Merge pull request #522 from Security-Onion-Solutions/bugfix/fleet-ingest

Fleet pipeline fixes
2025-12-06 09:12:45 +01:00 · 2020-04-03 16:14:28 -04:00
parent 476c6018c0 051f6d2310
commit 35fc87e5f6
5 changed files with 23 additions and 39 deletions
--- a/pillar/firewall/fleet_nodes.sls
+++ b/pillar/firewall/fleet_nodes.sls
@@ -1,3 +0,0 @@
-fleet_nodes:
-  - 127.0.0.1
-  
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -8,6 +8,8 @@
 {%- elif grains['role'] == 'so-fleet' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- endif %}
+{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
+{%- set FLEET_NODE_IP = salt['pillar.get']('static:fleet_ip') %}

 # Quick Fix for Docker being difficult
 iptables_fix_docker:
@@ -424,6 +426,22 @@ enable_forwardnode_sensoroni_9822_{{ip}}:

 {% endfor %}

+# Allow Fleet Node to send its beats traffic
+{% if FLEET_NODE %}
+
+enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ FLEET_NODE_IP }}
+    - dport: 5644
+    - position: 1
+    - save: True
+
+{% endif %}
+
 {% for ip in pillar.get('search_nodes')  %}

 enable_searchnode_redis_6379_{{ip}}:
--- a/salt/fleet/event_gen-packages.sls
+++ b/salt/fleet/event_gen-packages.sls
@@ -1,4 +1,4 @@
-{% set ENROLLSECRET = salt['pillar.get']('auth:fleet_enroll-secret') %}
+{% set ENROLLSECRET = salt['pillar.get']('secrets:fleet_enroll-secret') %}

 so/fleet:
  event.send:
--- a/salt/fleet/files/dedicated-index.html
+++ b/salt/fleet/files/dedicated-index.html
@@ -86,40 +86,9 @@ a {
 			<p>
                <div style="text-align: center;">
                    <h1>Security Onion - Dedicated Fleet Node</h1>
-					<h2>Osquery Packages</h2>
 				</div>
 				<br/>
-				<h2>Notes</h2>
-				<ul>
-					<li>These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from <a href="https://osquery.io/downloads">osquery.io</a></li>
-					<li>Packages are not signed.</li>
-				</ul>
 				<br/>
-				<h2>Downloads</h2>
-				<div>
-					Generated: {{ PACKAGESTS }}
-					<br/>
-					<br/>
-					Packages:
-					<ul>
-						<li><a href="/launcher.msi" download="msi-launcher.msi">MSI (Windows)</a></li>
-						<li><a href="/launcher.deb" download="deb-launcher.deb">DEB (Debian)</a></li>
-                        <li><a href="/launcher.rpm" download="rpm-launcher.rpm">RPM (RPM)</a></li>
-                        <li><a href="/launcher.pkg" download="pkg-launcher.pkg">PKG (MacOS)</a></li>
-					</ul>
-					<br/>
-					<br/>
-					Config Files:
-					<ul>
-						<li><a href="/launcher.flags" download="launcher.flags.txt">RPM & DEB Flag File</a></li>
-						<li><a href="/launcher-msi.flags" download="launcher-msi.flags.txt">MSI Flag File</a></li>
-					</ul>
-				</div>
-				<br/>
-				<h2>Known Issues</h2>
-				<ul>
-					<li>None</li>
-				</ul>
 			  </p>
 		  </div>
 	</div>
--- a/salt/reactor/fleet.sls
+++ b/salt/reactor/fleet.sls
@@ -15,9 +15,9 @@ def run():
  MAINIP = data['data']['mainip']

  STATICFILE = '/opt/so/saltstack/pillar/static.sls'
-  AUTHFILE = '/opt/so/saltstack/pillar/auth.sls'
+  SECRETSFILE = '/opt/so/saltstack/pillar/secrets.sls'

-  if MINIONID.split('_')[-1] in ['master','eval','fleet']:
+  if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch']:
    if ACTION == 'enablefleet':
      logging.info('so/fleet enablefleet reactor')
      
@@ -29,8 +29,8 @@ def run():
          line = re.sub(r'fleet_master: \S*', f"fleet_master: True", line.rstrip())
        print(line) 

-      # Update the enroll secret in the auth pillar
-      for line in fileinput.input(AUTHFILE, inplace=True):
+      # Update the enroll secret in the secrets pillar
+      for line in fileinput.input(SECRETSFILE, inplace=True):
        line = re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip())
        print(line)