Policy inventory settings¶
The policy inventory is a list of the Corelight sensors you’ll deploy content to using Corelight-update. The sensors can be a combination of appliances, such as the hardware and virtual sensors, and software sensors.
Corelight-update can utilize Fleet Manager to deploy content to Fleet-enabled appliances, such as the hardware and virtual sensors. For appliances that aren’t Fleet-enabled, you can push content directly to those sensors using Corelight-update.
Fleet Managed Sensors
As of Corelight-update v1.3.0, sensors that are Fleet managed no longer need to be listed individually in the Corelight-update inventory. Corelight-update will collect a list of sensors for each Fleet Manager policy automatically.
If you have version 1.x software sensors, you can use Corelight-update to either push content to the software sensor, or publish threat intel content using Corelight-update’s web interface for the software sensor to fetch.
Overview of adding Fleet Manager and sensor details to the inventory¶
1. Prepare a list of the sensors that Corelight-update will deploy to.
   - For Fleet-managed sensors, the sensor inventory will be collected from Fleet Manager.
   - For all standalone appliance sensors: collect the IP address or FQDN, and the sensor username and password.
   - For all version 1.x software sensors: collect the IP address or FQDN, and the host ssh key, or the sensor username and password.
2. If you have Fleet-managed sensors, configure the connection to your Fleet Manager instance under the fleet: section of the Corelight-update db-config file.
3. Configure the inventory settings under the sensors: portion of the Corelight-update configuration file, adding a new - name: inventory entry and its associated fields for each non-Fleet-managed sensor type in your inventory.
4. Use the configuration file to update the policy in Corelight-update.
Inventory settings¶
The following fields are available for configuring the inventory:
fleet:
  ip: # fleet address or fqdn
  username: # fleet username
  password: # fleet password, leave blank to use encrypted password
  encrypted_pass: # use the 'encrypt' CLI command to encrypt a password before it's stored here
  ignore_tls: true
sensors:
  - name: # sensor name
    type: # physical, virtual, software or localhost
    fleet: false # true or false
    ip: # address or fqdn
    username: # sensor username
    password: # set to "ssh-key" to use ssh keys with softsensor, leave blank to use encrypted password
    encrypted_pass: # use the 'encrypt' CLI command to encrypt a password before it's stored here
    ignore_tls: true # physical and virtual sensors ONLY
    suricata: true # push suricata rulesets to this sensor
    intel: true # push intel files to this sensor
    input: true # push input files to this sensor
    bundle: true # push package bundle to this sensor
    intel_path: "/etc/corelight/intel/intel.dat" # software sensors and localhost ONLY
    input_path: "/etc/corelight/input_files/" # software sensors and localhost ONLY
    suricata_path: "/etc/corelight/rules/suricata.rules" # software sensors and localhost ONLY
    suricata_config_path: "/etc/corelight/suricata/" # software sensors and localhost ONLY
    bundle_path: "/etc/corelight/corelight.bundle" # software sensors ONLY
Warning
The suricata_config_path /etc/corelight/suricata/ does not exist by default on Software Sensors v1.x and must be created before Suricata config files can be pushed. The folder must be writable for the username listed for that sensor.
There are two Corelight-update configuration sample files provided: /etc/corelight-update/configs/defaultPolicy/db-config.json and /etc/corelight-update/configs/defaultPolicy/db-config.yaml. They contain identical configuration examples defined in different structured text formats.
Encrypted Passwords
As of Corelight-update version 1.1.0, Fleet and individual sensor passwords can be encrypted before they are stored in inventory. Using the encrypted_pass field allows you to replace the use of plain text passwords in your Corelight-update configuration file. See Administering encrypted passwords later in this topic.
Corelight-update can use your Fleet Manager instance to collect an inventory of connected sensors, and deploy content to those sensors.
When Corelight-update is deploying content to Fleet-managed sensors, it uses the Fleet Manager API to authenticate and deploy intel files and input files to those sensors through the Fleet Manager instance. If a Fleet-managed sensor is disconnected from Fleet Manager during the content push, that sensor will not receive files until the next content push (assuming it is connected during the push).
Suricata rulesets and package bundles are uploaded directly to Fleet Manager and then the policy in Fleet Manager is updated to use the new content. Once updated, Fleet Manager will handle pushing the new Suricata ruleset and package bundles to the connected sensors. If Fleet Manager details are configured in the Corelight-update policy, new Suricata rulesets and package bundles will be uploaded even if no sensors are connected to that policy in Fleet Manager.
To configure Corelight-update to deploy to Fleet-managed sensors, you’ll require:
- Network connectivity from the Corelight-update host to the Fleet Manager. No additional network configuration is required other than the default sensor-to-Fleet communications.
- The policy name used in Fleet Manager and the policy name in Corelight-update must match.
- The IP address or FQDN of the Fleet Manager.
- The Fleet username and password.
To enable Corelight-update to communicate with the Fleet instance, configure the fleet: section of the configuration file.
fleet:
  ip: # fleet address or fqdn
  username: # fleet username
  password: # fleet password, leave blank to use encrypted password
  encrypted_pass: # use the 'encrypt' CLI command to encrypt a password before it's stored here
  ignore_tls: true
Corelight-update will collect a list of sensors for each Fleet Manager policy automatically. If you have Fleet-managed sensors manually configured in the Corelight-update inventory, they can be removed from the inventory, or remain if set to fleet: true in the sensor details. This setting causes Corelight-update to skip the sensor while it processes the rest of the policy inventory.
When Corelight-update is deploying content to appliance sensors, such as the hardware and virtual sensors that are not Fleet-managed, it uses the sensor API to authenticate and deploy content to those sensors.
To configure a standalone appliance sensor in Corelight-update, you’ll require:
- Network connectivity from the Corelight-update host to the sensor.
- The IP address or FQDN of the sensor.
- The sensor username and password.
The sensor inventory requires one entry for each sensor. You can remove any setting that’s not required for a specific sensor’s configuration.
sensors:
  - name: # sensor name
    type: # physical, virtual
    fleet: false
    ip: # address or fqdn
    username: # sensor username
    password: # leave blank to use encrypted password
    encrypted_pass: # use the 'encrypt' CLI command to encrypt a password before it's stored here
    suricata: true # push suricata rulesets to this sensor
    intel: true # push intel files to this sensor
    input: true # push input files to this sensor
    bundle: true # push package bundle to this sensor
Fleet Managed Sensors
If a standalone appliance sensor is later connected to Fleet Manager, it can be removed from the Corelight-update inventory, or remain if set to fleet: true in the sensor details. This setting causes Corelight-update to skip the sensor while it processes the rest of the policy inventory.
When Corelight-update is deploying content to software sensors, it uses SCP to push updates to a specific folder path on the sensor.
To configure a software sensor in Corelight-update, you’ll require:
- Network connectivity from the Corelight-update host to the sensor.
- The IP address or FQDN of the sensor.
- The sensor username, and the password or host ssh key.
- The sensor user needs read/write access to the content folders.
Note
The command used to reload the suricata rules requires sudo access. If you’re deploying Suricata rulesets to a software sensor, the host username will also require passwordless sudo access to apply new rulesets.
The sensor inventory requires one entry for each sensor. You can remove any setting that’s not required for a specific sensor’s configuration.
sensors:
  - name: # sensor name
    type: software
    ip: # address or fqdn
    username: # host username
    password: # set to "ssh-key" to use ssh keys with softsensor, leave blank to use encrypted password
    encrypted_pass: # use the 'encrypt' CLI command to encrypt a password before it's stored here
    suricata: true # push suricata rulesets to this sensor
    intel: true # push intel files to this sensor
    input: true # push input files to this sensor
    bundle: true # push package bundle to this sensor
    intel_path: "/etc/corelight/intel/intel.dat" # software sensors and localhost ONLY
    input_path: "/etc/corelight/input_files/" # software sensors and localhost ONLY
    suricata_path: "/etc/corelight/rules/suricata.rules" # software sensors and localhost ONLY
    bundle_path: "/etc/corelight/corelight.bundle" # software sensors ONLY
If Corelight-update is installed on the same host as a software sensor, no connectivity information is required. The only requirement is to include the paths on the sensor where files are placed. Package bundles are not moved to a path; they are simply installed.
sensors:
  - name: # sensor name
    type: localhost
    intel_path: "/etc/corelight/intel/intel.dat" # software sensors and localhost ONLY
    input_path: "/etc/corelight/input_files/" # software sensors and localhost ONLY
    suricata_path: "/etc/corelight/rules/suricata.rules" # software sensors and localhost ONLY
    bundle_path: "/etc/corelight/corelight.bundle" # software sensors ONLY
Administering encrypted passwords¶
As of Corelight-update version 1.1.0, Fleet and individual sensor passwords can be encrypted before they are stored in inventory. Using the encrypted_pass field allows you to replace the use of plain text passwords in your Corelight-update configuration file.
To use encrypted passwords:
1. Use the Corelight-update CLI command with the encrypt switch to encrypt the password string. When using special characters in your password string, wrap it in quotes. See CLI commands for more details.
2. Copy the encrypted password output from the console, and use it to update the encrypted_pass: field of the sensor inventory record, or Fleet configuration, in the policy configuration file.
3. Verify that the password: field of the sensor inventory record, or Fleet configuration, is empty.
4. Save the changes, and update the Corelight-update policy.
Note
A Fleet Manager configuration or sensor inventory record should not have both the password and encrypted_pass fields populated. Make sure to leave the password field blank when using the encrypted_pass field. If both fields are populated, the password field will be used.
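As an added example (not part of the Corelight-update documentation or product), the following Python lint reads an inventory in the db-config.json shape shown in this topic and reports the field rules it describes: the password/encrypted_pass precedence trap from the note above, plaintext passwords left in the file, fleet: true entries that will be skipped, ignore_tls on non-appliance types, *_path settings on appliances, and localhost entries without a destination path. The sample inventory and every value in it are constructed placeholders.

```python
import json

# Constructed sample in the db-config.json shape this topic describes; every value is a placeholder.
SAMPLE_INVENTORY = json.loads("""
{
  "fleet": {"ip": "fleet.example.internal", "username": "admin", "password": "",
            "encrypted_pass": "ENCRYPTED-PLACEHOLDER", "ignore_tls": true},
  "sensors": [
    {"name": "edge-01", "type": "physical", "fleet": false, "ip": "10.0.0.5", "username": "admin",
     "password": "plaintext-secret", "encrypted_pass": "ENCRYPTED-PLACEHOLDER", "ignore_tls": true},
    {"name": "soft-01", "type": "software", "ip": "10.0.0.6", "username": "corelight",
     "password": "ssh-key", "ignore_tls": true, "suricata": true},
    {"name": "old-01", "type": "virtual", "fleet": true, "ip": "10.0.0.7"},
    {"name": "local", "type": "localhost"}
  ]
}
""")

APPLIANCE_TYPES = {"physical", "virtual"}
PATH_KEYS = {"intel_path", "input_path", "suricata_path", "suricata_config_path", "bundle_path"}

def check_credentials(label, rec):
    """Flag the precedence trap: when both fields are set, the plaintext password is used."""
    pw, enc = rec.get("password", ""), rec.get("encrypted_pass", "")
    if pw and enc:
        return [f"{label}: password and encrypted_pass both set; plaintext password wins"]
    if pw and pw != "ssh-key":  # "ssh-key" is the software-sensor marker, not a secret
        return [f"{label}: plaintext password stored; move it to encrypted_pass"]
    return []

def lint_inventory(cfg):
    """Return one finding per rule violated in the fleet section and each sensor entry."""
    findings = check_credentials("fleet", cfg.get("fleet", {}))
    for s in cfg.get("sensors", []):
        label, kind = f"sensor {s.get('name', '?')}", s.get("type")
        if s.get("fleet"):  # Fleet Manager supplies this inventory; the entry is skipped
            findings.append(f"{label}: fleet=true, entry is skipped and can be removed")
            continue
        if kind == "localhost":  # no connectivity fields, but a destination path is needed
            if not PATH_KEYS.intersection(s):
                findings.append(f"{label}: localhost entry needs at least one *_path")
            continue
        findings += check_credentials(label, s)
        if kind not in APPLIANCE_TYPES and "ignore_tls" in s:
            findings.append(f"{label}: ignore_tls applies to physical and virtual sensors only")
        if kind in APPLIANCE_TYPES and PATH_KEYS.intersection(s):
            findings.append(f"{label}: *_path settings apply to software sensors and localhost only")
    return findings
```

Run lint_inventory over your own inventory (loaded from db-config.json) before updating the policy; a finding on the fleet section or on an appliance entry means the plaintext password, not the encrypted one, is what will be used.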
Using the Corelight-update CLI command with the encrypt switch encrypts the password string using AES-256 encryption. The encryption master key is randomly generated, and stored in the file /var/corelight-update/.corelight-update.
If the master key is removed and regenerated, all encrypted passwords will also have to be regenerated. A password must be encrypted with the current key to be decrypted successfully.
To generate a new master key, delete the existing key, and a new one will automatically be created when needed.