Add additional cyhy-commander configurability

Add the ability to configure the `jobs-per-nessus-host` and `jobs-per-nmap-host` values in the `commander.conf` file through the Terraform configuration.
cisagov · Aug 1, 2023 · a47453d · a47453d
1 parent a410bd5
commit a47453d
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 6 deletions.
diff --git a/ansible/roles/cyhy_commander/defaults/main.yml b/ansible/roles/cyhy_commander/defaults/main.yml
@@ -8,3 +8,9 @@
 # that are "up" are transitioned to PORTSCAN and hosts that are "down" are
 # transitioned to NETSCAN1.
 next_scan_limit: 8192
+
+# The maximum number of jobs to assign to each nmap host (portscanner)
+jobs_per_nmap_host: 8
+
+# The maximum number o jobs to assign to each nessus host (vulnscanner)
+jobs_per_nessus_host: 16
diff --git a/ansible/roles/cyhy_commander/templates/commander.conf.j2 b/ansible/roles/cyhy_commander/templates/commander.conf.j2
@@ -1,8 +1,8 @@
 [DEFAULT]
 default-section = production
 database-uri = mongodb://{{ commander_user }}:{{ commander_pw }}@database1.cyhy:27017/{{ commander_db }}
-jobs-per-nmap-host = 8
-jobs-per-nessus-host = 16
+jobs-per-nmap-host = {{ jobs_per_nmap_host }}
+jobs-per-nessus-host = {{ jobs_per_nessus_host }}
 poll-interval = 30
 next-scan-limit = {{ next_scan_limit }}
 test-mode = false

diff --git a/terraform/README.md b/terraform/README.md
@@ -658,7 +658,7 @@ terraform apply -var-file=<your_workspace>.tfvars
 | bod\_lambda\_functions | A map of information for each BOD 18-01 Lambda. The keys are the scan types and the values are objects that contain the Lambda's name and the key (name) for the corresponding deployment package in the BOD Lambda S3 bucket. Example: `{ pshtt = { lambda_file = "pshtt.zip", lambda_name = "task_pshtt" }}` | `map(object({ lambda_file = string, lambda_name = string }))` | `{}` | no |
 | bod\_nat\_gateway\_eip | The IP corresponding to the EIP to be used for the BOD 18-01 NAT gateway in production.  In a non-production workspace an EIP will be created. | `string` | `""` | no |
 | cloudwatch\_alarm\_emails | A list of the emails to which alerts should be sent if any CloudWatch Alarm is triggered. | `list(string)` | ```[ "cisa-cool-group+cyhy@trio.dhs.gov" ]``` | no |
-| commander\_config | Configuration options for the CyHy commander's configuration file. | `object({ next_scan_limit = number })` | ```{ "next_scan_limit": 8192 }``` | no |
+| commander\_config | Configuration options for the CyHy commander's configuration file. | `object({ jobs_per_nessus_host = number, jobs_per_nmap_host = number, next_scan_limit = number })` | ```{ "jobs_per_nessus_host": 16, "jobs_per_nmap_host": 8, "next_scan_limit": 8192 }``` | no |
 | create\_bod\_flow\_logs | Whether or not to create flow logs for the BOD 18-01 VPC. | `bool` | `false` | no |
 | create\_cyhy\_flow\_logs | Whether or not to create flow logs for the CyHy VPC. | `bool` | `false` | no |
 | create\_mgmt\_flow\_logs | Whether or not to create flow logs for the Management VPC. | `bool` | `false` | no |

diff --git a/terraform/cyhy_mongo_ec2.tf b/terraform/cyhy_mongo_ec2.tf
@@ -191,9 +191,12 @@ module "cyhy_mongo_ansible_provisioner" {
     "aws_region=${var.aws_region}",
     "dmarc_import_aws_region=${var.dmarc_import_aws_region}",
     "dmarc_import_es_role=${var.dmarc_import_es_role_arn}",
-    "nmap_hosts=${join(",", formatlist("portscan%d", range(1, var.nmap_instance_count + 1)))}",
+    # cyhy-commander configuration values
+    "jobs_per_nessus_host=${var.commander_config.jobs_per_nessus_host}",
+    "jobs_per_nmap_host=${var.commander_config.jobs_per_nmap_host}",
     "nessus_hosts=${join(",", formatlist("vulnscan%d", range(1, var.nessus_instance_count + 1)))}",
     "next_scan_limit=${var.commander_config.next_scan_limit}",
+    "nmap_hosts=${join(",", formatlist("portscan%d", range(1, var.nmap_instance_count + 1)))}",
   ]
   playbook = "../ansible/playbook.yml"
   dry_run  = false

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -181,10 +181,12 @@ variable "cloudwatch_alarm_emails" {
 
 variable "commander_config" {
   default = {
-    next_scan_limit = 8192
+    jobs_per_nessus_host = 16
+    jobs_per_nmap_host   = 8
+    next_scan_limit      = 8192
   }
   description = "Configuration options for the CyHy commander's configuration file."
-  type        = object({ next_scan_limit = number })
+  type        = object({ jobs_per_nessus_host = number, jobs_per_nmap_host = number, next_scan_limit = number })
 }
 
 variable "create_bod_flow_logs" {