From 3d61897522264a689075ea2f33736f42badfc228 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 21 Aug 2024 08:51:35 -0400 Subject: [PATCH 01/41] ref es version from defaults for kibana --- salt/elasticsearch/defaults.yaml | 1 + salt/kibana/files/config_saved_objects.ndjson | 2 -- salt/kibana/files/config_saved_objects.ndjson.jinja | 3 +++ salt/kibana/so_config_load.sls | 3 ++- salt/kibana/tools/sbin_jinja/so-kibana-config-load | 4 +++- 5 files changed, 9 insertions(+), 4 deletions(-) delete mode 100644 salt/kibana/files/config_saved_objects.ndjson create mode 100644 salt/kibana/files/config_saved_objects.ndjson.jinja diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index b18ab5a67..767911cf4 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,5 +1,6 @@ elasticsearch: enabled: false + version: 8.14.3 index_clean: true config: action: diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson deleted file mode 100644 index c52b5cb44..000000000 --- a/salt/kibana/files/config_saved_objects.ndjson +++ /dev/null @@ -1,2 +0,0 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.14.3","id": "8.14.3","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} - diff --git a/salt/kibana/files/config_saved_objects.ndjson.jinja b/salt/kibana/files/config_saved_objects.ndjson.jinja new file mode 100644 index 000000000..4902a1445 --- /dev/null +++ b/salt/kibana/files/config_saved_objects.ndjson.jinja 
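Review bot: The new `version: 8.14.3` in salt/elasticsearch/defaults.yaml is an unquoted scalar that YAML treats as a string only because it has two dots; a future two-component value such as `8.15` or `8.10` would load as the float 8.15 (or 8.1) and every `{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }}` image tag introduced later in this series would render wrong. Quote it, `version: '8.14.3'`, so the type is explicit. If it is quoted, the `egrep`/`tr` extraction that PATCH 02 adds to so-common's get_elastic_agent_vars would also need to strip the quote characters.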
@@ -0,0 +1,3 @@ +{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS -%} + +{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }}","id": "{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }}","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} diff --git a/salt/kibana/so_config_load.sls b/salt/kibana/so_config_load.sls index a443e960b..85f97a10a 100644 --- a/salt/kibana/so_config_load.sls +++ b/salt/kibana/so_config_load.sls @@ -9,7 +9,8 @@ include: config_saved_objects: file.managed: - name: /opt/so/conf/kibana/config_saved_objects.ndjson.template - - source: salt://kibana/files/config_saved_objects.ndjson + - source: salt://kibana/files/config_saved_objects.ndjson.jinja + - template: jinja - user: 932 - group: 939 diff --git a/salt/kibana/tools/sbin_jinja/so-kibana-config-load b/salt/kibana/tools/sbin_jinja/so-kibana-config-load index 8177adb5c..921416790 100644 --- a/salt/kibana/tools/sbin_jinja/so-kibana-config-load +++ b/salt/kibana/tools/sbin_jinja/so-kibana-config-load @@ -5,6 +5,8 @@ # Elastic License 2.0. {%- set ENDGAMEHOST = salt['pillar.get']('global:endgamehost', 'ENDGAMEHOST') %} +{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} + . /usr/sbin/so-common check_file() { 
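Review bot: In config_saved_objects.ndjson.jinja the `id` and `coreMigrationVersion` now track `elasticsearch.version`, but `buildNum`, `updated_at` and the saved-object `version` token `WzI5NzUsMl0=` stay hard-coded, and nothing in the file says why an Elasticsearch version is used as the id of a Kibana config object. A Jinja comment at the top, `{# id/coreMigrationVersion follow elasticsearch.version — presumably because the stack ships in lockstep, confirm; buildNum/version are static placeholders #}`, would keep the next editor from bumping one field without the others. `{# #}` comments are dropped at render time, so the ndjson output is unaffected.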
@@ -63,7 +65,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.14.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/{{ELASTICSEARCHDEFAULTS.elasticsearch.version}}" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From da1671fdf1586adc117d95e5f34207251d9d089c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 21 Aug 2024 11:25:33 -0400 Subject: [PATCH 02/41] add get_elastic_agent_vars function --- salt/common/tools/sbin/so-common | 32 +++++++++++++++++++++----------- salt/manager/tools/sbin/soup | 1 + 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 902aabaa3..57b86b1f4 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -8,12 +8,6 @@ # Elastic agent is not managed by salt. Because of this we must store this base information in a # script that accompanies the soup system. Since so-common is one of those special soup files, # and since this same logic is required during installation, it's included in this file. -ELASTIC_AGENT_TARBALL_VERSION="8.14.3" -ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" -ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" -ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" -ELASTIC_AGENT_MD5="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" -ELASTIC_AGENT_EXPANSION_DIR=/nsm/elastic-fleet/artifacts/beats/elastic-agent DEFAULT_SALT_DIR=/opt/so/saltstack/default DOC_BASE_URL="https://docs.securityonion.net/en/2.4" @@ -263,11 +257,6 @@ fail() { exit 1 } -get_random_value() { - length=${1:-20} - head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1 -} - get_agent_count() { if [ -f /opt/so/log/agents/agentstatus.log ]; then AGENTCOUNT=$(cat /opt/so/log/agents/agentstatus.log | grep -wF active | awk '{print $2}') 
@@ -276,6 +265,26 @@ get_agent_count() { fi } +get_elastic_agent_vars() { + local path="${1:-/opt/so/saltstack/default}" + local defaultsfile="${path}/salt/elasticsearch/defaults.yaml" + + if [ -f "$defaultsfile" ]; then + ELASTIC_AGENT_TARBALL_VERSION=$(egrep " +version: " $defaultsfile | awk -F: {'print $2'} | tr -d '[:space:]') + ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" + ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" + ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" + ELASTIC_AGENT_MD5="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" + ELASTIC_AGENT_EXPANSION_DIR=/nsm/elastic-fleet/artifacts/beats/elastic-agent + fi + +} + +get_random_value() { + length=${1:-20} + head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1 +} + gpg_rpm_import() { if [[ $is_oracle ]]; then if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then @@ -627,6 +636,7 @@ has_uppercase() { } update_elastic_agent() { + get_elastic_agent_vars echo "Checking if Elastic Agent update is necessary..." download_and_verify "$ELASTIC_AGENT_URL" "$ELASTIC_AGENT_MD5_URL" "$ELASTIC_AGENT_FILE" "$ELASTIC_AGENT_MD5" "$ELASTIC_AGENT_EXPANSION_DIR" } diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 72fda32aa..88ecec9d0 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -854,6 +854,7 @@ determine_elastic_agent_upgrade() { } update_elastic_agent_airgap() { + get_elastic_agent_vars rsync -av /tmp/soagupdate/fleet/* /nsm/elastic-fleet/artifacts/ tar -xf "$ELASTIC_AGENT_FILE" -C "$ELASTIC_AGENT_EXPANSION_DIR" } From cd9c9a25d35160f3aa48cee40aed74ffa9663010 Mon Sep 17 00:00:00 2001 
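Review bot: `egrep " +version: " $defaultsfile` in get_elastic_agent_vars matches any indented `version:` key in defaults.yaml, not just `elasticsearch.version`; the same file also holds index-template definitions (PATCH 12 edits it near line 9000), where a nested `version:` key is plausible, and with two matches the `tr -d '[:space:]'` glues the values into one bogus string that then becomes the download URL and the tarball path. Anchor the match to the top-level key (two-space indent, matching `enabled:` in the defaults hunk of PATCH 01) and take a single line, e.g. `ELASTIC_AGENT_TARBALL_VERSION=$(grep -E '^  version: ' "$defaultsfile" | head -n 1 | awk -F: '{print $2}' | tr -d '[:space:]')`, and reject an empty result before building paths from it: `[ -n "$ELASTIC_AGENT_TARBALL_VERSION" ] || fail "no elasticsearch.version in $defaultsfile"`. `egrep` is deprecated in favour of `grep -E`, and `$defaultsfile` should be double-quoted at every use as `path` is caller-supplied.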
From: m0duspwnens Date: Wed, 21 Aug 2024 11:25:56 -0400 Subject: [PATCH 03/41] reference elastic versions from defaults --- salt/elastic-fleet-package-registry/enabled.sls | 3 ++- salt/elasticagent/enabled.sls | 4 ++-- salt/elasticfleet/enabled.sls | 3 ++- .../tools/sbin_jinja/so-elastic-agent-gen-installers | 3 ++- .../tools/sbin_jinja/so-elastic-agent-grid-upgrade | 7 ++++--- salt/elasticsearch/enabled.sls | 2 +- salt/kibana/enabled.sls | 3 ++- salt/logstash/enabled.sls | 3 ++- 8 files changed, 17 insertions(+), 11 deletions(-) diff --git a/salt/elastic-fleet-package-registry/enabled.sls b/salt/elastic-fleet-package-registry/enabled.sls index 3cd90ba87..640844fe7 100644 --- a/salt/elastic-fleet-package-registry/enabled.sls +++ b/salt/elastic-fleet-package-registry/enabled.sls @@ -7,6 +7,7 @@ {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER %} +{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} include: - elastic-fleet-package-registry.config @@ -14,7 +15,7 @@ include: so-elastic-fleet-package-registry: docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ GLOBALS.so_version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }} - name: so-elastic-fleet-package-registry - hostname: Fleet-package-reg-{{ GLOBALS.hostname }} - detach: True diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index 7d0f401e9..f579a7ff9 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls 
@@ -7,7 +7,7 @@ {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER %} - +{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} include: - elasticagent.config @@ -15,7 +15,7 @@ include: so-elastic-agent: docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }} - name: so-elastic-agent - hostname: {{ GLOBALS.hostname }} - detach: True diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index af5e552eb..8a251b709 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -8,6 +8,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} +{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} {# This value is generated during node install and stored in minion pillar #} {% set SERVICETOKEN = salt['pillar.get']('elasticfleet:config:server:es_token','') %} @@ -71,7 +72,7 @@ elasticagent_syncartifacts: {% if SERVICETOKEN != '' %} so-elastic-fleet: docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }} - name: so-elastic-fleet - hostname: FleetServer-{{ GLOBALS.hostname }} - detach: True diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers index 1ade49e44..e09ce7b67 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers 
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers @@ -7,6 +7,7 @@ #so-elastic-agent-gen-installers $FleetHostURLs $EnrollmentToken {% from 'vars/globals.map.jinja' import GLOBALS %} +{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS -%} . /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common @@ -37,7 +38,7 @@ rm -rf /nsm/elastic-agent-workspace mkdir -p /nsm/elastic-agent-workspace printf "\n### Extracting outer tarball and then each individual tarball/zip\n" -tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-agent-workspace/ +tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-{{ELASTICSEARCHDEFAULTS.elasticsearch.version}}.tar.gz -C /nsm/elastic-agent-workspace/ unzip -q /nsm/elastic-agent-workspace/elastic-agent-*.zip -d /nsm/elastic-agent-workspace/ for archive in /nsm/elastic-agent-workspace/*.tar.gz do diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade index b911f5896..360aa2cf8 100644 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade @@ -5,6 +5,7 @@ # this file except in compliance with the Elastic License 2.0. . /usr/sbin/so-common +{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS -%} # Only run on Managers if ! is_manager_node; then 
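Review bot: In so-elastic-agent-grid-upgrade the `{%- import_yaml ... -%}` is placed after `. /usr/sbin/so-common`, and the dashes strip the whitespace on both sides of the tag; after Jinja rendering the sourcing line and the following comment are joined into `. /usr/sbin/so-common# Only run on Managers`. Because `#` only starts a comment at the beginning of a word, bash would try to source a file named `so-common#`, and `is_manager_node` on the next line would be undefined. Either drop the dashes, `{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}`, or move the tag above the `. /usr/sbin/so-common` line as so-elastic-agent-gen-installers does in this same patch, where the preceding `{% from ... %}` line renders empty and the join is harmless.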
@@ -27,14 +28,14 @@ OUTDATED_LIST=$(jq -r '.items | map(.id) | (tojson)' <<< "$RAW_JSON") if [ "$OUTDATED_LIST" != '[]' ]; then AGENTNUMBERS=$(jq -r '.total' <<< "$RAW_JSON") - printf "Initiating upgrades for $AGENTNUMBERS Agents to Elastic $ELASTIC_AGENT_TARBALL_VERSION...\n\n" + printf "Initiating upgrades for $AGENTNUMBERS Agents to Elastic {{ELASTICSEARCHDEFAULTS.elasticsearch.version}}...\n\n" # Generate updated JSON payload - JSON_STRING=$(jq -n --arg ELASTICVERSION $ELASTIC_AGENT_TARBALL_VERSION --arg UPDATELIST $OUTDATED_LIST '{"version": $ELASTICVERSION,"agents": $UPDATELIST }') + JSON_STRING=$(jq -n --arg ELASTICVERSION {{ELASTICSEARCHDEFAULTS.elasticsearch.version}} --arg UPDATELIST $OUTDATED_LIST '{"version": $ELASTICVERSION,"agents": $UPDATELIST }') # Update Node Agents curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "http://localhost:5601/api/fleet/agents/bulk_upgrade" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" else printf "No Agents need updates... Exiting\n\n" exit 0 -fi \ No newline at end of file +fi diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index 383fd1cb4..92fa30705 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls @@ -19,7 +19,7 @@ include: so-elasticsearch: docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ ELASTICSEARCHMERGED.elasticsearch.version }} - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch diff --git a/salt/kibana/enabled.sls b/salt/kibana/enabled.sls index 56aac26cc..62317b3e6 100644 --- a/salt/kibana/enabled.sls +++ b/salt/kibana/enabled.sls 
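Review bot: `--arg ELASTICVERSION {{ELASTICSEARCHDEFAULTS.elasticsearch.version}}` hands the rendered version to jq unquoted, as does the `printf` format line above it; if the key were ever missing or rendered empty, jq would see `--arg ELASTICVERSION --arg UPDATELIST ...` and the bulk_upgrade request would go out with a malformed payload. Quote the substitution, `--arg ELASTICVERSION "{{ELASTICSEARCHDEFAULTS.elasticsearch.version}}"`, so an empty value fails visibly in jq instead. The enclosing `if` block starts outside this hunk.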
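Review bot: so-elasticsearch's image tag in salt/elasticsearch/enabled.sls is taken from `ELASTICSEARCHMERGED.elasticsearch.version`, while every other container in this patch (kibana, logstash, elastic-agent, elastic-fleet, package-registry) and the sbin scripts read `ELASTICSEARCHDEFAULTS.elasticsearch.version`; if the merged value can be overridden through pillar (PATCH 05 exposes it as a global soc setting), Elasticsearch would be pinned to a different version than the rest of the stack. Either read the merged value everywhere or the defaults value here, and state the choice next to the import, e.g. `{# elasticsearch.version is read from defaults.yaml on purpose: the whole stack must share one version #}`. `ELASTICSEARCHMERGED` is assumed to be imported above this hunk.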
@@ -7,6 +7,7 @@ {% if sls.split('.')[0] in allowed_states %} {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} +{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} include: - kibana.config @@ -15,7 +16,7 @@ include: # Start the kibana docker so-kibana: docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kibana:{{ GLOBALS.so_version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kibana:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }} - hostname: kibana - user: kibana - networks: diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index 0f44a3767..5c5102546 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls @@ -10,6 +10,7 @@ {% from 'logstash/map.jinja' import LOGSTASH_MERGED %} {% from 'logstash/map.jinja' import LOGSTASH_NODES %} {% set lsheap = LOGSTASH_MERGED.settings.lsheap %} +{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} include: {% if GLOBALS.role not in ['so-receiver','so-fleet'] %} @@ -26,7 +27,7 @@ include: so-logstash: docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }} - hostname: so-logstash - name: so-logstash - networks: From 7fbf448b22c574657caa69697351e453bbf6aa03 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 21 Aug 2024 11:36:06 -0400 Subject: [PATCH 04/41] fail if no defaults file --- salt/common/tools/sbin/so-common | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 57b86b1f4..0be5693ed 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -276,8 +276,9 @@ get_elastic_agent_vars() { ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" ELASTIC_AGENT_MD5="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" ELASTIC_AGENT_EXPANSION_DIR=/nsm/elastic-fleet/artifacts/beats/elastic-agent + else + fail "Could not find salt/elasticsearch/defaults.yaml" fi - } get_random_value() { From 4c10282f40af0c7bddab6b845bc8b0a82c5bb21a Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Mon, 26 Aug 2024 09:37:19 -0400 Subject: [PATCH 05/41] add es version to annotation --- salt/elasticsearch/soc_elasticsearch.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 085aab7f0..f59b0c22b 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -2,6 +2,11 @@ elasticsearch: enabled: description: You can enable or disable Elasticsearch. helpLink: elasticsearch.html + version: + description: The version of Elasticsearch + readonly: True + global: True + advanced: True esheap: description: Specify the memory heap size in (m)egabytes for Elasticsearch. helpLink: elasticsearch.html From edce5186b95eb570c8f37defdf9a2eb210c2f053 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 29 Aug 2024 12:55:06 -0400 Subject: [PATCH 06/41] Add support to relaod rules instead of restart --- salt/suricata/enabled.sls | 7 ++++++- salt/suricata/tools/sbin/so-suricata-reload-rules | 12 ++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 salt/suricata/tools/sbin/so-suricata-reload-rules diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls index 3e015d100..b148e952a 100644 --- a/salt/suricata/enabled.sls +++ b/salt/suricata/enabled.sls 
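Review bot: The new `fail "Could not find salt/elasticsearch/defaults.yaml"` reports a fixed relative path even though get_elastic_agent_vars takes a `path` argument and has already computed `$defaultsfile`, so a caller passing a non-default path gets a message pointing at the wrong location; use `fail "Could not find $defaultsfile"`. Since `fail` exits the process, callers such as soup's update_elastic_agent_airgap now terminate instead of continuing with unset ELASTIC_AGENT_* variables, which is the safer outcome but deserves a comment above the function, e.g. `# Exits via fail() when the defaults file is missing; callers must not expect to continue.`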
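Review bot: The `description: The version of Elasticsearch` annotation in soc_elasticsearch.yaml understates what the setting drives: in PATCH 01–03 the same value tags the Kibana, Logstash, Elastic Agent and Fleet images and selects the agent tarball that so-common downloads, and unlike its sibling entries it has no `helpLink`. Suggest `description: Version of the Elastic stack (Elasticsearch, Kibana, Logstash, Elastic Agent) deployed by Security Onion.` and `helpLink: elasticsearch.html` so the read-only field explains its reach to whoever sees it in the UI.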
@@ -57,7 +57,6 @@ so-suricata: - watch: - file: suriconfig - file: surithresholding - - file: /opt/so/conf/suricata/rules/ - file: /opt/so/conf/suricata/bpf - file: suriclassifications - require: @@ -66,6 +65,12 @@ so-suricata: - file: suribpf - file: suriclassifications +surirulereload: + cmd.run: + - name: /usr/sbin/so-suricata-reload-rules + - watch: + - onchanges: surirulesync + delete_so-suricata_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf diff --git a/salt/suricata/tools/sbin/so-suricata-reload-rules b/salt/suricata/tools/sbin/so-suricata-reload-rules new file mode 100644 index 000000000..05301a4fc --- /dev/null +++ b/salt/suricata/tools/sbin/so-suricata-reload-rules @@ -0,0 +1,12 @@ +#!/bin/bash +# +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + + +. /usr/sbin/so-common + +docker exec -it so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket >> /opt/so/log/suricata/reload.log 2>&1 \ No newline at end of file From f69137b38df493867f8251880b09c8289fdfc89a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 29 Aug 2024 15:43:42 -0400 Subject: [PATCH 07/41] 2.4.100 --- DOWNLOAD_AND_VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.4.100-20240829.iso.sig | Bin 0 -> 566 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.4.100-20240829.iso.sig diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index df8904e0a..f815bb7cf 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md 
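Review bot: so-suricata-reload-rules runs `docker exec -it so-suricata ...`, but the `surirulereload` cmd.run state that launches it has no terminal attached, and docker refuses `-i -t` when stdin is not a TTY ("the input device is not a TTY"), so the reload would fail on every rule sync. Drop the flags: `docker exec so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket >> /opt/so/log/suricata/reload.log 2>&1`; the same `-it` is carried forward into PATCH 09 and PATCH 14. Separately, the `surirulereload` state nests `- onchanges: surirulesync` under `- watch:`, which is not a valid requisite form; PATCH 09 already corrects that.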
@@ -1,17 +1,17 @@ -### 2.4.90-20240729 ISO image released on 2024/07/29 +### 2.4.100-20240829 ISO image released on 2024/08/29 ### Download and Verify -2.4.90-20240729 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.90-20240729.iso +2.4.100-20240829 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.100-20240829.iso -MD5: 9A7714F5922EE555F08675D25E6237D5 -SHA1: D3B331452627DB716906BA9F3922574DFA3852DC -SHA256: 5B0CE32543944DBC50C4E906857384211E1BE83EF409619778F18FC62017E0E0 +MD5: 377586C143FABD662DB414DEA49D46B7 +SHA1: 69D4B94522789AF47075A9FF1354B069679AC366 +SHA256: 52FBA5C8762B8DCF2945AD2837B3A19E63ADCC209AB510D7FD0F86AE713AA153 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.90-20240729.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.100-20240829.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.90-20240729.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.100-20240829.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.90-20240729.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.100-20240829.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.90-20240729.iso.sig securityonion-2.4.90-20240729.iso +gpg --verify securityonion-2.4.100-20240829.iso.sig securityonion-2.4.100-20240829.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Thu 25 Jul 2024 06:51:11 PM EDT using RSA key ID FE507013 +gpg: Signature made Thu 29 Aug 2024 12:02:55 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.4.100-20240829.iso.sig b/sigs/securityonion-2.4.100-20240829.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..39db1a63d8d8592cb97e8de2a8d339e7c4fdefeb GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%p*guK)@O5PT3| zxBgIY6O3dJ|3RUXiBd$gJnIT0HT)C>PbdTEKtsV;lg1{%YtIEHCEg9^@jP-tJZ_A=%Wa`^Ey#ux${2ZY5x8oNrMXpn z9>I_&NgnEwIZ_l_Crm{trRu*^_#A}(JOYBkKx=Sq4MREo0x`N02e5`e2oqir)oX`yXFqW2Y zvAgZP$dhpF>K%|;&ao|#uYJuS#{K6Z_$R570v&7>Tv4=+SOROd(5({k&7MavO6W@9%N?_nQ(@IjH{ z4u;%@v-_Kpw`w!Jj~j-$>%Y}mf_J!J$c$({M;Pgtum`s|&{T`i&>81oWZIs2J?U=t z)ahft+K>a9M+4%8**kGA!M$|TRA=CpY2GjdVCI!8gF{I*J!GEzHQSvLr*f{H!8Ml5 EW~(3%J^%m! literal 0 HcmV?d00001 From 121a64ba57f9c08f1d453e0f57e31066d1910360 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 29 Aug 2024 16:31:43 -0400 Subject: [PATCH 08/41] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index fd912cb25..3cda1f5a4 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.100 +2.4.110 From b9f817201c63249a04e4da32e9463cef6bb2defc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 30 Aug 2024 09:15:25 -0400 Subject: [PATCH 09/41] Add thresholds to the reload list --- salt/suricata/enabled.sls | 11 +++++------ salt/suricata/tools/sbin/so-suricata-reload-rules | 2 +- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls index b148e952a..cd2f38951 100644 --- a/salt/suricata/enabled.sls +++ b/salt/suricata/enabled.sls 
@@ -56,24 +56,23 @@ so-suricata: {% endif %} - watch: - file: suriconfig - - file: surithresholding - file: /opt/so/conf/suricata/bpf - file: suriclassifications - require: - file: suriconfig - - file: surithresholding - file: suribpf - file: suriclassifications surirulereload: cmd.run: - - name: /usr/sbin/so-suricata-reload-rules - - watch: - - onchanges: surirulesync + - name: /usr/sbin/so-suricata-reload-rules >> /opt/so/log/suricata/reload.log 2>&1 + - onchanges: + - surirulesync + - surithresholding delete_so-suricata_so-status.disabled: file.uncomment: - - name: /opt/so/conf/so-status/so-status.conf + - name: /opt/so/conf/so-status/so-status.conf - regex: ^so-suricata$ # Add eve clean cron diff --git a/salt/suricata/tools/sbin/so-suricata-reload-rules b/salt/suricata/tools/sbin/so-suricata-reload-rules index 05301a4fc..ed0fd145c 100644 --- a/salt/suricata/tools/sbin/so-suricata-reload-rules +++ b/salt/suricata/tools/sbin/so-suricata-reload-rules @@ -9,4 +9,4 @@ . /usr/sbin/so-common -docker exec -it so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket >> /opt/so/log/suricata/reload.log 2>&1 \ No newline at end of file +docker exec -it so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket \ No newline at end of file From afcb30be0383b353b80f5b6985934adbb1bb252a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 30 Aug 2024 09:43:35 -0400 Subject: [PATCH 10/41] Threhsolds require a restart --- salt/suricata/enabled.sls | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls index cd2f38951..3f1469f0f 100644 --- a/salt/suricata/enabled.sls +++ b/salt/suricata/enabled.sls 
@@ -56,10 +56,12 @@ so-suricata: {% endif %} - watch: - file: suriconfig + - file: surithresholding - file: /opt/so/conf/suricata/bpf - file: suriclassifications - require: - file: suriconfig + - file: surithresholding - file: suribpf - file: suriclassifications @@ -68,11 +70,10 @@ surirulereload: - name: /usr/sbin/so-suricata-reload-rules >> /opt/so/log/suricata/reload.log 2>&1 - onchanges: - surirulesync - - surithresholding delete_so-suricata_so-status.disabled: file.uncomment: - - name: /opt/so/conf/so-status/so-status.conf + - name: /opt/so/conf/so-status/so-status.conf - regex: ^so-suricata$ # Add eve clean cron From 9eb76a95ca731af65d4f073f198b1e82f15e1ba2 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 30 Aug 2024 11:25:51 -0400 Subject: [PATCH 11/41] Update 2-4.yml --- .github/DISCUSSION_TEMPLATE/2-4.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml index 8e2592071..9c897d2bd 100644 --- a/.github/DISCUSSION_TEMPLATE/2-4.yml +++ b/.github/DISCUSSION_TEMPLATE/2-4.yml @@ -11,7 +11,6 @@ body: description: Which version of Security Onion 2.4.x are you asking about? options: - - - 2.4 Pre-release (Beta, Release Candidate) - 2.4.10 - 2.4.20 - 2.4.30 @@ -22,6 +21,7 @@ body: - 2.4.80 - 2.4.90 - 2.4.100 + - 2.4.110 - Other (please provide detail below) validations: required: true @@ -32,9 +32,10 @@ body: options: - - Security Onion ISO image - - Network installation on Red Hat derivative like Oracle, Rocky, Alma, etc. - - Network installation on Ubuntu - - Network installation on Debian + - Cloud image (Amazon, Azure, Google) + - Network installation on Red Hat derivative like Oracle, Rocky, Alma, etc. (unsupported) + - Network installation on Ubuntu (unsupported) + - Network installation on Debian (unsupported) - Other (please provide detail below) validations: required: true From a7de6993f91eda33065456581ffaf2f9217e81e5 Mon Sep 17 00:00:00 2001 
From: weslambert Date: Fri, 30 Aug 2024 16:11:41 -0400 Subject: [PATCH 12/41] Add so-system-mappings --- salt/elasticsearch/defaults.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 7201df25e..97f4baa1f 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -9054,6 +9054,7 @@ elasticsearch: - logs-system.application@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 + - so-system-mappings data_stream: allow_custom_routing: false hidden: false @@ -9149,6 +9150,7 @@ elasticsearch: - logs-system.security@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 + - so-system-mappings data_stream: allow_custom_routing: false hidden: false @@ -9244,6 +9246,7 @@ elasticsearch: - logs-system.system@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 + - so-system-mappings data_stream: allow_custom_routing: false hidden: false From 5be17330d1639ae1c1e9285603206f8991b657da Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 30 Aug 2024 16:14:42 -0400 Subject: [PATCH 13/41] Update HOTFIX --- HOTFIX | 1 + 1 file changed, 1 insertion(+) diff --git a/HOTFIX b/HOTFIX index e69de29bb..53611e22c 100644 --- a/HOTFIX +++ b/HOTFIX @@ -0,0 +1 @@ +20240903 From 5811ee589740b8cb4b0967441bf14a7d1aee0ca3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sun, 1 Sep 2024 10:39:42 -0400 Subject: [PATCH 14/41] Update so-suricata-reload-rules --- salt/suricata/tools/sbin/so-suricata-reload-rules | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/suricata/tools/sbin/so-suricata-reload-rules b/salt/suricata/tools/sbin/so-suricata-reload-rules index ed0fd145c..ea5f636cc 100644 --- a/salt/suricata/tools/sbin/so-suricata-reload-rules +++ b/salt/suricata/tools/sbin/so-suricata-reload-rules 
@@ -9,4 +9,5 @@ . /usr/sbin/so-common -docker exec -it so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket \ No newline at end of file +docker exec -it so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket +docker exec -it so-suricata /opt/suricata/bin/suricatasc -c ruleset-reload-nonblocking /var/run/suricata/suricata-command.socket From f6cfd2349b480bd90d1fdbc6594d79f72a13d325 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 3 Sep 2024 10:29:14 -0400 Subject: [PATCH 15/41] 2.4.100 hotfix --- DOWNLOAD_AND_VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.4.100-20240903.iso.sig | Bin 0 -> 566 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.4.100-20240903.iso.sig diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index f815bb7cf..ffeb0fe32 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md 
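Review bot: The added `ruleset-reload-nonblocking` line runs immediately after `reload-rules`; if `reload-rules` is suricatasc's blocking alias of `ruleset-reload-rules`, the nonblocking call only queues a second full reload of the same rule set on every sync, and since nothing checks the first command's exit status the second runs even when the first failed. Keep one of the two, or if both are intended chain them on success, `... -c reload-rules /var/run/suricata/suricata-command.socket && docker exec so-suricata ... -c ruleset-reload-nonblocking ...`, and add a comment saying why a second reload is needed. Both lines also keep the `-it` flags, which require a terminal the calling cmd.run state does not provide.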
@@ -1,17 +1,17 @@ -### 2.4.100-20240829 ISO image released on 2024/08/29 +### 2.4.100-20240903 ISO image released on 2024/09/03 ### Download and Verify -2.4.100-20240829 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.100-20240829.iso +2.4.100-20240903 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.100-20240903.iso -MD5: 377586C143FABD662DB414DEA49D46B7 -SHA1: 69D4B94522789AF47075A9FF1354B069679AC366 -SHA256: 52FBA5C8762B8DCF2945AD2837B3A19E63ADCC209AB510D7FD0F86AE713AA153 +MD5: 856BBB4F0764C0A479D8949725FC096B +SHA1: B3FCFB8F1031EB8AA833A90C6C5BB61328A73842 +SHA256: 0103EB9D78970396BB47CBD18DA1FFE64524F5C1C559487A1B2D293E1882B265 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.100-20240829.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.100-20240903.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 Download the signature file for the ISO:
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.100-20240829.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.100-20240903.iso.sig
 ```
 Download the ISO image:
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.100-20240829.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.100-20240903.iso
 ```
 Verify the downloaded ISO image using the signature file:
 ```
-gpg --verify securityonion-2.4.100-20240829.iso.sig securityonion-2.4.100-20240829.iso
+gpg --verify securityonion-2.4.100-20240903.iso.sig securityonion-2.4.100-20240903.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Thu 29 Aug 2024 12:02:55 PM EDT using RSA key ID FE507013
+gpg: Signature made Sat 31 Aug 2024 05:05:05 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC "
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg: There is no indication that the signature belongs to the owner.
diff --git a/sigs/securityonion-2.4.100-20240903.iso.sig b/sigs/securityonion-2.4.100-20240903.iso.sig
new file mode 100644
index 0000000000000000000000000000000000000000..74f0ecfd790e6252d17afc78d1dbe4f6d9db9ea5
GIT binary patch
literal 566
zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%p^NfdC2#5PT3| zxBgIY6El$y|4BM>;Qu>{nQ*=aT;&@RrC9%QNlm3mHgelwbscc#$1)p*TnlIi`iv}1)YwS{62W5jTI1{YeI-k@(FApF{`)*n18IOlxiU)`=a0Rxxm*)B6`9X&U!>FQ}Wh_ zHP=yW0?}%YHjC5>B?B*mkDR$j?UfH(3sCU=Q$azuZ^G$~(fcxILTS}h_sUA~cykfa z9tz6e>C#%mJ!QjF`=I{O$fsUJ2m#to1!&}4I$fgPiZX$8Vrtj|og3R^EX=HudcS|| z`pOVDVvy1kZIN`vxit=5m56?!2RyB0nPnjtX5i#M$sZ{&|r;>dDMC``DVu-)vvTA7jAXET9i z#@oHC;FF>hhl3*k`gf!_bl&qo_|h8B1HV2;o1yUb$I`5x6=wjExsbNO EhG<+7fdBvi
literal 0
HcmV?d00001
From 529844eb36398d2a93476bfc04b7879e5059b5b8 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 3 Sep 2024 12:36:03 -0400
Subject: [PATCH 16/41] update so-image-common to use es version for es containers
---
 salt/common/tools/sbin/so-common | 30 ++++++++++++++++++++++++++
 salt/common/tools/sbin/so-image-common | 21 +++++++++++++++++-
 2 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 0be5693ed..5b787e8f5 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -168,6 +168,36 @@ check_salt_minion_status() {
 return $status
 }
+# compare es versions and return the highest version
+compare_es_versions() {
+ # Save the original IFS
+ local OLD_IFS="$IFS"
+ IFS=.
+ local i ver1=($1) ver2=($2)
+ # Restore the original IFS
+ IFS="$OLD_IFS"
+ # Compare each segment of the versions
+ for ((i=0; i<${#ver1[@]}; i++)); do
+ if [[ -z ${ver2[i]} ]]; then
+ ver2[i]=0
+ fi
+ if ((10#${ver1[i]} > 10#${ver2[i]})); then
+ echo "$1"
+ return 0
+ fi
+ if ((10#${ver1[i]} < 10#${ver2[i]})); then
+ echo "$2"
+ return 0
+ fi
+ done
+ echo "$1" # If versions are equal, return either
+ return 0
+}
+
 copy_new_files() {
 # Copy new files over to the salt dir
 cd $UPDATE_DIR
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index 03051cb5f..6846c3e00 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -112,6 +112,9 @@ update_docker_containers() {
 container_list
 fi
+ # all the containers using ELASTICSEARCHDEFAULTS.elasticsearch.version
+ local CONTAINERS_USING_ES_VERSION=("so-elastic-fleet-package-registry","so-elastic-agent","so-kibana","so-logstash","so-elasticsearch")
+
 rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1
 mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1
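Review bot: `compare_es_versions` puts its arguments into `(( 10#... ))` without validating them, and bash arithmetic does not reject non-digits: a segment such as `3-rc1` is read as `3 - rc1` with `rc1` looked up as a variable, so `8.14.3-rc1` silently compares as `8.14.3`, and since both callers pass strings scraped from a YAML file this also means file content reaches the arithmetic evaluator. A guard at the top, `[[ $1 =~ ^[0-9]+(\.[0-9]+)*$ && $2 =~ ^[0-9]+(\.[0-9]+)*$ ]] || return 1`, bounds the input. The loop only walks `ver1`'s segments, so `8.14` against `8.14.3` returns `8.14`; iterate to the longer of the two arrays. A header comment giving the contract, `# Usage: compare_es_versions A B — prints the higher dotted numeric version (A when equal); returns 1 on malformed input`, would make both behaviours explicit.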
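Review bot: The array on the `local CONTAINERS_USING_ES_VERSION=(...)` line is built with commas instead of whitespace, so bash creates a single element holding the whole comma-joined string; a per-name membership test against it never matches an individual image name, and every ES-family image falls through to the non-ES tag. Separate the elements with spaces: `local CONTAINERS_USING_ES_VERSION=("so-elastic-fleet-package-registry" "so-elastic-agent" "so-kibana" "so-logstash" "so-elasticsearch")`. `update_docker_containers` begins and ends outside this hunk.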
@@ -139,8 +142,24 @@ update_docker_containers() {
 $PROGRESS_CALLBACK $i
 fi
+ # use version defined in elasticsearch defaults.yaml if an es container
+ if [[ ${CONTAINERS_USING_ES_VERSION[*]} =~ (^|[[:space:]])"$i"($|[[:space:]]) ]]; then
+ local UPDATE_DIR='/tmp/sogh/securityonion'
+ local v1=0
+ local v2=0
+ if [[ -f "$UPDATE_DIR/salt/elasticsearch.defaults.yaml" ]]; then
+ v1=$(egrep " +version: " "$UPDATE_DIR/salt/elasticsearch.defaults.yaml" | awk -F: {'print $2'} | tr -d '[:space:]')
+ fi
+ if [[ -f "$DEFAULT_SALT_DIR/salt/elasticsearch.defaults.yaml"]]; then
+ v2=$(egrep " +version: " "$DEFAULT_SALT_DIR/salt/elasticsearch.defaults.yaml" | awk -F: {'print $2'} | tr -d '[:space:]')
+ fi
+ local highest_es_version=$(compare_es_versions "$v1" "$v2")
+ local image=$i:$highest_es_version$IMAGE_TAG_SUFFIX
+ # use the so version for the version
+ else
+ local image=$i:$VERSION$IMAGE_TAG_SUFFIX
+ fi
 # Pull down the trusted docker image
- local image=$i:$VERSION$IMAGE_TAG_SUFFIX
 run_check_net_err \
 "docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image" \
 "Could not pull $image, please ensure connectivity to $CONTAINER_REGISTRY" >> "$LOG_FILE" 2>&1
From a920adcf7fa7ba46b36eb95c968000a2732ad178 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 3 Sep 2024 12:53:53 -0400
Subject: [PATCH 17/41] handle ver1 missing segment
---
 salt/common/tools/sbin/so-common | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 5b787e8f5..fcc669fe2 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -181,6 +181,10 @@ compare_es_versions() {
 # Compare each segment of the versions
 for ((i=0; i<${#ver1[@]}; i++)); do
+ # if a segment in ver1 or ver2 is missing, set it to 0
+ if [[ -z ${ver1[i]} ]]; then
+ ver1[i]=0
+ fi
 if [[ -z ${ver2[i]} ]]; then
 ver2[i]=0
 fi
From 6d7b76115f1e6f033f6e9348e3480ddb11ecde78 Mon Sep 17 00:00:00 2001
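Review bot: `egrep " +version: "` on the `v1=` and `v2=` lines matches any indented `version:` key in the file, not only the one under `elasticsearch:`, and `tr -d '[:space:]'` then concatenates every match into one tag, so a second `version` key added anywhere in defaults.yaml would silently produce a tag like `8.14.3x.y.z`; taking only the first match, `grep -E -m1 ' +version: '`, is a stopgap and a YAML-aware read of `elasticsearch.version` would be deterministic. The signature fetch later in this function still requests `$i:$VERSION$IMAGE_TAG_SUFFIX.sig` (visible on the old side of the later "use correct sig" commit), so for an ES-family image the signature downloaded would not be the one for `$image`. `[[ -f "$DEFAULT_SALT_DIR/salt/elasticsearch.defaults.yaml"]]` is missing the space before `]]` and will not parse, and the path `elasticsearch.defaults.yaml` does not match the `salt/elasticsearch/defaults.yaml` layout used elsewhere in the series, so both `-f` tests are false and the tag degrades to `0`. `update_docker_containers` begins and ends outside this hunk.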
From: m0duspwnens
Date: Tue, 3 Sep 2024 13:00:37 -0400
Subject: [PATCH 18/41] use the version that is longest for the loop
---
 salt/common/tools/sbin/so-common | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index fcc669fe2..8795e6828 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -168,7 +168,7 @@ check_salt_minion_status() {
 return $status
 }
-# compare es versions and return the highest version
+# Compare es versions and return the highest version
 compare_es_versions() {
 # Save the original IFS
 local OLD_IFS="$IFS"
@@ -179,9 +179,15 @@ compare_es_versions() {
 # Restore the original IFS
 IFS="$OLD_IFS"
+ # Determine the maximum length between the two version arrays
+ local max_len=${#ver1[@]}
+ if [[ ${#ver2[@]} -gt $max_len ]]; then
+ max_len=${#ver2[@]}
+ fi
+
 # Compare each segment of the versions
- for ((i=0; i<${#ver1[@]}; i++)); do
- # if a segment in ver1 or ver2 is missing, set it to 0
+ for ((i=0; i
Date: Tue, 3 Sep 2024 15:20:49 -0400
Subject: [PATCH 19/41] fix if and awk
---
 salt/common/tools/sbin/so-image-common | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index 6846c3e00..9aac116cd 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -148,10 +148,10 @@ update_docker_containers() {
 local v1=0
 local v2=0
 if [[ -f "$UPDATE_DIR/salt/elasticsearch.defaults.yaml" ]]; then
- v1=$(egrep " +version: " "$UPDATE_DIR/salt/elasticsearch.defaults.yaml" | awk -F: {'print $2'} | tr -d '[:space:]')
+ v1=$(egrep " +version: " "$UPDATE_DIR/salt/elasticsearch.defaults.yaml" | awk -F: '{print $2}' | tr -d '[:space:]')
 fi
- if [[ -f "$DEFAULT_SALT_DIR/salt/elasticsearch.defaults.yaml"]]; then
- v2=$(egrep " +version: " "$DEFAULT_SALT_DIR/salt/elasticsearch.defaults.yaml" | awk -F: {'print $2'} | tr -d '[:space:]')
+ if [[ -f "$DEFAULT_SALT_DIR/salt/elasticsearch.defaults.yaml" ]]; then
+ v2=$(egrep " +version: " "$DEFAULT_SALT_DIR/salt/elasticsearch.defaults.yaml" | awk -F: '{print $2}' | tr -d '[:space:]')
 fi
 local highest_es_version=$(compare_es_versions "$v1" "$v2")
 local image=$i:$highest_es_version$IMAGE_TAG_SUFFIX
From 83aa4c9a53c01d03c4ef85303156619186a99798 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 3 Sep 2024 15:22:25 -0400
Subject: [PATCH 20/41] fix awk
---
 salt/common/tools/sbin/so-common | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 8795e6828..68288791d 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -310,7 +310,7 @@ get_elastic_agent_vars() {
 local defaultsfile="${path}/salt/elasticsearch/defaults.yaml"
 if [ -f "$defaultsfile" ]; then
- ELASTIC_AGENT_TARBALL_VERSION=$(egrep " +version: " $defaultsfile | awk -F: {'print $2'} | tr -d '[:space:]')
+ ELASTIC_AGENT_TARBALL_VERSION=$(egrep " +version: " $defaultsfile | awk -F: '{print $2}' | tr -d '[:space:]')
 ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
 ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
 ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
From cfdc8ede90bd92580d7e619ec4bd1e619f243125 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 3 Sep 2024 16:49:39 -0400
Subject: [PATCH 21/41] fix es version logic
---
 salt/common/tools/sbin/so-image-common | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index 9aac116cd..63d034608 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -113,7 +113,7 @@ update_docker_containers() {
 fi
 # all the containers using ELASTICSEARCHDEFAULTS.elasticsearch.version
- local CONTAINERS_USING_ES_VERSION=("so-elastic-fleet-package-registry","so-elastic-agent","so-kibana","so-logstash","so-elasticsearch")
+ local CONTAINERS_USING_ES_VERSION=("so-elastic-fleet-package-registry" "so-elastic-agent" "so-kibana" "so-logstash" "so-elasticsearch")
 rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1
 mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1
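Review bot: `$defaultsfile` is unquoted in the `egrep` call on the changed line, and nothing checks that `ELASTIC_AGENT_TARBALL_VERSION` came back non-empty before it is interpolated into `ELASTIC_AGENT_URL`, `ELASTIC_AGENT_MD5_URL` and `ELASTIC_AGENT_FILE`; a defaults file that exists but has no matching `version:` line yields `elastic-agent_SO-.tar.gz` URLs and paths that every caller then acts on. Quote the path, `egrep " +version: " "$defaultsfile"`, and guard the result before the URLs are built: `[[ -n "$ELASTIC_AGENT_TARBALL_VERSION" ]] || { echo "no version found in $defaultsfile" >&2; return 1; }`. `get_elastic_agent_vars` begins and ends outside this hunk, so I cannot see whether the `else` side of the `-f` test sets these variables at all.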
@@ -143,15 +143,15 @@ update_docker_containers() {
 fi
 # use version defined in elasticsearch defaults.yaml if an es container
- if [[ ${CONTAINERS_USING_ES_VERSION[*]} =~ (^|[[:space:]])"$i"($|[[:space:]]) ]]; then
+ if [[ " ${CONTAINERS_USING_ES_VERSION[*]} " =~ [[:space:]]${i}[[:space:]] ]]; then
 local UPDATE_DIR='/tmp/sogh/securityonion'
 local v1=0
 local v2=0
- if [[ -f "$UPDATE_DIR/salt/elasticsearch.defaults.yaml" ]]; then
- v1=$(egrep " +version: " "$UPDATE_DIR/salt/elasticsearch.defaults.yaml" | awk -F: '{print $2}' | tr -d '[:space:]')
+ if [[ -f "$UPDATE_DIR/salt/elasticsearch/defaults.yaml" ]]; then
+ v1=$(egrep " +version: " "$UPDATE_DIR/salt/elasticsearch/defaults.yaml" | awk -F: '{print $2}' | tr -d '[:space:]')
 fi
- if [[ -f "$DEFAULT_SALT_DIR/salt/elasticsearch.defaults.yaml" ]]; then
- v2=$(egrep " +version: " "$DEFAULT_SALT_DIR/salt/elasticsearch.defaults.yaml" | awk -F: '{print $2}' | tr -d '[:space:]')
+ if [[ -f "$DEFAULT_SALT_DIR/salt/elasticsearch/defaults.yaml" ]]; then
+ v2=$(egrep " +version: " "$DEFAULT_SALT_DIR/salt/elasticsearch/defaults.yaml" | awk -F: '{print $2}' | tr -d '[:space:]')
 fi
 local highest_es_version=$(compare_es_versions "$v1" "$v2")
 local image=$i:$highest_es_version$IMAGE_TAG_SUFFIX
From 2394488c92f31501d3977750825dba9899a6d1e8 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 4 Sep 2024 09:38:17 -0400
Subject: [PATCH 22/41] update docker 27.2.0-1 and containerd.io 1.7.21
---
 salt/docker/init.sls | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/salt/docker/init.sls b/salt/docker/init.sls
index 1e37364bc..5a0d1f61a 100644
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -20,41 +20,41 @@ dockergroup:
 dockerheldpackages:
 pkg.installed:
 - pkgs:
- - containerd.io: 1.6.33-1
- - docker-ce: 5:26.1.4-1~debian.12~bookworm
- - docker-ce-cli: 5:26.1.4-1~debian.12~bookworm
- - docker-ce-rootless-extras: 5:26.1.4-1~debian.12~bookworm
+ - containerd.io: 1.7.21-1
+ - docker-ce: 5:27.2.0-1~debian.12~bookworm
+ - docker-ce-cli: 5:27.2.0-1~debian.12~bookworm
+ - docker-ce-rootless-extras: 5:27.2.0-1~debian.12~bookworm
 - hold: True
 - update_holds: True
 {% elif grains.oscodename == 'jammy' %}
 dockerheldpackages:
 pkg.installed:
 - pkgs:
- - containerd.io: 1.6.33-1
- - docker-ce: 5:26.1.4-1~ubuntu.22.04~jammy
- - docker-ce-cli: 5:26.1.4-1~ubuntu.22.04~jammy
- - docker-ce-rootless-extras: 5:26.1.4-1~ubuntu.22.04~jammy
+ - containerd.io: 1.7.21-1
+ - docker-ce: 5:27.2.0-1~ubuntu.22.04~jammy
+ - docker-ce-cli: 5:27.2.0-1~ubuntu.22.04~jammy
+ - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.22.04~jammy
 - hold: True
 - update_holds: True
 {% else %}
 dockerheldpackages:
 pkg.installed:
 - pkgs:
- - containerd.io: 1.6.33-1
- - docker-ce: 5:26.1.4-1~ubuntu.20.04~focal
- - docker-ce-cli: 5:26.1.4-1~ubuntu.20.04~focal
- - docker-ce-rootless-extras: 5:26.1.4-1~ubuntu.20.04~focal
+ - containerd.io: 1.7.21-1
+ - docker-ce: 5:27.2.0-1~ubuntu.20.04~focal
+ - docker-ce-cli: 5:27.2.0-1~ubuntu.20.04~focal
+ - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.20.04~focal
 - hold: True
 - update_holds: True
-{% endif %}
+{% endif %}
 {% else %}
 dockerheldpackages:
 pkg.installed:
 - pkgs:
- - containerd.io: 1.6.33-3.1.el9
- - docker-ce: 3:26.1.4-1.el9
- - docker-ce-cli: 1:26.1.4-1.el9
- - docker-ce-rootless-extras: 26.1.4-1.el9
+ - containerd.io: 1.7.21-3.1.el9
+ - docker-ce: 3:27.2.0-1.el9
+ - docker-ce-cli: 1:27.2.0-1.el9
+ - docker-ce-rootless-extras: 27.2.0-1.el9
 - hold: True
 - update_holds: True
 {% endif %}
From 0af2e85f91c76d811b69c648986d9953dc776790 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 4 Sep 2024 10:32:11 -0400
Subject: [PATCH 23/41] update annotation.
---
 salt/common/tools/sbin/so-image-common | 5 +++--
 salt/elasticsearch/soc_elasticsearch.yaml | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index 63d034608..c3ec07148 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -113,7 +113,8 @@ update_docker_containers() {
 fi
 # all the containers using ELASTICSEARCHDEFAULTS.elasticsearch.version
- local CONTAINERS_USING_ES_VERSION=("so-elastic-fleet-package-registry" "so-elastic-agent" "so-kibana" "so-logstash" "so-elasticsearch")
+ # does not include so-elastic-fleet since that container uses so-elastic-agent image
+ local IMAGES_USING_ES_VERSION=("so-elastic-fleet-package-registry" "so-elastic-agent" "so-kibana" "so-logstash" "so-elasticsearch")
 rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1
 mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1
@@ -143,7 +144,7 @@ update_docker_containers() {
 fi
 # use version defined in elasticsearch defaults.yaml if an es container
- if [[ " ${CONTAINERS_USING_ES_VERSION[*]} " =~ [[:space:]]${i}[[:space:]] ]]; then
+ if [[ " ${IMAGES_USING_ES_VERSION[*]} " =~ [[:space:]]${i}[[:space:]] ]]; then
 local UPDATE_DIR='/tmp/sogh/securityonion'
 local v1=0
 local v2=0
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index f59b0c22b..3a177f255 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -3,7 +3,7 @@ elasticsearch:
 description: You can enable or disable Elasticsearch.
 helpLink: elasticsearch.html
 version:
- description: The version of Elasticsearch
+ description: "This specifies the version of the following containers: so-elastic-fleet-package-registry, so-elastic-agent, so-elastic-fleet, so-kibana, so-logstash and so-elasticsearch. Modifying this value in the Elasticsearch defaults.yaml will result in catastrophic grid failure."
 readonly: True
 global: True
 advanced: True
From 2b807c24095be3b5ebc6c37837ad9930fe9a32bd Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 4 Sep 2024 10:33:14 -0400
Subject: [PATCH 24/41] update comment
---
 salt/common/tools/sbin/so-image-common | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index c3ec07148..243f5f187 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -112,7 +112,7 @@ update_docker_containers() {
 container_list
 fi
- # all the containers using ELASTICSEARCHDEFAULTS.elasticsearch.version
+ # all the images using ELASTICSEARCHDEFAULTS.elasticsearch.version
 # does not include so-elastic-fleet since that container uses so-elastic-agent image
 local IMAGES_USING_ES_VERSION=("so-elastic-fleet-package-registry" "so-elastic-agent" "so-kibana" "so-logstash" "so-elasticsearch")
From 94e9772cf6ea9e604067bd927c167077574934d6 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 4 Sep 2024 13:25:45 -0400
Subject: [PATCH 25/41] remove hotfix from dev branch
---
 HOTFIX | 1 -
 1 file changed, 1 deletion(-)
diff --git a/HOTFIX b/HOTFIX
index 53611e22c..e69de29bb 100644
--- a/HOTFIX
+++ b/HOTFIX
@@ -1 +0,0 @@
-20240903
From 7d9b3b1f28ba24800755cddcbb4bf65bfd55a671 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 4 Sep 2024 15:36:17 -0400
Subject: [PATCH 26/41] use correct sig
---
 salt/common/tools/sbin/so-image-common | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index 243f5f187..b99beac24 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -167,7 +167,7 @@ update_docker_containers() {
 # Get signature
 run_check_net_err \
- "curl --retry 5 --retry-delay 60 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" \
+ "curl --retry 5 --retry-delay 60 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$image.sig --output $SIGNPATH/$image.sig" \
 "Could not pull signature file for $image, please ensure connectivity to https://sigs.securityonion.net " \
 noretry >> "$LOG_FILE" 2>&1
 # Dump our hash values
From f106191e723ae04097924f0011c85ac7bbf486aa Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 4 Sep 2024 16:01:24 -0400
Subject: [PATCH 27/41] fix image for so-elasticsearch container
---
 salt/elasticsearch/enabled.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls
index 92fa30705..48280c506 100644
--- a/salt/elasticsearch/enabled.sls
+++ b/salt/elasticsearch/enabled.sls
@@ -19,7 +19,7 @@ include:
 so-elasticsearch:
 docker_container.running:
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ ELASTICSEARCHMERGED.elasticsearch.version }}
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ ELASTICSEARCHMERGED.version }}
 - hostname: elasticsearch
 - name: so-elasticsearch
 - user: elasticsearch
From 72f3eaa8f616408fc90c07e0a6722f811345bf35 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 4 Sep 2024 16:42:19 -0400
Subject: [PATCH 28/41] should not have changed this, so changing it back
---
 .../tools/sbin_jinja/so-elastic-agent-gen-installers | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
index e09ce7b67..be83963ad 100755
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
@@ -7,13 +7,15 @@
 #so-elastic-agent-gen-installers $FleetHostURLs $EnrollmentToken
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS -%}
 . /usr/sbin/so-common
 . /usr/sbin/so-elastic-fleet-common
 LOG="/opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log"
+# get the variables needed such as ELASTIC_AGENT_TARBALL_VERSION
+get_elastic_agent_vars()
+
 # Check to see if we are already running
 NUM_RUNNING=$(pgrep -cf "/bin/bash /sbin/so-elastic-agent-gen-installers")
 [ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING gen installers script processes running...exiting." >>$LOG && exit 0
@@ -37,8 +39,9 @@ printf "\n### Creating a temp directory at /nsm/elastic-agent-workspace\n"
 rm -rf /nsm/elastic-agent-workspace
 mkdir -p /nsm/elastic-agent-workspace
+
 printf "\n### Extracting outer tarball and then each individual tarball/zip\n"
-tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-{{ELASTICSEARCHDEFAULTS.elasticsearch.version}}.tar.gz -C /nsm/elastic-agent-workspace/
+tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-agent-workspace/
 unzip -q /nsm/elastic-agent-workspace/elastic-agent-*.zip -d /nsm/elastic-agent-workspace/
 for archive in /nsm/elastic-agent-workspace/*.tar.gz
 do
From df14cbad448e12ea596da9a300bb4702a6382a69 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 4 Sep 2024 17:43:49 -0400
Subject: [PATCH 29/41] fix calls to get_elastic_agent_vars
---
 .../tools/sbin_jinja/so-elastic-agent-gen-installers | 2 +-
 salt/elasticsearch/tools/sbin_jinja/so-catrust | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
index be83963ad..e2b7d734b 100755
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
@@ -14,7 +14,7 @@ LOG="/opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log"
 # get the variables needed such as ELASTIC_AGENT_TARBALL_VERSION
-get_elastic_agent_vars()
+get_elastic_agent_vars
 # Check to see if we are already running
 NUM_RUNNING=$(pgrep -cf "/bin/bash /sbin/so-elastic-agent-gen-installers")
diff --git a/salt/elasticsearch/tools/sbin_jinja/so-catrust b/salt/elasticsearch/tools/sbin_jinja/so-catrust
index fe4ff58bc..16fd3ffdb 100644
--- a/salt/elasticsearch/tools/sbin_jinja/so-catrust
+++ b/salt/elasticsearch/tools/sbin_jinja/so-catrust
@@ -6,13 +6,14 @@
 # Elastic License 2.0.
 . /usr/sbin/so-common
+get_elastic_agent_vars
 # Exit on errors, since all lines must succeed
 set -e
 # Check to see if we have extracted the ca cert.
 if [ ! -f /opt/so/saltstack/local/salt/elasticsearch/cacerts ]; then
- docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }} -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt
+ docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:$ELASTIC_AGENT_TARBALL_VERSION -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt
 docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/elasticsearch/cacerts
 docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
 docker rm so-elasticsearchca
From 658197950698ab3fd105cba1807ecd4c7356e984 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 5 Sep 2024 07:33:56 -0400
Subject: [PATCH 30/41] retry suricata rule reload
---
 salt/suricata/tools/sbin/so-suricata-reload-rules | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/salt/suricata/tools/sbin/so-suricata-reload-rules b/salt/suricata/tools/sbin/so-suricata-reload-rules
index ea5f636cc..099cd2f7c 100644
--- a/salt/suricata/tools/sbin/so-suricata-reload-rules
+++ b/salt/suricata/tools/sbin/so-suricata-reload-rules
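Review bot: The added `get_elastic_agent_vars` call sits before `set -e` and its outcome is never checked, so when the defaults lookup yields nothing `$ELASTIC_AGENT_TARBALL_VERSION` is empty and the `docker run` line references `so-elasticsearch:` with an empty tag, an invalid image reference that only fails once the container start is attempted. Guard it right after the call: `[[ -n "$ELASTIC_AGENT_TARBALL_VERSION" ]] || { echo "could not determine Elasticsearch version from defaults.yaml" >&2; exit 1; }`. Since the variable is named for the agent tarball but now selects the Elasticsearch image, a comment such as `# elasticsearch.version from defaults.yaml is shared by the ES-family images, including so-elasticsearch` would stop readers assuming the two can differ. The `if` block continues outside the hunk.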
@@ -5,9 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-
-
 . /usr/sbin/so-common
-docker exec -it so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket
-docker exec -it so-suricata /opt/suricata/bin/suricatasc -c ruleset-reload-nonblocking /var/run/suricata/suricata-command.socket
+retry 40 3 'docker exec -it so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}'
+retry 40 3 'docker exec -it so-suricata /opt/suricata/bin/suricatasc -c ruleset-reload-nonblocking /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}'
From 5a1d61a042378f5b45bf58c01c432352113ed22a Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 5 Sep 2024 08:45:44 -0400
Subject: [PATCH 31/41] ref es version
---
 salt/elasticsearch/download.sls | 3 ++-
 salt/logstash/download.sls | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/salt/elasticsearch/download.sls b/salt/elasticsearch/download.sls
index f74c7059a..c7891dcdc 100644
--- a/salt/elasticsearch/download.sls
+++ b/salt/elasticsearch/download.sls
@@ -6,10 +6,11 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
+{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
 so-elasticsearch_image:
 docker_image.present:
- - name: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }}
+ - name: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }}
 {% else %}
diff --git a/salt/logstash/download.sls b/salt/logstash/download.sls
index cf1c6176c..9706f31ad 100644
--- a/salt/logstash/download.sls
+++ b/salt/logstash/download.sls
@@ -6,10 +6,11 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
+{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
 so-logstash_image:
 docker_image.present:
- - name: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }}
+ - name: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }}
 {% else %}
From c85e5643db96375240129e6e8c3effca27bf0e5f Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 5 Sep 2024 13:14:45 -0400
Subject: [PATCH 32/41] es version shift
---
 salt/common/tools/sbin/so-image-common | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index b99beac24..0d4783ca6 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -143,9 +143,12 @@ update_docker_containers() {
 $PROGRESS_CALLBACK $i
 fi
- # use version defined in elasticsearch defaults.yaml if an es container
 if [[ " ${IMAGES_USING_ES_VERSION[*]} " =~ [[:space:]]${i}[[:space:]] ]]; then
+ # use version defined in elasticsearch defaults.yaml if an es container
 local UPDATE_DIR='/tmp/sogh/securityonion'
+ if [ ! -d "$UPDATE_DIR" ]; then
+ UPDATE_DIR=/securityonion
+ fi
 local v1=0
 local v2=0
 if [[ -f "$UPDATE_DIR/salt/elasticsearch/defaults.yaml" ]]; then
@@ -156,8 +159,8 @@ update_docker_containers() {
 fi
 local highest_es_version=$(compare_es_versions "$v1" "$v2")
 local image=$i:$highest_es_version$IMAGE_TAG_SUFFIX
- # use the so version for the version
 else
+ # use the so version for the version
 local image=$i:$VERSION$IMAGE_TAG_SUFFIX
 fi
 # Pull down the trusted docker image
From 5625771ffb85ca5a22827e321126341baa355138 Mon Sep 17 00:00:00 2001
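Review bot: The version that selects the image tag is read from `$UPDATE_DIR/salt/elasticsearch/defaults.yaml` with `UPDATE_DIR` defaulting to `/tmp/sogh/securityonion`, and `/tmp` is world-writable; presumably soup clones there as root, but if a less-privileged local user can pre-create that tree before soup runs, their file decides the tag. The signature is still fetched and checked further down (the `# Get signature` step), so the exposure is limited to steering the pull toward a different signed tag, yet checking ownership before trusting the path, `if [ ! -d "$UPDATE_DIR" ] || [ "$(stat -c %u "$UPDATE_DIR")" != 0 ]; then UPDATE_DIR=/securityonion; fi`, or staging under a root-only directory would settle it. The new `/securityonion` fallback and the `v1=0` default when neither file exists also deserve a comment naming which environment each path serves — I am guessing soup checkout versus setup/ISO checkout, which is exactly why it should be written down. `update_docker_containers` begins and ends outside this hunk.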
From: Jason Ertel
Date: Thu, 5 Sep 2024 13:16:28 -0400
Subject: [PATCH 33/41] es version shift
---
 salt/common/tools/sbin/so-image-common | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index 0d4783ca6..2bf2d773d 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -144,7 +144,7 @@ update_docker_containers() {
 fi
 if [[ " ${IMAGES_USING_ES_VERSION[*]} " =~ [[:space:]]${i}[[:space:]] ]]; then
- # use version defined in elasticsearch defaults.yaml if an es container
+ # this is an es container so use version defined in elasticsearch defaults.yaml
 local UPDATE_DIR='/tmp/sogh/securityonion'
 if [ ! -d "$UPDATE_DIR" ]; then
 UPDATE_DIR=/securityonion
@@ -160,7 +160,7 @@ update_docker_containers() {
 local highest_es_version=$(compare_es_versions "$v1" "$v2")
 local image=$i:$highest_es_version$IMAGE_TAG_SUFFIX
 else
- # use the so version for the version
+ # this is not an es container so use the so version for the version
 local image=$i:$VERSION$IMAGE_TAG_SUFFIX
 fi
 # Pull down the trusted docker image
From 576d218cd9334beaaad706d96bbfba096dd7f7a3 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 6 Sep 2024 08:10:59 -0400
Subject: [PATCH 34/41] dont restart suricata during setup. retry rule reload for 3 minutes
---
 salt/suricata/tools/sbin/so-suricata-reload-rules | 4 ++--
 setup/so-setup | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/salt/suricata/tools/sbin/so-suricata-reload-rules b/salt/suricata/tools/sbin/so-suricata-reload-rules
index 099cd2f7c..e09474b6e 100644
--- a/salt/suricata/tools/sbin/so-suricata-reload-rules
+++ b/salt/suricata/tools/sbin/so-suricata-reload-rules
@@ -7,5 +7,5 @@
 . /usr/sbin/so-common
-retry 40 3 'docker exec -it so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}'
-retry 40 3 'docker exec -it so-suricata /opt/suricata/bin/suricatasc -c ruleset-reload-nonblocking /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}'
+retry 60 3 'docker exec -it so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}' || fail "The Suricata container was not ready in time."
+retry 60 3 'docker exec -it so-suricata /opt/suricata/bin/suricatasc -c ruleset-reload-nonblocking /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}' || fail "The Suricata container was not ready in time."
diff --git a/setup/so-setup b/setup/so-setup
index bd8a8c6ba..cb4e7ebf0 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -759,8 +759,8 @@ if ! [[ -f $install_opt_file ]]; then
 title "Downloading IDS Rules"
 logCmd "so-rule-update"
 if [[ $monints || $is_import ]]; then
- title "Restarting Suricata to pick up the new rules"
- logCmd "so-suricata-restart"
+ title "Applying the Suricata state to load the new rules"
+ logCmd "salt-call state.apply suricata -l info"
 fi
 fi
 title "Setting up Kibana Default Space"
From fc25bfe0dfc161a859a96ad04be389bd3d6a8829 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 6 Sep 2024 09:04:43 -0400
Subject: [PATCH 35/41] grab es version from defaults during soup
---
 salt/common/tools/sbin/so-common | 3 ++-
 salt/manager/tools/sbin/soup | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 68288791d..6ae35324f 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -677,7 +677,8 @@ has_uppercase() { } update_elastic_agent() { - get_elastic_agent_vars + local path="${1:-/opt/so/saltstack/default}" + get_elastic_agent_vars "$path" echo "Checking if Elastic Agent update is necessary..." download_and_verify "$ELASTIC_AGENT_URL" "$ELASTIC_AGENT_MD5_URL" "$ELASTIC_AGENT_FILE" "$ELASTIC_AGENT_MD5" "$ELASTIC_AGENT_EXPANSION_DIR" } diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 6725814c6..6b6b4d64a 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -837,7 +837,8 @@ determine_elastic_agent_upgrade() { if [[ $is_airgap -eq 0 ]]; then update_elastic_agent_airgap else - update_elastic_agent + # the new elasticsearch defaults.yaml file is not yet placed in /opt/so/saltstack/default/salt/elasticsearch yet + update_elastic_agent "$UPDATE_DIR" fi } From 331f63eadd10adf31009d7bea3259c0fcb6279fe Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 6 Sep 2024 10:30:22 -0400 Subject: [PATCH 36/41] pass path for airgap --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 6b6b4d64a..7807c9884 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -843,7 +843,7 @@ determine_elastic_agent_upgrade() { } update_elastic_agent_airgap() { - get_elastic_agent_vars + get_elastic_agent_vars "/tmp/soagupdate/SecurityOnion" rsync -av /tmp/soagupdate/fleet/* /nsm/elastic-fleet/artifacts/ tar -xf "$ELASTIC_AGENT_FILE" -C "$ELASTIC_AGENT_EXPANSION_DIR" } From 2e379dd29c34957acc6caced0e1674b5a78c7191 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 6 Sep 2024 10:44:35 -0400 Subject: [PATCH 37/41] fix line delete causing issues sourcing so-common and es agent grid upgrade --- .../elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
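Review bot: `local path="${1:-/opt/so/saltstack/default}"` treats an empty first argument exactly like a missing one, so a caller that passes an unset variable (soup now passes `$UPDATE_DIR`) silently falls back to the already-installed defaults tree — the stale-version case this parameter was added to avoid — and nothing checks that the path actually holds the expected defaults file before `get_elastic_agent_vars "$path"` reads it. If get_elastic_agent_vars derives the agent URLs from `salt/elasticsearch/defaults.yaml` under that root (the soup comment in this patch suggests so), add `[[ -f "$path/salt/elasticsearch/defaults.yaml" ]] || fail "elasticsearch defaults.yaml not found under $path"` right after the assignment so a wrong or empty path aborts instead of fetching the wrong build. The new parameter also deserves a line of documentation above the function: `# $1 (optional): root of the saltstack tree whose elasticsearch/defaults.yaml supplies the agent version; defaults to the installed tree`. Note that the download is still checked only against an MD5 sidecar (pre-existing, presumably fetched alongside), so the path check is effectively the only guard against pulling the wrong version.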
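Review bot: `get_elastic_agent_vars "/tmp/soagupdate/SecurityOnion"` hard-codes the airgap staging directory a second time inside update_elastic_agent_airgap — the rsync on the following line already spells out `/tmp/soagupdate/fleet/*` — so the two literals can drift apart on the next rename. Hoist it once, `local airgap_dir=/tmp/soagupdate`, and reference `"$airgap_dir/SecurityOnion"` and `"$airgap_dir"/fleet/*` from both lines. Since the version variables are now read from a world-writable /tmp location, a guard such as `[[ -d "$airgap_dir/SecurityOnion" ]] || fail "airgap update media not staged at $airgap_dir"` would turn a missing or partially extracted staging directory into a clear error rather than whatever get_elastic_agent_vars does with a nonexistent path; how that directory is populated and whether its ownership is verified is outside this hunk.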
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade index 360aa2cf8..1ce379c1c 100644 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade @@ -5,7 +5,7 @@ # this file except in compliance with the Elastic License 2.0. . /usr/sbin/so-common -{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS -%} +{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} # Only run on Managers if ! is_manager_node; then From ba24c5b219d22dc68544bdc40e50f232bdb886e1 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 6 Sep 2024 12:26:55 -0400 Subject: [PATCH 38/41] remove -it --- salt/suricata/tools/sbin/so-suricata-reload-rules | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/suricata/tools/sbin/so-suricata-reload-rules b/salt/suricata/tools/sbin/so-suricata-reload-rules index e09474b6e..2d60c3422 100644 --- a/salt/suricata/tools/sbin/so-suricata-reload-rules +++ b/salt/suricata/tools/sbin/so-suricata-reload-rules 
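Review bot: The leading `-` on `{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}` still strips the newline that terminates `. /usr/sbin/so-common`, so this line only renders safely because import_yaml produces no output; any future tag with output placed here would again be glued onto the shell `source` line, which is the breakage this commit fixes. Either move the import to the first line of the file, ahead of `. /usr/sbin/so-common`, where stripped whitespace cannot land on shell code, or leave a marker beside it: `{# no trailing '-': it would strip the newline and join the next line onto the shell line above #}`. The remainder of the script is outside the hunk.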
@@ -7,5 +7,5 @@ . /usr/sbin/so-common -retry 60 3 'docker exec -it so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}' || fail "The Suricata container was not ready in time." -retry 60 3 'docker exec -it so-suricata /opt/suricata/bin/suricatasc -c ruleset-reload-nonblocking /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}' || fail "The Suricata container was not ready in time." +retry 60 3 'docker exec so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}' || fail "The Suricata container was not ready in time." +retry 60 3 'docker exec so-suricata /opt/suricata/bin/suricatasc -c ruleset-reload-nonblocking /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}' || fail "The Suricata container was not ready in time." From 7123c62876041e4130dfbb68c7579351a14f4cc7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 9 Sep 2024 11:13:28 -0400 Subject: [PATCH 39/41] add so-suricata container req for rule reload --- salt/suricata/enabled.sls | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls index 3f1469f0f..34e9f2e4c 100644 --- a/salt/suricata/enabled.sls +++ b/salt/suricata/enabled.sls @@ -69,7 +69,9 @@ surirulereload: cmd.run: - name: /usr/sbin/so-suricata-reload-rules >> /opt/so/log/suricata/reload.log 2>&1 - onchanges: - - surirulesync + - file: surirulesync + - require: + - docker_container: so-suricata delete_so-suricata_so-status.disabled: file.uncomment: From 25a9fb9b5c94a81af1820e01cde00b963ede83d9 Mon Sep 17 00:00:00 2001 From: Wes Date: Mon, 9 Sep 2024 20:16:23 +0000 Subject: [PATCH 40/41] Add destination IP for so-system --- .../templates/component/so/so-system-mappings.json | 7 +++++++ 1 file changed, 7 insertions(+) 
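Review bot: Both `retry` lines abort with the identical message "The Suricata container was not ready in time.", but the second `ruleset-reload-nonblocking` call only runs after the first `reload-rules` call already answered `{"message": "done", "return": "OK"}`, so a failure there means suricatasc rejected the reload — not that the container was unavailable — and the shared message sends whoever reads reload.log down the wrong path. Give the second call its own text, e.g. `... || fail "Suricata ruleset-reload-nonblocking did not return OK after retries."`. The 60 × 3 s budget is the "3 minutes" from the commit subject; a one-line comment above the calls, `# wait up to 180s for the Suricata command socket to answer`, would keep those numbers from being magic. Dropping `-it` is correct since this script is invoked from a Salt cmd.run with no TTY.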
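Review bot: `require: - docker_container: so-suricata` guarantees only that the container state ran before `surirulereload`, not that the command socket inside the container is answering yet, which is why so-suricata-reload-rules still needs its retry loop; without a note the next reader may assume the requisite makes that retry redundant and remove it. Add a comment on the requisite: `# container must exist; so-suricata-reload-rules still retries until the command socket answers`. The surirulesync state referenced by `onchanges` is defined outside this hunk.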
diff --git a/salt/elasticsearch/templates/component/so/so-system-mappings.json b/salt/elasticsearch/templates/component/so/so-system-mappings.json index f86c427a6..17319ab9f 100644 --- a/salt/elasticsearch/templates/component/so/so-system-mappings.json +++ b/salt/elasticsearch/templates/component/so/so-system-mappings.json @@ -16,6 +16,13 @@ } } }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, "source": { "properties":{ "ip": { From 8702d9543453192d50d7e5c352d12b49d45ec1c2 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 9 Sep 2024 16:38:38 -0400 Subject: [PATCH 41/41] only elasticsearch image uses es version --- salt/common/tools/sbin/so-image-common | 2 +- salt/elastic-fleet-package-registry/enabled.sls | 3 +-- salt/elasticagent/enabled.sls | 3 +-- salt/elasticfleet/enabled.sls | 3 +-- salt/kibana/enabled.sls | 3 +-- salt/logstash/download.sls | 3 +-- salt/logstash/enabled.sls | 3 +-- 7 files changed, 7 insertions(+), 13 deletions(-) diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index b99beac24..70098e4f6 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -114,7 +114,7 @@ update_docker_containers() { # all the images using ELASTICSEARCHDEFAULTS.elasticsearch.version # does not include so-elastic-fleet since that container uses so-elastic-agent image - local IMAGES_USING_ES_VERSION=("so-elastic-fleet-package-registry" "so-elastic-agent" "so-kibana" "so-logstash" "so-elasticsearch") + local IMAGES_USING_ES_VERSION=("so-elasticsearch") rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1 mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1 diff --git a/salt/elastic-fleet-package-registry/enabled.sls b/salt/elastic-fleet-package-registry/enabled.sls index 640844fe7..3cd90ba87 100644 --- a/salt/elastic-fleet-package-registry/enabled.sls +++ b/salt/elastic-fleet-package-registry/enabled.sls 
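Review bot: Any so-system document whose destination.ip value does not parse as an IPv4/IPv6 address (a hostname, an empty string) will be rejected at index time once this field is mapped as `"type": "ip"`, unless `ignore_malformed` is set on the index or component template — nothing visible in this hunk sets it. Confirm either that the ingest pipeline feeding so-system guarantees a bare address in destination.ip or that the template carries `ignore_malformed`, otherwise this is a silent data-loss path for the affected events. The entry mirrors the existing `source.ip` mapping, so the behavior is at least symmetric between the two fields; since JSON has no comment syntax, the caveat belongs in the commit message or the pipeline that populates the field.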
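Review bot: The comment left directly above the new list, `# does not include so-elastic-fleet since that container uses so-elastic-agent image`, is now stale — so-elastic-agent itself is no longer in `IMAGES_USING_ES_VERSION`, so the exception it explains no longer exists. Replace the two comment lines with one that states the new rule and its coupling: `# only so-elasticsearch is tagged with ELASTICSEARCHDEFAULTS.elasticsearch.version; all other images use so_version (keep in sync with the image: tags in the *.sls states)`. That coupling is implicit: this array decides which tag is pulled, while each state's `docker_container.running` decides which tag is run, and a mismatch means the container references an image that was never pulled. The rest of update_docker_containers is outside the hunk.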
@@ -7,7 +7,6 @@ {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER %} -{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} include: - elastic-fleet-package-registry.config @@ -15,7 +14,7 @@ include: so-elastic-fleet-package-registry: docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ GLOBALS.so_version }} - name: so-elastic-fleet-package-registry - hostname: Fleet-package-reg-{{ GLOBALS.hostname }} - detach: True diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index f579a7ff9..3c20c916f 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -7,7 +7,6 @@ {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER %} -{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} include: - elasticagent.config @@ -15,7 +14,7 @@ include: so-elastic-agent: docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }} - name: so-elastic-agent - hostname: {{ GLOBALS.hostname }} - detach: True diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index 8a251b709..af5e552eb 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls 
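Review bot: Nothing in this state records that the switch to `{{ GLOBALS.so_version }}` depends on so-elastic-fleet-package-registry being absent from `IMAGES_USING_ES_VERSION` in so-image-common, so the next change to either side can leave the pull and the run disagreeing on the tag. Make the contract explicit above the image line: `{# tagged with so_version: this image is intentionally not in IMAGES_USING_ES_VERSION (so-image-common) #}`. The same comment belongs in the so-elastic-agent, so-kibana and so-logstash states changed by this patch.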
@@ -8,7 +8,6 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} -{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} {# This value is generated during node install and stored in minion pillar #} {% set SERVICETOKEN = salt['pillar.get']('elasticfleet:config:server:es_token','') %} @@ -72,7 +71,7 @@ elasticagent_syncartifacts: {% if SERVICETOKEN != '' %} so-elastic-fleet: docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }} - name: so-elastic-fleet - hostname: FleetServer-{{ GLOBALS.hostname }} - detach: True diff --git a/salt/kibana/enabled.sls b/salt/kibana/enabled.sls index 62317b3e6..56aac26cc 100644 --- a/salt/kibana/enabled.sls +++ b/salt/kibana/enabled.sls @@ -7,7 +7,6 @@ {% if sls.split('.')[0] in allowed_states %} {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} include: - kibana.config @@ -16,7 +15,7 @@ include: # Start the kibana docker so-kibana: docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kibana:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kibana:{{ GLOBALS.so_version }} - hostname: kibana - user: kibana - networks: diff --git a/salt/logstash/download.sls b/salt/logstash/download.sls index 9706f31ad..cf1c6176c 100644 --- a/salt/logstash/download.sls +++ b/salt/logstash/download.sls 
@@ -6,11 +6,10 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} so-logstash_image: docker_image.present: - - name: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }} + - name: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }} {% else %} diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index 5c5102546..0f44a3767 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls @@ -10,7 +10,6 @@ {% from 'logstash/map.jinja' import LOGSTASH_MERGED %} {% from 'logstash/map.jinja' import LOGSTASH_NODES %} {% set lsheap = LOGSTASH_MERGED.settings.lsheap %} -{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} include: {% if GLOBALS.role not in ['so-receiver','so-fleet'] %} @@ -27,7 +26,7 @@ include: so-logstash: docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }} - hostname: so-logstash - name: so-logstash - networks: