
Customer Search Head Notes

To add a customer-facing search head (including one for qmulos or qcontrol):

Okta Setup - Directory -> Groups

  1. In Okta Admin, go to Directory -> Groups
  2. Add a group for the customer, such as 'FRTIB'
  3. On the Rules tab, confirm that the new group is covered by the 'Federated Users are Splunk Users' rule.

Okta Setup - Security -> Identity Providers

  1. In Okta Admin, go to Security -> Identity Providers
  2. Add a provider, following one of the existing customer IdPs as an example. For now, fill in placeholder URLs for the customer's IdP and a temporary certificate; you'll get the real certificate from the customer later. The IdP signature certificate is what Okta uses to verify the customer's SAML assertions, so the placeholder must be replaced before the customer's users can sign in.
  3. Expand the new IdP and download our metadata. Send it to the customer and ask for:
    • IdP Issuer URI (EntityID)
    • IdP Single Sign-on URL (Authn endpoint)
    • IdP Signature Certificate
  4. On the Routing Rules tab, set up a new routing rule for the customer's assigned prefix.

Notes: Okta also has configuration for Federated Users under:

  • Security -> Multifactor, Factor Enrollment tab. Federated Users are excluded from enrollment.
  • Security -> Authentication, Sign On tab. Federated Users are excluded from MFA.

Create the Application for the Search Head

  1. Use our script to create the app in Okta (OKTA_API_TOKEN is the Okta API token; the value below is a placeholder):

    cd ~/msoc-infrastructure/tools/okta_app_maker
    OKTA_API_TOKEN=blah ./okta_app_maker.py 'FRTIB Splunk Customer SH [Prod]' https://search.frtib.xdr.accenturefederalcyber.com
    
  2. Edit ~/msoc-infrastructure/salt/pillar/CUST_variables.sls

  3. Paste the output of the script into the pillar file and update the if clause for the new customer

  4. Submit your PR to develop, then to master.

  5. Edit the application in Okta:

    • Fix the icon
    • Assign the groups: CUST, mdr-engineers, mdr-admins (possibly others, depending on who needs access)

Add the customer SH to the customer

    cd ~/xdr-terraform-live/prod/aws-us-gov/mdr-prod-CUST
    cp -a ~/xdr-terraform-live/test/aws-us-gov/mdr-test-modelclient/190-splunk-customer-searchhead .
    cd 190-splunk-customer-searchhead/
    rm -rf .terragrunt-cache/
    vim terragrunt.hcl
    # update the module tag to the latest
    vim ../account.hcl
    # Add "splunk-cust-sh" to instance_types
    # Add to splunk_volume_sizes:
    "customer_searchhead" = {
      "swap": 8,  # minimum: 8
      "/": 10,    # minimum: 10
      "/home": 4, # minimum: 4
      "/var": 15, # minimum: 15
      "/var/tmp": 4, # minimum: 4
      "/var/log": 8, # minimum: 8
      "/var/log/audit": 8, # minimum: 8
      "/tmp": 4,  # minimum: 4
      "/opt/splunk": 60, # No minimum; not in base image
    },

Open a PR, get approval, then apply with terraform/terragrunt, run the Salt highstate on the new host, and proceed as usual.

When Metadata from Customer is Received

Replace the placeholder Issuer URI, Single Sign-on URL and signature certificate in the Okta IdP with the customer's values, then test a federated login end to end.
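Customers usually send their IdP metadata as an XML file rather than the three values listed above. The script below is an added example (not part of these notes or any of our tooling) that pulls the Issuer URI, Single Sign-on URL and signing certificate out of SAML 2.0 IdP metadata and sanity-checks them before they go into Okta: the SSO endpoint must be https, the hostname must be the one we expect for that customer, and a signing certificate must be present (an encryption-only certificate is not accepted). It also prints the SHA-256 fingerprint of the certificate so it can be confirmed with the customer out of band. The metadata, the hostname `idp.customer.example` and the certificate bytes are all constructed for the example; the "certificate" is placeholder bytes, not a real X.509 certificate, so only its fingerprint is computed, not its validity dates.

```python
"""Extract and sanity-check the Okta IdP settings from customer SAML metadata."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


@dataclass
class IdpSettings:
    issuer_uri: str        # Okta: IdP Issuer URI
    sso_url: str           # Okta: IdP Single Sign-On URL
    sso_binding: str       # which SAML binding the URL was taken from
    signing_cert_pem: str  # Okta: IdP Signature Certificate
    cert_sha256: str       # fingerprint to confirm with the customer


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_idp_metadata(xml_text: str, expected_host: Optional[str] = None) -> IdpSettings:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor (did the customer send SP metadata?)")

    # Prefer the HTTP-Redirect endpoint, fall back to HTTP-POST.
    sso_url = sso_binding = None
    for binding in (REDIRECT, POST):
        for sso in idp.findall("md:SingleSignOnService", NS):
            if sso.get("Binding") == binding and sso.get("Location"):
                sso_url, sso_binding = sso.get("Location"), binding
                break
        if sso_url:
            break
    if not sso_url:
        raise ValueError("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    parsed = urlparse(sso_url)
    if parsed.scheme != "https":
        raise ValueError(f"SSO URL is not https: {sso_url}")
    if expected_host and parsed.hostname != expected_host:
        raise ValueError(f"SSO URL host {parsed.hostname!r} is not the expected {expected_host!r}")

    # Only a KeyDescriptor with use="signing" (or no use attribute, which means both)
    # may be used to verify assertion signatures; skip encryption-only keys.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert_b64 = "".join(node.text.split())
                break
    if not cert_b64:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode(cert_b64, validate=True)
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
           + "\n-----END CERTIFICATE-----\n")
    return IdpSettings(issuer, sso_url, sso_binding, pem, sha256_hex(der))


def validation_error(xml_text: str, expected_host: Optional[str] = None) -> Optional[str]:
    """Return the reason the metadata was rejected, or None if it is acceptable."""
    try:
        parse_idp_metadata(xml_text, expected_host)
    except (ValueError, ET.ParseError) as exc:
        return str(exc)
    return None


# Constructed sample: placeholder bytes stand in for the DER certificates.
SAMPLE_CERT_DER = b"constructed-signing-cert-placeholder-not-a-real-certificate"
SAMPLE_ENC_DER = b"constructed-encryption-cert-placeholder"
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.customer.example/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_ENC_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.customer.example/saml/sso"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.customer.example/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    s = parse_idp_metadata(SAMPLE_METADATA, expected_host="idp.customer.example")
    print("IdP Issuer URI:        ", s.issuer_uri)
    print("IdP Single Sign-On URL:", s.sso_url, f"({s.sso_binding.rsplit(':', 1)[-1]})")
    print("Signing cert SHA-256:  ", s.cert_sha256)
    print(s.signing_cert_pem)
```

Run it against the customer's file with `parse_idp_metadata(open("customer-idp.xml").read(), expected_host=...)`; paste the three printed values into the Okta IdP, and read the fingerprint back to the customer before enabling the routing rule, since whoever can get a certificate into that field can mint assertions for every user behind the prefix.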