Merge branch '2.4/dev' into desktop

salt/elasticsearch/files/ingest/suricata.common

@@ -1,20 +1,21 @@
 {
   "description" : "suricata.common",
   "processors" : [
-    { "json":	{ "field": "message",			"target_field": "message2",		"ignore_failure": true  } },
-    { "rename":	{ "field": "message2.proto",		"target_field": "network.transport",	"ignore_failure": true 	} },
-    { "rename":	{ "field": "message2.flow_id",		"target_field": "log.id.uid",		"ignore_failure": true 	} },
-    { "rename":	{ "field": "message2.src_ip",		"target_field": "source.ip",		"ignore_failure": true  } },
-    { "rename":	{ "field": "message2.src_port",		"target_field": "source.port",		"ignore_failure": true  } },
-    { "rename":	{ "field": "message2.dest_ip",		"target_field": "destination.ip",	"ignore_failure": true  } },
-    { "rename":	{ "field": "message2.dest_port",	"target_field": "destination.port",	"ignore_failure": true  } },
-    { "rename":	{ "field": "message2.vlan",		"target_field": "network.vlan.id",	"ignore_failure": true  } },
-    { "rename":	{ "field": "message2.community_id",	"target_field": "network.community_id",	"ignore_missing": true  } },
-    { "set":	{ "field": "event.dataset",		"value": "{{ message2.event_type }}"  				} },
-    { "set":	{ "field": "observer.name",		"value": "{{agent.name}}"  					} },
-    { "set":	{ "field": "event.ingested",		"value": "{{@timestamp}}"  					} },
+    { "json":   { "field": "message",                   "target_field": "message2",             "ignore_failure": true  } },
+    { "rename": { "field": "message2.proto",            "target_field": "network.transport",    "ignore_failure": true  } },
+    { "rename": { "field": "message2.flow_id",          "target_field": "log.id.uid",           "ignore_failure": true  } },
+    { "rename": { "field": "message2.src_ip",           "target_field": "source.ip",            "ignore_failure": true  } },
+    { "rename": { "field": "message2.src_port",         "target_field": "source.port",          "ignore_failure": true  } },
+    { "rename": { "field": "message2.dest_ip",          "target_field": "destination.ip",       "ignore_failure": true  } },
+    { "rename": { "field": "message2.dest_port",        "target_field": "destination.port",     "ignore_failure": true  } },
+    { "rename": { "field": "message2.vlan",             "target_field": "network.vlan.id",      "ignore_failure": true  } },
+    { "rename": { "field": "message2.community_id",     "target_field": "network.community_id", "ignore_missing": true  } },
+    { "rename": { "field": "message2.xff",              "target_field": "xff.ip",               "ignore_missing": true  } },
+    { "set":    { "field": "event.dataset",             "value": "{{ message2.event_type }}"                            } },
+    { "set":    { "field": "observer.name",             "value": "{{agent.name}}"                                       } },
+    { "set":    { "field": "event.ingested",            "value": "{{@timestamp}}"                                       } },
     { "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } },
-    { "remove":{ "field": "agent", 								"ignore_failure": true	} },
+    { "remove":{ "field": "agent",                                                              "ignore_failure": true  } },
     { "pipeline": { "if": "ctx?.event?.dataset != null", "name": "suricata.{{event.dataset}}" } }
   ]
 }

salt/repo/client/files/rocky/yum.conf.jinja

@@ -12,6 +12,6 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
 bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
 distroverpkg=centos-release
 clean_requirements_on_remove=1
-{% if proxy -%}
+{%- if proxy %}
 proxy={{ proxy }}
-{% endif %}
+{%- endif %}

salt/repo/client/map.jinja

@@ -11,6 +11,10 @@
          'Rocky-Sources.repo',
          'Rocky-Vault.repo',
          'Rocky-x86_64-kernel.repo',
+         'rocky-addons.repo',
+         'rocky-devel.repo',
+         'rocky-extras.repo',
+         'rocky.repo',
          'docker-ce.repo',
          'epel.repo',
          'epel-testing.repo',

salt/soc/defaults.yaml

@@ -1006,6 +1006,7 @@ soc:
       baseUrl: /
       maxPacketCount: 5000
       htmlDir: html
+      importUploadDir: /nsm/soc/uploads
       airgapEnabled: false
       modules:
         cases: soc

salt/soc/enabled.sls

@@ -23,6 +23,7 @@ so-soc:
         - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
     - binds:
       - /nsm/soc/jobs:/opt/sensoroni/jobs:rw
+      - /nsm/soc/uploads:/nsm/soc/uploads:rw
       - /opt/so/log/soc/:/opt/sensoroni/logs/:rw
       - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
       - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro

salt/soc/files/bin/salt-relay.sh

@@ -4,6 +4,8 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
+. /usr/sbin/so-common
+
 PIPE_OWNER=${PIPE_OWNER:-socore}
 PIPE_GROUP=${PIPE_GROUP:-socore}
 SOC_PIPE=${SOC_PIPE:-/opt/so/conf/soc/salt/pipe}
@@ -185,7 +187,9 @@ function send_file() {
   log "Cleanup: $cleanup"
 
   log "encrypting..."
-  gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from"
+  password=$(lookup_pillar_secret import_pass)
+  response=$(gpg --passphrase "$password" --batch --symmetric --cipher-algo AES256 "$from")
+  log Response:$'\n'"$response"
 
   fromgpg="$from.gpg"
   filename=$(basename "$fromgpg")
@@ -228,18 +232,23 @@ function import_file() {
   filegpg="$file.gpg"
 
   log "decrypting..."
-  $CMD_PREFIX "salt '$node' cmd.run 'gpg --passphrase \"infected\" --batch --decrypt \"$filegpg\" > \"$file\"'"
+  password=$(lookup_pillar_secret import_pass)
+  decrypt_cmd="gpg --passphrase $password -o $file.tmp --batch --decrypt $filegpg"
+  $CMD_PREFIX salt "$node" cmd.run "\"$decrypt_cmd\""
   decrypt_code=$?
 
   if [[ $decrypt_code -eq 0 ]]; then
+    mv "$file.tmp" "$file"
     log "importing..."
     case $importer in
       pcap)
-        response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'")
+        import_cmd="so-import-pcap $file --json"
+        response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"")
         exit_code=$?
         ;;
       evtx)
-        response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'")
+        import_cmd="so-import-evtx $file --json"
+        response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"")
         exit_code=$?
         ;;
       *)

setup/so-functions

@@ -1296,6 +1296,7 @@ generate_passwords(){
   KRATOSKEY=$(get_random_value)
   REDISPASS=$(get_random_value)
   SOCSRVKEY=$(get_random_value 64)
+  IMPORTPASS=$(get_random_value)
 }
 
 generate_interface_vars() {
@@ -2102,6 +2103,7 @@ secrets_pillar(){
 		"  playbook_admin: $PLAYBOOKADMINPASS"\
 		"  playbook_automation: $PLAYBOOKAUTOMATIONPASS"\
 		"  playbook_automation_api_key: "\
+		"  import_pass: $IMPORTPASS"\
 		"  influx_pass: $INFLUXPASS" > $local_salt_dir/pillar/secrets.sls
   fi
 }
@@ -2402,7 +2404,12 @@ update_sudoers_for_testing() {
 update_packages() {
 	if [[ $is_rocky ]]; then
 		logCmd "dnf repolist"
-		logCmd "dnf -y update --allowerasing --exclude=salt*,wazuh*,docker*,containerd*"
+		logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
+		RMREPOFILES=("rocky-addons.repo" "rocky-devel.repo" "rocky-extras.repo" "rocky.repo")
+		info "Removing repo files added by rocky-repos package update"
+		for FILE in ${RMREPOFILES[@]}; do
+			logCmd "rm -f /etc/yum.repos.d/$FILE"
+		done
 	else
 		info "Running apt-get update"
 		retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup