From ba2392997b1f9cbb1cf5b50b473374560abcc8a6 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 15 May 2023 11:14:21 -0400
Subject: [PATCH] enabled/disable elastic-fleet-package-registry via ui
---
.../elastic-fleet-package-registry/config.sls | 29 ++++++++++
.../defaults.yaml | 2 +
.../disabled.sls | 27 +++++++++
.../enabled.sls | 43 +++++++++++++++
salt/elastic-fleet-package-registry/init.sls | 55 +++----------------
salt/elastic-fleet-package-registry/map.jinja | 7 +++
.../soc_elastic-fleet-package-registry.yaml | 4 ++
.../sostatus.sls | 21 +++++++
salt/manager/tools/sbin/so-minion | 12 ++++
9 files changed, 153 insertions(+), 47 deletions(-)
create mode 100644 salt/elastic-fleet-package-registry/config.sls
create mode 100644 salt/elastic-fleet-package-registry/defaults.yaml
create mode 100644 salt/elastic-fleet-package-registry/disabled.sls
create mode 100644 salt/elastic-fleet-package-registry/enabled.sls
create mode 100644 salt/elastic-fleet-package-registry/map.jinja
create mode 100644 salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
create mode 100644 salt/elastic-fleet-package-registry/sostatus.sls
diff --git a/salt/elastic-fleet-package-registry/config.sls b/salt/elastic-fleet-package-registry/config.sls
new file mode 100644
index 000000000..aa2872069
--- /dev/null
+++ b/salt/elastic-fleet-package-registry/config.sls
@@ -0,0 +1,29 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+# Add Group
+elasticsagentprgroup:
+ group.present:
+ - name: elastic-agent-pr
+ - gid: 948
+
+# Add user
+elastic-agent-pr:
+ user.present:
+ - uid: 948
+ - gid: 948
+ - home: /opt/so/conf/elastic-fleet-pr
+ - createhome: False
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/elastic-fleet-package-registry/defaults.yaml b/salt/elastic-fleet-package-registry/defaults.yaml
new file mode 100644
index 000000000..947ef103c
--- /dev/null
+++ b/salt/elastic-fleet-package-registry/defaults.yaml
@@ -0,0 +1,2 @@
+elastic-fleet-package-registry:
+ enabled: False
diff --git a/salt/elastic-fleet-package-registry/disabled.sls b/salt/elastic-fleet-package-registry/disabled.sls
new file mode 100644
index 000000000..8487fc3d6
--- /dev/null
+++ b/salt/elastic-fleet-package-registry/disabled.sls
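Review bot: The `elastic-agent-pr` account in config.sls is created without a `shell`, so it receives the host's default login shell even though the only visible use of uid 948 in this patch is as the container's `user:` in enabled.sls. For an account that exists only to own a container process, I would add `- shell: /sbin/nologin` (or the distribution's equivalent path) under `user.present` so it cannot be used for an interactive session. The block is carried over from the old init.sls unchanged, so this is hardening rather than a regression introduced here.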
@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+ - elastic-fleet-package-registry.sostatus
+
+so-elastic-fleet-package-registry:
+ docker_container.absent:
+ - force: True
+
+so-elastic-fleet-package-registry_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-elastic-fleet-package-registry$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/elastic-fleet-package-registry/enabled.sls b/salt/elastic-fleet-package-registry/enabled.sls
new file mode 100644
index 000000000..5f663e78f
--- /dev/null
+++ b/salt/elastic-fleet-package-registry/enabled.sls
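Review bot: `so-elastic-fleet-package-registry_so-status.disabled` in disabled.sls only has a line to comment out if the append from the included `sostatus` state has already run, and that ordering is implicit. Depending on the Salt version, `file.comment` may report a failure when the regex matches nothing, so I would state the dependency explicitly with `- require:` followed by `- file: append_so-elastic-fleet-package-registry_so-status.conf`. A one-line comment above `docker_container.absent` saying that `force: True` removes the container even while it is running would also help the next reader.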
@@ -0,0 +1,43 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
+
+include:
+ - elastic-fleet-package-registry.config
+ - elastic-fleet-package-registry.sostatus
+
+so-elastic-fleet-package-registry:
+ docker_container.running:
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ GLOBALS.so_version }}
+ - name: so-elastic-fleet-package-registry
+ - hostname: Fleet-package-reg-{{ GLOBALS.hostname }}
+ - detach: True
+ - user: 948
+ - networks:
+ - sobridge:
+ - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
+ - extra_hosts:
+ - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+ - port_bindings:
+ {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
+ - {{ BINDING }}
+ {% endfor %}
+
+delete_so-elastic-fleet-package-registry_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-elastic-fleet-package-registry$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/elastic-fleet-package-registry/init.sls b/salt/elastic-fleet-package-registry/init.sls
index b4cea6542..7a42c57be 100644
--- a/salt/elastic-fleet-package-registry/init.sls
+++ b/salt/elastic-fleet-package-registry/init.sls
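Review bot: `- user: 948` in the `docker_container.running` block of enabled.sls is a bare number whose meaning is defined in another file; it has to stay equal to the uid that config.sls assigns to `elastic-agent-pr`. A comment such as `# uid of elastic-agent-pr, created in elastic-fleet-package-registry.config` would keep the two from drifting apart, since a mismatch would start the container under a uid that no state manages. No code change is needed.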
@@ -1,52 +1,13 @@ # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use -# this file except in compliance with the Elastic License 2.0. -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# Add Group -elasticsagentprgroup: - group.present: - - name: elastic-agent-pr - - gid: 948 - - -# Add user -elastic-agent-pr: - user.present: - - uid: 948 - - gid: 948 - - home: /opt/so/conf/elastic-fleet-pr - - createhome: False - -so-elastic-fleet-package-registry: - docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ GLOBALS.so_version }} - - name: so-elastic-fleet-package-registry - - hostname: Fleet-package-reg-{{ GLOBALS.hostname }} - - detach: True - - user: 948 - - networks: - - sobridge: - - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }} - - extra_hosts: - - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - - port_bindings: - {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %} - - {{ BINDING }} - {% endfor %} - -append_so-elastic-fleet-package-registry_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-elastic-fleet-package-registry +{% from 'elastic-fleet-package-registry/map.jinja' import ELASTICFLEETPACKAGEREGISTRYMERGED %} +include: +{% if ELASTICFLEETPACKAGEREGISTRYMERGED.enabled %} + - elastic-fleet-package-registry.enabled {% else %} - -{{sls}}_state_not_allowed: - 
test.fail_without_changes: - - name: {{sls}}_state_not_allowed - + - elastic-fleet-package-registry.disabled {% endif %} diff --git a/salt/elastic-fleet-package-registry/map.jinja b/salt/elastic-fleet-package-registry/map.jinja new file mode 100644 index 000000000..00b421490 --- /dev/null +++ b/salt/elastic-fleet-package-registry/map.jinja @@ -0,0 +1,7 @@ +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + https://securityonion.net/license; you may not use this file except in compliance with the + Elastic License 2.0. #} + +{% import_yaml 'elastic-fleet-package-registry/defaults.yaml' as ELASTICFLEETPACKAGEREGISTRYDEFAULTS with context %} +{% set ELASTICFLEETPACKAGEREGISTRYMERGED = salt['pillar.get']('elastic-fleet-package-registry', ELASTICFLEETPACKAGEREGISTRYDEFAULTS.elastic-fleet-package-registry, merge=True) %} diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml new file mode 100644 index 000000000..531789571 --- /dev/null +++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml @@ -0,0 +1,4 @@ +elastic-fleet-package-registry: + enabled: + description: You can enable or disable Elastic Fleet Package Registry. + advanced: True diff --git a/salt/elastic-fleet-package-registry/sostatus.sls b/salt/elastic-fleet-package-registry/sostatus.sls new file mode 100644 index 000000000..191aa7e3d --- /dev/null +++ b/salt/elastic-fleet-package-registry/sostatus.sls 
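Review bot: Nodes installed before this change have no `elastic-fleet-package-registry` pillar, so `ELASTICFLEETPACKAGEREGISTRYMERGED.enabled` in the new init.sls falls back to the `False` default and the include selects `disabled`, whose `docker_container.absent` with `force: True` removes a registry that was running until now. The only place in this patch that writes `enabled: True` is the create* path in so-minion, which covers newly added minions. Unless an upgrade step outside this diff sets the pillar, existing managers would lose the package registry on their next highstate; I would either write the pillar during upgrade or call the behaviour out in the commit description.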
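Review bot: In the `pillar.get` default on the last line of map.jinja, `ELASTICFLEETPACKAGEREGISTRYDEFAULTS.elastic-fleet-package-registry` is not a key lookup: Jinja reads `-` as subtraction, so the expression becomes `ELASTICFLEETPACKAGEREGISTRYDEFAULTS.elastic` minus three undefined names, and the template is likely to fail at render time rather than return the defaults. Hyphenated keys need subscript syntax, `ELASTICFLEETPACKAGEREGISTRYDEFAULTS['elastic-fleet-package-registry']`. Because init.sls imports this map on every run, the error would affect both the enabled and the disabled path.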
@@ -0,0 +1,21 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} + +append_so-elastic-fleet-package-registry_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-elastic-fleet-package-registry + - unless: grep -q so-elastic-fleet-package-registry /opt/so/conf/so-status/so-status.conf + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index 5bd205015..d2dae2d74 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -353,6 +353,13 @@ function add_idstools_to_minion() { " " >> $PILLARFILE } +function add_elastic-fleet-package-registry_to_minion() { + printf '%s\n'\ + "elastic-fleet-package-registry:"\ + " enabled: True"\ + " " >> $PILLARFILE +} + function create_fleet_policy() { JSON_STRING=$( jq -n \ @@ -412,6 +419,7 @@ function createEVAL() { add_mysql_to_minion add_kratos_to_minion add_idstools_to_minion + add_elastic-fleet-package-registry_to_minion } function createSTANDALONE() { @@ -433,6 +441,7 @@ function createSTANDALONE() { add_mysql_to_minion add_kratos_to_minion add_idstools_to_minion + add_elastic-fleet-package-registry_to_minion } function createMANAGER() { @@ -452,6 +461,7 @@ function createMANAGER() { add_mysql_to_minion add_kratos_to_minion add_idstools_to_minion + add_elastic-fleet-package-registry_to_minion } function createMANAGERSEARCH() { 
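Review bot: The `unless` on `append_so-elastic-fleet-package-registry_so-status.conf` in sostatus.sls carries the interaction with disabled.sls but has no comment explaining it. Because the `grep -q` is unanchored it also matches the entry after `file.comment` has commented it out, which appears to be what stops a second, active copy from being appended; a later reader who tightens the pattern would break that. I would add `# unanchored on purpose: a commented-out entry (see disabled.sls) must count as present` above the `unless` line.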
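Review bot: `add_elastic-fleet-package-registry_to_minion` puts hyphens in a function name, which bash accepts only outside POSIX mode and which differs from the neighbouring `add_idstools_to_minion` and `add_kratos_to_minion` helpers; `add_elastic_fleet_package_registry_to_minion` would match them, with the five call sites in the create* hunks renamed to suit. The redirect target is also unquoted, so `>> "$PILLARFILE"` is the safer form if the path can ever contain whitespace. The function appends unconditionally; whether it can run twice against the same pillar file, leaving a duplicate top-level key, depends on callers outside these hunks.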
@@ -471,6 +481,7 @@ function createMANAGERSEARCH() { add_mysql_to_minion add_kratos_to_minion add_idstools_to_minion + add_elastic-fleet-package-registry_to_minion } function createIMPORT() { @@ -484,6 +495,7 @@ function createIMPORT() { add_registry_to_minion add_kratos_to_minion add_idstools_to_minion + add_elastic-fleet-package-registry_to_minion } function createFLEET() {