diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index e28513cef..bc8793798 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,16 +1,16 @@
-### 2.3.20 ISO image built on 2020/12/20
+### 2.3.30 ISO image built on 2021/03/01
 ### Download and Verify
-2.3.20 ISO image:
-https://download.securityonion.net/file/securityonion/securityonion-2.3.20.iso
+2.3.30 ISO image:
+https://download.securityonion.net/file/securityonion/securityonion-2.3.30.iso
-MD5: E348FA65A46FD3FBA0D574D9C1A0582D
-SHA1: 4A6E6D4E0B31ECA1B72E642E3DB2C186B59009D6
-SHA256: 25DE77097903640771533FA13094D0720A032B70223875F8C77A92F5C44CA687
+MD5: 65202BA0F7661A5E27087F097B8E571E
+SHA1: 14E842E39EDBB55A104263281CF25BF88A2E9D67
+SHA256: 210B37B9E3DFC827AFE2940E2C87B175ADA968EDD04298A5926F63D9269847B7
 Signature for ISO image:
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.20.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.30.iso.sig
 Signing key:
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -24,22 +24,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 Download the signature file for the ISO:
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.20.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.30.iso.sig
 ```
 Download the ISO image:
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.20.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.30.iso
 ```
 Verify the downloaded ISO image using the signature file:
 ```
-gpg --verify securityonion-2.3.20.iso.sig securityonion-2.3.20.iso
+gpg --verify securityonion-2.3.30.iso.sig securityonion-2.3.30.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Sun 20 Dec 2020 11:11:28 AM EST using RSA key ID FE507013
+gpg: Signature made Mon 01 Mar 2021 02:15:28 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC "
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg: There is no indication that the signature belongs to the owner.
diff --git a/VERSION b/VERSION
index ad0b729ff..0f1c3e555 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3.30
+2.3.40
diff --git a/salt/common/tools/sbin/so-analyst-install b/salt/common/tools/sbin/so-analyst-install
index e97aca0df..a76fd4784 100755
--- a/salt/common/tools/sbin/so-analyst-install
+++ b/salt/common/tools/sbin/so-analyst-install
@@ -84,7 +84,7 @@ while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do
 echo "## ##"
 echo "## Installing the Security Onion ##"
 echo "## analyst node on this device will ##"
- echo "## make permanenet changes to ##"
+ echo "## make permanent changes to ##"
 echo "## the system. ##"
 echo "## ##"
 echo "###########################################"
diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json
index 0d2bc29b6..3e302c0e6 100644
--- a/salt/soc/files/soc/changes.json
+++ b/salt/soc/files/soc/changes.json
@@ -5,6 +5,7 @@
 { "summary": "CyberChef is now at version 9.27.2." },
 { "summary": "Elastic components are now at version 7.10.2. This is the last version that uses the Apache license." },
 { "summary": "Suricata is now at version 6.0.1." },
+ { "summary": "Salt is now at version 3002.5." },
 { "summary": "Suricata metadata parsing is now vastly improved." },
 { "summary": "If you choose Suricata for metadata parsing, it will now extract files from the network and send them to Strelka. You can add additional mime types here." },
 { "summary": "It is now possible to filter Suricata events from being written to the logs. This is a new Suricata 6 feature. We have included some examples here." },
@@ -12,6 +13,7 @@
 { "summary": "Network configuration is now more compatible with manually configured OpenVPN or Wireguard VPN interfaces." },
 { "summary": "so-sensor-clean will no longer spawn multiple instances." },
 { "summary": "Suricata eve.json logs will now be cleaned up after 7 days. This can be changed via the pillar setting." },
+ { "summary": "Fixed a security issue where the backup directory had improper file permissions." },
 { "summary": "The automated backup script on the manager now backs up all keys along with the salt configurations. Backup retention is now set to 7 days." },
 { "summary": "Strelka logs are now being rotated properly." },
 { "summary": "Elastalert can now be customized via a pillar." },
@@ -43,6 +45,8 @@
 { "summary": "Changes to the .security analyzer yields more accurate query results when using Playbook." },
 { "summary": "Several Hunt queries have been updated." },
 { "summary": "The pfSense firewall log parser has been updated to improve compatibility." },
- { "summary": "Kibana dashboard hyperlinks have been updated for faster navigation." }
+ { "summary": "Kibana dashboard hyperlinks have been updated for faster navigation." },
+ { "summary": "Added a new so-rule script to make it easier to disable, enable, and modify SIDs." },
+ { "summary": "ISO now gives the option to just configure the network during setup." }
 ]
 }
diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf
index 31be621a0..0c447172f 100644
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -684,8 +684,10 @@
 "/scripts/stenoloss.sh",
 "/scripts/suriloss.sh",
 "/scripts/checkfiles.sh",
+ {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
 "/scripts/zeekloss.sh",
 "/scripts/zeekcaptureloss.sh",
+ {% endif %}
 "/scripts/oldpcap.sh",
 "/scripts/raid.sh"
 ]
@@ -697,8 +699,10 @@
 "/scripts/stenoloss.sh",
 "/scripts/suriloss.sh",
 "/scripts/checkfiles.sh",
+ {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
 "/scripts/zeekloss.sh",
 "/scripts/zeekcaptureloss.sh",
+ {% endif %}
 "/scripts/oldpcap.sh",
 "/scripts/eps.sh",
 "/scripts/raid.sh"
@@ -713,8 +717,10 @@
 "/scripts/stenoloss.sh",
 "/scripts/suriloss.sh",
 "/scripts/checkfiles.sh",
+ {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
 "/scripts/zeekloss.sh",
 "/scripts/zeekcaptureloss.sh",
+ {% endif %}
 "/scripts/oldpcap.sh",
 "/scripts/eps.sh",
 "/scripts/raid.sh"
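Review bot: The same Jinja guard `{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %} … {% endif %}` is now pasted verbatim into five separate script lists (the three telegraf.conf hunks here and the two that follow), so the pillar key, its default and the engine name have to be kept in step in five places. A single `{% set zeek_enabled = salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}` near the top of the template, with each block reduced to `{% if zeek_enabled %}`, gives one source of truth and makes a future engine value easier to add. This assumes the tgrafconf state renders this file with `template: jinja`; its file.managed body is outside the init.sls hunk, so that should be confirmed. The enclosing sections of each list start above their hunks.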
@@ -728,8 +734,10 @@
 "/scripts/stenoloss.sh",
 "/scripts/suriloss.sh",
 "/scripts/checkfiles.sh",
+ {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
 "/scripts/zeekloss.sh",
 "/scripts/zeekcaptureloss.sh",
+ {% endif %}
 "/scripts/oldpcap.sh",
 "/scripts/influxdbsize.sh",
 "/scripts/raid.sh"
@@ -742,8 +750,10 @@
 "/scripts/stenoloss.sh",
 "/scripts/suriloss.sh",
 "/scripts/checkfiles.sh",
+ {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
 "/scripts/zeekloss.sh",
 "/scripts/zeekcaptureloss.sh",
+ {% endif %}
 "/scripts/oldpcap.sh",
 "/scripts/helixeps.sh"
 ]
diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls
index 81513eee2..2814eb159 100644
--- a/salt/telegraf/init.sls
+++ b/salt/telegraf/init.sls
@@ -29,6 +29,9 @@ tgrafsyncscripts:
 - file_mode: 700
 - template: jinja
 - source: salt://telegraf/scripts
+{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'SURICATA' %}
+ - exclude_pat: zeekcaptureloss.sh
+{% endif %}
 tgrafconf:
 file.managed:
diff --git a/setup/automation/distributed-iso-search b/setup/automation/distributed-iso-search
index d95d7ff44..cb5721055 100644
--- a/setup/automation/distributed-iso-search
+++ b/setup/automation/distributed-iso-search
@@ -55,7 +55,7 @@ MSRVIP=10.66.166.42
 # NODE_ES_HEAP_SIZE=
 # NODE_LS_HEAP_SIZE=
 NODESETUP=NODEBASIC
-NSMSETUP=BASIC
+NSMSETUP=ADVANCED
 NODEUPDATES=MANAGER
 # OINKCODE=
 # OSQUERY=1
diff --git a/setup/automation/distributed-iso-sensor b/setup/automation/distributed-iso-sensor
index f932c80b4..5df368336 100644
--- a/setup/automation/distributed-iso-sensor
+++ b/setup/automation/distributed-iso-sensor
@@ -55,7 +55,7 @@ MSRVIP=10.66.166.42
 # NODE_ES_HEAP_SIZE=
 # NODE_LS_HEAP_SIZE=
 # NODESETUP=NODEBASIC
-NSMSETUP=BASIC
+NSMSETUP=ADVANCED
 NODEUPDATES=MANAGER
 # OINKCODE=
 # OSQUERY=1
diff --git a/setup/automation/distributed-net-ubuntu-suricata-search b/setup/automation/distributed-net-ubuntu-suricata-search
index 3914a6d1c..010ddcef3 100644
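Review bot: The new `exclude_pat` guard in `tgrafsyncscripts` is keyed on `== 'SURICATA'` while every telegraf.conf guard is keyed on `== 'ZEEK'`, so any other value of `global:mdengine` (including a typo) is handled differently by the two files: the conf stops scheduling the zeek scripts but the state still ships them. It also excludes only `zeekcaptureloss.sh`, whereas the conf stops running both `zeekloss.sh` and `zeekcaptureloss.sh`, leaving `zeekloss.sh` synced to the node but never invoked. Mirroring the conf condition, `{% if salt['pillar.get']('global:mdengine', 'ZEEK') != 'ZEEK' %}`, and widening the pattern to cover both scripts, e.g. `- exclude_pat: zeek*` (exclude_pat accepts a glob, presumably this is a file.recurse state — its state line is outside the hunk), keeps the two in step. A short comment above the guard saying that it must match the telegraf.conf conditions would help the next editor.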
--- a/setup/automation/distributed-net-ubuntu-suricata-search
+++ b/setup/automation/distributed-net-ubuntu-suricata-search
@@ -55,7 +55,7 @@ MSRVIP=10.66.166.66
 # NODE_ES_HEAP_SIZE=
 # NODE_LS_HEAP_SIZE=
 NODESETUP=NODEBASIC
-NSMSETUP=BASIC
+NSMSETUP=ADVANCED
 NODEUPDATES=MANAGER
 # OINKCODE=
 # OSQUERY=1
diff --git a/setup/automation/distributed-net-ubuntu-suricata-sensor b/setup/automation/distributed-net-ubuntu-suricata-sensor
index 2d5e15f15..6aa32c03d 100644
--- a/setup/automation/distributed-net-ubuntu-suricata-sensor
+++ b/setup/automation/distributed-net-ubuntu-suricata-sensor
@@ -27,7 +27,7 @@ BASICZEEK=2
 BASICSURI=2
 # BLOGS=
 BNICS=ens19
-ZEEKVERSION=ZEEK
+ZEEKVERSION=SURICATA
 # CURCLOSEDAYS=
 # EVALADVANCED=BASIC
 # GRAFANA=1
@@ -55,7 +55,7 @@ MSRVIP=10.66.166.66
 # NODE_ES_HEAP_SIZE=
 # NODE_LS_HEAP_SIZE=
 # NODESETUP=NODEBASIC
-NSMSETUP=BASIC
+NSMSETUP=ADVANCED
 NODEUPDATES=MANAGER
 # OINKCODE=
 # OSQUERY=1
diff --git a/setup/so-functions b/setup/so-functions
index e0c8fac38..fe4cf6b39 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -744,23 +744,19 @@ compare_main_nic_ip() {
 if ! [[ $MNIC =~ ^(tun|wg|vpn).*$ ]]; then
 if [[ "$MAINIP" != "$MNIC_IP" ]]; then
 read -r -d '' message <<- EOM
- The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC).
+ The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC).
- This has been known to cause installs to fail in some scenarios.
-
- Please select whether to continue the install or exit setup to remediate any potential issues.
- EOM
- whiptail --title "Security Onion Setup" \
- --yesno "$message" 10 75 \
- --yes-button "Continue" --no-button "Exit" --defaultno
-
- kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1
- fi
+ This is not a supported configuration, please remediate and rerun setup.
+ EOM
+ whiptail --title "Security Onion Setup" --msgbox "$message" 10 75
+ kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1
+ fi
 else
 # Setup uses MAINIP, but since we ignore the equality condition when using a VPN
 # just set the variable to the IP of the VPN interface
 MAINIP=$MNIC_IP
 fi
+
 }
 compare_versions() {
diff --git a/sigs/securityonion-2.3.21.iso.sig b/sigs/securityonion-2.3.21.iso.sig
new file mode 100644
index 000000000..6c49a9391
Binary files /dev/null and b/sigs/securityonion-2.3.21.iso.sig differ
diff --git a/sigs/securityonion-2.3.30.iso.sig b/sigs/securityonion-2.3.30.iso.sig
new file mode 100644
index 000000000..b89b2364a
Binary files /dev/null and b/sigs/securityonion-2.3.30.iso.sig differ
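Review bot: The new message tells the operator to "remediate" but names only the interface, not the two addresses that disagree, so the hard stop the commit introduces is not actionable from the dialog alone; since `$MAINIP` and `$MNIC_IP` are both in scope in the comparison on the line above, the heredoc could read `The IP being routed by Linux ($MAINIP) is not the IP address assigned to the management interface $MNIC ($MNIC_IP).` The re-added first heredoc line is textually identical to the one it replaces, so the change there is presumably indentation; because `<<- EOM` strips leading tabs only, any space indentation on the `+` lines would be carried verbatim into the whiptail msgbox text, which is worth confirming. The `+` blank line added just before the closing `}` is stray whitespace and should be dropped. compare_main_nic_ip starts above the hunk.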