q

xMerge remote-tracking branch 'origin/2.4/dev' into vlb2

salt/manager/init.sls

@@ -14,6 +14,7 @@ include:
   - manager.sync_es_users
   - manager.elasticsearch
   - manager.kibana
+  - manager.managed_soc_annotations
 
 repo_log_dir:
   file.directory:

salt/manager/managed_soc_annotations.sls

@@ -0,0 +1,59 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{# Managed elasticsearch/soc_elasticsearch.yaml file for adding integration configuration items to UI #}
+{% set managed_integrations = salt['pillar.get']('elasticsearch:managed_integrations', []) %}
+{% if managed_integrations %}
+{%   from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %}
+{%   set addon_integration_keys = ADDON_INTEGRATION_DEFAULTS.keys() %}
+{%   set matched_integration_names = [] %}
+{%   for k in addon_integration_keys %}
+{%     for i in managed_integrations %}
+{%       if i in k %}
+{%         do matched_integration_names.append(k) %}
+{%       endif %}
+{%     endfor %}
+{%   endfor %}
+{%   set es_soc_annotations = '/opt/so/saltstack/default/salt/elasticsearch/soc_elasticsearch.yaml' %}
+{{   es_soc_annotations }}:
+     file.serialize:
+       - dataset:
+           {% set data = salt['file.read'](es_soc_annotations) | load_yaml %}
+           {% set es = data.get('elasticsearch', {}) %}
+           {% set index_settings = es.get('index_settings', {}) %}
+           {% set input = index_settings.get('so-logs', {}) %}
+           {% for k in matched_integration_names %}
+           {%   if k not in index_settings %}
+           {%     set _ = index_settings.update({k: input}) %}
+           {%   endif %}
+           {% endfor %}
+           {% for k in addon_integration_keys %}
+           {%   if k not in matched_integration_names and k in index_settings %}
+           {%     set _ = index_settings.pop(k) %}
+           {%   endif %}
+           {% endfor %}
+           {{ data }}
+
+{#   Managed elasticsearch/defaults.yaml file for enabling 'Revert to default' via SOC UI for newly added config items #}
+{%   set es_defaults = '/opt/so/saltstack/default/salt/elasticsearch/defaults.yaml' %}
+{{   es_defaults }}:
+     file.serialize:
+       - dataset:
+           {% set data = salt['file.read'](es_defaults) | load_yaml %}
+           {% set es = data.get('elasticsearch', {}) %}
+           {% set index_settings = es.get('index_settings', {}) %}
+           {% for k in matched_integration_names %}
+           {%   if k not in index_settings %}
+           {%     set input = ADDON_INTEGRATION_DEFAULTS[k] %}
+           {%     set _ = index_settings.update({k: input})%}
+           {%   endif %}
+           {% endfor %}
+           {% for k in addon_integration_keys %}
+           {%   if k not in matched_integration_names and k in index_settings %}
+           {%     set _ = index_settings.pop(k) %}
+           {%   endif %}
+           {% endfor %}
+           {{ data }}
+{% endif %}

salt/manager/tools/sbin/soup

@@ -406,6 +406,7 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.4.100 ]] && up_to_2.4.110
     [[ "$INSTALLEDVERSION" == 2.4.110 ]] && up_to_2.4.111
     [[ "$INSTALLEDVERSION" == 2.4.111 ]] && up_to_2.4.120
+    [[ "$INSTALLEDVERSION" == 2.4.120 ]] && up_to_2.4.130
     true
 }
 
@@ -429,6 +430,7 @@ postupgrade_changes() {
     [[ "$POSTVERSION"  == 2.4.100 ]] && post_to_2.4.110
     [[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.111
     [[ "$POSTVERSION"  == 2.4.111 ]] && post_to_2.4.120
+    [[ "$POSTVERSION"  == 2.4.120 ]] && post_to_2.4.130
     true
 }
 
@@ -531,10 +533,24 @@ post_to_2.4.120() {
   # Manually rollover suricata alerts index to ensure data_stream.dataset expected mapping is set to 'suricata'
   rollover_index "logs-suricata.alerts-so"
 
+  POSTVERSION=2.4.120
+}
+
+post_to_2.4.130() {
+  # Optional integrations are loaded AFTER initial successful load of core ES templates (/opt/so/state/estemplates.txt)
+  #   Dynamic templates are created in elasticsearch.enabled for every optional integration based on output of so-elastic-fleet-optional-integrations-load script
+  echo "Ensuring Elasticsearch templates are up to date after updating package registry"
+  salt-call state.apply elasticsearch queue=True
+
+  # Update kibana default space
+  salt-call state.apply kibana.config queue=True
+  echo "Updating Kibana default space"
+  /usr/sbin/so-kibana-space-defaults
+
   echo "Regenerating Elastic Agent Installers"
   /sbin/so-elastic-agent-gen-installers
 
-  POSTVERSION=2.4.120
+  POSTVERSION=2.4.130
 }
 
 repo_sync() {
@@ -716,8 +732,8 @@ up_to_2.4.90() {
 }
 
 up_to_2.4.100() {
-  # Elastic Update for this release, so download Elastic Agent files
-  determine_elastic_agent_upgrade
+  echo "Nothing to do for 2.4.100"
+
   INSTALLEDVERSION=2.4.100
 }
 
@@ -740,12 +756,23 @@ up_to_2.4.120() {
   mkdir -p /opt/so/saltstack/local/pillar/versionlock
   touch /opt/so/saltstack/local/pillar/versionlock/adv_versionlock.sls /opt/so/saltstack/local/pillar/versionlock/soc_versionlock.sls
 
-  # New Grid Integration added this release
-  rm -f /opt/so/state/eaintegrations.txt
 
   INSTALLEDVERSION=2.4.120
 }
 
+up_to_2.4.130() {
+  # Remove any old Elastic Defend config files
+  rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json
+
+  # Elastic Update for this release, so download Elastic Agent files
+  determine_elastic_agent_upgrade
+
+  # Ensure override exists to allow nmcli access to other devices
+  touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf
+
+  INSTALLEDVERSION=2.4.130
+}
+
 add_hydra_pillars() {
   mkdir -p /opt/so/saltstack/local/pillar/hydra
   touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls