From df6ff027b549bb582f0e151a72dae3ef49883392 Mon Sep 17 00:00:00 2001 From: DefensiveDepth Date: Mon, 19 Aug 2024 16:05:27 -0400 Subject: [PATCH 1/8] Remove unneeded elastic upgrade config --- salt/manager/tools/sbin/soup | 21 ++++----------------- 1 file changed, 4 insertions(+), 17 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 521247eeb..e634e0489 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -453,8 +453,6 @@ post_to_2.4.20() { } post_to_2.4.30() { - echo "Regenerating Elastic Agent Installers" - /sbin/so-elastic-agent-gen-installers # there is an occasional error with this state: pki_public_ca_crt: TypeError: list indices must be integers or slices, not str set +e salt-call state.apply ca queue=True @@ -479,8 +477,7 @@ post_to_2.4.50() { } post_to_2.4.60() { - echo "Regenerating Elastic Agent Installers..." - so-elastic-agent-gen-installers + echo "Nothing to apply" POSTVERSION=2.4.60 } @@ -507,7 +504,8 @@ post_to_2.4.90() { } post_to_2.4.100() { - echo "Nothing to apply" + echo "Regenerating Elastic Agent Installers" + /sbin/so-elastic-agent-gen-installers POSTVERSION=2.4.100 } @@ -587,18 +585,7 @@ up_to_2.4.20() { } up_to_2.4.30() { - - # Remove older defend integration json & installed integration - rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json - - . $UPDATE_DIR/salt/elasticfleet/tools/sbin/so-elastic-fleet-common - elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints - - rm -f /opt/so/state/eaintegrations.txt - - # Elastic Update for this release, so download Elastic Agent files - determine_elastic_agent_upgrade - rm -f /opt/so/state/estemplates*.txt + echo "Nothing to do for 2.4.30" INSTALLEDVERSION=2.4.30 } From ca209ed54c180f8c207b6870316e8d8743283e69 Mon Sep 17 00:00:00 2001 
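Review bot: In the post_to_2.4.100 hunk the new `/sbin/so-elastic-agent-gen-installers` call has its exit status ignored and `POSTVERSION=2.4.100` is recorded regardless, so a failed installer regeneration is never surfaced to the operator. The first hunk shows soup toggling `set +e` around salt-call, which suggests errexit may be active elsewhere in the script; if it is active here, a failure instead aborts the upgrade mid-way, which is also not what a post-upgrade hook should do. Make the intent explicit: `/sbin/so-elastic-agent-gen-installers || echo "WARNING: Elastic Agent installer regeneration failed; rerun so-elastic-agent-gen-installers after soup finishes"`. The 2.4.60 hunk removed a bare `so-elastic-agent-gen-installers` while this one uses the absolute path; pick one form so the two hooks read the same.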
From: DefensiveDepth Date: Tue, 20 Aug 2024 09:14:08 -0400 Subject: [PATCH 2/8] Disable auto-upgrade --- salt/elasticfleet/enabled.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index af5e552eb..fb8f41329 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -138,10 +138,10 @@ so-elastic-fleet-integrations: cmd.run: - name: /usr/sbin/so-elastic-fleet-integration-policy-load -so-elastic-agent-grid-upgrade: - cmd.run: - - name: /usr/sbin/so-elastic-agent-grid-upgrade - - retry: True +#so-elastic-agent-grid-upgrade: +# cmd.run: +# - name: /usr/sbin/so-elastic-agent-grid-upgrade +# - retry: True {% endif %} delete_so-elastic-fleet_so-status.disabled: From e3ecc9d4bed34044ecda62841c50e35f92c99718 Mon Sep 17 00:00:00 2001 From: DefensiveDepth Date: Tue, 20 Aug 2024 15:06:16 -0400 Subject: [PATCH 3/8] Directly manage the Fleet Server integration config --- .../fleet-server/fleet-server.json | 21 +++++++++++++++++++ .../tools/sbin_jinja/so-elastic-fleet-setup | 5 ++++- 2 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 salt/elasticfleet/files/integrations-dynamic/fleet-server/fleet-server.json diff --git a/salt/elasticfleet/files/integrations-dynamic/fleet-server/fleet-server.json b/salt/elasticfleet/files/integrations-dynamic/fleet-server/fleet-server.json new file mode 100644 index 000000000..202345c80 --- /dev/null +++ b/salt/elasticfleet/files/integrations-dynamic/fleet-server/fleet-server.json 
@@ -0,0 +1,21 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} + +{ + "package": { + "name": "fleet_server", + "version": "" + }, + "name": "fleet_server-1", + "namespace": "default", + "policy_id": "FleetServer_{{ GLOBALS.hostname }}", + "vars": {}, + "inputs": { + "fleet_server-fleet-server": { + "enabled": true, + "vars": { + "custom": "server.ssl.supported_protocols: [\"TLSv1.2\", \"TLSv1.3\"]\nserver.ssl.cipher_suites: [ \"ECDHE-RSA-AES-128-GCM-SHA256\", \"ECDHE-RSA-AES-256-GCM-SHA384\", \"ECDHE-RSA-AES-128-CBC-SHA\", \"ECDHE-RSA-AES-256-CBC-SHA\", \"RSA-AES-128-GCM-SHA256\", \"RSA-AES-256-GCM-SHA384\"]" + }, + "streams": {} + } + } +} diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup index d53a5a21a..714c2d407 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup @@ -66,7 +66,10 @@ printf "\n\n" # Create the Manager Fleet Server Host Agent Policy # This has to be done while the Elasticsearch Output is set to the default Output printf "Create Manager Fleet Server Policy...\n" -elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "true" "120" +elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "false" "120" + +# Now that the Manager Fleet Server Policy is created, add the Fleet Server Integration to it +elastic_fleet_integration_create "@/opt/so/conf/elastic-fleet/integrations/fleet-server/fleet-server.json" # Now we can create the Logstash Output and set it to to be the default Output printf "\n\nCreate Logstash Output Config if node is not an Import or Eval install\n" From 07f8bda27e26a3e44e3493524a74d372dce98e66 Mon Sep 17 00:00:00 2001 
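Review bot: The `custom` input in the new fleet-server.json pins `server.ssl.cipher_suites` to a list that includes `ECDHE-RSA-AES-128-CBC-SHA`, `ECDHE-RSA-AES-256-CBC-SHA`, `RSA-AES-128-GCM-SHA256` and `RSA-AES-256-GCM-SHA384`, i.e. CBC/SHA-1 suites and static-RSA key exchange without forward secrecy, on the Fleet Server that every agent in the grid connects to. Unless a specific agent platform is known to need them, limit the TLS 1.2 list to the two ECDHE-GCM suites (the list is not consulted for TLS 1.3 connections anyway), or document next to the setup call which clients require the weaker suites so the choice is not silently carried forward. The empty `"version": ""` is also worth a one-line note in the script that loads this file, since the JSON alone does not say whether it means "latest available" or is filled in elsewhere.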
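Review bot: The positional `"false" "120"` arguments to `elastic_fleet_policy_create` in so-elastic-fleet-setup are opaque at the call site, and this hunk flips the third one from `"true"` to `"false"` without saying why; elastic_fleet_policy_create lives in so-elastic-fleet-common, outside this diff, so a reader cannot tell what changed. Add a comment naming the arguments, e.g. `# args: policy id, description, <third-arg meaning>, inactivity timeout (s)` — presumably the third is the has_fleet_server flag, now false because the Fleet Server integration is attached explicitly on the next line, but that should be confirmed and stated. The result of the new `elastic_fleet_integration_create` call is not checked either, so a failed attach leaves a Fleet Server policy without its integration while setup proceeds to create the Logstash output.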
From: DefensiveDepth Date: Tue, 20 Aug 2024 15:23:31 -0400 Subject: [PATCH 4/8] Update agent --- salt/elasticfleet/enabled.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index fb8f41329..af5e552eb 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -138,10 +138,10 @@ so-elastic-fleet-integrations: cmd.run: - name: /usr/sbin/so-elastic-fleet-integration-policy-load -#so-elastic-agent-grid-upgrade: -# cmd.run: -# - name: /usr/sbin/so-elastic-agent-grid-upgrade -# - retry: True +so-elastic-agent-grid-upgrade: + cmd.run: + - name: /usr/sbin/so-elastic-agent-grid-upgrade + - retry: True {% endif %} delete_so-elastic-fleet_so-status.disabled: From f01825166d22533ca9620d936b1190ed6ccbc224 Mon Sep 17 00:00:00 2001 From: DefensiveDepth Date: Wed, 21 Aug 2024 08:31:37 -0400 Subject: [PATCH 5/8] Update Fleet Server policy --- ...et-integration-policy-elastic-fleet-server | 23 +++++++++++++++++++ .../so-elastic-fleet-integration-policy-load | 5 +++- 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-fleet-server diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-fleet-server b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-fleet-server new file mode 100644 index 000000000..42ffaede2 --- /dev/null +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-fleet-server 
@@ -0,0 +1,23 @@ +#!/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-elastic-fleet-common + +# Make the curl request to fetch the JSON data +json_output=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -L -X GET "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true') + +# Extract the IDs that start with "FleetServer_" using jq +POLICY=$(echo "$json_output" | jq -r '.items[] | select(.id | startswith("FleetServer_")) | .id') + +echo $POLICY + +# Iterate over each ID in the POLICY variable and run the specified commands +for POLICYNAME in $POLICY; do + # First get the Integration ID + elastic_fleet_integration_check "$POLICYNAME" "/opt/so/conf/elastic-fleet/integrations/fleet-server/fleet-server.json" + # Now update the integration policy + elastic_fleet_integration_update "$INTEGRATION_ID" "@/opt/so/conf/elastic-fleet/integrations/fleet-server/fleet-server.json" +done \ No newline at end of file diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load index 518d29d26..26414a94b 100644 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load 
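Review bot: In the loop of the new so-elastic-fleet-integration-policy-elastic-fleet-server, `INTEGRATION_ID` is never set or checked by this script; it is presumably populated as a side effect by `elastic_fleet_integration_check` in so-elastic-fleet-common (not in this diff), so if the check finds nothing for one policy the variable keeps the previous iteration's value and `elastic_fleet_integration_update` is run against the wrong integration. Clear and verify it per iteration: `unset INTEGRATION_ID` before the check, and `[ -n "$INTEGRATION_ID" ] || { echo "No Fleet Server integration found for $POLICYNAME, skipping"; continue; }` after it. The curl that fetches agent_policies is also unchecked, so an unreachable Kibana yields an empty POLICY and the script exits 0 having updated nothing. The rewrite of this loop in the later "Refactor for Elastic Upgrade" patch keeps the same shape, so the fix applies there too.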
@@ -12,7 +12,10 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then # First, check for any package upgrades /usr/sbin/so-elastic-fleet-package-upgrade - # Second, configure Elastic Defend Integration seperately + # Second, update Fleet Server policies + /sbin/so-elastic-fleet-integration-policy-elastic-fleet-server + + # Third, configure Elastic Defend Integration seperately /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend # Initial Endpoints From c30537fe6a9f8bff5cbdca0304f24f0aa418372d Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 21 Aug 2024 13:00:04 -0400 Subject: [PATCH 6/8] Ensure endpoint is installed --- .../tools/sbin_jinja/so-elasticsearch-templates-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load index 12ef4dbf6..5d1e88798 100755 --- a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load +++ b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load @@ -69,7 +69,7 @@ if [ ! -f $STATE_FILE_SUCCESS ]; then retry 240 1 "so-elasticsearch-query / -k --output /dev/null --silent --head --fail" || fail "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" {% if GLOBALS.role != 'so-heavynode' %} SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') - INSTALLED=$(elastic_fleet_package_is_installed {{ SUPPORTED_PACKAGES[0] }} ) + INSTALLED=$(elastic_fleet_package_is_installed endpoint }} ) if [ "$INSTALLED" != "installed" ]; then echo echo "Packages not yet installed." From 0a5725a62ee94ccc9ef0dddaf43cfd38e45fde5c Mon Sep 17 00:00:00 2001 
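Review bot: The new call in so-elastic-fleet-integration-policy-load invokes `/sbin/so-elastic-fleet-integration-policy-elastic-fleet-server` while the neighbouring scripts in the same block are called as `/usr/sbin/...`; the new script is created under tools/sbin like those, so unless /sbin is known to resolve to the same directory on every supported platform this is a latent command-not-found, and its exit status is not checked either. Use `/usr/sbin/so-elastic-fleet-integration-policy-elastic-fleet-server` for consistency with the lines above and below it. The added comment also carries over the typo from the line it replaces: `# Third, configure Elastic Defend Integration separately`.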
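Review bot: The replacement line in so-elasticsearch-templates-load, `INSTALLED=$(elastic_fleet_package_is_installed endpoint }} )`, leaves the closing `}}` of the old `{{ SUPPORTED_PACKAGES[0] }}` expression behind; this file is rendered from sbin_jinja, and a bare `}}` with no opening `{{` passes through as literal text, so the rendered shell calls the function with a second argument `}}`. Whether that breaks the installed check depends on how elastic_fleet_package_is_installed (so-elastic-fleet-common, outside this diff) treats extra arguments, but it is certainly not intended. The line should read `INSTALLED=$(elastic_fleet_package_is_installed endpoint)`.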
From: DefensiveDepth Date: Fri, 23 Aug 2024 11:36:47 -0400 Subject: [PATCH 7/8] Refactor for Elastic Upgrade --- .../fleet-server/fleet-server.json | 4 +- ...et-integration-policy-elastic-fleet-server | 20 ++++++---- salt/manager/tools/sbin/so-minion | 40 ++++++++++++------- 3 files changed, 40 insertions(+), 24 deletions(-) diff --git a/salt/elasticfleet/files/integrations-dynamic/fleet-server/fleet-server.json b/salt/elasticfleet/files/integrations-dynamic/fleet-server/fleet-server.json index 202345c80..116f78500 100644 --- a/salt/elasticfleet/files/integrations-dynamic/fleet-server/fleet-server.json +++ b/salt/elasticfleet/files/integrations-dynamic/fleet-server/fleet-server.json @@ -1,5 +1,3 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} - { "package": { "name": "fleet_server", @@ -7,7 +5,7 @@ }, "name": "fleet_server-1", "namespace": "default", - "policy_id": "FleetServer_{{ GLOBALS.hostname }}", + "policy_id": "FleetServer_hostname", "vars": {}, "inputs": { "fleet_server-fleet-server": { diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-fleet-server b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-fleet-server index 42ffaede2..c304d5ba5 100644 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-fleet-server +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-fleet-server 
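Review bot: With the Jinja import removed, fleet-server.json now ships `"policy_id": "FleetServer_hostname"` as a literal that every consumer must overwrite with jq before posting; the value is indistinguishable from a real policy id, so a caller that posts the file unmodified (as so-elastic-fleet-setup still does until the last patch in this series) silently targets a nonexistent `FleetServer_hostname` policy instead of failing visibly. JSON has no comments, so record the contract where the file is consumed, e.g. `# fleet-server.json is a template: policy_id and name are placeholders rewritten by jq before use` next to each jq call, and consider a placeholder that cannot collide with a real id. The file also still lives under integrations-dynamic although it is no longer rendered; worth confirming that directory's loader does not expect Jinja.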
@@ -6,18 +6,24 @@ . /usr/sbin/so-elastic-fleet-common -# Make the curl request to fetch the JSON data +# Get all the fleet policies json_output=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -L -X GET "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true') -# Extract the IDs that start with "FleetServer_" using jq +# Extract the IDs that start with "FleetServer_" POLICY=$(echo "$json_output" | jq -r '.items[] | select(.id | startswith("FleetServer_")) | .id') -echo $POLICY - -# Iterate over each ID in the POLICY variable and run the specified commands +# Iterate over each ID in the POLICY variable for POLICYNAME in $POLICY; do + printf "\nUpdating Policy: $POLICYNAME\n" + # First get the Integration ID elastic_fleet_integration_check "$POLICYNAME" "/opt/so/conf/elastic-fleet/integrations/fleet-server/fleet-server.json" - # Now update the integration policy - elastic_fleet_integration_update "$INTEGRATION_ID" "@/opt/so/conf/elastic-fleet/integrations/fleet-server/fleet-server.json" + + # Modify the default integration policy to update the policy_id and an with the correct naming + UPDATED_INTEGRATION_POLICY=$(jq --arg policy_id "$POLICYNAME" --arg name "fleet_server-$POLICYNAME" ' + .policy_id = $policy_id | + .name = $name' /opt/so/conf/elastic-fleet/integrations/fleet-server/fleet-server.json) + + # Now update the integration policy using the modified JSON + elastic_fleet_integration_update "$INTEGRATION_ID" "$UPDATED_INTEGRATION_POLICY" done \ No newline at end of file diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index 6f14104c3..ebbfa8fff 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -9,6 +9,10 @@ if [ -f /usr/sbin/so-common ]; then . /usr/sbin/so-common fi +if [ -f /usr/sbin/so-elastic-fleet-common ]; then + . /usr/sbin/so-elastic-fleet-common +fi + function usage() { echo "Usage: $0 -o= -m=[id]" echo "" 
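Review bot: The refactored loop names the integration `--arg name "fleet_server-$POLICYNAME"`, and POLICYNAME is the full agent policy id (`FleetServer_<host>`), so the result is `fleet_server-FleetServer_<host>`; create_fleet_policy in so-minion (this same patch) and so-elastic-fleet-setup (the next patch) use `fleet_server-$LSHOSTNAME` / `fleet_server-<hostname>`, so every run of this script renames the integration away from what was created. Strip the prefix, `--arg name "fleet_server-${POLICYNAME#FleetServer_}"`, or derive the name in one shared helper. `printf "\nUpdating Policy: $POLICYNAME\n"` interpolates data into the format string; use `printf '\nUpdating Policy: %s\n' "$POLICYNAME"`. The comment `# Modify the default integration policy to update the policy_id and an with the correct naming` has a stray "an with".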
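Review bot: The guarded `. /usr/sbin/so-elastic-fleet-common` added to so-minion means that when the file is absent the script continues and only fails later, inside create_fleet_policy, with a bare command-not-found for `elastic_fleet_policy_create` — after the Elasticsearch output has already been PUT as the default. Either source it unconditionally, since the code paths this patch adds require it, or check at the point of use: `type elastic_fleet_policy_create >/dev/null 2>&1 || { echo "so-elastic-fleet-common not available"; return 1; }` at the top of create_fleet_policy. Keeping the guard to mirror the existing so-common block is fine if a comment states that the functions are required by create_fleet_policy.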
@@ -380,23 +384,31 @@ function add_elastic_fleet_package_registry_to_minion() { function create_fleet_policy() { - JSON_STRING=$( jq -n \ - --arg NAME "FleetServer_$LSHOSTNAME" \ - --arg DESC "Fleet Server - $LSHOSTNAME" \ - '{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":1209600,"has_fleet_server":true}' - ) + # First, set the default output to Elasticsearch + # This is required because of the license output bug + JSON_STRING=$(jq -n \ + '{ + "name": "so-manager_elasticsearch", + "type": "elasticsearch", + "is_default": true, + "is_default_monitoring": false + }') - # Create Fleet Sever Policy - curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" + curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_elasticsearch" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" - JSON_STRING_UPDATE=$( jq -n \ - --arg NAME "FleetServer_$LSHOSTNAME" \ - --arg DESC "Fleet Server - $LSHOSTNAME" \ - '{"name":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":120,"data_output_id":"so-manager_elasticsearch"}' - ) + # Create the Fleet Server Policy + elastic_fleet_policy_create "FleetServer_$LSHOSTNAME" "Fleet Server - $LSHOSTNAME" "false" "120" - # Update Fleet Policy - ES Output - curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/FleetServer_$LSHOSTNAME" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING_UPDATE" + # Modify the default integration policy to update the policy_id with the correct naming + UPDATED_INTEGRATION_POLICY=$(jq --arg policy_id "FleetServer_$LSHOSTNAME" --arg name "fleet_server-$LSHOSTNAME" ' + .policy_id = $policy_id | + .name = $name' 
/opt/so/conf/elastic-fleet/integrations/fleet-server/fleet-server.json) + + # Add the Fleet Server Integration to the new Fleet Policy + elastic_fleet_integration_create "$UPDATED_INTEGRATION_POLICY" + + # Set the default output back to the default + /sbin/so-elastic-fleet-outputs-update } function update_fleet_host_urls() { From c575e02fbb344b2081540a2459c725e7d7658126 Mon Sep 17 00:00:00 2001 From: DefensiveDepth Date: Fri, 23 Aug 2024 13:52:20 -0400 Subject: [PATCH 8/8] Use correct name --- .../elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup index 714c2d407..deb16dadf 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup @@ -68,8 +68,13 @@ printf "\n\n" printf "Create Manager Fleet Server Policy...\n" elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "false" "120" -# Now that the Manager Fleet Server Policy is created, add the Fleet Server Integration to it -elastic_fleet_integration_create "@/opt/so/conf/elastic-fleet/integrations/fleet-server/fleet-server.json" +# Modify the default integration policy to update the policy_id with the correct naming +UPDATED_INTEGRATION_POLICY=$(jq --arg policy_id "FleetServer_{{ GLOBALS.hostname }}" --arg name "fleet_server-{{ GLOBALS.hostname }}" ' +.policy_id = $policy_id | +.name = $name' /opt/so/conf/elastic-fleet/integrations/fleet-server/fleet-server.json) + +# Add the Fleet Server Integration to the new Fleet Policy +elastic_fleet_integration_create "$UPDATED_INTEGRATION_POLICY" # Now we can create the Logstash Output and set it to to be the default Output printf "\n\nCreate Logstash Output Config if node is not an Import or Eval install\n"
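Review bot: create_fleet_policy now switches the default output to Elasticsearch (`"is_default": true`) as a workaround and relies on the final `/sbin/so-elastic-fleet-outputs-update` to switch it back, but none of the intermediate steps (the output PUT, `elastic_fleet_policy_create`, `elastic_fleet_integration_create`) have their status checked; any failure in between leaves the whole grid shipping to the Elasticsearch output instead of Logstash, with nothing in the output saying so. Track the status of each step, run the restore unconditionally and return the first failure, as sketched below; a bash `trap ... RETURN` is the alternative. curl needs `--fail` for an HTTP error to count as a failure at all. The `/sbin/` prefix here and the `/usr/sbin/` prefix used for so-elastic-fleet-common two hunks earlier should also agree.
```shell
function create_fleet_policy() {
    # … unchanged: JSON_STRING for the temporary Elasticsearch default output …
    local rc=0
    curl --fail -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_elasticsearch" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" || rc=$?
    if [ "$rc" -eq 0 ]; then
        elastic_fleet_policy_create "FleetServer_$LSHOSTNAME" "Fleet Server - $LSHOSTNAME" "false" "120" || rc=$?
    fi
    # … unchanged: UPDATED_INTEGRATION_POLICY jq rewrite of fleet-server.json …
    if [ "$rc" -eq 0 ]; then
        elastic_fleet_integration_create "$UPDATED_INTEGRATION_POLICY" || rc=$?
    fi
    # Always restore the default output, even when an earlier step failed,
    # so a partial run never leaves Elasticsearch as the grid-wide default.
    /sbin/so-elastic-fleet-outputs-update
    return "$rc"
}
```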
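Review bot: This hunk adds the third copy of the same jq rewrite of fleet-server.json (`.policy_id = $policy_id | .name = $name`), alongside create_fleet_policy in so-minion and the per-policy update script; three call sites that must agree on a naming convention is how the `fleet_server-FleetServer_<host>` versus `fleet_server-<host>` mismatch in the update script crept in. Move it into so-elastic-fleet-common as one new helper — say `elastic_fleet_fleet_server_integration_json "<hostname>"`, printing the rendered JSON — and call it from all three places. A short comment above the call noting that fleet-server.json is a template whose policy_id and name are placeholders would help the next reader, since the JSON itself cannot carry that note.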