From d8d429c71a0ea7c372e3067fe5d49e862584312c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 23 Nov 2021 09:19:41 -0500 Subject: [PATCH 01/15] Update HOTFIX --- HOTFIX | 1 + 1 file changed, 1 insertion(+) diff --git a/HOTFIX b/HOTFIX index e69de29bb..f6989f3fe 100644 --- a/HOTFIX +++ b/HOTFIX @@ -0,0 +1 @@ +WAZUH From 4672b0c15c1d077c7cb85eef6b47db525489e03c Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Nov 2021 10:06:14 -0500 Subject: [PATCH 02/15] Fix #6317 - Do not attempt to whitelist when wazuh isn't enabled --- salt/common/tools/sbin/so-allow | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index 769dcc1e9..6a66876e7 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow @@ -79,10 +79,10 @@ def ip_prompt() -> str: def wazuh_enabled() -> bool: - for file in os.listdir(f'{LOCAL_SALT_DIR}/pillar'): - with open(file, 'r') as pillar: - if 'wazuh: 1' in pillar.read(): - return True + file = f'{LOCAL_SALT_DIR}/pillar/global.sls' + with open(file, 'r') as pillar: + if 'wazuh: 1' in pillar.read(): + return True return False @@ -124,7 +124,7 @@ def apply(role: str, ip: str) -> int: else: return cmd.returncode if cmd.returncode == 0: - if wazuh_enabled and role=='analyst': + if wazuh_enabled() and role=='analyst': try: add_wl(ip) print(f'Added whitelist entry for {ip} from {WAZUH_CONF}', file=sys.stderr) From af4c04be5970388da7bdf272e728f5d7306cfef6 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Nov 2021 10:57:21 -0500 Subject: [PATCH 03/15] Fix #6325 - Prevent XML header from outputting to ossec.conf --- salt/common/tools/sbin/so-allow | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index 6a66876e7..6aa20df1e 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow 
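Review bot: `open(file, 'r')` in wazuh_enabled() raises FileNotFoundError when `{LOCAL_SALT_DIR}/pillar/global.sls` is absent, and since apply() only calls it after its own command has already succeeded (second hunk of this file), a missing pillar file turns a completed allow into a traceback. Treat a missing file as "not enabled": `if not os.path.isfile(file): return False` before the `with`, or catch `FileNotFoundError` around it and return False. The substring test `'wazuh: 1' in pillar.read()` also matches a commented-out line; a YAML parse of the pillar would be stricter if the tool already has a parser available, which the hunk does not show. A one-line docstring, e.g. `"""Return True when global.sls enables wazuh (a missing file counts as disabled)."""`, would pin the contract apply() depends on.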
@@ -23,7 +23,6 @@ import sys import argparse import re from lxml import etree as ET -from xml.dom import minidom from datetime import datetime as dt from datetime import timezone as tz @@ -87,12 +86,7 @@ def wazuh_enabled() -> bool: def root_to_str(root: ET.ElementTree) -> str: - xml_str = ET.tostring(root, encoding='unicode', method='xml').replace('\n', '') - xml_str = re.sub(r'(?:(?<=>) *)', '', xml_str) - xml_str = re.sub(r' -', '', xml_str) - xml_str = re.sub(r' -->', ' -->', xml_str) - dom = minidom.parseString(xml_str) - return dom.toprettyxml(indent=" ") + return ET.tostring(root, encoding='unicode', method='xml', xml_declaration=False, pretty_print=True) def add_wl(ip): From c67b2b693650e6a35c6146c9dae8f6aaf22c91d7 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Tue, 23 Nov 2021 11:14:10 -0500 Subject: [PATCH 04/15] Update soup only check if salt was upgraded if upgrade_salt function was called --- salt/common/tools/sbin/soup | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 55efde5a9..b497d9c24 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
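Review bot: `pretty_print=True` in root_to_str() only indents elements that carry no existing whitespace text or tail, so if the tree was parsed from ossec.conf without `remove_blank_text=True` the output keeps the file's original spacing and only newly added elements get reformatted; worth confirming against the parser used in add_wl(), which is outside the hunk. `xml_declaration=False` together with `encoding='unicode'` is the right combination, as lxml refuses to emit a declaration on unicode output. With the regex post-processing gone, `import re` at the top of the file is unused unless another function needs it; drop it if so. A docstring such as `"""Serialize *root* to ossec.conf text without an XML declaration."""` would document the property issue #6325 depends on.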
@@ -933,21 +933,21 @@ main() { echo "Upgrading Salt" # Update the repo files so it can actually upgrade upgrade_salt - fi - - echo "Checking if Salt was upgraded." - echo "" - # Check that Salt was upgraded - SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}') - if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then - echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." - echo "Once the issue is resolved, run soup again." - echo "Exiting." - echo "" - exit 0 - else - echo "Salt upgrade success." + + echo "Checking if Salt was upgraded." echo "" + # Check that Salt was upgraded + SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}') + if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then + echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." + echo "Once the issue is resolved, run soup again." + echo "Exiting." + echo "" + exit 0 + else + echo "Salt upgrade success." + echo "" + fi fi preupgrade_changes From 0dd251e2a9c24efbaefd5bf7837614aed3190d83 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Nov 2021 11:19:53 -0500 Subject: [PATCH 05/15] Fix typo in whiptail prompt --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 5a0b7a819..c49e7396a 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -753,7 +753,7 @@ whiptail_install_type_dist() { dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 11 75 2 \ "New Deployment " "Create a new Security Onion deployment" \ - "Existing Deployment " "Join to an exisiting Security Onion deployment " \ + "Existing Deployment " "Join to an existing Security Onion deployment " \ 3>&1 1>&2 2>&3 ) local exitstatus=$? From 7627d37386a80c2334087f58c48aa3049a3d0d46 Mon Sep 17 00:00:00 2001 
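Review bot: The failure branch of the post-upgrade version check still ends with `exit 0`, so when `$SALTVERSIONPOSTUPGRADE` differs from `$NEWSALTVERSION` soup prints "Salt upgrade failed" yet returns success to whatever invoked it (a wrapper, cron, or an operator checking `$?`). If the zero status is deliberate, for example to keep the `check_err` EXIT trap set at the top of main() from printing a second error, a comment on that line should say so; otherwise `exit 1` is the expected signal. Moving the check inside the `if` also means a run where Salt was already current no longer re-verifies the version, which matches the commit message. main() continues outside the hunk.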
From: Jason Ertel Date: Tue, 23 Nov 2021 12:21:28 -0500 Subject: [PATCH 06/15] Add 2.3.90 WAZUH hotfix corrective function --- salt/common/tools/sbin/soup | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index b497d9c24..8f1e77d7f 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -837,6 +837,21 @@ verify_latest_update_script() { fi } +apply_hotfix() { + if [[ "$INSTALLEDVERSION" == "2.3.90" && "$HOTFIXVERSION" == "WAZUH" ]] ; then + FILE="/nsm/wazuh/etc/ossec.conf" + echo "Detecting if ossec.conf needs corrected..." + WAZUHHEADER=$(head -1 $FILE | grep "xml version") + if [[ ! -z "$WAZUHHEADER" ]]; then + echo "$FILE has an XML header; removing" + sed -i 1d $FILE + else + echo "$FILE does not have an XML header, so no changes are necessary." + fi + fi +} + + main() { trap 'check_err $?' EXIT @@ -893,6 +908,7 @@ main() { if [ "$is_hotfix" == "true" ]; then echo "Applying $HOTFIXVERSION" copy_new_files + apply_hotfix echo "" update_version salt-call state.highstate -l info queue=True From 3c37bd61abd6b578faca6467dd629babccd05479 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Nov 2021 12:46:59 -0500 Subject: [PATCH 07/15] Add debug logging --- salt/common/tools/sbin/soup | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 8f1e77d7f..ed2836de2 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -838,7 +838,7 @@ verify_latest_update_script() { } apply_hotfix() { - if [[ "$INSTALLEDVERSION" == "2.3.90" && "$HOTFIXVERSION" == "WAZUH" ]] ; then + if [[ "$INSTALLEDVERSION" == "2.3.90" && "$HOTFIXVERSION" == "WAZUH" ]]; then FILE="/nsm/wazuh/etc/ossec.conf" echo "Detecting if ossec.conf needs corrected..." WAZUHHEADER=$(head -1 $FILE | grep "xml version") 
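Review bot: `WAZUHHEADER=$(head -1 $FILE | grep "xml version")` in apply_hotfix() will abort soup instead of reaching the `else` branch when ossec.conf has no XML header, because main() enables `set -e` shortly before calling apply_hotfix (visible as context in a later hunk of this series) and a non-matching grep gives the assignment exit status 1. The inline form the series later adopts, `if head -1 "$FILE" | grep -q "xml version"; then`, is exempt from errexit and is the right shape for this test. `sed -i 1d $FILE` edits a security-relevant config in place with no copy kept; `sed -i.pre-hotfix 1d "$FILE"` would leave a recovery point, and quoting `"$FILE"` keeps the expansions consistent. The `"2.3.90"` gate also makes the function silently do nothing on any other installed version, so an `else` branch that logs the skip would make the decision visible in the soup log.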
@@ -848,6 +848,8 @@ apply_hotfix() { else echo "$FILE does not have an XML header, so no changes are necessary." fi + else + echo "Skipping ossec.conf check ($INSTALLEDVERSION/$HOTFIXVERSION)" fi } @@ -906,10 +908,10 @@ main() { set -e if [ "$is_hotfix" == "true" ]; then - echo "Applying $HOTFIXVERSION" + echo "Applying $HOTFIXVERSION hotfix" copy_new_files apply_hotfix - echo "" + echo "Hotfix applied" update_version salt-call state.highstate -l info queue=True else From 01ceded223b6595cef1c4989f4681255fc9346e7 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Nov 2021 13:03:40 -0500 Subject: [PATCH 08/15] Handle CRs in hotfix --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index ed2836de2..015d57ab6 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -838,7 +838,7 @@ verify_latest_update_script() { } apply_hotfix() { - if [[ "$INSTALLEDVERSION" == "2.3.90" && "$HOTFIXVERSION" == "WAZUH" ]]; then + if [[ "$INSTALLEDVERSION" == "2.3.90" && "$HOTFIXVERSION" =~ "WAZUH" ]]; then FILE="/nsm/wazuh/etc/ossec.conf" echo "Detecting if ossec.conf needs corrected..." WAZUHHEADER=$(head -1 $FILE | grep "xml version") From bd59d65f02b4e2b789ed3eaba02c53e6c0449fbd Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Nov 2021 13:12:27 -0500 Subject: [PATCH 09/15] Strip trailing newlines from version and hotfix files --- salt/common/tools/sbin/soup | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 015d57ab6..b471e6eca 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -715,9 +715,9 @@ update_version() { upgrade_check() { # Let's make sure we actually need to update. - NEWVERSION=$(cat $UPDATE_DIR/VERSION) - HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX) - [[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix) + NEWVERSION=$(cat $UPDATE_DIR/VERSION | tr -d '\n') + HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX | tr -d '\n') + [[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix | tr -d '\n') if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then echo "Checking to see if there are hotfixes needed" if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then @@ -838,7 +838,7 @@ verify_latest_update_script() { } apply_hotfix() { - if [[ "$INSTALLEDVERSION" == "2.3.90" && "$HOTFIXVERSION" =~ "WAZUH" ]]; then + if [[ "$INSTALLEDVERSION" == "2.3.90" && "$HOTFIXVERSION" == "WAZUH" ]] ; then FILE="/nsm/wazuh/etc/ossec.conf" echo "Detecting if ossec.conf needs corrected..." WAZUHHEADER=$(head -1 $FILE | grep "xml version") From 52ffa27eda73ee0026f413f1302fecd85b73f6f8 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Nov 2021 13:22:47 -0500 Subject: [PATCH 10/15] Update hotfix file --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index f6989f3fe..0f3ca3c28 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -WAZUH +WAZUH From 59fc122eecbf09385b7f195d8b3729a60acf3597 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Nov 2021 13:29:04 -0500 Subject: [PATCH 11/15] Force restart of wazuh since conf file is changing --- salt/common/tools/sbin/soup | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index b471e6eca..2aefc67bb 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -715,9 +715,9 @@ update_version() { upgrade_check() { # Let's make sure we actually need to update. - NEWVERSION=$(cat $UPDATE_DIR/VERSION | tr -d '\n') - HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX | tr -d '\n') - [[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix | tr -d '\n') + NEWVERSION=$(cat $UPDATE_DIR/VERSION) + HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX) + [[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix) if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then echo "Checking to see if there are hotfixes needed" if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then @@ -845,6 +845,7 @@ apply_hotfix() { if [[ ! -z "$WAZUHHEADER" ]]; then echo "$FILE has an XML header; removing" sed -i 1d $FILE + so-wazuh-restart else echo "$FILE does not have an XML header, so no changes are necessary." fi From 801d42ed20698c7fcce30a030028a8f72f062797 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Nov 2021 14:51:06 -0500 Subject: [PATCH 12/15] Correct if check to inline the command instead of checking for emptiness of a variable --- salt/common/tools/sbin/soup | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 2aefc67bb..fc6694ec2 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -841,8 +841,7 @@ apply_hotfix() { if [[ "$INSTALLEDVERSION" == "2.3.90" && "$HOTFIXVERSION" == "WAZUH" ]] ; then FILE="/nsm/wazuh/etc/ossec.conf" echo "Detecting if ossec.conf needs corrected..." - WAZUHHEADER=$(head -1 $FILE | grep "xml version") - if [[ ! -z "$WAZUHHEADER" ]]; then + if head -1 $FILE | grep "xml version"; then echo "$FILE has an XML header; removing" sed -i 1d $FILE so-wazuh-restart From 4f283c2d8660b4649f29b6861872dcbd797a7f8a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Nov 2021 14:52:40 -0500 Subject: [PATCH 13/15] Suppres grep output --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
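Review bot: `so-wazuh-restart` in the second hunk runs under the `set -e` that main() enables before calling apply_hotfix, so a failed restart aborts soup after ossec.conf has already been edited but before `update_version` runs, leaving a modified config with the old hotfix marker, and nothing in this hunk retries the restart on the next run (the header check will then find nothing to do). If aborting is the intent, a comment on that line should say so; otherwise `so-wazuh-restart || echo "Wazuh restart failed; restart it manually"` keeps the hotfix moving and leaves a trace in the log. The command is resolved via PATH with no existence check, and what it does is outside this page. Reverting the `tr -d '\n'` lines in the first hunk is safe, since `$(...)` already strips trailing newlines.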
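Review bot: The inline `if head -1 $FILE | grep "xml version"; then` now behaves correctly under main()'s `set -e` (a non-matching grep in the removed assignment form would have aborted the script), but nothing records why this shape matters; a comment such as `# inline test: a non-matching grep must not trip errexit` would keep a future cleanup from reintroducing the variable. When `$FILE` does not exist, `head` prints an error and the `else` branch reports "does not have an XML header", which is misleading; an `[[ -f "$FILE" ]]` guard before the test, with `"$FILE"` quoted in the condition, is cheap. apply_hotfix() ends outside the hunk.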
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index fc6694ec2..2244f2735 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -841,7 +841,7 @@ apply_hotfix() { if [[ "$INSTALLEDVERSION" == "2.3.90" && "$HOTFIXVERSION" == "WAZUH" ]] ; then FILE="/nsm/wazuh/etc/ossec.conf" echo "Detecting if ossec.conf needs corrected..." - if head -1 $FILE | grep "xml version"; then + if head -1 $FILE | grep -q "xml version"; then echo "$FILE has an XML header; removing" sed -i 1d $FILE so-wazuh-restart From c536e1138303ce08bfd7ff8345894d9568aa731a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 23 Nov 2021 15:32:41 -0500 Subject: [PATCH 14/15] 2.3.90 hotfix soup --- README.md | 4 ++-- VERIFY_ISO.md | 20 ++++++++++---------- sigs/securityonion-2.3.90-WAZUH.iso.sig | Bin 0 -> 543 bytes 3 files changed, 12 insertions(+), 12 deletions(-) create mode 100644 sigs/securityonion-2.3.90-WAZUH.iso.sig diff --git a/README.md b/README.md index 4956a2e4e..b07bae8ca 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.3.90 +## Security Onion 2.3.90-WAZUH -Security Onion 2.3.90 is here! +Security Onion 2.3.90-WAZUH is here! ## Screenshots diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 36d8b1e04..0a9044aa3 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md 
@@ -1,18 +1,18 @@ -### 2.3.90 ISO image built on 2021/11/19 +### 2.3.90-WAZUH ISO image built on 2021/11/23 ### Download and Verify -2.3.90 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.90.iso +2.3.90-WAZUH ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.90-WAZUH.iso -MD5: F214ECE9F32A6F881D9A735DEAF90E46 -SHA1: 0B04FAA0FEC704CF6AD2030AA7A4AE80D9379AFA -SHA256: BE0E1516D83D7782AEAE9D52449FED45A45D72981515672C761C2A17B7AA613C +MD5: B7141C8627CDB45F4A8741B2ADE4A9F3 +SHA1: 16087B385CA651659EC98F139AFDF90922430FB6 +SHA256: 667AF11BBCFE3248AF59E45043703B55A543E059899AE387FF55EB8077304F04 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.90.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.90-WAZUH.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS @@ -26,17 +26,17 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.90.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.90-WAZUH.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.90.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.90-WAZUH.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.90.iso.sig securityonion-2.3.90.iso +gpg --verify securityonion-2.3.90-WAZUH.iso.sig securityonion-2.3.90-WAZUH.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: 
diff --git a/sigs/securityonion-2.3.90-WAZUH.iso.sig b/sigs/securityonion-2.3.90-WAZUH.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..aa9539e05974f00e5d92d210c37375268af6c0c9 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;B6OuPUJ2@re`V7LBIa1$I;5C2J0Ady$S0^;=%|8pG_ z6cQJYi_qok{!Dnx#-XL+O7`M$4X7TAfU}qm<5a|>5_q?>t13xY67X5}$Qm`=aFlG5 z{p-of_6h^&R?wUUhumA6yHKC{(~UgL`GfD%gd?_CRjY|;Qce{pe`T8;-wWIFzfL(! z($(FiKo#-_v3~FQ-K(gPy2_dTw7RYd#4FN$67o|l+TLU1( zLr|={SH;hfG(*QzzK9_M6^4La7f^<){toA-Gq`U1C#dA>BF304mC$lN-%(ev=Hj52q?bNBE{ h&RiSb@$GyC=b8=J!EBg=+7kO|Cg|L2suPVCU&7(^3FQC) literal 0 HcmV?d00001 From 1f9dc0db1f586717f1e06609a0bf1e5ca14f6cf7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 23 Nov 2021 15:40:04 -0500 Subject: [PATCH 15/15] 2.3.90 hotfix soup --- VERIFY_ISO.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 0a9044aa3..502a44a9b 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -41,7 +41,7 @@ gpg --verify securityonion-2.3.90-WAZUH.iso.sig securityonion-2.3.90-WAZUH.iso The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Fri 19 Nov 2021 05:15:29 PM EST using RSA key ID FE507013 +gpg: Signature made Tue 23 Nov 2021 03:19:08 PM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.