Merge remote-tracking branch 'origin/2.4/dev' into 2.4/zeekbpf

2026-04-23 21:21:54 +02:00 · 2023-03-21 08:45:07 -04:00
parent 0fff3a5a11 1f23e4aafe
commit 02c79463e1
17 changed files with 102 additions and 64 deletions
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -34,7 +34,7 @@
          'influxdb',
          'soc',
          'kratos',
-          'elastic-fleet',
+          'elasticfleet',
          'firewall',
          'idstools',
          'suricata.manager',
@@ -105,7 +105,7 @@
          'schedule',
          'tcpreplay',
          'docker_clean',
-          'elastic-fleet'
+          'elasticfleet'
          ],
      'so-manager': [
          'salt.master',
@@ -118,7 +118,7 @@
          'influxdb',
          'soc',
          'kratos',
-          'elastic-fleet',
+          'elasticfleet',
          'firewall',
          'idstools',
          'suricata.manager',
@@ -137,7 +137,7 @@
          'influxdb',
          'soc',
          'kratos',
-          'elastic-fleet',
+          'elasticfleet',
          'firewall',
          'manager',
          'idstools',
@@ -166,7 +166,7 @@
          'influxdb',
          'soc',
          'kratos',
-          'elastic-fleet',
+          'elasticfleet',
          'firewall',
          'idstools',
          'suricata.manager',
--- a/salt/common/tools/sbin/so-elastic-agent-gen-installers
+++ b/salt/common/tools/sbin/so-elastic-agent-gen-installers
@@ -24,11 +24,11 @@ mkdir -p /tmp/elastic-agent-workspace
 for OS in "${CONTAINERGOOS[@]}"
 do
    printf "\n\nGenerating $OS Installer..."
-    cp /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz
+    cp /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz
    docker run -e CGO_ENABLED=0 -e GOOS=$OS \
    --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \
    --mount type=bind,source=/tmp/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \
-    --mount type=bind,source=/opt/so/saltstack/local/salt/elastic-fleet/files/so_agent-installers/,target=/output/ \
+    --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \
    {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN"  -o /output/so-elastic-agent_$OS
    printf "\n $OS Installer Generated..."
 done
--- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
+++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
@@ -17,7 +17,9 @@ SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http:

 # Disable certain Features from showing up in the Kibana UI
 echo
-echo "Setting up default Security Onion package policies for Elastic Agent..."
+echo "Disable certain Features from showing up in the Kibana UI"
+so-kibana-space-defaults
+echo

 # Suricata logs
 echo
@@ -71,7 +73,7 @@ echo
 # Kratos logs
 echo
 echo "Setting up Kratos package policy..."
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "kratos", "tags": [],"processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n    add_error_key: true\n- rename:\n    fields:\n      - from: \"audience\"\n        to: \"event.dataset\"\n    ignore_missing: true\n- add_fields:\n    when:\n      not: \n        has_fields: ['event.dataset']\n    target: ''\n    fields:\n      event.dataset: access", "custom": "pipeline: kratos" }}}}}}'
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "kratos", "tags": [],"processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: iam\n      module: kratos" }}}}}}'
 echo

 # RITA Logs
--- a/salt/common/tools/sbin/so-elastic-fleet-setup
+++ b/salt/common/tools/sbin/so-elastic-fleet-setup
@@ -91,19 +91,19 @@ printf '%s\n'\
    "" >> "$global_pillar_file"

 # Call Elastic-Fleet Salt State
-salt-call state.apply elastic-fleet queue=True
+salt-call state.apply elasticfleet queue=True

 # Load Elastic Fleet integrations
 /usr/sbin/so-elastic-fleet-integration-policy-load

 # Temp
-wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/  https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz
-wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz
-wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz
+wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/  https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz
+wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz
+wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz

 #git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git
 #cd securityonion-image/so-elastic-agent-builder
 #docker build -t so-elastic-agent-builder .

 so-elastic-agent-gen-installers
-salt-call state.apply elastic-fleet.install_agent_grid queue=True
+salt-call state.apply elasticfleet.install_agent_grid queue=True
--- a/salt/common/tools/sbin/so-kibana-space-defaults
+++ b/salt/common/tools/sbin/so-kibana-space-defaults
@@ -13,6 +13,6 @@ echo "Setting up default Space:"
 {% if HIGHLANDER %}
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log
 {% else %}
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet","fleetv2","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log
 {% endif %}
 echo
--- a/salt/common/tools/sbin/so-minion
+++ b/salt/common/tools/sbin/so-minion
@@ -23,7 +23,7 @@ if [[ $# -lt 1 ]]; then
  echo "   accept: Accepts a new key and adds the minion files"
  echo "   delete: Removes the key and deletes the minion files"
  echo "   reject: Rejects a key"
-  echo "     test: Ingest test data"
+  echo "     test: Perform minion test"
  echo ""
  exit 1
 fi
--- a/salt/elastic-fleet/files/so_agent-installers/readme
+++ b/salt/elastic-fleet/files/so_agent-installers/readme
--- a/salt/elastic-fleet/init.sls
+++ b/salt/elastic-fleet/init.sls
--- a/salt/elastic-fleet/install_agent_grid.sls
+++ b/salt/elastic-fleet/install_agent_grid.sls
@@ -9,7 +9,7 @@

 run_installer:
  cmd.script:
-    - name: salt://elastic-fleet/files/so_agent-installers/so-elastic-agent_linux
+    - name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux
    - args: -token={{ GRIDNODETOKEN }}

 {% endif %}
--- a/salt/elasticfleet/soc_elasticfleet.yaml
+++ b/salt/elasticfleet/soc_elasticfleet.yaml
@@ -0,0 +1,18 @@
+elasticfleet:
+  server:
+    endpoints_enrollment:
+      description: Endpoint enrollment key.
+      global: True
+      helpLink: elastic-fleet.html
+    es_token:
+      description: Elastic auth token.
+      global: True
+      helpLink: elastic-fleet.html
+    grid_enrollment:
+      description: Grid enrollment key.
+      global: True
+      helpLink: elastic-fleet.html
+    url:
+      description: Agent connection URL.
+      global: True
+      helpLink: elastic-fleet.html
--- a/salt/elasticsearch/files/ingest/kratos
+++ b/salt/elasticsearch/files/ingest/kratos
@@ -1,7 +1,9 @@
 {
  "description" : "kratos",
  "processors" : [
-    { "set": { "field": "event.dataset", "value": "access" } },
+    {"set":{"field":"audience","value":"access","override":false,"ignore_failure":true}},
+    {"set":{"field":"event.dataset","ignore_empty_value":true,"ignore_failure":true,"value":"kratos.{{{audience}}}","media_type":"text/plain"}},
+    {"set":{"field":"event.action","ignore_failure":true,"copy_from":"msg"    }},
    { "pipeline":    { "name": "common" } }
  ]
-}
+}
--- a/salt/idh/init.sls
+++ b/salt/idh/init.sls
@@ -74,8 +74,6 @@ so-idh:
      - file: opencanary_config
    - require:
      - file: opencanary_config
-    - extra_hosts:
-      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}

 append_so-idh_so-status.conf:
  file.append:
--- a/salt/nginx/init.sls
+++ b/salt/nginx/init.sls
@@ -95,7 +95,7 @@ so-nginx:
      - /opt/so/log/nginx/:/var/log/nginx:rw
      - /opt/so/tmp/nginx/:/var/lib/nginx:rw
      - /opt/so/tmp/nginx/:/run:rw
-      - /opt/so/saltstack/local/salt/elastic-fleet/files/so_agent-installers/:/opt/socore/html/packages
+      - /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/:/opt/socore/html/packages
  {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
      - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro
      - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -210,19 +210,19 @@ chownilogstashelasticfleetp8:
 # Create Symlinks to the keys so I can distribute it to all the things
 elasticfleetdircerts:
  file.directory:
-    - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs
+    - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs
    - makedirs: True

 efkeylink:
  file.symlink:
-    - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs/elasticfleet.p8
+    - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet.p8
    - target: /etc/pki/elasticfleet.p8
    - user: socore
    - group: socore

 efcrtlink:
  file.symlink:
-    - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs/elasticfleet.crt
+    - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet.crt
    - target: /etc/pki/elasticfleet.crt
    - user: socore
    - group: socore
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -59,7 +59,7 @@ base:
    {%- endif %}
    - schedule
    - docker_clean
-    - elastic-fleet.install_agent_grid
+    - elasticfleet.install_agent_grid

  '*_eval and G@saltversion:{{saltversion}}':
    - match: compound
@@ -147,7 +147,7 @@ base:
    - schedule
    - soctopus
    - playbook
-    - elastic-fleet
+    - elasticfleet
    - docker_clean

  '*_standalone and G@saltversion:{{saltversion}}':
@@ -198,7 +198,7 @@ base:
    - schedule
    - soctopus
    - playbook
-    - elastic-fleet
+    - elasticfleet
    - docker_clean

  '*_searchnode and G@saltversion:{{saltversion}}':
@@ -215,7 +215,7 @@ base:
    - logstash
    {%- endif %}
    - schedule
-    - elastic-fleet.install_agent_grid
+    - elasticfleet.install_agent_grid
    - docker_clean

  '*_managersearch and G@saltversion:{{saltversion}}':
@@ -257,7 +257,7 @@ base:
    - schedule
    - soctopus
    - playbook
-    - elastic-fleet
+    - elasticfleet
    - docker_clean

  '*_heavynode and G@saltversion:{{saltversion}}':
@@ -286,7 +286,7 @@ base:
    - zeek
    {%- endif %}
    - schedule
-    - elastic-fleet.install_agent_grid
+    - elasticfleet.install_agent_grid
    - docker_clean
  
  '*_import and G@saltversion:{{saltversion}}':
@@ -317,7 +317,7 @@ base:
    - suricata
    - zeek
    - schedule
-    - elastic-fleet
+    - elasticfleet
    - docker_clean

  '*_receiver and G@saltversion:{{saltversion}}':
@@ -333,7 +333,7 @@ base:
    - redis
    {%- endif %}
    - schedule
-    - elastic-fleet.install_agent_grid
+    - elasticfleet.install_agent_grid
    - docker_clean

  '*_idh and G@saltversion:{{saltversion}}':
@@ -343,7 +343,7 @@ base:
    - telegraf
    - firewall
    - schedule
-    - elastic-fleet.install_agent_grid
+    - elasticfleet.install_agent_grid
    - docker_clean
    - idh