fix(crowdsec): Make the whitelists actually work
This commit is contained in:
parent
2f108e708f
commit
2dd35bce8c
GPG key ID:
49670FD774E43268
|
|
@ -12,6 +12,18 @@
|
||||||
"10.45.249.2"
|
"10.45.249.2"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
extraConfig."postoverflows/s01-whitelist/matrix-whitelist.yaml" = {
|
||||||
|
name = "tetsumaki/matrix";
|
||||||
|
description = "custom matrix whitelist";
|
||||||
|
whitelist = {
|
||||||
|
reason = "whitelist false positive for matrix";
|
||||||
|
expression = [
|
||||||
|
"evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
|
||||||
|
"evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
extraGroups = [
|
extraGroups = [
|
||||||
"systemd-journal"
|
"systemd-journal"
|
||||||
"nginx"
|
"nginx"
|
||||||
|
|
@ -55,36 +67,4 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Add whitelists for matrix
|
|
||||||
systemd.tmpfiles.settings."10-matrix" =
|
|
||||||
let
|
|
||||||
stateDir = config.security.crowdsec.stateDirectory;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
"${stateDir}/config/postoverflows".d = {
|
|
||||||
user = "crowdsec";
|
|
||||||
group = "crowdsec";
|
|
||||||
mode = "0700";
|
|
||||||
};
|
|
||||||
|
|
||||||
"${stateDir}/config/postoverflows/s01-whitelist".d = {
|
|
||||||
user = "crowdsec";
|
|
||||||
group = "crowdsec";
|
|
||||||
mode = "0700";
|
|
||||||
};
|
|
||||||
|
|
||||||
"${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
|
|
||||||
((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
|
|
||||||
name = "tetsumaki/matrix";
|
|
||||||
description = "custom matrix whitelist";
|
|
||||||
whitelist = {
|
|
||||||
reason = "whitelist false positive for matrix";
|
|
||||||
expression = [
|
|
||||||
"evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
|
|
||||||
"evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}).outPath;
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -31,6 +31,22 @@ let
|
||||||
${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
|
${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
|
||||||
---
|
---
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
extraConfigs = pkgs.symlinkJoin {
|
||||||
|
name = "crowdsec-extra-configs";
|
||||||
|
paths = lib.mapAttrsToList (
|
||||||
|
path: settings:
|
||||||
|
(settingsFormat.generate path settings).overrideAttrs (old: {
|
||||||
|
patchPhase = ''
|
||||||
|
mkdir -p "$out/${dirOf path}/"
|
||||||
|
out="$out/${dirOf path}/"
|
||||||
|
|
||||||
|
echo $out
|
||||||
|
exit 1
|
||||||
|
'';
|
||||||
|
})
|
||||||
|
) cfg.extraConfig;
|
||||||
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [ ./remediations ];
|
imports = [ ./remediations ];
|
||||||
|
|
@ -38,6 +54,7 @@ in
|
||||||
options.security.crowdsec =
|
options.security.crowdsec =
|
||||||
let
|
let
|
||||||
inherit (lib.types)
|
inherit (lib.types)
|
||||||
|
attrsOf
|
||||||
nullOr
|
nullOr
|
||||||
listOf
|
listOf
|
||||||
package
|
package
|
||||||
|
|
@ -85,6 +102,16 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
extraConfig = lib.mkOption {
|
||||||
|
type = attrsOf (settingsFormat.type);
|
||||||
|
default = {
|
||||||
|
"parsers/s02-enrich/nixos-whitelist.yaml" = cfg.parserWhitelist;
|
||||||
|
};
|
||||||
|
description = ''
|
||||||
|
Set of additional configurations to install.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
acquisitions = lib.mkOption {
|
acquisitions = lib.mkOption {
|
||||||
type = listOf settingsFormat.type;
|
type = listOf settingsFormat.type;
|
||||||
default = [ ];
|
default = [ ];
|
||||||
|
|
@ -300,33 +327,6 @@ in
|
||||||
group = "crowdsec";
|
group = "crowdsec";
|
||||||
mode = "0700";
|
mode = "0700";
|
||||||
};
|
};
|
||||||
|
|
||||||
"${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
|
|
||||||
user = "crowdsec";
|
|
||||||
group = "crowdsec";
|
|
||||||
mode = "0700";
|
|
||||||
};
|
|
||||||
|
|
||||||
"${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
|
|
||||||
user = "crowdsec";
|
|
||||||
group = "crowdsec";
|
|
||||||
mode = "0700";
|
|
||||||
};
|
|
||||||
|
|
||||||
"${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" =
|
|
||||||
lib.mkIf (cfg.parserWhitelist != [ ])
|
|
||||||
{
|
|
||||||
"L+".argument =
|
|
||||||
(settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
|
|
||||||
name = "nixos/parser-whitelist";
|
|
||||||
description = "Parser whitelist generated by the crowdsec NixOS module";
|
|
||||||
whitelist = {
|
|
||||||
reason = "Filtered by NixOS whitelist";
|
|
||||||
ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
|
|
||||||
cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
|
|
||||||
};
|
|
||||||
}).outPath;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
|
|
@ -336,6 +336,8 @@ in
|
||||||
description = "Crowdsec database and config preparation";
|
description = "Crowdsec database and config preparation";
|
||||||
|
|
||||||
script = ''
|
script = ''
|
||||||
|
cp --copy-contents --recursive ${extraConfigs}/. ${cfg.stateDirectory}/config
|
||||||
|
|
||||||
if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
|
if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
|
||||||
cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
|
cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
|
||||||
fi
|
fi
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue