From 1de768c18238f4af25438378d1e8443b69fd9c94 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 6 May 2021 12:02:05 -0400
Subject: [PATCH 01/22] Update HOTFIX
---
HOTFIX | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/HOTFIX b/HOTFIX
index b0bdf03a0..364d0a6a8 100644
--- a/HOTFIX
+++ b/HOTFIX
@@ -1 +1 @@
-GRIDFIX
\ No newline at end of file
+GRIDFIX ZEEKFIX
From 90b3462eadfc67fe08b62f92d71f86011e1a0e95 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 6 May 2021 13:29:15 -0400
Subject: [PATCH 02/22] No recurse for you
---
salt/zeek/init.sls | 1 +
1 file changed, 1 insertion(+)
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index fe6478464..02c1cc1ba 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -78,6 +78,7 @@ zeekspoolownership:
 file.directory:
 - name: /nsm/zeek/spool
 - user: 937
+ - max_depth: 0
 - recurse:
 - user
From a49f2e2d98ae87ea0bcaa1c1fa5f5f33393836fc Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 6 May 2021 13:38:16 -0400
Subject: [PATCH 03/22] change log_level_logfile to error for /opt/so/log/salt/minion
---
salt/salt/minion.sls | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls
index 1a172d851..20a6aaac7 100644
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -43,12 +43,18 @@ hold_salt_packages:
 {% endfor %}
 {% endif %}
+remove_info_log_level_logfile:
+ file.line:
+ - name: /etc/salt/minion
+ - match: "log_level_logfile: info"
+ - mode: delete
+
 set_log_levels:
 file.append:
 - name: /etc/salt/minion
 - text:
 - "log_level: info"
- - "log_level_logfile: info"
+ - "log_level_logfile: error"
 - listen_in:
 - service: salt_minion_service
From fb986b5cff14fe0a7937373397a829e2eab85358 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 6 May 2021 14:55:14 -0400
Subject: [PATCH 04/22] set both log levels to error
---
salt/salt/minion.sls | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
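Review bot: `max_depth: 0` is added to `zeekspoolownership` while `recurse: - user` is kept, which reads as contradictory next to the commit title, and nothing in the state records why the ownership walk should stop at the spool root. A comment above the state id, e.g. `# Only enforce ownership on the spool root itself; walking the whole spool tree on a busy sensor is too expensive`, would make the intent explicit (I believe `max_depth` only has an effect together with `recurse`, so the pairing is otherwise fine). It would also be worth stating in that comment that files created below the spool root by other processes are not re-owned to UID 937, so that behaviour is known to be deliberate.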
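Review bot: Raising the minion logfile level to `error` here, and the console level to `error` in the following commit's hunk on the same file, silences warning-level messages, which are the usual first evidence of state failures, master key problems or Jinja rendering issues when troubleshooting a node; `warning` would still remove the `info` noise these commits are targeting. If `error` is intended, a comment above `set_log_levels` saying so, e.g. `# warnings are intentionally suppressed; only errors are written to /opt/so/log/salt/minion`, keeps the next maintainer from reverting it. The `match` values given to `file.line` are regexes and unanchored; anchoring them (`- match: "^log_level_logfile: info"`) limits the delete to the exact line rather than any line containing that text.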
diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls
index 20a6aaac7..f5770621b 100644
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -49,11 +49,17 @@ remove_info_log_level_logfile:
 - match: "log_level_logfile: info"
 - mode: delete
+remove_info_log_level:
+ file.line:
+ - name: /etc/salt/minion
+ - match: "log_level: info"
+ - mode: delete
+
 set_log_levels:
 file.append:
 - name: /etc/salt/minion
 - text:
- - "log_level: info"
+ - "log_level: error"
 - "log_level_logfile: error"
 - listen_in:
 - service: salt_minion_service
From 74f2a61b25c3697908283660c73ab7b463bfb0e5 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 13 May 2021 09:06:47 -0400
Subject: [PATCH 05/22] install influxdb and grafana during setup prior to final highstate
---
salt/influxdb/init.sls | 4 ++--
setup/so-setup | 7 +++++++
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index c6120d292..9ef9aaae2 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -1,6 +1,8 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
+{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
+
 {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
@@ -11,8 +13,6 @@
 {% from 'salt/map.jinja' import PYTHONINFLUXVERSION with context %}
 {% set PYTHONINFLUXVERSIONINSTALLED = salt['cmd.run']("python3 -c 'import influxdb; print (influxdb.__version__)'", python_shell=True) %}
-{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
-
 include:
 - salt.minion
 - salt.python3-influxdb
diff --git a/setup/so-setup b/setup/so-setup
index 1d8eba9ed..4573da330 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -837,6 +837,13 @@ echo "1" > /root/accept_changes
 set_progress_str 73 "Update playbook rules"
 so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 &
 fi
+
+ if [[ "$GRAFANA" = 1 ]]; then
+ set_progress_str 74 "Installing InfluxDB and Grafana"
+ salt-call state.apply -l info influxdb >> $setup_log 2>&1
+ salt-call state.apply -l info grafana >> $setup_log 2>&1
+ fi
+
 fi
 if [[ "$OSQUERY" = 1 ]]; then
From d3af06e7a4a47d3ff902690834a1f2ec6da7cccc Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 13 May 2021 11:00:42 -0400
Subject: [PATCH 06/22] handle exception if influxdb module doesnt exist
---
salt/influxdb/init.sls | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index 9ef9aaae2..3a309db47 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -1,9 +1,10 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
+{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
+
 {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
-{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
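Review bot: `$setup_log` is unquoted in both new `salt-call` redirections, while the error-check block later in this script (visible in a following commit) quotes it as `"$setup_log"`; quoting here keeps the two consistent and safe if the path ever contains a space. The exit status of the two `state.apply` runs is also discarded, so a failed influxdb or grafana state at step 74 is only noticed by the final grep over the log rather than at the step that caused it; `salt-call state.apply -l info influxdb >> "$setup_log" 2>&1 || SO_ERROR=1` would surface it directly, if `SO_ERROR` is safe to set this early. The enclosing `if` block of this hunk begins outside the hunk.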
@@ -11,7 +12,7 @@
 {% set influxdb = salt['grains.filter_by'](default_settings, default='influxdb', merge=salt['pillar.get']('influxdb', {})) %}
 {% from 'salt/map.jinja' import PYTHON3INFLUX with context %}
 {% from 'salt/map.jinja' import PYTHONINFLUXVERSION with context %}
-{% set PYTHONINFLUXVERSIONINSTALLED = salt['cmd.run']("python3 -c 'import influxdb; print (influxdb.__version__)'", python_shell=True) %}
+{% set PYTHONINFLUXVERSIONINSTALLED = salt['cmd.run']("python3 -c \"exec('try:import influxdb; print (influxdb.__version__)\\nexcept:print(\\'Module Not Found\\')')\"", python_shell=True) %}
 include:
 - salt.minion
From 3859f6464ab0ab6b418c2d39561196a848e28df5 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 14 May 2021 08:56:42 -0400
Subject: [PATCH 07/22] dont be quiet on first grep
---
setup/so-setup | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index 4573da330..4c364ded6 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -926,7 +926,7 @@ if [[ $success != 0 ]]; then SO_ERROR=1; fi
 # Check entire setup log for errors or unexpected salt states and ensure cron jobs are not reporting errors to root's mailbox
 # Ignore "Status .* was not found" due to output from salt http.query or http.wait_for_successful_query states used with retry
-if grep -q -E "ERROR|Result: False" $setup_log | grep -qvE "Status .* was not found" || [[ -s /var/spool/mail/root && "$setup_type" == "iso" ]]; then
+if grep -E "ERROR|Result: False" $setup_log | grep -qvE "Status .* was not found" || [[ -s /var/spool/mail/root && "$setup_type" == "iso" ]]; then
 SO_ERROR=1
 grep --color=never "ERROR" "$setup_log" | grep -qvE "Status .* was not found" > "$error_log"
From 231e07dbbda9a33091be927c70965ddcab26cec7 Mon Sep 17 00:00:00 2001
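Review bot: The bare `except:` in the new `PYTHONINFLUXVERSIONINSTALLED` command reports any import-time failure of the influxdb module as `Module Not Found`, not just a missing module, so a half-installed or broken package looks identical to an absent one and whatever compares this value against `PYTHONINFLUXVERSION` further down (outside the hunk) acts on the wrong state. Catching only the expected exception, `except ImportError:print(\\'Module Not Found\\')`, keeps other failures visible in the salt log. The nested quoting is hard to audit; a `#` comment above the line stating that the command prints the installed version or the literal `Module Not Found` would help the next reader.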
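Review bot: The same `-q` problem this commit fixes on the `if` line remains on the context line two below it: `grep --color=never "ERROR" "$setup_log" | grep -qvE "Status .* was not found" > "$error_log"` has `-q` on the second grep, so nothing is ever written and `$error_log` is always empty. Dropping that `-q` (`| grep -vE "Status .* was not found" > "$error_log"`) makes the error log useful; note that line also only captures `ERROR` while the condition above matches `ERROR|Result: False`, so the two patterns probably want to agree. `$setup_log` on the changed line is still unquoted while the line below quotes it.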
From: m0duspwnens
Date: Fri, 14 May 2021 15:19:45 -0400
Subject: [PATCH 08/22] circumvent file.patch putting ERROR in log if patch doesnt need applied
---
salt/salt/python3-influxdb.sls | 30 ++++++++++++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/salt/salt/python3-influxdb.sls b/salt/salt/python3-influxdb.sls
index acadf2161..055390a27 100644
--- a/salt/salt/python3-influxdb.sls
+++ b/salt/salt/python3-influxdb.sls
@@ -15,6 +15,9 @@ python3_influxdb:
 {{PYTHONINSTALLER}}.installed:
 - name: {{ PYTHON3INFLUX }}
+# We circumvent the file.patch state putting ERROR in the log by using the unless and file.touch below
+# https://github.com/saltstack/salt/pull/47010 and https://github.com/saltstack/salt/issues/52329
+
 #https://github.com/saltstack/salt/issues/59766
 influxdb_continuous_query.present_patch:
 file.patch:
@@ -23,8 +26,15 @@ influxdb_continuous_query.present_patch:
 - require:
 - {{PYTHONINSTALLER}}: python3_influxdb
 - pkg: patch_package
+ - unless: ls /opt/so/state/influxdb_continuous_query.py.patched
-#https://github.com/saltstack/salt/issues/59761
+influxdb_continuous_query.py.patched:
+ file.touch:
+ - name: /opt/so/state/influxdb_continuous_query.py.patched
+ - onchanges:
+ - file: influxdb_continuous_query.present_patch
+
+ #https://github.com/saltstack/salt/issues/59761
 influxdb_retention_policy.present_patch:
 file.patch:
 - name: {{ SALT_STATE_CODE_PATH }}/influxdb_retention_policy.py
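Review bot: The `unless: ls /opt/so/state/influxdb_continuous_query.py.patched` marker added to `influxdb_continuous_query.present_patch` (and the identical pattern for the retention-policy and influxdbmod patches in the following hunks) is never cleared, so if `python3_influxdb` later upgrades or reinstalls the module the patch is skipped and the unpatched state module runs silently, which is the failure mode the marker was meant to avoid logging, not to hide. Removing the marker whenever the install state reports a change, and ordering that before the patch, re-applies the patch exactly when the target file may have changed; `test -f` is also a more precise guard than `ls`, which succeeds for a directory too. The same reset state is needed for each of the three markers.

```yaml
# … unchanged: influxdb_continuous_query.present_patch with its require list …
    - unless: test -f /opt/so/state/influxdb_continuous_query.py.patched

# Drop the marker whenever the module is (re)installed so the patch is re-applied
influxdb_continuous_query.py.patched_reset:
  file.absent:
    - name: /opt/so/state/influxdb_continuous_query.py.patched
    - onchanges:
      - {{PYTHONINSTALLER}}: python3_influxdb
    - require_in:
      - file: influxdb_continuous_query.present_patch
```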
@@ -32,6 +42,13 @@ influxdb_retention_policy.present_patch:
 - require:
 - {{PYTHONINSTALLER}}: python3_influxdb
 - pkg: patch_package
+ - unless: ls /opt/so/state/influxdb_retention_policy.py.patched
+
+influxdb_retention_policy.py.patched:
+ file.touch:
+ - name: /opt/so/state/influxdb_retention_policy.py.patched
+ - onchanges:
+ - file: influxdb_retention_policy.present_patch
 # We should be able to set reload_modules: True in this state in order to tell salt to reload its python modules due to us possibly installing
 # and possibly modifying modules in this state. This is bugged according to https://github.com/saltstack/salt/issues/24925
@@ -41,4 +58,13 @@ influxdbmod.py_shard_duration_patch:
 - source: salt://salt/files/influxdbmod.py.patch
 - require:
 - {{PYTHONINSTALLER}}: python3_influxdb
- - pkg: patch_package
\ No newline at end of file
+ - pkg: patch_package
+ - unless: ls /opt/so/state/influxdbmod.py.patched
+
+influxdbmod.py.patched:
+ file.touch:
+ - name: /opt/so/state/influxdbmod.py.patched
+ - onchanges:
+ - file: influxdbmod.py_shard_duration_patch
+
+
From 54f9e3ff9df127d1ddd2706db5109f414dc4bd4c Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 14 May 2021 16:24:16 -0400
Subject: [PATCH 09/22] remove leading space on comment line
---
salt/salt/python3-influxdb.sls | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/salt/python3-influxdb.sls b/salt/salt/python3-influxdb.sls
index 055390a27..7a59c4303 100644
--- a/salt/salt/python3-influxdb.sls
+++ b/salt/salt/python3-influxdb.sls
@@ -34,7 +34,7 @@ influxdb_continuous_query.py.patched:
 - onchanges:
 - file: influxdb_continuous_query.present_patch
- #https://github.com/saltstack/salt/issues/59761
+#https://github.com/saltstack/salt/issues/59761
 influxdb_retention_policy.present_patch:
 file.patch:
 - name: {{ SALT_STATE_CODE_PATH }}/influxdb_retention_policy.py
From 4c7cee4ebcb9bcf3395ee4bb62eb36b5c858890e Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 17 May 2021 15:55:49 -0400
Subject: [PATCH 10/22] Update VERSION
---
VERSION | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 58e1f4fa9..a986af08b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3.50
+2.3.51
From d001597e52c6b03d5138b1360e7cc465ed77b78f Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 17 May 2021 15:56:46 -0400
Subject: [PATCH 11/22] Update README.md
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 353e51866..d71e83575 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-## Security Onion 2.3.50
+## Security Onion 2.3.51
-Security Onion 2.3.50 is here!
+Security Onion 2.3.51 is here!
 ## Screenshots
From e50002e0ca5f5764212b28c3ee9bc3919984b6bc Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 17 May 2021 16:26:12 -0400
Subject: [PATCH 12/22] influx and grafana default for manager nodes - https://github.com/Security-Onion-Solutions/securityonion/issues/4207
---
salt/grafana/init.sls | 2 +-
salt/influxdb/init.sls | 2 +-
salt/soc/files/soc/soc.json | 2 +-
setup/so-whiptail | 12 ++++++++++++
4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls
index 4a0cc7b08..b6e20bb9d 100644
--- a/salt/grafana/init.sls
+++ b/salt/grafana/init.sls
@@ -11,7 +11,7 @@
 {% set GRAFANA_SETTINGS = salt['grains.filter_by'](default_settings, default='grafana', merge=salt['pillar.get']('grafana', {})) %}
-{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
+{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %}
 # Grafana all the things
 grafanadir:
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index aace4e827..485cc951b 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
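Review bot: The new grafana/init.sls condition mixes two spellings of the same grain, `grains['role']` and `grains.role`, in one expression; one form, e.g. `or (grains['role'] == 'so-eval' and GRAFANA == 1)`, reads more consistently with the rest of the line. Where `GRAFANA` is defined in this file is outside the hunk, but the sibling influxdb/init.sls on this page sets it with `salt['pillar.get']('manager:grafana', '0')`, a string default; if grafana does the same, `GRAFANA == 1` is only true when the pillar stores an integer, and `GRAFANA|int == 1` would accept either representation.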
@@ -6,7 +6,7 @@
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
+{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %}
 # Influx DB
 influxconfdir:
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 6f1c3a6da..266b602aa 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -54,7 +54,7 @@
 "verifyCert": false
 },
 "influxdb": {
-{%- if grains['role'] in ['so-import'] %}
+{%- if grains['role'] in ['so-import'] or GRAFANA == 0 %}
 "hostUrl": "",
 {%- else %}
 "hostUrl": "https://{{ MANAGERIP }}:8086",
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 09346828f..5eca2d39a 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -408,6 +408,7 @@ whiptail_enable_components() {
 PLAYBOOK=0
 STRELKA=0
+if [[ $is_eval ]]; then
 COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
 "Select Components to install:" 20 75 8 \
 GRAFANA "Enable Grafana for system monitoring" ON \
@@ -416,6 +417,17 @@ whiptail_enable_components() {
 THEHIVE "Enable TheHive" ON \
 PLAYBOOK "Enable Playbook" ON \
 STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3)
+else
+ COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
+ "Select Components to install:" 20 75 7 \
+ OSQUERY "Enable Fleet with osquery" ON \
+ WAZUH "Enable Wazuh" ON \
+ THEHIVE "Enable TheHive" ON \
+ PLAYBOOK "Enable Playbook" ON \
+ STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3)
+ export "GRAFANA=1"
+fi
+
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
From ef32bff302a8781e68bbf55ceb9fcaa079125fba Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 17 May 2021 18:29:27 -0400
Subject: [PATCH 13/22] fix up soc.json
---
salt/soc/files/soc/soc.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
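Review bot: `local exitstatus=$?` after the new `fi` in `whiptail_enable_components` no longer reflects the whiptail call on the non-eval path: the last command executed in the `else` branch is `export "GRAFANA=1"`, which always succeeds, so a cancelled dialog passes `whiptail_check_exitstatus` and setup continues with an empty `COMPONENTS`. Moving `export GRAFANA=1` above the `COMPONENTS=$(whiptail …)` line in that branch, or capturing `exitstatus` inside each branch immediately after the assignment, restores the check. On the eval path the status of the assignment is the substitution's status, so that branch is unaffected. The function continues outside the hunk.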
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 266b602aa..5dfd364d2 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -54,7 +54,7 @@
 "verifyCert": false
 },
 "influxdb": {
-{%- if grains['role'] in ['so-import'] or GRAFANA == 0 %}
+{%- if grains['role'] in ['so-import'] or (grains['role'] == 'so-eval' and GRAFANA == 0) %}
 "hostUrl": "",
 {%- else %}
 "hostUrl": "https://{{ MANAGERIP }}:8086",
From 0de1c9a6696144f8e46eca2a6a420649690ba55b Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 18 May 2021 07:57:00 -0400
Subject: [PATCH 14/22] removing unreference pillar file docker/config.sls
---
pillar/docker/config.sls | 208 ---------------------------------------
1 file changed, 208 deletions(-)
delete mode 100644 pillar/docker/config.sls
diff --git a/pillar/docker/config.sls b/pillar/docker/config.sls
deleted file mode 100644
index da6fac83a..000000000
--- a/pillar/docker/config.sls
+++ /dev/null
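Review bot: `GRAFANA == 0` compares against an integer, while the other states on this page read `GRAFANA` with `salt['pillar.get']('manager:grafana', '0')`, a string default; if soc.json defines it the same way (its definition is outside the hunk), an eval node with Grafana unset still renders `hostUrl` pointing at port 8086 on the manager, and SOC will try to reach a service that is not there. Normalising the comparison, `GRAFANA|int == 0`, or using the same literal type everywhere removes the ambiguity. This eval-only rule now also lives in grafana/init.sls and influxdb/init.sls in the same series; a single flag computed in a shared map.jinja would keep the three from drifting.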
@@ -1,208 +0,0 @@ -{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%} -{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%} -{% set WAZUH = salt['pillar.get']('manager:wazuh', '0') %} -{% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %} -{% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} -{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %} -{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %} -{% set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %} -{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} - -eval: - containers: - - so-nginx - - so-telegraf - {% if GRAFANA == '1' %} - - so-influxdb - - so-grafana - {% endif %} - - so-dockerregistry - - so-soc - - so-kratos - - so-idstools - {% if FLEETMANAGER %} - - so-mysql - - so-fleet - - so-redis - {% endif %} - - so-elasticsearch - - so-logstash - - so-kibana - - so-steno - - so-suricata - - so-zeek - - so-curator - - so-elastalert - {% if WAZUH != '0' %} - - so-wazuh - {% endif %} - - so-soctopus - {% if THEHIVE != '0' %} - - so-thehive - - so-thehive-es - - so-cortex - {% endif %} - {% if PLAYBOOK != '0' %} - - so-playbook - {% endif %} - {% if FREQSERVER != '0' %} - - so-freqserver - {% endif %} - {% if DOMAINSTATS != '0' %} - - so-domainstats - {% endif %} -heavy_node: - containers: - - so-nginx - - so-telegraf - - so-redis - - so-logstash - - so-elasticsearch - - so-curator - - so-steno - - so-suricata - - so-wazuh - - so-filebeat - {% if ZEEKVER != 'SURICATA' %} - - so-zeek - {% endif %} -helix: - containers: - - so-nginx - - so-telegraf - - so-idstools - - so-steno - - so-zeek - - so-redis - - so-logstash - - so-filebeat -hot_node: - containers: - - so-nginx - - so-telegraf - - so-logstash - - so-elasticsearch - - so-curator -manager_search: - containers: - - so-nginx - - so-telegraf - - so-soc - - so-kratos - - so-acng - - so-idstools - - so-redis - - so-logstash - - so-elasticsearch - 
- so-curator - - so-kibana - - so-elastalert - - so-filebeat - - so-soctopus - {% if FLEETMANAGER %} - - so-mysql - - so-fleet - - so-redis - {% endif %} - {% if WAZUH != '0' %} - - so-wazuh - {% endif %} - - so-soctopus - {% if THEHIVE != '0' %} - - so-thehive - - so-thehive-es - - so-cortex - {% endif %} - {% if PLAYBOOK != '0' %} - - so-playbook - {% endif %} - {% if FREQSERVER != '0' %} - - so-freqserver - {% endif %} - {% if DOMAINSTATS != '0' %} - - so-domainstats - {% endif %} -manager: - containers: - - so-dockerregistry - - so-nginx - - so-telegraf - {% if GRAFANA == '1' %} - - so-influxdb - - so-grafana - {% endif %} - - so-soc - - so-kratos - - so-acng - - so-idstools - - so-redis - - so-elasticsearch - - so-logstash - - so-kibana - - so-elastalert - - so-filebeat - {% if FLEETMANAGER %} - - so-mysql - - so-fleet - - so-redis - {% endif %} - {% if WAZUH != '0' %} - - so-wazuh - {% endif %} - - so-soctopus - {% if THEHIVE != '0' %} - - so-thehive - - so-thehive-es - - so-cortex - {% endif %} - {% if PLAYBOOK != '0' %} - - so-playbook - {% endif %} - {% if FREQSERVER != '0' %} - - so-freqserver - {% endif %} - {% if DOMAINSTATS != '0' %} - - so-domainstats - {% endif %} -parser_node: - containers: - - so-nginx - - so-telegraf - - so-logstash -search_node: - containers: - - so-nginx - - so-telegraf - - so-logstash - - so-elasticsearch - - so-curator - - so-filebeat - {% if WAZUH != '0' %} - - so-wazuh - {% endif %} -sensor: - containers: - - so-nginx - - so-telegraf - - so-steno - - so-suricata - {% if ZEEKVER != 'SURICATA' %} - - so-zeek - {% endif %} - - so-wazuh - - so-filebeat -warm_node: - containers: - - so-nginx - - so-telegraf - - so-elasticsearch -fleet: - containers: - {% if FLEETNODE %} - - so-mysql - - so-fleet - - so-redis - - so-filebeat - - so-nginx - - so-telegraf - {% endif %} \ No newline at end of file From fe155222c24c3ca01769c659e20a25f01a178cfb Mon Sep 17 00:00:00 2001 
From: Jason Ertel
Date: Tue, 18 May 2021 09:51:54 -0400
Subject: [PATCH 15/22] Introduce mixed-case sensor into distributed test
---
setup/automation/distributed-iso-sensor | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/automation/distributed-iso-sensor b/setup/automation/distributed-iso-sensor
index 955019bd8..90be8ccd5 100644
--- a/setup/automation/distributed-iso-sensor
+++ b/setup/automation/distributed-iso-sensor
@@ -34,7 +34,7 @@ ZEEKVERSION=ZEEK
 # HELIXAPIKEY=
 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
 HNSENSOR=inherit
-HOSTNAME=distributed-sensor
+HOSTNAME=Distributed-Sensor
 install_type=SENSOR
 # LSINPUTBATCHCOUNT=
 # LSINPUTTHREADS=
From 25e2edc6d238fceccdf6e6d3e48bf883bd35f6ba Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 18 May 2021 12:31:33 -0400
Subject: [PATCH 16/22] Reset HOTFIX with new release
---
HOTFIX | 1 -
1 file changed, 1 deletion(-)
diff --git a/HOTFIX b/HOTFIX
index 364d0a6a8..e69de29bb 100644
--- a/HOTFIX
+++ b/HOTFIX
@@ -1 +0,0 @@
-GRIDFIX ZEEKFIX
From ac42cba50b6e4679d5dd976bfb1f11fa8428eec6 Mon Sep 17 00:00:00 2001
From: Masaya-A <68965261+Masaya-A@users.noreply.github.com>
Date: Wed, 19 May 2021 09:06:02 +0900
Subject: [PATCH 17/22] Adding MAC Address for NIC List
---
setup/so-functions | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index dfe79f674..bc5d9d1ca 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1348,15 +1348,16 @@ filter_unused_nics() {
 nic_list=()
 for nic in "${filtered_nics[@]}"; do
+ local nic_mac=$(cat "/sys/class/net/${nic}/address")
 case $(cat "/sys/class/net/${nic}/carrier" 2>/dev/null) in
 1)
- nic_list+=("$nic" "Link UP " "OFF")
+ nic_list+=("$nic" "$nic_mac" "Link UP " "OFF")
 ;;
 0)
- nic_list+=("$nic" "Link DOWN " "OFF")
+ nic_list+=("$nic" "$nic_mac" "Link DOWN " "OFF")
 ;;
 *)
- nic_list+=("$nic" "Link UNKNOWN " "OFF")
+ nic_list+=("$nic" "$nic_mac" "Link UNKNOWN " "OFF")
 ;;
 esac
 done
From 6af126b87200e616864e5788798790919928b84a Mon Sep 17 00:00:00 2001
From: Masaya-A <68965261+Masaya-A@users.noreply.github.com>
Date: Wed, 19 May 2021 10:02:19 +0900
Subject: [PATCH 18/22] Fix array
---
setup/so-functions | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index bc5d9d1ca..8cdbc2596 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1351,13 +1351,13 @@ filter_unused_nics() {
 local nic_mac=$(cat "/sys/class/net/${nic}/address")
 case $(cat "/sys/class/net/${nic}/carrier" 2>/dev/null) in
 1)
- nic_list+=("$nic" "$nic_mac" "Link UP " "OFF")
+ nic_list+=("$nic" "$nic_mac Link UP " "OFF")
 ;;
 0)
- nic_list+=("$nic" "$nic_mac" "Link DOWN " "OFF")
+ nic_list+=("$nic" "$nic_mac Link DOWN " "OFF")
 ;;
 *)
- nic_list+=("$nic" "$nic_mac" "Link UNKNOWN " "OFF")
+ nic_list+=("$nic" "$nic_mac Link UNKNOWN " "OFF")
 ;;
 esac
 done
From b440f733366c6eb946f4a7852207ad59a70ae283 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 19 May 2021 18:37:08 -0400
Subject: [PATCH 19/22] Truncate wait_for_web_response.log before each wait invocation
---
salt/common/tools/sbin/so-common | 1 +
1 file changed, 1 insertion(+)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 22c7543ea..56123f418 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -487,6 +487,7 @@ wait_for_web_response() {
 expected=$2
 maxAttempts=${3:-300}
 logfile=/root/wait_for_web_response.log
+ truncate -s 0 "$logfile"
 attempt=0
 while [[ $attempt -lt $maxAttempts ]]; do
 attempt=$((attempt+1))
From 3450219bc7073fb692259ed185fc88eca2dd516e Mon Sep 17 00:00:00 2001
From: Masaya-A <68965261+Masaya-A@users.noreply.github.com>
Date: Thu, 20 May 2021 09:33:14 +0900
Subject: [PATCH 20/22] Drop error to /dev/null
---
setup/so-functions | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 8cdbc2596..5ce3d6dee 100755
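Review bot: `truncate -s 0 "$logfile"` in `wait_for_web_response` now resets a fixed path under /root on every call, but the variables around it (`expected`, `maxAttempts`, `logfile`, `attempt`) are still assigned without `local`, so they leak into the caller's scope and successive or nested waits overwrite each other's state; `local logfile=/root/wait_for_web_response.log` and the same on the other three lines is a one-word change each. If a coreutils dependency is to be avoided, `: > "$logfile"` truncates with a shell builtin. The function begins and continues outside the hunk.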
--- a/setup/so-functions +++ b/setup/so-functions @@ -1348,7 +1348,7 @@ filter_unused_nics() { nic_list=() for nic in "${filtered_nics[@]}"; do - local nic_mac=$(cat "/sys/class/net/${nic}/address") + local nic_mac=$(cat "/sys/class/net/${nic}/address" 2>/dev/null) case $(cat "/sys/class/net/${nic}/carrier" 2>/dev/null) in 1) nic_list+=("$nic" "$nic_mac Link UP " "OFF") From 7aed01658fe25e821e9542e9947665d2972a6fd4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 20 May 2021 22:10:36 -0400 Subject: [PATCH 21/22] Sig file for 2.3.51 --- VERIFY_ISO.md | 22 +++++++++++----------- sigs/securityonion-2.3.51.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.51.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 2b97521dd..018d9e916 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,17 +1,17 @@ -### 2.3.50 ISO image built on 2021/04/27 +### 2.3.51 ISO image built on 2021/04/27 ### Download and Verify -2.3.50 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso +2.3.51 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.51.iso -MD5: C39CEA68B5A8AFC5CFFB2481797C0374 -SHA1: 00AD9F29ABE3AB495136989E62EBB8FA00DA82C6 -SHA256: D77AE370D7863837A989F6735413D1DD46B866D8D135A4C363B0633E3990387E +MD5: 7CFB525BEFC0A9F2ED148F5831E387FA +SHA1: 8CC34FCCC36822B309B8168AA706B3D1EC7F3BFD +SHA256: 9892C2546C9AE5A48015160F379B070F0BE30C89693B97F3F1E1592DDCE1DEE0 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.51.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.51.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.51.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.50.iso.sig securityonion-2.3.50.iso +gpg --verify securityonion-2.3.51.iso.sig securityonion-2.3.51.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Tue 27 Apr 2021 02:17:25 PM EDT using RSA key ID FE507013 +gpg: Signature made Thu 20 May 2021 07:49:57 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.3.51.iso.sig b/sigs/securityonion-2.3.51.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..80137a352152bb142a0ae0d7926ac00aff4b0357 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;8EOyvLy2@re`V7LBIa1%&k5C2n+tWPThb0s2 zN5K+$mR8o|yx}I|O-OsnamJ#p&1!`3iX*IDpTyXuf8hx7^*Mx;#+8b5@IkzIu^S7t zubXL$t0%IHQ!0^Pt$2s;cvlCAxW??=O3#4`i@DTuTc_tm*}+iNodb~MhRI|d-7s-_ zRtSk={KP|UGUfHV%G z8+S&nNnv4jm}<^1etZC{v}TLvI2!{w=wjc1E*=nu%|OFkP)q{t$W+qxldpv|BguU$ zwd5eMir&G8VS4vhh!r5wD4>c&Nhn6pVPNao_5G3?n}KLn)tSjpD0tg1;xnn8q_Vbp zSpYprNxdL|n+Ol~FhWIupF2ELwoq&m3PBW0Sfra18PlSt0f%l2 ztVaFaGx?;kjP{C`Ln< z4@d%!)Q~Z_NPCkH*8Y(aY%ajD8jB#hVTkFPrpc2&4c2 literal 0 HcmV?d00001 
From c1dd4dafe47001101e949d5a8fbefaca0d97f987 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Fri, 21 May 2021 12:41:10 -0400
Subject: [PATCH 22/22] Fix influx state
---
salt/influxdb/init.sls | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index bafcbd53b..346d971fd 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -3,7 +3,7 @@
 {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
-{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
+{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
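Review bot: This is the third copy of the manager/eval enablement condition in the series (grafana/init.sls and soc.json carry the same logic in earlier commits), and it has already drifted once, which is what this fix repairs; computing one flag in a shared map.jinja and importing it in all three files would prevent the next drift. `GRAFANA` is read two lines above with the string default `'0'`, so `GRAFANA == 1` is true only when the pillar stores an integer; `GRAFANA|int == 1` accepts either representation. The expression also mixes `grains['role']` and `grains.role`, which the same line could spell one way.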