From 82894d88b6d9ffa36715e8854225b4e30a1b1d39 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Thu, 7 Aug 2025 14:40:58 -0400
Subject: [PATCH 1/8] ecdsa instead of ed25519
---
salt/_runners/setup_hypervisor.py | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/salt/_runners/setup_hypervisor.py b/salt/_runners/setup_hypervisor.py
index 9d7116d59..929801783 100644
--- a/salt/_runners/setup_hypervisor.py
+++ b/salt/_runners/setup_hypervisor.py
@@ -38,7 +38,7 @@ Examples:
 Notes:
 - Verifies Security Onion license
 - Downloads and validates Oracle Linux KVM image if needed
- - Generates Ed25519 SSH keys if not present
+ - Generates ECDSA SSH keys if not present
 - Creates/recreates VM based on environment changes
 - Forces hypervisor configuration via highstate after successful setup (when minion_id provided)
@@ -46,7 +46,7 @@ Examples:
 The setup process includes:
 1. License validation
 2. Oracle Linux KVM image download and checksum verification
- 3. SSH key generation for secure VM access
+ 3. ECDSA SSH key generation for secure VM access
 4. Cloud-init configuration for VM provisioning
 5. VM creation with specified disk size
 6. Hypervisor configuration via highstate (when minion_id provided and setup successful)
@@ -74,7 +74,7 @@ import sys
 import time
 import yaml
 from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat.primitives.asymmetric import ed25519
+from cryptography.hazmat.primitives.asymmetric import ec
 # Configure logging
 log = logging.getLogger(__name__)
 log.setLevel(logging.DEBUG)
@@ -232,7 +232,7 @@ def _check_ssh_keys_exist():
 bool: True if both private and public keys exist, False otherwise
 """
 key_dir = '/etc/ssh/auth_keys/soqemussh'
- key_path = f'{key_dir}/id_ed25519'
+ key_path = f'{key_dir}/id_ecdsa'
 pub_key_path = f'{key_path}.pub'
 dest_dir = '/opt/so/saltstack/local/salt/libvirt/ssh/keys'
 dest_path = os.path.join(dest_dir, os.path.basename(pub_key_path))
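Review bot: Changing the key filename in `_check_ssh_keys_exist` (and the same path in `_setup_ssh_keys` at @@ -250, `create_vm` at @@ -765, `regenerate_ssh_keys` at @@ -1067, and the config, users.sls, hypervisor.sls and socloud.conf.jinja hunks of the next patch) means a manager upgraded from an Ed25519 deployment now reports no keys and generates a fresh ECDSA pair, while the old `id_ed25519` files stay on disk with nothing in this series removing them. Presumably an already-provisioned VM still authorizes only the old Ed25519 public key, so `IdentityFile`/salt-cloud logins with the new key would fail until that VM is recreated; if the intended upgrade path is that the VM gets rebuilt, a comment next to the path saying so would help, otherwise the existence check should also migrate or clean up the old `id_ed25519` pair. The body of `_check_ssh_keys_exist` continues outside the hunk.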
@@ -250,7 +250,7 @@ def _setup_ssh_keys():
 """
 try:
 key_dir = '/etc/ssh/auth_keys/soqemussh'
- key_path = f'{key_dir}/id_ed25519'
+ key_path = f'{key_dir}/id_ecdsa'
 pub_key_path = f'{key_path}.pub'
 # Check if keys already exist
@@ -266,9 +266,9 @@ def _setup_ssh_keys():
 os.makedirs(key_dir, exist_ok=True)
 os.chmod(key_dir, 0o700)
- # Generate new ed25519 key pair
+ # Generate new ECDSA key pair using SECP256R1 curve
 log.info("Generating new SSH keys")
- private_key = ed25519.Ed25519PrivateKey.generate()
+ private_key = ec.generate_private_key(ec.SECP256R1())
 public_key = private_key.public_key()
 # Serialize private key
@@ -540,7 +540,7 @@ def setup_environment(vm_name: str = 'sool9', disk_size: str = '220G', minion_id
 Notes:
 - Verifies Security Onion license
 - Downloads and validates Oracle Linux KVM image if needed
- - Generates Ed25519 SSH keys if not present
+ - Generates ECDSA SSH keys if not present
 - Creates/recreates VM based on environment changes
 - Forces hypervisor configuration via highstate after successful setup (when minion_id is provided)
@@ -765,7 +765,7 @@ def create_vm(vm_name: str, disk_size: str = '220G'):
 _set_ownership_and_perms(vm_dir, mode=0o750)
 # Read the SSH public key
- pub_key_path = '/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ed25519.pub'
+ pub_key_path = '/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ecdsa.pub'
 try:
 with salt.utils.files.fopen(pub_key_path, 'r') as f:
 ssh_pub_key = f.read().strip()
@@ -844,7 +844,7 @@ output:
 all: ">> /var/log/cloud-init.log"
 # configure interaction with ssh server
-ssh_genkeytypes: ['ed25519', 'rsa']
+ssh_genkeytypes: ['ecdsa', 'rsa']
 # set timezone for VM
 timezone: UTC
@@ -1038,7 +1038,7 @@ def regenerate_ssh_keys():
 Notes:
 - Validates Security Onion license
 - Removes existing keys if present
- - Generates new Ed25519 key pair
+ - Generates new ECDSA key pair
 - Sets secure permissions (600 for private, 644 for public)
 - Distributes public key to required locations
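Review bot: The move from `ed25519.Ed25519PrivateKey.generate()` to `ec.generate_private_key(ec.SECP256R1())` is explained neither in the new comment nor in the commit message, and it is a security-relevant choice: ECDSA signing needs a fresh, unbiased per-signature nonce from the RNG of whichever host signs with the key, whereas Ed25519 signing is deterministic, so this should be recorded as a deliberate compatibility decision rather than an incidental one. Suggest making the comment carry the reason, e.g. `# ECDSA P-256 instead of Ed25519: required because <reason — e.g. the guest sshd rejects Ed25519 keys in its configured mode>`. The `# Serialize private key` step that follows is outside the hunk; if it still uses `Encoding.Raw`/`PrivateFormat.Raw`, those are only valid for the Ed25519 family, so it needs `PrivateFormat.OpenSSH` (or PKCS8) for an EC key. `_setup_ssh_keys` starts and ends outside the hunk.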
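Review bot: `ssh_genkeytypes: ['ecdsa', 'rsa']` changes which host key types the guest's sshd generates, which is independent of the client identity key switched elsewhere in this patch; an ECDSA client key authenticates fine against a guest that still offers an Ed25519 host key. If only the client key needed to change, this line can stay as it was; if the guest must avoid Ed25519 as well, a comment on the line would stop the next reader from assuming the two edits are coupled, e.g. `# ecdsa/rsa only: <reason> — ed25519 host keys deliberately not generated`. The cloud-init template this line belongs to starts and ends outside the hunk.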
@@ -1048,7 +1048,7 @@ def regenerate_ssh_keys():
 2. Checks for existing SSH keys
 3. Removes old keys if present
 4. Creates required directories with secure permissions
- 5. Generates new Ed25519 key pair
+ 5. Generates new ECDSA key pair
 6. Sets appropriate file permissions
 7. Distributes public key to required locations
@@ -1067,7 +1067,7 @@ def regenerate_ssh_keys():
 # Remove existing keys
 key_dir = '/etc/ssh/auth_keys/soqemussh'
- key_path = f'{key_dir}/id_ed25519'
+ key_path = f'{key_dir}/id_ecdsa'
 pub_key_path = f'{key_path}.pub'
 dest_dir = '/opt/so/saltstack/local/salt/libvirt/ssh/keys'
 dest_path = os.path.join(dest_dir, os.path.basename(pub_key_path))
From c5db0a7195ced047e89bd54f33ce896dd6e13cd8 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Thu, 7 Aug 2025 15:02:45 -0400
Subject: [PATCH 2/8] more ed25519 to ecdsa
---
salt/libvirt/ssh/files/config | 2 +-
salt/libvirt/ssh/users.sls | 2 +-
salt/manager/hypervisor.sls | 6 +++---
salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja | 2 +-
setup/so-setup | 2 +-
5 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/salt/libvirt/ssh/files/config b/salt/libvirt/ssh/files/config
index de6cb7b34..9b8f89442 100644
--- a/salt/libvirt/ssh/files/config
+++ b/salt/libvirt/ssh/files/config
@@ -1,2 +1,2 @@
 Match user soqemussh
- IdentityFile /etc/ssh/auth_keys/soqemussh/id_ed25519
+ IdentityFile /etc/ssh/auth_keys/soqemussh/id_ecdsa
diff --git a/salt/libvirt/ssh/users.sls b/salt/libvirt/ssh/users.sls
index 173a3e095..8bbf2ca7e 100644
--- a/salt/libvirt/ssh/users.sls
+++ b/salt/libvirt/ssh/users.sls
@@ -46,7 +46,7 @@ create_soqemussh_user:
 soqemussh_pub_key:
 ssh_auth.present:
 - user: soqemussh
- - source: salt://libvirt/ssh/keys/id_ed25519.pub
+ - source: salt://libvirt/ssh/keys/id_ecdsa.pub
 {% endif %}
diff --git a/salt/manager/hypervisor.sls b/salt/manager/hypervisor.sls
index 315775446..080d0699c 100644
--- a/salt/manager/hypervisor.sls
+++ b/salt/manager/hypervisor.sls
@@ -16,9 +16,9 @@
 # Check if hypervisor environment has been set up
 {% set ssh_user_exists = salt['user.info']('soqemussh') %}
-{% set ssh_keys_exist = salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ed25519') and
- salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ed25519.pub') and
- salt['file.file_exists']('/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ed25519.pub') %}
+{% set ssh_keys_exist = salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ecdsa') and
+ salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ecdsa.pub') and
+ salt['file.file_exists']('/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ecdsa.pub') %}
 {% set base_image_exists = salt['file.file_exists']('/nsm/libvirt/boot/OL9U5_x86_64-kvm-b253.qcow2') %}
 {% set vm_files_exist = salt['file.directory_exists']('/opt/so/saltstack/local/salt/libvirt/images/sool9') and
 salt['file.file_exists']('/opt/so/saltstack/local/salt/libvirt/images/sool9/sool9.qcow2') and
diff --git a/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja b/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja
index 94cc85117..025e23d89 100644
--- a/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja
+++ b/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja
@@ -11,7 +11,7 @@ sool9_{{host}}:
 base_domain: sool9
 ip_source: qemu-agent
 ssh_username: soqemussh
- private_key: /etc/ssh/auth_keys/soqemussh/id_ed25519
+ private_key: /etc/ssh/auth_keys/soqemussh/id_ecdsa
 sudo: True
 deploy_command: sh /tmp/.saltcloud-*/deploy.sh
 script_args: -r -F -x python3 stable 3006.9
diff --git a/setup/so-setup b/setup/so-setup
index f955917bc..347a7165c 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -755,7 +755,7 @@ if ! [[ -f $install_opt_file ]]; then
 logCmd "salt-key -ya $MINION_ID"
 logCmd "salt-call saltutil.sync_all"
 # we need to sync the runner and generate the soqemussh user keys so that first highstate after license created
- # doesnt have a state failure for soqemussh_pub_key source for id_ed25519.pub missing
+ # doesnt have a state failure for soqemussh_pub_key source for id_ecdsa.pub missing
 if [[ $is_manager || $is_managerhype ]]; then
 logCmd "salt-run saltutil.sync_all"
 logCmd "salt-run setup_hypervisor.regenerate_ssh_keys"
From 9617da1791507d64302bf2e7b9a638832a8d3109 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Thu, 7 Aug 2025 16:13:59 -0400
Subject: [PATCH 3/8] remove managerhype from whiptail
---
setup/so-whiptail | 3 +-
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 57bd10b8c..4c92f6a48 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -654,10 +654,9 @@ whiptail_install_type_dist_new() {
 Note: MANAGER is the recommended option for most users. MANAGERSEARCH should only be used in very specific situations.
 EOM
- install_type=$(whiptail --title "$whiptail_title" --menu "$mngr_msg" 20 75 3 \
+ install_type=$(whiptail --title "$whiptail_title" --menu "$mngr_msg" 20 75 2 \
 "MANAGER" "New grid, requires separate search node(s) " \
 "MANAGERSEARCH" "New grid, separate search node(s) are optional " \
- "MANAGERHYPE" "Manager with hypervisor - Security Onion Pro required " \
 3>&1 1>&2 2>&3 )
From ae0ffc4977eb560685022328d30564fc83320257 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 12 Aug 2025 09:32:42 -0400
Subject: [PATCH 4/8] 2.4.170
---
DOWNLOAD_AND_VERIFY_ISO.md | 22 ++++++++++----------
sigs/securityonion-2.4.170-20250812.iso.sig | Bin 0 -> 566 bytes
2 files changed, 11 insertions(+), 11 deletions(-)
create mode 100644 sigs/securityonion-2.4.170-20250812.iso.sig
diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md
index 2e0b2aa5d..e05cf651c 100644
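Review bot: Dropping the `"MANAGERHYPE"` entry from the menu in `whiptail_install_type_dist_new` (and the list size `3` to `2`) appears to leave the `$is_managerhype` branches in so-setup — one is visible in the preceding hunk, `if [[ $is_manager || $is_managerhype ]]; then` — reachable only through some path other than this wizard, which nothing in the series shows. If the role is being retired in favour of the `hypervisor` firewall hostgroups added for managersearch/standalone later in the series, those branches should either go in the same change or carry a comment stating they are kept for existing installs. `whiptail_install_type_dist_new` starts outside the hunk and its closing brace is not in view.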
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,17 +1,17 @@
-### 2.4.160-20250625 ISO image released on 2025/06/25
+### 2.4.170-20250812 ISO image released on 2025/06/25
 ### Download and Verify
-2.4.160-20250625 ISO image:
-https://download.securityonion.net/file/securityonion/securityonion-2.4.160-20250625.iso
+2.4.170-20250812 ISO image:
+https://download.securityonion.net/file/securityonion/securityonion-2.4.170-20250812.iso
-MD5: 78CF5602EFFAB84174C56AD2826E6E4E
-SHA1: FC7EEC3EC95D97D3337501BAA7CA8CAE7C0E15EA
-SHA256: 0ED965E8BEC80EE16AE90A0F0F96A3046CEF2D92720A587278DDDE3B656C01C2
+MD5: 50ECAAD05736298452DECEAE074FA773
+SHA1: 1B1EB520DE61ECC4BF34E512DAFE307317D7666A
+SHA256: 87D176A48A58BAD1C2D57196F999BED23DE9B526226E3754F0C166C866CCDC1A
 Signature for ISO image:
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.160-20250625.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.170-20250812.iso.sig
 Signing key:
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 Download the signature file for the ISO:
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.160-20250625.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.170-20250812.iso.sig
 ```
 Download the ISO image:
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.160-20250625.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.170-20250812.iso
 ```
 Verify the downloaded ISO image using the signature file:
 ```
-gpg --verify securityonion-2.4.160-20250625.iso.sig securityonion-2.4.160-20250625.iso
+gpg --verify securityonion-2.4.170-20250812.iso.sig securityonion-2.4.170-20250812.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Wed 25 Jun 2025 10:13:33 AM EDT using RSA key ID FE507013
+gpg: Signature made Fri 08 Aug 2025 06:24:56 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC "
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg: There is no indication that the signature belongs to the owner.
diff --git a/sigs/securityonion-2.4.170-20250812.iso.sig b/sigs/securityonion-2.4.170-20250812.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..df29c07b52de66ebd153c31a66ed6f44888ed7f0 GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%(?bH~5PT3| zxBgIY6OMZi|9c42+U)G%bR9qJ+x;7VidQ}2%)OCKP;{%ny8AXNqr#E^ z{z+v02l;K>WQ%rt!yQ<`*L1LfATKOPXvrJhkaVa{#4BvQ8ze%F(X(Jec zjsF(|lLOTUVf zLs#JgYHT~~pGp`UerUeTH}OfPWT2dD)&F-pa+nsu=T03t3R6YehVjO&ji2wIS?RN< zsDOkfs@!CZpJu?IQas<&k*!#uY=F zrt=PAT3}yFD#g4qzPnwHr0EWq6kBB;?r+4VUNxe&nhs6LB4_6m&9A+WiCY_Nu}rv8 z4Nm#=2vq30npWr6^ilaoYZA*ux)b}p2a9?4ls9| Date: Tue, 12 Aug 2025 09:40:18 -0400 Subject: [PATCH 5/8] 2.4.170 --- DOWNLOAD_AND_VERIFY_ISO.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index e05cf651c..6b966957c 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,4 +1,4 @@ -### 2.4.170-20250812 ISO image released on 2025/06/25 +### 2.4.170-20250812 ISO image released on 2025/08/12 ### Download and Verify From 6381444fdc3cb37e1ad9d5bb92b5dec049270e8d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 12 Aug 2025 10:58:11 -0400 Subject: [PATCH 6/8] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 032d0bb01..1ff799fad 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.170 +2.4.180 From d02093295b8ca8306376d2a80a4824e559a06d00 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 12 Aug 2025 10:59:17 -0400 Subject: [PATCH 7/8] Update 2-4.yml --- .github/DISCUSSION_TEMPLATE/2-4.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml index dca40818a..273430e7d 100644 --- a/.github/DISCUSSION_TEMPLATE/2-4.yml +++ b/.github/DISCUSSION_TEMPLATE/2-4.yml 
@@ -30,6 +30,7 @@ body:
 - 2.4.150
 - 2.4.160
 - 2.4.170
+ - 2.4.180
 - Other (please provide detail below)
 validations:
 required: true
From baf0f7ba95dfdfc41187d818bd1ceecea82ef877 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Tue, 12 Aug 2025 14:08:15 -0400
Subject: [PATCH 8/8] firewall allow hypervisor for managersearch and standalone
---
salt/firewall/defaults.yaml | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml
index 9caaf725a..0c43b8c0b 100644
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -909,6 +909,15 @@ firewall:
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
+ hypervisor:
+ portgroups:
+ - yum
+ - docker_registry
+ - influxdb
+ - elastic_agent_control
+ - elastic_agent_data
+ - elastic_agent_update
+ - sensoroni
 customhostgroup0:
 portgroups: []
 customhostgroup1:
@@ -961,6 +970,9 @@ firewall:
 desktop:
 portgroups:
 - salt_manager
+ hypervisor:
+ portgroups:
+ - salt_manager
 self:
 portgroups:
 - syslog
@@ -1113,6 +1125,15 @@ firewall:
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
+ hypervisor:
+ portgroups:
+ - yum
+ - docker_registry
+ - influxdb
+ - elastic_agent_control
+ - elastic_agent_data
+ - elastic_agent_update
+ - sensoroni
 customhostgroup0:
 portgroups: []
 customhostgroup1:
@@ -1168,6 +1189,9 @@ firewall:
 desktop:
 portgroups:
 - salt_manager
+ hypervisor:
+ portgroups:
+ - salt_manager
 self:
 portgroups:
 - syslog
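Review bot: The new `hypervisor` hostgroup at @@ -909 (and its verbatim copy at @@ -1113) grants `sensoroni`, which the visible tail of the preceding hostgroup does not, with nothing recording why hypervisor nodes need that service; the two later hunks only grant `salt_manager`. If hypervisor hosts must reach the manager's sensoroni port, a comment on the `- sensoroni` line such as `# hypervisor nodes need sensoroni for <reason>` would document the least-privilege decision; if they do not, dropping it keeps the exposure identical to the existing roles. The two identical nine-line blocks could also share a YAML anchor (`&hypervisor_portgroups` / `*hypervisor_portgroups`), which PyYAML-based loaders like Salt's accept, so they cannot drift apart. The role sections these hunks belong to start outside the hunks, so I cannot tell which roles own the two copies.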