Merge branch 'dev' into feature/setup-idempotency

.github/ISSUE_TEMPLATE

@@ -0,0 +1,12 @@
+PLEASE STOP AND READ THIS INFORMATION!
+
+If you are creating an issue just to ask a question, you will likely get faster and better responses by posting to our discussions forum instead:
+https://securityonion.net/discuss
+
+If you think you have found a possible bug or are observing a behavior that you weren't expecting, use the discussion forum to start a conversation about it instead of creating an issue.
+
+If you are very familiar with the latest version of the product and are confident you have found a bug in Security Onion, you can continue with creating an issue here, but please make sure you have done the following:
+- duplicated the issue on a fresh installation of the latest version
+- provide information about your system and how you installed Security Onion
+- include relevant log files
+- include reproduction steps

README.md

@@ -2,6 +2,13 @@
 
 Security Onion 2.3.2 is here!
 
+## Screenshots
+
+Alerts
+![Alerts](https://raw.githubusercontent.com/security-onion-solutions/securityonion/master/screenshots/alerts-1.png)
+
+Hunt
+![Hunt](https://raw.githubusercontent.com/security-onion-solutions/securityonion/master/screenshots/hunt-1.png)
 
 ### Release Notes
 

salt/elasticsearch/files/ingest/strelka.file

@@ -6,16 +6,16 @@
     { "rename":         { "field": "message2.scan",        "target_field": "scan",          "ignore_missing": true  } },
     { "rename":         { "field": "message2.request",        "target_field": "request",          "ignore_missing": true  } },
     { "rename":         { "field": "scan.hash",        "target_field": "hash",          "ignore_missing": true  } },
-
+    { "rename":         { "field": "scan.exiftool",        "target_field": "exiftool",          "ignore_missing": true  } },
     { "grok":           { "if": "ctx.request?.attributes?.filename != null",   "field": "request.attributes.filename",       "patterns": ["-%{WORD:log.id.fuid}-"], "ignore_failure": true } },
     { "foreach":
       {
-        "if": "ctx.scan?.exiftool?.keys !=null",
+        "if": "ctx.exiftool?.keys !=null",
-          "field": "scan.exiftool.keys",
+          "field": "exiftool.keys",
           "processor":{
-            "set": {
+            "append": {
-              "field": "scan.exiftool.{{_ingest._value.key}}",
+              "field": "scan.exiftool",
-              "value": "{{_ingest._value.value}}"
+              "value": "{{_ingest._value.key}}={{_ingest._value.value}}"
             }
           }
       }
@@ -42,7 +42,8 @@
     { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89",   "field": "event.severity", "value": 3, "override": true }  },
     { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90",   "field": "event.severity", "value": 4, "override": true }  },
     { "set":         { "field": "observer.name",        "value": "{{agent.name}}" }},
-    { "remove":         { "field": ["host", "path", "message", "scan.exiftool.keys", "scan.yara.meta"],                                         "ignore_missing": true  } },
+    { "convert" :    { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
+    { "remove":         { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"],                                         "ignore_missing": true  } },
     { "pipeline":       { "name": "common"                                                                                   } }
   ]
 }

salt/elasticsearch/templates/so/so-common-template.json

@@ -379,9 +379,14 @@
             }
           }
         },
-	      "scan":{
+	"scan":{
           "type":"object",
-          "dynamic": true
+          "dynamic": true,
+	  "properties":{
+            "exiftool":{
+              "type":"text"
+             }
+          }
         },
         "server":{
           "type":"object",

salt/idstools/init.sls

@@ -58,11 +58,12 @@ rulesdir:
     - makedirs: True
 
 synclocalnidsrules:
-  file.managed:
+  file.recurse:
-    - name: /opt/so/rules/nids/local.rules
+    - name: /opt/so/rules/nids/
-    - source: salt://idstools/local.rules
+    - source: salt://idstools/
     - user: 939
     - group: 939
+    - include_pat: 'E@.rules'
 
 so-idstools:
   docker_container.running:
@@ -81,4 +82,4 @@ idstools_state_not_allowed:
   test.fail_without_changes:
     - name: idstools_state_not_allowed
 
-{% endif%}
+{% endif%}

salt/nginx/etc/nginx.conf

@@ -379,7 +379,7 @@ http {
 
 		location @error401 {
 			add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
-			return        302 /auth/self-service/browser/flows/login;
+			return        302 /auth/self-service/login/browser;
 		}
 
 		error_page 500 502 503 504 /50x.html;

salt/soc/files/kratos/kratos.yaml

@@ -2,7 +2,7 @@
 {%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%}
 
 selfservice:
-  strategies:
+  methods:
     password:
       enabled: true
 

salt/thehive/etc/cortex-application.conf

@@ -6,6 +6,7 @@
 # WARNING: If you deploy your application on several servers, make sure to use the same key.
 play.http.secret.key="{{ CORTEXPLAYSECRET }}"
 play.http.context=/cortex/
+pidfile.path = "/dev/null"
 search.uri = "http://{{ MANAGERIP }}:9400"
 
 # Elasticsearch

salt/wazuh/files/agent/wazuh-register-agent

@@ -47,6 +47,10 @@ cat <<HELP_USAGE
 HELP_USAGE
 }
 
+cleanup_creds() {
+  /usr/sbin/so-wazuh-user-remove $USER
+}
+
 register_agent() {
   # Adding agent and getting Id from manager
   echo ""
@@ -57,27 +61,25 @@ register_agent() {
 
   if [ "$?" != "0" ]; then
     echo -e $API_RESULT | sed -rn 's/.*"message":"(.+)".*/\1/p'
-    exit 0
+  else
+    # Get agent id and agent key
+    AGENT_ID=$(echo $API_RESULT | cut -d':' -f 4 | cut -d ',' -f 1)
+    AGENT_KEY=$(echo $API_RESULT | cut -d':' -f 5 | cut -d '}' -f 1)
+
+    echo "Agent '$AGENT_NAME' with ID '$AGENT_ID' added."
+    echo "Key for agent '$AGENT_ID' received."
+
+    # Importing key
+    echo ""
+    echo "Importing authentication key:"
+    echo "y" | /var/ossec/bin/manage_agents -i $AGENT_KEY
+
+    # Restarting agent
+    echo ""
+    echo "Restarting:"
+    echo ""
+    /var/ossec/bin/ossec-control restart
   fi
-  # Get agent id and agent key
-  AGENT_ID=$(echo $API_RESULT | cut -d':' -f 4 | cut -d ',' -f 1)
-  AGENT_KEY=$(echo $API_RESULT | cut -d':' -f 5 | cut -d '}' -f 1)
-
-  echo "Agent '$AGENT_NAME' with ID '$AGENT_ID' added."
-  echo "Key for agent '$AGENT_ID' received."
-
-  # Importing key
-  echo ""
-  echo "Importing authentication key:"
-  echo "y" | /var/ossec/bin/manage_agents -i $AGENT_KEY
-
-  # Restarting agent
-  echo ""
-  echo "Restarting:"
-  echo ""
-  /var/ossec/bin/ossec-control restart
-
-  exit 0
 }
 
 remove_agent() {
@@ -135,11 +137,15 @@ shift $(($OPTIND - 1))
 #  fi
 
 # Default action -> try to register the agent
+echo "Waiting before registering agent..."
 sleep 30s
-STATUS=$(curl -s -k -u $USER:$PASSWORD -L $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID | jq .data.status | sed s'/"//g')
+if [ -f /opt/so/conf/wazuh/initial_agent_registration.log ]; then
-if [[ $STATUS == "Active" ]]; then
   echo "Agent $AGENT_ID already registered!"
+  exit 0
 else
   register_agent
+  cleanup_creds
+  echo "Initial agent $AGENT_ID with IP $AGENT_IP registered on $DATE." > /opt/so/conf/wazuh/initial_agent_registration.log
+  exit 0
 fi
 #remove_agent

salt/zeek/policy/intel/intel.dat

@@ -0,0 +1,5 @@
+#fields	indicator	indicator_type	meta.source	meta.do_notice
+# EXAMPLES:
+#66.32.119.38	Intel::ADDR	Test Address	T
+#www.honeynet.org	Intel::DOMAIN	Test Domain	T
+#4285358dd748ef74cb8161108e11cb73	Intel::FILE_HASH	Test MD5	T

setup/so-functions

@@ -431,8 +431,6 @@ configure_minion() {
 
 	{
 		systemctl restart salt-minion;
-		printf '%s\n'  '----';
-		cat "$minion_config";
 	} >> "$setup_log" 2>&1
 }
 
@@ -748,7 +746,7 @@ detect_os() {
 
 disable_auto_start() {
 	
-	if crontab -l 2>&1 | grep so-setup > /dev/null 2>&1; then
+	if crontab -l -u $INSTALLUSERNAME 2>&1 | grep so-setup > /dev/null 2>&1; then
 		# Remove the automated setup script from crontab, if it exists
 		logCmd "crontab -u $INSTALLUSERNAME -r"
 	fi
@@ -1664,12 +1662,17 @@ salt_checkin() {
 				done
 
 				echo " Confirming existence of the CA certificate"
-				cat /etc/pki/ca.crt
+				openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates
 				echo " Applyng a mine hack";
 				salt "$MINION_ID" mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt;
 				salt "$MINION_ID" mine.update;
-				echo " Confirming salt mine now contain the certificate";
+				echo "Confirming salt mine now contains the certificate";
-				salt "$MINION_ID" mine.get '*' x509.get_pem_entries;
+				salt "$MINION_ID" mine.get '*' x509.get_pem_entries | grep -E 'BEGIN CERTIFICATE|END CERTIFICATE';
+				if [ $? -eq 0 ]; then
+					echo "CA in mine"
+				else
+					echo "CA not in mine"
+				fi
 				echo " Applying SSL state";
 				salt-call state.apply ssl;
 			} >> "$setup_log" 2>&1
@@ -1722,10 +1725,12 @@ setup_salt_master_dirs() {
 	if [ "$setup_type" = 'iso' ]; then
 		rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
 		rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+		mkdir -p $local_salt_dir/salt/zeek/policy/intel >> "$setup_log" 2>&1
 		cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
 	else
 		cp -Rv ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
 		cp -Rv ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+		mkdir -p $local_salt_dir/salt/zeek/policy/intel >> "$setup_log" 2>&1
 		cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
 	fi