threatstack-formula's People

Contributors

amberb617, dglloyd, jessebye, olhado, tmclaugh


threatstack-formula's Issues

Cloudsight Config Doesn't Accept Getopt Anymore

The latest version of cloudsight (Threat Stack Agent v1.6.8) does not allow for getopts, it now requires a single param=value. The salt state runs a command similar to this:

~# cloudsight config --ruleset="Monitor Base Rule Set" --agent_type=m
2018-02-11T03:12:22.127Z: [-] Usage: cloudsight config "param=value"

Per the error, the config must be passed in one at a time and doesn't support opts:

~# cloudsight config ruleset="Monitor Base Rule Set" agent_type=m
2018-02-11T03:12:28.833Z: [-] Setting: ruleset = Monitor Base Rule Set
~# cloudsight config agent_type=m
2018-02-11T03:12:35.829Z: [-] Setting: agent_type = m
2018-02-11T03:12:35.835Z: [*] Installing audit rules
2018-02-11T03:12:35.838Z: [-] Saved agent type. Please run `sudo cloudsight restart`

Should probably iterate over a list of k=v in the salt state and pass those to cloudsight config.

Alternatively the cloudsight deploy command might be templated to include the extra config stuff.
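One way to do the per-setting loop suggested above, as an added example that is not the formula's own state: it assumes a pillar key `ts_agent_config_args` holding a list of `param=value` strings (a bare string still works), a `pkg` state id `threatstack-agent` and a `service` state id `threatstack`.

```jinja
{# Added example, not code from threatstack-formula. Runs one "cloudsight config"
   per setting because the agent now accepts only a single param=value.
   Assumed pillar shape (a bare string such as 'log_level=debug' is also accepted):
     ts_agent_config_args:
       - ruleset=Monitor Base Rule Set
       - agent_type=m
   Assumed state ids: pkg state 'threatstack-agent', service state 'threatstack'. #}
{% set cfg_args = salt['pillar.get']('ts_agent_config_args', []) %}
{% if cfg_args is string %}
  {% set cfg_args = cfg_args.split() %}
{% endif %}

{% for kv in cfg_args %}
  {% set parts = kv.split('=', 1) %}
  {# Reject anything that is not key=value with a plain identifier as the key, so a
     malformed pillar entry fails the highstate instead of being ignored by the
     agent ("No option provided to config command"). #}
  {% if parts | length != 2 or not parts[0] | regex_match('^[A-Za-z][A-Za-z0-9_]*$') %}
{{ raise("ts_agent_config_args entry '" ~ kv ~ "' is not of the form param=value") }}
  {% endif %}
cloudsight-config-{{ parts[0] }}:
  cmd.run:
    {# quote makes the whole param=value one shell word, so a value containing
       spaces ("Monitor Base Rule Set") reaches cloudsight as a single setting #}
    - name: cloudsight config {{ kv | quote }}
    - require:
      - pkg: threatstack-agent
    - watch_in:
      - service: threatstack
{% endfor %}
```

`cmd.run` re-applies on every highstate and the `watch_in` restarts the service each time; switch to `cmd.wait` with a `watch` on the package, as the formula does, if the settings should only be pushed after an install or upgrade.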

Not working with new V2 agent (2.0.0.0ubuntu16.56)

I use Saltstack to manage threatstack and ran into an issue where my systems will not start after upgrading from 1.9 to 2.0.

Specifically, after running the state.apply threatstack it updated my minion to run 2.0.0.0ubuntu16.56 but was unable to handle the tsagent configuration change or the service restart. Instead I get

          ID: tsagent-config
    Function: cmd.wait
        Name: tsagent config log_level=debug
      Result: False
     Comment: Command "tsagent config log_level=debug" run
     Started: 09:19:39.352452
    Duration: 26.25 ms
     Changes:   
              ----------
              pid:
                  28103
              retcode:
                  1
              stderr:
                  tsagent: No option provided to config command
              stdout:
----------
          ID: threatstack
    Function: service.running
      Result: False
     Comment: One or more requisite failed: threatstack.tsagent-config
     Started: 09:19:40.203444
    Duration: 0.024 ms
     Changes:

My pillar looks like this 

deploy_key: "nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn"
ts_configure: True
ts_agent_latest: True
ts_agent_config_args: 'log_level=debug'
ts_agent_extra_args: --ruleset="Base Rule Set"

Agent Version Does not take in to account Threatstack OS requirements

Unfortunately, the outlined document from threatstack states that some OS versions can not support the 2.x agent. https://threatstack.zendesk.com/hc/en-us/articles/200343805

[Screenshot: Selection_074]

The picture above shows an example where CentOS 6 does not support the 2.x agent.

Yet the init.sls initial step of determining the boolean for repository choosing does not intuitively determine if the OS can support that version. Many customers have fleets with multiple versions of an OS that need to be managed. Considering Salt's use of grains, the init.sls should be able to choose correctly.

# Determine if we are installing agent 1.x or agent 2.x
{% if (pillar['ts_agent_latest'] is defined and pillar['ts_agent_latest'] == True) or (pillar['ts_agent_version'] is defined and pillar['ts_agent_version'].startswith('2.')) %}
  {% set install_agent2 = True %}
{% else %}
  {% set install_agent2 = False %}
{% endif %}

The line above dictates the repo

# Allow for package repo override from pillar
{% if pillar['pkg_url'] is defined %}
    {% set pkg_url = pillar['pkg_url'] %}
{% else %}
    {% if install_agent2 == True %}
      {% set pkg_url_base = 'https://pkg.threatstack.com/v2' %}
    {% else %}
      {% set pkg_url_base = 'https://pkg.threatstack.com' %}
    {% endif %}

Recommended resolution:

remove the following

# Determine if we are installing agent 1.x or agent 2.x
{% if (pillar['ts_agent_latest'] is defined and pillar['ts_agent_latest'] == True) or (pillar['ts_agent_version'] is defined and pillar['ts_agent_version'].startswith('2.')) %}
  {% set install_agent2 = True %}
{% else %}
  {% set install_agent2 = False %}
{% endif %}

extend

    {% set pkg_maj_ver = grains['osmajorrelease'] %}
    {% if grains['os_family']=="Debian" %}
      {% set pkg_url = [pkg_url_base, 'Ubuntu']|join('/') %}
    {% elif grains['os']=="Amazon" %}
      {% set pkg_url = [pkg_url_base, 'Amazon']|join('/') %}
    {% elif grains['os']=="Centos" %}
      {% set pkg_url = [pkg_url_base, 'EL', pkg_maj_ver]|join('/') %}
    {% else %}
      {% set pkg_url = [pkg_url_base, 'EL', '7']|join('/') %}
    {% endif %}

Perform a nested IF under each OS/OS family, for example:

{% elif grains['os']=="CentOS" %}
  {# fixed: 'grains' not 'grain', '==' not '=', balanced parentheses, closing endif #}
  {% if grains['osmajorrelease'] == 7 and pillar['ts_agent_version'].startswith('2.') %}
    {% set pkg_url_base = 'https://pkg.threatstack.com/v2' %}
  {% else %}
    {% set pkg_url_base = 'https://pkg.threatstack.com' %}
  {% endif %}

Rinse and repeat for all OS families using the linked document above, so the 2.x agent cannot be installed on systems that do not support the 2.x agent.
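A grains-driven version of the gating described in this issue, as an added example that is not the formula's own init.sls: the supported-OS allow-list is a placeholder that only carries the CentOS facts stated here (7 supported, 6 not), and it keys the EL branch on `os_family` so the exact spelling of the CentOS `os` grain no longer matters.

```jinja
{# Added example, not code from threatstack-formula. Gates the 2.x agent on the
   minion's grains so the v2 repo is only chosen where the 2.x agent is supported.
   PLACEHOLDER allow-list: only the CentOS facts stated in this issue are filled in;
   add the remaining OS/major pairs from the Threat Stack OS requirements document
   before use. Unknown OS or unsupported major falls back to the 1.x repo. #}
{% set agent2_supported = {
  'CentOS': [7],
} %}

{% set os_name = grains['os'] %}
{% set os_major = grains.get('osmajorrelease', 0) | int %}
{% set want_agent2 = salt['pillar.get']('ts_agent_latest', False) == True
   or (salt['pillar.get']('ts_agent_version', '') | string).startswith('2.') %}
{% set install_agent2 = want_agent2
   and os_name in agent2_supported
   and os_major in agent2_supported[os_name] %}

{% if want_agent2 and not install_agent2 %}
  {# Make the downgrade visible in the minion log instead of silently installing 1.x #}
  {% do salt['log.warning']('Threat Stack agent 2.x is not supported on ' ~ os_name
     ~ ' ' ~ os_major ~ '; installing the 1.x agent instead') %}
{% endif %}

{% set pkg_url_base = 'https://pkg.threatstack.com/v2' if install_agent2
   else 'https://pkg.threatstack.com' %}

{# Allow for package repo override from pillar, otherwise build it from the grains #}
{% if salt['pillar.get']('pkg_url') %}
  {% set pkg_url = salt['pillar.get']('pkg_url') %}
{% elif grains['os_family'] == 'Debian' %}
  {% set pkg_url = [pkg_url_base, 'Ubuntu'] | join('/') %}
{% elif os_name == 'Amazon' %}
  {# Amazon Linux reports os_family RedHat, so it must be matched before the EL branch #}
  {% set pkg_url = [pkg_url_base, 'Amazon'] | join('/') %}
{% elif grains['os_family'] == 'RedHat' %}
  {# covers CentOS (grain value 'CentOS', not 'Centos'), RHEL and other EL clones #}
  {% set pkg_url = [pkg_url_base, 'EL', os_major | string] | join('/') %}
{% else %}
  {% set pkg_url = [pkg_url_base, 'EL', '7'] | join('/') %}
{% endif %}
```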

Add support for Debian 11 "bullseye"

I am getting this error while installing threatstack-agent on the latest Debian 11 (released on August 14th) using this formula:

[ERROR   ] stderr: E: Failed to fetch https://pkg.threatstack.com/v2/Ubuntu/dists/bullseye/InRelease  403  Forbidden [IP: 65.8.49.125 443]
E: The repository 'https://pkg.threatstack.com/v2/Ubuntu bullseye InRelease' is not signed.

Do you have a target date when this will be available?

spelling error causing wrong if statement to be called.

The following section of code does not work accurately when using CentOS.

    {% set pkg_maj_ver = grains['osmajorrelease'] %}
    {% if grains['os_family']=="Debian" %}
      {% set pkg_url = [pkg_url_base, 'Ubuntu']|join('/') %}
    {% elif grains['os']=="Amazon" %}
      {% set pkg_url = [pkg_url_base, 'Amazon']|join('/') %}
    {% elif grains['os']=="Centos" %}
      {% set pkg_url = [pkg_url_base, 'EL', pkg_maj_ver]|join('/') %}
    {% else %}
      {% set pkg_url = [pkg_url_base, 'EL', '7']|join('/') %}
    {% endif %}

The Salt OS grain value for CentOS systems is "CentOS", NOT "Centos". Due to this, CentOS 6 systems skip to the final ELSE statement.
