Merge remote-tracking branch 'origin/2.4/dev' into reyesj2/ol9stg

This commit is contained in:
reyesj2
2025-08-13 12:50:24 -05:00
12 changed files with 58 additions and 34 deletions


@@ -30,6 +30,7 @@ body:
- 2.4.150
- 2.4.160
- 2.4.170
- 2.4.180
- Other (please provide detail below)
validations:
required: true


@@ -1,17 +1,17 @@
### 2.4.160-20250625 ISO image released on 2025/06/25
### 2.4.170-20250812 ISO image released on 2025/08/12
### Download and Verify
2.4.160-20250625 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.160-20250625.iso
2.4.170-20250812 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.170-20250812.iso
MD5: 78CF5602EFFAB84174C56AD2826E6E4E
SHA1: FC7EEC3EC95D97D3337501BAA7CA8CAE7C0E15EA
SHA256: 0ED965E8BEC80EE16AE90A0F0F96A3046CEF2D92720A587278DDDE3B656C01C2
MD5: 50ECAAD05736298452DECEAE074FA773
SHA1: 1B1EB520DE61ECC4BF34E512DAFE307317D7666A
SHA256: 87D176A48A58BAD1C2D57196F999BED23DE9B526226E3754F0C166C866CCDC1A
Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.160-20250625.iso.sig
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.170-20250812.iso.sig
Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
Download the signature file for the ISO:
```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.160-20250625.iso.sig
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.170-20250812.iso.sig
```
Download the ISO image:
```
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.160-20250625.iso
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.170-20250812.iso
```
Verify the downloaded ISO image using the signature file:
```
gpg --verify securityonion-2.4.160-20250625.iso.sig securityonion-2.4.160-20250625.iso
gpg --verify securityonion-2.4.170-20250812.iso.sig securityonion-2.4.170-20250812.iso
```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
```
gpg: Signature made Wed 25 Jun 2025 10:13:33 AM EDT using RSA key ID FE507013
gpg: Signature made Fri 08 Aug 2025 06:24:56 PM EDT using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.


@@ -1 +1 @@
2.4.170
2.4.180


@@ -38,7 +38,7 @@ Examples:
Notes:
- Verifies Security Onion license
- Downloads and validates Oracle Linux KVM image if needed
- Generates Ed25519 SSH keys if not present
- Generates ECDSA SSH keys if not present
- Creates/recreates VM based on environment changes
- Forces hypervisor configuration via highstate after successful setup (when minion_id provided)
@@ -46,7 +46,7 @@ Examples:
The setup process includes:
1. License validation
2. Oracle Linux KVM image download and checksum verification
3. SSH key generation for secure VM access
3. ECDSA SSH key generation for secure VM access
4. Cloud-init configuration for VM provisioning
5. VM creation with specified disk size
6. Hypervisor configuration via highstate (when minion_id provided and setup successful)
@@ -74,7 +74,7 @@ import sys
import time
import yaml
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.hazmat.primitives.asymmetric import ec
# Configure logging
log = logging.getLogger(__name__)
log.setLevel(logging.DEBUG)
@@ -232,7 +232,7 @@ def _check_ssh_keys_exist():
bool: True if both private and public keys exist, False otherwise
"""
key_dir = '/etc/ssh/auth_keys/soqemussh'
key_path = f'{key_dir}/id_ed25519'
key_path = f'{key_dir}/id_ecdsa'
pub_key_path = f'{key_path}.pub'
dest_dir = '/opt/so/saltstack/local/salt/libvirt/ssh/keys'
dest_path = os.path.join(dest_dir, os.path.basename(pub_key_path))
@@ -250,7 +250,7 @@ def _setup_ssh_keys():
"""
try:
key_dir = '/etc/ssh/auth_keys/soqemussh'
key_path = f'{key_dir}/id_ed25519'
key_path = f'{key_dir}/id_ecdsa'
pub_key_path = f'{key_path}.pub'
# Check if keys already exist
@@ -266,9 +266,9 @@ def _setup_ssh_keys():
os.makedirs(key_dir, exist_ok=True)
os.chmod(key_dir, 0o700)
# Generate new ed25519 key pair
# Generate new ECDSA key pair using SECP256R1 curve
log.info("Generating new SSH keys")
private_key = ed25519.Ed25519PrivateKey.generate()
private_key = ec.generate_private_key(ec.SECP256R1())
public_key = private_key.public_key()
# Serialize private key
@@ -540,7 +540,7 @@ def setup_environment(vm_name: str = 'sool9', disk_size: str = '220G', minion_id
Notes:
- Verifies Security Onion license
- Downloads and validates Oracle Linux KVM image if needed
- Generates Ed25519 SSH keys if not present
- Generates ECDSA SSH keys if not present
- Creates/recreates VM based on environment changes
- Forces hypervisor configuration via highstate after successful setup
(when minion_id is provided)
@@ -765,7 +765,7 @@ def create_vm(vm_name: str, disk_size: str = '220G'):
_set_ownership_and_perms(vm_dir, mode=0o750)
# Read the SSH public key
pub_key_path = '/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ed25519.pub'
pub_key_path = '/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ecdsa.pub'
try:
with salt.utils.files.fopen(pub_key_path, 'r') as f:
ssh_pub_key = f.read().strip()
@@ -844,7 +844,7 @@ output:
all: ">> /var/log/cloud-init.log"
# configure interaction with ssh server
ssh_genkeytypes: ['ed25519', 'rsa']
ssh_genkeytypes: ['ecdsa', 'rsa']
# set timezone for VM
timezone: UTC
@@ -1038,7 +1038,7 @@ def regenerate_ssh_keys():
Notes:
- Validates Security Onion license
- Removes existing keys if present
- Generates new Ed25519 key pair
- Generates new ECDSA key pair
- Sets secure permissions (600 for private, 644 for public)
- Distributes public key to required locations
@@ -1048,7 +1048,7 @@ def regenerate_ssh_keys():
2. Checks for existing SSH keys
3. Removes old keys if present
4. Creates required directories with secure permissions
5. Generates new Ed25519 key pair
5. Generates new ECDSA key pair
6. Sets appropriate file permissions
7. Distributes public key to required locations
@@ -1067,7 +1067,7 @@ def regenerate_ssh_keys():
# Remove existing keys
key_dir = '/etc/ssh/auth_keys/soqemussh'
key_path = f'{key_dir}/id_ed25519'
key_path = f'{key_dir}/id_ecdsa'
pub_key_path = f'{key_path}.pub'
dest_dir = '/opt/so/saltstack/local/salt/libvirt/ssh/keys'
dest_path = os.path.join(dest_dir, os.path.basename(pub_key_path))
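Review bot: With every key path switched to `id_ecdsa`, the removal step of regenerate_ssh_keys ("Removes existing keys if present" in its docstring) no longer touches an `id_ed25519`/`id_ed25519.pub` pair left by a previous release in `/etc/ssh/auth_keys/soqemussh` or the copy under `/opt/so/saltstack/local/salt/libvirt/ssh/keys`, so on a hypervisor upgraded in place the retired private key stays on disk next to the new one. Consider deleting the legacy paths in the same step, e.g. `for legacy in (f'{key_dir}/id_ed25519', f'{key_dir}/id_ed25519.pub', os.path.join(dest_dir, 'id_ed25519.pub')):` followed by a guarded `os.remove(legacy)`; `_check_ssh_keys_exist` and `_setup_ssh_keys` have the same gap, since they now report "no keys" and generate a fresh pair without cleaning up. The reason for moving from Ed25519 to P-256 is not recorded anywhere in the file; if it is FIPS-mode compatibility on OL9 (presumably, given the branch), stating that in the `# Generate new ECDSA key pair using SECP256R1 curve` comment would keep a later reader from reverting it. regenerate_ssh_keys continues outside the hunk.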


@@ -909,6 +909,15 @@ firewall:
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
hypervisor:
portgroups:
- yum
- docker_registry
- influxdb
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
- sensoroni
customhostgroup0:
portgroups: []
customhostgroup1:
@@ -961,6 +970,9 @@ firewall:
desktop:
portgroups:
- salt_manager
hypervisor:
portgroups:
- salt_manager
self:
portgroups:
- syslog
@@ -1113,6 +1125,15 @@ firewall:
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
hypervisor:
portgroups:
- yum
- docker_registry
- influxdb
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
- sensoroni
customhostgroup0:
portgroups: []
customhostgroup1:
@@ -1168,6 +1189,9 @@ firewall:
desktop:
portgroups:
- salt_manager
hypervisor:
portgroups:
- salt_manager
self:
portgroups:
- syslog
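Review bot: The hypervisor hostgroup block is added verbatim twice (the hunks at 909 and 1113) and the single-portgroup variant twice more (961 and 1168); with four copies, a port added later to one role's list can easily miss its twin. If this file is read through Salt's YAML renderer, a YAML anchor on the first list and an alias on the second would keep them in sync; otherwise a short comment on each copy naming its sibling is the minimum. The role keys that own each `firewall:` block start outside the hunks, so which role each copy belongs to is not visible here.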


@@ -1,2 +1,2 @@
Match user soqemussh
IdentityFile /etc/ssh/auth_keys/soqemussh/id_ed25519
IdentityFile /etc/ssh/auth_keys/soqemussh/id_ecdsa


@@ -46,7 +46,7 @@ create_soqemussh_user:
soqemussh_pub_key:
ssh_auth.present:
- user: soqemussh
- source: salt://libvirt/ssh/keys/id_ed25519.pub
- source: salt://libvirt/ssh/keys/id_ecdsa.pub
{% endif %}
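Review bot: `ssh_auth.present` only adds the key from the new source; it does not remove the Ed25519 key that earlier runs placed in soqemussh's authorized_keys, so a host upgraded in place keeps both keys authorized until the old one is removed explicitly. Pair this state with an `ssh_auth.absent` for the previous `salt://libvirt/ssh/keys/id_ed25519.pub` source (or manage the authorized_keys file as a whole) so the retired key stops granting access; the ssh config hunk in this commit renames the IdentityFile too, which makes the leftover easy to overlook. The enclosing `{% if %}` block starts outside the hunk.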


@@ -16,9 +16,9 @@
# Check if hypervisor environment has been set up
{% set ssh_user_exists = salt['user.info']('soqemussh') %}
{% set ssh_keys_exist = salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ed25519') and
salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ed25519.pub') and
salt['file.file_exists']('/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ed25519.pub') %}
{% set ssh_keys_exist = salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ecdsa') and
salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ecdsa.pub') and
salt['file.file_exists']('/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ecdsa.pub') %}
{% set base_image_exists = salt['file.file_exists']('/nsm/libvirt/boot/OL9U5_x86_64-kvm-b253.qcow2') %}
{% set vm_files_exist = salt['file.directory_exists']('/opt/so/saltstack/local/salt/libvirt/images/sool9') and
salt['file.file_exists']('/opt/so/saltstack/local/salt/libvirt/images/sool9/sool9.qcow2') and


@@ -11,7 +11,7 @@ sool9_{{host}}:
base_domain: sool9
ip_source: qemu-agent
ssh_username: soqemussh
private_key: /etc/ssh/auth_keys/soqemussh/id_ed25519
private_key: /etc/ssh/auth_keys/soqemussh/id_ecdsa
sudo: True
deploy_command: sh /tmp/.saltcloud-*/deploy.sh
script_args: -r -F -x python3 stable 3006.9


@@ -755,7 +755,7 @@ if ! [[ -f $install_opt_file ]]; then
logCmd "salt-key -ya $MINION_ID"
logCmd "salt-call saltutil.sync_all"
# we need to sync the runner and generate the soqemussh user keys so that first highstate after license created
# doesnt have a state failure for soqemussh_pub_key source for id_ed25519.pub missing
# doesnt have a state failure for soqemussh_pub_key source for id_ecdsa.pub missing
if [[ $is_manager || $is_managerhype ]]; then
logCmd "salt-run saltutil.sync_all"
logCmd "salt-run setup_hypervisor.regenerate_ssh_keys"


@@ -654,10 +654,9 @@ whiptail_install_type_dist_new() {
Note: MANAGER is the recommended option for most users. MANAGERSEARCH should only be used in very specific situations.
EOM
install_type=$(whiptail --title "$whiptail_title" --menu "$mngr_msg" 20 75 3 \
install_type=$(whiptail --title "$whiptail_title" --menu "$mngr_msg" 20 75 2 \
"MANAGER" "New grid, requires separate search node(s) " \
"MANAGERSEARCH" "New grid, separate search node(s) are optional " \
"MANAGERHYPE" "Manager with hypervisor - Security Onion Pro required " \
3>&1 1>&2 2>&3
)
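Review bot: Dropping MANAGERHYPE from this menu only hides the option in whiptail_install_type_dist_new; `is_managerhype` is still consulted in so-setup (the `if [[ $is_manager || $is_managerhype ]]` line in that file's hunk), so the install type presumably remains reachable by another path, and that should be confirmed rather than inferred. If the intent is to withhold the type from this build, a comment above the menu such as `# MANAGERHYPE is intentionally not offered in this menu` would keep the two files from drifting. whiptail_install_type_dist_new continues outside the hunk.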

Binary file not shown.