Compare commits
2 commits
664c87adad
...
79786fc5d9
| Author | SHA1 | Date | |
|---|---|---|---|
 Tristan Daniël Maat
|
79786fc5d9
|
||
|
Tristan Daniël Maat
|
a60cb7f60c
|
|
|
@ -12,18 +12,6 @@
|
||||||
"10.45.249.2"
|
"10.45.249.2"
|
||||||
];
|
];
|
||||||
|
|
||||||
extraConfig."postoverflows/s01-whitelist/matrix-whitelist.yaml" = {
|
|
||||||
name = "tetsumaki/matrix";
|
|
||||||
description = "custom matrix whitelist";
|
|
||||||
whitelist = {
|
|
||||||
reason = "whitelist false positive for matrix";
|
|
||||||
expression = [
|
|
||||||
"evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
|
|
||||||
"evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
extraGroups = [
|
extraGroups = [
|
||||||
"systemd-journal"
|
"systemd-journal"
|
||||||
"nginx"
|
"nginx"
|
||||||
|
|
@ -67,4 +55,36 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Add whitelists for matrix
|
||||||
|
systemd.tmpfiles.settings."10-matrix" =
|
||||||
|
let
|
||||||
|
stateDir = config.security.crowdsec.stateDirectory;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
"${stateDir}/config/postoverflows".d = {
|
||||||
|
user = "crowdsec";
|
||||||
|
group = "crowdsec";
|
||||||
|
mode = "0700";
|
||||||
|
};
|
||||||
|
|
||||||
|
"${stateDir}/config/postoverflows/s01-whitelist".d = {
|
||||||
|
user = "crowdsec";
|
||||||
|
group = "crowdsec";
|
||||||
|
mode = "0700";
|
||||||
|
};
|
||||||
|
|
||||||
|
"${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
|
||||||
|
((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
|
||||||
|
name = "tetsumaki/matrix";
|
||||||
|
description = "custom matrix whitelist";
|
||||||
|
whitelist = {
|
||||||
|
reason = "whitelist false positive for matrix";
|
||||||
|
expression = [
|
||||||
|
"evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
|
||||||
|
"evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}).outPath;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -31,22 +31,6 @@ let
|
||||||
${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
|
${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
|
||||||
---
|
---
|
||||||
'';
|
'';
|
||||||
|
|
||||||
extraConfigs = pkgs.symlinkJoin {
|
|
||||||
name = "crowdsec-extra-configs";
|
|
||||||
paths = lib.mapAttrsToList (
|
|
||||||
path: settings:
|
|
||||||
(settingsFormat.generate path settings).overrideAttrs (old: {
|
|
||||||
patchPhase = ''
|
|
||||||
mkdir -p "$out/${dirOf path}/"
|
|
||||||
out="$out/${dirOf path}/"
|
|
||||||
|
|
||||||
echo $out
|
|
||||||
exit 1
|
|
||||||
'';
|
|
||||||
})
|
|
||||||
) cfg.extraConfig;
|
|
||||||
};
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [ ./remediations ];
|
imports = [ ./remediations ];
|
||||||
|
|
@ -54,7 +38,6 @@ in
|
||||||
options.security.crowdsec =
|
options.security.crowdsec =
|
||||||
let
|
let
|
||||||
inherit (lib.types)
|
inherit (lib.types)
|
||||||
attrsOf
|
|
||||||
nullOr
|
nullOr
|
||||||
listOf
|
listOf
|
||||||
package
|
package
|
||||||
|
|
@ -102,16 +85,6 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
extraConfig = lib.mkOption {
|
|
||||||
type = attrsOf (settingsFormat.type);
|
|
||||||
default = {
|
|
||||||
"parsers/s02-enrich/nixos-whitelist.yaml" = cfg.parserWhitelist;
|
|
||||||
};
|
|
||||||
description = ''
|
|
||||||
Set of additional configurations to install.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
acquisitions = lib.mkOption {
|
acquisitions = lib.mkOption {
|
||||||
type = listOf settingsFormat.type;
|
type = listOf settingsFormat.type;
|
||||||
default = [ ];
|
default = [ ];
|
||||||
|
|
@ -327,6 +300,33 @@ in
|
||||||
group = "crowdsec";
|
group = "crowdsec";
|
||||||
mode = "0700";
|
mode = "0700";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
|
||||||
|
user = "crowdsec";
|
||||||
|
group = "crowdsec";
|
||||||
|
mode = "0700";
|
||||||
|
};
|
||||||
|
|
||||||
|
"${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
|
||||||
|
user = "crowdsec";
|
||||||
|
group = "crowdsec";
|
||||||
|
mode = "0700";
|
||||||
|
};
|
||||||
|
|
||||||
|
"${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" =
|
||||||
|
lib.mkIf (cfg.parserWhitelist != [ ])
|
||||||
|
{
|
||||||
|
"L+".argument =
|
||||||
|
(settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
|
||||||
|
name = "nixos/parser-whitelist";
|
||||||
|
description = "Parser whitelist generated by the crowdsec NixOS module";
|
||||||
|
whitelist = {
|
||||||
|
reason = "Filtered by NixOS whitelist";
|
||||||
|
ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
|
||||||
|
cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
|
||||||
|
};
|
||||||
|
}).outPath;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
|
|
@ -336,8 +336,6 @@ in
|
||||||
description = "Crowdsec database and config preparation";
|
description = "Crowdsec database and config preparation";
|
||||||
|
|
||||||
script = ''
|
script = ''
|
||||||
cp --copy-contents --recursive ${extraConfigs}/. ${cfg.stateDirectory}/config
|
|
||||||
|
|
||||||
if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
|
if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
|
||||||
cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
|
cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
|
||||||
fi
|
fi
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue