From bbc65c32b630dae0387aedf8c623bd51c1698f4b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 7 Oct 2024 09:55:54 -0400 Subject: [PATCH 01/14] 2.4.110 --- DOWNLOAD_AND_VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.4.110-20241004.iso.sig | Bin 0 -> 566 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.4.110-20241004.iso.sig diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index ffeb0fe32..bb4dfd672 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,17 +1,17 @@ -### 2.4.100-20240903 ISO image released on 2024/09/03 +### 2.4.110-20241004 ISO image released on 2024/10/07 ### Download and Verify -2.4.100-20240903 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.100-20240903.iso +2.4.110-20241004 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.110-20241004.iso -MD5: 856BBB4F0764C0A479D8949725FC096B -SHA1: B3FCFB8F1031EB8AA833A90C6C5BB61328A73842 -SHA256: 0103EB9D78970396BB47CBD18DA1FFE64524F5C1C559487A1B2D293E1882B265 +MD5: 1641E4AFD65DB1C218BFAD22E33909C6 +SHA1: 131E1115F7CA76302F72625CD80A212B91608114 +SHA256: 8598EB03E52B332EF5445520445AD205C68A99BC030F8497F6EBDE1249B8B576 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.100-20240903.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.110-20241004.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.100-20240903.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.110-20241004.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.100-20240903.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.110-20241004.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.100-20240903.iso.sig securityonion-2.4.100-20240903.iso +gpg --verify securityonion-2.4.110-20241004.iso.sig securityonion-2.4.110-20241004.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Sat 31 Aug 2024 05:05:05 PM EDT using RSA key ID FE507013 +gpg: Signature made Sat 05 Oct 2024 09:31:57 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.4.110-20241004.iso.sig b/sigs/securityonion-2.4.110-20241004.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..40bc093e276ee5ceb1f2dfc5d54e06404231fd9b GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%rj~%>W7s5PT3| zxBgIY6B6DK0JvtudFEy7>3{fv0?jN;AWVZ_s%u7%>ji}tqU7}yN}uH^hJbixmf$Fl z{u~27f(Gk-mZs6Yx&rVX^}G&0!MvQ#sW`Oyaq`fnu3fycAR=)NDUr-s6c3+dx1vBr zwx*eYV_s8aSrtJ7-BbV{2fD*`hxzAW;Pu69q4!qVaya}e$Ljs@$|r`1lY<4yB461>;DR*;3_DyU=bUGP;;Ef?mH6Np`{~d(zzpEu!5!%unm%2Qd10l!>{L(5!q^S|DFeEI+C7 zWZgL~6RPq?=Mi^dko^I8eC_|6s*6#;Yo5a9kj5#XZ0mXN;{$l+A!m?^``O%=LG{x7 zHT)RSd_Un+3X>i~S^OSRY#jY14Y5*AT`Yeb3L8Xj0iqKasri2|UV~l&AmUmXH-vr= zlkuMSk7w Date: Mon, 7 Oct 2024 15:30:49 -0400 Subject: [PATCH 02/14] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 3cda1f5a4..b47ca7775 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.110 +2.4.120 From ba4fbb9953770be8683eff344459288957a49872 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 7 Oct 2024 16:05:45 -0400 Subject: [PATCH 03/14] Update 2-4.yml --- .github/DISCUSSION_TEMPLATE/2-4.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml index 9c897d2bd..af5fa3a84 100644 --- a/.github/DISCUSSION_TEMPLATE/2-4.yml +++ b/.github/DISCUSSION_TEMPLATE/2-4.yml @@ -22,6 +22,7 @@ body: - 2.4.90 - 2.4.100 - 2.4.110 + - 2.4.120 - Other (please provide detail below) validations: required: true From 69857b6b5c6ea662ea8086c5911f37d8264b41a0 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 8 Oct 2024 10:54:54 -0400 Subject: [PATCH 04/14] Use ID instead of name --- salt/elasticfleet/tools/sbin/so-elastic-fleet-common | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common index fadf18b5f..296e578fc 100644 
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common @@ -102,6 +102,14 @@ elastic_fleet_package_is_installed() { curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.status' } +elastic_fleet_agent_policy_ids() { + curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies" | jq -r .items[].id + if [ $? -ne 0 ]; then + echo "Error: Failed to retrieve agent policies." + exit 1 + fi +} + elastic_fleet_agent_policy_names() { curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies" | jq -r .items[].name if [ $? -ne 0 ]; then From c58ed45cf034e5db2c6f7c1afbc13790efba2a22 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 8 Oct 2024 10:55:16 -0400 Subject: [PATCH 05/14] Use ID instead of name --- .../tools/sbin/so-elastic-fleet-integration-upgrade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-upgrade b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-upgrade index bdf93bad3..baad389eb 100644 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-upgrade +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-upgrade @@ -13,7 +13,7 @@ if [ $? -ne 0 ]; then fi IFS=$'\n' -agent_policies=$(elastic_fleet_agent_policy_names) +agent_policies=$(elastic_fleet_agent_policy_ids) if [ $? -ne 0 ]; then echo "Error: Failed to retrieve agent policies." exit 1 From e2da31c2b708b0181e9ea0b0b6a082c9d345b000 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 9 Oct 2024 14:15:43 -0400 Subject: [PATCH 06/14] Update soup --- salt/manager/tools/sbin/soup | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
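Review bot: In `elastic_fleet_agent_policy_ids` the `$?` test after the `curl | jq` pipeline only sees jq's status, so a failed curl (connection refused, or an HTTP error such as a rejected session cookie, since `-s` is used without `-f`/`--fail`) is not caught unless `pipefail` is enabled somewhere above this hunk. The "Error:" message is also written to stdout, so in the patch 05 caller `agent_policies=$(elastic_fleet_agent_policy_ids)` it ends up captured in the variable instead of being shown to the user. Capturing the response first, failing on curl's own status, and sending the message to stderr addresses both; the pre-existing `elastic_fleet_agent_policy_names` has the same shape (its body continues past the end of this hunk). Quoting the jq filter, `'.items[].id'`, also keeps the brackets from being treated as a glob pattern.
```shell
elastic_fleet_agent_policy_ids() {
  local resp
  resp=$(curl -sf -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies") || {
    echo "Error: Failed to retrieve agent policies." >&2
    exit 1
  }
  printf '%s\n' "$resp" | jq -r '.items[].id'
}
```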
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 091e471d4..5e3deff15 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -402,6 +402,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.4.70 ]] && up_to_2.4.80 [[ "$INSTALLEDVERSION" == 2.4.80 ]] && up_to_2.4.90 [[ "$INSTALLEDVERSION" == 2.4.90 ]] && up_to_2.4.100 + [[ "$INSTALLEDVERSION" == 2.4.100 ]] && up_to_2.4.110 true } @@ -422,6 +423,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.70 ]] && post_to_2.4.80 [[ "$POSTVERSION" == 2.4.80 ]] && post_to_2.4.90 [[ "$POSTVERSION" == 2.4.90 ]] && post_to_2.4.100 + [[ "$POSTVERSION" == 2.4.100 ]] && post_to_2.4.110 true } @@ -509,6 +511,11 @@ post_to_2.4.100() { POSTVERSION=2.4.100 } +post_to_2.4.110() { + echo "Nothing to apply" + POSTVERSION=2.4.110 +} + repo_sync() { echo "Sync the local repo." su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync." @@ -691,6 +698,11 @@ up_to_2.4.100() { determine_elastic_agent_upgrade INSTALLEDVERSION=2.4.100 } +up_to_2.4.110() { + echo "Nothing to do for 2.4.110" + + INSTALLEDVERSION=2.4.110 +} add_detection_test_pillars() { if [[ -n "$SOUP_INTERNAL_TESTING" ]]; then From 787336725c0616b5142fc6099b4290966f586ef8 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 10 Oct 2024 06:25:59 -0400 Subject: [PATCH 07/14] 2.4.110 hotfix --- HOTFIX | 1 + 1 file changed, 1 insertion(+) diff --git a/HOTFIX b/HOTFIX index e69de29bb..7f0f80c64 100644 --- a/HOTFIX +++ b/HOTFIX @@ -0,0 +1 @@ +20241010 From 404f9a4eb3be4d06f810a99be5eca37618744715 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 10 Oct 2024 10:37:12 -0400 Subject: [PATCH 08/14] 2.4.110 Hotfix --- DOWNLOAD_AND_VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.4.110-20241010.iso.sig | Bin 0 -> 566 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.4.110-20241010.iso.sig 
diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index bb4dfd672..18a38a91c 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,17 +1,17 @@ -### 2.4.110-20241004 ISO image released on 2024/10/07 +### 2.4.110-20241010 ISO image released on 2024/10/10 ### Download and Verify -2.4.110-20241004 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.110-20241004.iso +2.4.110-20241010 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.110-20241010.iso -MD5: 1641E4AFD65DB1C218BFAD22E33909C6 -SHA1: 131E1115F7CA76302F72625CD80A212B91608114 -SHA256: 8598EB03E52B332EF5445520445AD205C68A99BC030F8497F6EBDE1249B8B576 +MD5: A8003DEBC4510D538F06238D9DBB86C0 +SHA1: 441DE90A192C8FE8BEBAB9ACE1A3CC18F71A2B1F +SHA256: B087A0D12FC2CA3CCD02BD52E52421F4F60DC09BF826337A057E05A04D114CCE Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.110-20241004.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.110-20241010.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.110-20241004.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.110-20241010.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.110-20241004.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.110-20241010.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.110-20241004.iso.sig securityonion-2.4.110-20241004.iso +gpg --verify securityonion-2.4.110-20241010.iso.sig securityonion-2.4.110-20241010.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Sat 05 Oct 2024 09:31:57 AM EDT using RSA key ID FE507013 +gpg: Signature made Thu 10 Oct 2024 07:05:30 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.4.110-20241010.iso.sig b/sigs/securityonion-2.4.110-20241010.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..90849a7b68afe29d504e56b29870860d6f9d77ee GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%r%b`TzV@U5+K}={y6*!?hr$z^nk87TJ4t@3mNI92_L5`?A{~nVnLX(j z`J`G)Zw|U2QckI`J{*LBa*$2NokO9Jaie4mLDi7keu|Qm$oc($9B%W2g~RsV-P?Y& zn5hJs-Q8@5=UC4v)Df|qQb|sm%<57z80titJ|6^*0EbeSny^o1HqilJUb?KrPQ-{K zPxW^)XeY=vD26+E>`FQX`WJ<|!H4s)MoLn$IKV^%^oI77nsH0|tKiIUft66#@ zhgIFcg)Y@?`c42F+qVEfp>62H(7ESy+8R?VZBS>p#@*V?(|8XIGRiOP#>a@7i1T-} z+1Tn7E5f@Ib!^xQbweVO?JR?zWtq!=nd|4&+*+wt71 z&VKYzXAgLKGwmrH09Mvm5MvU1e_PuODW(2_2#GL)g*$Ud#kz}Uo{DW;^jCYa)L!T9 z_im^`*MlW*eh8_uD}BlYD;!rAw)g1iO(M+N4pW)KOV literal 0 HcmV?d00001 From ec7fa5e24ad01e37447736814bf1ac0f9d159267 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 10 Oct 2024 11:24:10 -0400 Subject: [PATCH 09/14] clear hotfix file --- HOTFIX | 1 - 1 file changed, 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index 7f0f80c64..e69de29bb 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +0,0 @@ -20241010 From d2bd9c0e26c23b1140a9ae11a0aa12c12e26a1e8 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Thu, 8 Aug 2024 12:03:54 -0600 Subject: [PATCH 10/14] Changes to allow reviews to start showing --- salt/soc/defaults.yaml | 1 + salt/soc/soc_soc.yaml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 2d2a26c9a..00c45e5c5 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -2264,6 +2264,7 @@ soc: query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled" description: Show Detections that have Overrides detection: + showUnreviewedAiSummaries: false presets: severity: customEnabled: false diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 8087fe2c3..af4668fc2 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -463,6 +463,9 @@ soc: dashboards: *appSettings detections: *appSettings detection: + showUnreviewedAiSummaries: + description: Show AI summaries in detections even if they have not yet been reviewed by a human. + global: True templateDetections: suricata: description: The template used when creating a new Suricata detection. [publicId] will be replaced with an unused Public Id. From cc19b601462df1b3e95adc5d22cfb91bb5bf8f22 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 15 Oct 2024 09:32:14 -0400 Subject: [PATCH 11/14] restore services/top at start of soup --- salt/manager/tools/sbin/soup | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 091e471d4..6826bde2f 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -32,10 +32,7 @@ check_err() { if [[ $exit_code -ne 0 ]]; then set +e - systemctl_func "start" "$cron_service_name" - systemctl_func "start" "salt-master" - systemctl_func "start" "salt-minion" - enable_highstate + failed_soup_restore_items printf '%s' "Soup failed with error $exit_code: " case $exit_code in @@ -358,8 +355,12 @@ masterlock() { } masterunlock() { - echo "Unlocking Salt Master" - mv -v $BACKUPTOPFILE $TOPFILE + if [ -f $BACKUPTOPFILE ]; then + echo "Unlocking Salt Master" + mv -v $BACKUPTOPFILE $TOPFILE + else + echo "Salt Master does not need unlocked." + fi } phases_pillar_2_4_80() { @@ -1079,6 +1080,13 @@ apply_hotfix() { fi } +failed_soup_restore_items() { + systemctl_func "start" "$cron_service_name" + systemctl_func "start" "salt-master" + systemctl_func "start" "salt-minion" + enable_highstate + masterunlock +} #upgrade salt to 3004.1 #2_3_10_hotfix_1() { @@ -1118,6 +1126,8 @@ main() { echo "" require_manager + failed_soup_restore_items + check_pillar_items echo "Checking to see if this is an airgap install." From ac6637c6ab324a26d254e235346df33984cddd1c Mon Sep 17 00:00:00 2001 
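Review bot: The new guard in `masterunlock`, `if [ -f $BACKUPTOPFILE ]; then`, leaves the variable unquoted, so when it is empty or unset the test collapses to the one-argument form `[ -f ]`, which is true, and the branch runs `mv -v` with no operands. That path is reachable in this commit: `main` now calls `failed_soup_restore_items` (and through it `masterunlock`) at startup, before `masterlock` has assigned `BACKUPTOPFILE`; patch 12 hoists the assignments to file scope, which removes that case, but the quoting should still be fixed: `if [ -f "$BACKUPTOPFILE" ]; then` and `mv -v -- "$BACKUPTOPFILE" "$TOPFILE"`. `failed_soup_restore_items` is new and undocumented; a header comment such as `# Bring the manager back to a usable state after a failed or interrupted soup: restart cron/salt services, re-enable highstate, restore top.sls` would explain why `main` also calls it before doing any work.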
From: m0duspwnens Date: Tue, 15 Oct 2024 09:56:50 -0400 Subject: [PATCH 12/14] set vars global --- salt/manager/tools/sbin/soup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 6826bde2f..912d8ecdb 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -19,6 +19,8 @@ SOUP_LOG=/root/soup.log WHATWOULDYOUSAYYAHDOHERE=soup whiptail_title='Security Onion UPdater' NOTIFYCUSTOMELASTICCONFIG=false +TOPFILE=/opt/so/saltstack/default/salt/top.sls +BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup # used to display messages to the user at the end of soup declare -a FINAL_MESSAGE_QUEUE=() @@ -344,8 +346,6 @@ highstate() { masterlock() { echo "Locking Salt Master" - TOPFILE=/opt/so/saltstack/default/salt/top.sls - BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup mv -v $TOPFILE $BACKUPTOPFILE echo "base:" > $TOPFILE echo " $MINIONID:" >> $TOPFILE From c46fb7e74c7366e7da02d5b60079cdee0b3fd862 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 15 Oct 2024 11:46:09 -0400 Subject: [PATCH 13/14] check if service is running before trying to start it --- salt/manager/tools/sbin/soup | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 912d8ecdb..70245d618 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -1081,9 +1081,12 @@ apply_hotfix() { } failed_soup_restore_items() { - systemctl_func "start" "$cron_service_name" - systemctl_func "start" "salt-master" - systemctl_func "start" "salt-minion" + local services=("$cron_service_name", "salt-master", "salt-minion") + for SERVICE_NAME in "${services[@]}"; do + if ! systemctl is-active --quiet "$SERVICE_NAME"; then + systemctl_func "start" "$SERVICE_NAME" + fi + done enable_highstate masterunlock } From c2e46932eed53b61c84312e07514210290e587e6 Mon Sep 17 00:00:00 2001 
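Review bot: `TOPFILE` and `BACKUPTOPFILE` are now file-level constants beside `SOUP_LOG`, but nothing marks them as such; `readonly TOPFILE=/opt/so/saltstack/default/salt/top.sls` and `readonly BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup` would stop `masterlock`, `masterunlock` or a later edit from reassigning them. A comment on the pair, `# masterlock moves top.sls aside and writes a minimal one listing only $MINIONID; masterunlock restores the backup`, would also record why a backup path exists, since that is what the `masterlock` context lines in the second hunk appear to do.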
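Review bot: The loop variable `SERVICE_NAME` in `failed_soup_restore_items` is not declared `local`, so the function leaves behind a global holding the last service name; `local svc` before the loop, with `for svc in "${services[@]}"; do`, keeps it scoped like `services`. The stray commas in the array literal are already corrected by patch 14. Because `main` calls this function at startup, it is worth confirming that `cron_service_name` is assigned before that call (its assignment is outside these hunks); if it is still empty, the first iteration runs `systemctl is-active --quiet ""` and then attempts to start an empty unit name.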
From: m0duspwnens Date: Tue, 15 Oct 2024 12:01:53 -0400 Subject: [PATCH 14/14] fix array def --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 70245d618..22cf98558 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -1081,7 +1081,7 @@ apply_hotfix() { } failed_soup_restore_items() { - local services=("$cron_service_name", "salt-master", "salt-minion") + local services=("$cron_service_name" "salt-master" "salt-minion") for SERVICE_NAME in "${services[@]}"; do if ! systemctl is-active --quiet "$SERVICE_NAME"; then systemctl_func "start" "$SERVICE_NAME"