From ac540bbed8c3bf74bf879656c013de3abccac942 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Fri, 22 Mar 2024 09:29:24 +1030
Subject: [PATCH] cisco_meraki: fix webhook configuration and behavior

Cisco Meraki's approach to 'authentication' is not actually based on authentication. Instead a shared secret is passed as part of the event that is sent in the web hook publication[1]. So, in order to prevent ingestion of invalid or unauthorised events, check for shared secret matching in the ingest pipeline and drop event that do not match. Note that Cisco Meraki's approach does not provide any mechanism to prevent unauthorized connections. [1]https://developer.cisco.com/meraki/webhooks/introduction/#shared-secret
---
.../cisco_meraki/_dev/deploy/docker/docker-compose.yml | 2 --
.../_dev/deploy/docker/sample_events/meraki-mx-ndjson.log | 5 +++--
packages/cisco_meraki/changelog.yml | 5 +++++
.../events/_dev/test/system/test-meraki-http-config.yml | 2 ++
.../events/_dev/test/system/test-meraki-https-config.yml | 2 ++
.../data_stream/events/agent/stream/http_endpoint.yml.hbs | 6 ++++--
.../events/elasticsearch/ingest_pipeline/default.yml | 7 +++++--
packages/cisco_meraki/data_stream/events/manifest.yml | 2 +-
.../log/_dev/test/system/test-logfile-config.yml | 2 ++
.../data_stream/log/_dev/test/system/test-tcp-config.yml | 2 ++
.../data_stream/log/_dev/test/system/test-udp-config.yml | 2 ++
packages/cisco_meraki/manifest.yml | 2 +-
12 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/packages/cisco_meraki/_dev/deploy/docker/docker-compose.yml b/packages/cisco_meraki/_dev/deploy/docker/docker-compose.yml
index 7714b7408618..9886cc233b46 100644
--- a/packages/cisco_meraki/_dev/deploy/docker/docker-compose.yml
+++ b/packages/cisco_meraki/_dev/deploy/docker/docker-compose.yml
@@ -7,7 +7,6 @@ services:
 environment:
 - STREAM_PROTOCOL=webhook
 - STREAM_ADDR=http://elastic-agent:8686/meraki/events
- - STREAM_WEBHOOK_HEADER=Authorization=abc123
 command: log --start-signal=SIGHUP --delay=5s /sample_events/meraki-mx-ndjson.log
 meraki-webhook-https:
 image: docker.elastic.co/observability/stream:v0.6.2
@@ -16,7 +15,6 @@ services:
 environment:
 - STREAM_PROTOCOL=webhook
 - STREAM_ADDR=https://elastic-agent:8686/meraki/events
- - STREAM_WEBHOOK_HEADER=Authorization=abc123
 - STREAM_INSECURE=true
 command: log --start-signal=SIGHUP --delay=5s /sample_events/meraki-mx-ndjson.log
 cisco_meraki-log-logfile:
diff --git a/packages/cisco_meraki/_dev/deploy/docker/sample_events/meraki-mx-ndjson.log b/packages/cisco_meraki/_dev/deploy/docker/sample_events/meraki-mx-ndjson.log
index efed345fcabf..42e9cbee1306 100644
--- a/packages/cisco_meraki/_dev/deploy/docker/sample_events/meraki-mx-ndjson.log
+++ b/packages/cisco_meraki/_dev/deploy/docker/sample_events/meraki-mx-ndjson.log
@@ -1,2 +1,3 @@
-{ "version": "0.1", "sharedSecret": "secret", "sentAt": "2021-10-07T08:42:00.926325Z", "organizationId": "2930418", "organizationName": "My organization", "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", "networkId": "N_24329156", "networkName": "Main Office", "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", "networkTags": [], "deviceSerial": "Q234-ABCD-5678", "deviceMac": "00:11:22:33:44:55", "deviceName": "My appliance", "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", "deviceTags": [ "tag1", "tag2" ], "deviceModel": "MX", "alertId": "0000000000000000", "alertType": "Cellular came up", "alertTypeId": "cellular_up", "alertLevel": "informational", "occurredAt": "2018-02-11T00:00:00.123450Z", "alertData": { "provider": "Purview Wireless", "model": "UML290VW", "local": "192.168.1.2", "remote": "1.2.3.5", "connection": "LTE" } }
-{ "version": "0.1", "sharedSecret": "secret", "sentAt": "2021-10-07T08:42:00.927486Z", "organizationId": "2930418", "organizationName": "My organization", "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", "networkId": "N_24329156", "networkName": "Main Office", "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", "networkTags": [], "deviceSerial": "Q234-ABCD-5678", "deviceMac": "00:11:22:33:44:55", "deviceName": "", "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", "deviceTags": [ "tag1", "tag2" ], "deviceModel": "", "alertId": "0000000000000000", "alertType": "Insight Alert", "alertTypeId": "mi_alert", "alertLevel": "warning", "occurredAt": "2018-02-11T00:00:00.123450Z", "alertData": {} }
+{ "version": "0.1", "sharedSecret": "abc123", "sentAt": "2021-10-07T08:42:00.926325Z", "organizationId": "2930418", "organizationName": "My organization", "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", "networkId": "N_24329156", "networkName":
"Main Office", "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", "networkTags": [], "deviceSerial": "Q234-ABCD-5678", "deviceMac": "00:11:22:33:44:55", "deviceName": "My appliance", "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", "deviceTags": [ "tag1", "tag2" ], "deviceModel": "MX", "alertId": "0000000000000000", "alertType": "Cellular came up", "alertTypeId": "cellular_up", "alertLevel": "informational", "occurredAt": "2018-02-11T00:00:00.123450Z", "alertData": { "provider": "Purview Wireless", "model": "UML290VW", "local": "192.168.1.2", "remote": "1.2.3.5", "connection": "LTE" } }
+{ "version": "0.1", "sharedSecret": "abc123", "sentAt": "2021-10-07T08:42:00.927486Z", "organizationId": "2930418", "organizationName": "My organization", "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", "networkId": "N_24329156", "networkName": "Main Office", "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", "networkTags": [], "deviceSerial": "Q234-ABCD-5678", "deviceMac": "00:11:22:33:44:55", "deviceName": "", "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", "deviceTags": [ "tag1", "tag2" ], "deviceModel": "", "alertId": "0000000000000000", "alertType": "Insight Alert", "alertTypeId": "mi_alert", "alertLevel": "warning", "occurredAt": "2018-02-11T00:00:00.123450Z", "alertData": {} }
+{ "version": "0.1", "sharedSecret": "wrongsecret", "sentAt": "2021-10-09T08:42:00.926325Z", "organizationId": "2930418", "organizationName": "My organization", "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", "networkId": "N_24329156", "networkName": "Main Office", "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", "networkTags": [], "deviceSerial": "Q234-ABCD-5678", "deviceMac": "00:11:22:33:44:55", "deviceName": "My appliance", "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", "deviceTags": [ "tag1", "tag2"
], "deviceModel": "MX", "alertId": "0000000000000000", "alertType": "Cellular came up", "alertTypeId": "cellular_up", "alertLevel": "informational", "occurredAt": "2018-02-11T00:00:00.123450Z", "alertData": { "provider": "Purview Wireless", "model": "UML290VW", "local": "192.168.1.2", "remote": "1.2.3.5", "connection": "LTE" } }
diff --git a/packages/cisco_meraki/changelog.yml b/packages/cisco_meraki/changelog.yml
index fe8169c78d54..1d4bbd4c310b 100644
--- a/packages/cisco_meraki/changelog.yml
+++ b/packages/cisco_meraki/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.21.2"
+ changes:
+ - description: Fix webhook shared secret configuration and behavior.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9415
 - version: "1.21.1"
 changes:
 - description: Fix url processing.
diff --git a/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-http-config.yml b/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-http-config.yml
index 8d1477c15e5f..78f38d6c8228 100644
--- a/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-http-config.yml
+++ b/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-http-config.yml
@@ -9,3 +9,5 @@ data_stream:
 url: /meraki/events
 secret_value: abc123
 preserve_original_event: true
+assert:
+ hit_count: 2
diff --git a/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-https-config.yml b/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-https-config.yml
index 1bec59a6396f..062f0400af8e 100644
--- a/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-https-config.yml
+++ b/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-https-config.yml
@@ -60,3 +60,5 @@ data_stream:
 Iqi7is4z2mP8pbcIIlmloogE
 -----END PRIVATE KEY-----
 verification_mode: none
+assert:
+ hit_count: 2
\ No newline at end of file
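Review bot: The added third event exercises a non-matching `sharedSecret` (`"wrongsecret"`) but no sample exercises a missing or empty one, and that is exactly the case the new pipeline `drop` condition lets through, because it tests `ctx.json?.sharedSecret != null && ctx.json.sharedSecret != ''` before ever comparing against the configured secret. A fourth line copied from the first with `"sharedSecret": ""`, and a fifth with the key removed entirely, would make the `hit_count: 2` assertions in the system tests catch that gap. This file is wholly contained in the hunk.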
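Review bot: `hit_count: 2` silently depends on the docker sample data (three events in meraki-mx-ndjson.log, one carrying a `sharedSecret` that differs from the `secret_value: abc123` two lines above), and nothing in this file says so, so a future change to either side will fail the test without explanation. A comment above `assert:` would keep the two in step: `# 3 sample events are posted; the one whose sharedSecret != secret_value is dropped by the pipeline`. The same comment belongs in the https variant of this test.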
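Review bot: The appended `hit_count: 2` has no trailing newline (`\ No newline at end of file`), while the http variant of this test ends cleanly; yamllint's `new-line-at-end-of-file` rule flags it and the next line appended to this file will show up as a two-line diff. The udp test config later in the patch has the same defect.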
diff --git a/packages/cisco_meraki/data_stream/events/agent/stream/http_endpoint.yml.hbs b/packages/cisco_meraki/data_stream/events/agent/stream/http_endpoint.yml.hbs
index 1203728f1459..e0d65604e3ea 100644
--- a/packages/cisco_meraki/data_stream/events/agent/stream/http_endpoint.yml.hbs
+++ b/packages/cisco_meraki/data_stream/events/agent/stream/http_endpoint.yml.hbs
@@ -13,8 +13,10 @@ url: {{url}}
 {{/if}}
 {{#if secret_value}}
-secret.header: Authorization
-secret.value: "{{secret_value}}"
+fields_under_root: true
+fields:
+ _conf:
+ secret: "{{secret_value}}"
 {{/if}}
 {{#if ssl}}
diff --git a/packages/cisco_meraki/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/data_stream/events/elasticsearch/ingest_pipeline/default.yml
index 9dcc7e2fc327..79bf9a4ce3b8 100644
--- a/packages/cisco_meraki/data_stream/events/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_meraki/data_stream/events/elasticsearch/ingest_pipeline/default.yml
@@ -1,6 +1,8 @@
 ---
 description: Pipeline for processing Cisco Meraki events
 processors:
+- drop:
+ if: ctx.json?.sharedSecret != null && ctx.json.sharedSecret != '' && ctx._conf?.secret != ctx.json.sharedSecret
 - set:
 field: ecs.version
 value: '8.11.0'
@@ -15,7 +17,7 @@ processors:
 - append:
 field: observer.mac
 value: '{{{_tmp.observer.mac}}}'
- if: ctx?._tmp?.observer?.mac != null
+ if: ctx._tmp?.observer?.mac != null
 - set:
 field: observer.name
 copy_from: json.deviceName
@@ -267,10 +269,11 @@ processors:
 - cisco_meraki.event.alertType
 - cisco_meraki.event.alertLevel
 - _tmp
+ - _conf
 ignore_missing: true
 - remove:
 field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
 ignore_failure: true
 ignore_missing: true
 - script:
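Review bot: `fields._conf.secret` attaches the configured secret to every event the http_endpoint input publishes, so it now travels to Elasticsearch inside the document and is kept out of the index only by the ingest pipeline's `remove` of `_conf`; the replaced `secret.header`/`secret.value` setting kept the value on the agent side. Any document that reaches the index without that processor running — a pipeline failure handled by an `on_failure` that still indexes, or a custom pipeline ordered ahead of it; I can't see from here whether either exists — would persist the secret in cleartext. That deserves a comment on the new stanza, e.g. `# Carried on the event only so the ingest pipeline can compare it with json.sharedSecret; the pipeline removes _conf before indexing`, plus a check that the pipeline's failure path also drops `_conf`. The `{{#if ssl}}` block that follows continues outside the hunk.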
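Review bot: The `drop` condition rejects only events that carry a non-matching `sharedSecret`; a payload with the field absent or set to `''` passes the `!= null && != ''` guards and is ingested whatever `_conf.secret` holds, so a sender can bypass the check simply by omitting the field, which defeats the purpose the commit states. Conversely, when no `secret_value` is configured (`_conf.secret` null) every event that does carry a secret is dropped, silently, because `null != 'abc123'` is true. Keying the check on the configured value fixes both: `if: ctx._conf?.secret != null && ctx._conf.secret != ctx.json?.sharedSecret` — nothing configured means accept all, as `required: false` in the manifest implies; configured means missing, empty and mismatched all drop. A short comment above the processor saying this filters payloads by shared secret and does not authenticate the connection would also help the next maintainer.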
diff --git a/packages/cisco_meraki/data_stream/events/manifest.yml b/packages/cisco_meraki/data_stream/events/manifest.yml
index 33ad60deb9da..9d1aea4f7c35 100644
--- a/packages/cisco_meraki/data_stream/events/manifest.yml
+++ b/packages/cisco_meraki/data_stream/events/manifest.yml
@@ -32,7 +32,7 @@ streams:
 default: /meraki/events
 - name: secret_value
 type: password
- description: Authorization token
+ description: Shared secret used for selecting events that can be ingested.
 multi: false
 required: false
 show_user: true
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/cisco_meraki/data_stream/log/_dev/test/system/test-logfile-config.yml
index 075ff2cfb2c7..0d8dcb81f8ce 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/system/test-logfile-config.yml
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/system/test-logfile-config.yml
@@ -5,3 +5,5 @@ data_stream:
 paths:
 - "{{SERVICE_LOGS_DIR}}/cisco-meraki*.log"
 preserve_original_event: true
+assert:
+ hit_count: 204
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/cisco_meraki/data_stream/log/_dev/test/system/test-tcp-config.yml
index 1a0939ace909..f85ea451cf62 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/system/test-tcp-config.yml
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/system/test-tcp-config.yml
@@ -6,3 +6,5 @@ data_stream:
 listen_address: 0.0.0.0
 listen_port: 8685
 preserve_original_event: true
+assert:
+ hit_count: 204
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/cisco_meraki/data_stream/log/_dev/test/system/test-udp-config.yml
index 5699b412d515..d2cf3ea36162 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/system/test-udp-config.yml
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/system/test-udp-config.yml
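Review bot: The new `description` says what the value is used for internally but not where it must come from or what it does not do, which matters for a `type: password` setting that users will read as a credential: it has to equal the shared secret configured on the webhook receiver in the Meraki dashboard, and per the commit message it only filters payloads after the listener has already accepted them. Suggest `description: Shared secret configured on the webhook receiver in the Meraki dashboard. Events whose sharedSecret does not match are dropped; this does not authenticate the sender or restrict who can connect to the listener.` The `streams` definition continues outside the hunk.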
@@ -6,3 +6,5 @@ data_stream:
 listen_address: 0.0.0.0
 listen_port: 8685
 preserve_original_event: true
+assert:
+ hit_count: 204
\ No newline at end of file
diff --git a/packages/cisco_meraki/manifest.yml b/packages/cisco_meraki/manifest.yml
index 5c802388aac5..fb4e45580f24 100644
--- a/packages/cisco_meraki/manifest.yml
+++ b/packages/cisco_meraki/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: cisco_meraki
 title: Cisco Meraki
-version: "1.21.1"
+version: "1.21.2"
 description: Collect logs from Cisco Meraki with Elastic Agent.
 type: integration
 categories: