Merge pull request #14255 from Security-Onion-Solutions/foxtrot

ES 8.17.1

salt/manager/init.sls

@@ -14,6 +14,7 @@ include:
   - manager.sync_es_users
   - manager.elasticsearch
   - manager.kibana
+  - manager.managed_soc_annotations
 
 repo_log_dir:
   file.directory:

salt/manager/managed_soc_annotations.sls

@@ -0,0 +1,59 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{# Managed elasticsearch/soc_elasticsearch.yaml file for adding integration configuration items to UI #}
+{% set managed_integrations = salt['pillar.get']('elasticsearch:managed_integrations', []) %}
+{% if managed_integrations %}
+{%   from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %}
+{%   set addon_integration_keys = ADDON_INTEGRATION_DEFAULTS.keys() %}
+{%   set matched_integration_names = [] %}
+{%   for k in addon_integration_keys %}
+{%     for i in managed_integrations %}
+{%       if i in k %}
+{%         do matched_integration_names.append(k) %}
+{%       endif %}
+{%     endfor %}
+{%   endfor %}
+{%   set es_soc_annotations = '/opt/so/saltstack/default/salt/elasticsearch/soc_elasticsearch.yaml' %}
+{{   es_soc_annotations }}:
+     file.serialize:
+       - dataset:
+           {% set data = salt['file.read'](es_soc_annotations) | load_yaml %}
+           {% set es = data.get('elasticsearch', {}) %}
+           {% set index_settings = es.get('index_settings', {}) %}
+           {% set input = index_settings.get('so-logs', {}) %}
+           {% for k in matched_integration_names %}
+           {%   if k not in index_settings %}
+           {%     set _ = index_settings.update({k: input}) %}
+           {%   endif %}
+           {% endfor %}
+           {% for k in addon_integration_keys %}
+           {%   if k not in matched_integration_names and k in index_settings %}
+           {%     set _ = index_settings.pop(k) %}
+           {%   endif %}
+           {% endfor %}
+           {{ data }}
+
+{#   Managed elasticsearch/defaults.yaml file for enabling 'Revert to default' via SOC UI for newly added config items #}
+{%   set es_defaults = '/opt/so/saltstack/default/salt/elasticsearch/defaults.yaml' %}
+{{   es_defaults }}:
+     file.serialize:
+       - dataset:
+           {% set data = salt['file.read'](es_defaults) | load_yaml %}
+           {% set es = data.get('elasticsearch', {}) %}
+           {% set index_settings = es.get('index_settings', {}) %}
+           {% for k in matched_integration_names %}
+           {%   if k not in index_settings %}
+           {%     set input = ADDON_INTEGRATION_DEFAULTS[k] %}
+           {%     set _ = index_settings.update({k: input})%}
+           {%   endif %}
+           {% endfor %}
+           {% for k in addon_integration_keys %}
+           {%   if k not in matched_integration_names and k in index_settings %}
+           {%     set _ = index_settings.pop(k) %}
+           {%   endif %}
+           {% endfor %}
+           {{ data }}
+{% endif %}

salt/manager/tools/sbin/soup

@@ -406,6 +406,7 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.4.100 ]] && up_to_2.4.110
     [[ "$INSTALLEDVERSION" == 2.4.110 ]] && up_to_2.4.111
     [[ "$INSTALLEDVERSION" == 2.4.111 ]] && up_to_2.4.120
+    [[ "$INSTALLEDVERSION" == 2.4.120 ]] && up_to_2.4.130
     true
 }
 
@@ -429,6 +430,7 @@ postupgrade_changes() {
     [[ "$POSTVERSION"  == 2.4.100 ]] && post_to_2.4.110
     [[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.111
     [[ "$POSTVERSION"  == 2.4.111 ]] && post_to_2.4.120
+    [[ "$POSTVERSION"  == 2.4.120 ]] && post_to_2.4.130
     true
 }
 
@@ -537,6 +539,21 @@ post_to_2.4.120() {
   POSTVERSION=2.4.120
 }
 
+post_to_2.4.130() {
+  # Integrations policies need to be updated, along with ingest pipelines & index templates.
+  rm -f /opt/so/state/eaintegrations.txt /opt/so/state/espipelines.txt /opt/so/state/estemplates.txt
+
+  # Sync the newly generated index templates for elasticfleet integrations
+  salt-call state.apply elasticsearch queue=True
+
+  # Update kibana default space
+  salt-call state.apply kibana.config queue=True
+  echo "Updating Kibana default space"
+  /usr/sbin/so-kibana-space-defaults
+
+  POSTVERSION=2.4.130
+}
+
 repo_sync() {
   echo "Sync the local repo."
   su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -716,8 +733,8 @@ up_to_2.4.90() {
 }
 
 up_to_2.4.100() {
-  # Elastic Update for this release, so download Elastic Agent files
-  determine_elastic_agent_upgrade
+  echo "Nothing to do for 2.4.100"
+
   INSTALLEDVERSION=2.4.100
 }
 
@@ -743,9 +760,18 @@ up_to_2.4.120() {
   # New Grid Integration added this release
   rm -f /opt/so/state/eaintegrations.txt
 
+
+
   INSTALLEDVERSION=2.4.120
 }
 
+up_to_2.4.130() {
+  # Elastic Update for this release, so download Elastic Agent files
+  determine_elastic_agent_upgrade
+
+  INSTALLEDVERSION=2.4.130
+}
+
 add_hydra_pillars() {
   mkdir -p /opt/so/saltstack/local/pillar/hydra
   touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls