설치 후 프로세스의 일부로 RaaS 구성을 검토하는 것이 좋습니다. RaaS(Returner as a Service)는 Automation Config의 중앙 구성 요소입니다. RaaS는 Automation Config 사용자 인터페이스에서 관리 명령을 수신하기 위한 RPC 끝점은 물론 연결된 Salt 마스터와의 상호 작용을 위한 RPC 제어 끝점을 제공합니다. RaaS 구성 설정은 RaaS 노드의 /etc/raas/raas 구성 파일에 있습니다.
시작하기 전에
RaaS 노드 구성은 특정 순서로 수행해야 하는 일련의 여러 단계 중 하나인 설치 후 단계입니다. 먼저 설치 시나리오 중 하나를 완료한 후 다음과 같은 설치 후 페이지를 읽어보십시오.
구성 설정 확인
- RaaS 노드에서 RaaS 구성 파일을 엽니다. 기본적으로 이 파일은 대개
/etc/raas/raas에 저장됩니다. - 다음 필수 설정을 확인합니다.
설정 설명 customer_id고객 ID 또는 샘플 UUID입니다. sqlusername,password,host,port를 데이터베이스 구성과 일치하도록 구성할 수 있습니다. 자격 증명을 안전하게 저장하는 방법에 자세한 내용은 Automation Config 구성에서 자격 증명 보안 기술 자료 문서를 참조하십시오. - 다음 추가 설정을 확인합니다.
설정 설명 tls_minumumRaaS에서 수락하는 최저 TLS 버전을 설정합니다. 기본적으로 이 속성은 1.2로 설정되어 있습니다. 필요한 경우 이 설정을 더 낮은 버전 번호로 변경할 수 있습니다. 그러나 이전 버전의 보안 문제로 인해 1.2보다 낮은 버전을 사용하는 것은 권장되지 않습니다.tls_crt암호화된 통신을 위한 crt파일의 경로입니다. 이 인증서가 자체 서명되었고 알려진 CA를 사용하여 검증되지 않는 경우 Salt 마스터 구성 파일에서sseapi_validate_cert옵션을False로 설정해야 합니다.tls_key인증서 키 파일입니다. portAutomation Config 사용자 인터페이스 및 Salt 컨트롤러에서 연결하는 데 사용되는 포트입니다. audit관리자 계정의 디버그 보고서에 API(RaaS) 정보를 포함합니다. valid_logins가True로 설정되어 있으면 관리자가 아닌 사용자가 생성한 버그 보고서에도 이 정보가 포함됩니다.raas_presence_expiration미니언이 없다고 간주되기 전에 비활성 상태로 경과하는 시간(초)입니다. 기본값은 3600초(1시간)입니다.
기본 RaaS 구성 파일
다음 파일은 다양한 구성 설정에 대한 설명이 포함된 기본 RaaS 구성 파일을 보여줍니다.
# RaaS Default Configuration
# How often to run the compile_commands job that updates the activity tab
activity_tab_cycle: 2
# Elastic APM settings
apm_elastic:
service_name: # Elastic APM Service Name
secret_token: # Elastic APM Secret Token
server_url: # Elastic APM Server URL
environment: production
# audit tracking settings
audit:
enabled: false
valid_logins: false
auth: true
rpc: true
system: true
tasks: false
rpc_max_payload: 100
# authentication backends
authers:
ldap:
log_detail: ERROR
ssl: {}
ldap_receive_timeout: 60
group_level_limit: 20
# Configuration settings for background workers. Settings for each queue:
# concurrency: number of worker processes (0 = auto calc one per core up to max)
# max_tasks: worker recycles after running this many tasks
# max_memory: in kB, 0=auto, None=unlimited
# result_expires: how long results are stored in Redis, in seconds
# prefetch_multiplier: How many messages to prefetch at a time multiplied by the number of concurrent processes
# without_heartbeat: When true, don't send event heartbeats. Reduces Redis usage.
# without_mingle: When true, Don't synchronize with other workers at start-up. Reduces worker startup up time.
# without_gossip: When true, Don't subscribe to other workers events. Reduces redis usage.
# use_fair_scheduler: Use Celery's fair scheduling algorithm, better for long running tasks
background_workers:
combined_process: true # Launch celery workers and RaaS processes together. Set to False if running celery separately.
broker: redis
backend: redis
log_level: warning
celery:
concurrency: 0
max_tasks: 100000
max_memory: 0
result_expires: 60
prefetch_multiplier: 1
without_heartbeat: false
without_mingle: true
without_gossip: true
use_fair_scheduler: true
lr:
concurrency: 0
max_tasks: 100000
max_memory: 0
result_expires: 60
prefetch_multiplier: 1
without_heartbeat: false
without_mingle: true
without_gossip: true
use_fair_scheduler: true
grainscache:
concurrency: 0
max_tasks: 100000
max_memory: 0
result_expires: 60
prefetch_multiplier: 1
without_heartbeat: false
without_mingle: true
without_gossip: true
use_fair_scheduler: true
# how often to run cache jobs (in seconds)
cache_cycle: 30
# path to RaaS cache directory
cachedir: /var/lib/raas/cache
# how often to run clean up jobs (in seconds)
clean_up_cycle: 900
# path to config directory (can be passed multiple times, order is respected)
config_dir:
- /etc/raas
# read files in config_dir subdirs recursively
config_recurse: false
# HTTP Cookie settings
cookie:
name: raas-session
expires: 43200
# for use with the webpack dev server only, Add the Access-Control-Allow-Origin: * header
cors_header_for_webpack: false
# Your customer ID
customer_id: 43cab1f4-de60-4ab1-85b5-1d883c5c5d09
# directory to serve files from
directory_root: /srv/raas
# enable (true) or disable (false) grains indexing.
enable_grains_indexing: true
# enable (true) or disable (false) cmd details in get_cmds API call. Should be disabled when return counts are large.
enable_cmd_details: true
# Limit returns passed to UI so they don't crash the browser. 0 is unlimited. Recommended to set as a mutliple of 50.
cmd_returns_max: 0
# path to extension module directory
extension_modules: /var/lib/raas/cache/ext_mods
# Use FIPS-compliant encryption
fips_mode: false
# Limit masterfs returns passed to UI so they don't crash the browser. 0 is unlimited. Recommended to set as a mutliple of 50.
fs_returns_max: 0
# the address to bind to
interface: 0.0.0.0
# time to check unresponsive jobs (in minutes)
job_unresponsive_check: 5
# time to stop checking unresponsive jobs (in minutes)
job_unresponsive_check_stop: 2880
# JSON Web Token settings
jwt:
expires: 3600 # token expiration in seconds
login_expires: 60 # external authentication, login token expiration in seconds
algorithm: HS256
max_logins: 100
# How long to keep historical data in days (leave unset to keep forever)
keep_history:
audit: # How long to keep audit log (if audit is enabled)
events: 1 # How long to keep salt events
jobs: # How long to keep job data (commands, jids, returns)
schedule: # How long to keep past schedule data
# Content and style of banner to show on UI login screen. A YAML block scalar
# can help with long message content:
# message: >
# Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod
# tempor incididunt ut labore et dolore magna aliqua.
login_banner:
enabled: false
style: info # info or warning
message: ''
# date and time format for console logs
log_datefmt: '%H:%M:%S'
# date and time format for logfile logs
log_datefmt_logfile: '%Y-%m-%d %H:%M:%S'
# path to log file
log_file: /var/log/raas/raas
# loglevel for logfile logs, options: all, garbage, trace, debug, profile, info, warning, error, critical, quiet
log_file_loglevel: error
# log format for console logs
log_fmt_console: '[%(levelname)-8s] %(message)s'
# log format for logfile logs
log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s:%(lineno)-4d][%(processName)s:%(process)d]
%(message)s'
# loglevels for specific python modules
log_granular_levels: {}
# options: all, garbage, trace, debug, profile, info, warning, error, critical, quiet
log_level: error
# master RSA private key size
master_key_size: 2048
# expiration timeout for pending master keys in seconds
master_pending_key_expiration: 7200
# master/minion will be marked as unknown if they haven't reported back within X seconds.
raas_presence_expiration: 3600
# max number of unresponsive master checks
master_unresponsive_check_limit: 2
# template used to generate master users
master_username_template: master_{}
# Automatically accept masters, use only for development.
master_autoaccept: false
# System metrics settings
metrics:
enabled: true # If True, enable the collection of system metrics
prometheus: false # If True, enable the Prometheus endpoint at /metrics (also set prometheus_username and prometheus_password)
prometheus_username: # Static username for retrieving /metrics
prometheus_password: # Static password for retrieving /metrics
snapshot_interval: 60 # How often to record snapshot metrics, in seconds
max_query_timedelta: 86400 # Maximum timedelta for a single call to get_system_metrics, in seconds
keep: 30 # How long to retain metrics data, in days
# ignore some minion grains, glob matching allowed
minion_grains_filter:
mode: blacklist
grains: []
# 0=off, max seconds to lock when adding minion keys and cache. This throttles insert of minions into the database.
minion_onboarding_throttle: 0
# max number of auto calculated processes per type. example: 8 max web, 8 max background workers
max_processes: 8
# Minion deployment settings
minion_deployment:
max_minion_deployment_time: 3600 # Maximum time (in seconds) allowed for minion deployment after which status will be marked as failed
airgap_install: false # Deploy minions in an airgapped environment
newrelic_config_file: /etc/raas/newrelic.ini
newrelic_enabled: false
# number of web server processes (0 = auto calc one per core up to max)
num_processes: 0
# number of password attempts to start blocking
password_attempts: 50
# number of seconds to sleep following a failed attempt
password_sleep: 30
# path to RaaS process ID file
pidfile: /var/lib/raas/run/raas.pid
# path to directory for RaaS PKI keys
pki_dir: /etc/raas/pki
# port to bind to
port: 8080
# delta proxy monitoring options
proxy:
monitored: false
monitor_interval: 90
rebalance_interval: 120
tgt: deltaproxy*
tgt_type: glob
# vRA Integration
vra:
validate_ssl: true # If True, raas proxy will validate ssl certs
exclude_host: false # If True, raas proxy will not pass the host header to CSP
saved_params_timeout: 90 # How many seconds elapse before we get that latest vra params from the db
# To use the the environment variable REDIS_URL, set `url: ENV`.
redis:
url: redis://localhost:6379 # Redis URL without '/{database_number}' at the end
broker_db: '0' # queue database number
result_db: '1' # result storage database number
cache_db: '2' # cache database number
ssl: {}
# multiplier used to calculate retry timing on connection failures
retry_timeout_multiplier: 3
root_dir: /
# how often to check for scheduled jobs (in seconds)
schedule_cycle: 10
# how many future schedules are calculated per cycle
scheduler_max_futures_per_cycle: 500
# how many weeks ahead schedules are calculated out to
scheduler_max_futures_weeks_ahead: 12
# SecOps settings
sec:
stats_snapshot_interval: 3600 # Interval in seconds between when stats for Secops will be gathered (ENV Var: SSE_SEC_STATS_SNAPSHOT_INTERVAL)
username: secops # Username used to log in to enterprise.saltstack.com to get content (ENV Var: SSE_SEC_USERNAME)
content_url: https://enterprise.saltstack.com/secops_downloads # URL from which SaltStack Secops content will be downloaded. (ENV Var: SSE_SEC_CONTENT_URL)
ingest_saltstack_override: true # If True, existing SaltStack content will be updated otherwise the change will be rejected. (ENV Var: SSE_SEC_INGEST_SALTSTACK_OVERRIDE)
ingest_custom_override: true # If True, existing Custom content will be updated otherwise the change will be rejected. (ENV Var: SSE_SEC_INGEST_CUSTOM_OVERRIDE)
locke_dir: locke # Location where SaltStack content in expanded before ingestion. If the path is relative (no leading slash), then it is relative to the RAAS cache dir (ENV Var: SSE_SEC_LOCKE_DIR)
post_ingest_cleanup: true # If True, post ingestion the contents of the locke_dir will be cleaned out. (ENV Var: SSE_SEC_POST_INGEST_CLEANUP)
download_enabled: true # If True, SaltStack content downloading is enabled. (should be False for air gapped systems) (ENV Var: SSE_SEC_DOWNLOAD_ENABLED)
download_frequency: 86400 # The frequency in seconds of automated SaltStack Secops content downloads and ingestion. (ENV Var: SSE_SEC_DOWNLOAD_FREQUENCY)
compile_stats_interval: 10 # Interval in seconds between times that the compile stats will be gathered. (ENV Var: SSE_SEC_COMPILE_STATS_INTERVAL)
archive_interval: 300 # The interval in seconds between attempts to archive old assessment/remediation results (ENV Var: SSE_SEC_ARCHIVE_INTERVAL)
old_policy_file_lifespan: 2 # The lifespan of old lock policy files in days that will remain in the RAAS file system
delete_old_policy_files_interval: 86400 # The interval in seconds between times that theold lock policy files in the RAAS file system will be deleted
ingest_on_boot: true # If True, SaltStack Secops content will be downloaded and ingested soon after RAAS boot (ENV Var: SSE_SEC_INGEST_ON_BOOT)
content_lock_timeout: 60 # When multiple RAAS heads are deployed, the SaltStack SecOps content download and ingestion is serialized so only one RAAS head at a time will attempt it. This is the value for the redis lock timeout. (ENV Var: SSE_SEC_CONTENT_LOCK_TIMEOUT)
content_lock_block_timeout: 120 # This is the maximum time a RAAS head will block on a lock to perform a SaltStack SecOps download and ingestion. (ENV Var: SSE_SEC_CONTENT_LOCK_BLOCK_TIMEOUT)
# Sentry DSN to report errors (sensitive data is obfuscated)
sentry_dsn:
# path to RaaS directory for socket files
sock_dir: /var/lib/raas/sock
# for development only, always serve the session cookie regardless of the request being http or https
spa_serve_cookie_always: false
# REQUIRED: fill in your database info
# - SQLAlchemy options - http://docs.sqlalchemy.org/en/rel_1_0/dialects/index.html
# - To use the the environment variable DATABASE_URL, set `url: ENV`. For example:
# $ export DATABASE_URL=postgres://user:secret@localhost:5432/raas_db_name
# - To store database credentials in an encrypted file, run "raas save_creds"
# after installation.
# - It is possible, but not recommended practice, to specify database credentials
# in plaintext in this section as `username: user` and `password: secret`.
# - Make sure you specify the correct SSL parameters by setting `ssl: False`
# or `True` and filling in the correct fields in `ssl_opts` OR
# adding the right query parameters in the DATABASE_URL.
# - NOTE DATABASE_URL takes precedence over all other settings except username and password
sql:
dialect: postgresql
driver: psycopg2
host:
port:
pool_size: 10
pool_timeout: 10
pool_recycle: 3600
chunksize_yield_per_small_table: 1000
chunksize_yield_per_big_table: 5000
ssl: false
ssl_opts: {}
# strict transport security header enabled (aka HSTS, HTTPS only)
strict_transport_security_header_enabled: true
# Do not calculate target group membership locally, have masters send it.
target_groups_from_master_only: false
# cross-site request forgery cookie enabled
tornado_xsrf_cookies_enabled: true
# check the running environment prior to starting services
verify_env: true
# Vulnerability Management settings
vman:
vman_dir: vman # Location where SaltStack content in expanded before ingestion. If the path is relative (no leading slash), then it is relative to the RAAS cache dir (ENV Var: SSE_VMAN_DIR)
download_enabled: true # If True, SaltStack content downloading is enabled. (should be False for air gapped systems) (ENV Var: SSE_VMAN_DOWNLOAD_ENABLED)
download_frequency: 86400 # The frequency in seconds of automated SaltStack Vulnerability Management content downloads and ingestion. (ENV Var: SSE_VMAN_DOWNLOAD_FREQUENCY)
username: vman # Username used to log in to enterprise.saltstack.com to get content (ENV Var: SSE_VMAN_USERNAME)
content_url: https://enterprise.saltstack.com/vman_downloads # URL from which SaltStack Vulnerability Management content will be downloaded. (ENV Var: SSE_VMAN_CONTENT_URL)
ingest_on_boot: true # If True, SaltStack Vulnerability Management content will be downloaded and ingested soon after RAAS boot (ENV Var: SSE_VMAN_INGEST_ON_BOOT)
post_ingest_cleanup: false # If True, post ingestion the contents of the vman_dir will be cleaned out. (ENV Var: SSE_VMAN_POST_INGEST_CLEANUP)
content_lock_timeout: 2000 # When multiple RAAS heads are deployed, the SaltStack vulnerability management content download and ingestion is serialized so only one RAAS head at a time will attempt it. (ENV Var: SSE_VMAN_CONTENT_LOCK_TIMEOUT)
compile_stats_interval: 60 # Interval in seconds between times that the compile stats will be gathered. (ENV Var: SSE_VMAN_COMPILE_STATS_INTERVAL)
stats_snapshot_interval: 3600 # Interval in seconds between when stats for VMan will be gathered (ENV Var: SSE_VMAN_STATS_SNAPSHOT_INTERVAL)
old_policy_file_lifespan: 2 # The lifespan of old policy files in days that will remain in the RAAS file system
delete_old_policy_files_interval: 86400 # The interval in seconds between times that theold vman policy files in the RAAS file system will be deleted
tenable_asset_import_enabled: true # If True, minion grains in SSE will be sent to tenablefor matching assets
tenable_asset_import_grains: # Choose the minion grains that needs to be sent to tenable.Grain fqdn and ipv4 will be sent even if not included here.For additional information, please refer https://developer.tenable.com/reference#assets-import
- fqdn
- ipv4
- ipv6
- hostname
- mac_address
- netbios_name
- bios_uuid
- manufacturer_tpm_id
- ssh_fingerprint
- mcafee_epo_guid
- mcafee_epo_agent_guid
- symantec_ep_hardware_key
- qualys_asset_id
- qualys_host_id
- servicenow_sys_id
- gcp_project_id
- gcp_zone
- gcp_instance_id
- azure_vm_id
- azure_resource_id
- aws_availability_zone
- aws_ec2_instance_ami_id
- aws_ec2_instance_group_name
- aws_ec2_instance_state_name
- aws_ec2_instance_type
- aws_ec2_name
- aws_ec2_product_code
- aws_owner_id
- aws_region
- aws_subnet_id
- aws_vpc_id
- installed_software
- bigfix_asset_id
# how long to wait while reading body (seconds), when None uses tornado default
webserver_body_timeout:
# maximum amount of data for body, when None uses tornado default
webserver_max_body_size:
# maximum amount of incoming data to buffer, when None uses tornado default
webserver_max_buffer_size:
# in kB, 0=auto
webserver_max_memory: 0
# in seconds, 0=disabled
webserver_max_time: 0
# max interval in seconds subscription updates can be sent
websocket_debounce: 5
# time in seconds to send ping over websocket to keep it open
websocket_ping_interval: 15
# timeout in seconds to wait for websocket ping
websocket_ping_timeout: 600
# in seconds, polling time for non-database listening subscriptions
websocket_polling: 15
# time in seconds for a websocket ticket to expire
websocket_ticket_expiration: 5
후속 작업
RaaS 노드를 구성한 후에는 설치 후 단계를 추가로 완료해야 합니다. 다음 단계는 Automation Config 사용자 인터페이스에 처음으로 로그인하는 단계입니다. 설치 후 프로세스를 계속하려면 처음으로 로그인하고 기본 자격 증명 변경을 참조하십시오.
