diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml index dca40818a..273430e7d 100644 --- a/.github/DISCUSSION_TEMPLATE/2-4.yml +++ b/.github/DISCUSSION_TEMPLATE/2-4.yml @@ -30,6 +30,7 @@ body: - 2.4.150 - 2.4.160 - 2.4.170 + - 2.4.180 - Other (please provide detail below) validations: required: true diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index 2e0b2aa5d..6b966957c 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,17 +1,17 @@ -### 2.4.160-20250625 ISO image released on 2025/06/25 +### 2.4.170-20250812 ISO image released on 2025/08/12 ### Download and Verify -2.4.160-20250625 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.160-20250625.iso +2.4.170-20250812 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.170-20250812.iso -MD5: 78CF5602EFFAB84174C56AD2826E6E4E -SHA1: FC7EEC3EC95D97D3337501BAA7CA8CAE7C0E15EA -SHA256: 0ED965E8BEC80EE16AE90A0F0F96A3046CEF2D92720A587278DDDE3B656C01C2 +MD5: 50ECAAD05736298452DECEAE074FA773 +SHA1: 1B1EB520DE61ECC4BF34E512DAFE307317D7666A +SHA256: 87D176A48A58BAD1C2D57196F999BED23DE9B526226E3754F0C166C866CCDC1A Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.160-20250625.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.170-20250812.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS @@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.160-20250625.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.170-20250812.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.160-20250625.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.170-20250812.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.160-20250625.iso.sig securityonion-2.4.160-20250625.iso +gpg --verify securityonion-2.4.170-20250812.iso.sig securityonion-2.4.170-20250812.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Wed 25 Jun 2025 10:13:33 AM EDT using RSA key ID FE507013 +gpg: Signature made Fri 08 Aug 2025 06:24:56 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/VERSION b/VERSION index 032d0bb01..1ff799fad 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.170 +2.4.180 diff --git a/salt/_runners/setup_hypervisor.py b/salt/_runners/setup_hypervisor.py index 9d7116d59..929801783 100644 --- a/salt/_runners/setup_hypervisor.py +++ b/salt/_runners/setup_hypervisor.py @@ -38,7 +38,7 @@ Examples: Notes: - Verifies Security Onion license - Downloads and validates Oracle Linux KVM image if needed - - Generates Ed25519 SSH keys if not present + - Generates ECDSA SSH keys if not present - Creates/recreates VM based on environment changes - Forces hypervisor configuration via highstate after successful setup (when minion_id provided) @@ -46,7 +46,7 @@ Examples: The setup process includes: 1. License validation 2. Oracle Linux KVM image download and checksum verification - 3. SSH key generation for secure VM access + 3. ECDSA SSH key generation for secure VM access 4. Cloud-init configuration for VM provisioning 5. VM creation with specified disk size 6. Hypervisor configuration via highstate (when minion_id provided and setup successful) @@ -74,7 +74,7 @@ import sys import time import yaml from cryptography.hazmat.primitives import serialization -from cryptography.hazmat.primitives.asymmetric import ed25519 +from cryptography.hazmat.primitives.asymmetric import ec # Configure logging log = logging.getLogger(__name__) log.setLevel(logging.DEBUG) @@ -232,7 +232,7 @@ def _check_ssh_keys_exist(): bool: True if both private and public keys exist, False otherwise """ key_dir = '/etc/ssh/auth_keys/soqemussh' - key_path = f'{key_dir}/id_ed25519' + key_path = f'{key_dir}/id_ecdsa' pub_key_path = f'{key_path}.pub' dest_dir = '/opt/so/saltstack/local/salt/libvirt/ssh/keys' dest_path = os.path.join(dest_dir, os.path.basename(pub_key_path)) @@ -250,7 +250,7 @@ def _setup_ssh_keys(): """ try: key_dir = '/etc/ssh/auth_keys/soqemussh' - key_path = f'{key_dir}/id_ed25519' + key_path = f'{key_dir}/id_ecdsa' pub_key_path = f'{key_path}.pub' # Check if keys already exist @@ -266,9 +266,9 @@ def _setup_ssh_keys(): os.makedirs(key_dir, exist_ok=True) os.chmod(key_dir, 0o700) - # Generate new ed25519 key pair + # Generate new ECDSA key pair using SECP256R1 curve log.info("Generating new SSH keys") - private_key = ed25519.Ed25519PrivateKey.generate() + private_key = ec.generate_private_key(ec.SECP256R1()) public_key = private_key.public_key() # Serialize private key @@ -540,7 +540,7 @@ def setup_environment(vm_name: str = 'sool9', disk_size: str = '220G', minion_id Notes: - Verifies Security Onion license - Downloads and validates Oracle Linux KVM image if needed - - Generates Ed25519 SSH keys if not present + - Generates ECDSA SSH keys if not present - Creates/recreates VM based on environment changes - Forces hypervisor configuration via highstate after successful setup (when minion_id is provided) @@ -765,7 +765,7 @@ def create_vm(vm_name: str, disk_size: str = '220G'): _set_ownership_and_perms(vm_dir, mode=0o750) # Read the SSH public key - pub_key_path = '/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ed25519.pub' + pub_key_path = '/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ecdsa.pub' try: with salt.utils.files.fopen(pub_key_path, 'r') as f: ssh_pub_key = f.read().strip() @@ -844,7 +844,7 @@ output: all: ">> /var/log/cloud-init.log" # configure interaction with ssh server -ssh_genkeytypes: ['ed25519', 'rsa'] +ssh_genkeytypes: ['ecdsa', 'rsa'] # set timezone for VM timezone: UTC @@ -1038,7 +1038,7 @@ def regenerate_ssh_keys(): Notes: - Validates Security Onion license - Removes existing keys if present - - Generates new Ed25519 key pair + - Generates new ECDSA key pair - Sets secure permissions (600 for private, 644 for public) - Distributes public key to required locations @@ -1048,7 +1048,7 @@ def regenerate_ssh_keys(): 2. Checks for existing SSH keys 3. Removes old keys if present 4. Creates required directories with secure permissions - 5. Generates new Ed25519 key pair + 5. Generates new ECDSA key pair 6. Sets appropriate file permissions 7. Distributes public key to required locations @@ -1067,7 +1067,7 @@ def regenerate_ssh_keys(): # Remove existing keys key_dir = '/etc/ssh/auth_keys/soqemussh' - key_path = f'{key_dir}/id_ed25519' + key_path = f'{key_dir}/id_ecdsa' pub_key_path = f'{key_path}.pub' dest_dir = '/opt/so/saltstack/local/salt/libvirt/ssh/keys' dest_path = os.path.join(dest_dir, os.path.basename(pub_key_path)) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 9caaf725a..0c43b8c0b 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -909,6 +909,15 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + hypervisor: + portgroups: + - yum + - docker_registry + - influxdb + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update + - sensoroni customhostgroup0: portgroups: [] customhostgroup1: @@ -961,6 +970,9 @@ firewall: desktop: portgroups: - salt_manager + hypervisor: + portgroups: + - salt_manager self: portgroups: - syslog @@ -1113,6 +1125,15 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + hypervisor: + portgroups: + - yum + - docker_registry + - influxdb + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update + - sensoroni customhostgroup0: portgroups: [] customhostgroup1: @@ -1168,6 +1189,9 @@ firewall: desktop: portgroups: - salt_manager + hypervisor: + portgroups: + - salt_manager self: portgroups: - syslog diff --git a/salt/libvirt/ssh/files/config b/salt/libvirt/ssh/files/config index de6cb7b34..9b8f89442 100644 --- a/salt/libvirt/ssh/files/config +++ b/salt/libvirt/ssh/files/config @@ -1,2 +1,2 @@ Match user soqemussh - IdentityFile /etc/ssh/auth_keys/soqemussh/id_ed25519 + IdentityFile /etc/ssh/auth_keys/soqemussh/id_ecdsa diff --git a/salt/libvirt/ssh/users.sls b/salt/libvirt/ssh/users.sls index 173a3e095..8bbf2ca7e 100644 --- a/salt/libvirt/ssh/users.sls +++ b/salt/libvirt/ssh/users.sls @@ -46,7 +46,7 @@ create_soqemussh_user: soqemussh_pub_key: ssh_auth.present: - user: soqemussh - - source: salt://libvirt/ssh/keys/id_ed25519.pub + - source: salt://libvirt/ssh/keys/id_ecdsa.pub {% endif %} diff --git a/salt/manager/hypervisor.sls b/salt/manager/hypervisor.sls index 315775446..080d0699c 100644 --- a/salt/manager/hypervisor.sls +++ b/salt/manager/hypervisor.sls @@ -16,9 +16,9 @@ # Check if hypervisor environment has been set up {% set ssh_user_exists = salt['user.info']('soqemussh') %} -{% set ssh_keys_exist = salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ed25519') and - salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ed25519.pub') and - salt['file.file_exists']('/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ed25519.pub') %} +{% set ssh_keys_exist = salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ecdsa') and + salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ecdsa.pub') and + salt['file.file_exists']('/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ecdsa.pub') %} {% set base_image_exists = salt['file.file_exists']('/nsm/libvirt/boot/OL9U5_x86_64-kvm-b253.qcow2') %} {% set vm_files_exist = salt['file.directory_exists']('/opt/so/saltstack/local/salt/libvirt/images/sool9') and salt['file.file_exists']('/opt/so/saltstack/local/salt/libvirt/images/sool9/sool9.qcow2') and diff --git a/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja b/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja index 94cc85117..025e23d89 100644 --- a/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja +++ b/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja @@ -11,7 +11,7 @@ sool9_{{host}}: base_domain: sool9 ip_source: qemu-agent ssh_username: soqemussh - private_key: /etc/ssh/auth_keys/soqemussh/id_ed25519 + private_key: /etc/ssh/auth_keys/soqemussh/id_ecdsa sudo: True deploy_command: sh /tmp/.saltcloud-*/deploy.sh script_args: -r -F -x python3 stable 3006.9 diff --git a/setup/so-setup b/setup/so-setup index f955917bc..347a7165c 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -755,7 +755,7 @@ if ! [[ -f $install_opt_file ]]; then logCmd "salt-key -ya $MINION_ID" logCmd "salt-call saltutil.sync_all" # we need to sync the runner and generate the soqemussh user keys so that first highstate after license created - # doesnt have a state failure for soqemussh_pub_key source for id_ed25519.pub missing + # doesnt have a state failure for soqemussh_pub_key source for id_ecdsa.pub missing if [[ $is_manager || $is_managerhype ]]; then logCmd "salt-run saltutil.sync_all" logCmd "salt-run setup_hypervisor.regenerate_ssh_keys" diff --git a/setup/so-whiptail b/setup/so-whiptail index 57bd10b8c..4c92f6a48 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -654,10 +654,9 @@ whiptail_install_type_dist_new() { Note: MANAGER is the recommended option for most users. MANAGERSEARCH should only be used in very specific situations. EOM - install_type=$(whiptail --title "$whiptail_title" --menu "$mngr_msg" 20 75 3 \ + install_type=$(whiptail --title "$whiptail_title" --menu "$mngr_msg" 20 75 2 \ "MANAGER" "New grid, requires separate search node(s) " \ "MANAGERSEARCH" "New grid, separate search node(s) are optional " \ - "MANAGERHYPE" "Manager with hypervisor - Security Onion Pro required " \ 3>&1 1>&2 2>&3 ) diff --git a/sigs/securityonion-2.4.170-20250812.iso.sig b/sigs/securityonion-2.4.170-20250812.iso.sig new file mode 100644 index 000000000..df29c07b5 Binary files /dev/null and b/sigs/securityonion-2.4.170-20250812.iso.sig differ