CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Refactoring Fleet setup

Browse Source
This commit is contained in:
Josh Brower
2023-04-06 13:21:19 -04:00
parent cda67b2894
commit 17bc96c3b3
5 changed files with 30 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
salt/common/tools/sbin/so-elastic-fleet-setup
View File

@@ -41,10 +41,10 @@ JSON_STRING=$( jq -n \
--arg LOGSTASHCRT "$LOGSTASHCRT" \ --arg LOGSTASHCRT "$LOGSTASHCRT" \
--arg LOGSTASHKEY "$LOGSTASHKEY" \ --arg LOGSTASHKEY "$LOGSTASHKEY" \
--arg LOGSTASHCA "$LOGSTASHCA" \ --arg LOGSTASHCA "$LOGSTASHCA" \
'{"name":"so-manager_logstash","is_default":true,"is_default_monitoring":true,"id":"so-manager_logstash","type":"logstash","hosts":["{{ GLOBALS.manager_ip }}:5055"],"config_yaml":"","ssl":{"certificate": $LOGSTASHCRT,"key": $LOGSTASHKEY,"certificate_authorities":[ $LOGSTASHCA ]},"proxy_id":null}' '{"name":"grid-logstash","is_default":true,"is_default_monitoring":true,"id":"so-manager_logstash","type":"logstash","hosts":["{{ GLOBALS.manager_ip }}:5055"],"config_yaml":"","ssl":{"certificate": $LOGSTASHCRT,"key": $LOGSTASHKEY,"certificate_authorities":[ $LOGSTASHCA ]},"proxy_id":null}'
) )
# Add SO-Manager Logstash Ouput # Add Logstash Ouput
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
printf "\n\n" printf "\n\n"
{%- endif %} {%- endif %}

26
salt/common/tools/sbin/so-minion
View File

@@ -139,9 +139,6 @@ function add_fleet_to_minion() {
# TODO: Add error handling # TODO: Add error handling
ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value) ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value)
# Create Logstash Certs
# Write out settings to minion file # Write out settings to minion file
printf '%s\n'\ printf '%s\n'\
"elasticfleet:"\ "elasticfleet:"\
@@ -221,6 +218,28 @@ function add_sensor_to_minion() {
echo " enabled: True" >> $PILLARFILE echo " enabled: True" >> $PILLARFILE
} }
function create_fleet_policy() {
MINIONID="sa-29-261-jb_standalone"
JSON_STRING=$( jq -n \
--arg NAME "FleetServer_$MINIONID" \
--arg DESC "Fleet Server - $MINIONID" \
'{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":1209600,"has_fleet_server":true}'
)
# Create Fleet Sever Policy
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
JSON_STRING_UPDATE=$( jq -n \
--arg NAME "FleetServer_$MINIONID" \
--arg DESC "Fleet Server - $MINIONID" \
'{"name":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":1209600,"data_output_id":"so-manager_elasticsearch"}'
)
# Update Fleet Policy - ES Output
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/FleetServer_$MINIONID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING_UPDATE"
}
function updateMine() { function updateMine() {
salt "$MINION_ID" mine.send network.ip_addrs interface="$MNIC" salt "$MINION_ID" mine.send network.ip_addrs interface="$MNIC"
} }
@@ -236,6 +255,7 @@ function createEVAL() {
function createFLEET() { function createFLEET() {
add_fleet_to_minion add_fleet_to_minion
add_logstash_to_minion add_logstash_to_minion
create_fleet_policy
} }
function createIDH() { function createIDH() {

3
salt/elasticfleet/init.sls
View File

@@ -53,6 +53,7 @@ eastatedir:
- replace: True - replace: True
- source: salt://elasticfleet/files/certs/elasticfleet.crt - source: salt://elasticfleet/files/certs/elasticfleet.crt
- mode: 640 - mode: 640
- user: 931
- group: 939 - group: 939
@@ -82,7 +83,7 @@ so-elastic-fleet:
- FLEET_URL=https://{{ GLOBALS.node_ip }}:8220 - FLEET_URL=https://{{ GLOBALS.node_ip }}:8220
- FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200 - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200
- FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }} - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }}
- FLEET_SERVER_POLICY_ID={{ FLEETSERVERPOLICY }} - FLEET_SERVER_POLICY_ID=Fleet-Server_{{ GLOBALS.hostname }}
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/intca.crt - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/intca.crt
- FLEET_SERVER_CERT=/etc/pki/elasticfleet.crt - FLEET_SERVER_CERT=/etc/pki/elasticfleet.crt
- FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet.key - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet.key

59
salt/kibana/defaults.yaml
View File

@@ -31,62 +31,3 @@ kibana:
reporting: reporting:
kibanaServer: kibanaServer:
hostname: localhost hostname: localhost
fleet:
packages:
- name: fleet_server
version: latest
- name: log
version: latest
- name: osquery_manager
version: latest
- name: system
version: latest
- name: windows
version: latest
agentPolicies:
- name: SO-Manager
id: so-manager
description: "SO Manager Fleet Server Policy"
namespace: default
is_default_fleet_server: true
monitoring_enabled: ['logs']
package_policies:
- name: fleet-server_manager
package:
name: fleet_server
- name: SO-Grid-Nodes
id: so-grid-nodes
description: "SO Grid Node Policy"
namespace: default
monitoring_enabled: ['logs']
package_policies:
- name: osquery-grid-nodes
package:
name: osquery_manager
- name: system-grid-nodes
package:
name: system
inputs:
- type: system/metrics
enabled: false
- name: Endpoints-Initial
id: endpoints-default
description: "Initial Endpoint Policy"
namespace: default
monitoring_enabled: ['logs']
package_policies:
- name: system-endpoints
package:
name: system
inputs:
- type: system/metrics
enabled: false
- name: osquery-endpoints
package:
name: osquery_manager
- name: windows-endpoints
package:
name: windows
inputs:
- type: windows/metrics
enabled: false

4
setup/so-setup
View File

@@ -637,8 +637,8 @@ if ! [[ -f $install_opt_file ]]; then
add_web_user add_web_user
info "Restarting SOC to pick up initial user" info "Restarting SOC to pick up initial user"
logCmd "so-soc-restart" logCmd "so-soc-restart"
title "Setting up Elastic Fleet" #title "Setting up Elastic Fleet"
logCmd "so-elastic-fleet-setup" # logCmd "so-elastic-fleet-setup"
if [[ ! $is_import ]]; then if [[ ! $is_import ]]; then
title "Setting up Playbook" title "Setting up Playbook"
logCmd "so-playbook-reset" logCmd "so-playbook-reset"