CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 17:52:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #6264 from Security-Onion-Solutions/fix/fleet-users

Browse Source 
Migrate FleetDM user mgt to fleetctl
This commit is contained in:
Mike Reeves
2021-11-17 13:16:05 -05:00
committed by GitHub
parent 8d033264e7 6f391dbe50
commit aca684d55a
8 changed files with 150 additions and 102 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
salt/common/tools/sbin/so-fleet-setup
View File

@@ -2,6 +2,8 @@
#so-fleet-setup $FleetEmail $FleetPassword
. /usr/sbin/so-common
if [[ $# -ne 2 ]] ; then
echo "Username or Password was not set - exiting now."
exit 1
@@ -19,6 +21,11 @@ docker exec so-fleet fleetctl config set --address https://127.0.0.1:8080 --tls-
docker exec so-fleet bash -c 'while [[ "$(curl -s -o /dev/null --insecure -w ''%{http_code}'' https://127.0.0.1:8080/fleet)" != "301" ]]; do sleep 5; done'
docker exec so-fleet fleetctl setup --email $1 --password $2 --name admin --org-name SO
# Create Security Onion Fleet Service Account
FLEET_SA_EMAIL=$(lookup_pillar_secret fleet_sa_email)
FLEET_SA_PW=$(lookup_pillar_secret fleet_sa_password)
docker exec so-fleet fleetctl user create --email $FLEET_SA_EMAIL --name SO_ServiceAccount --password $FLEET_SA_PW --global-role admin
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/so/so-default.yml

29
salt/common/tools/sbin/so-fleet-user-add
View File

@@ -18,7 +18,7 @@
. /usr/sbin/so-common
usage() {
echo "Usage: $0 <new-user-name>"
echo "Usage: $0 <new-user-email>"
echo ""
echo "Adds a new user to Fleet. The new password will be read from STDIN."
exit 1
@@ -28,34 +28,37 @@ if [ $# -ne 1 ]; then
usage
fi
USER=$1
MYSQL_PASS=$(lookup_pillar_secret mysql)
FLEET_IP=$(lookup_pillar fleet_ip)
FLEET_USER=$USER
USER_EMAIL=$1
FLEET_SA_EMAIL=$(lookup_pillar_secret fleet_sa_email)
FLEET_SA_PW=$(lookup_pillar_secret fleet_sa_password)
# Read password for new user from stdin
test -t 0
if [[ $? == 0 ]]; then
echo "Enter new password:"
fi
read -rs FLEET_PASS
read -rs USER_PASS
check_password_and_exit "$FLEET_PASS"
check_password_and_exit "$USER_PASS"
# Config fleetctl & login with the SO Service Account
CONFIG_OUTPUT=$(docker exec so-fleet fleetctl config set --address https://127.0.0.1:8080 --tls-skip-verify --url-prefix /fleet 2>&1 )
SALOGIN_OUTPUT=$(docker exec so-fleet fleetctl login --email $FLEET_SA_EMAIL --password $FLEET_SA_PW 2>&1)
FLEET_HASH=$(docker exec so-soctopus python -c "import bcrypt; print(bcrypt.hashpw('$FLEET_PASS'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8'));" 2>&1)
if [[ $? -ne 0 ]]; then
echo "Failed to generate Fleet password hash"
exit 2
echo "Unable to add user to Fleet; Fleet Service account login failed"
echo "$SALOGIN_OUTPUT"
exit 2
fi
MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \
"INSERT INTO users (password,salt,email,admin,enabled) VALUES ('$FLEET_HASH','','$FLEET_USER',1,1)" 2>&1)
# Create New User
CREATE_OUTPUT=$(docker exec so-fleet fleetctl user create --email $USER_EMAIL --name $USER_EMAIL --password $USER_PASS --global-role admin 2>&1)
if [[ $? -eq 0 ]]; then
echo "Successfully added user to Fleet"
else
echo "Unable to add user to Fleet; user might already exist"
echo "$MYSQL_OUTPUT"
echo "$CREATE_OUTPUT"
exit 2
fi

56
salt/common/tools/sbin/so-fleet-user-delete Normal file
View File

@@ -0,0 +1,56 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
usage() {
echo "Usage: $0 <user-email>"
echo ""
echo "Deletes a user in Fleet"
exit 1
}
if [ $# -ne 1 ]; then
usage
fi
USER_EMAIL=$1
FLEET_SA_EMAIL=$(lookup_pillar_secret fleet_sa_email)
FLEET_SA_PW=$(lookup_pillar_secret fleet_sa_password)
# Config fleetctl & login with the SO Service Account
CONFIG_OUTPUT=$(docker exec so-fleet fleetctl config set --address https://127.0.0.1:8080 --tls-skip-verify --url-prefix /fleet 2>&1 )
SALOGIN_OUTPUT=$(docker exec so-fleet fleetctl login --email $FLEET_SA_EMAIL --password $FLEET_SA_PW 2>&1)
if [[ $? -ne 0 ]]; then
echo "Unable to delete user from Fleet; Fleet Service account login failed"
echo "$SALOGIN_OUTPUT"
exit 2
fi
# Delete User
DELETE_OUTPUT=$(docker exec so-fleet fleetctl user delete --email $USER_EMAIL 2>&1)
if [[ $? -eq 0 ]]; then
echo "Successfully deleted user from Fleet"
else
echo "Unable to delete user from Fleet"
echo "$DELETE_OUTPUT"
exit 2
fi

58
salt/common/tools/sbin/so-fleet-user-enable
View File

@@ -1,58 +0,0 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
usage() {
echo "Usage: $0 <user-name>"
echo ""
echo "Enables or disables a user in Fleet"
exit 1
}
if [ $# -ne 2 ]; then
usage
fi
USER=$1
MYSQL_PASS=$(lookup_pillar_secret mysql)
FLEET_IP=$(lookup_pillar fleet_ip)
FLEET_USER=$USER
case "${2^^}" in
FALSE | NO | 0)
FLEET_STATUS=0
;;
TRUE | YES | 1)
FLEET_STATUS=1
;;
*)
usage
;;
esac
MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \
"UPDATE users SET enabled=$FLEET_STATUS WHERE email='$FLEET_USER'" 2>&1)
if [[ $? -eq 0 ]]; then
echo "Successfully updated user in Fleet"
else
echo "Failed to update user in Fleet"
echo $resp
exit 2
fi

6
salt/common/tools/sbin/so-user
View File

@@ -517,7 +517,7 @@ case "${operation}" in
syncAll
echo "Successfully enabled user"
check_container thehive && so-thehive-user-enable "$email" true
check_container fleet && so-fleet-user-enable "$email" true
echo "Fleet user will need to be recreated manually with so-fleet-user-add"
;;
"disable")
@@ -529,7 +529,7 @@ case "${operation}" in
syncAll
echo "Successfully disabled user"
check_container thehive && so-thehive-user-enable "$email" false
check_container fleet && so-fleet-user-enable "$email" false
check_container fleet && so-fleet-user-delete "$email"
;;
"delete")
@@ -541,7 +541,7 @@ case "${operation}" in
syncAll
echo "Successfully deleted user"
check_container thehive && so-thehive-user-enable "$email" false
check_container fleet && so-fleet-user-enable "$email" false
check_container fleet && so-fleet-user-delete "$email"
;;
"sync")

36
salt/common/tools/sbin/soup
View File

@@ -439,6 +439,29 @@ post_to_2.3.90() {
# Do Kibana dashboard things
salt-call state.apply kibana.so_savedobjects_defaults queue=True
# Create FleetDM service account
FLEET_SA_EMAIL=$(lookup_pillar_secret fleet_sa_email)
FLEET_SA_PW=$(lookup_pillar_secret fleet_sa_password)
MYSQL_PW=$(lookup_pillar_secret mysql)
FLEET_HASH=$(docker exec so-soctopus python -c "import bcrypt; print(bcrypt.hashpw('$FLEET_SA_PW'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8'));" 2>&1)
if [[ $? -ne 0 ]]; then
echo "Failed to generate Fleet password hash"
exit 2
fi
MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PW fleet -e \
"INSERT INTO users (password,salt,email,name,global_role) VALUES ('$FLEET_HASH','','$FLEET_USER','$FLEET_USER','admin')" 2>&1)
if [[ $? -eq 0 ]]; then
echo "Successfully added service account to Fleet"
else
echo "Unable to add service account to Fleet"
echo "$MYSQL_OUTPUT"
exit 2
fi
POSTVERSION=2.3.90
}
@@ -602,6 +625,19 @@ up_to_2.3.90() {
sed -i -e '$a{{'{% endraw %}'}}\n' /opt/so/saltstack/local/salt/elasticsearch/files/ingest-dynamic/common
fi
# Generate FleetDM Service Account creds if they do not exist
if grep -q "fleet_sa_email" /opt/so/saltstack/local/pillar/secrets.sls; then
echo "FleetDM Service Account credentials already created..."
else
echo "Generating FleetDM Service Account credentials..."
FLEETSAPASS=$(get_random_value)
printf '%s\n'\
" fleet_sa_email: service.account@securityonion.invalid"\
" fleet_sa_password: $FLEETSAPASS"\
>> /opt/so/saltstack/local/pillar/secrets.sls
fi
INSTALLEDVERSION=2.3.90
}

57
salt/fleet/files/packs/osquery-config.conf
View File

@@ -4,31 +4,32 @@ kind: config
spec:
server_settings:
enable_analytics: false
config:
decorators:
always:
- SELECT codename FROM os_version;
- SELECT uuid AS live_query FROM system_info;
- SELECT address AS endpoint_ip1 FROM interface_addresses where address not
like '%:%' and address not like '127%' and address not like '169%' order by
interface desc limit 1;
- SELECT address AS endpoint_ip2 FROM interface_addresses where address not
like '%:%' and address not like '127%' and address not like '169%' order by
interface asc limit 1;
- SELECT hardware_serial FROM system_info;
- SELECT hostname AS hostname FROM system_info;
options:
decorations_top_level: true
disable_distributed: false
distributed_interval: 10
distributed_plugin: tls
distributed_tls_max_attempts: 3
distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
enable_windows_events_publisher: true
enable_windows_events_subscriber: true
logger_plugin: tls
logger_tls_endpoint: /api/v1/osquery/log
logger_tls_period: 10
pack_delimiter: _
overrides: {}
spec:
agent_options:
config:
decorators:
always:
- SELECT codename FROM os_version;
- SELECT uuid AS live_query FROM system_info;
- SELECT address AS endpoint_ip1 FROM interface_addresses where address not
like '%:%' and address not like '127%' and address not like '169%' order by
interface desc limit 1;
- SELECT address AS endpoint_ip2 FROM interface_addresses where address not
like '%:%' and address not like '127%' and address not like '169%' order by
interface asc limit 1;
- SELECT hardware_serial FROM system_info;
- SELECT hostname AS hostname FROM system_info;
options:
decorations_top_level: true
disable_distributed: false
distributed_interval: 10
distributed_plugin: tls
distributed_tls_max_attempts: 3
distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
enable_windows_events_publisher: true
enable_windows_events_subscriber: true
logger_plugin: tls
logger_tls_endpoint: /api/v1/osquery/log
logger_tls_period: 10
pack_delimiter: _

3
setup/so-functions
View File

@@ -1440,6 +1440,7 @@ generate_passwords(){
PLAYBOOKADMINPASS=$(get_random_value)
PLAYBOOKAUTOMATIONPASS=$(get_random_value)
FLEETPASS=$(get_random_value)
FLEETSAPASS=$(get_random_value)
FLEETJWT=$(get_random_value)
GRAFANAPASS=$(get_random_value)
if [[ "$THEHIVE" == "1" ]]; then
@@ -2369,6 +2370,8 @@ secrets_pillar(){
" playbook_automation: $PLAYBOOKAUTOMATIONPASS"\
" grafana_admin: $GRAFANAPASS"\
" fleet: $FLEETPASS"\
" fleet_sa_email: service.account@securityonion.invalid"\
" fleet_sa_password: $FLEETSAPASS"\
" fleet_jwt: $FLEETJWT"\
" fleet_enroll-secret: False" > $local_salt_dir/pillar/secrets.sls
fi