Merge branch '2.4/dev' into jertel/wip

.github/DISCUSSION_TEMPLATE/2-4.yml

@@ -22,6 +22,7 @@ body:
         - 2.4.90
         - 2.4.100
         - 2.4.110
+        - 2.4.120
         - Other (please provide detail below)
     validations:
       required: true

DOWNLOAD_AND_VERIFY_ISO.md

@@ -1,17 +1,17 @@
-### 2.4.100-20240903 ISO image released on 2024/09/03
+### 2.4.110-20241010 ISO image released on 2024/10/10
 
 
 ### Download and Verify
 
-2.4.100-20240903 ISO image:  
+2.4.110-20241010 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.100-20240903.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.4.110-20241010.iso
  
-MD5: 856BBB4F0764C0A479D8949725FC096B  
+MD5: A8003DEBC4510D538F06238D9DBB86C0  
-SHA1: B3FCFB8F1031EB8AA833A90C6C5BB61328A73842  
+SHA1: 441DE90A192C8FE8BEBAB9ACE1A3CC18F71A2B1F  
-SHA256: 0103EB9D78970396BB47CBD18DA1FFE64524F5C1C559487A1B2D293E1882B265  
+SHA256: B087A0D12FC2CA3CCD02BD52E52421F4F60DC09BF826337A057E05A04D114CCE  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.100-20240903.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.110-20241010.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.100-20240903.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.110-20241010.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.100-20240903.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.110-20241010.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.100-20240903.iso.sig securityonion-2.4.100-20240903.iso
+gpg --verify securityonion-2.4.110-20241010.iso.sig securityonion-2.4.110-20241010.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Sat 31 Aug 2024 05:05:05 PM EDT using RSA key ID FE507013
+gpg: Signature made Thu 10 Oct 2024 07:05:30 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

VERSION

@@ -1 +1 @@
-2.4.110
+2.4.120

salt/elasticfleet/tools/sbin/so-elastic-fleet-common

@@ -102,6 +102,14 @@ elastic_fleet_package_is_installed() {
     curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.status'
 }
 
+elastic_fleet_agent_policy_ids() {
+    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies" | jq -r .items[].id
+    if [ $? -ne 0 ]; then
+        echo "Error: Failed to retrieve agent policies."
+        exit 1
+    fi
+}
+
 elastic_fleet_agent_policy_names() {
     curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies" | jq -r .items[].name
     if [ $? -ne 0 ]; then

salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-upgrade

@@ -13,7 +13,7 @@ if [ $? -ne 0 ]; then
 fi
 
 IFS=$'\n'
-agent_policies=$(elastic_fleet_agent_policy_names)
+agent_policies=$(elastic_fleet_agent_policy_ids)
 if [ $? -ne 0 ]; then
     echo "Error: Failed to retrieve agent policies."
     exit 1

salt/manager/tools/sbin/soup

@@ -19,6 +19,8 @@ SOUP_LOG=/root/soup.log
 WHATWOULDYOUSAYYAHDOHERE=soup
 whiptail_title='Security Onion UPdater'
 NOTIFYCUSTOMELASTICCONFIG=false
+TOPFILE=/opt/so/saltstack/default/salt/top.sls
+BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup
 # used to display messages to the user at the end of soup
 declare -a FINAL_MESSAGE_QUEUE=()
 
@@ -32,10 +34,7 @@ check_err() {
   if [[ $exit_code -ne 0 ]]; then
 
     set +e
-    systemctl_func "start" "$cron_service_name"
+    failed_soup_restore_items
-    systemctl_func "start" "salt-master"
-    systemctl_func "start" "salt-minion"
-    enable_highstate
 
     printf '%s' "Soup failed with error $exit_code: "
     case $exit_code in
@@ -347,8 +346,6 @@ highstate() {
 
 masterlock() {
   echo "Locking Salt Master"
-  TOPFILE=/opt/so/saltstack/default/salt/top.sls
-  BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup
   mv -v $TOPFILE $BACKUPTOPFILE
   echo "base:" > $TOPFILE
   echo "  $MINIONID:" >> $TOPFILE
@@ -358,8 +355,12 @@ masterlock() {
 }
 
 masterunlock() {
+  if [ -f $BACKUPTOPFILE ]; then
     echo "Unlocking Salt Master"
     mv -v $BACKUPTOPFILE $TOPFILE
+  else
+    echo "Salt Master does not need unlocked."
+  fi
 }
 
 phases_pillar_2_4_80() {
@@ -402,6 +403,7 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.4.70 ]] && up_to_2.4.80
     [[ "$INSTALLEDVERSION" == 2.4.80 ]] && up_to_2.4.90
     [[ "$INSTALLEDVERSION" == 2.4.90 ]] && up_to_2.4.100
+    [[ "$INSTALLEDVERSION" == 2.4.100 ]] && up_to_2.4.110
     true
 }
 
@@ -422,6 +424,7 @@ postupgrade_changes() {
     [[ "$POSTVERSION"  == 2.4.70 ]] && post_to_2.4.80
     [[ "$POSTVERSION"  == 2.4.80 ]] && post_to_2.4.90
     [[ "$POSTVERSION"  == 2.4.90 ]] && post_to_2.4.100
+    [[ "$POSTVERSION"  == 2.4.100 ]] && post_to_2.4.110
     true
 }
 
@@ -509,6 +512,11 @@ post_to_2.4.100() {
   POSTVERSION=2.4.100
 }
 
+post_to_2.4.110() {
+  echo "Nothing to apply"
+  POSTVERSION=2.4.110
+}
+
 repo_sync() {
   echo "Sync the local repo."
   su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -691,6 +699,11 @@ up_to_2.4.100() {
   determine_elastic_agent_upgrade
   INSTALLEDVERSION=2.4.100
 }
+up_to_2.4.110() {
+  echo "Nothing to do for 2.4.110"
+
+  INSTALLEDVERSION=2.4.110
+}
 
 add_detection_test_pillars() {
   if [[ -n "$SOUP_INTERNAL_TESTING" ]]; then
@@ -1079,6 +1092,16 @@ apply_hotfix() {
   fi
 }
 
+failed_soup_restore_items() {
+  local services=("$cron_service_name" "salt-master" "salt-minion")
+  for SERVICE_NAME in "${services[@]}"; do
+    if ! systemctl is-active --quiet "$SERVICE_NAME"; then
+      systemctl_func "start" "$SERVICE_NAME"
+    fi
+  done
+  enable_highstate
+  masterunlock
+}
 
 #upgrade salt to 3004.1
 #2_3_10_hotfix_1() {
@@ -1118,6 +1141,8 @@ main() {
   echo ""
   require_manager
 
+  failed_soup_restore_items
+
   check_pillar_items
 
   echo "Checking to see if this is an airgap install."

salt/soc/defaults.yaml

@@ -2271,6 +2271,7 @@ soc:
               query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled"
               description: Show Detections that have Overrides
         detection:
+          showUnreviewedAiSummaries: false
           presets:
             severity:
                 customEnabled: false

salt/soc/soc_soc.yaml

@@ -463,6 +463,9 @@ soc:
         dashboards: *appSettings
         detections: *appSettings
         detection:
+          showUnreviewedAiSummaries:
+            description: Show AI summaries in detections even if they have not yet been reviewed by a human.
+            global: True
           templateDetections:
             suricata:
               description: The template used when creating a new Suricata detection. [publicId] will be replaced with an unused Public Id.