CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Initial support - Elastic Fleet Node

Browse Source
This commit is contained in:
Josh Brower
2023-01-24 13:36:30 -05:00
parent f811223ba7
commit 81ee333b07
8 changed files with 86 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
pillar/top.sls
View File

@@ -184,6 +184,12 @@ base:
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }} - minions.adv_{{ grains.id }}
'*_fleet':
- backup.soc_backup
- backup.adv_backup
- minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
'*_workstation': '*_workstation':
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }} - minions.adv_{{ grains.id }}

9
salt/allowed_states.map.jinja
View File

@@ -197,6 +197,15 @@
'tcpreplay', 'tcpreplay',
'docker_clean' 'docker_clean'
], ],
'so-fleet': [
'ssl',
'telegraf',
'firewall',
'healthcheck',
'schedule',
'elastic-fleet',
'docker_clean'
],
'so-receiver': [ 'so-receiver': [
'ssl', 'ssl',
'telegraf', 'telegraf',

15
salt/elastic-fleet/init.sls
View File

@@ -1,15 +1,12 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0. # this file except in compliance with the Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKER %}
# These values are generated during node install and stored in minion pillar # These values are generated during node install and stored in minion pillar
{% set SERVICETOKEN = salt['pillar.get']('elasticfleet:server:es_token','') %} {% set SERVICETOKEN = salt['pillar.get']('elasticfleet:server:es_token','AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2NzQzMzE3MTE4MDE6MGRHZDBnd2xRZDJBX0hLVjd2TnJBdw') %}
{% set FLEETSERVERPOLICY = salt['pillar.get']('elasticfleet:server:server_policy','so-manager') %} {% set FLEETSERVERPOLICY = salt['pillar.get']('elasticfleet:server:server_policy','so-manager') %}
{% set FLEETURL = salt['pillar.get']('elasticfleet:server:url') %}
# Add EA Group # Add EA Group
elasticsagentgroup: elasticsagentgroup:
@@ -62,7 +59,7 @@ so-elastic-fleet:
- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw - /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
- environment: - environment:
- FLEET_SERVER_ENABLE=true - FLEET_SERVER_ENABLE=true
- FLEET_URL=https://{{ FLEETURL }}:8220 - FLEET_URL=https://{{ GLOBALS.node_ip }}:8220
- FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager_ip }}:9200 - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager_ip }}:9200
- FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }} - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }}
- FLEET_SERVER_POLICY_ID={{ FLEETSERVERPOLICY }} - FLEET_SERVER_POLICY_ID={{ FLEETSERVERPOLICY }}
@@ -76,11 +73,3 @@ append_so-elastic-fleet_so-status.conf:
file.append: file.append:
- name: /opt/so/conf/so-status/so-status.conf - name: /opt/so/conf/so-status/so-status.conf
- text: so-elastic-fleet - text: so-elastic-fleet
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

45
salt/firewall/assigned_hostgroups.map.yaml
View File

@@ -65,6 +65,41 @@ role:
localhost: localhost:
portgroups: portgroups:
- {{ portgroups.all }} - {{ portgroups.all }}
fleet:
chain:
DOCKER-USER:
hostgroups:
sensors:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
standalone:
portgroups:
- {{ portgroups.salt_manager }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
manager: manager:
chain: chain:
DOCKER-USER: DOCKER-USER:
@@ -85,6 +120,8 @@ role:
portgroups: portgroups:
- {{ portgroups.beats_5044 }} - {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }} - {{ portgroups.beats_5644 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
searchnodes: searchnodes:
portgroups: portgroups:
- {{ portgroups.redis }} - {{ portgroups.redis }}
@@ -110,6 +147,10 @@ role:
elasticsearch_rest: elasticsearch_rest:
portgroups: portgroups:
- {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
endgame: endgame:
portgroups: portgroups:
- {{ portgroups.endgame }} - {{ portgroups.endgame }}
@@ -144,6 +185,8 @@ role:
portgroups: portgroups:
- {{ portgroups.beats_5044 }} - {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }} - {{ portgroups.beats_5644 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
searchnodes: searchnodes:
portgroups: portgroups:
- {{ portgroups.redis }} - {{ portgroups.redis }}
@@ -220,6 +263,8 @@ role:
- {{ portgroups.yum }} - {{ portgroups.yum }}
- {{ portgroups.beats_5044 }} - {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }} - {{ portgroups.beats_5644 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
searchnodes: searchnodes:
portgroups: portgroups:
- {{ portgroups.docker_registry }} - {{ portgroups.docker_registry }}

0
salt/firewall/hostgroups/fleet Normal file
View File

10
salt/top.sls
View File

@@ -376,6 +376,16 @@ base:
{%- endif %} {%- endif %}
- idh - idh
'*_fleet and G@saltversion:{{saltversion}}':
- match: compound
- ssl
- sensoroni
- telegraf
- firewall
- elastic-fleet
- schedule
- docker_clean
'J@workstation:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:CentOS )': 'J@workstation:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:CentOS )':
- match: compound - match: compound
- workstation - workstation

14
setup/so-setup
View File

@@ -408,7 +408,19 @@ if ! [[ -f $install_opt_file ]]; then
whiptail_sensor_nics whiptail_sensor_nics
set_minion_info set_minion_info
whiptail_end_settings whiptail_end_settings
elif [[ $is_fleet ]]; then
check_requirements "fleet"
networking_needful
check_network_manager_conf
set_network_dev_status_list
collect_mngr_hostname
add_mngr_ip_to_hosts
check_manager_connection
detect_cloud
set_minion_info
whiptail_end_settings
elif [[ $is_searchnode ]]; then elif [[ $is_searchnode ]]; then
check_requirements "elasticsearch" check_requirements "elasticsearch"
networking_needful networking_needful

2
setup/so-whiptail
View File

@@ -548,7 +548,7 @@ whiptail_install_type_dist_existing() {
install_type=$(whiptail --title "$whiptail_title" --radiolist "$node_msg" 19 58 6 \ install_type=$(whiptail --title "$whiptail_title" --radiolist "$node_msg" 19 58 6 \
"SENSOR" "Create a forward only sensor " ON \ "SENSOR" "Create a forward only sensor " ON \
"SEARCHNODE" "Add a search node with parsing " OFF \ "SEARCHNODE" "Add a search node with parsing " OFF \
"FLEET" "Dedicated Fleet Osquery Node " OFF \ "FLEET" "Dedicated Elastic Fleet Node " OFF \
"HEAVYNODE" "Sensor + Search Node " OFF \ "HEAVYNODE" "Sensor + Search Node " OFF \
"IDH" "Intrusion Detection Honeypot Node " OFF \ "IDH" "Intrusion Detection Honeypot Node " OFF \
"RECEIVER" "Receiver Node " OFF \ "RECEIVER" "Receiver Node " OFF \