From 3c16218c5a084fa7287b27d9b27c7976cc6471a7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 27 Jul 2023 15:45:18 -0400 Subject: [PATCH 01/17] map services,pkg,config for firewall state --- salt/firewall/init.sls | 24 +++++++++++++++++++----- salt/firewall/ipt.map.jinja | 14 ++++++++++++++ 2 files changed, 33 insertions(+), 5 deletions(-) create mode 100644 salt/firewall/ipt.map.jinja diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 5ab028989..929016e63 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -1,15 +1,29 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'firewall/ipt.map.jinja' import iptmap %} + +install_iptables: + pkg.installed: + - name: {{ iptmap.iptpkg }} + +iptables_persist: + pkg.installed: + - name: {{ iptmap.persistpkg }} + +iptables_service: + service.running: + - name: {{ iptmap.service }} + - enabled: True create_sysconfig_iptables: file.touch: - - name: /etc/sysconfig/iptables + - name: {{ iptmap.configfile }} - makedirs: True - - unless: 'ls /etc/sysconfig/iptables' + - unless: 'ls {{ iptmap.configfile }}' iptables_config: file.managed: - - name: /etc/sysconfig/iptables + - name: {{ iptmap.configfile }} - source: salt://firewall/iptables.jinja - template: jinja @@ -24,11 +38,11 @@ disable_firewalld: iptables_restore: cmd.run: - - name: iptables-restore < /etc/sysconfig/iptables + - name: iptables-restore < {{ iptmap.configfile }} - require: - file: iptables_config - onlyif: - - iptables-restore --test /etc/sysconfig/iptables + - iptables-restore --test {{ iptmap.configfile }} {% if grains.os_family == 'RedHat' %} enable_firewalld: diff --git a/salt/firewall/ipt.map.jinja b/salt/firewall/ipt.map.jinja new file mode 100644 index 000000000..245bbac8a --- /dev/null +++ b/salt/firewall/ipt.map.jinja 
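Review bot: `iptables_service` is declared ahead of `iptables_config` and `iptables_restore` and carries no requisite, so under Salt's default definition-order execution the persistence service is started and enabled before the rules file is managed or loaded; on Debian, where `netfilter-persistent` loads `rules.v4` on start, that first start can run against a file that does not yet exist or is empty, and nothing restarts it once `iptables_restore` has loaded the real ruleset. Add `- require: - pkg: iptables_persist` and `- watch: - file: iptables_config` to `iptables_service`, or move the state after `iptables_restore`. The `iptables_config` file.managed block continues outside the hunk; since the file is first created by `file.touch` with whatever the umask yields, a `- mode: 0600` on `iptables_config` would keep the ruleset readable only by root, as the RedHat default for /etc/sysconfig/iptables already is.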
@@ -0,0 +1,14 @@ +{% set iptmap = salt['grains.filter_by']({ + 'Debian': { + 'service': 'netfilter-persistent', + 'iptpkg': 'iptables', + 'persistpkg': 'iptables-persistent', + 'configfile': '/etc/iptables/rules.v4' + }, + 'RedHat': { + 'service': 'iptables', + 'iptpkg': 'iptables', + 'persistpkg': 'iptables-services', + 'configfile': '/etc/sysconfig/iptables' + }, +}) %} From 54080c42fe9902e7b29f244df4c7b34aa0ece5af Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 27 Jul 2023 17:01:19 -0400 Subject: [PATCH 02/17] enable, not enabled --- salt/firewall/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 929016e63..cf7ae01a6 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -13,7 +13,7 @@ iptables_persist: iptables_service: service.running: - name: {{ iptmap.service }} - - enabled: True + - enable: True create_sysconfig_iptables: file.touch: From 3a22ef8e86b518640670ff338aa111fadac47b38 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 28 Jul 2023 08:40:32 -0400 Subject: [PATCH 03/17] change iptables package name for redhat fam --- salt/firewall/ipt.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/firewall/ipt.map.jinja b/salt/firewall/ipt.map.jinja index 245bbac8a..8559f9a08 100644 --- a/salt/firewall/ipt.map.jinja +++ b/salt/firewall/ipt.map.jinja @@ -7,7 +7,7 @@ }, 'RedHat': { 'service': 'iptables', - 'iptpkg': 'iptables', + 'iptpkg': 'iptables-nft', 'persistpkg': 'iptables-services', 'configfile': '/etc/sysconfig/iptables' }, From 4c8373452d10c558687844e680ca84221175644b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 28 Jul 2023 11:35:34 -0400 Subject: [PATCH 04/17] change to iptables-nft-services --- salt/firewall/ipt.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/firewall/ipt.map.jinja b/salt/firewall/ipt.map.jinja index 8559f9a08..629c1bdd8 100644 --- a/salt/firewall/ipt.map.jinja 
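Review bot: The `grains.filter_by` lookup has no `default` entry, so on a minion whose `os_family` is neither Debian nor RedHat `iptmap` is, as far as I recall that function's behaviour, `None`, and every `{{ iptmap.* }}` in `firewall/init.sls` then fails at render time with an opaque undefined-attribute error instead of a message naming the unsupported family. Either pass a default, `}, default='RedHat') %}`, or fail explicitly at the import site with `{% if iptmap is none %}` and a clear message. A short comment noting that only the IPv4 rules file is mapped (`rules.v4` / `/etc/sysconfig/iptables`) would also help, since the absence of an IPv6 counterpart predates this commit but this map is now the obvious place to add one.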
+++ b/salt/firewall/ipt.map.jinja @@ -8,7 +8,7 @@ 'RedHat': { 'service': 'iptables', 'iptpkg': 'iptables-nft', - 'persistpkg': 'iptables-services', + 'persistpkg': 'iptables-nft-services', 'configfile': '/etc/sysconfig/iptables' }, }) %} From aa56085758c2db021961a7f591b920a4e0dc7433 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 25 Jul 2023 14:44:02 -0600 Subject: [PATCH 05/17] New Action "Add to Case" --- salt/soc/defaults.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index a8e1a0bb4..53db2c838 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -10,6 +10,14 @@ soc: target: links: - '/#/hunt?q="{value|escape}" | groupby event.module* event.dataset' + - name: actionAddToCase + description: actionAddToCaseHelp + icon: fa-briefcase + jsCall: openAddToCaseDialog + categories: + - hunt + - alerts + - dashboards - name: actionCorrelate description: actionCorrelateHelp icon: fab fa-searchengin From 2a282a29c32c48774a9278a48ba50bed3903eade Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 28 Jul 2023 14:49:50 -0400 Subject: [PATCH 06/17] 2.4.4 --- DOWNLOAD_AND_VERIFY_ISO.md | 20 ++++++++++---------- sigs | Bin 566 -> 566 bytes 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index 9466c9bba..c1594b954 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md 
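Review bot: `iptables-nft` and `iptables-nft-services` are, to my knowledge, the package names on EL9-family distributions, while EL8 ships the same functionality as `iptables` and `iptables-services`; if the RedHat branch is still expected to cover EL8 minions, this map would need to key on `osmajorrelease` as well (this hunk and patch 03 change the same two keys). If only EL9 is supported, a one-line comment above the `'RedHat':` entry saying so would stop the next reader from reverting the names.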
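Review bot: Unlike the sibling action above it, which is a `links` entry with an escaped `{value}`, this action dispatches to `jsCall: openAddToCaseDialog`, and nothing in this file can confirm that the function or the `actionAddToCase` / `actionAddToCaseHelp` i18n keys exist in the SOC UI, so this is worth cross-checking against the corresponding UI change. A short comment on the entry naming where `openAddToCaseDialog` is defined would help readers of defaults.yaml, since the other actions are self-describing URLs.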
@@ -1,18 +1,18 @@ -### 2.4.3-20230711 ISO image built on 2023/07/11 +### 2.4.4-20230728 ISO image built on 2023/07/28 ### Download and Verify -2.4.3-20230711 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.3-20230711.iso +2.4.4-20230728 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.4-20230728.iso -MD5: F481ED39E02A5AF05EB50D319D97A6C7 -SHA1: 20F9BAA8F73A44C21A8DFE81F36247BCF33CEDA6 -SHA256: D805522E02CD4941641385F6FF86FAAC240DA6C5FD98F78460348632C7C631B0 +MD5: F63E76245F3E745B5BDE9E6E647A7CB6 +SHA1: 6CE4E4A3399CD282D4F8592FB19D510388AB3EEA +SHA256: BF8FEB91B1D94B67C3D4A79D209B068F4A46FEC7C15EEF65B0FCE9851D7E6C9F Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.3-20230711.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.4-20230728.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS @@ -26,17 +26,17 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.3-20230711.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.4-20230728.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.3-20230711.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.4-20230728.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.3-20230711.iso.sig securityonion-2.4.3-20230711.iso +gpg --verify securityonion-2.4.4-20230728.iso.sig securityonion-2.4.4-20230728.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: 
diff --git a/sigs b/sigs index 34c6a9eeebf5281b2173684f36290e56bb8a4e6c..75a14e1a124888e706fa4e8a2cb8c950e0df7217 100644 GIT binary patch delta 542 zcmV+(0^$9(1hxc_BY(s2r~nEH5PT3|xBgIY6IR&||9=cs@>p+WKyMXEHkdmM@nnrOxF1wCOG%^>?M&TJ|xXVRkJ-MD5W@+o3x g*U>?v{uhh(M#Jj5bTOQNtyAg9srzf(VL^Z*kUZ@Vw*UYD delta 542 zcmV+(0^$9(1hxc_BY&;dX#ffd5PT3|xBgIY6ZifP|8m2*fJvxBZ&oLt(^fhdf7k46 zjaM>6mnpG#;;x;p{HNfXi1wyGH6 zdF6OA^SZD4PRbP{-8#_;xe}c;6Tr5)?(mzU;%aZ13|-)mryQipvdH8Ne26Gth&mzspy2YUlx#348-lwG zVaUMV0ffl9AJTE|!U423`EGz#{2%l24?!f49LIj}>99~OwY8JRbLhgSk6rf>X(Bh< zHg{zU+1foT1b=tIV7vWDrm-(+Y(v_5xB@Or6R*U5_Y@ zyID6`>>|_E1-q3%B4hst8h)oYY~%z(igo+ zQk_}{a^ Date: Fri, 28 Jul 2023 16:08:01 -0400 Subject: [PATCH 07/17] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 79a614418..59aa62c1f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.4 +2.4.5 From 1ca78fd297bc8a9275d5576b46f525805b8e84c4 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 28 Jul 2023 16:29:46 -0400 Subject: [PATCH 08/17] Update README.md to 2.4 RC2 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3ab976bb5..aa3aa6ddf 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.4 Release Candidate 1 (RC1) +## Security Onion 2.4 Release Candidate 2 (RC2) -Security Onion 2.4 Release Candidate 1 (RC1) is here! +Security Onion 2.4 Release Candidate 2 (RC2) is here! ## Screenshots From 5a59975cb88abeeaed460c7f00780a8d0fc5b774 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 31 Jul 2023 10:14:31 -0400 Subject: [PATCH 09/17] Update so-yara-download --- salt/strelka/tools/sbin_jinja/so-yara-download | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/strelka/tools/sbin_jinja/so-yara-download b/salt/strelka/tools/sbin_jinja/so-yara-download index 9ec6fa41f..a8087173c 100644 --- a/salt/strelka/tools/sbin_jinja/so-yara-download 
+++ b/salt/strelka/tools/sbin_jinja/so-yara-download @@ -8,7 +8,7 @@ NOROOT=1 {%- if proxy %} export http_proxy={{ proxy }} export https_proxy={{ proxy }} -export no_proxy= salt['pillar.get']('manager:no_proxy') +export no_proxy=salt['pillar.get']('manager:no_proxy') {%- endif %} mkdir -p /tmp/yara From 4939447764c085c94fe82884b78690cce6e38c78 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 31 Jul 2023 10:16:37 -0400 Subject: [PATCH 10/17] Update so-yara-download --- salt/manager/tools/sbin_jinja/so-yara-download | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin_jinja/so-yara-download b/salt/manager/tools/sbin_jinja/so-yara-download index adfb8c529..e9b991b6c 100644 --- a/salt/manager/tools/sbin_jinja/so-yara-download +++ b/salt/manager/tools/sbin_jinja/so-yara-download @@ -8,7 +8,7 @@ NOROOT=1 {%- if proxy %} export http_proxy={{ proxy }} export https_proxy={{ proxy }} -export no_proxy= salt['pillar.get']('manager:no_proxy') +export no_proxy=salt['pillar.get']('manager:no_proxy') {%- endif %} repos="/opt/so/conf/strelka/repos.txt" From f867be9e04ec246951f953d9538f22d049d45138 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 31 Jul 2023 10:19:51 -0400 Subject: [PATCH 11/17] Fix no_proxy --- salt/idstools/tools/sbin_jinja/so-rule-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/idstools/tools/sbin_jinja/so-rule-update b/salt/idstools/tools/sbin_jinja/so-rule-update index 6a5976a1c..3e4b382e6 100755 --- a/salt/idstools/tools/sbin_jinja/so-rule-update +++ b/salt/idstools/tools/sbin_jinja/so-rule-update 
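Review bot: The new line still emits the Salt call as literal text: this file is rendered as a Jinja template (`{%- if proxy %}`, `{{ proxy }}`), but `salt['pillar.get']('manager:no_proxy')` is not inside `{{ }}`, so the generated script contains the literal string rather than the pillar value, and removing the space only changes how the shell parses that literal; I believe bash rejects the unquoted parentheses with a syntax error, so the script would still abort at this line whenever the proxy branch is rendered. The line should be `export no_proxy="{{ salt['pillar.get']('manager:no_proxy') }}"`. The same defect is in the identical hunks of patch 10 (salt/manager/tools/sbin_jinja/so-yara-download) and patch 11 (salt/idstools/tools/sbin_jinja/so-rule-update). Until it is fixed, hosts the pillar intends to bypass the proxy are not exempted, so internal requests from these scripts either fail or go through the proxy, which is worth checking in proxy-enabled deployments.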
@@ -12,7 +12,7 @@ chown -R socore:socore /nsm/rules/suricata {%- if proxy %} export http_proxy={{ proxy }} export https_proxy={{ proxy }} -export no_proxy= salt['pillar.get']('manager:no_proxy') +export no_proxy=salt['pillar.get']('manager:no_proxy') {%- endif %} {%- if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %} docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force From 1c42d70d3097ba0969c28f65973c68020941a869 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 31 Jul 2023 10:36:00 -0400 Subject: [PATCH 12/17] Update soc_sensor.yaml --- salt/sensor/soc_sensor.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/sensor/soc_sensor.yaml b/salt/sensor/soc_sensor.yaml index 61466b2b1..0774e9bcf 100644 --- a/salt/sensor/soc_sensor.yaml +++ b/salt/sensor/soc_sensor.yaml @@ -1,7 +1,9 @@ sensor: interface: description: Main sensor monitoring interface. - helpLink: sensor.html + helpLink: sensor.html + readonly: True mtu: description: Main IP address of the grid host. - helpLink: host.html \ No newline at end of file + helpLink: host.html + readonly: True From 16217912db2b05e3578d9f8b729038bd8b0661ee Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 31 Jul 2023 13:04:33 -0400 Subject: [PATCH 13/17] Update Soup --- salt/manager/tools/sbin/soup | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 4f113fab7..8497cf902 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -391,6 +391,8 @@ preupgrade_changes() { echo "Checking to see if changes are needed." [[ "$INSTALLEDVERSION" == 2.4.2 ]] && up_to_2.4.3 + [[ "$INSTALLEDVERSION" == 2.4.3]] && up_to_2.4.4 + [[ "$INSTALLEDVERSION" == 2.4.4 ]] && up_to_2.4.5 true } 
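Review bot: The version chain in `preupgrade_changes` only advances when `$INSTALLEDVERSION` matches one of the listed values exactly, and the trailing `true` masks any version that matches none of them, so an installation reporting an unexpected value (an older release, or a string with trailing whitespace) silently skips every `up_to_*` step and the upgrade proceeds as if nothing were needed. Consider reporting the unmatched case after the chain, comparing `$INSTALLEDVERSION` against the script's target-version variable (not visible in this hunk) and echoing something like `No pre-upgrade handler for $INSTALLEDVERSION`, so a skipped migration is visible in the soup log. The missing space in `2.4.3]]` is already corrected by patch 15. `preupgrade_changes` begins outside the hunk.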
@@ -399,6 +401,8 @@ postupgrade_changes() { echo "Running post upgrade processes." [[ "$POSTVERSION" == 2.4.2 ]] && post_to_2.4.3 + [[ "$POSTVERSION" == 2.4.3 ]] && post_to_2.4.4 + [[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5 true @@ -409,6 +413,15 @@ post_to_2.4.3() { POSTVERSION=2.4.3 } +post_to_2.4.4() { + echo "Nothing to apply" + POSTVERSION=2.4.4 +} + +post_to_2.4.5() { + echo "Nothing to apply" + POSTVERSION=2.4.5 +} stop_salt_master() { # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts @@ -455,7 +468,19 @@ stop_salt_minion() { up_to_2.4.3() { echo "Nothing to do for 2.4.3" ## - INSTALLEDVERSION=2.3.140 + INSTALLEDVERSION=2.4.3 +} + +up_to_2.4.4() { + echo "Nothing to do for 2.4.4" + ## + INSTALLEDVERSION=2.4.4 +} + +up_to_2.4.5() { + echo "Nothing to do for 2.4.5" + ## + INSTALLEDVERSION=2.4.5 } verify_upgradespace() { From e78e6b74ed367a986b62b6f084ab004c1826f22e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 31 Jul 2023 13:07:29 -0400 Subject: [PATCH 14/17] Update Soup --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 8497cf902..e0724503d 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -346,7 +346,7 @@ clone_to_tmp() { # Make a temp location for the files mkdir -p /tmp/sogh cd /tmp/sogh - SOUP_BRANCH="" + SOUP_BRANCH="-b 2.4/main" if [ -n "$BRANCH" ]; then SOUP_BRANCH="-b $BRANCH" fi From 77101fec1264f9f4a75c4bab12362c8308434eae Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 31 Jul 2023 13:12:32 -0400 Subject: [PATCH 15/17] Update Soup --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index e0724503d..31f1d0fea 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup 
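Review bot: `SOUP_BRANCH="-b 2.4/main"` pins the default checkout to a moving branch rather than a release tag or commit, so what an upgrade installs depends on the branch head at the moment `soup` runs; the rest of `clone_to_tmp` is outside the hunk, so I cannot tell whether the checkout is later verified (tag signature or expected commit). If it is not, pinning the default to a release tag, or verifying the checked-out commit before files are copied out of /tmp/sogh, would make the upgrade source reproducible and tamper-evident. A comment explaining why `2.4/main` is the default and that `$BRANCH` still overrides it would also help, since the previous empty default fell back to the remote's default branch.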
@@ -391,7 +391,7 @@ preupgrade_changes() { echo "Checking to see if changes are needed." [[ "$INSTALLEDVERSION" == 2.4.2 ]] && up_to_2.4.3 - [[ "$INSTALLEDVERSION" == 2.4.3]] && up_to_2.4.4 + [[ "$INSTALLEDVERSION" == 2.4.3 ]] && up_to_2.4.4 [[ "$INSTALLEDVERSION" == 2.4.4 ]] && up_to_2.4.5 true } From 95581f505a84074ae1bbfd9fed83bdda477a6049 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 31 Jul 2023 13:18:57 -0400 Subject: [PATCH 16/17] import DOCKER in idh.enabled --- salt/idh/enabled.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/idh/enabled.sls b/salt/idh/enabled.sls index 480e7eedc..7ef0ebb46 100644 --- a/salt/idh/enabled.sls +++ b/salt/idh/enabled.sls @@ -6,6 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'docker/docker.map.jinja' import DOCKER %} include: - idh.config From 57562ad5e366a00f2d1d0d6f8af03fe8992c7de5 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 31 Jul 2023 13:34:08 -0400 Subject: [PATCH 17/17] add managersearch and standlone fw rules for searchnode --- salt/firewall/defaults.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 57446a5c2..20b966e48 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -866,6 +866,14 @@ firewall: portgroups: - elasticsearch_node - elasticsearch_rest + managersearch: + portgroups: + - elasticsearch_node + - elasticsearch_rest + standalone: + portgroups: + - elasticsearch_node + - elasticsearch_rest dockernet: portgroups: - elasticsearch_node
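Review bot: The parent key under which `managersearch` and `standalone` are added is outside the hunk (the header shows only `firewall:`), so from the diff alone it is not verifiable that these entries land under the searchnode role named in the commit message rather than a neighbouring one; please confirm the nesting against the full file, since a mis-nested hostgroup here grants the Elasticsearch node and REST portgroups to a different host class. A one-line comment on each new entry stating the traffic it allows (e.g. `# manager search nodes need node and REST access to this role`) would document the intent and make later tightening easier.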