Thursday, September 12, 2013

New package OnionSalt now available for configuration management

Mike Reeves created OnionSalt, a set of Salt configuration management scripts to manage lots of sensors from your master server.  I've packaged OnionSalt and added support for it in Setup.

Please note that Salt is totally optional.  If you're happy with your current method of sensor management, then you don't have to install securityonion-onionsalt and nothing will change for you.  Should you decide to install securityonion-onionsalt, you get the following features out of the box:

  • manage user accounts, sudoers, and SSH keys from one location and have them replicate to all sensors
  • have sensors check for new IDS rules every 15 minutes, copy files, and restart engines as necessary

In addition, Salt is a full configuration management system, so you can script anything that you want to deploy across your army of sensors.

Thanks to Mike Reeves for developing OnionSalt!
Thanks to the following for testing:
JP Bourget
David Zawdie

OnionSalt is still considered experimental.  You'll want to test in a lab environment before deciding to deploy in production.

To read more about how to integrate OnionSalt into a new or existing Security Onion deployment, please see our Salt page:

Enabling Salt on Master Server via Advanced Setup

After completing Setup, verifying that the Master can manage itself

Enabling Salt on sensor1 via Advanced Setup

After completing Setup, verifying that the Master can now manage both boxes

Salt can run arbitrary commands on all boxes at once

Adding johndoe to /opt/onionsalt/pillar/users/init.sls

Adding johndoe's public key to /opt/onionsalt/salt/users/keys/

Running "sudo salt '*' state.highstate" to push accounts and keys to all boxes

Verifying that we can now log in using the new account/key

If you have any questions or problems, please use our mailing list:

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!
