From 1043315e6b35cf8d07d924ab8ce6d296b5752e62 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Thu, 12 Oct 2023 09:22:26 -0400 Subject: [PATCH 1/5] Manage Elastic Defend Integration manually --- .../elastic-defend-endpoints.json | 0 .../tools/sbin/so-elastic-fleet-common | 18 +++++++++++++ ...ic-fleet-integration-policy-elastic-defend | 27 +++++++++++++++++++ .../so-elastic-fleet-integration-policy-load | 4 +++ 4 files changed, 49 insertions(+) rename salt/elasticfleet/files/integrations/{endpoints-initial => elastic-defend}/elastic-defend-endpoints.json (100%) mode change 100755 => 100644 salt/elasticfleet/tools/sbin/so-elastic-fleet-common create mode 100755 salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend mode change 100755 => 100644 salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load diff --git a/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json similarity index 100% rename from salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json rename to salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common old mode 100755 new mode 100644 index 6ada43003b..c0b4db53a7 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common 
@@ -42,6 +42,23 @@ elastic_fleet_integration_create() { curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" } + +elastic_fleet_integration_remove() { + + AGENT_POLICY=$1 + + NAME=$2 + + INTEGRATION_ID=$(/usr/sbin/so-elastic-fleet-agent-policy-view "$AGENT_POLICY" | jq -r '.item.package_policies[] | select(.name=="'"$NAME"'") | .id') + + JSON_STRING=$( jq -n \ + --arg INTEGRATIONID "$INTEGRATION_ID" \ + '{"packagePolicyIds":[$INTEGRATIONID]}' + ) + + curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies/delete" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" +} + elastic_fleet_integration_update() { UPDATE_ID=$1 @@ -98,3 +115,4 @@ elastic_fleet_policy_update() { curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" } + diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend new file mode 100755 index 0000000000..c4a7d39fd5 --- /dev/null +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend 
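Review bot: In the new elastic_fleet_integration_remove the caller-supplied name is spliced into the jq program through shell quoting (`select(.name=="'"$NAME"'")`), and the delete request is sent even when that lookup returns nothing, so a missing or mistyped name still POSTs `{"packagePolicyIds":[""]}` to Fleet. Pass the name as a jq argument and bail out when the id is empty: `INTEGRATION_ID=$(/usr/sbin/so-elastic-fleet-agent-policy-view "$AGENT_POLICY" | jq -r --arg name "$NAME" '.item.package_policies[] | select(.name==$name) | .id')` followed by `[ -n "$INTEGRATION_ID" ] || { echo "Integration $NAME not found in policy $AGENT_POLICY"; return 1; }`. A name matching more than one package policy would also yield a newline-joined id inside a single JSON string, so either select `first(...)` or fail explicitly on multiple matches. As with the other functions in this file, the curl call does not use `-f`/`--fail` or inspect the response, so callers cannot tell from the return code whether the removal actually happened.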
@@ -0,0 +1,27 @@ +#!/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +# Usage: Run with --force to update the Elastic Defend integration policy + +. /usr/sbin/so-elastic-fleet-common + +# Manage Elastic Defend Integration for Initial Endpoints Policy +for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/elastic-defend/*.json +do + printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n" + elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION" + if [ -n "$INTEGRATION_ID" ]; then + if [ "$1" = "--force" ]; then + printf "\n\nIntegration $NAME exists - Updating integration\n" + elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION" + else + printf "\n\nIntegration $NAME exists - Not updating - rerun with --force to force the update.\n" + fi + else + printf "\n\nIntegration does not exist - Creating integration\n" + elastic_fleet_integration_create "@$INTEGRATION" + fi +done diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load old mode 100755 new mode 100644 index ae0fbb6ba0..44e7ccf2b3 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load @@ -12,6 +12,9 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then # First, check for any package upgrades /usr/sbin/so-elastic-fleet-package-upgrade + # Second, configure Elastic Defend Integration seperately + /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend + # Initial Endpoints for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json do @@ -65,3 +68,4 @@ else exit $RETURN_CODE fi + 
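Review bot: The loop over `/opt/so/conf/elastic-fleet/integrations/elastic-defend/*.json` runs without nullglob, so if the directory is empty or absent the literal pattern is handed to elastic_fleet_integration_check and then to `elastic_fleet_integration_create "@$INTEGRATION"`, which posts a nonexistent file to Fleet. Add `[ -f "$INTEGRATION" ] || continue` as the first statement of the loop body. The printf calls also place the path and `$NAME` inside the format string (`printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n"`); `printf "\n\nInitial Endpoints Policy - Loading %s\n" "$INTEGRATION"` keeps a `%` in a filename from being interpreted. The script further depends on `INTEGRATION_ID` and `NAME` being set as side effects of elastic_fleet_integration_check, which lives in so-elastic-fleet-common outside this hunk; a comment such as `# elastic_fleet_integration_check sets INTEGRATION_ID and NAME for the matched integration` would make that contract visible here.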
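Review bot: The added call to `/usr/sbin/so-elastic-fleet-integration-policy-elastic-defend` discards its exit status, so a failed Elastic Defend integration load does not stop the remainder of the `if [ ! -f /opt/so/state/eaintegrations.txt ]` block, which starts before this hunk and presumably goes on to record the load as complete. Propagate the status, e.g. `/usr/sbin/so-elastic-fleet-integration-policy-elastic-defend || exit 1`, or fold it into the RETURN_CODE this script already exits with further down. Separately, the file header changes this script (and so-elastic-fleet-common) from mode 100755 to 100644; if anything invokes it by path rather than via bash, the executable bit must be restored by the salt state that installs it or the call will fail. The new comment also misspells "separately".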
From a671ac387a39a49d384323239692df3857478596 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Thu, 12 Oct 2023 09:45:20 -0400 Subject: [PATCH 2/5] Add hotfix changes --- HOTFIX | 2 +- salt/manager/tools/sbin/soup | 11 +++++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/HOTFIX b/HOTFIX index d3f5a12faa..afd2e4c40b 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ - +20231012 diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 960c50f311..fa714cda44 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -691,13 +691,16 @@ verify_latest_update_script() { # Keeping this block in case we need to do a hotfix that requires salt update apply_hotfix() { -# if [[ "$INSTALLEDVERSION" == "2.3.90" ]] ; then -# fix_wazuh + if [[ "$INSTALLEDVERSION" == "2.4.20" ]] ; then + salt-call state.appply elastic-fleet -l info queue=True + . /usr/sbin/so-elastic-fleet-common + elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints + /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend # elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then # 2_3_10_hotfix_1 -# else + else echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" -# fi + fi } From 967138cdff029ff5d0be3dac016be1cc2e7d9b13 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Thu, 12 Oct 2023 10:54:26 -0400 Subject: [PATCH 3/5] Apply state correctly --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index fa714cda44..d128a7c4d1 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup 
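Review bot: In apply_hotfix the remove and re-create steps are unconditional and unchecked: `elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints` deletes the Elastic Defend package policy from the endpoints-initial agent policy, and only afterwards does `/usr/sbin/so-elastic-fleet-integration-policy-elastic-defend` try to add it back, so if that second step fails (Kibana unreachable, curl error) enrolled endpoints are left with no Defend integration while soup reports nothing amiss. Check each step, e.g. `elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints || { echo "Elastic Defend removal failed"; return 1; }` and the same pattern for the re-create. The guard `"$INSTALLEDVERSION" == "2.4.20"` would match on every soup run at that version, so this block presumably relies on HOTFIXVERSION gating outside the hunk; confirm it cannot execute twice, since a second pass would delete and recreate the integration again and bump the agent policy revision for every endpoint.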
@@ -692,7 +692,7 @@ verify_latest_update_script() { # Keeping this block in case we need to do a hotfix that requires salt update apply_hotfix() { if [[ "$INSTALLEDVERSION" == "2.4.20" ]] ; then - salt-call state.appply elastic-fleet -l info queue=True + salt-call state.apply elastic-fleet -l info queue=True . /usr/sbin/so-elastic-fleet-common elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend From 98eab906aff0d269bc92ed02c721afa02408a3ac Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Thu, 12 Oct 2023 11:00:24 -0400 Subject: [PATCH 4/5] Apply named state --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index d128a7c4d1..375d482097 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -692,7 +692,7 @@ verify_latest_update_script() { # Keeping this block in case we need to do a hotfix that requires salt update apply_hotfix() { if [[ "$INSTALLEDVERSION" == "2.4.20" ]] ; then - salt-call state.apply elastic-fleet -l info queue=True + salt-call state.apply elasticfleet -l info queue=True . /usr/sbin/so-elastic-fleet-common elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend From b6af59d9b09c8ea405275cdebedd9ec000ca042c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 12 Oct 2023 15:47:53 -0400 Subject: [PATCH 5/5] 2.4.20 hotfix --- DOWNLOAD_AND_VERIFY_ISO.md | 22 ++++++++++----------- sigs/securityonion-2.4.20-20231012.iso.sig | Bin 0 -> 566 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.4.20-20231012.iso.sig diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index dabfd285cc..539dd9e8e4 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md 
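Review bot: The corrected `salt-call state.apply elasticfleet -l info queue=True` still has its result ignored, yet the following lines source `/usr/sbin/so-elastic-fleet-common` and run `/usr/sbin/so-elastic-fleet-integration-policy-elastic-defend`, both of which are presumably laid down by that very state; if the state fails, the old common file without elastic_fleet_integration_remove is sourced and the script call fails with command not found, while the `else` branch is skipped and the hotfix looks successful. Guard it with `salt-call --retcode-passthrough state.apply elasticfleet -l info queue=True || { echo "elasticfleet state failed; aborting hotfix"; return 1; }`, since salt-call exits 0 on failed states unless `--retcode-passthrough` is given. apply_hotfix's body continues outside the hunk.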
@@ -1,18 +1,18 @@ -### 2.4.20-20231006 ISO image released on 2023/10/06 +### 2.4.20-20231012 ISO image released on 2023/10/12 ### Download and Verify -2.4.20-20231006 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso +2.4.20-20231012 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231012.iso -MD5: 269F00308C53976BF0EAE788D1DB29DB -SHA1: 3F7C2324AE1271112F3B752BA4724AF36688FC27 -SHA256: 542B8B3F4F75AD24DC78007F8FE0857E00DC4CC9F4870154DCB8D5D0C4144B65 +MD5: 7D6ACA843068BA9432B3FF63BFD1EF0F +SHA1: BEF2B906066A1B04921DF0B80E7FDD4BC8ECED5C +SHA256: 5D511D50F11666C69AE12435A47B9A2D30CB3CC88F8D38DC58A5BC0ECADF1BF5 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231012.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231012.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231012.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.20-20231006.iso.sig securityonion-2.4.20-20231006.iso +gpg --verify securityonion-2.4.20-20231012.iso.sig securityonion-2.4.20-20231012.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Tue 03 Oct 2023 11:40:51 AM EDT using RSA key ID FE507013 +gpg: Signature made Thu 12 Oct 2023 01:28:32 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.4.20-20231012.iso.sig b/sigs/securityonion-2.4.20-20231012.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..0704f7d1c253915a81383222f6238a3d5d62bdc7 GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%a&HzyJyf5PT3| zxBgIY6GqGr|4VA;xMiecEI{gjUYL2W<40M5tH3?g_4Y`oAyjO0cF^+WeS(7J&}s@- zOx2!={+X!hztM{3;w{PuK!3{CmAU`PQ&$_PYvXIryf9AkQx<`1Y-n?Q4}$ReYDY3- zkL(mYW^n4{y1r-VgH^6u3?|#b4##(wrBYf2cnH-$P@^;F?}mn^Shy*wY1|{RxVK>Y zkDh@Zu0{#DHO9VL@2m3obxlgVjXDj#1DCsA3)icR&Ga?8SBYq)3A$0cy(Dt zXwe(*W;p4(pZ6@(4I~+#m-LG}X3CVX>(h6_RFs@|0})09rzd0EGN)L=x8R@##@1yl zTVF>NT-rxZS))jQ$y*ZN_uG}Wzt-83>^~YInB}AP#c_kMtOq^Mq9Fz_pnaBK5n3=- ze5mCQDqMFZ9Cq2l_+r2>`LTS*y7qBP8muMVWwBg4Dkfo?^4ljQ#&zf*JT^%6ZGk$fS=MJ$EP$=Oler)b>|nKO z;BgH?2IF-C&M23kWqbMLwfY-*_FiIR`KjmETbDAfJ!Ut}G&{9jy!%A#P6!6+BY-Uc zNhi2Du?+1A*_2tG5E20s%kvm{T=H}fPuvT@XbP{zF+!aqy+vby-3$^HTHk}9KXsA{ EFqyLvWB>pF literal 0 HcmV?d00001