Merge remote-tracking branch 'origin/2.4/dev' into minechanges

DOWNLOAD_AND_VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.4.10-20230821 ISO image released on 2023/08/21
+### 2.4.20-20231006 ISO image released on 2023/10/06
 
 
 
 ### Download and Verify
 
-2.4.10-20230821 ISO image:  
+2.4.20-20231006 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso
  
-MD5: 353EB36F807DC947F08F79B3DCFA420E  
+MD5: 269F00308C53976BF0EAE788D1DB29DB  
-SHA1: B25E3BEDB81BBEF319DC710267E6D78422F39C56  
+SHA1: 3F7C2324AE1271112F3B752BA4724AF36688FC27  
-SHA256: 3D369E92FEB65D14E1A981E99FA223DA52C92057A037C243AD6332B6B9A6D9BC  
+SHA256: 542B8B3F4F75AD24DC78007F8FE0857E00DC4CC9F4870154DCB8D5D0C4144B65  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.10-20230821.iso.sig securityonion-2.4.10-20230821.iso
+gpg --verify securityonion-2.4.20-20231006.iso.sig securityonion-2.4.20-20231006.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Mon 21 Aug 2023 09:47:50 AM EDT using RSA key ID FE507013
+gpg: Signature made Tue 03 Oct 2023 11:40:51 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

salt/common/packages.sls

@@ -46,10 +46,16 @@ python-rich:
 {% endif %}
 
 {% if GLOBALS.os_family == 'RedHat' %}
+
+remove_mariadb:
+  pkg.removed:
+    - name: mariadb-devel
+
 commonpkgs:
   pkg.installed:
     - skip_suggestions: True
     - pkgs:
+      - python3-dnf-plugin-versionlock
       - curl
       - device-mapper-persistent-data
       - fuse
@@ -62,12 +68,9 @@ commonpkgs:
       - httpd-tools
       - jq
       - lvm2
-      - mariadb-devel
       - net-tools
       - nmap-ncat
-      - openssl
       - procps-ng
-      - python3-dnf-plugin-versionlock
       - python3-docker
       - python3-m2crypto
       - python3-packaging
@@ -79,4 +82,5 @@ commonpkgs:
       - unzip
       - wget
       - yum-utils
+
 {% endif %}

salt/common/tools/sbin/so-common

@@ -240,7 +240,7 @@ gpg_rpm_import() {
 	    else
 	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	    fi
-		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub' 'MariaDB-Server-GPG-KEY')
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
 		for RPMKEY in "${RPMKEYS[@]}"; do
     	        rpm --import $RPMKEYSLOC/$RPMKEY
 	        echo "Imported $RPMKEY"

salt/common/tools/sbin/so-log-check

@@ -105,6 +105,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing shards"               # server not yet ready
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to send metrics"       # server not yet ready
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|broken pipe"                  # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status: 502"                  # server not yet ready (nginx waiting on upstream)
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout exceeded"             # server not yet ready (telegraf waiting on elasticsearch)
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|influxsize kbytes"            # server not yet ready (telegraf waiting on influx)
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|expected field at"            # server not yet ready (telegraf waiting on health data)
@@ -117,7 +118,7 @@ fi
 
 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_status_error"      # false positive
-    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_error.json"        # false positive
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_error"             # false positive
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error: '0'"                   # false positive
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|errors_index"                 # false positive
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|noerror"                      # false positive
@@ -153,6 +154,9 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|generating elastalert config" # playbook expected error
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|activerecord"                 # playbook expected error
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|monitoring.metrics"           # known issue with elastic agent casting the field incorrectly if an integer value shows up before a float
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|repodownload.conf"            # known issue with reposync on pre-2.4.20 
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing versions record"      # stenographer corrupt index
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|soc.field."                   # known ingest type collisions issue with earlier versions of SO
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|iteration"
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|communication packets"
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|use of closed"

salt/firewall/iptables.jinja

@@ -89,7 +89,6 @@ COMMIT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m conntrack --ctstate INVALID -j DROP
--A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -j LOGGING
 -A FORWARD -j DOCKER-USER
@@ -103,6 +102,7 @@ COMMIT
 -A FORWARD -m conntrack --ctstate INVALID -j DROP
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 -A OUTPUT -o lo -j ACCEPT
+# block icmp timestamp reply
 -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
 
 {%- for rule in D2 %}

salt/mysql/config.sls

@@ -9,7 +9,7 @@
 
 # MySQL Setup
 mysqlpkgs:
-  pkg.installed:
+  pkg.removed:
     - skip_suggestions: False
     - pkgs:
       {% if grains['os_family'] != 'RedHat' %}

setup/so-functions

@@ -2088,7 +2088,7 @@ saltify() {
 		if [[ $waitforstate ]]; then
 			retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION salt-master=$SALTVERSION" || fail_setup
 			retry 150 20 "apt-mark hold salt-minion salt-common salt-master" || fail_setup
-			retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" || exit 1
+			retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-packaging python3-influxdb python3-lxml" || exit 1
 		else
 			retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION" || fail_setup
 			retry 150 20 "apt-mark hold salt-minion salt-common" || fail_setup