From 1de768c18238f4af25438378d1e8443b69fd9c94 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 6 May 2021 12:02:05 -0400 Subject: [PATCH 01/24] Update HOTFIX --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index b0bdf03a0..364d0a6a8 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -GRIDFIX \ No newline at end of file +GRIDFIX ZEEKFIX From 90b3462eadfc67fe08b62f92d71f86011e1a0e95 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 6 May 2021 13:29:15 -0400 Subject: [PATCH 02/24] No recurse for you --- salt/zeek/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index fe6478464..02c1cc1ba 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -78,6 +78,7 @@ zeekspoolownership: file.directory: - name: /nsm/zeek/spool - user: 937 + - max_depth: 0 - recurse: - user From a49f2e2d98ae87ea0bcaa1c1fa5f5f33393836fc Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 6 May 2021 13:38:16 -0400 Subject: [PATCH 03/24] change log_level_logfile to error for /opt/so/log/salt/minion --- salt/salt/minion.sls | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index 1a172d851..20a6aaac7 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls @@ -43,12 +43,18 @@ hold_salt_packages: {% endfor %} {% endif %} +remove_info_log_level_logfile: + file.line: + - name: /etc/salt/minion + - match: "log_level_logfile: info" + - mode: delete + set_log_levels: file.append: - name: /etc/salt/minion - text: - "log_level: info" - - "log_level_logfile: info" + - "log_level_logfile: error" - listen_in: - service: salt_minion_service From fb986b5cff14fe0a7937373397a829e2eab85358 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 6 May 2021 14:55:14 -0400 Subject: [PATCH 04/24] set both log levels to error --- salt/salt/minion.sls | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
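Review bot: In `zeekspoolownership`, the added `max_depth: 0` sits next to `recurse: - user`, which reads as contradictory, and the subject "No recurse for you" does not say why. A short comment above the line would record the intent, for example `# max_depth 0: do not walk the spool tree on each highstate`, adjusted to the real reason. If no recursion is wanted at all, dropping the `recurse` block would state that more directly. The rest of the state is outside the hunk, so whether ownership below /nsm/zeek/spool is enforced elsewhere cannot be seen here.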
diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index 20a6aaac7..f5770621b 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls @@ -49,11 +49,17 @@ remove_info_log_level_logfile: - match: "log_level_logfile: info" - mode: delete +remove_info_log_level: + file.line: + - name: /etc/salt/minion + - match: "log_level: info" + - mode: delete + set_log_levels: file.append: - name: /etc/salt/minion - text: - - "log_level: info" + - "log_level: error" - "log_level_logfile: error" - listen_in: - service: salt_minion_service From b39c8c1f1f19cf9a62a5a3a54438817d84b84853 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 7 May 2021 11:02:23 -0400 Subject: [PATCH 05/24] exit after 50 tries if manager cant connect to iteself via salt --- salt/common/tools/sbin/soup | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 77a2b6018..620737c16 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -802,7 +802,7 @@ else systemctl start salt-master # Testing that that salt-master is up by checking that is it connected to itself - retry 50 10 "salt-call state.show_top -l error" + retry 50 10 "salt-call state.show_top -l error" || exit 1 echo "" echo "Ensuring python modules for Salt are installed and patched." @@ -834,6 +834,10 @@ else echo "" echo "Starting Salt Master service." systemctl start salt-master + + # Testing that that salt-master is up by checking that is it connected to itself + retry 50 10 "salt-call state.show_top -l error" || exit 1 + echo "Running a highstate. This could take several minutes." salt-call state.highstate -l info queue=True postupgrade_changes From 4c7cee4ebcb9bcf3395ee4bb62eb36b5c858890e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 17 May 2021 15:55:49 -0400 Subject: [PATCH 06/24] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 58e1f4fa9..a986af08b 100644 
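Review bot: With both `log_level: error` and `log_level_logfile: error` in `set_log_levels`, the minion stops writing info-level records, so the minion log will presumably no longer show the routine job and state activity that helps when reconstructing what configuration management did on a node. If the aim is only a smaller log file, keeping one of the two at `warning` or adding a comment that names the reason would record the trade-off. The `file.line` delete states also use unanchored patterns; `- match: "^log_level: info$"` would avoid touching unrelated or commented lines.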
--- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.50 +2.3.51 From d001597e52c6b03d5138b1360e7cc465ed77b78f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 17 May 2021 15:56:46 -0400 Subject: [PATCH 07/24] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 353e51866..d71e83575 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.3.50 +## Security Onion 2.3.51 -Security Onion 2.3.50 is here! +Security Onion 2.3.51 is here! ## Screenshots From e50002e0ca5f5764212b28c3ee9bc3919984b6bc Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 17 May 2021 16:26:12 -0400 Subject: [PATCH 08/24] influx and grafana default for manager nodes - https://github.com/Security-Onion-Solutions/securityonion/issues/4207 --- salt/grafana/init.sls | 2 +- salt/influxdb/init.sls | 2 +- salt/soc/files/soc/soc.json | 2 +- setup/so-whiptail | 12 ++++++++++++ 4 files changed, 15 insertions(+), 3 deletions(-) diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index 4a0cc7b08..b6e20bb9d 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -11,7 +11,7 @@ {% set GRAFANA_SETTINGS = salt['grains.filter_by'](default_settings, default='grafana', merge=salt['pillar.get']('grafana', {})) %} -{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %} +{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %} # Grafana all the things grafanadir: diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index aace4e827..485cc951b 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls 
@@ -6,7 +6,7 @@ {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %} +{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %} # Influx DB influxconfdir: diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 6f1c3a6da..266b602aa 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -54,7 +54,7 @@ "verifyCert": false }, "influxdb": { -{%- if grains['role'] in ['so-import'] %} +{%- if grains['role'] in ['so-import'] or GRAFANA == 0 %} "hostUrl": "", {%- else %} "hostUrl": "https://{{ MANAGERIP }}:8086", diff --git a/setup/so-whiptail b/setup/so-whiptail index 09346828f..5eca2d39a 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -408,6 +408,7 @@ whiptail_enable_components() { PLAYBOOK=0 STRELKA=0 +if [[ $is_eval ]]; then COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \ "Select Components to install:" 20 75 8 \ GRAFANA "Enable Grafana for system monitoring" ON \ @@ -416,6 +417,17 @@ whiptail_enable_components() { THEHIVE "Enable TheHive" ON \ PLAYBOOK "Enable Playbook" ON \ STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3) +else + COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \ + "Select Components to install:" 20 75 7 \ + OSQUERY "Enable Fleet with osquery" ON \ + WAZUH "Enable Wazuh" ON \ + THEHIVE "Enable TheHive" ON \ + PLAYBOOK "Enable Playbook" ON \ + STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3) + export "GRAFANA=1" +fi + local exitstatus=$? whiptail_check_exitstatus $exitstatus From ef32bff302a8781e68bbf55ceb9fcaa079125fba Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 17 May 2021 18:29:27 -0400 Subject: [PATCH 09/24] fix up soc.json --- salt/soc/files/soc/soc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 266b602aa..5dfd364d2 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -54,7 +54,7 @@ "verifyCert": false }, "influxdb": { -{%- if grains['role'] in ['so-import'] or GRAFANA == 0 %} +{%- if grains['role'] in ['so-import'] or (grains['role'] == 'so-eval' and GRAFANA == 0) %} "hostUrl": "", {%- else %} "hostUrl": "https://{{ MANAGERIP }}:8086", From 0de1c9a6696144f8e46eca2a6a420649690ba55b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 18 May 2021 07:57:00 -0400 Subject: [PATCH 10/24] removing unreference pillar file docker/config.sls --- pillar/docker/config.sls | 208 --------------------------------------- 1 file changed, 208 deletions(-) delete mode 100644 pillar/docker/config.sls diff --git a/pillar/docker/config.sls b/pillar/docker/config.sls deleted file mode 100644 index da6fac83a..000000000 --- a/pillar/docker/config.sls +++ /dev/null 
@@ -1,208 +0,0 @@ -{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%} -{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%} -{% set WAZUH = salt['pillar.get']('manager:wazuh', '0') %} -{% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %} -{% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} -{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %} -{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %} -{% set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %} -{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} - -eval: - containers: - - so-nginx - - so-telegraf - {% if GRAFANA == '1' %} - - so-influxdb - - so-grafana - {% endif %} - - so-dockerregistry - - so-soc - - so-kratos - - so-idstools - {% if FLEETMANAGER %} - - so-mysql - - so-fleet - - so-redis - {% endif %} - - so-elasticsearch - - so-logstash - - so-kibana - - so-steno - - so-suricata - - so-zeek - - so-curator - - so-elastalert - {% if WAZUH != '0' %} - - so-wazuh - {% endif %} - - so-soctopus - {% if THEHIVE != '0' %} - - so-thehive - - so-thehive-es - - so-cortex - {% endif %} - {% if PLAYBOOK != '0' %} - - so-playbook - {% endif %} - {% if FREQSERVER != '0' %} - - so-freqserver - {% endif %} - {% if DOMAINSTATS != '0' %} - - so-domainstats - {% endif %} -heavy_node: - containers: - - so-nginx - - so-telegraf - - so-redis - - so-logstash - - so-elasticsearch - - so-curator - - so-steno - - so-suricata - - so-wazuh - - so-filebeat - {% if ZEEKVER != 'SURICATA' %} - - so-zeek - {% endif %} -helix: - containers: - - so-nginx - - so-telegraf - - so-idstools - - so-steno - - so-zeek - - so-redis - - so-logstash - - so-filebeat -hot_node: - containers: - - so-nginx - - so-telegraf - - so-logstash - - so-elasticsearch - - so-curator -manager_search: - containers: - - so-nginx - - so-telegraf - - so-soc - - so-kratos - - so-acng - - so-idstools - - so-redis - - so-logstash - - so-elasticsearch - 
- so-curator - - so-kibana - - so-elastalert - - so-filebeat - - so-soctopus - {% if FLEETMANAGER %} - - so-mysql - - so-fleet - - so-redis - {% endif %} - {% if WAZUH != '0' %} - - so-wazuh - {% endif %} - - so-soctopus - {% if THEHIVE != '0' %} - - so-thehive - - so-thehive-es - - so-cortex - {% endif %} - {% if PLAYBOOK != '0' %} - - so-playbook - {% endif %} - {% if FREQSERVER != '0' %} - - so-freqserver - {% endif %} - {% if DOMAINSTATS != '0' %} - - so-domainstats - {% endif %} -manager: - containers: - - so-dockerregistry - - so-nginx - - so-telegraf - {% if GRAFANA == '1' %} - - so-influxdb - - so-grafana - {% endif %} - - so-soc - - so-kratos - - so-acng - - so-idstools - - so-redis - - so-elasticsearch - - so-logstash - - so-kibana - - so-elastalert - - so-filebeat - {% if FLEETMANAGER %} - - so-mysql - - so-fleet - - so-redis - {% endif %} - {% if WAZUH != '0' %} - - so-wazuh - {% endif %} - - so-soctopus - {% if THEHIVE != '0' %} - - so-thehive - - so-thehive-es - - so-cortex - {% endif %} - {% if PLAYBOOK != '0' %} - - so-playbook - {% endif %} - {% if FREQSERVER != '0' %} - - so-freqserver - {% endif %} - {% if DOMAINSTATS != '0' %} - - so-domainstats - {% endif %} -parser_node: - containers: - - so-nginx - - so-telegraf - - so-logstash -search_node: - containers: - - so-nginx - - so-telegraf - - so-logstash - - so-elasticsearch - - so-curator - - so-filebeat - {% if WAZUH != '0' %} - - so-wazuh - {% endif %} -sensor: - containers: - - so-nginx - - so-telegraf - - so-steno - - so-suricata - {% if ZEEKVER != 'SURICATA' %} - - so-zeek - {% endif %} - - so-wazuh - - so-filebeat -warm_node: - containers: - - so-nginx - - so-telegraf - - so-elasticsearch -fleet: - containers: - {% if FLEETNODE %} - - so-mysql - - so-fleet - - so-redis - - so-filebeat - - so-nginx - - so-telegraf - {% endif %} \ No newline at end of file From fe155222c24c3ca01769c659e20a25f01a178cfb Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Tue, 18 May 2021 09:51:54 -0400 Subject: [PATCH 11/24] Introduce mixed-case sensor into distributed test --- setup/automation/distributed-iso-sensor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/automation/distributed-iso-sensor b/setup/automation/distributed-iso-sensor index 955019bd8..90be8ccd5 100644 --- a/setup/automation/distributed-iso-sensor +++ b/setup/automation/distributed-iso-sensor @@ -34,7 +34,7 @@ ZEEKVERSION=ZEEK # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit -HOSTNAME=distributed-sensor +HOSTNAME=Distributed-Sensor install_type=SENSOR # LSINPUTBATCHCOUNT= # LSINPUTTHREADS= From 25e2edc6d238fceccdf6e6d3e48bf883bd35f6ba Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 18 May 2021 12:31:33 -0400 Subject: [PATCH 12/24] Reset HOTFIX with new release --- HOTFIX | 1 - 1 file changed, 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index 364d0a6a8..e69de29bb 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +0,0 @@ -GRIDFIX ZEEKFIX From b440f733366c6eb946f4a7852207ad59a70ae283 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 19 May 2021 18:37:08 -0400 Subject: [PATCH 13/24] Truncate wait_for_web_response.log before each wait invocation --- salt/common/tools/sbin/so-common | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 22c7543ea..56123f418 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -487,6 +487,7 @@ wait_for_web_response() { expected=$2 maxAttempts=${3:-300} logfile=/root/wait_for_web_response.log + truncate -s 0 "$logfile" attempt=0 while [[ $attempt -lt $maxAttempts ]]; do attempt=$((attempt+1)) From 7aed01658fe25e821e9542e9947665d2972a6fd4 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Thu, 20 May 2021 22:10:36 -0400 Subject: [PATCH 14/24] Sig file for 2.3.51 --- VERIFY_ISO.md | 22 +++++++++++----------- sigs/securityonion-2.3.51.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.51.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 2b97521dd..018d9e916 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,17 +1,17 @@ -### 2.3.50 ISO image built on 2021/04/27 +### 2.3.51 ISO image built on 2021/04/27 ### Download and Verify -2.3.50 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso +2.3.51 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.51.iso -MD5: C39CEA68B5A8AFC5CFFB2481797C0374 -SHA1: 00AD9F29ABE3AB495136989E62EBB8FA00DA82C6 -SHA256: D77AE370D7863837A989F6735413D1DD46B866D8D135A4C363B0633E3990387E +MD5: 7CFB525BEFC0A9F2ED148F5831E387FA +SHA1: 8CC34FCCC36822B309B8168AA706B3D1EC7F3BFD +SHA256: 9892C2546C9AE5A48015160F379B070F0BE30C89693B97F3F1E1592DDCE1DEE0 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.51.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.51.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.51.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.50.iso.sig securityonion-2.3.50.iso +gpg --verify securityonion-2.3.51.iso.sig securityonion-2.3.51.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Tue 27 Apr 2021 02:17:25 PM EDT using RSA key ID FE507013 +gpg: Signature made Thu 20 May 2021 07:49:57 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.3.51.iso.sig b/sigs/securityonion-2.3.51.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..80137a352152bb142a0ae0d7926ac00aff4b0357 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;8EOyvLy2@re`V7LBIa1%&k5C2n+tWPThb0s2 zN5K+$mR8o|yx}I|O-OsnamJ#p&1!`3iX*IDpTyXuf8hx7^*Mx;#+8b5@IkzIu^S7t zubXL$t0%IHQ!0^Pt$2s;cvlCAxW??=O3#4`i@DTuTc_tm*}+iNodb~MhRI|d-7s-_ zRtSk={KP|UGUfHV%G z8+S&nNnv4jm}<^1etZC{v}TLvI2!{w=wjc1E*=nu%|OFkP)q{t$W+qxldpv|BguU$ zwd5eMir&G8VS4vhh!r5wD4>c&Nhn6pVPNao_5G3?n}KLn)tSjpD0tg1;xnn8q_Vbp zSpYprNxdL|n+Ol~FhWIupF2ELwoq&m3PBW0Sfra18PlSt0f%l2 ztVaFaGx?;kjP{C`Ln< z4@d%!)Q~Z_NPCkH*8Y(aY%ajD8jB#hVTkFPrpc2&4c2 literal 0 HcmV?d00001 
From c1dd4dafe47001101e949d5a8fbefaca0d97f987 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 21 May 2021 12:41:10 -0400 Subject: [PATCH 15/24] Fix influx state --- salt/influxdb/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index bafcbd53b..346d971fd 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -3,7 +3,7 @@ {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} -{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %} +{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %} {% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} From 71032150c5a08c6889e828b6500c79a3cd86929f Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 21 May 2021 17:27:00 -0400 Subject: [PATCH 16/24] Add secure HTTP headers to all SO application responses to reduce exposure to browser and other HTTP-related vulnerabilities --- salt/nginx/etc/nginx.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index ea820442b..e9f67e065 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -149,6 +149,12 @@ http { root /opt/socore/html; index index.html; + add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:; frame-ancestors 'self'"; + add_header X-Frame-Options SAMEORIGIN; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/server.key"; ssl_session_cache shared:SSL:1m; From 0572ea4095b7388d7d88c8e4740be18a56fb73ab Mon Sep 17 00:00:00 2001 
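Review bot: The five `add_header` lines are set at `server` level without `always`, so nginx omits them on error responses (4xx/5xx), and any `location` block that declares its own `add_header` will not inherit them; the locations are outside the hunk, so this needs checking against the full file. Adding `always`, e.g. `add_header X-Content-Type-Options nosniff always;`, and repeating the set in locations that define headers covers both cases. The CSP allows `'unsafe-inline'`, `'unsafe-eval'` and any `https:` source, so it mainly contributes `frame-ancestors 'self'` and gives little protection against script injection; a comment naming which application needs the relaxed policy would help later tightening. `preload` in the HSTS value has no effect unless the domain is submitted to a preload list and is hard to undo, so it is worth dropping for a locally hosted appliance.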
From: Jason Ertel Date: Fri, 21 May 2021 17:27:11 -0400 Subject: [PATCH 17/24] Fail curl command if a failing status code is returned by the remote server --- salt/common/tools/sbin/so-image-common | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index be5a327f0..47b04f241 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -128,7 +128,7 @@ update_docker_containers() { mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1 # Let's make sure we have the public key - retry 50 10 "curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" >> "$LOG_FILE" 2>&1 + retry 50 10 "curl -f -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" >> "$LOG_FILE" 2>&1 result=$? if [[ $result -eq 0 ]]; then cat $SIGNPATH/KEYS | gpg --import - >> "$LOG_FILE" 2>&1 @@ -151,7 +151,7 @@ update_docker_containers() { retry 50 10 "docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image" >> "$LOG_FILE" 2>&1 # Get signature - retry 50 10 "curl -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" >> "$LOG_FILE" 2>&1 + retry 50 10 "curl -f -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" >> "$LOG_FILE" 2>&1 if [[ $? -ne 0 ]]; then echo "Unable to pull signature file for $image" >> "$LOG_FILE" 2>&1 exit 1 From 915b7aa2df48ce83b6bd5c6543d4f924d15b8268 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 24 May 2021 10:52:54 -0400 Subject: [PATCH 18/24] Switch Kratos config from argon2 to bcrypt12 --- salt/soc/files/kratos/kratos.yaml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) 
diff --git a/salt/soc/files/kratos/kratos.yaml b/salt/soc/files/kratos/kratos.yaml index c26aeec3f..a0a72b3ab 100644 --- a/salt/soc/files/kratos/kratos.yaml +++ b/salt/soc/files/kratos/kratos.yaml @@ -41,12 +41,8 @@ serve: base_url: https://{{ WEBACCESS }}/kratos/ hashers: - argon2: - parallelism: 2 - memory: 16384 - iterations: 3 - salt_length: 16 - key_length: 32 + bcrypt: + cost: 12 identity: default_schema_url: file:///kratos-conf/schema.json From 409eea677ddc6f57bc77ecbbbe6610f7b9cb5f7c Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 24 May 2021 11:50:53 -0400 Subject: [PATCH 19/24] Continue removal of argon hashing --- salt/common/init.sls | 2 -- salt/common/tools/sbin/so-user | 11 ++++------- setup/so-functions | 4 ++-- 3 files changed, 6 insertions(+), 11 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 33a8b9984..79a7c5300 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -95,7 +95,6 @@ commonpkgs: - netcat - python3-mysqldb - sqlite3 - - argon2 - libssl-dev - python3-dateutil - python3-m2crypto @@ -128,7 +127,6 @@ commonpkgs: - net-tools - curl - sqlite - - argon2 - mariadb-devel - nmap-ncat - python3 diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index b97cc8a8b..edfa4b303 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -39,10 +39,7 @@ email=$2 kratosUrl=${KRATOS_URL:-http://127.0.0.1:4434} databasePath=${KRATOS_DB_PATH:-/opt/so/conf/kratos/db/db.sqlite} -argon2Iterations=${ARGON2_ITERATIONS:-3} -argon2Memory=${ARGON2_MEMORY:-14} -argon2Parallelism=${ARGON2_PARALLELISM:-2} -argon2HashSize=${ARGON2_HASH_SIZE:-32} +bcryptRounds=${BCRYPT_ROUNDS:-12} function fail() { msg=$1 @@ -58,7 +55,7 @@ function require() { # Verify this environment is capable of running this script function verifyEnvironment() { - require "argon2" + require "htpasswd" require "jq" require "curl" require "openssl" 
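Review bot: Moving `hashers` to `bcrypt` with `cost: 12` means only the first 72 bytes of a password take part in the hash (some bcrypt implementations reject longer input instead), and it gives up argon2's memory hardness. The hunk does not say why; a comment such as `# bcrypt so the hash can be shared with other components; passwords are effectively limited to 72 bytes` would record the trade-off (patch 21/24 on this page reuses the hashes for Elasticsearch), and so-user's password validation could enforce that limit. Whether hashes already stored with argon2 still verify after this change is not visible here and should be confirmed before upgrading existing installs.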
@@ -111,8 +108,8 @@ function updatePassword() { if [[ -n $identityId ]]; then # Generate password hash - salt=$(openssl rand -hex 8) - passwordHash=$(echo "${password}" | argon2 ${salt} -id -t $argon2Iterations -m $argon2Memory -p $argon2Parallelism -l $argon2HashSize -e) + passwordHash=$(echo "${password}" | htpasswd -niBC $bcryptRounds SOUSER) | cut -c 11- + passwordHash="\$2a${passwordHash} # Update DB with new hash echo "update identity_credentials set config=CAST('{\"hashed_password\":\"${passwordHash}\"}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath" diff --git a/setup/so-functions b/setup/so-functions index 5ce3d6dee..33e0514fc 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2079,7 +2079,7 @@ saltify() { 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT') reserve_group_ids >> "$setup_log" 2>&1 if [[ ! $is_iso ]]; then - logCmd "yum -y install sqlite argon2 curl mariadb-devel" + logCmd "yum -y install sqlite curl mariadb-devel" fi # Download Ubuntu Keys in case manager updates = 1 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 @@ -2175,7 +2175,7 @@ saltify() { retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || exit 1 set_progress_str 6 'Installing various dependencies' - retry 50 10 "apt-get -y install sqlite3 argon2 libssl-dev" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install sqlite3 libssl-dev" >> "$setup_log" 2>&1 || exit 1 set_progress_str 7 'Installing salt-master' retry 50 10 "apt-get -y install salt-master=3003+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1 From 8c6489a49a945ee08c2906bd9955bc858bbb489b Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 24 May 2021 15:48:05 -0400 Subject: [PATCH 20/24] Initial pass at synchronizing users file --- salt/common/tools/sbin/so-user | 21 ++++++++++++++++++--- salt/elasticsearch/init.sls | 2 ++ 2 files changed, 20 insertions(+), 3 deletions(-) 
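Review bot: The two added lines in `updatePassword` leave so-user broken at this commit. In `passwordHash=$(echo "${password}" | htpasswd -niBC $bcryptRounds SOUSER) | cut -c 11-` the assignment becomes the first stage of a pipeline, so it runs in a subshell and `passwordHash` is never set in the calling shell, and `passwordHash="\$2a${passwordHash}` has no closing quote. Patch 20/24 later on this page rewrites both lines, so the two commits should be applied or backported together. Separately, `echo "${password}"` can mangle a password that looks like an echo option; `printf '%s\n' "$password" | htpasswd -niBC "$bcryptRounds" SOUSER` avoids that. The function starts above the hunk.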
diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index edfa4b303..dbd755bc4 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -40,6 +40,7 @@ email=$2 kratosUrl=${KRATOS_URL:-http://127.0.0.1:4434} databasePath=${KRATOS_DB_PATH:-/opt/so/conf/kratos/db/db.sqlite} bcryptRounds=${BCRYPT_ROUNDS:-12} +extractedHashFile=${EXTRACTED_HASH_FILE:-/opt/so/conf/elasticsearch/users} function fail() { msg=$1 @@ -108,15 +109,19 @@ function updatePassword() { if [[ -n $identityId ]]; then # Generate password hash - passwordHash=$(echo "${password}" | htpasswd -niBC $bcryptRounds SOUSER) | cut -c 11- - passwordHash="\$2a${passwordHash} - + passwordHash=$(echo "${password}" | htpasswd -niBC $bcryptRounds SOUSER) + passwordHash=$(echo "$passwordHash" | cut -c 11-) + passwordHash="\$2a${passwordHash}" # Update DB with new hash echo "update identity_credentials set config=CAST('{\"hashed_password\":\"${passwordHash}\"}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath" [[ $? != 0 ]] && fail "Unable to update password" fi } +function extractHashes() { + echo "select ici.identifier || ':' || json_extract(ic.config, '$.hashed_password') from identity_credential_identifiers ici, identity_credentials ic where ici.identity_credential_id=ic.id and json_extract(ic.config, '$.hashed_password') is not null order by ici.identifier" | sqlite3 "$databasePath" > "$extractedHashFile" +} + function listUsers() { response=$(curl -Ss -L ${kratosUrl}/identities) [[ $? != 0 ]] && fail "Unable to communicate with Kratos" @@ -208,6 +213,7 @@ case "${operation}" in validateEmail "$email" updatePassword createUser "$email" + extractHashes echo "Successfully added new user to SOC" check_container thehive && echo $password | so-thehive-user-add "$email" check_container fleet && echo $password | so-fleet-user-add "$email" 
@@ -223,6 +229,7 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" updateUser "$email" + extractHashes echo "Successfully updated user" ;; @@ -231,6 +238,7 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" updateStatus "$email" 'active' + extractHashes echo "Successfully enabled user" check_container thehive && so-thehive-user-enable "$email" true check_container fleet && so-fleet-user-enable "$email" true @@ -241,6 +249,7 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" updateStatus "$email" 'locked' + extractHashes echo "Successfully disabled user" check_container thehive && so-thehive-user-enable "$email" false check_container fleet && so-fleet-user-enable "$email" false @@ -251,11 +260,17 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" deleteUser "$email" + extractHashes echo "Successfully deleted user" check_container thehive && so-thehive-user-enable "$email" false check_container fleet && so-fleet-user-enable "$email" false ;; + "sync") + extractHashes + echo "Synchronization complete" + ;; + "validate") validateEmail "$email" updatePassword diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index df297986a..c6ac600ef 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -202,6 +202,8 @@ so-elasticsearch: - binds: - /opt/so/conf/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro + - /opt/so/conf/elasticsearch/users:/usr/share/elasticsearch/config/users:ro + - /opt/so/conf/elasticsearch/users_roles:/usr/share/elasticsearch/config/users_roles:ro - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro 
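Review bot: The two new read-only binds in `so-elasticsearch` assume that `/opt/so/conf/elasticsearch/users` and `/opt/so/conf/elasticsearch/users_roles` already exist as files when the container starts. In this patch so-user only writes `users` (through `extractHashes`, with whatever umask the caller has), nothing creates `users_roles`, and no Salt state in the visible hunk manages either path; Docker typically creates a missing bind source as a directory, which would then stand in for the expected file. A `file.managed` state for both paths with `replace: False`, restrictive owner and mode (the files hold password hashes), and a requisite from the container state would close that gap. The container definition continues outside the hunk.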
From ec2f8fe6c88527d0a4b1cc322b17115c930ba69d Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 25 May 2021 17:16:05 -0400 Subject: [PATCH 21/24] Synchronize SOC passwords with Elastic --- salt/common/tools/sbin/so-user | 74 ++++++++++++++++++++++++++++------ 1 file changed, 61 insertions(+), 13 deletions(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index dbd755bc4..b516cf6ad 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -40,7 +40,8 @@ email=$2 kratosUrl=${KRATOS_URL:-http://127.0.0.1:4434} databasePath=${KRATOS_DB_PATH:-/opt/so/conf/kratos/db/db.sqlite} bcryptRounds=${BCRYPT_ROUNDS:-12} -extractedHashFile=${EXTRACTED_HASH_FILE:-/opt/so/conf/elasticsearch/users} +elasticUsersFile=${ELASTIC_USERS_FILE:-/opt/so/conf/elasticsearch/users} +elasticRolesFile=${ELASTIC_ROLES_FILE:-/opt/so/conf/elasticsearch/users_roles} function fail() { msg=$1 @@ -93,6 +94,16 @@ function validateEmail() { fi } +function hashPassword() { + password=$1 + + passwordHash=$(echo "${password}" | htpasswd -niBC $bcryptRounds SOUSER) + passwordHash=$(echo "$passwordHash" | cut -c 11-) + passwordHash="\$2a${passwordHash}" # still waiting for https://github.com/elastic/elasticsearch/issues/51132 + echo "$passwordHash" +} + + function updatePassword() { identityId=$1 
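Review bot: `hashPassword` assigns `password=$1` and `passwordHash` without `local`, so both are globals shared with `updatePassword`, which keeps the user's password in `password` for the later so-thehive-user-add and so-fleet-user-add pipes. The callers visible on this page invoke it inside `$(...)`, which hides the overwrite, but a direct call would silently replace that value with its argument. Declaring `local password=$1` and `local passwordHash` keeps the function self-contained. `$bcryptRounds` is also unquoted in the htpasswd call.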
@@ -109,17 +120,54 @@ function updatePassword() { if [[ -n $identityId ]]; then # Generate password hash - passwordHash=$(echo "${password}" | htpasswd -niBC $bcryptRounds SOUSER) - passwordHash=$(echo "$passwordHash" | cut -c 11-) - passwordHash="\$2a${passwordHash}" + passwordHash=$(hashPassword "$password") # Update DB with new hash - echo "update identity_credentials set config=CAST('{\"hashed_password\":\"${passwordHash}\"}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath" + echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath" [[ $? != 0 ]] && fail "Unable to update password" fi } -function extractHashes() { - echo "select ici.identifier || ':' || json_extract(ic.config, '$.hashed_password') from identity_credential_identifiers ici, identity_credentials ic where ici.identity_credential_id=ic.id and json_extract(ic.config, '$.hashed_password') is not null order by ici.identifier" | sqlite3 "$databasePath" > "$extractedHashFile" +function createElasticTmpFile() { + filename=$1 + tmpFile=${filename}.tmp + truncate -s 0 "$tmpFile" + chmod 600 "$tmpFile" + chown elasticsearch:elasticsearch "$tmpFile" + echo "$tmpFile" +} + +function syncElastic() { + usersFileTmp=$(createElasticTmpFile "${elasticUsersFile}") + rolesFileTmp=$(createElasticTmpFile "${elasticRolesFile}") + + sysUser=$(lookup_pillar "auth:user" "elasticsearch") + sysPass=$(lookup_pillar "auth:pass" "elasticsearch") + sysHash=$(hashPassword "$sysPass") + + # Generate the new users file + echo "${sysUser}:${sysHash}" >> "$usersFileTmp" + echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \ + "from identity_credential_identifiers ici, identity_credentials ic " \ + "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \ + "order by ici.identifier;" | \ + sqlite3 "$databasePath" | \ + jq -r '.user + ":" + 
.data.hashed_password' \ + >> "$usersFileTmp" + mv -f "$usersFileTmp" "$elasticUsersFile" + + # Generate the new users_roles file + echo "superuser:${sysUser}" >> "$rolesFileTmp" + echo "select 'superuser:' || ici.identifier " \ + "from identity_credential_identifiers ici, identity_credentials ic " \ + "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \ + "order by ici.identifier;" | \ + sqlite3 "$databasePath" \ + >> "$rolesFileTmp" + mv -f "$rolesFileTmp" "$elasticRolesFile" +} + +function syncAll() { + syncElastic } function listUsers() { @@ -213,7 +261,7 @@ case "${operation}" in validateEmail "$email" updatePassword createUser "$email" - extractHashes + syncAll echo "Successfully added new user to SOC" check_container thehive && echo $password | so-thehive-user-add "$email" check_container fleet && echo $password | so-fleet-user-add "$email" @@ -229,7 +277,7 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" updateUser "$email" - extractHashes + syncAll echo "Successfully updated user" ;; @@ -238,7 +286,7 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" updateStatus "$email" 'active' - extractHashes + syncAll echo "Successfully enabled user" check_container thehive && so-thehive-user-enable "$email" true check_container fleet && so-fleet-user-enable "$email" true @@ -249,7 +297,7 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" updateStatus "$email" 'locked' - extractHashes + syncAll echo "Successfully disabled user" check_container thehive && so-thehive-user-enable "$email" false check_container fleet && so-fleet-user-enable "$email" false 
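Review bot: The `users_roles` query in `syncElastic` emits `superuser:` for every identifier that has a password hash, so each SOC account becomes an Elasticsearch superuser in the file realm. Neither select filters on account status either: the disable path calls `updateStatus "$email" 'locked'` and then `syncAll`, and unless `updateStatus` (outside this hunk) removes the credential, a locked user would presumably still be written to both files. I would reserve `superuser` for `${sysUser}`, map ordinary users to a narrower role, and add the status condition to both selects. At minimum a comment above the roles query should state the intent, e.g. `# NOTE: every SOC user with a password is granted superuser in Elasticsearch`.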
@@ -260,14 +308,14 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" deleteUser "$email" - extractHashes + syncAll echo "Successfully deleted user" check_container thehive && so-thehive-user-enable "$email" false check_container fleet && so-fleet-user-enable "$email" false ;; "sync") - extractHashes + syncAll echo "Synchronization complete" ;; From a6a4c03029567d8d008e82c60dbb44f2fb6d9049 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 26 May 2021 12:08:10 -0400 Subject: [PATCH 22/24] Improve error scenarios for user sync; Ensure user sync runs before Elastic container starts --- salt/common/tools/sbin/so-user | 5 +++++ salt/elasticsearch/init.sls | 8 ++++++++ 2 files changed, 13 insertions(+) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index b516cf6ad..7362c94a2 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -142,6 +142,7 @@ function syncElastic() { sysUser=$(lookup_pillar "auth:user" "elasticsearch") sysPass=$(lookup_pillar "auth:pass" "elasticsearch") + [[ -z "$sysUser" || -z "$sysPass" ]] && fail "Elastic auth credentials for system user are missing" sysHash=$(hashPassword "$sysPass") # Generate the new users file @@ -153,7 +154,9 @@ function syncElastic() { sqlite3 "$databasePath" | \ jq -r '.user + ":" + .data.hashed_password' \ >> "$usersFileTmp" + [[ $? != 0 ]] && fail "Unable to read credential hashes from database" mv -f "$usersFileTmp" "$elasticUsersFile" + [[ $? != 0 ]] && fail "Unable to create users file: $elasticUsersFile" # Generate the new users_roles file echo "superuser:${sysUser}" >> "$rolesFileTmp" @@ -163,7 +166,9 @@ function syncElastic() { "order by ici.identifier;" | \ sqlite3 "$databasePath" \ >> "$rolesFileTmp" + [[ $? != 0 ]] && fail "Unable to read credential IDs from database" mv -f "$rolesFileTmp" "$elasticRolesFile" + [[ $? != 0 ]] && fail "Unable to create users file: $elasticRolesFile" } function syncAll() { 
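Review bot: The added `[[ $? != 0 ]] && fail "Unable to read credential hashes from database"` in the `@@ -153,7 +154,9 @@` hunk follows a `sqlite3 | jq` pipeline, so `$?` carries the status of `jq` only. Unless `pipefail` is enabled elsewhere in the script, a failing `sqlite3` hands `jq` empty input, the check passes, and `mv -f` installs a users file that holds only the system account. Adding `set -o pipefail` at the top of `syncElastic`, or testing `${PIPESTATUS[1]}` immediately after the pipeline, closes that gap. The roles pipeline in the `@@ -163,7 +166,9 @@` hunk ends in `sqlite3`, so its check is effective, though its last message says "users file" for `$elasticRolesFile`. `syncElastic` starts and ends outside these hunks.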
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index c6ac600ef..dd4af7696 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -169,6 +169,14 @@ eslogdir: - group: 939 - makedirs: True +# Must run before elasticsearch docker container is started! +syncesusers: + cmd.run: + - name: so-user sync + - creates: + - /opt/so/conf/elasticsearch/users + - /opt/so/conf/elasticsearch/users_roles + so-elasticsearch: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }} From c531ef0773df174d92dd2ce2ae5b9504442749bd Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 26 May 2021 13:44:30 -0400 Subject: [PATCH 23/24] Move user sync'd files to saltstack for grid propagation --- salt/common/tools/sbin/so-user | 4 ++-- salt/elasticsearch/init.sls | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 7362c94a2..23034a6e9 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -40,8 +40,8 @@ email=$2 kratosUrl=${KRATOS_URL:-http://127.0.0.1:4434} databasePath=${KRATOS_DB_PATH:-/opt/so/conf/kratos/db/db.sqlite} bcryptRounds=${BCRYPT_ROUNDS:-12} -elasticUsersFile=${ELASTIC_USERS_FILE:-/opt/so/conf/elasticsearch/users} -elasticRolesFile=${ELASTIC_ROLES_FILE:-/opt/so/conf/elasticsearch/users_roles} +elasticUsersFile=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users} +elasticRolesFile=${ELASTIC_ROLES_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users_roles} function fail() { msg=$1 diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index dd4af7696..5ee936f1c 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
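Review bot: The `creates` list on `syncesusers` makes this state a one-time bootstrap: once both files exist Salt skips `so-user sync`, so it cannot be what keeps the files current. PATCH 24/24 further down this page removes the `syncAll` calls from the add, update, enable, disable and delete operations, and nothing visible here re-runs the sync afterwards, which would leave a disabled or deleted user's hash in the Elasticsearch users file. I would drop `creates` (the script rewrites both files on every run) or trigger the state from whatever records user changes. The ordering the comment demands also rests on file order alone; adding `- require_in:` with `- docker_container: so-elasticsearch` to this state would make it explicit.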
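Review bot: The new defaults for `elasticUsersFile` and `elasticRolesFile` place the bcrypt hashes of every SOC user and of the system account under `/opt/so/saltstack/local/salt/`. If that directory is one of the master's `file_roots` (the commit subject suggests it is), the Salt file server will serve those files to any accepted minion, not only the nodes that run Elasticsearch. Consider distributing them through pillar or otherwise limiting which nodes can fetch them, and at least record the exposure next to the defaults, e.g. `# NOTE: files under this path are readable by every minion through the Salt file server`. It is also worth confirming that the `chmod 600` and `chown elasticsearch:elasticsearch` applied in `createElasticTmpFile` still suit the account the salt-master reads these files as.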
@@ -174,8 +174,8 @@ syncesusers: cmd.run: - name: so-user sync - creates: - - /opt/so/conf/elasticsearch/users - - /opt/so/conf/elasticsearch/users_roles + - /opt/so/saltstack/local/salt/elasticsearch/files/users + - /opt/so/saltstack/local/salt/elasticsearch/files/users_roles so-elasticsearch: docker_container.running: From b43e6c5d6bb0721bdbb0418e2cdeb93700e375c6 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 26 May 2021 13:51:24 -0400 Subject: [PATCH 24/24] Salt will handle auto-sync --- salt/common/tools/sbin/so-user | 5 ----- 1 file changed, 5 deletions(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 23034a6e9..1ff637d23 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -266,7 +266,6 @@ case "${operation}" in validateEmail "$email" updatePassword createUser "$email" - syncAll echo "Successfully added new user to SOC" check_container thehive && echo $password | so-thehive-user-add "$email" check_container fleet && echo $password | so-fleet-user-add "$email" @@ -282,7 +281,6 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" updateUser "$email" - syncAll echo "Successfully updated user" ;; @@ -291,7 +289,6 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" updateStatus "$email" 'active' - syncAll echo "Successfully enabled user" check_container thehive && so-thehive-user-enable "$email" true check_container fleet && so-fleet-user-enable "$email" true @@ -302,7 +299,6 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" updateStatus "$email" 'locked' - syncAll echo "Successfully disabled user" check_container thehive && so-thehive-user-enable "$email" false check_container fleet && so-fleet-user-enable "$email" false 
@@ -313,7 +309,6 @@ case "${operation}" in [[ "$email" == "" ]] && fail "Email address must be provided" deleteUser "$email" - syncAll echo "Successfully deleted user" check_container thehive && so-thehive-user-enable "$email" false check_container fleet && so-fleet-user-enable "$email" false