Merge pull request #669 from cisagov/improvement/configure_commander_…

…jobs-per-host Add the ability to configure the `cyhy-commander`'s `jobs-per-*-host` values
cisagov · Aug 25, 2023 · 69bd53d · 69bd53d
2 parents 8f9ac72 + 2efa82e
commit 69bd53d
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 10 deletions.
diff --git a/ansible/roles/cyhy_commander/defaults/main.yml b/ansible/roles/cyhy_commander/defaults/main.yml
@@ -1,10 +1,22 @@
 ---
 # defaults file for cyhy_commander
 
+# The maximum number of jobs to assign to each nessus host (vulnscanner).
+# This value is used in the "production" section of the cyhy-commander
+# configuration file this role generates.
+jobs_per_nessus_host: 16
+
+# The maximum number of jobs to assign to each nmap host (portscanner).
+# This value is used in the "production" section of the cyhy-commander
+# configuration file this role generates.
+jobs_per_nmap_host: 8
+
 # The maximum number of hosts that are scheduled to have scanning restarted
 # whose next scan stage should be updated per cyhy-commander cycle. The checks
 # for hosts that were "up" or "down" are processed separately so the total
 # number of hosts that are transitioned is double the provided value. Hosts
 # that are "up" are transitioned to PORTSCAN and hosts that are "down" are
 # transitioned to NETSCAN1.
+# This value is used in the "production" section of the cyhy-commander
+# configuration file this role generates.
 next_scan_limit: 8192
diff --git a/ansible/roles/cyhy_commander/templates/commander.conf.j2 b/ansible/roles/cyhy_commander/templates/commander.conf.j2
@@ -15,8 +15,8 @@ nessus-hosts = vulnscan1
 
 [production]
 database-name = cyhy
-jobs-per-nmap-host = 12
-jobs-per-nessus-host = 128
+jobs-per-nmap-host = {{ jobs_per_nmap_host }}
+jobs-per-nessus-host = {{ jobs_per_nessus_host }}
 next-scan-limit = {{ next_scan_limit }}
 nmap-hosts = {{ nmap_hosts }}
 nessus-hosts = {{ nessus_hosts }}

diff --git a/terraform/README.md b/terraform/README.md
@@ -658,7 +658,7 @@ terraform apply -var-file=<your_workspace>.tfvars
 | bod\_lambda\_functions | A map of information for each BOD 18-01 Lambda. The keys are the scan types and the values are objects that contain the Lambda's name and the key (name) for the corresponding deployment package in the BOD Lambda S3 bucket. Example: `{ pshtt = { lambda_file = "pshtt.zip", lambda_name = "task_pshtt" }}` | `map(object({ lambda_file = string, lambda_name = string }))` | `{}` | no |
 | bod\_nat\_gateway\_eip | The IP corresponding to the EIP to be used for the BOD 18-01 NAT gateway in production.  In a non-production workspace an EIP will be created. | `string` | `""` | no |
 | cloudwatch\_alarm\_emails | A list of the emails to which alerts should be sent if any CloudWatch Alarm is triggered. | `list(string)` | ```[ "[email protected]" ]``` | no |
-| commander\_config | Configuration options for the CyHy commander's configuration file. | `object({ next_scan_limit = number })` | ```{ "next_scan_limit": 8192 }``` | no |
+| commander\_config | Configuration options for the CyHy commander's configuration file. | `object({ jobs_per_nessus_host = number, jobs_per_nmap_host = number, next_scan_limit = number })` | ```{ "jobs_per_nessus_host": 16, "jobs_per_nmap_host": 8, "next_scan_limit": 8192 }``` | no |
 | create\_bod\_flow\_logs | Whether or not to create flow logs for the BOD 18-01 VPC. | `bool` | `false` | no |
 | create\_cyhy\_flow\_logs | Whether or not to create flow logs for the CyHy VPC. | `bool` | `false` | no |
 | create\_mgmt\_flow\_logs | Whether or not to create flow logs for the Management VPC. | `bool` | `false` | no |

diff --git a/terraform/cyhy_mongo_ec2.tf b/terraform/cyhy_mongo_ec2.tf
@@ -182,18 +182,20 @@ module "cyhy_mongo_ansible_provisioner" {
   ]
   envs = [
     "ANSIBLE_SSH_RETRIES=5",
-    "host=${aws_instance.cyhy_mongo[count.index].private_ip}",
+    "aws_region=${var.aws_region}",
     "bastion_host=${aws_instance.cyhy_bastion.public_ip}",
     "cyhy_archive_s3_bucket_name=${aws_s3_bucket.cyhy_archive.bucket}",
     "cyhy_archive_s3_bucket_region=${var.aws_region}",
-    "host_groups=mongo,cyhy_commander,cyhy_archive",
-    "production_workspace=${local.production_workspace}",
-    "aws_region=${var.aws_region}",
     "dmarc_import_aws_region=${var.dmarc_import_aws_region}",
     "dmarc_import_es_role=${var.dmarc_import_es_role_arn}",
-    "nmap_hosts=${join(",", formatlist("portscan%d", range(1, var.nmap_instance_count + 1)))}",
+    "host_groups=mongo,cyhy_commander,cyhy_archive",
+    "host=${aws_instance.cyhy_mongo[count.index].private_ip}",
+    "jobs_per_nessus_host=${var.commander_config.jobs_per_nessus_host}",
+    "jobs_per_nmap_host=${var.commander_config.jobs_per_nmap_host}",
     "nessus_hosts=${join(",", formatlist("vulnscan%d", range(1, var.nessus_instance_count + 1)))}",
     "next_scan_limit=${var.commander_config.next_scan_limit}",
+    "nmap_hosts=${join(",", formatlist("portscan%d", range(1, var.nmap_instance_count + 1)))}",
+    "production_workspace=${local.production_workspace}",
   ]
   playbook = "../ansible/playbook.yml"
   dry_run  = false

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -181,10 +181,12 @@ variable "cloudwatch_alarm_emails" {
 
 variable "commander_config" {
   default = {
-    next_scan_limit = 8192
+    jobs_per_nessus_host = 16
+    jobs_per_nmap_host   = 8
+    next_scan_limit      = 8192
   }
   description = "Configuration options for the CyHy commander's configuration file."
-  type        = object({ next_scan_limit = number })
+  type        = object({ jobs_per_nessus_host = number, jobs_per_nmap_host = number, next_scan_limit = number })
 }
 
 variable "create_bod_flow_logs" {