled: false enabled: "no"
filename: lock_stats.log filename: lock_stats.log
append: true append: "yes"
pcap-log: pcap-log:
enabled: false enabled: "no"
filename: pcaplog_stats.log filename: pcaplog_stats.log
append: true append: "yes"
default-rule-path: /etc/suricata/rules default-rule-path: /etc/suricata/rules
rule-files: rule-files:
- all-rulesets.rules - all-rulesets.rules

19
salt/suricata/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'suricata/map.jinja' import SURICATAMERGED %} {% from 'suricata/map.jinja' import SURICATAMERGED %}
@@ -20,14 +20,15 @@ so-suricata:
- privileged: True - privileged: True
- environment: - environment:
- INTERFACE={{ GLOBALS.sensor.interface }} - INTERFACE={{ GLOBALS.sensor.interface }}
{% if DOCKERMERGED.containers['so-suricata'].extra_env %} {% if DOCKER.containers['so-suricata'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-suricata'].extra_env %} {% for XTRAENV in DOCKER.containers['so-suricata'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-suricata'].ulimits %} {# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #}
{% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %} {% for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -41,15 +42,15 @@ so-suricata:
- /nsm/suricata/extracted:/var/log/suricata//filestore:rw - /nsm/suricata/extracted:/var/log/suricata//filestore:rw
- /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
- /nsm/suripcap/:/nsm/suripcap:rw - /nsm/suripcap/:/nsm/suripcap:rw
{% if DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %} {% if DOCKER.containers['so-suricata'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- network_mode: host - network_mode: host
{% if DOCKERMERGED.containers['so-suricata'].extra_hosts %} {% if DOCKER.containers['so-suricata'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-suricata'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-suricata'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

16
salt/suricata/map.jinja
View File

@@ -43,18 +43,22 @@
- interface: {{ GLOBALS.sensor.interface }} - interface: {{ GLOBALS.sensor.interface }}
cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }} cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }} cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
defrag: {{ SURICATAMERGED.config['af-packet'].defrag }} defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}"
use-mmap: {{ SURICATAMERGED.config['af-packet']['use-mmap'] }} use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}"
mmap-locked: {{ SURICATAMERGED.config['af-packet']['mmap-locked'] }} mmap-locked: "{{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}"
threads: {{ SURICATAMERGED.config['af-packet'].threads }} threads: {{ SURICATAMERGED.config['af-packet'].threads }}
tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }} tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}"
ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }} ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }} block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }}
block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }} block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }}
use-emergency-flush: {{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }} use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}"
buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }} buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }}
disable-promisc: {{ SURICATAMERGED.config['af-packet']['disable-promisc'] }} disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}"
{% if SURICATAMERGED.config['af-packet']['checksum-checks'] in ['yes', 'no'] %}
checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"
{% else %}
checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }} checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}
{% endif %}
{% endload %} {% endload %}
{% do SURICATAMERGED.config.pop('af-packet') %} {% do SURICATAMERGED.config.pop('af-packet') %}
{% do SURICATAMERGED.config.update({'af-packet': afpacket}) %} {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}

239
salt/suricata/soc_suricata.yaml
View File

@@ -1,8 +1,7 @@
suricata: suricata:
enabled: enabled:
description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture. description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture.
forcedType: bool helpLink: suricata.html
helpLink: suricata
thresholding: thresholding:
sids__yaml: sids__yaml:
description: Threshold SIDS List. This setting is readonly; Use the Detections screen to modify rules. description: Threshold SIDS List. This setting is readonly; Use the Detections screen to modify rules.
@@ -11,7 +10,7 @@ suricata:
global: True global: True
multiline: True multiline: True
title: SIDS title: SIDS
helpLink: suricata helpLink: suricata.html
readonlyUi: True readonlyUi: True
advanced: True advanced: True
classification: classification:
@@ -21,84 +20,83 @@ suricata:
global: True global: True
multiline: True multiline: True
title: Classifications title: Classifications
helpLink: suricata helpLink: suricata.html
pcap: pcap:
enabled: enabled:
description: Enables or disables the Suricata packet recording process. description: Enables or disables the Suricata packet recording process.
forcedType: bool forcedType: bool
helpLink: suricata helpLink: suricata.html
filesize: filesize:
description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time. description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
advanced: True advanced: True
helpLink: suricata helpLink: suricata.html
maxsize: maxsize:
description: Maximum size in GB for total disk usage of all PCAP files written by Suricata. description: Maximum size in GB for total disk usage of all PCAP files written by Suricata.
helpLink: suricata helpLink: suricata.html
compression: compression:
description: Enable compression of Suricata PCAP files. description: Enable compression of Suricata PCAP files.
advanced: True advanced: True
helpLink: suricata helpLink: suricata.html
lz4-checksum: lz4-checksum:
description: Enable PCAP lz4 checksum. description: Enable PCAP lz4 checksum.
forcedType: bool
advanced: True advanced: True
helpLink: suricata helpLink: suricata.html
lz4-level: lz4-level:
description: lz4 compression level of PCAP files. Set to 0 for no compression. Set to 16 for maximum compression. description: lz4 compression level of PCAP files. Set to 0 for no compression. Set to 16 for maximum compression.
advanced: True advanced: True
helpLink: suricata helpLink: suricata.html
filename: filename:
description: Filename output for Suricata PCAP files. description: Filename output for Suricata PCAP files.
advanced: True advanced: True
readonly: True readonly: True
helpLink: suricata helpLink: suricata.html
mode: mode:
description: Suricata PCAP mode. Currently only multi is supported. description: Suricata PCAP mode. Currently only multi is supported.
advanced: True advanced: True
readonly: True readonly: True
helpLink: suricata helpLink: suricata.html
use-stream-depth: use-stream-depth:
description: Set to false to ignore the stream depth and capture the entire flow. Set to true to truncate the flow based on the stream depth. description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth.
forcedType: bool
advanced: True advanced: True
helpLink: suricata regex: ^(yes|no)$
regexFailureMessage: You must enter either yes or no.
helpLink: suricata.html
conditional: conditional:
description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules. description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
regex: ^(all|alerts|tag)$ regex: ^(all|alerts|tag)$
regexFailureMessage: You must enter either all, alert or tag. regexFailureMessage: You must enter either all, alert or tag.
helpLink: suricata helpLink: suricata.html
dir: dir:
description: Parent directory to store PCAP. description: Parent directory to store PCAP.
advanced: True advanced: True
readonly: True readonly: True
helpLink: suricata helpLink: suricata.html
config: config:
af-packet: af-packet:
interface: interface:
description: The network interface that Suricata will monitor. This is set under sensor > interface. description: The network interface that Suricata will monitor. This is set under sensor > interface.
advanced: True advanced: True
readonly: True readonly: True
helpLink: suricata helpLink: suricata.html
cluster-id: cluster-id:
advanced: True advanced: True
cluster-type: cluster-type:
advanced: True advanced: True
regex: ^(cluster_flow|cluster_qm)$ regex: ^(cluster_flow|cluster_qm)$
defrag: defrag:
description: Enable defragmentation of IP packets before processing.
forcedType: bool
advanced: True advanced: True
regex: ^(yes|no)$
use-mmap: use-mmap:
advanced: True advanced: True
readonly: True readonly: True
mmap-locked: mmap-locked:
description: Prevent swapping by locking the memory map. description: Prevent swapping by locking the memory map.
forcedType: bool
advanced: True advanced: True
helpLink: suricata regex: ^(yes|no)$
helpLink: suricata.html
threads: threads:
description: The amount of worker threads. description: The amount of worker threads.
helpLink: suricata helpLink: suricata.html
forcedType: int forcedType: int
tpacket-v3: tpacket-v3:
advanced: True advanced: True
@@ -106,71 +104,68 @@ suricata:
ring-size: ring-size:
description: Buffer size for packets per thread. description: Buffer size for packets per thread.
forcedType: int forcedType: int
helpLink: suricata helpLink: suricata.html
block-size: block-size:
description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size. description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size.
advanced: True advanced: True
forcedType: int forcedType: int
helpLink: suricata helpLink: suricata.html
block-timeout: block-timeout:
description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace. description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace.
advanced: True advanced: True
forcedType: int forcedType: int
helpLink: suricata helpLink: suricata.html
use-emergency-flush: use-emergency-flush:
description: In high-traffic environments, enabling this option aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected. description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
forcedType: bool
advanced: True advanced: True
helpLink: suricata regex: ^(yes|no)$
helpLink: suricata.html
buffer-size: buffer-size:
description: Increasing the value of the receive buffer may improve performance. description: Increasing the value of the receive buffer may improve performance.
advanced: True advanced: True
forcedType: int forcedType: int
helpLink: suricata helpLink: suricata.html
disable-promisc: disable-promisc:
description: Disable promiscuous mode on the capture interface. description: Promiscuous mode can be disabled by setting this to "yes".
forcedType: bool
advanced: True advanced: True
helpLink: suricata regex: ^(yes|no)$
helpLink: suricata.html
checksum-checks: checksum-checks:
description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading." description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
advanced: True advanced: True
options: regex: ^(kernel|yes|no|auto)$
- kernel helpLink: suricata.html
- yes
- no
- auto
helpLink: suricata
threading: threading:
set-cpu-affinity: set-cpu-affinity:
description: Bind or unbind management and worker threads to a core or range of cores. description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
forcedType: bool regex: ^(yes|no)$
helpLink: suricata regexFailureMessage: You must enter either yes or no.
helpLink: suricata.html
cpu-affinity: cpu-affinity:
management-cpu-set: management-cpu-set:
cpu: cpu:
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used. description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
forcedType: "[]string" forcedType: "[]string"
helpLink: suricata helpLink: suricata.html
worker-cpu-set: worker-cpu-set:
cpu: cpu:
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used. description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
forcedType: "[]string" forcedType: "[]string"
helpLink: suricata helpLink: suricata.html
vars: vars:
address-groups: address-groups:
HOME_NET: HOME_NET:
description: Assign a list of hosts, or networks, using CIDR notation, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable. description: Assign a list of hosts, or networks, using CIDR notation, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
regex: ^!?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^!?((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$ regex: ^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?))|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$
regexFailureMessage: You must enter a valid IP address or CIDR. regexFailureMessage: You must enter a valid IP address or CIDR.
forcedType: "[]string" forcedType: "[]string"
duplicates: True duplicates: True
helpLink: suricata helpLink: suricata.html
EXTERNAL_NET: &suriaddressgroup EXTERNAL_NET: &suriaddressgroup
description: Assign a list of hosts, or networks, or other customization, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable. description: Assign a list of hosts, or networks, or other customization, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
forcedType: "[]string" forcedType: "[]string"
duplicates: True duplicates: True
helpLink: suricata helpLink: suricata.html
HTTP_SERVERS: *suriaddressgroup HTTP_SERVERS: *suriaddressgroup
SMTP_SERVERS: *suriaddressgroup SMTP_SERVERS: *suriaddressgroup
SQL_SERVERS: *suriaddressgroup SQL_SERVERS: *suriaddressgroup
@@ -189,7 +184,7 @@ suricata:
description: Assign a list of network port numbers to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable. description: Assign a list of network port numbers to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
forcedType: "[]string" forcedType: "[]string"
duplicates: True duplicates: True
helpLink: suricata helpLink: suricata.html
SHELLCODE_PORTS: *suriportgroup SHELLCODE_PORTS: *suriportgroup
ORACLE_PORTS: *suriportgroup ORACLE_PORTS: *suriportgroup
SSH_PORTS: *suriportgroup SSH_PORTS: *suriportgroup
@@ -203,189 +198,109 @@ suricata:
GENEVE_PORTS: *suriportgroup GENEVE_PORTS: *suriportgroup
outputs: outputs:
eve-log: eve-log:
pcap-file:
description: Log the PCAP filename that a packet was read from when processing pcap files.
forcedType: bool
advanced: True
helpLink: suricata
community-id:
description: Enable Community ID flow hashing for consistent event correlation across tools.
forcedType: bool
advanced: True
helpLink: suricata
types: types:
alert: alert:
metadata:
app-layer:
description: Include app-layer metadata in alert events.
forcedType: bool
advanced: True
helpLink: suricata
flow:
description: Include flow metadata in alert events.
forcedType: bool
advanced: True
helpLink: suricata
rule:
metadata:
description: Include rule metadata in alert events.
forcedType: bool
advanced: True
helpLink: suricata
raw:
description: Include raw rule text in alert events.
forcedType: bool
advanced: True
helpLink: suricata
xff: xff:
enabled: enabled:
description: Enable X-Forward-For support. description: Enable X-Forward-For support.
forcedType: bool helpLink: suricata.html
helpLink: suricata
mode: mode:
description: Operation mode. This should always be extra-data if you use PCAP. description: Operation mode. This should always be extra-data if you use PCAP.
helpLink: suricata helpLink: suricata.html
deployment: deployment:
description: forward would use the first IP address and reverse would use the last. description: forward would use the first IP address and reverse would use the last.
helpLink: suricata helpLink: suricata.html
header: header:
description: Header name where the actual IP address will be reported. description: Header name where the actual IP address will be reported.
helpLink: suricata helpLink: suricata.html
asn1-max-frames: asn1-max-frames:
description: Maximum nuber of asn1 frames to decode. description: Maximum nuber of asn1 frames to decode.
helpLink: suricata helpLink: suricata.html
max-pending-packets: max-pending-packets:
description: Number of packets preallocated per thread. description: Number of packets preallocated per thread.
helpLink: suricata helpLink: suricata.html
default-packet-size: default-packet-size:
description: Preallocated size for each packet. description: Preallocated size for each packet.
helpLink: suricata helpLink: suricata.html
pcre: pcre:
match-limit: match-limit:
description: Match limit for PCRE. description: Match limit for PCRE.
helpLink: suricata helpLink: suricata.html
match-limit-recursion: match-limit-recursion:
description: Recursion limit for PCRE. description: Recursion limit for PCRE.
helpLink: suricata helpLink: suricata.html
defrag: defrag:
memcap: memcap:
description: Max memory to use for defrag. You should only change this if you know what you are doing. description: Max memory to use for defrag. You should only change this if you know what you are doing.
helpLink: suricata helpLink: suricata.html
hash-size: hash-size:
description: Hash size description: Hash size
helpLink: suricata helpLink: suricata.html
trackers: trackers:
description: Number of defragmented flows to follow. description: Number of defragmented flows to follow.
helpLink: suricata helpLink: suricata.html
max-frags: max-frags:
description: Max number of fragments to keep description: Max number of fragments to keep
helpLink: suricata helpLink: suricata.html
prealloc: prealloc:
description: Preallocate memory. description: Preallocate memory.
forcedType: bool helpLink: suricata.html
helpLink: suricata
timeout: timeout:
description: Timeout value. description: Timeout value.
helpLink: suricata helpLink: suricata.html
flow: flow:
memcap: memcap:
description: Reserverd memory for flows. description: Reserverd memory for flows.
helpLink: suricata helpLink: suricata.html
hash-size: hash-size:
description: Determines the size of the hash used to identify flows inside the engine. description: Determines the size of the hash used to identify flows inside the engine.
helpLink: suricata helpLink: suricata.html
prealloc: prealloc:
description: Number of preallocated flows. description: Number of preallocated flows.
helpLink: suricata helpLink: suricata.html
stream: stream:
memcap: memcap:
description: Can be specified in kb,mb,gb. description: Can be specified in kb,mb,gb.
helpLink: suricata helpLink: suricata.html
checksum-validation: checksum-validation:
description: Validate checksum of packets. description: Validate checksum of packets.
forcedType: bool helpLink: suricata.html
helpLink: suricata
reassembly: reassembly:
memcap: memcap:
description: Can be specified in kb,mb,gb. description: Can be specified in kb,mb,gb.
helpLink: suricata helpLink: suricata.html
depth: depth:
description: Controls how far into a stream that reassembly is done. description: Controls how far into a stream that reassembly is done.
helpLink: suricata helpLink: suricata.html
host: host:
hash-size: hash-size:
description: Hash size in bytes. description: Hash size in bytes.
helpLink: suricata helpLink: suricata.html
prealloc: prealloc:
description: How many streams to preallocate. description: How many streams to preallocate.
helpLink: suricata helpLink: suricata.html
memcap: memcap:
description: Memory settings for host. description: Memory settings for host.
helpLink: suricata helpLink: suricata.html
decoder: decoder:
teredo: teredo:
enabled: enabled:
description: Enable TEREDO capabilities description: Enable TEREDO capabilities
forcedType: bool helpLink: suricata.html
helpLink: suricata
ports: ports:
description: Ports to listen for. This should be a variable. description: Ports to listen for. This should be a variable.
helpLink: suricata helpLink: suricata.html
vxlan: vxlan:
enabled: enabled:
description: Enable VXLAN capabilities. description: Enable VXLAN capabilities.
forcedType: bool helpLink: suricata.html
helpLink: suricata
ports: ports:
description: Ports to listen for. This should be a variable. description: Ports to listen for. This should be a variable.
helpLink: suricata helpLink: suricata.html
geneve: geneve:
enabled: enabled:
description: Enable VXLAN capabilities. description: Enable VXLAN capabilities.
forcedType: bool helpLink: suricata.html
helpLink: suricata
ports: ports:
description: Ports to listen for. This should be a variable. description: Ports to listen for. This should be a variable.
helpLink: suricata helpLink: suricata.html
recursion-level:
use-for-tracking:
description: Controls whether the decoder recursion level is used for flow tracking.
forcedType: bool
advanced: True
helpLink: suricata
vlan:
use-for-tracking:
description: Enable VLAN tracking for flow identification. When enabled, VLAN tags are used to differentiate flows.
forcedType: bool
advanced: True
helpLink: suricata
detect:
profiling:
grouping:
dump-to-disk:
description: Dump detection engine grouping information to disk for analysis.
forcedType: bool
advanced: True
helpLink: suricata
include-rules:
description: Include individual rule details in grouping profiling output.
forcedType: bool
advanced: True
helpLink: suricata
include-mpm-stats:
description: Include multi-pattern matcher statistics in grouping profiling output.
forcedType: bool
advanced: True
helpLink: suricata
security:
lua:
allow-rules:
description: Allow Lua rules in the Suricata ruleset. Enabling Lua rules may introduce security risks.
forcedType: bool
advanced: True
helpLink: suricata
allow-restricted-functions:
description: Allow restricted Lua functions such as file I/O. Enabling this may introduce security risks.
forcedType: bool
advanced: True
helpLink: suricata

4
salt/telegraf/defaults.yaml
View File

@@ -7,8 +7,8 @@ telegraf:
collection_jitter: '0s' collection_jitter: '0s'
flush_interval: '10s' flush_interval: '10s'
flush_jitter: '0s' flush_jitter: '0s'
debug: false debug: 'false'
quiet: false quiet: 'false'
scripts: scripts:
eval: eval:
- agentstatus.sh - agentstatus.sh

18
salt/telegraf/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'telegraf/map.jinja' import TELEGRAFMERGED %} {% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
include: include:
@@ -25,8 +25,8 @@ so-telegraf:
- HOST_SYS=/host/sys - HOST_SYS=/host/sys
- HOST_MOUNT_PREFIX=/host - HOST_MOUNT_PREFIX=/host
- GODEBUG=x509ignoreCN=0 - GODEBUG=x509ignoreCN=0
{% if DOCKERMERGED.containers['so-telegraf'].extra_env %} {% if DOCKER.containers['so-telegraf'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-telegraf'].extra_env %} {% for XTRAENV in DOCKER.containers['so-telegraf'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -55,20 +55,20 @@ so-telegraf:
{% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %} {% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
- /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro - /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %} {% if DOCKER.containers['so-telegraf'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-telegraf'].extra_hosts %} {% if DOCKER.containers['so-telegraf'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-telegraf'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-telegraf'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-telegraf'].ulimits %} {% if DOCKER.containers['so-telegraf'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-telegraf'].ulimits %} {% for ULIMIT in DOCKER.containers['so-telegraf'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

4
salt/telegraf/etc/telegraf.conf
View File

@@ -56,9 +56,9 @@
## Logging configuration: ## Logging configuration:
## Run telegraf with debug log messages. ## Run telegraf with debug log messages.
debug = {{ 'true' if TELEGRAFMERGED.config.debug else 'false' }} debug = {{ TELEGRAFMERGED.config.debug }}
## Run telegraf in quiet mode (error log messages only). ## Run telegraf in quiet mode (error log messages only).
quiet = {{ 'true' if TELEGRAFMERGED.config.quiet else 'false'}} quiet = false
## Specify the log file name. The empty string means to log to stderr. ## Specify the log file name. The empty string means to log to stderr.
logfile = "/var/log/telegraf/telegraf.log" logfile = "/var/log/telegraf/telegraf.log"

29
salt/telegraf/soc_telegraf.yaml
View File

@@ -1,56 +1,55 @@
telegraf: telegraf:
enabled: enabled:
description: Enables the grid metrics collection process. WARNING - Security Onion grid health monitoring requires this process to remain enabled. Disabling it will cause unexpected and unsupported results. description: Enables the grid metrics collection process. WARNING - Security Onion grid health monitoring requires this process to remain enabled. Disabling it will cause unexpected and unsupported results.
forcedType: bool
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
config: config:
interval: interval:
description: Data collection interval. description: Data collection interval.
global: True global: True
helpLink: influxdb helpLink: influxdb.html
metric_batch_size: metric_batch_size:
description: Data collection batch size. description: Data collection batch size.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
metric_buffer_limit: metric_buffer_limit:
description: Data collection buffer size. description: Data collection buffer size.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
collection_jitter: collection_jitter:
description: Jitter of the flush interval. description: Jitter of the flush interval.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
flush_interval: flush_interval:
description: Flush interval for all outputs. description: Flush interval for all outputs.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
flush_jitter: flush_jitter:
description: Jitter the flush interval. description: Jitter the flush interval.
global: True global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
debug: debug:
description: Run telegraf with debug log messages description: Data collection interval.
forcedType: bool global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
quiet: quiet:
description: Run telegraf in quiet mode (error log messages only). description: Data collection interval.
forcedType: bool global: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
scripts: scripts:
eval: &telegrafscripts eval: &telegrafscripts
description: List of input.exec scripts to run for this node type. The script must be present in salt/telegraf/scripts. description: List of input.exec scripts to run for this node type. The script must be present in salt/telegraf/scripts.
forcedType: "[]string" forcedType: "[]string"
multiline: True multiline: True
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb.html
standalone: *telegrafscripts standalone: *telegrafscripts
manager: *telegrafscripts manager: *telegrafscripts
managersearch: *telegrafscripts managersearch: *telegrafscripts

6
salt/vars/globals.map.jinja
View File

@@ -1,5 +1,5 @@
{% import 'vars/init.map.jinja' as INIT %} {% import 'vars/init.map.jinja' as INIT %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'global/map.jinja' import GLOBALMERGED %} {% from 'global/map.jinja' import GLOBALMERGED %}
{% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #} {% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #}
@@ -25,8 +25,8 @@
'pcap_engine': GLOBALMERGED.pcapengine, 'pcap_engine': GLOBALMERGED.pcapengine,
'pipeline': GLOBALMERGED.pipeline, 'pipeline': GLOBALMERGED.pipeline,
'so_version': INIT.PILLAR.global.soversion, 'so_version': INIT.PILLAR.global.soversion,
'so_docker_gateway': DOCKERMERGED.gateway, 'so_docker_gateway': DOCKER.gateway,
'so_docker_range': DOCKERMERGED.range, 'so_docker_range': DOCKER.range,
'url_base': INIT.PILLAR.global.url_base, 'url_base': INIT.PILLAR.global.url_base,
'so_model': INIT.GRAINS.get('sosmodel',''), 'so_model': INIT.GRAINS.get('sosmodel',''),
'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey, 'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,

2
salt/versionlock/soc_versionlock.yaml
View File

@@ -4,4 +4,4 @@ versionlock:
global: True global: True
forcedType: "[]string" forcedType: "[]string"
multiline: True multiline: True
helpLink: soup#holding-os-updates helpLink: versionlock.html

2
salt/zeek/config.sls
View File

@@ -167,7 +167,7 @@ zeekja4cfg:
- group: 939 - group: 939
- template: jinja - template: jinja
- defaults: - defaults:
JA4PLUS: {{ ZEEKMERGED.ja4plus.enabled }} JA4PLUS_ENABLED: {{ ZEEKMERGED.ja4plus_enabled }}
# BPF compilation failed # BPF compilation failed
{% if ZEEKBPF and not ZEEK_BPF_STATUS %} {% if ZEEKBPF and not ZEEK_BPF_STATUS %}

3
salt/zeek/defaults.yaml
View File

@@ -1,7 +1,6 @@
zeek: zeek:
enabled: False enabled: False
ja4plus: ja4plus_enabled: False
enabled: False
config: config:
node: node:
lb_procs: 0 lb_procs: 0

18
salt/zeek/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'docker/docker.map.jinja' import DOCKER %}
include: include:
@@ -18,9 +18,9 @@ so-zeek:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }} - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
- start: True - start: True
- privileged: True - privileged: True
{% if DOCKERMERGED.containers['so-zeek'].ulimits %} {% if DOCKER.containers['so-zeek'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-zeek'].ulimits %} {% for ULIMIT in DOCKER.containers['so-zeek'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -39,21 +39,21 @@ so-zeek:
- /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
- /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro - /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
- /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro - /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro
{% if DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %} {% if DOCKER.containers['so-zeek'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- network_mode: host - network_mode: host
{% if DOCKERMERGED.containers['so-zeek'].extra_hosts %} {% if DOCKER.containers['so-zeek'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-zeek'].extra_hosts %} {% for XTRAHOST in DOCKER.containers['so-zeek'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKERMERGED.containers['so-zeek'].extra_env %} {% if DOCKER.containers['so-zeek'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKERMERGED.containers['so-zeek'].extra_env %} {% for XTRAENV in DOCKER.containers['so-zeek'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

16
salt/zeek/files/config.zeek.ja4
View File

@@ -8,20 +8,20 @@ export {
option JA4_raw: bool = F; option JA4_raw: bool = F;
# FoxIO license required for JA4+ # FoxIO license required for JA4+
option JA4S_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; option JA4S_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
option JA4S_raw: bool = F; option JA4S_raw: bool = F;
option JA4D_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; option JA4D_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
option JA4H_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; option JA4H_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
option JA4H_raw: bool = F; option JA4H_raw: bool = F;
option JA4L_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; option JA4L_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
option JA4SSH_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; option JA4SSH_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
option JA4T_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; option JA4T_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
option JA4TS_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; option JA4TS_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
option JA4X_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; option JA4X_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
} }

43
salt/zeek/soc_zeek.yaml
View File

@@ -1,35 +1,32 @@
zeek: zeek:
enabled: enabled:
description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled. description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled.
helpLink: zeek.html
ja4plus_enabled:
description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license (https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
forcedType: bool forcedType: bool
helpLink: zeek helpLink: zeek.html
ja4plus:
enabled:
description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license [https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
forcedType: bool
helpLink: zeek
advanced: False
config: config:
local: local:
load: load:
description: Contains a list of policies and scripts loaded by Zeek. Values in the Current Grid Value dialog box apply to every instance of Zeek. Values in a dialog box for a specific node will only apply to that node. description: Contains a list of policies and scripts loaded by Zeek. Values in the Current Grid Value dialog box apply to every instance of Zeek. Values in a dialog box for a specific node will only apply to that node.
forcedType: "[]string" forcedType: "[]string"
helpLink: zeek helpLink: zeek.html
load-sigs: load-sigs:
description: Contains a list of signatures loaded by Zeek. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node. description: Contains a list of signatures loaded by Zeek. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
forcedType: "[]string" forcedType: "[]string"
helpLink: zeek helpLink: zeek.html
redef: redef:
description: List of Zeek variables to redefine. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node. description: List of Zeek variables to redefine. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
forcedType: "[]string" forcedType: "[]string"
advanced: True advanced: True
helpLink: zeek helpLink: zeek.html
networks: networks:
HOME_NET: HOME_NET:
description: List of IP or CIDR blocks to define as the HOME_NET. description: List of IP or CIDR blocks to define as the HOME_NET.
forcedType: "[]string" forcedType: "[]string"
advanced: False advanced: False
helpLink: zeek helpLink: zeek.html
multiline: True multiline: True
regex: ^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?))|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$ regex: ^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?))|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$
regexFailureMessage: You must enter a valid IP address or CIDR. regexFailureMessage: You must enter a valid IP address or CIDR.
@@ -37,13 +34,13 @@ zeek:
lb_procs: lb_procs:
description: Contains the number of CPU cores or workers used by Zeek. This setting should only be applied to individual nodes and will be ignored if CPU affinity is enabled. description: Contains the number of CPU cores or workers used by Zeek. This setting should only be applied to individual nodes and will be ignored if CPU affinity is enabled.
title: workers title: workers
helpLink: zeek helpLink: zeek.html
node: True node: True
pins_enabled: pins_enabled:
description: Enabling this setting allows you to pin Zeek to specific CPUs. description: Enabling this setting allows you to pin Zeek to specific CPUs.
title: cpu affinity enabled title: cpu affinity enabled
forcedType: bool forcedType: bool
helpLink: zeek helpLink: zeek.html
node: True node: True
advanced: True advanced: True
pins: pins:
@@ -51,61 +48,61 @@ zeek:
title: cpu affinity title: cpu affinity
multiline: True multiline: True
forcedType: "[]string" forcedType: "[]string"
helpLink: zeek helpLink: zeek.html
node: True node: True
advanced: True advanced: True
zeekctl: zeekctl:
CompressLogs: CompressLogs:
description: This setting enables compression of Zeek logs. If you are seeing packet loss at the top of the hour in Zeek or PCAP you might need to disable this by seting it to 0. This will use more disk space but save IO and CPU. description: This setting enables compression of Zeek logs. If you are seeing packet loss at the top of the hour in Zeek or PCAP you might need to disable this by seting it to 0. This will use more disk space but save IO and CPU.
helpLink: zeek helpLink: zeek.html
policy: policy:
custom: custom:
filters: filters:
conn: conn:
description: Conn Filter for Zeek. This is an advanced setting and will take further action to enable. description: Conn Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek helpLink: zeek.html
file: True file: True
global: True global: True
advanced: True advanced: True
duplicates: True duplicates: True
dns: dns:
description: DNS Filter for Zeek. This is an advanced setting and will take further action to enable. description: DNS Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek helpLink: zeek.html
file: True file: True
global: True global: True
advanced: True advanced: True
duplicates: True duplicates: True
files: files:
description: Files Filter for Zeek. This is an advanced setting and will take further action to enable. description: Files Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek helpLink: zeek.html
file: True file: True
global: True global: True
advanced: True advanced: True
duplicates: True duplicates: True
httphost: httphost:
description: HTTP Hosts Filter for Zeek. This is an advanced setting and will take further action to enable. description: HTTP Hosts Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek helpLink: zeek.html
file: True file: True
global: True global: True
advanced: True advanced: True
duplicates: True duplicates: True
httpuri: httpuri:
description: HTTP URI Filter for Zeek. This is an advanced setting and will take further action to enable. description: HTTP URI Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek helpLink: zeek.html
file: True file: True
global: True global: True
advanced: True advanced: True
duplicates: True duplicates: True
ssl: ssl:
description: SSL Filter for Zeek. This is an advanced setting and will take further action to enable. description: SSL Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek helpLink: zeek.html
file: True file: True
global: True global: True
advanced: True advanced: True
duplicates: True duplicates: True
tunnel: tunnel:
description: Tunnel Filter for Zeek. This is an advanced setting and will take further action to enable. description: Tunnel Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek helpLink: zeek.html
file: True file: True
global: True global: True
advanced: True advanced: True
@@ -113,4 +110,4 @@ zeek:
file_extraction: file_extraction:
description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENSION"} description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENSION"}
forcedType: "[]{}" forcedType: "[]{}"
helpLink: zeek helpLink: zeek.html