Merge remote-tracking branch 'origin/2.4/dev' into ui/firewall

This commit is contained in:
m0duspwnens
2023-05-02 12:21:09 -04:00
10 changed files with 54 additions and 74 deletions


@@ -1,6 +1,6 @@
## Security Onion 2.4
## Security Onion 2.4 Beta 2
Security Onion 2.4 is here!
Security Onion 2.4 Beta 2 is here!
## Screenshots


@@ -1,52 +1 @@
### 2.3.120-20220425 ISO image built on 2022/04/25
### Download and Verify
2.3.120-20220425 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.3.120-20220425.iso
MD5: C99729E452B064C471BEF04532F28556
SHA1: 60BF07D5347C24568C7B793BFA9792E98479CFBF
SHA256: CD17D0D7CABE21D45FA45E1CF91C5F24EB9608C79FF88480134E5592AFDD696E
Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.120-20220425.iso.sig
Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
For example, here are the steps you can use on most Linux distributions to download and verify our Security Onion ISO image.
Download and import the signing key:
```
wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -O - | gpg --import -
```
Download the signature file for the ISO:
```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.120-20220425.iso.sig
```
Download the ISO image:
```
wget https://download.securityonion.net/file/securityonion/securityonion-2.3.120-20220425.iso
```
Verify the downloaded ISO image using the signature file:
```
gpg --verify securityonion-2.3.120-20220425.iso.sig securityonion-2.3.120-20220425.iso
```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
```
gpg: Signature made Mon 25 Apr 2022 08:20:40 AM EDT using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C804 A93D 36BE 0C73 3EA1 9644 7C10 60B7 FE50 7013
```
Once you've verified the ISO image, you're ready to proceed to our Installation guide:
https://docs.securityonion.net/en/2.3/installation.html
### An ISO will be available starting in RC1.


@@ -1 +1 @@
2.4.1
2.4.2


@@ -18,7 +18,8 @@ base:
'*_eval or *_heavynode or *_sensor or *_standalone or *_import':
- match: compound
- zeek
- zeek.soc_zeek
- zeek.adv_zeek
- bpf.soc_bpf
- bpf.adv_bpf


@@ -1,12 +1,14 @@
idstools:
config:
oinkcode:
description: Enter your registration code for paid rulesets.
description: Enter your registration/oink code for paid NIDS rulesets.
title: registraion code
global: True
helpLink: rules.html
ruleset:
description: Define the ruleset you want to run. Options are ETOPEN or ETPRO.
description: Defines the ruleset you want to run. Options are ETOPEN or ETPRO.
global: True
regex: ETPRO\b|ETOPEN\b
helpLink: rules.html
urls:
description: This is a list of additional rule download locations.
@@ -14,20 +16,28 @@ idstools:
helpLink: rules.html
sids:
disabled:
description: List of SIDS that you want to disable.
description: Contains the list of NIDS rules manually disabled across the grid. To disable a rule, add its signature ID (SID) to the Current Grid Value box, one entry per line. To disable multiple rules, you can use regular expressions.
global: True
multiline: True
forcedType: "[]string"
regex: \d*|re:.*
helpLink: managing-alerts.html
enabled:
description: List of SIDS that are disabled by the rule source that you want to enable.
description: Contains the list of NIDS rules manually enabled across the grid. To enable a rule, add its signature ID (SID) to the Current Grid Value box, one entry per line. To enable multiple rules, you can use regular expressions.
global: True
multiline: True
forcedType: "[]string"
regex: \d*|re:.*
helpLink: managing-alerts.html
modify:
description: List of SIDS that you want to modify.
description: Contains the list of NIDS rules that were modified from their default values. Entries must adhere to the following format - SID "REGEX_SEARCH_TERM" "REGEX_REPLACE_TERM"
global: True
multiline: True
forcedType: "[]string"
helpLink: managing-alerts.html
rules:
local__rules:
description: This is where custom Suricata rules are entered.
description: Contains the list of custom NIDS rules applied to the grid. To add custom NIDS rules to the grid, enter one rule per line in the Current Grid Value box.
file: True
global: True
advanced: True
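Review bot: The `regex: \d*|re:.*` on `sids.disabled` and `sids.enabled` accepts an empty entry, because `\d*` matches the empty string, and if the SOC UI applies it as a search rather than a full match it would also let through values like `abc123`; `regex: ^\d+$|^re:.+$` would reject blank lines and non-numeric SIDs before they reach the rule engine (whether the matcher anchors is not visible here, so please confirm). The `oinkcode` annotation also carries a typo in its title, `title: registraion code` should read `title: registration code`. Since the oink code is a credential, consider whether the annotation schema offers a way to mark it sensitive so it is masked in the UI rather than shown as a plain grid value; no such key appears in this file, so this may need schema support.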


@@ -16,6 +16,7 @@ kratos:
issuer: Security Onion
flows:
settings:
privileged_session_max_age: 5m
ui_url: https://URL_BASE/?r=/settings
required_aal: highest_available
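Review bot: The new `privileged_session_max_age: 5m` has no comment explaining what the value means or how it is formatted, and this defaults file is where an operator would look first. A one-line comment above it such as `# Duration (presumably Go-style, e.g. 5m, 1h) after login during which password/MFA changes are allowed without re-authenticating` would make the security intent of the 5-minute window clear and discourage someone from raising it casually. The `kratos:` mapping continues outside this hunk.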
verification:


@@ -23,7 +23,6 @@ kratos:
haveibeenpwned_enabled:
description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
global: True
advanced: True
helpLink: kratos.html
totp:
enabled:
@@ -39,6 +38,10 @@ kratos:
helpLink: kratos.html
flows:
settings:
privileged_session_max_age:
description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change.
global: True
helpLink: kratos.html
ui_url:
description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation.
global: True
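Review bot: The new `privileged_session_max_age` annotation describes the effect of the setting but never says what a valid value looks like, and unlike the sibling settings in this file it carries no `regex` or `forcedType`, so an operator could enter `5` or `5 minutes` and only find out at Kratos start time. I would append to the description `Enter a duration such as 5m or 1h.` and add `regex: ^\d+(s|m|h)$` so the grid rejects malformed values up front; the exact accepted unit set should be checked against what Kratos parses. Also note that dropping `advanced: True` from `haveibeenpwned_enabled` promotes a setting that opens outbound connections to a third-party service into the basic view, which is reasonable but worth a mention in the release notes.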


@@ -16,10 +16,10 @@ type=worker
host=localhost
interface=af_packet::{{ NODE.interface }}
lb_method=custom
{%- if NODE.lb_procs %}
lb_procs={{ NODE.lb_procs }}
{%- else %}
{%- if NODE.pins %}
lb_procs={{ NODE.pins | length }}
{%- else %}
lb_procs={{ NODE.lb_procs }}
{%- endif %}
{%- if NODE.pins %}
pin_cpus={{ NODE.pins | join(", ") }}
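Review bot: The new branch at `{%- if NODE.pins %}` keys solely off the presence of `NODE.pins`, while the annotations file in this same commit introduces a separate `pins_enabled` toggle that nothing in this hunk consults, so a node with leftover `pins` entries and CPU affinity disabled would still override `lb_procs` and emit `pin_cpus` (unless the pillar already clears `pins` when the toggle is off, which is not visible here). Guarding both sites with `{%- if NODE.pins_enabled and NODE.pins %}` would keep the rendered node.cfg consistent with the toggle users see. Separately, if neither `pins` nor `lb_procs` is set the template renders a bare `lb_procs=` line, which zeekctl may reject; consider only emitting the line when `NODE.lb_procs` is truthy. The template continues past the end of this hunk.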


@@ -6,30 +6,36 @@ zeek:
config:
local:
load:
description: List of Zeek policies to load
description: Contains a list of policies and scripts loaded by Zeek. Values in the Current Grid Value dialog box apply to every instance of Zeek. Values in a dialog box for a specific node will only apply to that node.
forcedType: "[]string"
helpLink: zeek.html
load-sigs:
description: List of Zeek signatures to load
description: Contains a list of signatures loaded by Zeek. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
forcedType: "[]string"
helpLink: zeek.html
redef:
description: List of Zeek variables to redefine
description: List of Zeek variables to redefine. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
forcedType: "[]string"
advanced: True
helpLink: zeek.html
node:
lb_procs:
description: This is the number of CPUs to use for Zeek. This setting is ignored if you are using pins.
description: Contains the number of CPU cores or workers used by Zeek. This setting should only be applied to individual nodes and will be ignored if CPU affinity is enabled.
title: workers
helpLink: zeek.html
node: True
pins_enabled:
description: Enabling this setting allows you to pin Zeek to specific CPUs.
title: cpu affinity enabled
forcedType: bool
helpLink: zeek.html
node: True
advanced: True
pins:
description: This is a list of CPUs you want to pin Zeek to.
description: Contains a list of specific CPU cores pinned to Zeek workers. To set the CPU affinity, enter the processor ID number in the dialog box for the desired node. To retrieve the processor ID numbers, run the command "cat /proc/cpuinfo | grep processor" on the desired node. Please note that this setting should only be applied to individual nodes.
title: cpu affinity
multiline: True
forcedType: "[]string"
helpLink: zeek.html
node: True
advanced: True
@@ -47,5 +53,5 @@ zeek:
global: True
advanced: True
file_extraction:
description: This is a list of MIME types that Zeek will extract from the network streams.
description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENTION"}
helpLink: zeek.html
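Review bot: The format hint users are told to follow in the `file_extraction` description is misspelled, `{"MIME_TYPE":"FILE_EXTENTION"}` should be `{"MIME_TYPE":"FILE_EXTENSION"}`, and since operators will copy the example verbatim the typo is worth fixing before release. The `pins` setting now instructs users to paste processor IDs from `/proc/cpuinfo` but has no `regex`, so a stray `processor : 3` line pasted whole would be rendered straight into node.cfg; the idstools annotations in this commit already pair `forcedType: "[]string"` with a `regex`, so `regex: ^\d+$` here would follow that precedent if the validator applies per entry. The `lb_procs` description says the value is ignored when CPU affinity is enabled, which matches the new `pins_enabled` toggle only if the node.cfg template actually checks that flag; please confirm it does.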


@@ -917,9 +917,19 @@ create_repo() {
logCmd "createrepo /nsm/repo"
}
detect_cloud() {
info "Testing if setup is running on a cloud instance..."
if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null) || [ -f /var/log/waagent.log ]; then info "Detected a cloud installation..." && export is_cloud="true"; fi
info "Testing if setup is running on a cloud instance..."
if dmidecode -s bios-version | grep -q amazon || \
dmidecode -s bios-vendor | grep -q Amazon || \
dmidecode -s bios-vendor | grep -q Google || \
[ -f /var/log/waagent.log ]; then
info "Detected a cloud installation..."
export is_cloud="true"
else
info "This does not appear to be a cloud installation."
fi
}
detect_os() {
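Review bot: The three `dmidecode` calls in the new `detect_cloud()` do not redirect stderr, so on a host where dmidecode is missing or the caller lacks SMBIOS access the function prints errors to the console and then quietly concludes "not a cloud installation", which is the same outcome as a genuine negative. The matches are also case-sensitive and inconsistent (`amazon` against `bios-version`, `Amazon` against `bios-vendor`), which is fragile across EC2 instance generations. Dropping the IMDS curl is a good change; the remaining checks can be collapsed into one case-insensitive match over both DMI strings with errors discarded. The Azure test still relies only on `/var/log/waagent.log` existing, which is a weak heuristic compared with a DMI-based check, but I have not verified which marker the targeted images expose.
```shell
detect_cloud() {
  info "Testing if setup is running on a cloud instance..."
  # dmidecode needs root and may be absent; discard its errors so a
  # failure reads as "not cloud" instead of noise on the console.
  dmi_info="$(dmidecode -s bios-vendor 2>/dev/null; dmidecode -s bios-version 2>/dev/null)"
  if echo "$dmi_info" | grep -qiE 'amazon|google' || [ -f /var/log/waagent.log ]; then
    info "Detected a cloud installation..."
    export is_cloud="true"
  else
    info "This does not appear to be a cloud installation."
  fi
}
```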