avoid rare false positive when dasbhoard load completes during setup

DOWNLOAD_AND_VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.4.3-20230711 ISO image built on 2023/07/11
+### 2.4.4-20230728 ISO image built on 2023/07/28
 
 
 
 ### Download and Verify
 
-2.4.3-20230711 ISO image:  
+2.4.4-20230728 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.3-20230711.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.4.4-20230728.iso
 
-MD5: F481ED39E02A5AF05EB50D319D97A6C7  
+MD5: F63E76245F3E745B5BDE9E6E647A7CB6  
-SHA1: 20F9BAA8F73A44C21A8DFE81F36247BCF33CEDA6  
+SHA1: 6CE4E4A3399CD282D4F8592FB19D510388AB3EEA  
-SHA256: D805522E02CD4941641385F6FF86FAAC240DA6C5FD98F78460348632C7C631B0 
+SHA256: BF8FEB91B1D94B67C3D4A79D209B068F4A46FEC7C15EEF65B0FCE9851D7E6C9F 
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.3-20230711.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.4-20230728.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,17 +26,17 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.3-20230711.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.4-20230728.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.3-20230711.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.4-20230728.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.3-20230711.iso.sig securityonion-2.4.3-20230711.iso
+gpg --verify securityonion-2.4.4-20230728.iso.sig securityonion-2.4.4-20230728.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:

README.md

@@ -1,6 +1,6 @@
-## Security Onion 2.4 Release Candidate 1 (RC1)
+## Security Onion 2.4 Release Candidate 2 (RC2)
 
-Security Onion 2.4 Release Candidate 1 (RC1) is here!
+Security Onion 2.4 Release Candidate 2 (RC2) is here!
 
 ## Screenshots
 

VERSION

@@ -1 +1 @@
-2.4.0-kilo
+2.4.0-kilo

salt/firewall/defaults.yaml

@@ -866,6 +866,14 @@ firewall:
               portgroups:
                 - elasticsearch_node
                 - elasticsearch_rest
+            managersearch:
+              portgroups:
+                - elasticsearch_node
+                - elasticsearch_rest
+            standalone:
+              portgroups:
+                - elasticsearch_node
+                - elasticsearch_rest
             dockernet:
               portgroups:
                 - elasticsearch_node

salt/firewall/init.sls

@@ -1,15 +1,29 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
+{%   from 'firewall/ipt.map.jinja' import iptmap %}
+
+install_iptables:
+  pkg.installed:
+    - name: {{ iptmap.iptpkg }}
+
+iptables_persist:
+  pkg.installed:
+    - name: {{ iptmap.persistpkg }}
+
+iptables_service:
+  service.running:
+    - name: {{ iptmap.service }}
+    - enable: True
 
 create_sysconfig_iptables:
   file.touch:
-    - name: /etc/sysconfig/iptables
+    - name: {{ iptmap.configfile }}
     - makedirs: True
-    - unless: 'ls /etc/sysconfig/iptables'
+    - unless: 'ls {{ iptmap.configfile }}'
 
 iptables_config:
   file.managed:
-    - name: /etc/sysconfig/iptables
+    - name: {{ iptmap.configfile }}
     - source: salt://firewall/iptables.jinja
     - template: jinja
 
@@ -24,11 +38,11 @@ disable_firewalld:
 
 iptables_restore:
   cmd.run:
-    - name: iptables-restore < /etc/sysconfig/iptables
+    - name: iptables-restore < {{ iptmap.configfile }}
     - require:
       - file: iptables_config
     - onlyif:
-      - iptables-restore --test /etc/sysconfig/iptables
+      - iptables-restore --test {{ iptmap.configfile }}
 
 {%   if grains.os_family == 'RedHat' %}
 enable_firewalld:

salt/firewall/ipt.map.jinja

@@ -0,0 +1,14 @@
+{% set iptmap = salt['grains.filter_by']({
+    'Debian': {
+        'service': 'netfilter-persistent',
+        'iptpkg': 'iptables',
+        'persistpkg': 'iptables-persistent',
+        'configfile': '/etc/iptables/rules.v4'
+    },
+    'RedHat': {
+        'service': 'iptables',
+        'iptpkg': 'iptables-nft',
+        'persistpkg': 'iptables-nft-services',
+        'configfile': '/etc/sysconfig/iptables'
+    },
+}) %}

salt/idh/enabled.sls

@@ -6,6 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 
 include:
   - idh.config

salt/idstools/tools/sbin_jinja/so-rule-update

@@ -12,7 +12,7 @@ chown -R socore:socore /nsm/rules/suricata
 {%- if proxy %}
 export http_proxy={{ proxy }} 
 export https_proxy={{ proxy }} 
-export no_proxy= salt['pillar.get']('manager:no_proxy') 
+export no_proxy=salt['pillar.get']('manager:no_proxy') 
 {%- endif %}
 {%-   if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %}
 docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force

salt/manager/tools/sbin/soup

@@ -346,7 +346,7 @@ clone_to_tmp() {
   # Make a temp location for the files
   mkdir -p /tmp/sogh
   cd /tmp/sogh
-  SOUP_BRANCH=""
+  SOUP_BRANCH="-b 2.4/main"
   if [ -n "$BRANCH" ]; then
     SOUP_BRANCH="-b $BRANCH"
   fi
@@ -391,6 +391,8 @@ preupgrade_changes() {
     echo "Checking to see if changes are needed."
 
     [[ "$INSTALLEDVERSION" == 2.4.2 ]] && up_to_2.4.3
+    [[ "$INSTALLEDVERSION" == 2.4.3 ]] && up_to_2.4.4
+    [[ "$INSTALLEDVERSION" == 2.4.4 ]] && up_to_2.4.5
     true
 }
 
@@ -399,6 +401,8 @@ postupgrade_changes() {
     echo "Running post upgrade processes."
     
     [[ "$POSTVERSION" == 2.4.2 ]] && post_to_2.4.3
+    [[ "$POSTVERSION" == 2.4.3 ]] && post_to_2.4.4
+    [[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5
     
 
     true
@@ -409,6 +413,15 @@ post_to_2.4.3() {
   POSTVERSION=2.4.3
 }
 
+post_to_2.4.4() {
+  echo "Nothing to apply"
+  POSTVERSION=2.4.4
+}
+
+post_to_2.4.5() {
+  echo "Nothing to apply"
+  POSTVERSION=2.4.5
+}
 
 stop_salt_master() {
     # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
@@ -455,7 +468,19 @@ stop_salt_minion() {
 up_to_2.4.3() {
    echo "Nothing to do for 2.4.3"
    ##
-   INSTALLEDVERSION=2.3.140
+   INSTALLEDVERSION=2.4.3
+}
+
+up_to_2.4.4() {
+   echo "Nothing to do for 2.4.4"
+   ##
+   INSTALLEDVERSION=2.4.4
+}
+
+up_to_2.4.5() {
+   echo "Nothing to do for 2.4.5"
+   ##
+   INSTALLEDVERSION=2.4.5
 }
 
 verify_upgradespace() {

salt/manager/tools/sbin_jinja/so-yara-download

@@ -8,7 +8,7 @@ NOROOT=1
 {%- if proxy %}
 export http_proxy={{ proxy }} 
 export https_proxy={{ proxy }} 
-export no_proxy= salt['pillar.get']('manager:no_proxy') 
+export no_proxy=salt['pillar.get']('manager:no_proxy') 
 {%- endif %}
 
 repos="/opt/so/conf/strelka/repos.txt"

salt/sensor/soc_sensor.yaml

@@ -1,7 +1,9 @@
 sensor:
   interface:
     description: Main sensor monitoring interface.
-    helpLink: sensor.html    
+    helpLink: sensor.html
+    readonly: True
   mtu:
     description: Main IP address of the grid host.
-    helpLink: host.html
+    helpLink: host.html
+    readonly: True

salt/soc/defaults.yaml

@@ -10,6 +10,14 @@ soc:
         target:
         links:
           - '/#/hunt?q="{value|escape}" | groupby event.module* event.dataset'
+      - name: actionAddToCase
+        description: actionAddToCaseHelp
+        icon: fa-briefcase
+        jsCall: openAddToCaseDialog
+        categories:
+          - hunt
+          - alerts
+          - dashboards
       - name: actionCorrelate
         description: actionCorrelateHelp
         icon: fab fa-searchengin

salt/strelka/tools/sbin_jinja/so-yara-download

@@ -8,7 +8,7 @@ NOROOT=1
 {%- if proxy %}
 export http_proxy={{ proxy }} 
 export https_proxy={{ proxy }} 
-export no_proxy= salt['pillar.get']('manager:no_proxy') 
+export no_proxy=salt['pillar.get']('manager:no_proxy') 
 {%- endif %}
 
 mkdir -p /tmp/yara

setup/so-verify

@@ -51,6 +51,7 @@ log_has_errors() {
         grep -vE "/nsm/rules/sigma*" | \
         grep -vE "/nsm/rules/yara*" | \
         grep -vE "Failed to restart snapd" | \
+        grep -vE "Login Failed Details" | \
         grep -vE "Running scope as unit" &> "$error_log"
     
     if [[ $? -eq 0 ]]; then