From 81ee333b07a55ac3f5e1e83fb67e153e0a6aba9c Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 24 Jan 2023 13:36:30 -0500 Subject: [PATCH] Initial support - Elastic Fleet Node --- pillar/top.sls | 6 +++ salt/allowed_states.map.jinja | 9 +++++ salt/elastic-fleet/init.sls | 15 +------- salt/firewall/assigned_hostgroups.map.yaml | 45 ++++++++++++++++++++++ salt/firewall/hostgroups/fleet | 0 salt/top.sls | 10 +++++ setup/so-setup | 14 ++++++- setup/so-whiptail | 2 +- 8 files changed, 86 insertions(+), 15 deletions(-) create mode 100644 salt/firewall/hostgroups/fleet diff --git a/pillar/top.sls b/pillar/top.sls index 074a0a9d4..7c34bbe85 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -184,6 +184,12 @@ base: - minions.{{ grains.id }} - minions.adv_{{ grains.id }} + '*_fleet': + - backup.soc_backup + - backup.adv_backup + - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} + '*_workstation': - minions.{{ grains.id }} - minions.adv_{{ grains.id }} diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 2f6cc60a0..a91796a4a 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -197,6 +197,15 @@ 'tcpreplay', 'docker_clean' ], + 'so-fleet': [ + 'ssl', + 'telegraf', + 'firewall', + 'healthcheck', + 'schedule', + 'elastic-fleet', + 'docker_clean' + ], 'so-receiver': [ 'ssl', 'telegraf', diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls index 1460fda38..4062cff46 100644 --- a/salt/elastic-fleet/init.sls +++ b/salt/elastic-fleet/init.sls 
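Review bot: The new `so-fleet` list omits `sensoroni`, yet the `*_fleet` target this commit adds to salt/top.sls applies `sensoroni`; conversely `healthcheck` is allowed here but never applied there. If sensoroni's init.sls uses the same `{% if sls in allowed_states %}` guard that the removed lines in salt/elastic-fleet/init.sls show as the pattern, a highstate on a fleet node will fail with `sensoroni_state_not_allowed` (inferred — sensoroni's state file is not in this diff). Add `'sensoroni',` to this list or drop it from top.sls so the two stay in sync, and decide whether `healthcheck` is meant to run on fleet nodes.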
@@ -1,15 +1,12 @@ # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use # this file except in compliance with the Elastic License 2.0. -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER %} # These values are generated during node install and stored in minion pillar -{% set SERVICETOKEN = salt['pillar.get']('elasticfleet:server:es_token','') %} +{% set SERVICETOKEN = salt['pillar.get']('elasticfleet:server:es_token','AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2NzQzMzE3MTE4MDE6MGRHZDBnd2xRZDJBX0hLVjd2TnJBdw') %} {% set FLEETSERVERPOLICY = salt['pillar.get']('elasticfleet:server:server_policy','so-manager') %} -{% set FLEETURL = salt['pillar.get']('elasticfleet:server:url') %} # Add EA Group elasticsagentgroup: @@ -62,7 +59,7 @@ so-elastic-fleet: - /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw - environment: - FLEET_SERVER_ENABLE=true - - FLEET_URL=https://{{ FLEETURL }}:8220 + - FLEET_URL=https://{{ GLOBALS.node_ip }}:8220 - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager_ip }}:9200 - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }} - FLEET_SERVER_POLICY_ID={{ FLEETSERVERPOLICY }} @@ -76,11 +73,3 @@ append_so-elastic-fleet_so-status.conf: file.append: - name: /opt/so/conf/so-status/so-status.conf - text: so-elastic-fleet - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index e91859743..4c300a496 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml 
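Review bot: The fallback on the `SERVICETOKEN` line is now a literal credential: `AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2NzQzMzE3MTE4MDE6…` has the shape of a base64-encoded Elasticsearch service-account token (it appears to decode to `elastic/fleet-server/token-<timestamp>:<secret>`), so any install whose minion pillar lacks `elasticfleet:server:es_token` will authenticate to Elasticsearch with a token that is now public in git history. Restore the empty default, `{% set SERVICETOKEN = salt['pillar.get']('elasticfleet:server:es_token','') %}`, and treat the committed token as leaked — invalidate it in the cluster it was issued from, since reverting the line does not remove it from history. It would also be safer to fail the state when the pillar value is empty rather than starting the container with a blank `FLEET_SERVER_SERVICE_TOKEN`.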
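Review bot: Deleting the `{% else %}` / `{{sls}}_state_not_allowed` / `{% endif %}` tail here, together with the `allowed_states` import and `{% if sls in allowed_states %}` removed at the top of the same file, means `elastic-fleet` can now be applied to a minion of any role, even though this commit also adds it to the `so-fleet` entry in allowed_states.map.jinja. If the intent was only to permit the new fleet role, keep the guard and let the allowed_states entry do the gating; the removed lines suggest that is the convention the other states follow (inferred — their files are not in this diff). Concretely, restore the two Jinja lines at the top of the file and the else/fail/endif block at the bottom, exactly as the removed lines show them.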
@@ -65,6 +65,41 @@ role: localhost: portgroups: - {{ portgroups.all }} + fleet: + chain: + DOCKER-USER: + hostgroups: + sensors: + portgroups: + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} + elastic_agent_endpoint: + portgroups: + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} + INPUT: + hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} + dockernet: + portgroups: + - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} + standalone: + portgroups: + - {{ portgroups.salt_manager }} + sensors: + portgroups: + - {{ portgroups.salt_manager }} + searchnodes: + portgroups: + - {{ portgroups.salt_manager }} + heavynodes: + portgroups: + - {{ portgroups.salt_manager }} manager: chain: DOCKER-USER: @@ -85,6 +120,8 @@ role: portgroups: - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} searchnodes: portgroups: - {{ portgroups.redis }} @@ -110,6 +147,10 @@ role: elasticsearch_rest: portgroups: - {{ portgroups.elasticsearch_rest }} + elastic_agent_endpoint: + portgroups: + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} endgame: portgroups: - {{ portgroups.endgame }} @@ -144,6 +185,8 @@ role: portgroups: - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} searchnodes: portgroups: - {{ portgroups.redis }} @@ -220,6 +263,8 @@ role: - {{ portgroups.yum }} - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} searchnodes: portgroups: - {{ portgroups.docker_registry }} diff --git a/salt/firewall/hostgroups/fleet b/salt/firewall/hostgroups/fleet new file mode 100644 index 000000000..e69de29bb diff --git a/salt/top.sls b/salt/top.sls index e29d3b081..54b1fefd9 100644 
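Review bot: The new `fleet` role accepts the `salt_manager` portgroup on INPUT from `standalone`, `sensors`, `searchnodes` and `heavynodes`, but nothing in this commit runs a salt master on a fleet node (its top.sls states are ssl, sensoroni, telegraf, firewall, elastic-fleet, schedule, docker_clean), so those four entries look copied from a manager-style role and open host ports with no listener behind them; drop them unless the fleet node does serve salt. Separately, `salt/firewall/hostgroups/fleet` is created empty and no role in this file references a `fleet` hostgroup, so a dedicated fleet node gets no rule admitting it to the manager's Elasticsearch port even though its container is pointed at `https://{{ GLOBALS.manager_ip }}:9200` — presumably the hostgroup is populated and wired in elsewhere, please confirm. The enclosing `role:` mapping continues outside this hunk.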
--- a/salt/top.sls +++ b/salt/top.sls @@ -376,6 +376,16 @@ base: {%- endif %} - idh + '*_fleet and G@saltversion:{{saltversion}}': + - match: compound + - ssl + - sensoroni + - telegraf + - firewall + - elastic-fleet + - schedule + - docker_clean + 'J@workstation:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:CentOS )': - match: compound - workstation diff --git a/setup/so-setup b/setup/so-setup index 2b0abedc8..1583e4b66 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -408,7 +408,19 @@ if ! [[ -f $install_opt_file ]]; then whiptail_sensor_nics set_minion_info whiptail_end_settings - + + elif [[ $is_fleet ]]; then + check_requirements "fleet" + networking_needful + check_network_manager_conf + set_network_dev_status_list + collect_mngr_hostname + add_mngr_ip_to_hosts + check_manager_connection + detect_cloud + set_minion_info + whiptail_end_settings + elif [[ $is_searchnode ]]; then check_requirements "elasticsearch" networking_needful diff --git a/setup/so-whiptail b/setup/so-whiptail index a03c85645..5cc1d0c6f 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -548,7 +548,7 @@ whiptail_install_type_dist_existing() { install_type=$(whiptail --title "$whiptail_title" --radiolist "$node_msg" 19 58 6 \ "SENSOR" "Create a forward only sensor " ON \ "SEARCHNODE" "Add a search node with parsing " OFF \ - "FLEET" "Dedicated Fleet Osquery Node " OFF \ + "FLEET" "Dedicated Elastic Fleet Node " OFF \ "HEAVYNODE" "Sensor + Search Node " OFF \ "IDH" "Intrusion Detection Honeypot Node " OFF \ "RECEIVER" "Receiver Node " OFF \
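Review bot: The new `is_fleet` branch never generates or stores an Elastic Fleet service token, yet salt/elastic-fleet/init.sls says `These values are generated during node install and stored in minion pillar` and, as of this commit, falls back to a hard-coded token when `elasticfleet:server:es_token` is missing. Unless `set_minion_info` or a later step outside this hunk creates a per-node token, every dedicated fleet node will start with the committed default; add the token creation step here and abort setup if the token cannot be obtained rather than letting the state fall back. The surrounding `if`/`elif` chain starts and ends outside the hunk.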