From 98cdf015e415a19920919c80fbd8dbe8263c288a Mon Sep 17 00:00:00 2001
From: SG <13872653+mmguero@users.noreply.github.com>
Date: Tue, 17 Aug 2021 14:04:59 -0600
Subject: [PATCH] work on idaholab/Malcolm#19, assigning severity to certain types of events

---
 docker-compose-standalone.yml | 1 +
 docker-compose.yml | 1 +
 ...m_event_categories_severity.yaml => malcolm_severity.yaml} | 0
 logstash/pipelines/enrichment/19_severity.conf | 4 ++--
 malcolm-iso/build.sh | 2 ++
 scripts/malcolm_appliance_packager.sh | 2 ++
 6 files changed, 8 insertions(+), 2 deletions(-)
 rename logstash/maps/{malcolm_event_categories_severity.yaml => malcolm_severity.yaml} (100%)

diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml
index db55f6743..11ee028b5 100644
--- a/docker-compose-standalone.yml
+++ b/docker-compose-standalone.yml
@@ -229,6 +229,7 @@ services:
 - 9600
 volumes:
 - ./logstash/certs/logstash.keystore:/usr/share/logstash/config/logstash.keystore:rw
+ - ./logstash/maps/malcolm_severity.yaml:/etc/logstash/maps/malcolm_severity.yaml:ro
 - ./nginx/ca-trust:/usr/share/logstash/ca-trust:ro
 - ./logstash/certs/ca.crt:/certs/ca.crt:ro
 - ./logstash/certs/server.crt:/certs/server.crt:ro
diff --git a/docker-compose.yml b/docker-compose.yml
index 26f5c20fd..00ffb25cd 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -242,6 +242,7 @@ services:
 volumes:
 - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:ro
 - ./logstash/pipelines:/usr/share/logstash/malcolm-pipelines.available:ro
+ - ./logstash/maps/malcolm_severity.yaml:/etc/logstash/maps/malcolm_severity.yaml:ro
 - ./logstash/certs/logstash.keystore:/usr/share/logstash/config/logstash.keystore:rw
 - ./nginx/ca-trust:/usr/share/logstash/ca-trust:ro
 - ./logstash/certs/ca.crt:/certs/ca.crt:ro
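Review bot: The added volume line mounts the map at `/etc/logstash/maps/malcolm_severity.yaml`, but the ruby filter init changed in the second `19_severity.conf` hunk (`@@ -267,7 +267,7 @@`) still reads `/etc/malcolm_severity.yaml`, so edits to the host-side file will never reach the filter unless the image also stages a copy under `/etc` at build time, which this patch does not show. The same mismatch applies to the `docker-compose.yml` hunk. Either point the read at the mount, `require 'yaml'; $severityMappings = YAML.load(File.read('/etc/logstash/maps/malcolm_severity.yaml'))`, or mount the file at the path the filter reads. A Dockerfile or entrypoint copy step would live outside this patch, so this may already be handled there; worth confirming before merge.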
diff --git a/logstash/maps/malcolm_event_categories_severity.yaml b/logstash/maps/malcolm_severity.yaml
similarity index 100%
rename from logstash/maps/malcolm_event_categories_severity.yaml
rename to logstash/maps/malcolm_severity.yaml
diff --git a/logstash/pipelines/enrichment/19_severity.conf b/logstash/pipelines/enrichment/19_severity.conf
index 0efaa4ab1..d7aedd072 100644
--- a/logstash/pipelines/enrichment/19_severity.conf
+++ b/logstash/pipelines/enrichment/19_severity.conf
@@ -1,6 +1,6 @@
 filter {
- # see malcolm_event_categories_severity.yaml for mappings to severity scores
+ # see malcolm_severity.yaml for mappings to severity scores
 # identify cross-segment traffic based on previously-populated tag
 if ("cross_segment" in [tags]) {
@@ -267,7 +267,7 @@ filter {
 id => "ruby_calculate_final_severity_score"
 # pre-load severity score mapping in init outside of processing pipeline
 init => "
- require 'yaml'; $severityMappings = YAML.load(File.read('/etc/malcolm_event_categories_severity.yaml'))
+ require 'yaml'; $severityMappings = YAML.load(File.read('/etc/malcolm_severity.yaml'))
 "
 # to calculate severity:
 # - look up list of severity_tags against severity score mapping (generate hash), ignoring <= 0 or missing (nil) values
diff --git a/malcolm-iso/build.sh b/malcolm-iso/build.sh
index b745abe83..2fbf88022 100755
--- a/malcolm-iso/build.sh
+++ b/malcolm-iso/build.sh
@@ -96,6 +96,7 @@ if [ -d "$WORKDIR" ]; then
 mkdir -p "$MALCOLM_DEST_DIR/nginx/certs/"
 mkdir -p "$MALCOLM_DEST_DIR/htadmin/"
 mkdir -p "$MALCOLM_DEST_DIR/logstash/certs/"
+ mkdir -p "$MALCOLM_DEST_DIR/logstash/maps/"
 mkdir -p "$MALCOLM_DEST_DIR/filebeat/certs/"
 mkdir -p "$MALCOLM_DEST_DIR/elasticsearch/nodes/"
 mkdir -p "$MALCOLM_DEST_DIR/elasticsearch-backup/"
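Review bot: The changed init line in the `@@ -267,7 +267,7 @@` hunk still uses `YAML.load` on a file that this commit turns into a host-editable bind mount (the compose hunks), and Psych's `load` will instantiate arbitrary Ruby objects from tagged nodes, so a tampered or mis-edited map file becomes code execution inside the Logstash process rather than a parse error. A flat tag-to-score map needs nothing more than `require 'yaml'; $severityMappings = YAML.safe_load(File.read('/etc/malcolm_severity.yaml'))`. If the map relies on symbols or anchors, the `permitted_classes:`/`aliases:` options cover that, though the exact signature depends on the Psych version bundled with Logstash's JRuby, which this patch does not show. The ruby filter block that owns this `init` starts and ends outside the hunk.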
@@ -130,6 +131,7 @@ if [ -d "$WORKDIR" ]; then
 cp ./scripts/malcolm_common.py "$MALCOLM_DEST_DIR/scripts/"
 cp ./README.md "$MALCOLM_DEST_DIR/"
 cp ./logstash/certs/*.conf "$MALCOLM_DEST_DIR/logstash/certs/"
+ cp ./logstash/maps/malcolm_severity.yaml "$MALCOLM_DEST_DIR/logstash/maps/"
 touch "$MALCOLM_DEST_DIR"/firstrun
 popd >/dev/null 2>&1
diff --git a/scripts/malcolm_appliance_packager.sh b/scripts/malcolm_appliance_packager.sh
index b35e7a758..214d1fcf9 100755
--- a/scripts/malcolm_appliance_packager.sh
+++ b/scripts/malcolm_appliance_packager.sh
@@ -65,6 +65,7 @@ if mkdir "$DESTDIR"; then
 mkdir $VERBOSE -p "$DESTDIR/nginx/ca-trust/"
 mkdir $VERBOSE -p "$DESTDIR/htadmin/"
 mkdir $VERBOSE -p "$DESTDIR/logstash/certs/"
+ mkdir $VERBOSE -p "$DESTDIR/logstash/maps/"
 mkdir $VERBOSE -p "$DESTDIR/filebeat/certs/"
 mkdir $VERBOSE -p "$DESTDIR/elasticsearch/nodes/"
 mkdir $VERBOSE -p "$DESTDIR/elasticsearch-backup/"
@@ -89,6 +90,7 @@ if mkdir "$DESTDIR"; then
 cp $VERBOSE ./scripts/malcolm_common.py "$DESTDIR/scripts/"
 cp $VERBOSE ./README.md "$DESTDIR/"
 cp $VERBOSE ./logstash/certs/*.conf "$DESTDIR/logstash/certs/"
+ cp $VERBOSE ./logstash/maps/malcolm_severity.yaml "$DESTDIR/logstash/maps/"
 pushd "$DESTDIR" >/dev/null 2>&1
 pushd "./scripts" >/dev/null 2>&1
 ln -s ./control.py auth_setup