diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml index 8e2592071..9c897d2bd 100644 --- a/.github/DISCUSSION_TEMPLATE/2-4.yml +++ b/.github/DISCUSSION_TEMPLATE/2-4.yml @@ -11,7 +11,6 @@ body: description: Which version of Security Onion 2.4.x are you asking about? options: - - - 2.4 Pre-release (Beta, Release Candidate) - 2.4.10 - 2.4.20 - 2.4.30 @@ -22,6 +21,7 @@ body: - 2.4.80 - 2.4.90 - 2.4.100 + - 2.4.110 - Other (please provide detail below) validations: required: true @@ -32,9 +32,10 @@ body: options: - - Security Onion ISO image - - Network installation on Red Hat derivative like Oracle, Rocky, Alma, etc. - - Network installation on Ubuntu - - Network installation on Debian + - Cloud image (Amazon, Azure, Google) + - Network installation on Red Hat derivative like Oracle, Rocky, Alma, etc. (unsupported) + - Network installation on Ubuntu (unsupported) + - Network installation on Debian (unsupported) - Other (please provide detail below) validations: required: true diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index df8904e0a..ffeb0fe32 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,17 +1,17 @@ -### 2.4.90-20240729 ISO image released on 2024/07/29 +### 2.4.100-20240903 ISO image released on 2024/09/03 ### Download and Verify -2.4.90-20240729 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.90-20240729.iso +2.4.100-20240903 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.100-20240903.iso -MD5: 9A7714F5922EE555F08675D25E6237D5 -SHA1: D3B331452627DB716906BA9F3922574DFA3852DC -SHA256: 5B0CE32543944DBC50C4E906857384211E1BE83EF409619778F18FC62017E0E0 +MD5: 856BBB4F0764C0A479D8949725FC096B +SHA1: B3FCFB8F1031EB8AA833A90C6C5BB61328A73842 +SHA256: 0103EB9D78970396BB47CBD18DA1FFE64524F5C1C559487A1B2D293E1882B265 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.90-20240729.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.100-20240903.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS @@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.90-20240729.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.100-20240903.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.90-20240729.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.100-20240903.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.90-20240729.iso.sig securityonion-2.4.90-20240729.iso +gpg --verify securityonion-2.4.100-20240903.iso.sig securityonion-2.4.100-20240903.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Thu 25 Jul 2024 06:51:11 PM EDT using RSA key ID FE507013 +gpg: Signature made Sat 31 Aug 2024 05:05:05 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/VERSION b/VERSION index fd912cb25..3cda1f5a4 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.100 +2.4.110 diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 902aabaa3..6ae35324f 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -8,12 +8,6 @@ # Elastic agent is not managed by salt. Because of this we must store this base information in a # script that accompanies the soup system. Since so-common is one of those special soup files, # and since this same logic is required during installation, it's included in this file. -ELASTIC_AGENT_TARBALL_VERSION="8.14.3" -ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" -ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" -ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" -ELASTIC_AGENT_MD5="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" -ELASTIC_AGENT_EXPANSION_DIR=/nsm/elastic-fleet/artifacts/beats/elastic-agent DEFAULT_SALT_DIR=/opt/so/saltstack/default DOC_BASE_URL="https://docs.securityonion.net/en/2.4" @@ -174,6 +168,46 @@ check_salt_minion_status() { return $status } +# Compare es versions and return the highest version +compare_es_versions() { + # Save the original IFS + local OLD_IFS="$IFS" + + IFS=. + local i ver1=($1) ver2=($2) + + # Restore the original IFS + IFS="$OLD_IFS" + + # Determine the maximum length between the two version arrays + local max_len=${#ver1[@]} + if [[ ${#ver2[@]} -gt $max_len ]]; then + max_len=${#ver2[@]} + fi + + # Compare each segment of the versions + for ((i=0; i 10#${ver2[i]})); then + echo "$1" + return 0 + fi + if ((10#${ver1[i]} < 10#${ver2[i]})); then + echo "$2" + return 0 + fi + done + + echo "$1" # If versions are equal, return either + return 0 +} + copy_new_files() { # Copy new files over to the salt dir cd $UPDATE_DIR @@ -263,11 +297,6 @@ fail() { exit 1 } -get_random_value() { - length=${1:-20} - head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1 -} - get_agent_count() { if [ -f /opt/so/log/agents/agentstatus.log ]; then AGENTCOUNT=$(cat /opt/so/log/agents/agentstatus.log | grep -wF active | awk '{print $2}') @@ -276,6 +305,27 @@ get_agent_count() { fi } +get_elastic_agent_vars() { + local path="${1:-/opt/so/saltstack/default}" + local defaultsfile="${path}/salt/elasticsearch/defaults.yaml" + + if [ -f "$defaultsfile" ]; then + ELASTIC_AGENT_TARBALL_VERSION=$(egrep " +version: " $defaultsfile | awk -F: '{print $2}' | tr -d '[:space:]') + ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" + ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" + ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" + ELASTIC_AGENT_MD5="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" + ELASTIC_AGENT_EXPANSION_DIR=/nsm/elastic-fleet/artifacts/beats/elastic-agent + else + fail "Could not find salt/elasticsearch/defaults.yaml" + fi +} + +get_random_value() { + length=${1:-20} + head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1 +} + gpg_rpm_import() { if [[ $is_oracle ]]; then if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then @@ -627,6 +677,8 @@ has_uppercase() { } update_elastic_agent() { + local path="${1:-/opt/so/saltstack/default}" + get_elastic_agent_vars "$path" echo "Checking if Elastic Agent update is necessary..." download_and_verify "$ELASTIC_AGENT_URL" "$ELASTIC_AGENT_MD5_URL" "$ELASTIC_AGENT_FILE" "$ELASTIC_AGENT_MD5" "$ELASTIC_AGENT_EXPANSION_DIR" } diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index 03051cb5f..bb827c0af 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -112,6 +112,10 @@ update_docker_containers() { container_list fi + # all the images using ELASTICSEARCHDEFAULTS.elasticsearch.version + # does not include so-elastic-fleet since that container uses so-elastic-agent image + local IMAGES_USING_ES_VERSION=("so-elasticsearch") + rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1 mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1 @@ -139,15 +143,34 @@ update_docker_containers() { $PROGRESS_CALLBACK $i fi + if [[ " ${IMAGES_USING_ES_VERSION[*]} " =~ [[:space:]]${i}[[:space:]] ]]; then + # this is an es container so use version defined in elasticsearch defaults.yaml + local UPDATE_DIR='/tmp/sogh/securityonion' + if [ ! -d "$UPDATE_DIR" ]; then + UPDATE_DIR=/securityonion + fi + local v1=0 + local v2=0 + if [[ -f "$UPDATE_DIR/salt/elasticsearch/defaults.yaml" ]]; then + v1=$(egrep " +version: " "$UPDATE_DIR/salt/elasticsearch/defaults.yaml" | awk -F: '{print $2}' | tr -d '[:space:]') + fi + if [[ -f "$DEFAULT_SALT_DIR/salt/elasticsearch/defaults.yaml" ]]; then + v2=$(egrep " +version: " "$DEFAULT_SALT_DIR/salt/elasticsearch/defaults.yaml" | awk -F: '{print $2}' | tr -d '[:space:]') + fi + local highest_es_version=$(compare_es_versions "$v1" "$v2") + local image=$i:$highest_es_version$IMAGE_TAG_SUFFIX + else + # this is not an es container so use the so version for the version + local image=$i:$VERSION$IMAGE_TAG_SUFFIX + fi # Pull down the trusted docker image - local image=$i:$VERSION$IMAGE_TAG_SUFFIX run_check_net_err \ "docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image" \ "Could not pull $image, please ensure connectivity to $CONTAINER_REGISTRY" >> "$LOG_FILE" 2>&1 # Get signature run_check_net_err \ - "curl --retry 5 --retry-delay 60 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" \ + "curl --retry 5 --retry-delay 60 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$image.sig --output $SIGNPATH/$image.sig" \ "Could not pull signature file for $image, please ensure connectivity to https://sigs.securityonion.net " \ noretry >> "$LOG_FILE" 2>&1 # Dump our hash values diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 1e37364bc..5a0d1f61a 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -20,41 +20,41 @@ dockergroup: dockerheldpackages: pkg.installed: - pkgs: - - containerd.io: 1.6.33-1 - - docker-ce: 5:26.1.4-1~debian.12~bookworm - - docker-ce-cli: 5:26.1.4-1~debian.12~bookworm - - docker-ce-rootless-extras: 5:26.1.4-1~debian.12~bookworm + - containerd.io: 1.7.21-1 + - docker-ce: 5:27.2.0-1~debian.12~bookworm + - docker-ce-cli: 5:27.2.0-1~debian.12~bookworm + - docker-ce-rootless-extras: 5:27.2.0-1~debian.12~bookworm - hold: True - update_holds: True {% elif grains.oscodename == 'jammy' %} dockerheldpackages: pkg.installed: - pkgs: - - containerd.io: 1.6.33-1 - - docker-ce: 5:26.1.4-1~ubuntu.22.04~jammy - - docker-ce-cli: 5:26.1.4-1~ubuntu.22.04~jammy - - docker-ce-rootless-extras: 5:26.1.4-1~ubuntu.22.04~jammy + - containerd.io: 1.7.21-1 + - docker-ce: 5:27.2.0-1~ubuntu.22.04~jammy + - docker-ce-cli: 5:27.2.0-1~ubuntu.22.04~jammy + - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.22.04~jammy - hold: True - update_holds: True {% else %} dockerheldpackages: pkg.installed: - pkgs: - - containerd.io: 1.6.33-1 - - docker-ce: 5:26.1.4-1~ubuntu.20.04~focal - - docker-ce-cli: 5:26.1.4-1~ubuntu.20.04~focal - - docker-ce-rootless-extras: 5:26.1.4-1~ubuntu.20.04~focal + - containerd.io: 1.7.21-1 + - docker-ce: 5:27.2.0-1~ubuntu.20.04~focal + - docker-ce-cli: 5:27.2.0-1~ubuntu.20.04~focal + - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.20.04~focal - hold: True - update_holds: True -{% endif %} +{% endif %} {% else %} dockerheldpackages: pkg.installed: - pkgs: - - containerd.io: 1.6.33-3.1.el9 - - docker-ce: 3:26.1.4-1.el9 - - docker-ce-cli: 1:26.1.4-1.el9 - - docker-ce-rootless-extras: 26.1.4-1.el9 + - containerd.io: 1.7.21-3.1.el9 + - docker-ce: 3:27.2.0-1.el9 + - docker-ce-cli: 1:27.2.0-1.el9 + - docker-ce-rootless-extras: 27.2.0-1.el9 - hold: True - update_holds: True {% endif %} diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index 7d0f401e9..3c20c916f 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -8,7 +8,6 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER %} - include: - elasticagent.config - elasticagent.sostatus diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers index 1ade49e44..e2b7d734b 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers @@ -13,6 +13,9 @@ LOG="/opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log" +# get the variables needed such as ELASTIC_AGENT_TARBALL_VERSION +get_elastic_agent_vars + # Check to see if we are already running NUM_RUNNING=$(pgrep -cf "/bin/bash /sbin/so-elastic-agent-gen-installers") [ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING gen installers script processes running...exiting." >>$LOG && exit 0 @@ -36,6 +39,7 @@ printf "\n### Creating a temp directory at /nsm/elastic-agent-workspace\n" rm -rf /nsm/elastic-agent-workspace mkdir -p /nsm/elastic-agent-workspace + printf "\n### Extracting outer tarball and then each individual tarball/zip\n" tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-agent-workspace/ unzip -q /nsm/elastic-agent-workspace/elastic-agent-*.zip -d /nsm/elastic-agent-workspace/ diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade index b911f5896..1ce379c1c 100644 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade @@ -5,6 +5,7 @@ # this file except in compliance with the Elastic License 2.0. . /usr/sbin/so-common +{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} # Only run on Managers if ! is_manager_node; then @@ -27,14 +28,14 @@ OUTDATED_LIST=$(jq -r '.items | map(.id) | (tojson)' <<< "$RAW_JSON") if [ "$OUTDATED_LIST" != '[]' ]; then AGENTNUMBERS=$(jq -r '.total' <<< "$RAW_JSON") - printf "Initiating upgrades for $AGENTNUMBERS Agents to Elastic $ELASTIC_AGENT_TARBALL_VERSION...\n\n" + printf "Initiating upgrades for $AGENTNUMBERS Agents to Elastic {{ELASTICSEARCHDEFAULTS.elasticsearch.version}}...\n\n" # Generate updated JSON payload - JSON_STRING=$(jq -n --arg ELASTICVERSION $ELASTIC_AGENT_TARBALL_VERSION --arg UPDATELIST $OUTDATED_LIST '{"version": $ELASTICVERSION,"agents": $UPDATELIST }') + JSON_STRING=$(jq -n --arg ELASTICVERSION {{ELASTICSEARCHDEFAULTS.elasticsearch.version}} --arg UPDATELIST $OUTDATED_LIST '{"version": $ELASTICVERSION,"agents": $UPDATELIST }') # Update Node Agents curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "http://localhost:5601/api/fleet/agents/bulk_upgrade" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" else printf "No Agents need updates... Exiting\n\n" exit 0 -fi \ No newline at end of file +fi diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 7201df25e..15df57f4c 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,5 +1,6 @@ elasticsearch: enabled: false + version: 8.14.3 index_clean: true config: action: @@ -9054,6 +9055,7 @@ elasticsearch: - logs-system.application@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 + - so-system-mappings data_stream: allow_custom_routing: false hidden: false @@ -9149,6 +9151,7 @@ elasticsearch: - logs-system.security@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 + - so-system-mappings data_stream: allow_custom_routing: false hidden: false @@ -9244,6 +9247,7 @@ elasticsearch: - logs-system.system@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 + - so-system-mappings data_stream: allow_custom_routing: false hidden: false diff --git a/salt/elasticsearch/download.sls b/salt/elasticsearch/download.sls index f74c7059a..c7891dcdc 100644 --- a/salt/elasticsearch/download.sls +++ b/salt/elasticsearch/download.sls @@ -6,10 +6,11 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} +{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} so-elasticsearch_image: docker_image.present: - - name: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }} + - name: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }} {% else %} diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index 383fd1cb4..48280c506 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls @@ -19,7 +19,7 @@ include: so-elasticsearch: docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ ELASTICSEARCHMERGED.version }} - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index d30706837..a4c350254 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -2,6 +2,11 @@ elasticsearch: enabled: description: You can enable or disable Elasticsearch. helpLink: elasticsearch.html + version: + description: "This specifies the version of the following containers: so-elastic-fleet-package-registry, so-elastic-agent, so-elastic-fleet, so-kibana, so-logstash and so-elasticsearch. Modifying this value in the Elasticsearch defaults.yaml will result in catastrophic grid failure." + readonly: True + global: True + advanced: True esheap: description: Specify the memory heap size in (m)egabytes for Elasticsearch. helpLink: elasticsearch.html diff --git a/salt/elasticsearch/templates/component/so/so-system-mappings.json b/salt/elasticsearch/templates/component/so/so-system-mappings.json index f86c427a6..17319ab9f 100644 --- a/salt/elasticsearch/templates/component/so/so-system-mappings.json +++ b/salt/elasticsearch/templates/component/so/so-system-mappings.json @@ -16,6 +16,13 @@ } } }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, "source": { "properties":{ "ip": { diff --git a/salt/elasticsearch/tools/sbin_jinja/so-catrust b/salt/elasticsearch/tools/sbin_jinja/so-catrust index fe4ff58bc..16fd3ffdb 100644 --- a/salt/elasticsearch/tools/sbin_jinja/so-catrust +++ b/salt/elasticsearch/tools/sbin_jinja/so-catrust @@ -6,13 +6,14 @@ # Elastic License 2.0. . /usr/sbin/so-common +get_elastic_agent_vars # Exit on errors, since all lines must succeed set -e # Check to see if we have extracted the ca cert. if [ ! -f /opt/so/saltstack/local/salt/elasticsearch/cacerts ]; then - docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }} -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt + docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:$ELASTIC_AGENT_TARBALL_VERSION -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/elasticsearch/cacerts docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem docker rm so-elasticsearchca diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson deleted file mode 100644 index c52b5cb44..000000000 --- a/salt/kibana/files/config_saved_objects.ndjson +++ /dev/null @@ -1,2 +0,0 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.14.3","id": "8.14.3","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} - diff --git a/salt/kibana/files/config_saved_objects.ndjson.jinja b/salt/kibana/files/config_saved_objects.ndjson.jinja new file mode 100644 index 000000000..4902a1445 --- /dev/null +++ b/salt/kibana/files/config_saved_objects.ndjson.jinja @@ -0,0 +1,3 @@ +{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS -%} + +{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }}","id": "{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }}","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} diff --git a/salt/kibana/so_config_load.sls b/salt/kibana/so_config_load.sls index a443e960b..85f97a10a 100644 --- a/salt/kibana/so_config_load.sls +++ b/salt/kibana/so_config_load.sls @@ -9,7 +9,8 @@ include: config_saved_objects: file.managed: - name: /opt/so/conf/kibana/config_saved_objects.ndjson.template - - source: salt://kibana/files/config_saved_objects.ndjson + - source: salt://kibana/files/config_saved_objects.ndjson.jinja + - template: jinja - user: 932 - group: 939 diff --git a/salt/kibana/tools/sbin_jinja/so-kibana-config-load b/salt/kibana/tools/sbin_jinja/so-kibana-config-load index 8177adb5c..921416790 100644 --- a/salt/kibana/tools/sbin_jinja/so-kibana-config-load +++ b/salt/kibana/tools/sbin_jinja/so-kibana-config-load @@ -5,6 +5,8 @@ # Elastic License 2.0. {%- set ENDGAMEHOST = salt['pillar.get']('global:endgamehost', 'ENDGAMEHOST') %} +{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} + . /usr/sbin/so-common check_file() { @@ -63,7 +65,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.14.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/{{ELASTICSEARCHDEFAULTS.elasticsearch.version}}" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index c74edf1eb..7807c9884 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -837,11 +837,13 @@ determine_elastic_agent_upgrade() { if [[ $is_airgap -eq 0 ]]; then update_elastic_agent_airgap else - update_elastic_agent + # the new elasticsearch defaults.yaml file is not yet placed in /opt/so/saltstack/default/salt/elasticsearch yet + update_elastic_agent "$UPDATE_DIR" fi } update_elastic_agent_airgap() { + get_elastic_agent_vars "/tmp/soagupdate/SecurityOnion" rsync -av /tmp/soagupdate/fleet/* /nsm/elastic-fleet/artifacts/ tar -xf "$ELASTIC_AGENT_FILE" -C "$ELASTIC_AGENT_EXPANSION_DIR" } diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls index 3e015d100..34e9f2e4c 100644 --- a/salt/suricata/enabled.sls +++ b/salt/suricata/enabled.sls @@ -57,7 +57,6 @@ so-suricata: - watch: - file: suriconfig - file: surithresholding - - file: /opt/so/conf/suricata/rules/ - file: /opt/so/conf/suricata/bpf - file: suriclassifications - require: @@ -66,6 +65,14 @@ so-suricata: - file: suribpf - file: suriclassifications +surirulereload: + cmd.run: + - name: /usr/sbin/so-suricata-reload-rules >> /opt/so/log/suricata/reload.log 2>&1 + - onchanges: + - file: surirulesync + - require: + - docker_container: so-suricata + delete_so-suricata_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf diff --git a/salt/suricata/tools/sbin/so-suricata-reload-rules b/salt/suricata/tools/sbin/so-suricata-reload-rules new file mode 100644 index 000000000..2d60c3422 --- /dev/null +++ b/salt/suricata/tools/sbin/so-suricata-reload-rules @@ -0,0 +1,11 @@ +#!/bin/bash +# +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +retry 60 3 'docker exec so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}' || fail "The Suricata container was not ready in time." +retry 60 3 'docker exec so-suricata /opt/suricata/bin/suricatasc -c ruleset-reload-nonblocking /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}' || fail "The Suricata container was not ready in time." diff --git a/setup/so-setup b/setup/so-setup index bd8a8c6ba..cb4e7ebf0 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -759,8 +759,8 @@ if ! [[ -f $install_opt_file ]]; then title "Downloading IDS Rules" logCmd "so-rule-update" if [[ $monints || $is_import ]]; then - title "Restarting Suricata to pick up the new rules" - logCmd "so-suricata-restart" + title "Applying the Suricata state to load the new rules" + logCmd "salt-call state.apply suricata -l info" fi fi title "Setting up Kibana Default Space" diff --git a/sigs/securityonion-2.4.100-20240829.iso.sig b/sigs/securityonion-2.4.100-20240829.iso.sig new file mode 100644 index 000000000..39db1a63d Binary files /dev/null and b/sigs/securityonion-2.4.100-20240829.iso.sig differ diff --git a/sigs/securityonion-2.4.100-20240903.iso.sig b/sigs/securityonion-2.4.100-20240903.iso.sig new file mode 100644 index 000000000..74f0ecfd7 Binary files /dev/null and b/sigs/securityonion-2.4.100-20240903.iso.sig differ