在安裝後過程中,請考慮檢閱 RaaS 組態。RaaS (表示傳回程式即服務) 是 Automation Config 中的中心元件。RaaS 提供 RPC 端點 (用於從 Automation Config 使用者介面接收管理命令) 以及 RPC 控制端點 (用於與連線的 Salt 主節點建立連接)。RaaS 組態設定位於 RaaS 節點上的 /etc/raas/raas 組態檔中。
開始之前
設定 RaaS 節點是一系列步驟中的一個安裝後步驟,這些步驟應按特定順序執行。首先,完成其中一個安裝案例,然後閱讀以下安裝後頁面:
檢查組態設定
- 開啟 RaaS 節點上的 RaaS 組態檔。依預設,它通常儲存在
/etc/raas/raas中。 - 檢查以下必要設定:
設定 說明 customer_id您的客戶識別碼或範例 UUID。 sql可以設定
username、password、host和port以與資料庫組態相符。如需有關安全儲存認證的詳細資訊,請參閱〈在 Automation Config 組態中保護認證〉知識庫文章。 - 檢查以下其他設定:
設定 說明 tls_minumum設定 RaaS 接受的最低 TLS 版本。依預設,該內容會設為 1.2。如果需要,可以將此設定變更為更低的版本號碼。但是,由於舊版中存在安全性問題,建議不要使用低於 1.2 的版本。tls_crt用於加密通訊的 crt檔案的路徑。如果此憑證是自我簽署憑證,且不應使用已知 CA 進行驗證,請務必將 Salt 主節點組態檔中的sseapi_validate_cert選項設定為False。tls_key憑證金鑰檔案。 port用於從 Automation Config 使用者介面和 Salt 控制器進行連線的連接埠。 audit在管理員帳戶的偵錯報告中包含 API (RaaS) 資訊。如果 valid_logins已設為True,則由非管理員使用者產生的錯誤報告中也包含此資訊。raas_presence_expiration在部屬節點被視為不存在之前處於非作用中狀態的秒數。預設值為 3600 秒 (1 小時)。
預設 RaaS 組態檔
以下檔案顯示了預設 RaaS 組態檔,其中包括不同組態設定的說明:
# RaaS Default Configuration
# How often to run the compile_commands job that updates the activity tab
activity_tab_cycle: 2
# Elastic APM settings
apm_elastic:
service_name: # Elastic APM Service Name
secret_token: # Elastic APM Secret Token
server_url: # Elastic APM Server URL
environment: production
# audit tracking settings
audit:
enabled: false
valid_logins: false
auth: true
rpc: true
system: true
tasks: false
rpc_max_payload: 100
# authentication backends
authers:
ldap:
log_detail: ERROR
ssl: {}
ldap_receive_timeout: 60
group_level_limit: 20
# Configuration settings for background workers. Settings for each queue:
# concurrency: number of worker processes (0 = auto calc one per core up to max)
# max_tasks: worker recycles after running this many tasks
# max_memory: in kB, 0=auto, None=unlimited
# result_expires: how long results are stored in Redis, in seconds
# prefetch_multiplier: How many messages to prefetch at a time multiplied by the number of concurrent processes
# without_heartbeat: When true, don't send event heartbeats. Reduces Redis usage.
# without_mingle: When true, Don't synchronize with other workers at start-up. Reduces worker startup up time.
# without_gossip: When true, Don't subscribe to other workers events. Reduces redis usage.
# use_fair_scheduler: Use Celery's fair scheduling algorithm, better for long running tasks
background_workers:
combined_process: true # Launch celery workers and RaaS processes together. Set to False if running celery separately.
broker: redis
backend: redis
log_level: warning
celery:
concurrency: 0
max_tasks: 100000
max_memory: 0
result_expires: 60
prefetch_multiplier: 1
without_heartbeat: false
without_mingle: true
without_gossip: true
use_fair_scheduler: true
lr:
concurrency: 0
max_tasks: 100000
max_memory: 0
result_expires: 60
prefetch_multiplier: 1
without_heartbeat: false
without_mingle: true
without_gossip: true
use_fair_scheduler: true
grainscache:
concurrency: 0
max_tasks: 100000
max_memory: 0
result_expires: 60
prefetch_multiplier: 1
without_heartbeat: false
without_mingle: true
without_gossip: true
use_fair_scheduler: true
# how often to run cache jobs (in seconds)
cache_cycle: 30
# path to RaaS cache directory
cachedir: /var/lib/raas/cache
# how often to run clean up jobs (in seconds)
clean_up_cycle: 900
# path to config directory (can be passed multiple times, order is respected)
config_dir:
- /etc/raas
# read files in config_dir subdirs recursively
config_recurse: false
# HTTP Cookie settings
cookie:
name: raas-session
expires: 43200
# for use with the webpack dev server only, Add the Access-Control-Allow-Origin: * header
cors_header_for_webpack: false
# Your customer ID
customer_id: 43cab1f4-de60-4ab1-85b5-1d883c5c5d09
# directory to serve files from
directory_root: /srv/raas
# enable (true) or disable (false) grains indexing.
enable_grains_indexing: true
# enable (true) or disable (false) cmd details in get_cmds API call. Should be disabled when return counts are large.
enable_cmd_details: true
# Limit returns passed to UI so they don't crash the browser. 0 is unlimited. Recommended to set as a mutliple of 50.
cmd_returns_max: 0
# path to extension module directory
extension_modules: /var/lib/raas/cache/ext_mods
# Use FIPS-compliant encryption
fips_mode: false
# Limit masterfs returns passed to UI so they don't crash the browser. 0 is unlimited. Recommended to set as a mutliple of 50.
fs_returns_max: 0
# the address to bind to
interface: 0.0.0.0
# time to check unresponsive jobs (in minutes)
job_unresponsive_check: 5
# time to stop checking unresponsive jobs (in minutes)
job_unresponsive_check_stop: 2880
# JSON Web Token settings
jwt:
expires: 3600 # token expiration in seconds
login_expires: 60 # external authentication, login token expiration in seconds
algorithm: HS256
max_logins: 100
# How long to keep historical data in days (leave unset to keep forever)
keep_history:
audit: # How long to keep audit log (if audit is enabled)
events: 1 # How long to keep salt events
jobs: # How long to keep job data (commands, jids, returns)
schedule: # How long to keep past schedule data
# Content and style of banner to show on UI login screen. A YAML block scalar
# can help with long message content:
# message: >
# Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod
# tempor incididunt ut labore et dolore magna aliqua.
login_banner:
enabled: false
style: info # info or warning
message: ''
# date and time format for console logs
log_datefmt: '%H:%M:%S'
# date and time format for logfile logs
log_datefmt_logfile: '%Y-%m-%d %H:%M:%S'
# path to log file
log_file: /var/log/raas/raas
# loglevel for logfile logs, options: all, garbage, trace, debug, profile, info, warning, error, critical, quiet
log_file_loglevel: error
# log format for console logs
log_fmt_console: '[%(levelname)-8s] %(message)s'
# log format for logfile logs
log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s:%(lineno)-4d][%(processName)s:%(process)d]
%(message)s'
# loglevels for specific python modules
log_granular_levels: {}
# options: all, garbage, trace, debug, profile, info, warning, error, critical, quiet
log_level: error
# master RSA private key size
master_key_size: 2048
# expiration timeout for pending master keys in seconds
master_pending_key_expiration: 7200
# master/minion will be marked as unknown if they haven't reported back within X seconds.
raas_presence_expiration: 3600
# max number of unresponsive master checks
master_unresponsive_check_limit: 2
# template used to generate master users
master_username_template: master_{}
# Automatically accept masters, use only for development.
master_autoaccept: false
# System metrics settings
metrics:
enabled: true # If True, enable the collection of system metrics
prometheus: false # If True, enable the Prometheus endpoint at /metrics (also set prometheus_username and prometheus_password)
prometheus_username: # Static username for retrieving /metrics
prometheus_password: # Static password for retrieving /metrics
snapshot_interval: 60 # How often to record snapshot metrics, in seconds
max_query_timedelta: 86400 # Maximum timedelta for a single call to get_system_metrics, in seconds
keep: 30 # How long to retain metrics data, in days
# ignore some minion grains, glob matching allowed
minion_grains_filter:
mode: blacklist
grains: []
# 0=off, max seconds to lock when adding minion keys and cache. This throttles insert of minions into the database.
minion_onboarding_throttle: 0
# max number of auto calculated processes per type. example: 8 max web, 8 max background workers
max_processes: 8
# Minion deployment settings
minion_deployment:
max_minion_deployment_time: 3600 # Maximum time (in seconds) allowed for minion deployment after which status will be marked as failed
airgap_install: false # Deploy minions in an airgapped environment
newrelic_config_file: /etc/raas/newrelic.ini
newrelic_enabled: false
# number of web server processes (0 = auto calc one per core up to max)
num_processes: 0
# number of password attempts to start blocking
password_attempts: 50
# number of seconds to sleep following a failed attempt
password_sleep: 30
# path to RaaS process ID file
pidfile: /var/lib/raas/run/raas.pid
# path to directory for RaaS PKI keys
pki_dir: /etc/raas/pki
# port to bind to
port: 8080
# delta proxy monitoring options
proxy:
monitored: false
monitor_interval: 90
rebalance_interval: 120
tgt: deltaproxy*
tgt_type: glob
# vRA Integration
vra:
validate_ssl: true # If True, raas proxy will validate ssl certs
exclude_host: false # If True, raas proxy will not pass the host header to CSP
saved_params_timeout: 90 # How many seconds elapse before we get that latest vra params from the db
# To use the the environment variable REDIS_URL, set `url: ENV`.
redis:
url: redis://localhost:6379 # Redis URL without '/{database_number}' at the end
broker_db: '0' # queue database number
result_db: '1' # result storage database number
cache_db: '2' # cache database number
ssl: {}
# multiplier used to calculate retry timing on connection failures
retry_timeout_multiplier: 3
root_dir: /
# how often to check for scheduled jobs (in seconds)
schedule_cycle: 10
# how many future schedules are calculated per cycle
scheduler_max_futures_per_cycle: 500
# how many weeks ahead schedules are calculated out to
scheduler_max_futures_weeks_ahead: 12
# SecOps settings
sec:
stats_snapshot_interval: 3600 # Interval in seconds between when stats for Secops will be gathered (ENV Var: SSE_SEC_STATS_SNAPSHOT_INTERVAL)
username: secops # Username used to log in to enterprise.saltstack.com to get content (ENV Var: SSE_SEC_USERNAME)
content_url: https://enterprise.saltstack.com/secops_downloads # URL from which SaltStack Secops content will be downloaded. (ENV Var: SSE_SEC_CONTENT_URL)
ingest_saltstack_override: true # If True, existing SaltStack content will be updated otherwise the change will be rejected. (ENV Var: SSE_SEC_INGEST_SALTSTACK_OVERRIDE)
ingest_custom_override: true # If True, existing Custom content will be updated otherwise the change will be rejected. (ENV Var: SSE_SEC_INGEST_CUSTOM_OVERRIDE)
locke_dir: locke # Location where SaltStack content in expanded before ingestion. If the path is relative (no leading slash), then it is relative to the RAAS cache dir (ENV Var: SSE_SEC_LOCKE_DIR)
post_ingest_cleanup: true # If True, post ingestion the contents of the locke_dir will be cleaned out. (ENV Var: SSE_SEC_POST_INGEST_CLEANUP)
download_enabled: true # If True, SaltStack content downloading is enabled. (should be False for air gapped systems) (ENV Var: SSE_SEC_DOWNLOAD_ENABLED)
download_frequency: 86400 # The frequency in seconds of automated SaltStack Secops content downloads and ingestion. (ENV Var: SSE_SEC_DOWNLOAD_FREQUENCY)
compile_stats_interval: 10 # Interval in seconds between times that the compile stats will be gathered. (ENV Var: SSE_SEC_COMPILE_STATS_INTERVAL)
archive_interval: 300 # The interval in seconds between attempts to archive old assessment/remediation results (ENV Var: SSE_SEC_ARCHIVE_INTERVAL)
old_policy_file_lifespan: 2 # The lifespan of old lock policy files in days that will remain in the RAAS file system
delete_old_policy_files_interval: 86400 # The interval in seconds between times that theold lock policy files in the RAAS file system will be deleted
ingest_on_boot: true # If True, SaltStack Secops content will be downloaded and ingested soon after RAAS boot (ENV Var: SSE_SEC_INGEST_ON_BOOT)
content_lock_timeout: 60 # When multiple RAAS heads are deployed, the SaltStack SecOps content download and ingestion is serialized so only one RAAS head at a time will attempt it. This is the value for the redis lock timeout. (ENV Var: SSE_SEC_CONTENT_LOCK_TIMEOUT)
content_lock_block_timeout: 120 # This is the maximum time a RAAS head will block on a lock to perform a SaltStack SecOps download and ingestion. (ENV Var: SSE_SEC_CONTENT_LOCK_BLOCK_TIMEOUT)
# Sentry DSN to report errors (sensitive data is obfuscated)
sentry_dsn:
# path to RaaS directory for socket files
sock_dir: /var/lib/raas/sock
# for development only, always serve the session cookie regardless of the request being http or https
spa_serve_cookie_always: false
# REQUIRED: fill in your database info
# - SQLAlchemy options - http://docs.sqlalchemy.org/en/rel_1_0/dialects/index.html
# - To use the the environment variable DATABASE_URL, set `url: ENV`. For example:
# $ export DATABASE_URL=postgres://user:secret@localhost:5432/raas_db_name
# - To store database credentials in an encrypted file, run "raas save_creds"
# after installation.
# - It is possible, but not recommended practice, to specify database credentials
# in plaintext in this section as `username: user` and `password: secret`.
# - Make sure you specify the correct SSL parameters by setting `ssl: False`
# or `True` and filling in the correct fields in `ssl_opts` OR
# adding the right query parameters in the DATABASE_URL.
# - NOTE DATABASE_URL takes precedence over all other settings except username and password
sql:
dialect: postgresql
driver: psycopg2
host:
port:
pool_size: 10
pool_timeout: 10
pool_recycle: 3600
chunksize_yield_per_small_table: 1000
chunksize_yield_per_big_table: 5000
ssl: false
ssl_opts: {}
# strict transport security header enabled (aka HSTS, HTTPS only)
strict_transport_security_header_enabled: true
# Do not calculate target group membership locally, have masters send it.
target_groups_from_master_only: false
# cross-site request forgery cookie enabled
tornado_xsrf_cookies_enabled: true
# check the running environment prior to starting services
verify_env: true
# Vulnerability Management settings
vman:
vman_dir: vman # Location where SaltStack content in expanded before ingestion. If the path is relative (no leading slash), then it is relative to the RAAS cache dir (ENV Var: SSE_VMAN_DIR)
download_enabled: true # If True, SaltStack content downloading is enabled. (should be False for air gapped systems) (ENV Var: SSE_VMAN_DOWNLOAD_ENABLED)
download_frequency: 86400 # The frequency in seconds of automated SaltStack Vulnerability Management content downloads and ingestion. (ENV Var: SSE_VMAN_DOWNLOAD_FREQUENCY)
username: vman # Username used to log in to enterprise.saltstack.com to get content (ENV Var: SSE_VMAN_USERNAME)
content_url: https://enterprise.saltstack.com/vman_downloads # URL from which SaltStack Vulnerability Management content will be downloaded. (ENV Var: SSE_VMAN_CONTENT_URL)
ingest_on_boot: true # If True, SaltStack Vulnerability Management content will be downloaded and ingested soon after RAAS boot (ENV Var: SSE_VMAN_INGEST_ON_BOOT)
post_ingest_cleanup: false # If True, post ingestion the contents of the vman_dir will be cleaned out. (ENV Var: SSE_VMAN_POST_INGEST_CLEANUP)
content_lock_timeout: 2000 # When multiple RAAS heads are deployed, the SaltStack vulnerability management content download and ingestion is serialized so only one RAAS head at a time will attempt it. (ENV Var: SSE_VMAN_CONTENT_LOCK_TIMEOUT)
compile_stats_interval: 60 # Interval in seconds between times that the compile stats will be gathered. (ENV Var: SSE_VMAN_COMPILE_STATS_INTERVAL)
stats_snapshot_interval: 3600 # Interval in seconds between when stats for VMan will be gathered (ENV Var: SSE_VMAN_STATS_SNAPSHOT_INTERVAL)
old_policy_file_lifespan: 2 # The lifespan of old policy files in days that will remain in the RAAS file system
delete_old_policy_files_interval: 86400 # The interval in seconds between times that theold vman policy files in the RAAS file system will be deleted
tenable_asset_import_enabled: true # If True, minion grains in SSE will be sent to tenablefor matching assets
tenable_asset_import_grains: # Choose the minion grains that needs to be sent to tenable.Grain fqdn and ipv4 will be sent even if not included here.For additional information, please refer https://developer.tenable.com/reference#assets-import
- fqdn
- ipv4
- ipv6
- hostname
- mac_address
- netbios_name
- bios_uuid
- manufacturer_tpm_id
- ssh_fingerprint
- mcafee_epo_guid
- mcafee_epo_agent_guid
- symantec_ep_hardware_key
- qualys_asset_id
- qualys_host_id
- servicenow_sys_id
- gcp_project_id
- gcp_zone
- gcp_instance_id
- azure_vm_id
- azure_resource_id
- aws_availability_zone
- aws_ec2_instance_ami_id
- aws_ec2_instance_group_name
- aws_ec2_instance_state_name
- aws_ec2_instance_type
- aws_ec2_name
- aws_ec2_product_code
- aws_owner_id
- aws_region
- aws_subnet_id
- aws_vpc_id
- installed_software
- bigfix_asset_id
# how long to wait while reading body (seconds), when None uses tornado default
webserver_body_timeout:
# maximum amount of data for body, when None uses tornado default
webserver_max_body_size:
# maximum amount of incoming data to buffer, when None uses tornado default
webserver_max_buffer_size:
# in kB, 0=auto
webserver_max_memory: 0
# in seconds, 0=disabled
webserver_max_time: 0
# max interval in seconds subscription updates can be sent
websocket_debounce: 5
# time in seconds to send ping over websocket to keep it open
websocket_ping_interval: 15
# timeout in seconds to wait for websocket ping
websocket_ping_timeout: 600
# in seconds, polling time for non-database listening subscriptions
websocket_polling: 15
# time in seconds for a websocket ticket to expire
websocket_ticket_expiration: 5
後續步驟
設定 RaaS 節點後,必須完成其他安裝後步驟。下一步是首次登入 Automation Config 使用者介面。若要繼續執行安裝後程序,請參閱〈首次登入並變更預設認證〉。
