use yq instead of envsubst (#1366)

mmetc 2022-03-17 12:28:45 +01:00 committed by GitHub
parent 9a6a254a90
commit f7f4ca9541
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 34 additions and 240 deletions


@ -1,16 +0,0 @@
filenames:
- /var/log/nginx/*.log
- ./tests/nginx/nginx.log
#this is not a syslog log, indicate which kind of logs it is
labels:
type: nginx
---
filenames:
- /var/log/auth.log
- /var/log/syslog
labels:
type: syslog
---
filename: /var/log/apache2/*.log
labels:
type: apache2


@ -1,54 +0,0 @@
common:
daemonize: false
# pid_dir: /var/run/
log_media: file
log_level: info
log_dir: ${LOG_DIR}
working_dir: .
config_paths:
config_dir: ${CONFIG_DIR}
data_dir: ${DATA_DIR}
simulation_path: ${CONFIG_DIR}/simulation.yaml
hub_dir: ${CONFIG_DIR}/hub/
index_path: ${CONFIG_DIR}/hub/.index.json
notification_dir: ${CONFIG_DIR}/notifications/
plugin_dir: ${PLUGIN_DIR}
crowdsec_service:
acquisition_path: ${CONFIG_DIR}/acquis.yaml
parser_routines: 1
cscli:
output: human
db_config:
log_level: info
type: sqlite
db_path: ${DATA_DIR}/crowdsec.db
#user:
#password:
#db_name:
#host:
#port:
flush:
max_items: 5000
max_age: 7d
plugin_config:
user: nobody # plugin process would be ran on behalf of this user
group: nogroup # plugin process would be ran on behalf of this group
api:
client:
insecure_skip_verify: false
credentials_path: ${CONFIG_DIR}/local_api_credentials.yaml
server:
log_level: info
listen_uri: 127.0.0.1:8080
profiles_path: ${CONFIG_DIR}/profiles.yaml
console_path: ${CONFIG_DIR}/console.yaml
online_client: # Central API credentials (to push signals and receive bad IPs)
credentials_path: ${CONFIG_DIR}/online_api_credentials.yaml
# tls:
# cert_file: ${CONFIG_DIR}/ssl/cert.pem
# key_file: ${CONFIG_DIR}/ssl/key.pem
prometheus:
enabled: true
level: full
listen_addr: 127.0.0.1
listen_port: 6060


@ -1 +0,0 @@
url: http://127.0.0.1:8080


@ -1,22 +0,0 @@
type: dummy # Don't change
name: dummy_default # Must match the registered plugin in the profile
# One of "trace", "debug", "info", "warn", "error", "off"
log_level: info
# group_wait: # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
# group_threshold: # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
# max_retry: # Number of attempts to relay messages to plugins in case of error
# timeout: # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
#-------------------------
# plugin-specific options
# The following template receives a list of models.Alert objects
# The output goes in the logs and to a text file, if defined
format: |
{{.|toJson}}
#
# output_file: # notifications will be appended here. optional


@ -1,38 +0,0 @@
type: email # Don't change
name: email_default # Must match the registered plugin in the profile
# One of "trace", "debug", "info", "warn", "error", "off"
log_level: info
# group_wait: # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
# group_threshold: # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
# max_retry: # Number of attempts to relay messages to plugins in case of error
timeout: 20s # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
#-------------------------
# plugin-specific options
# The following template receives a list of models.Alert objects
# The output goes in the email message body
format: |
{{range . -}}
{{$alert := . -}}
{{range .Decisions -}}
<a href=https://www.whois.com/whois/{{.Value}}>{{.Value}}</a> will get <b>{{.Type}}</b> for next <b>{{.Duration}}</b> for triggering <b>{{.Scenario}}</b> on machine <b>{{$alert.MachineID}}</b>. <a href=https://www.shodan.io/host/{{.Value}}>Shodan</a>
{{end -}}
{{end -}}
smtp_host: # example: smtp.gmail.com
smtp_username: # Replace with your actual username
smtp_password: # Replace with your actual password
smtp_port: # Common values are any of [25, 465, 587, 2525]
auth_type: # Valid choices are "none", "crammd5", "login", "plain"
sender_email: # example: foo@gmail.com
email_subject: "CrowdSec Notification"
receiver_emails:
# - email1@gmail.com
# - email2@gmail.com
# One of "ssltls", "none"
encryption_type: ssltls


@ -1,30 +0,0 @@
type: http # Don't change
name: http_default # Must match the registered plugin in the profile
# One of "trace", "debug", "info", "warn", "error", "off"
log_level: info
# group_wait: # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
# group_threshold: # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
# max_retry: # Number of attempts to relay messages to plugins in case of error
# timeout: # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
#-------------------------
# plugin-specific options
# The following template receives a list of models.Alert objects
# The output goes in the http request body
format: |
{{.|toJson}}
# The plugin will make requests to this url, eg: https://www.example.com/
url: <HTTP_url>
# Any of the http verbs: "POST", "GET", "PUT"...
method: POST
# headers:
# Authorization: token 0x64312313
# skip_tls_verification: # true or false. Default is false


@ -1,30 +0,0 @@
type: slack # Don't change
name: slack_default # Must match the registered plugin in the profile
# One of "trace", "debug", "info", "warn", "error", "off"
log_level: info
# group_wait: # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
# group_threshold: # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
# max_retry: # Number of attempts to relay messages to plugins in case of error
# timeout: # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
#-------------------------
# plugin-specific options
# The following template receives a list of models.Alert objects
# The output goes in the slack message
format: |
{{range . -}}
{{$alert := . -}}
{{range .Decisions -}}
{{if $alert.Source.Cn -}}
:flag-{{$alert.Source.Cn}}: <https://www.whois.com/whois/{{.Value}}|{{.Value}}> will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'. <https://www.shodan.io/host/{{.Value}}|Shodan>{{end}}
{{if not $alert.Source.Cn -}}
:pirate_flag: <https://www.whois.com/whois/{{.Value}}|{{.Value}}> will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'. <https://www.shodan.io/host/{{.Value}}|Shodan>{{end}}
{{end -}}
{{end -}}
webhook: <WEBHOOK_URL>


@ -1,21 +0,0 @@
type: splunk # Don't change
name: splunk_default # Must match the registered plugin in the profile
# One of "trace", "debug", "info", "warn", "error", "off"
log_level: info
# group_wait: # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
# group_threshold: # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
# max_retry: # Number of attempts to relay messages to plugins in case of error
# timeout: # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
#-------------------------
# plugin-specific options
# The following template receives a list of models.Alert objects
# The output goes in the splunk notification
format: |
{{.|toJson}}
url: <SPLUNK_HTTP_URL>
token: <SPLUNK_TOKEN>


@ -1,13 +0,0 @@
name: default_ip_remediation
#debug: true
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 4h
# notifications:
# - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
# - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
# - http_default # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
# - email_default # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break


@ -1,4 +0,0 @@
simulation: off
# exclusions:
# - crowdsecurity/ssh-bf


@ -42,22 +42,45 @@ remove_init_data() {
rm -rf -- "${CONFIG_DIR:?}"/* "${DATA_DIR:?}"/*
}
config_generate() {
cp ../config/acquis.yaml "${CONFIG_DIR}/"
cp ../config/profiles.yaml "${CONFIG_DIR}/"
cp ../config/simulation.yaml "${CONFIG_DIR}/"
cp ../config/local_api_credentials.yaml "${CONFIG_DIR}/"
cp ../config/online_api_credentials.yaml "${CONFIG_DIR}/"
cp ../plugins/notifications/http/http.yaml "${CONFIG_DIR}/notifications/"
cp ../plugins/notifications/email/email.yaml "${CONFIG_DIR}/notifications/"
cp ../plugins/notifications/slack/slack.yaml "${CONFIG_DIR}/notifications/"
cp ../plugins/notifications/splunk/splunk.yaml "${CONFIG_DIR}/notifications/"
cp ../plugins/notifications/dummy/dummy.yaml "${CONFIG_DIR}/notifications/"
yq '
.common.daemonize=false |
del(.common.pid_dir) |
.common.log_dir=strenv(LOG_DIR) |
.config_paths.config_dir=strenv(CONFIG_DIR) |
.config_paths.data_dir=strenv(DATA_DIR) |
.config_paths.simulation_path=strenv(CONFIG_DIR)+"/simulation.yaml" |
.config_paths.hub_dir=strenv(CONFIG_DIR)+"/hub/" |
.config_paths.index_path=strenv(CONFIG_DIR)+"/hub/.index.json" |
.config_paths.notification_dir=strenv(CONFIG_DIR)+"/notifications/" |
.config_paths.plugin_dir=strenv(PLUGIN_DIR) |
.crowdsec_service.acquisition_path=strenv(CONFIG_DIR)+"/acquis.yaml" |
.db_config.db_path=strenv(DATA_DIR)+"/crowdsec.db" |
.api.client.credentials_path=strenv(CONFIG_DIR)+"/local_api_credentials.yaml" |
.api.server.profiles_path=strenv(CONFIG_DIR)+"/profiles.yaml" |
.api.server.console_path=strenv(CONFIG_DIR)+"/console.yaml" |
.api.server.online_client.credentials_path=strenv(CONFIG_DIR)+"/online_api_credentials.yaml"
' <../config/config.yaml >"${CONFIG_DIR}/config.yaml"
}
make_init_data() {
remove_init_data
mkdir -p "${CONFIG_DIR}/notifications"
envsubst < "./config-templates/acquis.yaml" > "${CONFIG_DIR}/acquis.yaml"
envsubst < "./config-templates/config.yaml" > "${CONFIG_DIR}/config.yaml"
envsubst < "./config-templates/simulation.yaml" > "${CONFIG_DIR}/simulation.yaml"
envsubst < "./config-templates/local_api_credentials.yaml" > "${CONFIG_DIR}/local_api_credentials.yaml"
envsubst < "./config-templates/online_api_credentials.yaml" > "${CONFIG_DIR}/online_api_credentials.yaml"
envsubst < "./config-templates/profiles.yaml" > "${CONFIG_DIR}/profiles.yaml"
envsubst < "./config-templates/notifications/http.yaml" > "${CONFIG_DIR}/notifications/http.yaml"
envsubst < "./config-templates/notifications/email.yaml" > "${CONFIG_DIR}/notifications/email.yaml"
envsubst < "./config-templates/notifications/slack.yaml" > "${CONFIG_DIR}/notifications/slack.yaml"
envsubst < "./config-templates/notifications/splunk.yaml" > "${CONFIG_DIR}/notifications/splunk.yaml"
envsubst < "./config-templates/notifications/dummy.yaml" > "${CONFIG_DIR}/notifications/dummy.yaml"
config_generate
mkdir -p "${CONFIG_DIR}/hub"
"${BIN_DIR}/cscli" machines add githubciXXXXXXXXXXXXXXXXXXXXXXXX --auto