Merge pull request #10381 from Security-Onion-Solutions/2.4/smallfixes

2.4/ElasticFleetPunchList
2025-12-06 09:12:45 +01:00 · 2023-05-18 09:04:30 -04:00
parent 1d611e618f d11479ec5f
commit 97b68609bc
12 changed files with 54 additions and 10 deletions
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -172,12 +172,14 @@ elastic_fleet_policy_create() {
    NAME=$1
    DESC=$2
    FLEETSERVER=$3
+	TIMEOUT=$4

    JSON_STRING=$( jq -n \
                    --arg NAME "$NAME" \
                    --arg DESC "$DESC" \
+                    --arg TIMEOUT $TIMEOUT \
                    --arg FLEETSERVER "$FLEETSERVER" \
-                    '{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":1209600,"has_fleet_server":$FLEETSERVER}'
+                    '{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":$TIMEOUT,"has_fleet_server":$FLEETSERVER}'
                    )
    # Create Fleet Policy
    curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" 
--- a/salt/common/tools/sbin/so-restart
+++ b/salt/common/tools/sbin/so-restart
@@ -24,6 +24,7 @@ if [ $# -ge 1 ]; then

        case $1 in
                "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
+                "elastic-fleet") docker stop so-elastic-fleet && docker rm so-elastic-fleet && salt-call state.apply elasticfleet queue=True;;
                *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
        esac
 else
--- a/salt/common/tools/sbin/so-start
+++ b/salt/common/tools/sbin/so-start
@@ -24,6 +24,7 @@ if [ $# -ge 1 ]; then
 	case $1 in
   		"all") salt-call state.highstate queue=True;;
   		"steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
+   		"elastic-fleet") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply elasticfleet queue=True; fi ;; 
   		*) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
 	esac
 else
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-restart
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-restart
@@ -9,4 +9,4 @@

 . /usr/sbin/so-common

-/usr/sbin/so-restart elasticfleet $1
+/usr/sbin/so-restart elastic-fleet $1
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-start
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-start
@@ -9,4 +9,4 @@

 . /usr/sbin/so-common

-/usr/sbin/so-start elasticfleet $1
+/usr/sbin/so-start elastic-fleet $1
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-stop
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-stop
@@ -9,4 +9,4 @@

 . /usr/sbin/so-common

-/usr/sbin/so-stop elasticfleet $1
+/usr/sbin/so-stop elastic-fleet $1
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
@@ -44,7 +44,7 @@ printf "\n\n"
 ### Create Policies & Associated Integration Configuration ###

 # Manager Fleet Server Host
-elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "true" | jq
+elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "true" "120"

 #Temp Fixup for ES Output bug
 JSON_STRING=$( jq -n \
@@ -54,10 +54,10 @@ JSON_STRING=$( jq -n \
 curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/FleetServer_{{ GLOBALS.hostname }}" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"

 # Initial Endpoints Policy
-elastic_fleet_policy_create "endpoints-initial" "Initial Endpoint Policy" "false"
+elastic_fleet_policy_create "endpoints-initial" "Initial Endpoint Policy" "false" "1209600"

 # Grid Nodes Policy
-elastic_fleet_policy_create "so-grid-nodes" "SO Grid Node Policy" "false"
+elastic_fleet_policy_create "so-grid-nodes" "SO Grid Node Policy" "false" "1209600"

 # Load Integrations for default policies
 so-elastic-fleet-integration-policy-load
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -370,6 +370,19 @@ firewall:
                - elastic_agent_data
                - elastic_agent_update
                - localrules
+            fleet:
+              portgroups:
+                - elasticsearch_rest
+                - docker_registry
+                - influxdb
+                - sensoroni
+                - yum
+                - beats_5044
+                - beats_5644
+                - beats_5056
+                - elastic_agent_control
+                - elastic_agent_data
+                - elastic_agent_update
            sensor:
              portgroups:
                - beats_5044
@@ -458,6 +471,9 @@ firewall:
            dockernet:
              portgroups:
                - all
+            fleet:
+              portgroups:
+                - salt_manager
            localhost:
              portgroups:
                - all
@@ -508,6 +524,19 @@ firewall:
                - elastic_agent_data
                - elastic_agent_update
                - localrules
+            fleet:
+              portgroups:
+                - elasticsearch_rest
+                - docker_registry
+                - influxdb
+                - sensoroni
+                - yum
+                - beats_5044
+                - beats_5644
+                - beats_5056
+                - elastic_agent_control
+                - elastic_agent_data
+                - elastic_agent_update
            sensor:
              portgroups:
                - beats_5044
@@ -594,6 +623,9 @@ firewall:
            dockernet:
              portgroups:
                - all
+            fleet:
+              portgroups:
+                - salt_manager
            localhost:
              portgroups:
                - all
--- a/salt/logstash/defaults.yaml
+++ b/salt/logstash/defaults.yaml
@@ -21,11 +21,11 @@ logstash:
  defined_pipelines:
    fleet:
      - so/0012_input_elastic_agent.conf     
-      - so/9806_output_lumberjack_fleet.conf.jinja
+      - so/9806_output_http_fleet.conf.jinja
    manager:
      - so/0011_input_endgame.conf
      - so/0012_input_elastic_agent.conf
-      - so/0013_input_lumberjack_fleet.conf
+      - so/0013_input_http_fleet.conf
      - so/9999_output_redis.conf.jinja        
    receiver:
      - so/0011_input_endgame.conf
--- a/salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf
+++ b/salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf
@@ -10,4 +10,12 @@ input {
    ssl_verify_mode => "peer"
    ecs_compatibility => v8
  }
+}
+
+filter {
+   if "elastic-agent" in [tags] {
+  mutate {
+    remove_field => ["http","[metadata][input]","url","user_agent"]
+}
+   }
 }
--- a/salt/logstash/pipelines/config/so/9806_output_lumberjack_fleet.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9806_output_lumberjack_fleet.conf.jinja
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -375,7 +375,7 @@ function create_fleet_policy() {
 	JSON_STRING_UPDATE=$( jq -n \
 					--arg NAME "FleetServer_$LSHOSTNAME" \
 					--arg DESC "Fleet Server - $LSHOSTNAME" \
-					'{"name":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":1209600,"data_output_id":"so-manager_elasticsearch"}'
+					'{"name":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":120,"data_output_id":"so-manager_elasticsearch"}'
 					)

 	# Update Fleet Policy - ES Output