use yq instead of envsubst (#1366)
parent
9a6a254a90
commit
f7f4ca9541
|
@ -1,16 +0,0 @@
|
||||||
filenames:
|
|
||||||
- /var/log/nginx/*.log
|
|
||||||
- ./tests/nginx/nginx.log
|
|
||||||
#this is not a syslog log, indicate which kind of logs it is
|
|
||||||
labels:
|
|
||||||
type: nginx
|
|
||||||
---
|
|
||||||
filenames:
|
|
||||||
- /var/log/auth.log
|
|
||||||
- /var/log/syslog
|
|
||||||
labels:
|
|
||||||
type: syslog
|
|
||||||
---
|
|
||||||
filename: /var/log/apache2/*.log
|
|
||||||
labels:
|
|
||||||
type: apache2
|
|
|
@ -1,54 +0,0 @@
|
||||||
common:
|
|
||||||
daemonize: false
|
|
||||||
# pid_dir: /var/run/
|
|
||||||
log_media: file
|
|
||||||
log_level: info
|
|
||||||
log_dir: ${LOG_DIR}
|
|
||||||
working_dir: .
|
|
||||||
config_paths:
|
|
||||||
config_dir: ${CONFIG_DIR}
|
|
||||||
data_dir: ${DATA_DIR}
|
|
||||||
simulation_path: ${CONFIG_DIR}/simulation.yaml
|
|
||||||
hub_dir: ${CONFIG_DIR}/hub/
|
|
||||||
index_path: ${CONFIG_DIR}/hub/.index.json
|
|
||||||
notification_dir: ${CONFIG_DIR}/notifications/
|
|
||||||
plugin_dir: ${PLUGIN_DIR}
|
|
||||||
crowdsec_service:
|
|
||||||
acquisition_path: ${CONFIG_DIR}/acquis.yaml
|
|
||||||
parser_routines: 1
|
|
||||||
cscli:
|
|
||||||
output: human
|
|
||||||
db_config:
|
|
||||||
log_level: info
|
|
||||||
type: sqlite
|
|
||||||
db_path: ${DATA_DIR}/crowdsec.db
|
|
||||||
#user:
|
|
||||||
#password:
|
|
||||||
#db_name:
|
|
||||||
#host:
|
|
||||||
#port:
|
|
||||||
flush:
|
|
||||||
max_items: 5000
|
|
||||||
max_age: 7d
|
|
||||||
plugin_config:
|
|
||||||
user: nobody # plugin process would be ran on behalf of this user
|
|
||||||
group: nogroup # plugin process would be ran on behalf of this group
|
|
||||||
api:
|
|
||||||
client:
|
|
||||||
insecure_skip_verify: false
|
|
||||||
credentials_path: ${CONFIG_DIR}/local_api_credentials.yaml
|
|
||||||
server:
|
|
||||||
log_level: info
|
|
||||||
listen_uri: 127.0.0.1:8080
|
|
||||||
profiles_path: ${CONFIG_DIR}/profiles.yaml
|
|
||||||
console_path: ${CONFIG_DIR}/console.yaml
|
|
||||||
online_client: # Central API credentials (to push signals and receive bad IPs)
|
|
||||||
credentials_path: ${CONFIG_DIR}/online_api_credentials.yaml
|
|
||||||
# tls:
|
|
||||||
# cert_file: ${CONFIG_DIR}/ssl/cert.pem
|
|
||||||
# key_file: ${CONFIG_DIR}/ssl/key.pem
|
|
||||||
prometheus:
|
|
||||||
enabled: true
|
|
||||||
level: full
|
|
||||||
listen_addr: 127.0.0.1
|
|
||||||
listen_port: 6060
|
|
|
@ -1 +0,0 @@
|
||||||
url: http://127.0.0.1:8080
|
|
|
@ -1,22 +0,0 @@
|
||||||
type: dummy # Don't change
|
|
||||||
name: dummy_default # Must match the registered plugin in the profile
|
|
||||||
|
|
||||||
# One of "trace", "debug", "info", "warn", "error", "off"
|
|
||||||
log_level: info
|
|
||||||
|
|
||||||
# group_wait: # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
|
|
||||||
# group_threshold: # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
|
|
||||||
# max_retry: # Number of attempts to relay messages to plugins in case of error
|
|
||||||
# timeout: # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
|
|
||||||
|
|
||||||
#-------------------------
|
|
||||||
# plugin-specific options
|
|
||||||
|
|
||||||
# The following template receives a list of models.Alert objects
|
|
||||||
# The output goes in the logs and to a text file, if defined
|
|
||||||
format: |
|
|
||||||
{{.|toJson}}
|
|
||||||
|
|
||||||
#
|
|
||||||
# output_file: # notifications will be appended here. optional
|
|
||||||
|
|
|
@ -1,38 +0,0 @@
|
||||||
type: email # Don't change
|
|
||||||
name: email_default # Must match the registered plugin in the profile
|
|
||||||
|
|
||||||
# One of "trace", "debug", "info", "warn", "error", "off"
|
|
||||||
log_level: info
|
|
||||||
|
|
||||||
# group_wait: # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
|
|
||||||
# group_threshold: # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
|
|
||||||
# max_retry: # Number of attempts to relay messages to plugins in case of error
|
|
||||||
timeout: 20s # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
|
|
||||||
|
|
||||||
#-------------------------
|
|
||||||
# plugin-specific options
|
|
||||||
|
|
||||||
# The following template receives a list of models.Alert objects
|
|
||||||
# The output goes in the email message body
|
|
||||||
format: |
|
|
||||||
{{range . -}}
|
|
||||||
{{$alert := . -}}
|
|
||||||
{{range .Decisions -}}
|
|
||||||
<a href=https://www.whois.com/whois/{{.Value}}>{{.Value}}</a> will get <b>{{.Type}}</b> for next <b>{{.Duration}}</b> for triggering <b>{{.Scenario}}</b> on machine <b>{{$alert.MachineID}}</b>. <a href=https://www.shodan.io/host/{{.Value}}>Shodan</a>
|
|
||||||
{{end -}}
|
|
||||||
{{end -}}
|
|
||||||
|
|
||||||
smtp_host: # example: smtp.gmail.com
|
|
||||||
smtp_username: # Replace with your actual username
|
|
||||||
smtp_password: # Replace with your actual password
|
|
||||||
smtp_port: # Common values are any of [25, 465, 587, 2525]
|
|
||||||
auth_type: # Valid choices are "none", "crammd5", "login", "plain"
|
|
||||||
sender_email: # example: foo@gmail.com
|
|
||||||
email_subject: "CrowdSec Notification"
|
|
||||||
receiver_emails:
|
|
||||||
# - email1@gmail.com
|
|
||||||
# - email2@gmail.com
|
|
||||||
|
|
||||||
# One of "ssltls", "none"
|
|
||||||
encryption_type: ssltls
|
|
||||||
|
|
|
@ -1,30 +0,0 @@
|
||||||
type: http # Don't change
|
|
||||||
name: http_default # Must match the registered plugin in the profile
|
|
||||||
|
|
||||||
# One of "trace", "debug", "info", "warn", "error", "off"
|
|
||||||
log_level: info
|
|
||||||
|
|
||||||
# group_wait: # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
|
|
||||||
# group_threshold: # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
|
|
||||||
# max_retry: # Number of attempts to relay messages to plugins in case of error
|
|
||||||
# timeout: # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
|
|
||||||
|
|
||||||
#-------------------------
|
|
||||||
# plugin-specific options
|
|
||||||
|
|
||||||
# The following template receives a list of models.Alert objects
|
|
||||||
# The output goes in the http request body
|
|
||||||
format: |
|
|
||||||
{{.|toJson}}
|
|
||||||
|
|
||||||
# The plugin will make requests to this url, eg: https://www.example.com/
|
|
||||||
url: <HTTP_url>
|
|
||||||
|
|
||||||
# Any of the http verbs: "POST", "GET", "PUT"...
|
|
||||||
method: POST
|
|
||||||
|
|
||||||
# headers:
|
|
||||||
# Authorization: token 0x64312313
|
|
||||||
|
|
||||||
# skip_tls_verification: # true or false. Default is false
|
|
||||||
|
|
|
@ -1,30 +0,0 @@
|
||||||
type: slack # Don't change
|
|
||||||
name: slack_default # Must match the registered plugin in the profile
|
|
||||||
|
|
||||||
# One of "trace", "debug", "info", "warn", "error", "off"
|
|
||||||
log_level: info
|
|
||||||
|
|
||||||
# group_wait: # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
|
|
||||||
# group_threshold: # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
|
|
||||||
# max_retry: # Number of attempts to relay messages to plugins in case of error
|
|
||||||
# timeout: # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
|
|
||||||
|
|
||||||
#-------------------------
|
|
||||||
# plugin-specific options
|
|
||||||
|
|
||||||
# The following template receives a list of models.Alert objects
|
|
||||||
# The output goes in the slack message
|
|
||||||
format: |
|
|
||||||
{{range . -}}
|
|
||||||
{{$alert := . -}}
|
|
||||||
{{range .Decisions -}}
|
|
||||||
{{if $alert.Source.Cn -}}
|
|
||||||
:flag-{{$alert.Source.Cn}}: <https://www.whois.com/whois/{{.Value}}|{{.Value}}> will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'. <https://www.shodan.io/host/{{.Value}}|Shodan>{{end}}
|
|
||||||
{{if not $alert.Source.Cn -}}
|
|
||||||
:pirate_flag: <https://www.whois.com/whois/{{.Value}}|{{.Value}}> will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'. <https://www.shodan.io/host/{{.Value}}|Shodan>{{end}}
|
|
||||||
{{end -}}
|
|
||||||
{{end -}}
|
|
||||||
|
|
||||||
|
|
||||||
webhook: <WEBHOOK_URL>
|
|
||||||
|
|
|
@ -1,21 +0,0 @@
|
||||||
type: splunk # Don't change
|
|
||||||
name: splunk_default # Must match the registered plugin in the profile
|
|
||||||
|
|
||||||
# One of "trace", "debug", "info", "warn", "error", "off"
|
|
||||||
log_level: info
|
|
||||||
|
|
||||||
# group_wait: # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
|
|
||||||
# group_threshold: # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
|
|
||||||
# max_retry: # Number of attempts to relay messages to plugins in case of error
|
|
||||||
# timeout: # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
|
|
||||||
|
|
||||||
#-------------------------
|
|
||||||
# plugin-specific options
|
|
||||||
|
|
||||||
# The following template receives a list of models.Alert objects
|
|
||||||
# The output goes in the splunk notification
|
|
||||||
format: |
|
|
||||||
{{.|toJson}}
|
|
||||||
|
|
||||||
url: <SPLUNK_HTTP_URL>
|
|
||||||
token: <SPLUNK_TOKEN>
|
|
|
@ -1,13 +0,0 @@
|
||||||
name: default_ip_remediation
|
|
||||||
#debug: true
|
|
||||||
filters:
|
|
||||||
- Alert.Remediation == true && Alert.GetScope() == "Ip"
|
|
||||||
decisions:
|
|
||||||
- type: ban
|
|
||||||
duration: 4h
|
|
||||||
# notifications:
|
|
||||||
# - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
|
|
||||||
# - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
|
|
||||||
# - http_default # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
|
|
||||||
# - email_default # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
|
|
||||||
on_success: break
|
|
|
@ -1,4 +0,0 @@
|
||||||
simulation: off
|
|
||||||
# exclusions:
|
|
||||||
# - crowdsecurity/ssh-bf
|
|
||||||
|
|
|
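--- a/<script path not shown on page>
+++ b/<script path not shown on page>
@@ -42,22 +42,45 @@ remove_init_data() {
 rm -rf -- "${CONFIG_DIR:?}"/* "${DATA_DIR:?}"/*
 }
 
+config_generate() {
+cp ../config/acquis.yaml "${CONFIG_DIR}/"
+cp ../config/profiles.yaml "${CONFIG_DIR}/"
+cp ../config/simulation.yaml "${CONFIG_DIR}/"
+cp ../config/local_api_credentials.yaml "${CONFIG_DIR}/"
+cp ../config/online_api_credentials.yaml "${CONFIG_DIR}/"
+
+cp ../plugins/notifications/http/http.yaml "${CONFIG_DIR}/notifications/"
+cp ../plugins/notifications/email/email.yaml "${CONFIG_DIR}/notifications/"
+cp ../plugins/notifications/slack/slack.yaml "${CONFIG_DIR}/notifications/"
+cp ../plugins/notifications/splunk/splunk.yaml "${CONFIG_DIR}/notifications/"
+cp ../plugins/notifications/dummy/dummy.yaml "${CONFIG_DIR}/notifications/"
+
+yq '
+.common.daemonize=false |
+del(.common.pid_dir) |
+.common.log_dir=strenv(LOG_DIR) |
+.config_paths.config_dir=strenv(CONFIG_DIR) |
+.config_paths.data_dir=strenv(DATA_DIR) |
+.config_paths.simulation_path=strenv(CONFIG_DIR)+"/simulation.yaml" |
+.config_paths.hub_dir=strenv(CONFIG_DIR)+"/hub/" |
+.config_paths.index_path=strenv(CONFIG_DIR)+"/hub/.index.json" |
+.config_paths.notification_dir=strenv(CONFIG_DIR)+"/notifications/" |
+.config_paths.plugin_dir=strenv(PLUGIN_DIR) |
+.crowdsec_service.acquisition_path=strenv(CONFIG_DIR)+"/acquis.yaml" |
+.db_config.db_path=strenv(DATA_DIR)+"/crowdsec.db" |
+.api.client.credentials_path=strenv(CONFIG_DIR)+"/local_api_credentials.yaml" |
+.api.server.profiles_path=strenv(CONFIG_DIR)+"/profiles.yaml" |
+.api.server.console_path=strenv(CONFIG_DIR)+"/console.yaml" |
+.api.server.online_client.credentials_path=strenv(CONFIG_DIR)+"/online_api_credentials.yaml"
+' <../config/config.yaml >"${CONFIG_DIR}/config.yaml"
+}
+
 make_init_data() {
 remove_init_data
 
 mkdir -p "${CONFIG_DIR}/notifications"
 
-envsubst < "./config-templates/acquis.yaml" > "${CONFIG_DIR}/acquis.yaml"
-envsubst < "./config-templates/config.yaml" > "${CONFIG_DIR}/config.yaml"
-envsubst < "./config-templates/simulation.yaml" > "${CONFIG_DIR}/simulation.yaml"
-envsubst < "./config-templates/local_api_credentials.yaml" > "${CONFIG_DIR}/local_api_credentials.yaml"
-envsubst < "./config-templates/online_api_credentials.yaml" > "${CONFIG_DIR}/online_api_credentials.yaml"
-envsubst < "./config-templates/profiles.yaml" > "${CONFIG_DIR}/profiles.yaml"
-envsubst < "./config-templates/notifications/http.yaml" > "${CONFIG_DIR}/notifications/http.yaml"
-envsubst < "./config-templates/notifications/email.yaml" > "${CONFIG_DIR}/notifications/email.yaml"
-envsubst < "./config-templates/notifications/slack.yaml" > "${CONFIG_DIR}/notifications/slack.yaml"
-envsubst < "./config-templates/notifications/splunk.yaml" > "${CONFIG_DIR}/notifications/splunk.yaml"
-envsubst < "./config-templates/notifications/dummy.yaml" > "${CONFIG_DIR}/notifications/dummy.yaml"
+config_generate
 
 mkdir -p "${CONFIG_DIR}/hub"
 "${BIN_DIR}/cscli" machines add githubciXXXXXXXXXXXXXXXXXXXXXXXX --auto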
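Review bot: config_generate reads LOG_DIR and PLUGIN_DIR (as well as CONFIG_DIR and DATA_DIR) through strenv() with no guard, while remove_init_data a few lines above refuses to run on an unset CONFIG_DIR/DATA_DIR via `${VAR:?}`; the envsubst path being removed had the same gap, but this new function is the natural place to close it. If the yq build the harness installs treats an unset variable as an empty string (worth confirming for that version), the generated config.yaml silently ends up with empty `log_dir` and `plugin_dir` values instead of the setup failing, which is the kind of misconfiguration that tends to surface much later as a confusing test failure. Adding `: "${CONFIG_DIR:?}" "${DATA_DIR:?}" "${LOG_DIR:?}" "${PLUGIN_DIR:?}"` as the first line of config_generate fails fast with a clear message. A header comment such as `# requires mikefarah/yq v4 (strenv, del); the jq-based python "yq" does not accept this expression` would also help, since two different tools are commonly installed under the same name.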