From 544fa824ea3b5efe9cb0c24920db8e8227a94f59 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 2 May 2023 14:17:59 -0400
Subject: [PATCH] Initial cut for Artifact Registry
---
 salt/docker/defaults.yaml | 1 +
 salt/elasticfleet/artifact_registry.sls | 11 +++++++++++
 salt/firewall/assigned_hostgroups.map.yaml | 18 ++++++++++++++++++
 salt/firewall/ports/ports.yaml | 3 +++
 salt/nginx/etc/nginx.conf | 16 ++++++++++++++++
 salt/nginx/init.sls | 1 +
 setup/so-functions | 11 +++++++++++
 setup/so-setup | 2 ++
 8 files changed, 63 insertions(+)
 create mode 100644 salt/elasticfleet/artifact_registry.sls
diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index 0fb1d91b8..19dda3d35 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -54,6 +54,7 @@ docker:
 port_bindings:
 - 80:80
 - 443:443
+ - 8443:8443
 'so-playbook':
 final_octet: 32
 port_bindings:
diff --git a/salt/elasticfleet/artifact_registry.sls b/salt/elasticfleet/artifact_registry.sls
new file mode 100644
index 000000000..565bdbb46
--- /dev/null
+++ b/salt/elasticfleet/artifact_registry.sls
@@ -0,0 +1,11 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+
+
+fleetartifactdir:
+ file.directory:
+ - name: /nsm/elastic-fleet/artifacts
+ - user: 947
+ - group: 939
+ - makedirs: True
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index b9a8f7fb2..cd75c07a1 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -46,6 +46,7 @@ role:
 portgroups:
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 strelka_frontend:
 portgroups:
 - {{ portgroups.strelka_frontend }}
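Review bot: The `fleetartifactdir` state in salt/elasticfleet/artifact_registry.sls sets owner and group but no `mode`, and it does not recurse into the directory. The same path is first created by `mkdir -p` in `download_elastic_agent_artifacts` (setup/so-functions), which so-setup appears to call before Salt is installed, so the directory keeps whatever permissions root's umask produced and the extracted files keep the ownership tar gave them. Suggest adding an explicit `- mode: 755` (value to be confirmed against what the nginx container needs to read) and a comment naming the accounts behind `947` and `939`, which the file does not explain.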
@@ -74,10 +75,12 @@ role:
 portgroups:
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 elastic_agent_endpoint:
 portgroups:
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 INPUT:
 hostgroups:
 anywhere:
@@ -117,6 +120,7 @@ role:
 - {{ portgroups.docker_registry }}
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 {% if ISAIRGAP is sameas true %}
 - {{ portgroups.agrules }}
 {% endif %}
@@ -126,6 +130,7 @@ role:
 - {{ portgroups.beats_5644 }}
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 - {{ portgroups.yum }}
 - {{ portgroups.docker_registry }}
 - {{ portgroups.influxdb }}
@@ -140,6 +145,7 @@ role:
 - {{ portgroups.influxdb }}
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 heavynodes:
 portgroups:
 - {{ portgroups.redis }}
@@ -151,6 +157,7 @@ role:
 - {{ portgroups.influxdb }}
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 self:
 portgroups:
 - {{ portgroups.syslog}}
@@ -170,6 +177,7 @@ role:
 portgroups:
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 endgame:
 portgroups:
 - {{ portgroups.endgame }}
@@ -212,12 +220,14 @@ role:
 - {{ portgroups.docker_registry }}
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 sensors:
 portgroups:
 - {{ portgroups.beats_5044 }}
 - {{ portgroups.beats_5644 }}
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 - {{ portgroups.yum }}
 - {{ portgroups.docker_registry }}
 - {{ portgroups.influxdb }}
@@ -231,6 +241,7 @@ role:
 - {{ portgroups.influxdb }}
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 heavynodes:
 portgroups:
 - {{ portgroups.redis }}
@@ -241,6 +252,7 @@ role:
 - {{ portgroups.influxdb }}
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 self:
 portgroups:
 - {{ portgroups.syslog}}
@@ -257,6 +269,7 @@ role:
 portgroups:
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 endgame:
 portgroups:
 - {{ portgroups.endgame }}
@@ -312,6 +325,7 @@ role:
 - {{ portgroups.elasticsearch_node }}
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 - {{ portgroups.endgame }}
 - {{ portgroups.strelka_frontend }}
 fleet:
@@ -326,6 +340,7 @@ role:
 - {{ portgroups.beats_5056 }}
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 sensors:
 portgroups:
 - {{ portgroups.docker_registry }}
@@ -337,6 +352,7 @@ role:
 - {{ portgroups.beats_5056 }}
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 searchnodes:
 portgroups:
 - {{ portgroups.docker_registry }}
@@ -371,6 +387,7 @@ role:
 portgroups:
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 endgame:
 portgroups:
 - {{ portgroups.endgame }}
@@ -529,6 +546,7 @@ role:
 portgroups:
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.elastic_agent_update }}
 analyst:
 portgroups:
 - {{ portgroups.nginx }}
diff --git a/salt/firewall/ports/ports.yaml b/salt/firewall/ports/ports.yaml
index 79bdf93b4..68b93fafd 100644
--- a/salt/firewall/ports/ports.yaml
+++ b/salt/firewall/ports/ports.yaml
@@ -35,6 +35,9 @@ firewall:
 elastic_agent_data:
 tcp:
 - 5055
+ elastic_agent_update:
+ tcp:
+ - 8443
 endgame:
 tcp:
 - 3765
diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index e6a7f3c87..502f6302a 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -43,6 +43,22 @@ http {
 return 307 https://{{ GLOBALS.url_base }}$request_uri;
 }
+ server {
+ listen 8443;
+ server_name {{ GLOBALS.url_base }};
+ root /opt/socore/html;
+ location /artifacts/ {
+ try_files $uri =206;
+ proxy_read_timeout 90;
+ proxy_connect_timeout 90;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Proxy "";
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+ }
+
 server {
 listen 443 ssl http2 default_server;
 server_name _;
diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls
index 52d018354..833bda98a 100644
--- a/salt/nginx/init.sls
+++ b/salt/nginx/init.sls
@@ -96,6 +96,7 @@ so-nginx:
 - /opt/so/tmp/nginx/:/var/lib/nginx:rw
 - /opt/so/tmp/nginx/:/run:rw
 - /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/:/opt/socore/html/packages
+ - /nsm/elastic-fleet/artifacts/:/opt/socore/html/artifacts
 {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
 - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro
 - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro
diff --git a/setup/so-functions b/setup/so-functions
index f7f67dfe2..8bd738830 100755
--- a/setup/so-functions
+++ b/setup/so-functions
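Review bot: The new `server` block in salt/nginx/etc/nginx.conf sets `root /opt/socore/html` at server level but defines only `location /artifacts/`, so requests for any other path on 8443 fall through to that root; the `packages` directory that salt/nginx/init.sls mounts under the same root would then presumably be served on this listener too. `try_files $uri =206;` answers a missing file with 206 Partial Content, which a client can mistake for a successful partial download, and the `proxy_*` directives have no effect without a `proxy_pass`. The listener is also plain HTTP while the 443 server below uses `ssl`, so unless agents verify artifact signatures themselves, consider `listen 8443 ssl;` with the existing server certificate. A narrowed block is sketched below.

```nginx
server {
    listen 8443;
    server_name {{ GLOBALS.url_base }};

    # Serve only the artifact tree from this listener
    location /artifacts/ {
        root /opt/socore/html;
        try_files $uri =404;
    }

    # Refuse every other path instead of falling through to a shared root
    location / {
        return 404;
    }
}
```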
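Review bot: The bind mount added to `so-nginx` in salt/nginx/init.sls, `/nsm/elastic-fleet/artifacts/:/opt/socore/html/artifacts`, is read-write by default although nginx only has to read these files; the certificate mounts just below it already carry `:ro`. Suggest `- /nsm/elastic-fleet/artifacts/:/opt/socore/html/artifacts:ro`, so that a compromise of the web container cannot alter the update packages agents download. The `so-nginx` state begins and ends outside the hunk.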
@@ -962,6 +962,17 @@ detect_os() {
 }
+download_elastic_agent_artifacts() {
+ #TODO - ISO
+
+ mkdir -p /nsm/elastic-fleet/artifacts/beats/elastic-agent/
+
+ curl --retry 5 --retry-delay 60 https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz
+
+ tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/
+
+ }
+
 installer_progress_loop() {
 local i=0
 local msg="${1:-Performing background actions...}"
diff --git a/setup/so-setup b/setup/so-setup
index aa35a459a..0cc19d990 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -605,6 +605,8 @@ if ! [[ -f $install_opt_file ]]; then
 gpg_rpm_import
 # Create the local repo and point the box to use the local repo
 securityonion_repo
+ # Download Elastic Agent Artifacts
+ download_elastic_agent_artifacts
 # Update existing packages
 update_packages
 # Install salt
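Review bot: `download_elastic_agent_artifacts` in setup/so-functions unpacks whatever curl wrote, with no integrity check and no `--fail`, so an HTTP error page or a tampered tarball ends up in the directory nginx serves to agents on 8443. The curl and tar exit codes are ignored and the `$SOVERSION` expansions are unquoted. Suggest failing on HTTP errors, verifying a published checksum or signature before `tar -xf`, and extracting with `--no-same-owner` so file ownership does not come from the archive. The checksum variable in the sketch below is a placeholder, because the page does not show where one is published, and whether so-setup acts on a non-zero return is not visible in its hunk.

```shell
download_elastic_agent_artifacts() {
  #TODO - ISO
  local artifact_dir=/nsm/elastic-fleet/artifacts
  local tarball="$artifact_dir/elastic-agent_SO-$SOVERSION.tar.gz"

  mkdir -p "$artifact_dir/beats/elastic-agent/"

  # --fail keeps an HTTP error body from being saved as the tarball
  if ! curl --fail --retry 5 --retry-delay 60 \
      "https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.tar.gz" \
      --output "$tarball"; then
    echo "Elastic Agent artifact download failed" >&2
    return 1
  fi

  # PLACEHOLDER: EXPECTED_SHA256 stands for a digest or signature published by the project
  if ! echo "$EXPECTED_SHA256  $tarball" | sha256sum --check --status; then
    echo "Elastic Agent artifact failed integrity verification" >&2
    return 1
  fi

  tar --no-same-owner -xf "$tarball" -C "$artifact_dir/beats/elastic-agent/" || return 1
}
```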