Merge branch 'dev' into feature/docker-prune-rework

salt/common/tools/sbin/so-analyst-install

@@ -84,7 +84,7 @@ while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do
     echo "##                                       ##"
     echo "##    Installing the Security Onion      ##"
     echo "##   analyst node on this device will    ##"
-    echo "##      make permanenet changes to       ##"
+    echo "##       make permanent changes to       ##"
     echo "##              the system.              ##"
     echo "##                                       ##"
     echo "###########################################"

salt/soc/files/soc/changes.json

@@ -5,6 +5,7 @@
 		{ "summary": "CyberChef is now at version 9.27.2." },
 		{ "summary": "Elastic components are now at version 7.10.2. This is the last version that uses the Apache license." },
 		{ "summary": "Suricata is now at version 6.0.1." },
+		{ "summary": "Salt is now at version 3002.5." },
 		{ "summary": "Suricata metadata parsing is now vastly improved." },
 		{ "summary": "If you choose Suricata for metadata parsing, it will now extract files from the network and send them to Strelka. You can add additional mime types <a href='https://github.com/Security-Onion-Solutions/securityonion/blob/dev/salt/idstools/sorules/extraction.rules'>here</a>." },
 		{ "summary": "It is now possible to filter Suricata events from being written to the logs. This is a new Suricata 6 feature. We have included some examples <a href='https://github.com/Security-Onion-Solutions/securityonion/blob/dev/salt/idstools/sorules/filters.rules'>here</a>." },
@@ -12,6 +13,7 @@
 		{ "summary": "Network configuration is now more compatible with manually configured OpenVPN or Wireguard VPN interfaces." },
 		{ "summary": "<code>so-sensor-clean</code> will no longer spawn multiple instances." },
 		{ "summary": "Suricata eve.json logs will now be cleaned up after 7 days. This can be changed via the pillar setting." },
+		{ "summary": "Fixed a security issue where the backup directory had improper file permissions." },
 		{ "summary": "The automated backup script on the manager now backs up all keys along with the salt configurations. Backup retention is now set to 7 days." },
 		{ "summary": "Strelka logs are now being rotated properly." },
 		{ "summary": "Elastalert can now be customized via a pillar." },
@@ -43,6 +45,8 @@
 		{ "summary": "Changes to the <i>.security</i> analyzer yields more accurate query results when using Playbook." },
 		{ "summary": "Several Hunt queries have been updated." },
 		{ "summary": "The pfSense firewall log parser has been updated to improve compatibility." },
-		{ "summary": "Kibana dashboard hyperlinks have been updated for faster navigation." }
+		{ "summary": "Kibana dashboard hyperlinks have been updated for faster navigation." },
+		{ "summary": "Added a new <code>so-rule</code> script to make it easier to disable, enable, and modify SIDs." },
+		{ "summary": "ISO now gives the option to just configure the network during setup." }
   ]
 }

salt/telegraf/etc/telegraf.conf

@@ -684,8 +684,10 @@
       "/scripts/stenoloss.sh",
       "/scripts/suriloss.sh",
       "/scripts/checkfiles.sh",
+  {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
       "/scripts/zeekloss.sh",
       "/scripts/zeekcaptureloss.sh",
+  {% endif %}
       "/scripts/oldpcap.sh",
       "/scripts/raid.sh"
    ]
@@ -697,8 +699,10 @@
       "/scripts/stenoloss.sh",
       "/scripts/suriloss.sh",
       "/scripts/checkfiles.sh",
+  {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
       "/scripts/zeekloss.sh",
       "/scripts/zeekcaptureloss.sh",
+  {% endif %}
       "/scripts/oldpcap.sh",
       "/scripts/eps.sh",
       "/scripts/raid.sh"
@@ -713,8 +717,10 @@
       "/scripts/stenoloss.sh",
       "/scripts/suriloss.sh",
       "/scripts/checkfiles.sh",
+  {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
       "/scripts/zeekloss.sh",
       "/scripts/zeekcaptureloss.sh",
+  {% endif %}
       "/scripts/oldpcap.sh",
       "/scripts/eps.sh",
       "/scripts/raid.sh"
@@ -728,8 +734,10 @@
       "/scripts/stenoloss.sh",
       "/scripts/suriloss.sh",
       "/scripts/checkfiles.sh",
+  {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
       "/scripts/zeekloss.sh",
       "/scripts/zeekcaptureloss.sh",
+  {% endif %}
       "/scripts/oldpcap.sh",
       "/scripts/influxdbsize.sh",
       "/scripts/raid.sh"
@@ -742,8 +750,10 @@
     "/scripts/stenoloss.sh",
     "/scripts/suriloss.sh",
     "/scripts/checkfiles.sh",
+  {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
     "/scripts/zeekloss.sh",
     "/scripts/zeekcaptureloss.sh",
+  {% endif %}
     "/scripts/oldpcap.sh",
     "/scripts/helixeps.sh"
   ]

salt/telegraf/init.sls

@@ -29,6 +29,9 @@ tgrafsyncscripts:
     - file_mode: 700
     - template: jinja
     - source: salt://telegraf/scripts
+{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'SURICATA' %}
+    - exclude_pat: zeekcaptureloss.sh
+{% endif %}
 
 tgrafconf:
   file.managed: