As part of the post-installation process, consider reviewing the RaaS configuration. RaaS (Returner as a Service) is the central component of Automation Config. RaaS provides an RPC endpoint that receives management commands from the Automation Config user interface, and an RPC control endpoint that interfaces with the connected Salt masters. RaaS configuration settings are stored in the /etc/raas/raas configuration file on the RaaS node.
Before you begin
Configuring the RaaS node is one of a series of post-installation steps that must be performed in a specific order. First complete one of the installation scenarios, then review the pages on the post-installation steps that follow.
Verifying configuration settings
- Open the RaaS configuration file on the RaaS node. By default, this file is stored at /etc/raas/raas.
- Verify the following required settings:
  - customer_id: your user ID, or a sample UUID.
  - sql: username, password, host, and port can be set to match your database configuration. For details on how to store the credentials securely, see the knowledge base article Securing credentials in your Automation Config configuration.
- Verify the following additional settings:
  - tls_minimum: sets the minimum TLS version that RaaS accepts. By default this property is set to 1.2. The setting can be changed to a lower version number if necessary, but using versions earlier than 1.2 is not recommended because those versions have known security issues.
  - tls_crt: path to the .crt file used for encrypted communication. If this certificate is self-signed and is not validated against a known CA, set the sseapi_validate_cert option to False in the Salt master configuration file.
  - tls_key: the certificate key file.
  - port: the port used for connections from the Automation Config user interface and the Salt controllers.
  - audit: includes API (RaaS) information in debug reports for administrator accounts. If valid_logins is set to True, this information is also included in bug reports generated by non-administrator users.
  - raas_presence_expiration: number of seconds of inactivity after which a minion is considered not present. The default is 3,600 seconds (1 hour).
  - target_groups_from_master_only: set to true if the tgtmatch engine is enabled on the salt-master, otherwise false.
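The checklist above is easy to run by hand once, but a small audit script makes it repeatable after every upgrade or config change. The following is an added example, not VMware's or the RaaS project's own code: it loads the /etc/raas/raas YAML (PyYAML assumed for the optional file loader), then checks the required and additional settings the checklist names, plus the flags the default file itself marks as development-only or security-related (master_autoaccept, spa_serve_cookie_always, cors_header_for_webpack, the HSTS and XSRF flags, the Prometheus credentials). The function names, severity labels and sample values are assumptions; the configuration keys are the ones documented on this page.

```python
"""Audit the security-relevant settings of a RaaS configuration file.

Added example for this page; not VMware's or the RaaS project's code.
Config keys are the ones documented on the page; function names, severity
labels and the constructed sample configurations are my own assumptions.
"""
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass
class Finding:
    severity: str  # "error" (fix before go-live) or "warning" (confirm intent)
    key: str       # dotted path of the setting in the RaaS YAML
    message: str


def _get(cfg: Dict[str, Any], dotted: str, default: Any = None) -> Any:
    """Look up a dotted key such as 'sql.password'; return default if absent."""
    node: Any = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_raas_config(cfg: Dict[str, Any]) -> List[Finding]:
    """Return findings for the settings the post-install checklist calls out."""
    out: List[Finding] = []

    # Required: customer_id must be present.
    if not cfg.get("customer_id"):
        out.append(Finding("error", "customer_id", "customer_id is empty"))

    # TLS: the page recommends nothing below 1.2. Accept 1.2 or "1.2".
    tls_min = cfg.get("tls_minimum", 1.2)
    try:
        tls_ok = float(tls_min) >= 1.2
    except (TypeError, ValueError):
        tls_ok = False
    if not tls_ok:
        out.append(Finding("error", "tls_minimum",
                           f"minimum TLS version is {tls_min!r}; below 1.2 is not recommended"))
    for key in ("tls_crt", "tls_key"):
        if not cfg.get(key):
            out.append(Finding("warning", key, f"{key} is not set; confirm how RaaS traffic is encrypted"))

    # Database: the file's own comments discourage plaintext credentials, and host/port
    # must be filled in unless the DATABASE_URL environment variable is used (url: ENV).
    if _get(cfg, "sql.password"):
        out.append(Finding("warning", "sql.password",
                           "database password stored in plaintext; prefer 'raas save_creds' or DATABASE_URL"))
    if str(_get(cfg, "sql.url", "")).upper() != "ENV":
        for key in ("sql.host", "sql.port"):
            if _get(cfg, key) in (None, ""):
                out.append(Finding("error", key, f"{key} is empty and DATABASE_URL is not used"))
    if _get(cfg, "sql.ssl") is False:
        out.append(Finding("warning", "sql.ssl", "database connection does not use SSL"))

    # Flags the default file marks as development-only, or as security headers/cookies.
    for key in ("master_autoaccept", "spa_serve_cookie_always", "cors_header_for_webpack"):
        if cfg.get(key) is True:
            out.append(Finding("error", key, f"{key} is true; the default file marks it development-only"))
    if cfg.get("strict_transport_security_header_enabled") is False:
        out.append(Finding("warning", "strict_transport_security_header_enabled", "HSTS header disabled"))
    if cfg.get("tornado_xsrf_cookies_enabled") is False:
        out.append(Finding("error", "tornado_xsrf_cookies_enabled", "XSRF cookie protection disabled"))
    if _get(cfg, "audit.enabled") is False:
        out.append(Finding("warning", "audit.enabled", "audit tracking is disabled"))
    if _get(cfg, "metrics.prometheus") is True and not (
        _get(cfg, "metrics.prometheus_username") and _get(cfg, "metrics.prometheus_password")
    ):
        out.append(Finding("error", "metrics.prometheus",
                           "/metrics enabled without prometheus_username/prometheus_password"))
    return out


def load_config(path: str = "/etc/raas/raas") -> Dict[str, Any]:
    """Load the RaaS YAML file (requires PyYAML; imported lazily so the audit runs without it)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample configurations (certificate paths are assumed, not from the page).
SAMPLE_HARDENED: Dict[str, Any] = {
    "customer_id": "43cab1f4-de60-4ab1-85b5-1d883c5c5d09",
    "tls_minimum": 1.2, "tls_crt": "/etc/raas/pki/raas.crt", "tls_key": "/etc/raas/pki/raas.key",
    "port": 8080,
    "sql": {"dialect": "postgresql", "host": "db.example.internal", "port": 5432, "ssl": True},
    "audit": {"enabled": True, "valid_logins": False},
    "master_autoaccept": False, "spa_serve_cookie_always": False, "cors_header_for_webpack": False,
    "strict_transport_security_header_enabled": True, "tornado_xsrf_cookies_enabled": True,
    "metrics": {"prometheus": False},
}
SAMPLE_WEAK: Dict[str, Any] = {
    "customer_id": "", "tls_minimum": 1.0, "tls_crt": "/etc/raas/pki/raas.crt",
    "sql": {"host": "", "port": 5432, "password": "secret", "ssl": False},
    "master_autoaccept": True, "tornado_xsrf_cookies_enabled": False,
    "metrics": {"prometheus": True},
}

if __name__ == "__main__":
    for f in audit_raas_config(SAMPLE_WEAK):
        print(f"[{f.severity.upper():7}] {f.key}: {f.message}")
```

To check a live node, replace the sample with `audit_raas_config(load_config())`; an empty result means every checklist item passed, and each Finding names the dotted key so it can be cross-referenced with the default file shown below.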
Default RaaS configuration file
The following file shows the default RaaS configuration file, with descriptions of the various configuration settings.
# RaaS Default Configuration
# How often to run the compile_commands job that updates the activity tab
activity_tab_cycle: 2
# Elastic APM settings
apm_elastic:
  service_name: # Elastic APM Service Name
  secret_token: # Elastic APM Secret Token
  server_url: # Elastic APM Server URL
  environment: production
# audit tracking settings
audit:
  enabled: false
  valid_logins: false
  auth: true
  rpc: true
  system: true
  tasks: false
  rpc_max_payload: 100
# authentication backends
authers:
  ldap:
    log_detail: ERROR
    ssl: {}
    ldap_receive_timeout: 60
    group_level_limit: 20
# Configuration settings for background workers. Settings for each queue:
# concurrency: number of worker processes (0 = auto calc one per core up to max)
# max_tasks: worker recycles after running this many tasks
# max_memory: in kB, 0=auto, None=unlimited
# result_expires: how long results are stored in Redis, in seconds
# prefetch_multiplier: How many messages to prefetch at a time multiplied by the number of concurrent processes
# without_heartbeat: When true, don't send event heartbeats. Reduces Redis usage.
# without_mingle: When true, don't synchronize with other workers at start-up. Reduces worker startup time.
# without_gossip: When true, don't subscribe to other workers' events. Reduces Redis usage.
# use_fair_scheduler: Use Celery's fair scheduling algorithm, better for long running tasks
background_workers:
  combined_process: true # Launch celery workers and RaaS processes together. Set to False if running celery separately.
  broker: redis
  backend: redis
  log_level: warning
  celery:
    concurrency: 0
    max_tasks: 100000
    max_memory: 0
    result_expires: 60
    prefetch_multiplier: 1
    without_heartbeat: false
    without_mingle: true
    without_gossip: true
    use_fair_scheduler: true
  lr:
    concurrency: 0
    max_tasks: 100000
    max_memory: 0
    result_expires: 60
    prefetch_multiplier: 1
    without_heartbeat: false
    without_mingle: true
    without_gossip: true
    use_fair_scheduler: true
  grainscache:
    concurrency: 0
    max_tasks: 100000
    max_memory: 0
    result_expires: 60
    prefetch_multiplier: 1
    without_heartbeat: false
    without_mingle: true
    without_gossip: true
    use_fair_scheduler: true
# how often to run cache jobs (in seconds)
cache_cycle: 30
# path to RaaS cache directory
cachedir: /var/lib/raas/cache
# how often to run clean up jobs (in seconds)
clean_up_cycle: 900
# path to config directory (can be passed multiple times, order is respected)
config_dir:
  - /etc/raas
# read files in config_dir subdirs recursively
config_recurse: false
# HTTP Cookie settings
cookie:
  name: raas-session
  expires: 43200
# for use with the webpack dev server only, add the Access-Control-Allow-Origin: * header
cors_header_for_webpack: false
# Your customer ID
customer_id: 43cab1f4-de60-4ab1-85b5-1d883c5c5d09
# directory to serve files from
directory_root: /srv/raas
# enable (true) or disable (false) grains indexing.
enable_grains_indexing: true
# enable (true) or disable (false) cmd details in get_cmds API call. Should be disabled when return counts are large.
enable_cmd_details: true
# Limit returns passed to UI so they don't crash the browser. 0 is unlimited. Recommended to set as a multiple of 50.
cmd_returns_max: 0
# path to extension module directory
extension_modules: /var/lib/raas/cache/ext_mods
# Use FIPS-compliant encryption
fips_mode: false
# Limit masterfs returns passed to UI so they don't crash the browser. 0 is unlimited. Recommended to set as a multiple of 50.
fs_returns_max: 0
# the address to bind to
interface: 0.0.0.0
# time to check unresponsive jobs (in minutes)
job_unresponsive_check: 5
# time to stop checking unresponsive jobs (in minutes)
job_unresponsive_check_stop: 2880
# JSON Web Token settings
jwt:
  expires: 3600 # token expiration in seconds
  login_expires: 60 # external authentication, login token expiration in seconds
  algorithm: HS256
  max_logins: 100
# How long to keep historical data in days (leave unset to keep forever)
keep_history:
  audit: # How long to keep audit log (if audit is enabled)
  events: 1 # How long to keep salt events
  jobs: # How long to keep job data (commands, jids, returns)
  schedule: # How long to keep past schedule data
# Content and style of banner to show on UI login screen. A YAML block scalar
# can help with long message content:
#   message: >
#     Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod
#     tempor incididunt ut labore et dolore magna aliqua.
login_banner:
  enabled: false
  style: info # info or warning
  message: ''
# date and time format for console logs
log_datefmt: '%H:%M:%S'
# date and time format for logfile logs
log_datefmt_logfile: '%Y-%m-%d %H:%M:%S'
# path to log file
log_file: /var/log/raas/raas
# loglevel for logfile logs, options: all, garbage, trace, debug, profile, info, warning, error, critical, quiet
log_file_loglevel: error
# log format for console logs
log_fmt_console: '[%(levelname)-8s] %(message)s'
# log format for logfile logs
log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s:%(lineno)-4d][%(processName)s:%(process)d] %(message)s'
# loglevels for specific python modules
log_granular_levels: {}
# options: all, garbage, trace, debug, profile, info, warning, error, critical, quiet
log_level: error
# master RSA private key size
master_key_size: 2048
# expiration timeout for pending master keys in seconds
master_pending_key_expiration: 7200
# master/minion will be marked as unknown if they haven't reported back within X seconds.
raas_presence_expiration: 3600
# max number of unresponsive master checks
master_unresponsive_check_limit: 2
# template used to generate master users
master_username_template: master_{}
# Automatically accept masters, use only for development.
master_autoaccept: false
# System metrics settings
metrics:
  enabled: true # If True, enable the collection of system metrics
  prometheus: false # If True, enable the Prometheus endpoint at /metrics (also set prometheus_username and prometheus_password)
  prometheus_username: # Static username for retrieving /metrics
  prometheus_password: # Static password for retrieving /metrics
  snapshot_interval: 60 # How often to record snapshot metrics, in seconds
  max_query_timedelta: 86400 # Maximum timedelta for a single call to get_system_metrics, in seconds
  keep: 30 # How long to retain metrics data, in days
# ignore some minion grains, glob matching allowed
minion_grains_filter:
  mode: blacklist
  grains: []
# 0=off, max seconds to lock when adding minion keys and cache. This throttles insert of minions into the database.
minion_onboarding_throttle: 0
# max number of auto calculated processes per type. example: 8 max web, 8 max background workers
max_processes: 8
# Minion deployment settings
minion_deployment:
  max_minion_deployment_time: 3600 # Maximum time (in seconds) allowed for minion deployment after which status will be marked as failed
  airgap_install: false # Deploy minions in an airgapped environment
newrelic_config_file: /etc/raas/newrelic.ini
newrelic_enabled: false
# number of web server processes (0 = auto calc one per core up to max)
num_processes: 0
# number of password attempts to start blocking
password_attempts: 50
# number of seconds to sleep following a failed attempt
password_sleep: 30
# path to RaaS process ID file
pidfile: /var/lib/raas/run/raas.pid
# path to directory for RaaS PKI keys
pki_dir: /etc/raas/pki
# port to bind to
port: 8080
# delta proxy monitoring options
proxy:
  monitored: false
  monitor_interval: 90
  rebalance_interval: 120
  tgt: deltaproxy*
  tgt_type: glob
# vRA Integration
vra:
  validate_ssl: true # If True, raas proxy will validate ssl certs
  exclude_host: false # If True, raas proxy will not pass the host header to CSP
  saved_params_timeout: 90 # How many seconds elapse before we get the latest vra params from the db
# To use the environment variable REDIS_URL, set `url: ENV`.
redis:
  url: redis://localhost:6379 # Redis URL without '/{database_number}' at the end
  broker_db: '0' # queue database number
  result_db: '1' # result storage database number
  cache_db: '2' # cache database number
  ssl: {}
# multiplier used to calculate retry timing on connection failures
retry_timeout_multiplier: 3
root_dir: /
# how often to check for scheduled jobs (in seconds)
schedule_cycle: 10
# how many future schedules are calculated per cycle
scheduler_max_futures_per_cycle: 500
# how many weeks ahead schedules are calculated out to
scheduler_max_futures_weeks_ahead: 12
# SecOps settings
sec:
  stats_snapshot_interval: 3600 # Interval in seconds between when stats for Secops will be gathered (ENV Var: SSE_SEC_STATS_SNAPSHOT_INTERVAL)
  username: secops # Username used to log in to enterprise.saltstack.com to get content (ENV Var: SSE_SEC_USERNAME)
  content_url: https://enterprise.saltstack.com/secops_downloads # URL from which SaltStack Secops content will be downloaded. (ENV Var: SSE_SEC_CONTENT_URL)
  ingest_saltstack_override: true # If True, existing SaltStack content will be updated, otherwise the change will be rejected. (ENV Var: SSE_SEC_INGEST_SALTSTACK_OVERRIDE)
  ingest_custom_override: true # If True, existing Custom content will be updated, otherwise the change will be rejected. (ENV Var: SSE_SEC_INGEST_CUSTOM_OVERRIDE)
  locke_dir: locke # Location where SaltStack content is expanded before ingestion. If the path is relative (no leading slash), then it is relative to the RAAS cache dir (ENV Var: SSE_SEC_LOCKE_DIR)
  post_ingest_cleanup: true # If True, post ingestion the contents of the locke_dir will be cleaned out. (ENV Var: SSE_SEC_POST_INGEST_CLEANUP)
  download_enabled: true # If True, SaltStack content downloading is enabled. (should be False for air gapped systems) (ENV Var: SSE_SEC_DOWNLOAD_ENABLED)
  download_frequency: 86400 # The frequency in seconds of automated SaltStack Secops content downloads and ingestion. (ENV Var: SSE_SEC_DOWNLOAD_FREQUENCY)
  compile_stats_interval: 10 # Interval in seconds between times that the compile stats will be gathered. (ENV Var: SSE_SEC_COMPILE_STATS_INTERVAL)
  archive_interval: 300 # The interval in seconds between attempts to archive old assessment/remediation results (ENV Var: SSE_SEC_ARCHIVE_INTERVAL)
  old_policy_file_lifespan: 2 # The lifespan of old lock policy files in days that will remain in the RAAS file system
  delete_old_policy_files_interval: 86400 # The interval in seconds between times that the old lock policy files in the RAAS file system will be deleted
  ingest_on_boot: true # If True, SaltStack Secops content will be downloaded and ingested soon after RAAS boot (ENV Var: SSE_SEC_INGEST_ON_BOOT)
  content_lock_timeout: 60 # When multiple RAAS heads are deployed, the SaltStack SecOps content download and ingestion is serialized so only one RAAS head at a time will attempt it. This is the value for the redis lock timeout. (ENV Var: SSE_SEC_CONTENT_LOCK_TIMEOUT)
  content_lock_block_timeout: 120 # This is the maximum time a RAAS head will block on a lock to perform a SaltStack SecOps download and ingestion. (ENV Var: SSE_SEC_CONTENT_LOCK_BLOCK_TIMEOUT)
# Sentry DSN to report errors (sensitive data is obfuscated)
sentry_dsn:
# path to RaaS directory for socket files
sock_dir: /var/lib/raas/sock
# for development only, always serve the session cookie regardless of the request being http or https
spa_serve_cookie_always: false
# REQUIRED: fill in your database info
# - SQLAlchemy options - http://docs.sqlalchemy.org/en/rel_1_0/dialects/index.html
# - To use the environment variable DATABASE_URL, set `url: ENV`. For example:
#     $ export DATABASE_URL=postgres://user:secret@localhost:5432/raas_db_name
# - To store database credentials in an encrypted file, run "raas save_creds"
#   after installation.
# - It is possible, but not recommended practice, to specify database credentials
#   in plaintext in this section as `username: user` and `password: secret`.
# - Make sure you specify the correct SSL parameters by setting `ssl: False`
#   or `True` and filling in the correct fields in `ssl_opts` OR
#   adding the right query parameters in the DATABASE_URL.
# - NOTE DATABASE_URL takes precedence over all other settings except username and password
sql:
  dialect: postgresql
  driver: psycopg2
  host:
  port:
  pool_size: 10
  pool_timeout: 10
  pool_recycle: 3600
  chunksize_yield_per_small_table: 1000
  chunksize_yield_per_big_table: 5000
  ssl: false
  ssl_opts: {}
# strict transport security header enabled (aka HSTS, HTTPS only)
strict_transport_security_header_enabled: true
# Do not calculate target group membership locally, have masters send it.
target_groups_from_master_only: false
# cross-site request forgery cookie enabled
tornado_xsrf_cookies_enabled: true
# check the running environment prior to starting services
verify_env: true
# Vulnerability Management settings
vman:
  vman_dir: vman # Location where SaltStack content is expanded before ingestion. If the path is relative (no leading slash), then it is relative to the RAAS cache dir (ENV Var: SSE_VMAN_DIR)
  download_enabled: true # If True, SaltStack content downloading is enabled. (should be False for air gapped systems) (ENV Var: SSE_VMAN_DOWNLOAD_ENABLED)
  download_frequency: 86400 # The frequency in seconds of automated SaltStack Vulnerability Management content downloads and ingestion. (ENV Var: SSE_VMAN_DOWNLOAD_FREQUENCY)
  username: vman # Username used to log in to enterprise.saltstack.com to get content (ENV Var: SSE_VMAN_USERNAME)
  content_url: https://enterprise.saltstack.com/vman_downloads # URL from which SaltStack Vulnerability Management content will be downloaded. (ENV Var: SSE_VMAN_CONTENT_URL)
  ingest_on_boot: true # If True, SaltStack Vulnerability Management content will be downloaded and ingested soon after RAAS boot (ENV Var: SSE_VMAN_INGEST_ON_BOOT)
  post_ingest_cleanup: false # If True, post ingestion the contents of the vman_dir will be cleaned out. (ENV Var: SSE_VMAN_POST_INGEST_CLEANUP)
  content_lock_timeout: 2000 # When multiple RAAS heads are deployed, the SaltStack vulnerability management content download and ingestion is serialized so only one RAAS head at a time will attempt it. (ENV Var: SSE_VMAN_CONTENT_LOCK_TIMEOUT)
  compile_stats_interval: 60 # Interval in seconds between times that the compile stats will be gathered. (ENV Var: SSE_VMAN_COMPILE_STATS_INTERVAL)
  stats_snapshot_interval: 3600 # Interval in seconds between when stats for VMan will be gathered (ENV Var: SSE_VMAN_STATS_SNAPSHOT_INTERVAL)
  old_policy_file_lifespan: 2 # The lifespan of old policy files in days that will remain in the RAAS file system
  delete_old_policy_files_interval: 86400 # The interval in seconds between times that the old vman policy files in the RAAS file system will be deleted
  tenable_asset_import_enabled: true # If True, minion grains in SSE will be sent to tenable for matching assets
  tenable_asset_import_grains: # Choose the minion grains that need to be sent to tenable. Grains fqdn and ipv4 will be sent even if not included here. For additional information, please refer to https://developer.tenable.com/reference#assets-import
    - fqdn
    - ipv4
    - ipv6
    - hostname
    - mac_address
    - netbios_name
    - bios_uuid
    - manufacturer_tpm_id
    - ssh_fingerprint
    - mcafee_epo_guid
    - mcafee_epo_agent_guid
    - symantec_ep_hardware_key
    - qualys_asset_id
    - qualys_host_id
    - servicenow_sys_id
    - gcp_project_id
    - gcp_zone
    - gcp_instance_id
    - azure_vm_id
    - azure_resource_id
    - aws_availability_zone
    - aws_ec2_instance_ami_id
    - aws_ec2_instance_group_name
    - aws_ec2_instance_state_name
    - aws_ec2_instance_type
    - aws_ec2_name
    - aws_ec2_product_code
    - aws_owner_id
    - aws_region
    - aws_subnet_id
    - aws_vpc_id
    - installed_software
    - bigfix_asset_id
# how long to wait while reading body (seconds), when None uses tornado default
webserver_body_timeout:
# maximum amount of data for body, when None uses tornado default
webserver_max_body_size:
# maximum amount of incoming data to buffer, when None uses tornado default
webserver_max_buffer_size:
# in kB, 0=auto
webserver_max_memory: 0
# in seconds, 0=disabled
webserver_max_time: 0
# max interval in seconds subscription updates can be sent
websocket_debounce: 5
# time in seconds to send ping over websocket to keep it open
websocket_ping_interval: 15
# timeout in seconds to wait for websocket ping
websocket_ping_timeout: 600
# in seconds, polling time for non-database listening subscriptions
websocket_polling: 15
# time in seconds for a websocket ticket to expire
websocket_ticket_expiration: 5
Next steps
After configuring the RaaS node, you must perform the remaining post-installation steps. The next step is the first login to the Automation Config user interface. To continue the post-installation process, see Logging in for the first time and changing the default credentials.