# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{# Airgap flag read from pillar key global:airgap; False is the fallback passed to pillar.get. #}
{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}
{# Load salt/minion.defaults.yaml, then rebind the same name to only the
   salt.minion.version value from it. That value is compared against
   grains.saltversion before any role-specific states are allowed. #}
{% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
{% set saltversion = saltversion.salt.minion.version %}

{# this is the list we are returning from this map file, it gets built below #}
{# It starts empty: when the version comparison below fails, only the entries
   appended outside that comparison end up in the list. #}
{% set allowed_states= [] %}
{# Role-based allowlist of states. It is populated only when the minion's
   running Salt version (grains.saltversion) equals the version loaded from
   salt/minion.defaults.yaml; both sides are cast to string before comparing.
   On a mismatch everything down to the matching endif is skipped. #}
{% if grains.saltversion | string == saltversion | string %}

{# Base list for each node role, selected by the 'role' grain.
   NOTE(review): no default entry is supplied to grains.filter_by, so a role
   that matches none of the keys below presumably yields None instead of a
   list, and the append calls further down would then fail at render time.
   Confirm that this is the intended handling of unknown roles.
   NOTE(review): the role comes from a grain, which is minion-side data. If
   callers treat this list as an access control rather than a guard against
   misapplied states, verify that the role is also enforced elsewhere. #}
{% set allowed_states= salt['grains.filter_by']({
  'so-eval': [
    'salt.master',
    'ca',
    'ssl',
    'registry',
    'manager',
    'nginx',
    'telegraf',
    'influxdb',
    'soc',
    'kratos',
    'elasticfleet',
    'elastic-fleet-package-registry',
    'firewall',
    'idstools',
    'suricata.manager',
    'healthcheck',
    'pcap',
    'suricata',
    'utility',
    'schedule',
    'tcpreplay',
    'docker_clean'
  ],
  'so-heavynode': [
    'ssl',
    'nginx',
    'telegraf',
    'firewall',
    'pcap',
    'suricata',
    'healthcheck',
    'elasticagent',
    'schedule',
    'tcpreplay',
    'docker_clean'
  ],
  'so-idh': [
    'ssl',
    'telegraf',
    'firewall',
    'idh',
    'schedule',
    'docker_clean'
  ],
  'so-import': [
    'salt.master',
    'ca',
    'ssl',
    'registry',
    'manager',
    'nginx',
    'strelka.manager',
    'soc',
    'kratos',
    'influxdb',
    'telegraf',
    'firewall',
    'idstools',
    'suricata.manager',
    'pcap',
    'utility',
    'suricata',
    'zeek',
    'schedule',
    'tcpreplay',
    'docker_clean',
    'elasticfleet',
    'elastic-fleet-package-registry'
  ],
  'so-manager': [
    'salt.master',
    'ca',
    'ssl',
    'registry',
    'manager',
    'nginx',
    'telegraf',
    'influxdb',
    'strelka.manager',
    'soc',
    'kratos',
    'elasticfleet',
    'elastic-fleet-package-registry',
    'firewall',
    'idstools',
    'suricata.manager',
    'utility',
    'schedule',
    'docker_clean',
    'stig',
    'kafka'
  ],
  'so-managersearch': [
    'salt.master',
    'ca',
    'ssl',
    'registry',
    'nginx',
    'telegraf',
    'influxdb',
    'strelka.manager',
    'soc',
    'kratos',
    'elastic-fleet-package-registry',
    'elasticfleet',
    'firewall',
    'manager',
    'idstools',
    'suricata.manager',
    'utility',
    'schedule',
    'docker_clean',
    'stig',
    'kafka'
  ],
  'so-searchnode': [
    'ssl',
    'nginx',
    'telegraf',
    'firewall',
    'schedule',
    'docker_clean',
    'stig'
  ],
  'so-standalone': [
    'salt.master',
    'ca',
    'ssl',
    'registry',
    'manager',
    'nginx',
    'telegraf',
    'influxdb',
    'soc',
    'kratos',
    'elastic-fleet-package-registry',
    'elasticfleet',
    'firewall',
    'idstools',
    'suricata.manager',
    'pcap',
    'suricata',
    'healthcheck',
    'utility',
    'schedule',
    'tcpreplay',
    'docker_clean',
    'stig',
    'kafka'
  ],
  'so-sensor': [
    'ssl',
    'telegraf',
    'firewall',
    'nginx',
    'pcap',
    'suricata',
    'healthcheck',
    'schedule',
    'tcpreplay',
    'docker_clean',
    'stig'
  ],
  'so-fleet': [
    'ssl',
    'telegraf',
    'firewall',
    'logstash',
    'nginx',
    'healthcheck',
    'schedule',
    'elasticfleet',
    'docker_clean'
  ],
  'so-receiver': [
    'ssl',
    'telegraf',
    'firewall',
    'schedule',
    'docker_clean',
    'kafka',
    'elasticsearch.ca',
    'stig'
  ],
  'so-desktop': [
    'ssl',
    'docker_clean',
    'telegraf'
  ],
}, grain='role') %}

{# Roles that additionally get zeek. so-import is not in this list because
   its base list above already contains zeek. #}
{%- if grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
{% do allowed_states.append('zeek') %}
{%- endif %}

{# strelka is added for the same four roles as zeek. #}
{% if grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
{% do allowed_states.append('strelka') %}
{% endif %}

{# Roles that get elasticsearch. #}
{% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %}
{% do allowed_states.append('elasticsearch') %}
{% endif %}

{# elasticsearch.auth goes to a narrower set than elasticsearch itself:
   so-searchnode and so-heavynode are not included here. #}
{% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
{% do allowed_states.append('elasticsearch.auth') %}
{% endif %}

{# kibana and kibana.secrets use the same role list as elasticsearch.auth. #}
{% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
{% do allowed_states.append('kibana') %}
{% do allowed_states.append('kibana.secrets') %}
{% endif %}

{# elastalert: the kibana role list without so-import. #}
{% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
{% do allowed_states.append('elastalert') %}
{% endif %}

{# Roles that get logstash. so-fleet is not in this list because its base
   list above already contains logstash. #}
{% if grains.role in ['so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
{% do allowed_states.append('logstash') %}
{% endif %}

{# Roles that get redis. #}
{% if grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-receiver', 'so-eval'] %}
{% do allowed_states.append('redis') %}
{% endif %}

{# all nodes on the right salt version can run the following states #}
{% do allowed_states.append('common') %}
{% do allowed_states.append('patch.os.schedule') %}
{% do allowed_states.append('motd') %}
{% do allowed_states.append('salt.minion-check') %}
{% do allowed_states.append('sensoroni') %}
{% do allowed_states.append('salt.lasthighstate') %}

{% endif %}
{# The entries below are appended outside the Salt version comparison, so they
   are present even when the minion's version does not match the pinned one.
   airgap is added only when the global:airgap pillar value is truthy. #}
{% if ISAIRGAP %}
{% do allowed_states.append('airgap') %}
{% endif %}

{# all nodes can always run salt.minion state #}
{# NOTE(review): presumably this lets a minion on a mismatched Salt version
   still apply the state that corrects it; confirm against the salt.minion
   state. #}
{% do allowed_states.append('salt.minion') %}