Elastic-agent on Fedora Silverblue

Hello!

Has anyone got elastic-agent working on Fedora Silverblue or other immutable Linux OS?

The problem is that elastic-agent wants to install its executable under /usr, but in Silverblue it is read-only. There is a way to fix it by using these commands before enrolling the host:

sed -i s/"\/usr\/bin\/elastic-agent"/"\/opt\/bin\/elastic-agent"/ elastic-agent
sudo semanage fcontext -a -t bin_t "/var/opt/bin(/.*)?"
sudo restorecon -R -v /var/opt/bin/

While this allows installing elastic-agent, the "Defend integration" is still failing.

Is there a way to allow elastic-agent to be installed elsewhere?

[EDIT]
You can sort of fix this by using:

ostree admin unlock --hotfix
./elastic-agent install ...

but it still complains Elastic Defend is not at the default path:

# ps aux | grep Elastic
root       15483  0.1  0.7 1985116 58280 ?       Sl   09:41   0:00 /var/opt/Elastic/Agent/data/elastic-agent-8.13.4-a2e31a/components/filebeat -E setup.ilm.enabled=false -E setup.template.enabled=false -E management.enabled=true -E management.restart_on_output_change=true -E logging.level=info -E logging.to_stderr=true -E gc_percent=${FILEBEAT_GOGC:100} -E filebeat.config.modules.enabled=false -E http.enabled=true -E http.host=unix:///var/opt/Elastic/Agent/data/tmp/PGwsYWcynGUYZEjD872Gs-npqbv-30jS.sock -E path.data=/var/opt/Elastic/Agent/data/elastic-agent-8.13.4-a2e31a/run/log-default
root       15492  1.6  1.0 2092644 79792 ?       Sl   09:41   0:02 /var/opt/Elastic/Agent/data/elastic-agent-8.13.4-a2e31a/components/metricbeat -E setup.ilm.enabled=false -E setup.template.enabled=false -E management.enabled=true -E management.restart_on_output_change=true -E logging.level=info -E logging.to_stderr=true -E gc_percent=${METRICBEAT_GOGC:100} -E metricbeat.config.modules.enabled=false -E http.enabled=true -E http.host=unix:///var/opt/Elastic/Agent/data/tmp/iThI_df0cBKC6YUNGGlKscMkOfz3FBH3.sock -E path.data=/var/opt/Elastic/Agent/data/elastic-agent-8.13.4-a2e31a/run/system/metrics-default
root       15500  0.1  0.6 2015500 46336 ?       Sl   09:41   0:00 /var/opt/Elastic/Agent/data/elastic-agent-8.13.4-a2e31a/components/auditbeat -E setup.ilm.enabled=false -E setup.template.enabled=false -E management.enabled=true -E management.restart_on_output_change=true -E logging.level=info -E logging.to_stderr=true -E gc_percent=${AUDITBEAT_GOGC:100} -E auditbeat.config.modules.enabled=false -E http.enabled=true -E http.host=unix:///var/opt/Elastic/Agent/data/tmp/3eljxlWKeJO3S9gwrrPPiNozl_k8bSCW.sock -E path.data=/var/opt/Elastic/Agent/data/elastic-agent-8.13.4-a2e31a/run/audit/auditd-default
root       15511  0.1  0.3 1926552 23168 ?       Sl   09:41   0:00 /var/opt/Elastic/Agent/data/elastic-agent-8.13.4-a2e31a/components/osquerybeat -E setup.ilm.enabled=false -E setup.template.enabled=false -E management.enabled=true -E management.restart_on_output_change=true -E logging.level=info -E logging.to_stderr=true -E gc_percent=${OSQUERYBEAT_GOGC:100} -E http.enabled=true -E http.host=unix:///var/opt/Elastic/Agent/data/tmp/Vhoh3bgcZkgcqBzzf_sxoKMS9KzE63ch.sock -E path.data=/var/opt/Elastic/Agent/data/elastic-agent-8.13.4-a2e31a/run/osquery-default
root       15525  0.0  0.1 1010612 11008 ?       Sl   09:41   0:00 /var/opt/Elastic/Agent/data/elastic-agent-8.13.4-a2e31a/components/osqueryd --tls_server_certs=/var/opt/Elastic/Agent/data/elastic-agent-8.13.4-a2e31a/components/certs/certs.pem --utc=true --config_refresh=60 --force=true --pidfile=osquery/osquery.pid --extensions_interval=3 --extensions_socket=/var/run/2860521625/osquery.sock --augeas_lenses=/var/opt/Elastic/Agent/data/elastic-agent-8.13.4-a2e31a/components/lenses --disable_watchdog=true --extensions_timeout=10 --disable_tables=carves,curl --events_expiry=1 --extensions_autoload=osquery/osquery.autoload --database_path=osquery/osquery.db --logger_event_type=false --pack_delimiter=_ --config_plugin=osq_config --logger_plugin=osq_logger --flagfile=osquery/osquery.flags
root       15527  0.0  0.0 1601056 3072 ?        Sl   09:41   0:00 /var/opt/Elastic/Agent/data/elastic-agent-8.13.4-a2e31a/components/osquery-extension.ext --socket /var/run/2860521625/osquery.sock --timeout 10 --interval 3
root       15623  0.0  0.0 227752  1920 pts/1    S+   09:44   0:00 grep --color=auto Elastic

[EDIT2]
I can manually edit the "endpoint-security.spec.yml" file and remove the following:

        - condition: ${install.in_default} == false
          message: "Elastic Defend requires Elastic Agent be installed at the default installation path"

After restarting elastic-agent, it is green, even without installing elastic-agent into /usr, but after rebooting there seem to be SELinux problems that are not logged; maybe later I will try finding what is blocked without the "dont audit" rule.

The Elastic Defend integration does not work if it is not installed on one of the default paths.

If /usr is read-only in your system, then you need to install it using the tar.gz distribution, which will install under /opt/Elastic.

But I do use the tar.gz option already.
That "sed" line is used on the elastic-agent executable that is found when extracting the archive.
What I believe running the elastic-agent install does is that it copies itself to /usr/bin/ and to /opt/Elastic. With "rpm-ostree admin --hotfix" I can make /usr writable, but that seems to be only a part of the issue.

By editing the .yml file I removed the check that it is in the default install path, but if you look at my "ps aux" output, then you can see that Elastic Agent is actually running in /var/opt, not /opt.
This is expected since /var/opt is the actual directory on Silverblue, but /opt is a symlink to /var/opt.

TL;DR
Elastic Agent is installed in /opt, but due to how Silverblue is made it thinks it is not!
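An added example (not code from the thread or from Elastic) that reproduces the mismatch the TL;DR describes in a throwaway directory: /opt is created as a symlink to var/opt, as on Silverblue, and the directory the agent actually runs from (/var/opt/Elastic/Agent, as in the ps output above) is compared with the assumed default path /opt/Elastic/Agent both literally and after resolving symlinks. The sandbox root and the helper function names are constructed for this example.

```shell
#!/bin/sh
# Added example: show why a literal path comparison fails on a /opt -> var/opt
# layout while a symlink-aware comparison succeeds. Assumed default install
# directory: /opt/Elastic/Agent (the tar.gz default mentioned in the thread).

DEFAULT_AGENT_DIR="/opt/Elastic/Agent"

# Literal check: strip the sandbox root prefix and compare strings only.
literal_in_default() {   # $1 = sandbox root, $2 = directory the agent runs from
    [ "${2#"$1"}" = "$DEFAULT_AGENT_DIR" ]
}

# Symlink-aware check: resolve both sides with realpath before comparing.
resolved_in_default() {  # $1 = sandbox root, $2 = directory the agent runs from
    want=$(realpath "$1$DEFAULT_AGENT_DIR")
    have=$(realpath "$2")
    [ "$want" = "$have" ]
}

# Build a temporary tree that mirrors Silverblue: ROOT/opt -> var/opt.
make_silverblue_root() {
    root=$(mktemp -d)
    mkdir -p "$root/var/opt/Elastic/Agent"
    ln -s var/opt "$root/opt"
    printf '%s\n' "$root"
}

# Prints "literal=<0|1> resolved=<0|1>" (0 = match) for the given agent
# directory, e.g. /var/opt/Elastic/Agent as shown by ps on Silverblue.
check_agent_path() {     # $1 = directory the agent reports, relative to /
    root=$(make_silverblue_root)
    running="$root$1"
    lit=1; res=1
    literal_in_default "$root" "$running" && lit=0
    resolved_in_default "$root" "$running" && res=0
    rm -rf "$root"
    printf 'literal=%s resolved=%s\n' "$lit" "$res"
}

check_agent_path /var/opt/Elastic/Agent   # literal=1 resolved=0
check_agent_path /opt/Elastic/Agent       # literal=0 resolved=0
```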

Yeah, I'm not sure this will work; you may need to bind mount /var/opt into /opt to make it work.

It is a limitation of the Defend integration.
