[Fleet] Update template and packaging code for fleet packages (elastic#1280)

* Update template and packaging code for fleet packages
* Fix linting

Author: rw-access

NOTICE.txt

@@ -1,15 +1,15 @@
 Detection Rules
-Copyright 2020 Elasticsearch B.V.
+Copyright 2021 Elasticsearch B.V.
 
 ---
 This product bundles rules based on https://github.com/BlueTeamLabs/sentinel-attack
-which is available under a "MIT" license. The files based on this license are:
+which is available under a "MIT" license. The rules based on this license are:
 
-- defense_evasion_via_filter_manager
-- discovery_process_discovery_via_tasklist_command
-- persistence_priv_escalation_via_accessibility_features
-- persistence_via_application_shimming
-- defense_evasion_execution_via_trusted_developer_utilities
+- "Potential Evasion via Filter Manager" (06dceabf-adca-48af-ac79-ffdf4c3b1e9a)
+- "Process Discovery via Tasklist" (cc16f774-59f9-462d-8b98-d27ccd4519ec)
+- "Potential Modification of Accessibility Binaries" (7405ddf1-6c8e-41ce-818f-48bea6bcaed8)
+- "Potential Application Shimming via Sdbinst" (fd4a992d-6130-4802-9ff8-829b89ae801f)
+- "Trusted Developer Application Usage" (9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1)
 
 MIT License
 
@@ -35,9 +35,9 @@ SOFTWARE.
 
 ---
 This product bundles rules based on https://github.com/FSecureLABS/leonidas
-which is available under a "MIT" license. The files based on this license are:
+which is available under a "MIT" license. The rules based on this license are:
 
-- credential_access_secretsmanager_getsecretvalue.toml
+- "AWS Access Secret in Secrets Manager" (a00681e3-9ed6-447c-ab2c-be648821c622)
 
 MIT License
 

detection_rules/packaging.py

@@ -10,6 +10,7 @@
 import json
 import os
 import shutil
+import textwrap
 from collections import defaultdict, OrderedDict
 from pathlib import Path
 from typing import List, Optional, Tuple
@@ -27,6 +28,7 @@
 RELEASE_DIR = get_path("releases")
 PACKAGE_FILE = get_etc_path('packages.yml')
 NOTICE_FILE = get_path('NOTICE.txt')
+FLEET_PKG_LOGO = get_etc_path("security-logo-color-64px.svg")
 
 
 # CHANGELOG_FILE = Path(get_etc_path('rules-changelog.json'))
@@ -476,30 +478,44 @@ def _generate_registry_package(self, save_dir):
 
         manifest = RegistryPackageManifest.from_dict(self.registry_data)
 
-        package_dir = Path(save_dir).joinpath(manifest.version)
+        package_dir = Path(save_dir) / 'fleet' / manifest.version
         docs_dir = package_dir / 'docs'
         rules_dir = package_dir / 'kibana' / definitions.ASSET_TYPE
 
         docs_dir.mkdir(parents=True)
         rules_dir.mkdir(parents=True)
 
-        manifest_file = package_dir.joinpath('manifest.yml')
-        readme_file = docs_dir.joinpath('README.md')
-        notice_file = package_dir.joinpath('NOTICE.txt')
+        manifest_file = package_dir / 'manifest.yml'
+        readme_file = docs_dir / 'README.md'
+        notice_file = package_dir / 'NOTICE.txt'
+        logo_file = package_dir / 'img' / 'security-logo-color-64px.png'
 
         manifest_file.write_text(yaml.safe_dump(manifest.asdict()))
+
+        logo_file.parent.mkdir(parents=True)
+        shutil.copyfile(FLEET_PKG_LOGO, logo_file)
         # shutil.copyfile(CHANGELOG_FILE, str(rules_dir.joinpath('CHANGELOG.json')))
 
         for rule in self.rules:
-            asset_path = rules_dir / f'rule-{rule.id}.json'
+            asset_path = rules_dir / f'{rule.id}.json'
             asset_path.write_text(json.dumps(rule.get_asset(), indent=4, sort_keys=True), encoding="utf-8")
 
-        readme_text = ('# Detection rules\n\n'
-                       'The detection rules package stores all the security rules '
-                       'for the detection engine within the Elastic Security application.\n\n')
+        notice_contents = Path(NOTICE_FILE).read_text()
+        readme_text = textwrap.dedent("""
+        # Detection rules
+
+        The detection rules package stores the prebuilt security rules for the Elastic Security [detection engine](https://www.elastic.co/guide/en/security/7.13/detection-engine-overview.html).
+
+        To download or update the rules, click **Settings** > **Install Prebuilt Security Detection Rules assets**.
+        Then [import](https://www.elastic.co/guide/en/security/master/rules-ui-management.html#load-prebuilt-rules)
+        the rules into the Detection engine.
+
+        ## License Notice
+
+        """) + textwrap.indent(notice_contents, prefix="    ")  # noqa: E501
 
         readme_file.write_text(readme_text)
-        notice_file.write_text(Path(NOTICE_FILE).read_text())
+        notice_file.write_text(notice_contents)
 
     def bump_versions(self, save_changes=False, current_versions=None):
         """Bump the versions of all production rules included in a release and optionally save changes."""

detection_rules/schemas/registry_package.py

@@ -6,9 +6,9 @@
 """Definitions for packages destined for the registry."""
 
 from dataclasses import dataclass, field
-from typing import Dict, List, Type
+from typing import Dict, List, Optional, Type
 
-from marshmallow import Schema, validate
+from marshmallow import Schema
 from marshmallow_dataclass import class_schema
 
 from .definitions import ConditionSemVer, SemVer
@@ -18,22 +18,22 @@
 class RegistryPackageManifest:
     """Base class for registry packages."""
 
+    categories: List[str]
     conditions: Dict[str, ConditionSemVer]
+    description: str
+    format_version: SemVer
+    icons: list
+    license: str
+    name: str
+    owner: Dict[str, str]
+    release: str
+    title: str
+    type: str
     version: SemVer
 
-    categories: List[str] = field(default_factory=lambda: ['security'])
-    description: str = 'Rules for the detection engine in the Security application.'
-    format_version: SemVer = field(metadata=dict(validate=validate.Equal('1.0.0')), default='1.0.0')
-    icons: list = field(default_factory=list)
-    internal: bool = True
-    license: str = 'basic'
-    name: str = 'detection_rules'
-    owner: Dict[str, str] = field(default_factory=lambda: dict(github='elastic/protections'))
+    internal: Optional[bool] = None
     policy_templates: list = field(default_factory=list)
-    release: str = 'experimental'
     screenshots: list = field(default_factory=list)
-    title: str = 'Detection rules'
-    type: str = 'integration'
 
     @classmethod
     def get_schema(cls) -> Type[Schema]:

etc/packages.yml

@@ -24,9 +24,20 @@ package:
 
   # elastic/integrations
   registry_data:
-    # integration package schema version
-    format_version: "1.0.0"
+    categories: ["security"]
     conditions:
       kibana_version: "^7.13.0"
-    # this determines the version for the package-storage generated artifact
-    version: "0.0.1-dev.3"
+    description: "Prebuilt detection rules for Elastic Security"
+    format_version: "1.0.0"
+    icons:
+    - src: "/img/security-logo-color-64px.svg"
+      size: "16x16"
+      type: "image/svg+xml"
+    license: basic
+    name: "detection_rules"
+    owner:
+      github: elastic/protections
+    release: "beta"
+    title: "Prebuilt Security Detection Rules"
+    type: "integration"
+    version: "0.13.0"