mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 17:22:49 +01:00
Merge remote-tracking branch 'origin/2.4/dev' into byoh
This commit is contained in:
Josh Patterson
@@ -173,7 +173,7 @@ for PCAP in $INPUT_FILES; do
|
|||||||
status "- assigning unique identifier to import: $HASH"
|
status "- assigning unique identifier to import: $HASH"
|
||||||
|
|
||||||
pcap_data=$(pcapinfo "${PCAP}")
|
pcap_data=$(pcapinfo "${PCAP}")
|
||||||
if ! echo "$pcap_data" | grep -q "First packet time:" || echo "$pcap_data" |egrep -q "Last packet time: 1970-01-01|Last packet time: n/a"; then
|
if ! echo "$pcap_data" | grep -q "Earliest packet time:" || echo "$pcap_data" |egrep -q "Latest packet time: 1970-01-01|Latest packet time: n/a"; then
|
||||||
status "- this PCAP file is invalid; skipping"
|
status "- this PCAP file is invalid; skipping"
|
||||||
INVALID_PCAPS_COUNT=$((INVALID_PCAPS_COUNT + 1))
|
INVALID_PCAPS_COUNT=$((INVALID_PCAPS_COUNT + 1))
|
||||||
else
|
else
|
||||||
@@ -205,8 +205,8 @@ for PCAP in $INPUT_FILES; do
|
|||||||
HASHES="${HASHES} ${HASH}"
|
HASHES="${HASHES} ${HASH}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}')
|
START=$(pcapinfo "${PCAP}" -a |grep "Earliest packet time:" | awk '{print $4}')
|
||||||
END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}')
|
END=$(pcapinfo "${PCAP}" -e |grep "Latest packet time:" | awk '{print $4}')
|
||||||
status "- found PCAP data spanning dates $START through $END"
|
status "- found PCAP data spanning dates $START through $END"
|
||||||
|
|
||||||
# compare $START to $START_OLDEST
|
# compare $START to $START_OLDEST
|
||||||
|
|||||||
@@ -27,7 +27,7 @@ fleet_api() {
|
|||||||
local QUERYPATH=$1
|
local QUERYPATH=$1
|
||||||
shift
|
shift
|
||||||
|
|
||||||
curl -sK /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/${QUERYPATH}" "$@" --retry 3 --fail 2>/dev/null
|
curl -sK /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/${QUERYPATH}" "$@" --retry 3 --retry-delay 10 --fail 2>/dev/null
|
||||||
}
|
}
|
||||||
|
|
||||||
elastic_fleet_integration_check() {
|
elastic_fleet_integration_check() {
|
||||||
|
|||||||
@@ -8,6 +8,7 @@
|
|||||||
|
|
||||||
. /usr/sbin/so-elastic-fleet-common
|
. /usr/sbin/so-elastic-fleet-common
|
||||||
|
|
||||||
|
ERROR=false
|
||||||
# Manage Elastic Defend Integration for Initial Endpoints Policy
|
# Manage Elastic Defend Integration for Initial Endpoints Policy
|
||||||
for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/elastic-defend/*.json
|
for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/elastic-defend/*.json
|
||||||
do
|
do
|
||||||
@@ -17,13 +18,18 @@ do
|
|||||||
printf "\n\nIntegration $NAME exists - Upgrading integration policy\n"
|
printf "\n\nIntegration $NAME exists - Upgrading integration policy\n"
|
||||||
if ! elastic_fleet_integration_policy_upgrade "$INTEGRATION_ID"; then
|
if ! elastic_fleet_integration_policy_upgrade "$INTEGRATION_ID"; then
|
||||||
echo -e "\nFailed to upgrade integration policy for ${INTEGRATION##*/}"
|
echo -e "\nFailed to upgrade integration policy for ${INTEGRATION##*/}"
|
||||||
exit 1
|
ERROR=true
|
||||||
|
continue
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
printf "\n\nIntegration does not exist - Creating integration\n"
|
printf "\n\nIntegration does not exist - Creating integration\n"
|
||||||
if ! elastic_fleet_integration_create "@$INTEGRATION"; then
|
if ! elastic_fleet_integration_create "@$INTEGRATION"; then
|
||||||
echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
|
echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
|
||||||
exit 1
|
ERROR=true
|
||||||
|
continue
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
if [[ "$ERROR" == "true" ]]; then
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
@@ -17,7 +17,6 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
|
|||||||
|
|
||||||
# Third, configure Elastic Defend Integration seperately
|
# Third, configure Elastic Defend Integration seperately
|
||||||
/usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
|
/usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
|
||||||
|
|
||||||
# Initial Endpoints
|
# Initial Endpoints
|
||||||
for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
|
for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
|
||||||
do
|
do
|
||||||
@@ -27,13 +26,15 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
|
|||||||
printf "\n\nIntegration $NAME exists - Updating integration\n"
|
printf "\n\nIntegration $NAME exists - Updating integration\n"
|
||||||
if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
|
if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
|
||||||
echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
|
echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
|
||||||
exit 1
|
RETURN_CODE=1
|
||||||
|
continue
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
printf "\n\nIntegration does not exist - Creating integration\n"
|
printf "\n\nIntegration does not exist - Creating integration\n"
|
||||||
if ! elastic_fleet_integration_create "@$INTEGRATION"; then
|
if ! elastic_fleet_integration_create "@$INTEGRATION"; then
|
||||||
echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
|
echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
|
||||||
exit 1
|
RETURN_CODE=1
|
||||||
|
continue
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@@ -47,13 +48,15 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
|
|||||||
printf "\n\nIntegration $NAME exists - Updating integration\n"
|
printf "\n\nIntegration $NAME exists - Updating integration\n"
|
||||||
if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
|
if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
|
||||||
echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
|
echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
|
||||||
exit 1
|
RETURN_CODE=1
|
||||||
|
continue
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
printf "\n\nIntegration does not exist - Creating integration\n"
|
printf "\n\nIntegration does not exist - Creating integration\n"
|
||||||
if ! elastic_fleet_integration_create "@$INTEGRATION"; then
|
if ! elastic_fleet_integration_create "@$INTEGRATION"; then
|
||||||
echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
|
echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
|
||||||
exit 1
|
RETURN_CODE=1
|
||||||
|
continue
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@@ -70,14 +73,16 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
|
|||||||
printf "\n\nIntegration $NAME exists - Updating integration\n"
|
printf "\n\nIntegration $NAME exists - Updating integration\n"
|
||||||
if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
|
if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
|
||||||
echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
|
echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
|
||||||
exit 1
|
RETURN_CODE=1
|
||||||
|
continue
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
printf "\n\nIntegration does not exist - Creating integration\n"
|
printf "\n\nIntegration does not exist - Creating integration\n"
|
||||||
if [ "$NAME" != "elasticsearch-logs" ]; then
|
if [ "$NAME" != "elasticsearch-logs" ]; then
|
||||||
if ! elastic_fleet_integration_create "@$INTEGRATION"; then
|
if ! elastic_fleet_integration_create "@$INTEGRATION"; then
|
||||||
echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
|
echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
|
||||||
exit 1
|
RETURN_CODE=1
|
||||||
|
continue
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@@ -97,14 +102,16 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
|
|||||||
printf "\n\nIntegration $NAME exists - Updating integration\n"
|
printf "\n\nIntegration $NAME exists - Updating integration\n"
|
||||||
if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
|
if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
|
||||||
echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
|
echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
|
||||||
exit 1
|
RETURN_CODE=1
|
||||||
|
continue
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
printf "\n\nIntegration does not exist - Creating integration\n"
|
printf "\n\nIntegration does not exist - Creating integration\n"
|
||||||
if [ "$NAME" != "elasticsearch-logs" ]; then
|
if [ "$NAME" != "elasticsearch-logs" ]; then
|
||||||
if ! elastic_fleet_integration_create "@$INTEGRATION"; then
|
if ! elastic_fleet_integration_create "@$INTEGRATION"; then
|
||||||
echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
|
echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
|
||||||
exit 1
|
RETURN_CODE=1
|
||||||
|
continue
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|||||||
@@ -24,6 +24,7 @@ fi
|
|||||||
|
|
||||||
default_packages=({% for pkg in SUPPORTED_PACKAGES %}"{{ pkg }}"{% if not loop.last %} {% endif %}{% endfor %})
|
default_packages=({% for pkg in SUPPORTED_PACKAGES %}"{{ pkg }}"{% if not loop.last %} {% endif %}{% endfor %})
|
||||||
|
|
||||||
|
ERROR=false
|
||||||
for AGENT_POLICY in $agent_policies; do
|
for AGENT_POLICY in $agent_policies; do
|
||||||
if ! integrations=$(elastic_fleet_integration_policy_names "$AGENT_POLICY"); then
|
if ! integrations=$(elastic_fleet_integration_policy_names "$AGENT_POLICY"); then
|
||||||
# this script upgrades default integration packages, exit 1 and let salt handle retrying
|
# this script upgrades default integration packages, exit 1 and let salt handle retrying
|
||||||
@@ -73,11 +74,13 @@ for AGENT_POLICY in $agent_policies; do
|
|||||||
echo "No errors detected. Proceeding with upgrade..."
|
echo "No errors detected. Proceeding with upgrade..."
|
||||||
if ! elastic_fleet_integration_policy_upgrade "$INTEGRATION_ID"; then
|
if ! elastic_fleet_integration_policy_upgrade "$INTEGRATION_ID"; then
|
||||||
echo "Error: Upgrade failed for $PACKAGE_NAME with integration ID '$INTEGRATION_ID'."
|
echo "Error: Upgrade failed for $PACKAGE_NAME with integration ID '$INTEGRATION_ID'."
|
||||||
exit 1
|
ERROR=true
|
||||||
|
continue
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
echo "Errors detected during dry run for $PACKAGE_NAME policy upgrade..."
|
echo "Errors detected during dry run for $PACKAGE_NAME policy upgrade..."
|
||||||
exit 1
|
ERROR=true
|
||||||
|
continue
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
{%- if not AUTO_UPGRADE_INTEGRATIONS %}
|
{%- if not AUTO_UPGRADE_INTEGRATIONS %}
|
||||||
@@ -86,4 +89,7 @@ for AGENT_POLICY in $agent_policies; do
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
if [[ "$ERROR" == "true" ]]; then
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
echo
|
echo
|
||||||
|
|||||||
@@ -1493,6 +1493,7 @@ soc:
|
|||||||
folder: securityonion-normalized
|
folder: securityonion-normalized
|
||||||
assistant:
|
assistant:
|
||||||
apiUrl: https://onionai.securityonion.net
|
apiUrl: https://onionai.securityonion.net
|
||||||
|
healthTimeoutSeconds: 3
|
||||||
salt:
|
salt:
|
||||||
queueDir: /opt/sensoroni/queue
|
queueDir: /opt/sensoroni/queue
|
||||||
timeoutMs: 45000
|
timeoutMs: 45000
|
||||||
|
|||||||
@@ -585,6 +585,10 @@ soc:
|
|||||||
description: The URL of the AI gateway.
|
description: The URL of the AI gateway.
|
||||||
advanced: True
|
advanced: True
|
||||||
global: True
|
global: True
|
||||||
|
healthTimeoutSeconds:
|
||||||
|
description: Timeout in seconds for the Onion AI health check.
|
||||||
|
global: True
|
||||||
|
advanced: True
|
||||||
client:
|
client:
|
||||||
assistant:
|
assistant:
|
||||||
enabled:
|
enabled:
|
||||||
@@ -615,6 +619,7 @@ soc:
|
|||||||
advanced: True
|
advanced: True
|
||||||
lowBalanceColorAlert:
|
lowBalanceColorAlert:
|
||||||
description: Onion AI credit amount at which balance turns red.
|
description: Onion AI credit amount at which balance turns red.
|
||||||
|
global: True
|
||||||
advanced: True
|
advanced: True
|
||||||
apiTimeoutMs:
|
apiTimeoutMs:
|
||||||
description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI.
|
description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI.
|
||||||
|
|||||||
Reference in New Issue
Block a user