From a410bd5c15f03401b755ecf76cf20d41acb97d5b Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 13 Jun 2023 15:35:10 -0400
Subject: [PATCH] Increase configuration of the CyHy commander with Terraform

Allow configuration of the `next-scan-limit` value in the configuration that is deployed for the CyHy commander.
---
 ansible/roles/cyhy_commander/defaults/main.yml | 8 ++++++++
 ansible/roles/cyhy_commander/templates/commander.conf.j2 | 2 +-
 terraform/README.md | 1 +
 terraform/cyhy_mongo_ec2.tf | 1 +
 terraform/variables.tf | 8 ++++++++
 5 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/cyhy_commander/defaults/main.yml b/ansible/roles/cyhy_commander/defaults/main.yml
index 0f8bbd1d..f25906e5 100644
--- a/ansible/roles/cyhy_commander/defaults/main.yml
+++ b/ansible/roles/cyhy_commander/defaults/main.yml
@@ -1,2 +1,10 @@
 ---
 # defaults file for cyhy_commander
+
+# The maximum number of hosts that are scheduled to have scanning restarted
+# whose next scan stage should be updated per cyhy-commander cycle. The checks
+# for hosts that were "up" or "down" are processed separately so the total
+# number of hosts that are transitioned is double the provided value. Hosts
+# that are "up" are transitioned to PORTSCAN and hosts that are "down" are
+# transitioned to NETSCAN1.
+next_scan_limit: 8192
diff --git a/ansible/roles/cyhy_commander/templates/commander.conf.j2 b/ansible/roles/cyhy_commander/templates/commander.conf.j2
index 4f7cd9e2..fb629498 100644
--- a/ansible/roles/cyhy_commander/templates/commander.conf.j2
+++ b/ansible/roles/cyhy_commander/templates/commander.conf.j2
@@ -4,7 +4,7 @@ database-uri = mongodb://{{ commander_user }}:{{ commander_pw }}@database1.cyhy:
 jobs-per-nmap-host = 8
 jobs-per-nessus-host = 16
 poll-interval = 30
-next-scan-limit = 8192
+next-scan-limit = {{ next_scan_limit }}
 test-mode = false
 keep-failures = true
 keep-successes = false
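Review bot: The new role default `next_scan_limit: 8192` repeats the value that the Terraform side also hard-codes as its default, so the two copies can drift without anyone noticing; the comment block in defaults/main.yml should state where the effective value actually comes from. The Terraform provisioner in this commit appears to pass `next_scan_limit=…` as an extra variable, which takes precedence over a role default, so this file's value is only a fallback for runs that do not go through Terraform. A one-line addition such as `# Overridden by the Terraform provisioner (commander_config.next_scan_limit) when deployed via Terraform.` before the key would make that explicit.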
diff --git a/terraform/README.md b/terraform/README.md
index cf730e8b..d376fd8a 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -658,6 +658,7 @@ terraform apply -var-file=.tfvars
 | bod\_lambda\_functions | A map of information for each BOD 18-01 Lambda. The keys are the scan types and the values are objects that contain the Lambda's name and the key (name) for the corresponding deployment package in the BOD Lambda S3 bucket. Example: `{ pshtt = { lambda_file = "pshtt.zip", lambda_name = "task_pshtt" }}` | `map(object({ lambda_file = string, lambda_name = string }))` | `{}` | no |
 | bod\_nat\_gateway\_eip | The IP corresponding to the EIP to be used for the BOD 18-01 NAT gateway in production. In a non-production workspace an EIP will be created. | `string` | `""` | no |
 | cloudwatch\_alarm\_emails | A list of the emails to which alerts should be sent if any CloudWatch Alarm is triggered. | `list(string)` | ```[ "cisa-cool-group+cyhy@trio.dhs.gov" ]``` | no |
+| commander\_config | Configuration options for the CyHy commander's configuration file. | `object({ next_scan_limit = number })` | ```{ "next_scan_limit": 8192 }``` | no |
 | create\_bod\_flow\_logs | Whether or not to create flow logs for the BOD 18-01 VPC. | `bool` | `false` | no |
 | create\_cyhy\_flow\_logs | Whether or not to create flow logs for the CyHy VPC. | `bool` | `false` | no |
 | create\_mgmt\_flow\_logs | Whether or not to create flow logs for the Management VPC. | `bool` | `false` | no |
diff --git a/terraform/cyhy_mongo_ec2.tf b/terraform/cyhy_mongo_ec2.tf
index ada52c40..891661c8 100644
--- a/terraform/cyhy_mongo_ec2.tf
+++ b/terraform/cyhy_mongo_ec2.tf
@@ -193,6 +193,7 @@ module "cyhy_mongo_ansible_provisioner" {
 "dmarc_import_es_role=${var.dmarc_import_es_role_arn}",
 "nmap_hosts=${join(",", formatlist("portscan%d", range(1, var.nmap_instance_count + 1)))}",
 "nessus_hosts=${join(",", formatlist("vulnscan%d", range(1, var.nessus_instance_count + 1)))}",
+ "next_scan_limit=${var.commander_config.next_scan_limit}",
 ]
 playbook = "../ansible/playbook.yml"
 dry_run = false
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 36d4c526..1b0c8fc4 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -179,6 +179,14 @@ variable "cloudwatch_alarm_emails" {
 type = list(string)
 }
 
+variable "commander_config" {
+ default = {
+ next_scan_limit = 8192
+ }
+ description = "Configuration options for the CyHy commander's configuration file."
+ type = object({ next_scan_limit = number })
+}
+
 variable "create_bod_flow_logs" {
 default = false
 description = "Whether or not to create flow logs for the BOD 18-01 VPC."
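Review bot: `commander_config.next_scan_limit` is typed `number` but nothing constrains it to a positive whole number, and the cyhy_mongo_ec2.tf hunk interpolates it unchanged into `"next_scan_limit=${var.commander_config.next_scan_limit}"`, from where the template writes it into `next-scan-limit = {{ next_scan_limit }}` with no further check. A fractional, zero or negative value would therefore reach the commander's configuration file and only surface as a failure on the instance, far from the place the operator set it. If the project's Terraform version supports variable `validation` blocks (0.13 and later), adding one to the new `variable "commander_config"` block rejects such values at plan time; the error_message is written as a full sentence because older releases require that form. The list that the new line in cyhy_mongo_ec2.tf is appended to begins outside that hunk, so its name is inferred.
```terraform
variable "commander_config" {
  # … unchanged: default, description, type …
  validation {
    condition     = var.commander_config.next_scan_limit > 0 && floor(var.commander_config.next_scan_limit) == var.commander_config.next_scan_limit
    error_message = "The next_scan_limit value must be a positive whole number."
  }
}
```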