Merge pull request #8571 from Security-Onion-Solutions/dev

2.3.150
This commit is contained in:
Mike Reeves
2022-08-22 15:22:43 -04:00
committed by GitHub
18 changed files with 118 additions and 101 deletions

1
HOTFIX

@@ -1 +0,0 @@
20220719 20220812


@@ -1,6 +1,6 @@
## Security Onion 2.3.140 ## Security Onion 2.3.150
Security Onion 2.3.140 is here! Security Onion 2.3.150 is here!
## Screenshots ## Screenshots


@@ -1,18 +1,18 @@
### 2.3.140-20220812 ISO image built on 2022/08/12 ### 2.3.150-20220820 ISO image built on 2022/08/20
### Download and Verify ### Download and Verify
2.3.140-20220812 ISO image: 2.3.150-20220820 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220812.iso https://download.securityonion.net/file/securityonion/securityonion-2.3.150-20220820.iso
MD5: 13D4A5D663B5A36D045B980E5F33E6BC MD5: D2C0B67F19C18F0AB6FD1EC9B1E4034A
SHA1: 85DC36B7E96575259DFD080BC860F6508D5F5899 SHA1: F14BF42C6C634BDECA654B169FE6815BB6798F70
SHA256: DE5D0F82732B81456180AA40C124E5C82688611941EEAF03D85986806631588C SHA256: 9E37E5CCCBD209486EB79E8F991DE83F64E2208D32E5B56F8E0A6C3933EB42AC
Signature for ISO image: Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220812.iso.sig https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.150-20220820.iso.sig
Signing key: Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
Download the signature file for the ISO: Download the signature file for the ISO:
``` ```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220812.iso.sig wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.150-20220820.iso.sig
``` ```
Download the ISO image: Download the ISO image:
``` ```
wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220812.iso wget https://download.securityonion.net/file/securityonion/securityonion-2.3.150-20220820.iso
``` ```
Verify the downloaded ISO image using the signature file: Verify the downloaded ISO image using the signature file:
``` ```
gpg --verify securityonion-2.3.140-20220812.iso.sig securityonion-2.3.140-20220812.iso gpg --verify securityonion-2.3.150-20220820.iso.sig securityonion-2.3.150-20220820.iso
``` ```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below: The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
``` ```
gpg: Signature made Fri 12 Aug 2022 03:59:11 PM EDT using RSA key ID FE507013 gpg: Signature made Sat 20 Aug 2022 08:07:10 PM EDT using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>" gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature! gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner. gpg: There is no indication that the signature belongs to the owner.


@@ -1 +1 @@
2.3.140 2.3.150


@@ -203,7 +203,7 @@ check_airgap() {
check_local_mods() { check_local_mods() {
local salt_local=/opt/so/saltstack/local local salt_local=/opt/so/saltstack/local
local_ignore_arr=("/opt/so/saltstack/local/salt/zeek/policy/intel/intel.dat")
local_mod_arr=() local_mod_arr=()
while IFS= read -r -d '' local_file; do while IFS= read -r -d '' local_file; do
@@ -211,8 +211,10 @@ check_local_mods() {
default_file="${DEFAULT_SALT_DIR}${stripped_path}" default_file="${DEFAULT_SALT_DIR}${stripped_path}"
if [[ -f $default_file ]]; then if [[ -f $default_file ]]; then
file_diff=$(diff "$default_file" "$local_file" ) file_diff=$(diff "$default_file" "$local_file" )
if [[ $(echo "$file_diff" | grep -c "^<") -gt 0 ]]; then if [[ ! " ${local_ignore_arr[*]} " =~ " ${local_file} " ]]; then
local_mod_arr+=( "$local_file" ) if [[ $(echo "$file_diff" | grep -c "^<") -gt 0 ]]; then
local_mod_arr+=( "$local_file" )
fi
fi fi
fi fi
done< <(find $salt_local -type f -print0) done< <(find $salt_local -type f -print0)
@@ -223,11 +225,24 @@ check_local_mods() {
echo " $file_str" echo " $file_str"
done done
echo "" echo ""
echo "To reference this list later, check $SOUP_LOG" echo "To reference this list later, check $SOUP_LOG".
sleep 10 echo
if [[ -z $UNATTENDED ]] && ! [[ "${1}" == "skip-prompt" ]]; then
while true; do
read -p "Please review the local modifications shown above as they may cause problems during or after the update.
Would you like to proceed with the update anyway?
If so, type 'YES'. Otherwise, type anything else to exit SOUP. " yn
case $yn in
[yY][eE][sS] ) echo "Local modifications accepted. Continuing..."; break;;
* ) exit 0;;
esac
done
fi
fi fi
} }
# {% endraw %} # {% endraw %}
check_pillar_items() { check_pillar_items() {
@@ -372,12 +387,7 @@ clone_to_tmp() {
} }
elastalert_indices_check() { elastalert_indices_check() {
echo "Checking Elastalert indices for compatibility..."
# Stop Elastalert to prevent Elastalert indices from being re-created
if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
so-elastalert-stop || true
fi
# Wait for ElasticSearch to initialize # Wait for ElasticSearch to initialize
echo -n "Waiting for ElasticSearch..." echo -n "Waiting for ElasticSearch..."
COUNT=0 COUNT=0
@@ -394,8 +404,8 @@ elastalert_indices_check() {
echo -n "." echo -n "."
fi fi
done done
# Unable to connect to Elasticsearch # Unable to connect to Elasticsearch
if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
echo echo
echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
@@ -403,39 +413,51 @@ elastalert_indices_check() {
exit 1 exit 1
fi fi
# Check Elastalert indices MAJOR_ES_VERSION=$(so-elasticsearch-query / | jq -r .version.number | cut -d '.' -f1)
echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..." if [[ "$MAJOR_ES_VERSION" -lt "8" ]]; then
CHECK_COUNT=0
while [[ "$CHECK_COUNT" -le 2 ]]; do # Stop Elastalert to prevent Elastalert indices from being re-created
# Delete Elastalert indices if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do so-elastalert-stop || true
so-elasticsearch-query $i -XDELETE; fi
# Check Elastalert indices
echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
CHECK_COUNT=0
while [[ "$CHECK_COUNT" -le 2 ]]; do
# Delete Elastalert indices
for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do
so-elasticsearch-query $i -XDELETE;
done
# Check to ensure Elastalert indices are deleted
COUNT=0
ELASTALERT_INDICES_DELETED="no"
while [[ "$COUNT" -le 240 ]]; do
RESPONSE=$(so-elasticsearch-query "elastalert*")
if [[ "$RESPONSE" == "{}" ]]; then
ELASTALERT_INDICES_DELETED="yes"
break
else
((COUNT+=1))
sleep 1
echo -n "."
fi
done
((CHECK_COUNT+=1))
done done
# Check to ensure Elastalert indices are deleted # If we were unable to delete the Elastalert indices, exit the script
COUNT=0 if [ "$ELASTALERT_INDICES_DELETED" == "yes" ]; then
ELASTALERT_INDICES_DELETED="no" echo "Elastalert indices successfully deleted."
while [[ "$COUNT" -le 240 ]]; do else
RESPONSE=$(so-elasticsearch-query elastalert*) echo
if [[ "$RESPONSE" == "{}" ]]; then echo -e "Unable to connect to delete Elastalert indices. Exiting."
ELASTALERT_INDICES_DELETED="yes" echo
echo "Elastalert indices successfully deleted." exit 1
break fi
else else
((COUNT+=1)) echo "Major Elasticsearch version is 8 or greater...skipping Elastalert index maintenance."
sleep 1
echo -n "."
fi
done
((CHECK_COUNT+=1))
done
# If we were unable to delete the Elastalert indices, exit the script
if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then
echo
echo -e "Unable to connect to delete Elastalert indices. Exiting."
echo
exit 1
fi fi
} }
@@ -448,7 +470,7 @@ enable_highstate() {
es_version_check() { es_version_check() {
CHECK_ES=$(echo $INSTALLEDVERSION | awk -F. '{print $3}') CHECK_ES=$(echo $INSTALLEDVERSION | awk -F. '{print $3}')
if [ "$CHECK_ES" -lt "110" ]; then if [[ "$CHECK_ES" -lt "110" ]]; then
echo "You are currently running Security Onion $INSTALLEDVERSION. You will need to update to version 2.3.130 before updating to 2.3.140 or higher." echo "You are currently running Security Onion $INSTALLEDVERSION. You will need to update to version 2.3.130 before updating to 2.3.140 or higher."
echo "" echo ""
echo "If your deployment has Internet access, you can use the following command to update to 2.3.130:" echo "If your deployment has Internet access, you can use the following command to update to 2.3.130:"
@@ -1218,6 +1240,7 @@ main() {
set_palette set_palette
check_elastic_license check_elastic_license
echo "" echo ""
check_local_mods
check_os_updates check_os_updates
echo "Generating new repo archive" echo "Generating new repo archive"
@@ -1382,7 +1405,7 @@ main() {
fi fi
echo "Checking for local modifications." echo "Checking for local modifications."
check_local_mods check_local_mods skip-prompt
echo "Checking sudoers file." echo "Checking sudoers file."
check_sudoers check_sudoers
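Review bot: `MAJOR_ES_VERSION=$(so-elasticsearch-query / | jq -r .version.number | cut -d '.' -f1)` is used in `[[ "$MAJOR_ES_VERSION" -lt "8" ]]` without being validated; if the query fails or `jq` prints `null`, bash evaluates the empty or non-numeric string as 0 in the arithmetic comparison, so the script would take the under-8 branch and delete the Elastalert indices even on an 8.x cluster (the connectivity probe above only establishes that Elasticsearch answered, not that the version parsed). Add a guard before the comparison: `[[ "$MAJOR_ES_VERSION" =~ ^[0-9]+$ ]] || { echo "Unable to determine the Elasticsearch major version. Exiting."; exit 1; }`. `elastalert_indices_check` begins in an earlier hunk of this file, and the old side of the same hunk shows the delete loop was previously unconditional, so this is a regression only in the error path. Separately, the new prompt in `check_local_mods` ends in `* ) exit 0;;`, which reports success to whatever invoked soup when the operator declines; if callers need to tell the two apart, a non-zero status there would be more honest.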


@@ -55,6 +55,10 @@ elasticsearch:
indices: indices:
id_field_data: id_field_data:
enabled: false enabled: false
ingest:
geoip:
downloader:
enabled: false
logger: logger:
org: org:
elasticsearch: elasticsearch:
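Review bot: The new `ingest.geoip.downloader.enabled: false` carries no comment explaining why Elasticsearch's automatic GeoIP database download is being turned off, so a later reader may treat it as a stray default and revert it. I'd add a line above it such as `# Disable the GeoIP database downloader: <reason, e.g. offline/airgap nodes or databases supplied another way>` filled in with the actual motivation. The enclosing elasticsearch block extends beyond the hunk on both sides.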


@@ -3085,12 +3085,6 @@ grafana:
y: 16 y: 16
h: 8 h: 8
w: 24 w: 24
elasticsearch_pipeline_time_nontc_graph:
gridPos:
x: 0
y: 24
h: 8
w: 24
pipeline_overview_tc: pipeline_overview_tc:
@@ -3140,9 +3134,3 @@ grafana:
y: 16 y: 16
h: 8 h: 8
w: 24 w: 24
elasticsearch_pipeline_time_tc_graph:
gridPos:
x: 0
y: 24
h: 8
w: 24


@@ -31,11 +31,11 @@
{%- elif RULESET == 'ETPRO' %} {%- elif RULESET == 'ETPRO' %}
--etpro={{ OINKCODE }} --etpro={{ OINKCODE }}
{%- elif RULESET == 'TALOS' %} {%- elif RULESET == 'TALOS' %}
--url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }} --url=https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode={{ OINKCODE }}
{%- endif %} {%- endif %}
{%- endif %} {%- endif %}
{%- if URLS != None %} {%- if URLS != None %}
{%- for URL in URLS %} {%- for URL in URLS %}
--url={{ URL }} --url={{ URL }}
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}


@@ -59,7 +59,7 @@ update() {
IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))'
for i in "${LINES[@]}"; do for i in "${LINES[@]}"; do
RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
done done


@@ -1 +1 @@
{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.2","id": "8.3.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} {"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.3","id": "8.3.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}


@@ -81,11 +81,20 @@ set_log_levels:
- "log_level: error" - "log_level: error"
- "log_level_logfile: error" - "log_level_logfile: error"
salt_minion_service_unit_file: delete_pre_150_start_delay:
file.managed: file.line:
- name: {{ SYSTEMD_UNIT_FILE }} - name: {{ SYSTEMD_UNIT_FILE }}
- source: salt://salt/service/salt-minion.service.jinja - match: ^ExecStartPre=*
- mode: delete
- onchanges_in:
- module: systemd_reload
salt_minion_service_start_delay:
file.managed:
- name: /etc/systemd/system/salt-minion.service.d/start-delay.conf
- source: salt://salt/service/start-delay.conf.jinja
- template: jinja - template: jinja
- makedirs: True
- defaults: - defaults:
service_start_delay: {{ service_start_delay }} service_start_delay: {{ service_start_delay }}
- onchanges_in: - onchanges_in:
@@ -109,7 +118,7 @@ salt_minion_service:
- file: mine_functions - file: mine_functions
{% if INSTALLEDSALTVERSION|string == SALTVERSION|string %} {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
- file: set_log_levels - file: set_log_levels
- file: salt_minion_service_unit_file - file: salt_minion_service_start_delay
{% endif %} {% endif %}
- order: last - order: last
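Review bot: `- match: ^ExecStartPre=*` in `delete_pre_150_start_delay` is written like a glob but `file.line` treats it as a regex, where `=*` means "zero or more `=` characters"; it only works because the match is a search rather than a full-line match, so any line beginning with `ExecStartPre` is deleted. `- match: ^ExecStartPre=` states the intent without the misleading quantifier. Worth confirming as well that `mode: delete` is a clean no-op on minions that never had the templated unit file (or have already been cleaned), since the state runs on every highstate; the closing lines of `salt_minion_service` are outside the second hunk.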


@@ -1,15 +0,0 @@
[Unit]
Description=The Salt Minion
Documentation=man:salt-minion(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html
After=network.target salt-master.service
[Service]
KillMode=process
Type=notify
NotifyAccess=all
LimitNOFILE=8192
ExecStart=/usr/bin/salt-minion
ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }}
[Install]
WantedBy=multi-user.target


@@ -0,0 +1,2 @@
[Service]
ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }}
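Review bot: The pillar value is rendered into `ExecStartPre=/bin/sleep …` unvalidated; systemd splits the command line on whitespace, so a value containing a space or an unexpected string leaves the minion unit unable to start once the drop-in is in place, which is hard to recover from remotely because the minion is the thing that would fix it. If the delay is always an integer number of seconds, coercing it with Jinja's `int` filter, `ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) | int }}`, turns a bad value into a zero delay instead of a broken unit. The removed unit-file template had the same line, so this is pre-existing behaviour carried into the new file.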


@@ -19,7 +19,7 @@
"/joblookup?esid={:soc_id}&time={:@timestamp}", "/joblookup?esid={:soc_id}&time={:@timestamp}",
"/joblookup?ncid={:network.community_id}&time={:@timestamp}" "/joblookup?ncid={:network.community_id}&time={:@timestamp}"
], ],
"categories": ["hunt", "alerts"]}, "categories": ["hunt", "alerts", "dashboards"]},
{ "name": "actionCyberChef", "description": "actionCyberChefHelp", "icon": "fas fa-bread-slice", "target": "_blank", { "name": "actionCyberChef", "description": "actionCyberChefHelp", "icon": "fas fa-bread-slice", "target": "_blank",
"links": [ "links": [
"/cyberchef/#input={value|base64}" "/cyberchef/#input={value|base64}"


@@ -6,4 +6,4 @@
"red" "red"
], ],
"customEnabled": false "customEnabled": false
} }


@@ -1,9 +1,10 @@
{ {
"labels": [ "labels": [
"white", "clear",
"green", "green",
"amber", "amber",
"amber+strict",
"red" "red"
], ],
"customEnabled": false "customEnabled": false
} }
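Review bot: Renaming the `white` label to `clear` and adding `amber+strict` changes the accepted label set, but nothing in this commit shows how items already saved with `white` are handled; unless the consumer tolerates labels that are no longer in the list, those records will carry a value the UI no longer recognizes. Worth confirming, or keeping `white` alongside `clear` for a release so existing data keeps rendering while users migrate. The new names match the TLP 2.0 vocabulary, which appears to be the motivation.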


@@ -84,7 +84,9 @@ base:
{%- if STRELKA %} {%- if STRELKA %}
- strelka - strelka
{%- endif %} {%- endif %}
{%- if FILEBEAT %}
- filebeat - filebeat
{%- endif %}
{%- if FLEETMANAGER or FLEETNODE %} {%- if FLEETMANAGER or FLEETNODE %}
- fleet.install_package - fleet.install_package
{%- endif %} {%- endif %}
@@ -433,7 +435,9 @@ base:
- redis - redis
- fleet - fleet
- fleet.install_package - fleet.install_package
{%- if FILEBEAT %}
- filebeat - filebeat
{%- endif %}
- schedule - schedule
- docker_clean - docker_clean
@@ -507,7 +511,9 @@ base:
{%- endif %} {%- endif %}
- schedule - schedule
- docker_clean - docker_clean
{%- if FILEBEAT %}
- filebeat - filebeat
{%- endif %}
- idh - idh
'J@workstation:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:CentOS )': 'J@workstation:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:CentOS )':
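Review bot: `FILEBEAT` now gates the filebeat state in three role sections, but its assignment is not in any of these hunks; if it is not defined for every role that previously received filebeat unconditionally, that role either silently loses the state or fails to render, depending on how undefined variables are handled by the renderer. Confirm the variable is set at the top of top.sls for all three roles touched here and that its default preserves the previous always-on behaviour. The surrounding role blocks start and end outside the hunks.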
