From 025993407e6ce02fb313b5ccf5532f639c8fdf50 Mon Sep 17 00:00:00 2001 From: doug Date: Mon, 13 Jun 2022 08:03:44 -0400 Subject: [PATCH 01/84] FIX: Add event.category field to pfsense firewall logs #8112 --- salt/elasticsearch/files/ingest/filterlog | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/salt/elasticsearch/files/ingest/filterlog b/salt/elasticsearch/files/ingest/filterlog index 3e885fe54..fb197c706 100644 --- a/salt/elasticsearch/files/ingest/filterlog +++ b/salt/elasticsearch/files/ingest/filterlog @@ -51,9 +51,10 @@ }, { "set": { "field": "_index", "value": "so-firewall", "override": true } }, { "set": { "if": "ctx.network?.transport_id == '0'", "field": "network.transport", "value": "icmp", "override": true } }, - {"community_id": {} }, - { "set": { "field": "module", "value": "pfsense", "override": true } }, - { "set": { "field": "dataset", "value": "firewall", "override": true } }, + { "community_id": {} }, + { "set": { "field": "module", "value": "pfsense", "override": true } }, + { "set": { "field": "dataset", "value": "firewall", "override": true } }, + { "set": { "field": "category", "value": "network", "override": true } }, { "remove": { "field": ["real_message", "ip_sub_msg", "firewall.sub_message"], "ignore_failure": true } } ] } From 072cb3cca2b8c74b929eff2b612f0a724a031350 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 15 Jun 2022 11:38:38 -0400 Subject: [PATCH 02/84] Change curator to daily for true cluster --- salt/common/tools/sbin/so-yara-update | 2 +- salt/curator/init.sls | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/salt/common/tools/sbin/so-yara-update b/salt/common/tools/sbin/so-yara-update index c265bbb57..2cf893ba5 100755 --- a/salt/common/tools/sbin/so-yara-update +++ b/salt/common/tools/sbin/so-yara-update 
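Review bot: The added processor sets a top-level `category` field, while the patch subject promises `event.category`; unless a later processor or the index template copies `module`/`dataset`/`category` into `event.*` (not visible in this hunk), the dashboards that group by `event.category` will not see this value. If such a rename step exists, confirm it covers `category` and not only the two fields that were already set here. The `-`/`+` pairs for `community_id`, `module` and `dataset` are whitespace-only and could be dropped so the diff shows just the one added line.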
@@ -48,7 +48,7 @@ fi {% else %} -gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com) +gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com) clone_dir="/tmp" if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 48403baba..a01a8a292 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -201,8 +201,8 @@ so-curatorclusterclose: cron.present: - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1 - user: root - - minute: '2' - - hour: '*/1' + - minute: '5' + - hour: '1' - daymonth: '*' - month: '*' - dayweek: '*' @@ -211,8 +211,8 @@ so-curatorclusterdelete: cron.present: - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-delete.log 2>&1 - user: root - - minute: '2' - - hour: '*/1' + - minute: '5' + - hour: '1' - daymonth: '*' - month: '*' - dayweek: '*' @@ -221,8 +221,8 @@ so-curatorclusterwarm: cron.present: - name: /usr/sbin/so-curator-cluster-warm > /opt/so/log/curator/cron-warm.log 2>&1 - user: root - - minute: '2' - - hour: '*/1' + - minute: '5' + - hour: '1' - daymonth: '*' - month: '*' - dayweek: '*' From b8ee896f8aee15f15d1b234c899a7eedf12a1e1b Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 17 Jun 2022 12:38:54 -0400 Subject: [PATCH 03/84] pin v1.6.0 --- .github/workflows/leaktest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/leaktest.yml b/.github/workflows/leaktest.yml index c2f7f8010..fbe6c56e1 100644 --- a/.github/workflows/leaktest.yml +++ b/.github/workflows/leaktest.yml @@ -12,6 +12,6 @@ jobs: fetch-depth: '0' - name: Gitleaks - uses: zricethezav/gitleaks-action@master + uses: gitleaks/gitleaks-action@v1.6.0 with: config-path: .github/.gitleaks.toml From 94c637449d77f213e1dc1a0a0c0daeceafe59cf5 Mon Sep 17 00:00:00 2001 
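Review bot: The reachability probe on the `+` line has no time limit, so a github.com that accepts the connection but stalls keeps `so-yara-update` waiting inside curl instead of reaching the status check below; `gh_status=$(curl -s --max-time 10 -o /dev/null -w "%{http_code}" https://github.com)` bounds it. With the move to https a certificate failure now yields status `000` silently because of `-s`; adding `-S` keeps that error visible in the log while still suppressing the progress meter. The enclosing `{% else %}` branch continues outside the hunk.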
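Review bot: All three curator cron jobs (this hunk and the two that follow for `so-curatorclusterdelete` and `so-curatorclusterwarm`) now fire at exactly `minute: '5'`, `hour: '1'`, so close, delete and warm run concurrently against the cluster once a day instead of hourly. If the scripts are order-dependent or touch the same indices, stagger them, e.g. `minute: '5'`, `minute: '15'`, `minute: '25'`; I cannot tell from the hunks whether they lock against each other. A daily schedule also means one failed run leaves indices unmanaged for 24 hours, which is worth a comment next to the schedule so the next reader knows it is deliberate.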
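Review bot: `gitleaks/gitleaks-action@v1.6.0` is pinned to a tag, and tags are mutable, so the code this secret scanner executes can still change without any diff in this repository; pin to the commit SHA the tag resolves to and keep the tag as a comment, `uses: gitleaks/gitleaks-action@<commit-sha-of-v1.6.0> # v1.6.0`. Moving off `@master` is the right direction; this finishes it.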
From: Doug Burks Date: Tue, 21 Jun 2022 12:53:06 -0400 Subject: [PATCH 04/84] FIX: Improve default dashboards #8136 --- salt/soc/files/soc/dashboards.queries.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json index dfa999ac6..7169fd472 100644 --- a/salt/soc/files/soc/dashboards.queries.json +++ b/salt/soc/files/soc/dashboards.queries.json @@ -1,5 +1,5 @@ [ - { "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby event.dataset | groupby -bar event.module | groupby event.module | groupby -pie event.category | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "SOC Auth", "description": "Show all SOC authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"}, { "name": "Elastalerts", "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name | groupby alert_info.type"}, { "name": "Alerts", "description": "Show all alerts", "query": "event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"}, 
@@ -16,7 +16,7 @@ { "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"}, { "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip"}, { "name": "FTP", "description": "File Transfer Protocol logs", "query": "event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "HTTP", "description": "Hyper Text Transport Protocol logs", "query": "event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "HTTP", "description": "Hyper Text Transport Protocol logs", "query": "event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Intel", "description": "Zeek Intel framework hits", "query": "event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "IRC", "description": "Internet Relay Chat logs", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Kerberos", "description": "Kerberos logs", "query": 
"event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"}, From 776cc30a8e86069d3fb0a3642b7e44ce3b3d100c Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 21 Jun 2022 16:06:01 -0400 Subject: [PATCH 05/84] Update to ES 8.2.3 --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index dcb66355f..9de8d1514 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.2.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.2.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From af687fb2b5eafb69a26349f6145ad3e1e28da8e2 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 21 Jun 2022 16:06:28 -0400 Subject: [PATCH 06/84] Update config_saved_objects.ndjson --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 435cedfe0..7fc681f24 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
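Review bot: The saved-object id `8.2.3` is hard-coded inside the PUT URL on the `+` line and has to agree with the `id` in `config_saved_objects.ndjson` (bumped separately in the next patch), so every Elastic upgrade edits two files with nothing checking that they match. Rendering the version once at the top of this template, e.g. `{%- set KIBANA_CONFIG_ID = '8.2.3' %}` (name is only an example) and `.../saved_objects/config/{{ KIBANA_CONFIG_ID }}`, or taking it from whatever pillar value the rest of the stack already uses for the Elastic version, removes the drift. The `update()` function continues outside the hunk.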
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.2.2","id": "8.2.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.2.3","id": "8.2.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From ba6f716e4a5a152a9eff91d6bba8319f9093acc5 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 23 Jun 2022 06:09:04 -0400 Subject: [PATCH 07/84] Avoid failing setup due to retrying while waiting for lock file --- setup/so-setup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 225a01130..12209f2ad 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -1106,9 +1106,9 @@ if [[ $success != 0 ]]; then SO_ERROR=1; fi # Check entire setup log for errors or unexpected salt states and ensure cron jobs are not reporting errors to root's mailbox # Ignore "Status .* was not found" due to output from salt http.query or http.wait_for_successful_query states used with retry # Uncaught exception, closing connection|Exception in callback None - this is seen during influxdb / http.wait_for_successful_query state for ubuntu reinstall -if grep -E "ERROR|Result: False" $setup_log | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR|code: 100" || [[ -s /var/spool/mail/root && "$setup_type" == "iso" ]]; then +if grep -E "ERROR|Result: False" $setup_log | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR|code: 100|Running scope as unit" || [[ -s /var/spool/mail/root && "$setup_type" == "iso" ]]; then SO_ERROR=1 - grep --color=never "ERROR" "$setup_log" | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR|code: 100" > "$error_log" + grep --color=never "ERROR" "$setup_log" | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR|code: 100|Running scope as unit" > "$error_log" fi if [[ -n $SO_ERROR ]]; then From 568b43d0af9619e643746e6c9797a6125e6640cb Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 27 Jun 2022 10:10:13 -0400 Subject: [PATCH 08/84] Ensure file_path uses jinja to derive the value(s) from the pillar --- salt/sensoroni/files/analyzers/localfile/localfile.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
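Review bot: The second `+` line pairs `grep -qvE` with `> "$error_log"`, but `-q` suppresses all output, so `$error_log` is always written empty and whatever reads it later gets no detail on which lines raised `SO_ERROR`; drop `-q` on that line only, `grep --color=never "ERROR" "$setup_log" | grep -vE "..." > "$error_log"`. The exclusion regex is now duplicated verbatim on both lines, so hold it in one variable, e.g. `ignore_re='Status .* was not found|...|Running scope as unit'`, and reference `"$ignore_re"` from both greps so the next addition cannot land on only one of them. The `if` block is complete within the hunk.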
diff --git a/salt/sensoroni/files/analyzers/localfile/localfile.yaml b/salt/sensoroni/files/analyzers/localfile/localfile.yaml index 69740c379..8a2a9847c 100644 --- a/salt/sensoroni/files/analyzers/localfile/localfile.yaml +++ b/salt/sensoroni/files/analyzers/localfile/localfile.yaml @@ -1 +1 @@ -file_path: [] +file_path: "{{ salt['pillar.get']('sensoroni:analyzers:localfile:file_path', '') }}" From 85f790b28a433f39bc95984a25ad5c6522bcd6d1 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 27 Jun 2022 10:39:58 -0400 Subject: [PATCH 09/84] Change type from 'log' to 'filestream' to ensure compatibility with Elastic 8 --- salt/filebeat/pillar.example | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/filebeat/pillar.example b/salt/filebeat/pillar.example index e1731b22e..94be16717 100644 --- a/salt/filebeat/pillar.example +++ b/salt/filebeat/pillar.example @@ -1,7 +1,7 @@ filebeat: config: inputs: - - type: log + - type: filestream paths: - /nsm/mylogdir/mylog.log fields: @@ -19,4 +19,4 @@ filebeat: output: file: path: "/tmp/filebeat" - filename: filebeat \ No newline at end of file + filename: filebeat From 675ace21f5a846abebbe4034748afaed28e51643 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 27 Jun 2022 11:11:15 -0400 Subject: [PATCH 10/84] Add gh action for contrib check --- .github/workflows/contrib.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .github/workflows/contrib.yml diff --git a/.github/workflows/contrib.yml b/.github/workflows/contrib.yml new file mode 100644 index 000000000..1cb3b773b --- /dev/null +++ b/.github/workflows/contrib.yml 
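Review bot: The rendered value is wrapped in double quotes, so if `sensoroni:analyzers:localfile:file_path` holds a list (the previous default was `[]` and the subject says "value(s)"), Jinja emits its Python repr, e.g. `"['/a', '/b']"`, and the analyzer receives a single string rather than a list. Rendering it through a serialising filter without the surrounding quotes, `file_path: {{ salt['pillar.get']('sensoroni:analyzers:localfile:file_path', []) | yaml }}`, preserves the list shape and keeps the empty default as `[]` instead of `""`. I cannot see how the analyzer parses this key, so confirm which shape it expects.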
@@ -0,0 +1,24 @@ +name: contrib +on: + issue_comment: + types: [created] + pull_request_target: + types: [opened,closed,synchronize] + +jobs: + CLAssistant: + runs-on: ubuntu-latest + steps: + - name: "Contributor Check" + if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' + uses: cla-assistant/github-action@v2.1.3-beta + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PERSONAL_ACCESS_TOKEN : ${{ secrets.PERSONAL_ACCESS_TOKEN }} + with: + path-to-signatures: 'signatures_v1.json' + path-to-document: 'https://securityonionsolutions.com/cla' + allowlist: dependabot[bot],jertel,dougburks,TOoSmOotH,weslambert,defensivedepth,m0duspwnens + remote-organization-name: Security-Onion-Solutions + remote-repository-name: licensing + From 909e87650945a90d70c316765a7521332f71567a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 27 Jun 2022 11:41:49 -0400 Subject: [PATCH 11/84] Update ubuntu.sls --- salt/repo/client/ubuntu.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls index 301bdabae..345c9e2dc 100644 --- a/salt/repo/client/ubuntu.sls +++ b/salt/repo/client/ubuntu.sls @@ -7,7 +7,7 @@ saltstack.list: file.managed: - name: /etc/apt/sources.list.d/saltstack.list - contents: - - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt/ {{grains.oscodename}} main + - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt3004.2/ {{grains.oscodename}} main apt_update: cmd.run: From 080daee1d82adbf99aaa0d5c81a0c0e63a48ae86 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 27 Jun 2022 11:43:01 -0400 Subject: [PATCH 12/84] Update so-functions --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
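Review bot: This workflow runs on `pull_request_target`, so a PR from any fork triggers a job holding `secrets.PERSONAL_ACCESS_TOKEN`, yet the action doing the work is pinned only to the mutable tag `cla-assistant/github-action@v2.1.3-beta`; pin it to the commit SHA the tag resolves to, `uses: cla-assistant/github-action@<commit-sha> # v2.1.3-beta`, so a moved tag cannot change what executes with that token. The job has no `permissions:` block, so the default `GITHUB_TOKEN` keeps the repository-wide default scope; declare only what the action needs (`contents`, `pull-requests`, `statuses`, `actions`). The `if:` also matches a `recheck` comment on a plain issue, not just on a PR; adding `github.event.issue.pull_request` to the comment branch keeps the check to PRs. The job does not check out PR code, which is the important property for this trigger and should stay that way.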
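Review bot: The apt source now embeds the Salt version in the path (`salt3004.2/`), and the same literal is written independently in `so-functions` (`saltify`, two places) and `soup` (`update_repo`) in later patches of this series, while `master.defaults.yaml` and `minion.defaults.yaml` carry `version: 3004.2` separately and already warn to keep several files in sync. If those defaults are exposed to pillar as `salt:minion:version`, this line can render from it, e.g. `- deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt{{ salt['pillar.get']('salt:minion:version') }}/ {{grains.oscodename}} main`, so the repo path and the pinned package version cannot drift. The setup scripts presumably run before pillar is available, so a single shared shell variable would be the equivalent there.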
diff --git a/setup/so-functions b/setup/so-functions index 61c3985e3..8e966ef91 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2330,7 +2330,7 @@ saltify() { # Add saltstack repo(s) wget -q --inet4-only -O - https://repo.securityonion.net/file/securityonion-repo/ubuntu/"$ubuntu_version"/amd64/salt/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt3004.2/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 From f36c8da1fec00d0fa57e5262926413c1cdc28a4b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 27 Jun 2022 12:04:33 -0400 Subject: [PATCH 13/84] Update so-functions --- setup/so-functions | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 8e966ef91..d08d289fc 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -145,7 +145,7 @@ analyst_salt_local() { securityonion_repo gpg_rpm_import # Install salt - logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" salt-call state.apply workstation --local --file-root=../salt/ -l info 2>&1 | tee -a outfile 
@@ -2277,7 +2277,7 @@ saltify() { fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004.1" + logCmd "yum -y install salt-master-3004.2" fi logCmd "systemctl enable salt-master" ;; @@ -2290,7 +2290,7 @@ saltify() { fi set_progress_str 8 'Installing salt-minion & python modules' if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then - logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" fi logCmd "systemctl enable salt-minion" @@ -2351,7 +2351,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' retry 50 10 "apt-get -y install sqlite3 libssl-dev" >> "$setup_log" 2>&1 || exit 1 set_progress_str 7 'Installing salt-master' - retry 50 10 "apt-get -y install salt-master=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-master=3004.2+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1 ;; *) 
@@ -2369,7 +2369,7 @@ saltify() { retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 set_progress_str 8 'Installing salt-minion & python modules' - retry 50 10 "apt-get -y install salt-minion=3004.1+ds-1 salt-common=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-minion=3004.2+ds-1 salt-common=3004.2+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" >> "$setup_log" 2>&1 || exit 1 fi From 05e84699d1adf81a322034263d00e939bfd96116 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Mon, 27 Jun 2022 12:09:39 -0400 Subject: [PATCH 14/84] Update master.defaults.yaml --- salt/salt/master.defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index a07f22865..3e3510c8c 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml @@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: master: - version: 3004.1 + version: 3004.2 From fba5592f6217c7eb3ef25ff6d600919675214d02 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Mon, 27 Jun 2022 12:10:18 -0400 Subject: [PATCH 15/84] Update minion.defaults.yaml --- salt/salt/minion.defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index 68e044db8..e4ffe5fcb 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml 
@@ -2,6 +2,6 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3004.1 + version: 3004.2 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default service_start_delay: 30 # in seconds. From 8fccd4598a97b4e9e39eb76d6dfdd309adf4ead4 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 27 Jun 2022 16:23:01 -0400 Subject: [PATCH 16/84] update saltstack.list for 3004.2 --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 592c11d98..9e21af55f 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -990,7 +990,7 @@ update_repo() { fi rm -f /etc/apt/sources.list.d/salt.list - echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt $OSVER main" > /etc/apt/sources.list.d/saltstack.list + echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt3004.2/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list apt-get update fi } From 0ebd95730835d6f4e544396a5b2293e91f94263e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 30 Jun 2022 11:26:03 -0400 Subject: [PATCH 17/84] point to salt3004.2 --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index d08d289fc..c92b643cc 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -2362,7 +2362,7 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt3004.2/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" ;; esac From e86b7bff84872e801ca62ec7bb4cd8e9d9b187cc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 30 Jun 2022 13:29:21 -0400 Subject: [PATCH 18/84] Fix repo location --- .../sbin/so-elasticsearch-templates-load | 69 ------------------- .../client/files/centos/securityonion.repo | 2 +- .../files/centos/securityonioncache.repo | 2 +- 3 files changed, 2 insertions(+), 71 deletions(-) delete mode 100755 salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load deleted file mode 100755 index 93c1c6298..000000000 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load +++ /dev/null 
@@ -1,69 +0,0 @@ -#!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -{%- set mainint = salt['pillar.get']('host:mainint') %} -{%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} - -default_conf_dir=/opt/so/conf -ELASTICSEARCH_HOST="{{ MYIP }}" -ELASTICSEARCH_PORT=9200 -#ELASTICSEARCH_AUTH="" - -# Define a default directory to load pipelines from -ELASTICSEARCH_TEMPLATES="$default_conf_dir/elasticsearch/templates/" - -# Wait for ElasticSearch to initialize -echo -n "Waiting for ElasticSearch..." -COUNT=0 -ELASTICSEARCH_CONNECTED="no" -while [[ "$COUNT" -le 240 ]]; do - so-elasticsearch-query -k --output /dev/null --silent --head --fail - if [ $? -eq 0 ]; then - ELASTICSEARCH_CONNECTED="yes" - echo "connected!" - break - else - ((COUNT+=1)) - sleep 1 - echo -n "." - fi -done -if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then - echo - echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" - echo -fi - -cd ${ELASTICSEARCH_TEMPLATES}/component/ecs - -echo "Loading ECS component templates..." -for i in *; do TEMPLATE=$(echo $i | cut -d '.' 
-f1); echo "$TEMPLATE-mappings"; so-elasticsearch-query _component_template/$TEMPLATE-mappings -d@$i -XPUT 2>/dev/null; echo; done - -# Load SO-specific component templates -cd ${ELASTICSEARCH_TEMPLATES}/component/so - -echo "Loading Security Onion component templates..." -for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE"; so-elasticsearch-query _component_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done -echo - -# Load SO index templates -cd ${ELASTICSEARCH_TEMPLATES}/index - -echo "Loading Security Onion index templates..." -for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; so-elasticsearch-query _index_template/so-$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done -echo - -cd - >/dev/null diff --git a/salt/repo/client/files/centos/securityonion.repo b/salt/repo/client/files/centos/securityonion.repo index 23b6f8d6f..397cb7530 100644 --- a/salt/repo/client/files/centos/securityonion.repo +++ b/salt/repo/client/files/centos/securityonion.repo @@ -42,7 +42,7 @@ gpgkey=file:///etc/pki/rpm-gpg/docker.pub [saltstack] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack/ +baseurl=https://repo.securityonion.net/file/securityonion-repo/salt/ enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/SALTSTACK-GPG-KEY.pub diff --git a/salt/repo/client/files/centos/securityonioncache.repo b/salt/repo/client/files/centos/securityonioncache.repo index be8f41566..5064fb598 100644 --- a/salt/repo/client/files/centos/securityonioncache.repo +++ b/salt/repo/client/files/centos/securityonioncache.repo 
@@ -42,7 +42,7 @@ gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub [saltstack] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack/ +baseurl=http://repocache.securityonion.net/file/securityonion-repo/salt/ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub From 8b3d5e808ed49653367106377291cdb3b5a0a56a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 30 Jun 2022 13:30:56 -0400 Subject: [PATCH 19/84] Fix repo location --- .../sbin/so-elasticsearch-templates-load | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load new file mode 100644 index 000000000..93c1c6298 --- /dev/null +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load 
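Review bot: The new `baseurl` for the cache repo stays on plain `http://` while `gpgkey` on the next lines is fetched over https and the primary repo file uses https for both. `gpgcheck=1` still verifies each package signature, but the repository metadata is unauthenticated over http, so stale or downgraded metadata could be served from the network path; switch the baseurl to https if repocache supports it, or add `repo_gpgcheck=1` if the metadata is signed. I cannot tell from the hunk whether either is available on the cache host.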
@@ -0,0 +1,69 @@ +#!/bin/bash +# Copyright 2014-2022 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +{%- set mainint = salt['pillar.get']('host:mainint') %} +{%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} + +default_conf_dir=/opt/so/conf +ELASTICSEARCH_HOST="{{ MYIP }}" +ELASTICSEARCH_PORT=9200 +#ELASTICSEARCH_AUTH="" + +# Define a default directory to load pipelines from +ELASTICSEARCH_TEMPLATES="$default_conf_dir/elasticsearch/templates/" + +# Wait for ElasticSearch to initialize +echo -n "Waiting for ElasticSearch..." +COUNT=0 +ELASTICSEARCH_CONNECTED="no" +while [[ "$COUNT" -le 240 ]]; do + so-elasticsearch-query -k --output /dev/null --silent --head --fail + if [ $? -eq 0 ]; then + ELASTICSEARCH_CONNECTED="yes" + echo "connected!" + break + else + ((COUNT+=1)) + sleep 1 + echo -n "." + fi +done +if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then + echo + echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" + echo +fi + +cd ${ELASTICSEARCH_TEMPLATES}/component/ecs + +echo "Loading ECS component templates..." +for i in *; do TEMPLATE=$(echo $i | cut -d '.' 
-f1); echo "$TEMPLATE-mappings"; so-elasticsearch-query _component_template/$TEMPLATE-mappings -d@$i -XPUT 2>/dev/null; echo; done + +# Load SO-specific component templates +cd ${ELASTICSEARCH_TEMPLATES}/component/so + +echo "Loading Security Onion component templates..." +for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE"; so-elasticsearch-query _component_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done +echo + +# Load SO index templates +cd ${ELASTICSEARCH_TEMPLATES}/index + +echo "Loading Security Onion index templates..." +for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; so-elasticsearch-query _index_template/so-$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done +echo + +cd - >/dev/null From 7524ea2c05546e165c359e62329da5064332e177 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 30 Jun 2022 15:10:13 -0400 Subject: [PATCH 20/84] allow bootstrap-salt to install specific verion even if -r is used --- salt/salt/scripts/bootstrap-salt.sh | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/salt/salt/scripts/bootstrap-salt.sh b/salt/salt/scripts/bootstrap-salt.sh index ee1efcdf1..90070042f 100644 --- a/salt/salt/scripts/bootstrap-salt.sh +++ b/salt/salt/scripts/bootstrap-salt.sh 
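Review bot: The file comes back with `create mode 100644` after being removed with `delete mode 100755` in the previous patch, so the script loses its executable bit; unless the salt state that ships it sets `mode: 755` (not visible here), anything that invokes `so-elasticsearch-templates-load` by name will fail. Inside the script, the wait loop only prints a message when `ELASTICSEARCH_CONNECTED` is still `no` and then proceeds to the `cd` and load steps regardless, so the timeout branch should `exit 1` after its `echo -e` rather than fall through. Each `cd ${ELASTICSEARCH_TEMPLATES}/...` is also unguarded; `cd "${ELASTICSEARCH_TEMPLATES}/component/ecs" || exit 1` keeps `for i in *` from iterating over whatever directory the caller was in and pushing those files as templates. The probe passes `-k` to `so-elasticsearch-query`, which looks like curl's insecure flag being forwarded; a comment on why verification is skipped there would help if it is intended.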
@@ -4216,17 +4216,30 @@ install_centos_stable_deps() { install_centos_stable() { __PACKAGES="" + local cloud='salt-cloud' + local master='salt-master' + local minion='salt-minion' + local syndic='salt-syndic' + + if echo "$STABLE_REV" | grep -q "archive";then + local ver=$(echo "$STABLE_REV"|awk -F/ '{print $2}') + cloud+="-$ver" + master+="-$ver" + minion+="-$ver" + syndic+="-$ver" + fi + if [ "$_INSTALL_CLOUD" -eq $BS_TRUE ];then - __PACKAGES="${__PACKAGES} salt-cloud" + __PACKAGES="${__PACKAGES} $cloud" fi if [ "$_INSTALL_MASTER" -eq $BS_TRUE ];then - __PACKAGES="${__PACKAGES} salt-master" + __PACKAGES="${__PACKAGES} $master" fi if [ "$_INSTALL_MINION" -eq $BS_TRUE ]; then - __PACKAGES="${__PACKAGES} salt-minion" + __PACKAGES="${__PACKAGES} $minion" fi if [ "$_INSTALL_SYNDIC" -eq $BS_TRUE ];then - __PACKAGES="${__PACKAGES} salt-syndic" + __PACKAGES="${__PACKAGES} $syndic" fi # shellcheck disable=SC2086 From f0ff0d51f7858a3270797575e47de5d07119c2e1 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 30 Jun 2022 16:59:54 -0400 Subject: [PATCH 21/84] allow bootstrap-salt to install specific verion even if -r is used --- salt/salt/scripts/bootstrap-salt.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/salt/salt/scripts/bootstrap-salt.sh b/salt/salt/scripts/bootstrap-salt.sh index 90070042f..be5477ca4 100644 --- a/salt/salt/scripts/bootstrap-salt.sh +++ b/salt/salt/scripts/bootstrap-salt.sh 
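Review bot: `local ver=$(echo "$STABLE_REV"|awk -F/ '{print $2}')` declares and assigns in one statement, so the exit status of the pipeline is masked by `local` (ShellCheck SC2155); split it into `local ver` followed by `ver=$(echo "$STABLE_REV" | awk -F/ '{print $2}')`. The same line is carried into the two following bootstrap-salt.sh commits in this series. The `awk -F/ '{print $2}'` extraction also assumes `$STABLE_REV` has exactly the shape `archive/<version>`; a deeper path would silently yield the wrong component, so a comment stating the expected form, `# expects STABLE_REV like archive/<version>`, would make the assumption visible.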
@@ -4221,8 +4221,13 @@ install_centos_stable() { local minion='salt-minion' local syndic='salt-syndic' - if echo "$STABLE_REV" | grep -q "archive";then - local ver=$(echo "$STABLE_REV"|awk -F/ '{print $2}') + if echo "$STABLE_REV" | grep -q "archive";then # point release being applied + local ver=$(echo "$STABLE_REV"|awk -F/ '{print $2}') # strip archive/ + elif echo "$STABLE_REV" | grep -vq "archive|latest";then # latest or major version(3003, 3004, etc) being applie + local ver=$STABLE_REV + fi + + if [ ! -z $ver ]; then cloud+="-$ver" master+="-$ver" minion+="-$ver" From 5f898ae569b4f141a053bd244d883340dc976cda Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 1 Jul 2022 08:47:46 -0400 Subject: [PATCH 22/84] change to egrep --- salt/salt/scripts/bootstrap-salt.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/salt/scripts/bootstrap-salt.sh b/salt/salt/scripts/bootstrap-salt.sh index be5477ca4..47d25949c 100644 --- a/salt/salt/scripts/bootstrap-salt.sh +++ b/salt/salt/scripts/bootstrap-salt.sh @@ -4223,7 +4223,7 @@ install_centos_stable() { if echo "$STABLE_REV" | grep -q "archive";then # point release being applied local ver=$(echo "$STABLE_REV"|awk -F/ '{print $2}') # strip archive/ - elif echo "$STABLE_REV" | grep -vq "archive|latest";then # latest or major version(3003, 3004, etc) being applie + elif echo "$STABLE_REV" | egrep -vq "archive|latest";then # latest or major version(3003, 3004, etc) being applie local ver=$STABLE_REV fi From a1d1779126f86c9df2457bbd8fb155640f980e6e Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 5 Jul 2022 09:21:05 -0400 Subject: [PATCH 23/84] Remove unneeded sudo --- salt/common/tools/sbin/so-bpf-compile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-bpf-compile b/salt/common/tools/sbin/so-bpf-compile index 44c5b8249..f1136cd0e 100755 --- a/salt/common/tools/sbin/so-bpf-compile +++ b/salt/common/tools/sbin/so-bpf-compile 
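Review bot: `if [ ! -z $ver ]` leaves `$ver` unquoted, and `ver` is only declared inside the `if`/`elif` branches, so when neither branch matches the test reads whatever `ver` the calling shell happens to have exported rather than an empty local. Declare it up front with `local ver=""` before the `if`, and write the test as `if [ -n "$ver" ]; then`. `install_centos_stable` continues outside the hunk.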
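Review bot: `egrep -vq "archive|latest"` reaches for the `egrep` wrapper, which recent GNU grep releases flag as obsolescent with a warning on stderr, so bootstrap output on newer hosts would gain noise; the equivalent `grep -Evq "archive|latest"` avoids that. The trailing comment still reads "being applie" and should be "being applied".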
@@ -29,7 +29,7 @@ fi interface="$1" shift -sudo tcpdump -i $interface -ddd $@ | tail -n+2 | +tcpdump -i $interface -ddd $@ | tail -n+2 | while read line; do cols=( $line ) printf "%04x%02x%02x%08x" ${cols[0]} ${cols[1]} ${cols[2]} ${cols[3]} From e96206d065a7cb7a23a671f5fab002b4c8d6e811 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 5 Jul 2022 14:25:54 +0000 Subject: [PATCH 24/84] Strip quotes and ensure file_path is typed as a list --- salt/sensoroni/files/analyzers/localfile/localfile.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/sensoroni/files/analyzers/localfile/localfile.py b/salt/sensoroni/files/analyzers/localfile/localfile.py index 5538d6a93..0924a98cc 100755 --- a/salt/sensoroni/files/analyzers/localfile/localfile.py +++ b/salt/sensoroni/files/analyzers/localfile/localfile.py @@ -17,7 +17,7 @@ def searchFile(artifact, csvfiles): dir = os.path.dirname(os.path.realpath(__file__)) found = [] for f in csvfiles: - filename = dir + "/" + f + filename = dir + "/" + f.strip("'") with open(filename, "r") as csvfile: csvdata = csv.DictReader(csvfile) for row in csvdata: @@ -58,7 +58,7 @@ def analyze(conf, input): meta = helpers.loadMetadata(__file__) data = helpers.parseArtifact(input) helpers.checkSupportedType(meta, data["artifactType"]) - search = searchFile(data["value"], conf['file_path']) + search = searchFile(data["value"], conf['file_path'].strip("[]").split(', ')) results = prepareResults(search) return results From 79e88c9ca3077c83354a62eb3c2989e371323f32 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 5 Jul 2022 14:45:30 -0400 Subject: [PATCH 25/84] Update to Kibana 8.3.1 --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 9de8d1514..6c1fb1bc1 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load 
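Review bot: `tcpdump -i $interface -ddd $@` leaves both `$interface` and `$@` unquoted, so a filter expression passed as separate arguments is re-split and glob-expanded before tcpdump sees it; use `tcpdump -i "$interface" -ddd "$@" | tail -n+2 |`. The `while read line` consuming the output should be `while read -r line` so backslashes in the `-ddd` output are not interpreted. Dropping `sudo` presumably relies on the script already running as root; as far as I recall tcpdump still opens the live interface to learn the link type when `-i` is given even for `-ddd`, so an unprivileged invocation would now fail, which is worth confirming. The pipeline continues past the end of the hunk.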
@@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.2.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From 2938464501b06f0efde90809516593531623cb23 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 5 Jul 2022 14:46:02 -0400 Subject: [PATCH 26/84] Update to Kibana 8.3.1 --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 7fc681f24..625408a49 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.2.3","id": "8.2.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.1","id": "8.3.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From df0a774ffd96191ef5f20457ea5a88ccc8c16964 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 5 Jul 2022 16:17:32 -0400 Subject: [PATCH 27/84] Make soup enforce versions --- salt/common/tools/sbin/soup | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 9e21af55f..b5f6f5b32 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -377,6 +377,18 @@ enable_highstate() { echo "" } +es_version_check() { + CHECK_ES=$(echo $INSTALLEDVERSION | aek -F. '{print $3}' + if [ "$CHECK_ES" -lt "110" ]; then + echo "In order to update to the latest version of Security Onion you need to at least be on version 2.3.110. We recommend installing 2.3.130." + echo "" + echo "To install 2.3.130 via the internet use the following command:" + echo "sudo BRANCH=2.3.130-20220607 soup" + echo "If you are an airgap userplease download 2.3.130 from https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso" + echo "*** YOU WILL NEED TO RUN THE SOUP COMMAND TWICE! ***" + exit 0 +} + generate_and_clean_tarballs() { local new_version new_version=$(cat $UPDATE_DIR/VERSION) @@ -1081,6 +1093,7 @@ main() { echo "" set_os + es_version_check set_cron_service_name if ! check_salt_master_status; then echo "Could not talk to salt master" From f6266b19cc293d28bd8578f97ac47e23f2d5321b Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 5 Jul 2022 16:20:15 -0400 Subject: [PATCH 28/84] Fix unit test issues --- salt/sensoroni/files/analyzers/build.sh | 3 ++- .../files/analyzers/localfile/localfile_test.py | 13 ++++++++----- .../malwarehashregistry/malwarehashregistry_test.py | 4 +++- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/salt/sensoroni/files/analyzers/build.sh b/salt/sensoroni/files/analyzers/build.sh index cb7dcbc52..386cc92d5 100755 --- a/salt/sensoroni/files/analyzers/build.sh +++ b/salt/sensoroni/files/analyzers/build.sh @@ -15,8 +15,9 @@ function ci() { exit 1 fi + pip install pytest pytest-cov flake8 "$TARGET_DIR" "--config=${HOME_DIR}/pytest.ini" - pytest "$TARGET_DIR" "--cov-config=${HOME_DIR}/pytest.ini" "--cov=$TARGET_DIR" --doctest-modules --cov-report=term --cov-fail-under=100 + python3 -m pytest "--cov-config=${HOME_DIR}/pytest.ini" "--cov=$TARGET_DIR" --doctest-modules --cov-report=term --cov-fail-under=100 "$TARGET_DIR" } function download() { 
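Review bot: `es_version_check` refuses the upgrade and then ends with `exit 0`, so anything wrapping soup and checking its status (cron, automation, a scripted second run) sees success even though nothing was upgraded; this should be `exit 1`. The same `exit 0` is carried through the function's rewrite in the later soup commits in this series. `[ "$CHECK_ES" -lt "110" ]` also assumes the third dotted field of `$INSTALLEDVERSION` is always a plain integer; if that variable is empty or carries a suffix, `-lt` aborts with an integer-expression error instead of a readable message, so a guard such as `case "$CHECK_ES" in ''|*[!0-9]*) echo "Unable to determine installed version"; exit 1;; esac` before the comparison is worthwhile. The name suggests an Elasticsearch check while the body inspects the Security Onion version, which deserves a one-line comment above the function.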
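Review bot: `pip install pytest pytest-cov` pulls whatever versions are current at CI time, so a new (or compromised) pytest or pytest-cov release changes what the test job runs without any change to this repository. Pin them, e.g. `pip install "pytest==<pinned-version>" "pytest-cov==<pinned-version>"`, or move them into a requirements file installed with `--require-hashes`. The install also uses bare `pip` while the next line switches to `python3 -m pytest`; `python3 -m pip install ...` keeps both on the same interpreter.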
diff --git a/salt/sensoroni/files/analyzers/localfile/localfile_test.py b/salt/sensoroni/files/analyzers/localfile/localfile_test.py index 30b171f86..154b74cd7 100644 --- a/salt/sensoroni/files/analyzers/localfile/localfile_test.py +++ b/salt/sensoroni/files/analyzers/localfile/localfile_test.py @@ -17,13 +17,16 @@ class TestLocalfileMethods(unittest.TestCase): def test_main_success(self): output = {"foo": "bar"} + conf = {"file_path": ["somefile.csv"]} with patch('sys.stdout', new=StringIO()) as mock_stdout: with patch('localfile.localfile.analyze', new=MagicMock(return_value=output)) as mock: - sys.argv = ["cmd", "input"] - localfile.main() - expected = '{"foo": "bar"}\n' - self.assertEqual(mock_stdout.getvalue(), expected) - mock.assert_called_once() + with patch('helpers.loadConfig', new=MagicMock(return_value=conf)) as lcmock: + sys.argv = ["cmd", "input"] + localfile.main() + expected = '{"foo": "bar"}\n' + self.assertEqual(mock_stdout.getvalue(), expected) + mock.assert_called_once() + lcmock.assert_called_once() def test_checkConfigRequirements_present(self): conf = {"file_path": "['intel.csv']"} diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/malwarehashregistry_test.py b/salt/sensoroni/files/analyzers/malwarehashregistry/malwarehashregistry_test.py index 824949d8b..a4a7d2340 100644 --- a/salt/sensoroni/files/analyzers/malwarehashregistry/malwarehashregistry_test.py +++ b/salt/sensoroni/files/analyzers/malwarehashregistry/malwarehashregistry_test.py 
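Review bot: `sys.argv = ["cmd", "input"]` replaces the interpreter's argv for the rest of the process and is never restored, so later tests (and pytest's own argument handling) see the substituted value. Wrapping it as `with patch.object(sys, 'argv', ["cmd", "input"]):` alongside the other patches restores it on exit. The class continues outside the hunk.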
@@ -35,7 +35,9 @@ class TestMalwareHashRegistryMethods(unittest.TestCase): response = malwarehashregistry.sendReq(hash) mock.assert_called_once_with(options, hash, flags) self.assertIsNotNone(response) - self.assertEqual(response, {"hash": "84af04b8e69682782607a0c5796ca56999eda6b3", "last_seen": "2019-15-07 03:30:33", "av_detection_percentage": 35}) + self.assertEqual(response["hash"], "84af04b8e69682782607a0c5796ca56999eda6b3") + self.assertRegex(response["last_seen"], r'2019-..-07 ..:..:33') # host running this test won't always use UTC + self.assertEqual(response["av_detection_percentage"], 35) def test_sendReqNoData(self): output = "84af04b8e69682782607a0c5796ca5696b3 NO_DATA" From 9d43b7ec89eb2476838f919eee2f51ebd16d04db Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 5 Jul 2022 16:21:27 -0400 Subject: [PATCH 29/84] Rollback string manipulation in favor of fixed unit tests --- salt/sensoroni/files/analyzers/localfile/localfile.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/sensoroni/files/analyzers/localfile/localfile.py b/salt/sensoroni/files/analyzers/localfile/localfile.py index 0924a98cc..5538d6a93 100755 --- a/salt/sensoroni/files/analyzers/localfile/localfile.py +++ b/salt/sensoroni/files/analyzers/localfile/localfile.py @@ -17,7 +17,7 @@ def searchFile(artifact, csvfiles): dir = os.path.dirname(os.path.realpath(__file__)) found = [] for f in csvfiles: - filename = dir + "/" + f.strip("'") + filename = dir + "/" + f with open(filename, "r") as csvfile: csvdata = csv.DictReader(csvfile) for row in csvdata: @@ -58,7 +58,7 @@ def analyze(conf, input): meta = helpers.loadMetadata(__file__) data = helpers.parseArtifact(input) helpers.checkSupportedType(meta, data["artifactType"]) - search = searchFile(data["value"], conf['file_path'].strip("[]").split(', ')) + search = searchFile(data["value"], conf['file_path']) results = prepareResults(search) return results 
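Review bot: `self.assertRegex(response["last_seen"], r'2019-..-07 ..:..:33')` loosens the check to any month, hour and minute, which also hides a wrong conversion; the comment attributes the variance to the host timezone, so pinning the timezone in the test would keep the exact assertion. If `sendReq` formats an epoch through `time.localtime`, patching it for the call (`patch('time.localtime', time.gmtime)`) gives a deterministic value; if it goes through `datetime`, compare against the expected UTC string instead. The class continues outside the hunk.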
From c6fac28804f6a97b3f74a94b11b59224f09fde27 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 5 Jul 2022 16:26:44 -0400 Subject: [PATCH 30/84] Update soup --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index b5f6f5b32..936e5f06c 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -378,7 +378,7 @@ enable_highstate() { } es_version_check() { - CHECK_ES=$(echo $INSTALLEDVERSION | aek -F. '{print $3}' + CHECK_ES=$(echo $INSTALLEDVERSION | awk -F. '{print $3}') if [ "$CHECK_ES" -lt "110" ]; then echo "In order to update to the latest version of Security Onion you need to at least be on version 2.3.110. We recommend installing 2.3.130." echo "" From 5f0c3aa7aeafc3c64930352d92c0a9a47a31aa5c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 5 Jul 2022 16:49:20 -0400 Subject: [PATCH 31/84] Update soup --- salt/common/tools/sbin/soup | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 936e5f06c..1aaca5e28 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -378,15 +378,19 @@ enable_highstate() { } es_version_check() { - CHECK_ES=$(echo $INSTALLEDVERSION | awk -F. '{print $3}') - if [ "$CHECK_ES" -lt "110" ]; then - echo "In order to update to the latest version of Security Onion you need to at least be on version 2.3.110. We recommend installing 2.3.130." - echo "" - echo "To install 2.3.130 via the internet use the following command:" - echo "sudo BRANCH=2.3.130-20220607 soup" - echo "If you are an airgap userplease download 2.3.130 from https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso" - echo "*** YOU WILL NEED TO RUN THE SOUP COMMAND TWICE! ***" - exit 0 + CHECK_ES=$(echo $INSTALLEDVERSION | awk -F. '{print $3}') + + if [ "$CHECK_ES" -lt "110" ]; then + echo "You are currently running Security Onion $INSTALLEDVERSION. You will need to update to version 2.3.130 before updating to 2.3.140 or higher." + echo "" + echo "If your deployment has Internet access, you can use the following command to update to 2.3.130: +sudo BRANCH=2.3.130-20220607 soup" + echo "" + echo "Otherwise, if your deployment is configured for airgap, you can instead download the 2.3.130 ISO image from https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso." + echo "" + echo "*** Once you have updated to 2.3.130, you can then update to 2.3.140 or higher as you would normally. ***" + exit 0 + fi } generate_and_clean_tarballs() { From f1d188a46d35ffc1ae8ccc7aba5f2c0571bd0e24 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 5 Jul 2022 16:50:20 -0400 Subject: [PATCH 32/84] Update soup --- salt/common/tools/sbin/soup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 1aaca5e28..7799a38ef 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -383,8 +383,8 @@ es_version_check() { if [ "$CHECK_ES" -lt "110" ]; then echo "You are currently running Security Onion $INSTALLEDVERSION. You will need to update to version 2.3.130 before updating to 2.3.140 or higher." echo "" - echo "If your deployment has Internet access, you can use the following command to update to 2.3.130: -sudo BRANCH=2.3.130-20220607 soup" + echo "If your deployment has Internet access, you can use the following command to update to 2.3.130:" + echo "sudo BRANCH=2.3.130-20220607 soup" echo "" echo "Otherwise, if your deployment is configured for airgap, you can instead download the 2.3.130 ISO image from https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso." echo "" From 1589107b970e8a69ddb67b304205db70edfbc2d8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 6 Jul 2022 08:59:21 -0400 Subject: [PATCH 33/84] Move soup order --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 7799a38ef..c4b6308f9 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -1097,7 +1097,6 @@ main() { echo "" set_os - es_version_check set_cron_service_name if ! check_salt_master_status; then echo "Could not talk to salt master" @@ -1142,6 +1141,7 @@ main() { fi echo "Verifying we have the latest soup script." verify_latest_update_script + es_version_check echo "" set_palette check_elastic_license From c00d33632aa96c3551283ad4c9f7f1a38c7f5dcc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 6 Jul 2022 16:23:02 -0400 Subject: [PATCH 34/84] Update soup --- salt/common/tools/sbin/soup | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index c4b6308f9..79b2970e7 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -779,10 +779,13 @@ up_to_2.3.100() { echo "Adding receiver to assigned_hostgroups.local.map.yaml" grep -qxF " receiver:" /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml || sed -i -e '$a\ receiver:' /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml + + INSTALLEDVERSION=2.3.100 } up_to_2.3.110() { sed -i 's|shards|index_template:\n template:\n settings:\n index:\n number_of_shards|g' /opt/so/saltstack/local/pillar/global.sls + INSTALLEDVERSION=2.3.110 } up_to_2.3.120() { @@ -790,11 +793,13 @@ up_to_2.3.120() { so-thehive-stop so-thehive-es-stop so-cortex-stop + INSTALLEDVERSION=2.3.120 } up_to_2.3.130() { # Remove file for nav update rm -f /opt/so/conf/navigator/layers/nav_layer_playbook.json + INSTALLEDVERSION=2.3.130 } up_to_2.3.140() { @@ -826,6 +831,7 @@ up_to_2.3.140() { # Delete Elastalert indices for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do so-elasticsearch-query $i -XDELETE; done ## + INSTALLEDVERSION=2.3.140 } verify_upgradespace() { From c819d3a558072c457b1126c8df8312e221132eac Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 6 Jul 2022 16:36:57 -0400 Subject: [PATCH 35/84] Update soup --- salt/common/tools/sbin/soup | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 79b2970e7..ce797e6f7 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -456,6 +456,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.3.100 ]] && post_to_2.3.110 [[ "$POSTVERSION" == 2.3.110 ]] && post_to_2.3.120 [[ "$POSTVERSION" == 2.3.120 ]] && post_to_2.3.130 + [[ "$POSTVERSION" == 2.3.130 ]] && post_to_2.3.140 true @@ -532,6 +533,11 @@ post_to_2.3.130() { POSTVERSION=2.3.130 } +post_to_2.3.140() { + echo "Post Processing for 2.3.140" + POSTVERSION=2.3.140 +} + stop_salt_master() { From 42c96553c517f03e14a020baacac1a7f52f86d0e Mon Sep 17 00:00:00 2001 
From: weslambert Date: Thu, 7 Jul 2022 11:04:43 -0400 Subject: [PATCH 36/84] Update to Kibana 8.3.2 --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 6c1fb1bc1..e19f25439 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From ede845ce002abf94e88858b25aec9af6c13ae3fc Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 7 Jul 2022 11:05:44 -0400 Subject: [PATCH 37/84] Update to Kibana 8.3.2 --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 625408a49..4ec8f9ca7 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.1","id": "8.3.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.2","id": "8.3.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From 85be2f4f99152b6cde4bc9f2b1ca934dcfdae879 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 7 Jul 2022 15:55:44 -0400 Subject: [PATCH 38/84] Force so-user to sync roles to ensure so_kibana role change from superuser to kibana_system --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index ce797e6f7..cb1374033 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -535,6 +535,7 @@ post_to_2.3.130() { post_to_2.3.140() { echo "Post Processing for 2.3.140" + FORCE_SYNC=true so-user sync POSTVERSION=2.3.140 } From 4bbc9018601490cbea7395f3852d025612efc215 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 7 Jul 2022 17:19:02 -0400 Subject: [PATCH 39/84] Restart Kibana in case it times out before being able to read in new role configuration --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) 
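Review bot: `FORCE_SYNC=true so-user sync` runs without its result being checked, and `POSTVERSION=2.3.140` is set on the next line regardless, so a failed sync leaves the so_kibana role at its previous privilege level (the superuser-to-kibana_system change named in the commit subject) with no retry and no message. At minimum surface the failure: `if ! FORCE_SYNC=true so-user sync; then` / `  echo "WARNING: so-user sync failed; re-run 'FORCE_SYNC=true so-user sync' so the so_kibana role change is applied"` / `fi`. The `so-kibana-restart` added to the same function in the following commit has the same unchecked status.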
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index cb1374033..e6b34c39d 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -536,6 +536,7 @@ post_to_2.3.130() { post_to_2.3.140() { echo "Post Processing for 2.3.140" FORCE_SYNC=true so-user sync + so-kibana-restart POSTVERSION=2.3.140 } From b06c16f750fae2ead9f26d02362e9ab8b5b6d5d9 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 8 Jul 2022 15:53:00 +0000 Subject: [PATCH 40/84] Add ingest node pipeline for Kratos --- salt/elasticsearch/files/ingest/kratos | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 salt/elasticsearch/files/ingest/kratos diff --git a/salt/elasticsearch/files/ingest/kratos b/salt/elasticsearch/files/ingest/kratos new file mode 100644 index 000000000..dc93e888d --- /dev/null +++ b/salt/elasticsearch/files/ingest/kratos @@ -0,0 +1,13 @@ +{ + "description" : "kratos", + "processors" : [ + { + "set": { + "field": "_index", + "value": "so-kratos", + "override": true + } + }, + { "pipeline": { "name": "common" } } + ] +} From 764e8688b108547158993abebb3972b1f9e6dc51 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 8 Jul 2022 15:53:55 +0000 Subject: [PATCH 41/84] Modify Kratos input to use dedicated index and add filestream ID for all applicable inputs --- salt/filebeat/etc/filebeat.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 04a3351a3..176007bae 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -118,6 +118,7 @@ filebeat.inputs: {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %} - type: filestream + id: logscan paths: - /logs/logscan/alerts.log fields: 
@@ -135,6 +136,7 @@ filebeat.inputs: {%- if ZEEKVER != 'SURICATA' %} {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %} - type: filestream + id: zeek-{{ LOGNAME }} paths: - /nsm/zeek/logs/current/{{ LOGNAME }}.log fields: @@ -150,6 +152,7 @@ filebeat.inputs: close_removed: false - type: filestream + id: import-zeek={{ LOGNAME }} paths: - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log fields: @@ -174,6 +177,7 @@ filebeat.inputs: {%- endif %} - type: filestream + id: suricata-eve paths: - /nsm/suricata/eve*.json fields: @@ -190,6 +194,7 @@ filebeat.inputs: close_removed: false - type: filestream + id: import-suricata paths: - /nsm/import/*/suricata/eve*.json fields: @@ -212,6 +217,7 @@ filebeat.inputs: close_removed: false {%- if STRELKAENABLED == 1 %} - type: filestream + id: strelka paths: - /nsm/strelka/log/strelka.log fields: @@ -233,6 +239,7 @@ filebeat.inputs: {%- if WAZUHENABLED == 1 %} - type: filestream + id: wazuh paths: - /wazuh/archives/archives.json fields: @@ -251,6 +258,7 @@ filebeat.inputs: {%- if FLEETMANAGER or FLEETNODE %} - type: filestream + id: osquery paths: - /nsm/osquery/fleet/result.log fields: @@ -321,12 +329,12 @@ filebeat.inputs: {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %} - type: filestream + id: kratos paths: - /logs/kratos/kratos.log fields: module: kratos category: host - tags: beat-ext processors: - decode_json_fields: fields: ["message"] @@ -344,6 +352,7 @@ filebeat.inputs: target: '' fields: event.dataset: access + pipeline: "kratos" fields_under_root: true clean_removed: false close_removed: false @@ -351,6 +360,7 @@ filebeat.inputs: {%- if grains.role == 'so-idh' %} - type: filestream + id: idh paths: - /nsm/idh/opencanary.log fields: From 26698cfd07c43b6ba52f5fbc71e1a6e9e16c3dd1 Mon Sep 17 00:00:00 2001 
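Review bot: `id: import-zeek={{ LOGNAME }}` in the `@@ -150,6 +152,7 @@` hunk uses `=` as the separator while every other new id in this file uses `-` (`zeek-{{ LOGNAME }}`, `import-suricata`); it should be `id: import-zeek-{{ LOGNAME }}`. As far as I recall the filestream id keys the input's registry state, so renaming it after deployment causes files to be re-read, which makes it worth fixing before this ships. The kratos input also drops `tags: beat-ext` while gaining `pipeline: "kratos"`; if anything else keyed on that tag (Logstash routing, for instance), that is a behaviour change beyond the index move and deserves a mention in the commit message.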
From: Wes Lambert Date: Fri, 8 Jul 2022 15:55:55 +0000 Subject: [PATCH 42/84] Add Logstash output for dedicated Kratos index --- .../config/so/9802_output_kratos.conf.jinja | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja diff --git a/salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja b/salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja new file mode 100644 index 000000000..c57b16055 --- /dev/null +++ b/salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja @@ -0,0 +1,22 @@ +{%- if grains['role'] == 'so-eval' -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} +{%- else %} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} +{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} +output { + if [module] =~ "kratos" and "import" not in [tags] { + elasticsearch { + pipeline => "kratos" + hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} + user => "{{ ES_USER }}" + password => "{{ ES_PASS }}" +{% endif %} + index => "so-kratos" + ssl => true + ssl_certificate_verification => false + } + } +} From 5c90fce3a1d623efe599e6b80b98e0cfdcb64e6a Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 8 Jul 2022 15:58:00 +0000 Subject: [PATCH 43/84] Add Kratos Logstash output to search pipeline for Logstash --- pillar/logstash/search.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls index ebe133056..cd810106d 100644 --- a/pillar/logstash/search.sls +++ b/pillar/logstash/search.sls @@ -14,4 +14,5 @@ logstash: - so/9700_output_strelka.conf.jinja - so/9800_output_logscan.conf.jinja - so/9801_output_rita.conf.jinja + - so/9802_output_kratos.conf.jinja - so/9900_output_endgame.conf.jinja 
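Review bot: `ssl_certificate_verification => false` together with `user`/`password` means the so_elastic_user credentials are sent to whatever answers at `{{ ES }}` over an unverified TLS session. If the other `98xx` outputs in this directory do the same, this file follows the existing pattern, but the intended end state is `cacert => "<path to the cluster CA bundle>"` with verification left on, and a comment on this line naming why it is off would help track that. `if [module] =~ "kratos"` is a regex match; `[module] == "kratos"` expresses the intent exactly and will not also match a future module whose name merely contains "kratos".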
From a8e6b26406485fe4a856cf6f7979a68722987d71 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 8 Jul 2022 17:07:24 -0400 Subject: [PATCH 44/84] Remove Jinja from yaml files before parsing --- salt/common/tools/sbin/so-firewall | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 409a09fd2..10c773b44 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall @@ -16,6 +16,7 @@ # along with this program. If not, see . import os +import re import subprocess import sys import time @@ -71,7 +72,14 @@ def checkApplyOption(options): def loadYaml(filename): file = open(filename, "r") - return yaml.safe_load(file.read()) + content = file.read() + + # Remove Jinja templating + content = content.replace("{{ ssh_port }}", "22") + pattern = r'.*({%|{{|}}|%}).*' + content = re.sub(pattern, "", content) + + return yaml.safe_load(content) def writeYaml(filename, content): file = open(filename, "w") From 4f8bb6049b1b269b8649134deea0bf71d0592214 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 8 Jul 2022 17:30:00 -0400 Subject: [PATCH 45/84] Future proof the jinja check to ensure the script does not silently overwrite jinja templates --- salt/common/tools/sbin/so-firewall | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 10c773b44..2a394fdff 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall @@ -27,6 +27,7 @@ hostgroupsFilename = "/opt/so/saltstack/local/salt/firewall/hostgroups.local.yam portgroupsFilename = "/opt/so/saltstack/local/salt/firewall/portgroups.local.yaml" defaultPortgroupsFilename = "/opt/so/saltstack/default/salt/firewall/portgroups.yaml" supportedProtocols = ['tcp', 'udp'] +readonly = False def showUsage(options, args): print('Usage: {} [OPTIONS] [ARGS...]'.format(sys.argv[0])) 
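Review bot: `file = open(filename, "r")` in `loadYaml` is never closed, so the handle is released only whenever garbage collection gets to it; the `writeYaml` context line below has the same pattern. Use `with open(filename, "r") as file:` / `    content = file.read()` so the handle is closed before the regex work begins. `content.replace("{{ ssh_port }}", "22")` hard-codes the SSH port; if `ssh_port` is pillar-driven, the parsed view can disagree with the rendered rules, so a comment such as `# NOTE: assumes the default ssh_port; the rendered value may differ` on that line would flag the assumption.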
@@ -71,17 +72,26 @@ def checkApplyOption(options): return apply(None, None) def loadYaml(filename): + global readonly + file = open(filename, "r") content = file.read() - # Remove Jinja templating - content = content.replace("{{ ssh_port }}", "22") - pattern = r'.*({%|{{|}}|%}).*' - content = re.sub(pattern, "", content) + # Remove Jinja templating (for read-only operations) + if "{%" in content or "{{" in content: + content = content.replace("{{ ssh_port }}", "22") + pattern = r'.*({%|{{|}}|%}).*' + content = re.sub(pattern, "", content) + readonly = True return yaml.safe_load(content) def writeYaml(filename, content): + global readonly + + if readonly: + raise Exception("Cannot write yaml file that has been flagged as read-only") + file = open(filename, "w") return yaml.dump(content, file) From 09a1d8c54949cbcb6e7eef9ee2b3b97c01512cd1 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 11 Jul 2022 10:06:24 -0400 Subject: [PATCH 46/84] Disable fleetv2 because it is now used to control Fleet visibility and 'fleet' is now used for 'Integrations' --- salt/common/tools/sbin/so-kibana-space-defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-kibana-space-defaults b/salt/common/tools/sbin/so-kibana-space-defaults index 26eba3262..4527beb25 100755 --- a/salt/common/tools/sbin/so-kibana-space-defaults +++ b/salt/common/tools/sbin/so-kibana-space-defaults 
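Review bot: `readonly` is a single module-wide latch, so once any Jinja-templated file has been read, every later `writeYaml` in the same run is refused, including writes to a different, untemplated file loaded afterwards, and nothing ever clears it. Tracking the read-only state per path keeps the protection while still allowing other files to be written; the sketch below replaces the boolean with a set of filenames, closes the file handles the hunk leaves open, and raises `RuntimeError` instead of a bare `Exception` so callers can catch it specifically. The `readonly = False` declaration it replaces is in the previous hunk.
```python
readonlyFiles = set()

def loadYaml(filename):
    with open(filename, "r") as file:
        content = file.read()

    # Remove Jinja templating (for read-only operations)
    if "{%" in content or "{{" in content:
        # … unchanged: ssh_port substitution and regex stripping …
        readonlyFiles.add(filename)

    return yaml.safe_load(content)

def writeYaml(filename, content):
    if filename in readonlyFiles:
        raise RuntimeError("Cannot write yaml file that has been flagged as read-only: " + filename)

    with open(filename, "w") as file:
        return yaml.dump(content, file)
```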
@@ -12,6 +12,6 @@ echo "Setting up default Space:" {% if HIGHLANDER %} {{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log {% else %} -{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet"]} ' >> /opt/so/log/kibana/misc.log +{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet","fleetv2"]} ' >> /opt/so/log/kibana/misc.log {% endif %} echo From 2f729e24d99271263c251686a786212fcafe2b09 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 11 Jul 2022 14:34:10 +0000 Subject: [PATCH 47/84] Add Curator action files for Kratos indices --- salt/curator/files/action/so-kratos-close.yml | 29 +++++++++++++++++++ .../curator/files/action/so-kratos-delete.yml | 29 +++++++++++++++++++ salt/curator/files/action/so-kratos-warm.yml | 24 +++++++++++++++ 3 files changed, 82 insertions(+) create mode 100644 salt/curator/files/action/so-kratos-close.yml create mode 100644 salt/curator/files/action/so-kratos-delete.yml create mode 100644 salt/curator/files/action/so-kratos-warm.yml diff --git a/salt/curator/files/action/so-kratos-close.yml b/salt/curator/files/action/so-kratos-close.yml new file mode 100644 index 000000000..2a47b8070 --- /dev/null +++ b/salt/curator/files/action/so-kratos-close.yml 
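Review bot: The PUT that now disables `fleetv2` has no success check: the response body is appended to `misc.log`, but a 4xx from Kibana (for instance when a feature id in the list is not recognised by the running version) leaves the space unchanged while the script still exits 0. Add `-f` (or `-w '%{http_code}'` and a comparison) to the `{{ ELASTICCURL }}` call and fail on a non-2xx status so the Salt state and `soup` surface the problem instead of logging it silently. The HIGHLANDER branch above still disables only `enterpriseSearch`; if leaving Fleet visible there is intentional, a one-line comment saying so would stop the asymmetry from being "fixed" later.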
@@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-kratos:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close kratos indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-kratos.*|so-kratos.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/so-kratos-delete.yml b/salt/curator/files/action/so-kratos-delete.yml new file mode 100644 index 000000000..6b4ae8705 --- /dev/null +++ b/salt/curator/files/action/so-kratos-delete.yml @@ -0,0 +1,29 @@ +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:delete', 365) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: delete_indices + description: >- + Delete kratos indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-kratos.*|so-kratos.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + \ No newline at end of file 
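Review bot: `options:` lacks `ignore_empty_list: True`, and Curator treats an empty selection as an error unless that flag is set, so on any day when no Kratos index is older than `{{cur_close_days}}` days this action exits non-zero; the delete action added in the same commit does set it, so the two files are inconsistent. Add `ignore_empty_list: True` next to `delete_aliases: False`. The trailing `exclude:` with no value on the age filter is legal but reads as an unfinished line; either drop it or write `exclude: False` explicitly.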
diff --git a/salt/curator/files/action/so-kratos-warm.yml b/salt/curator/files/action/so-kratos-warm.yml new file mode 100644 index 000000000..ace3c8db1 --- /dev/null +++ b/salt/curator/files/action/so-kratos-warm.yml @@ -0,0 +1,24 @@ +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:warm', 7) -%} +actions: + 1: + action: allocation + description: "Apply shard allocation filtering rules to the specified indices" + options: + key: box_type + value: warm + allocation_type: require + wait_for_completion: true + timeout_override: + continue_if_exception: false + disable_action: false + filters: + - filtertype: pattern + kind: prefix + value: so-kratos + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ WARM_DAYS }} + From 0b6219d95f3814471edb33e7ca4a94fa0800a944 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 11 Jul 2022 14:51:33 +0000 Subject: [PATCH 48/84] Adjust Curator close scripts to include Kibana and Kratos indices --- salt/curator/files/action/so-kratos-close.yml | 2 +- salt/curator/files/bin/so-curator-close | 4 +++- salt/curator/files/bin/so-curator-cluster-close | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/salt/curator/files/action/so-kratos-close.yml b/salt/curator/files/action/so-kratos-close.yml index 2a47b8070..9a3b0c5a8 100644 --- a/salt/curator/files/action/so-kratos-close.yml +++ b/salt/curator/files/action/so-kratos-close.yml @@ -18,7 +18,7 @@ actions: disable_action: False filters: - filtertype: pattern - kind: regex + kind: regex value: '^(logstash-kratos.*|so-kratos.*)$' - filtertype: age source: name diff --git a/salt/curator/files/bin/so-curator-close b/salt/curator/files/bin/so-curator-close index 25a19c671..5370b1135 100644 --- a/salt/curator/files/bin/so-curator-close +++ b/salt/curator/files/bin/so-curator-close 
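Review bot: The warm action selects with `kind: prefix` / `value: so-kratos`, while the close and delete actions in the same commit use the regex `^(logstash-kratos.*|so-kratos.*)$`, so any `logstash-kratos-*` index is closed and deleted on schedule but never moved to warm nodes. If those legacy names can still exist, use the same regex filter here; if they are known to be gone, the close/delete patterns can be narrowed to match. Unlike the other two files this one has no header comment; a line such as `# Move so-kratos indices older than WARM_DAYS to nodes tagged box_type: warm` would help.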
@@ -31,7 +31,9 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kibana-close.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; diff --git a/salt/curator/files/bin/so-curator-cluster-close b/salt/curator/files/bin/so-curator-cluster-close index 0da245516..ed56e965e 100644 --- a/salt/curator/files/bin/so-curator-cluster-close +++ b/salt/curator/files/bin/so-curator-cluster-close 
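Review bot: The new `so-kibana-close.yml` line references an action file that this series does not add (only the three `so-kratos-*.yml` files are created), and with `> /dev/null 2>&1` a missing file makes Curator fail silently on every run; unless the Kibana action file already exists outside this diff, either add it or drop the line. More generally, discarding stderr on each action hides genuine failures to close indices; redirecting to a per-action log under `/opt/so/log/curator/` would keep cron output quiet while preserving evidence when a close fails.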
@@ -31,6 +31,7 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; From b611dda14385778b628f696a9965bccba8f78b30 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 11 Jul 2022 11:31:22 -0400 Subject: [PATCH 49/84] Add delete action for Kratos indices --- salt/curator/files/bin/so-curator-cluster-delete | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/curator/files/bin/so-curator-cluster-delete b/salt/curator/files/bin/so-curator-cluster-delete index e70c4eb02..829e3431f 100644 --- a/salt/curator/files/bin/so-curator-cluster-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete 
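Review bot: `so-curator-cluster-close` gains only the Kratos action while `so-curator-close` in the same commit gains both Kratos and Kibana, so a true-cluster deployment never closes `so-kibana-*` indices. If that asymmetry is deliberate, add a comment saying why so the next contributor does not "fix" it; otherwise add the matching `so-kibana-close.yml` line here as well.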
@@ -31,7 +31,8 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-delete.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-delete.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-delete.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-delete.yml > /dev/null 2>&1; From 8c8ac41b36cb001fde631e54ac2fb72bdbba729d Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 11 Jul 2022 11:32:03 -0400 Subject: [PATCH 50/84] Add action for Kratos indices --- salt/curator/files/bin/so-curator-cluster-warm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/curator/files/bin/so-curator-cluster-warm b/salt/curator/files/bin/so-curator-cluster-warm index 7279c6d41..d1f940614 100644 --- a/salt/curator/files/bin/so-curator-cluster-warm +++ b/salt/curator/files/bin/so-curator-cluster-warm 
@@ -31,7 +31,8 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-warm.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-warm.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-warm.yml > /dev/null 2>&1; From e82b6fcdeca397096ed089c33afb05daec0b69ce Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 11 Jul 2022 11:34:53 -0400 Subject: [PATCH 51/84] Typo - Change 'delete' to 'warm' --- salt/curator/files/bin/so-curator-cluster-warm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/files/bin/so-curator-cluster-warm b/salt/curator/files/bin/so-curator-cluster-warm index d1f940614..332db03c8 100644 --- a/salt/curator/files/bin/so-curator-cluster-warm +++ b/salt/curator/files/bin/so-curator-cluster-warm 
@@ -32,7 +32,7 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-delete.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-warm.yml > /dev/null 2>&1; From 077053afbda87bde41cfe8374fb0f4e1ec3e89df Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 11 Jul 2022 13:43:41 -0400 Subject: [PATCH 52/84] Add content-type header to PUT request, now required in Kratos 0.10.1 --- salt/common/tools/sbin/so-user | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 05a44a19d..96059968c 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user 
@@ -437,7 +437,7 @@ function updateStatus() { state="inactive" fi body="{ \"schema_id\": \"$schemaId\", \"state\": \"$state\", \"traits\": $traitBlock }" - response=$(curl -fSsL -XPUT "${kratosUrl}/identities/$identityId" -d "$body") + response=$(curl -fSsL -XPUT -H "Content-Type: application/json" "${kratosUrl}/identities/$identityId" -d "$body") [[ $? != 0 ]] && fail "Unable to update user" } From f77edaa5c95ab90cbf999531bf2b9f94f7f2c0d7 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 11 Jul 2022 14:41:23 -0400 Subject: [PATCH 53/84] Run so-kibana-space-defaults to re-establish the default enabled features since Fleet feature name changed --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index e6b34c39d..80b36885e 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -537,6 +537,7 @@ post_to_2.3.140() { echo "Post Processing for 2.3.140" FORCE_SYNC=true so-user sync so-kibana-restart + so-kibana-space-defaults POSTVERSION=2.3.140 } From bd32394560ce946c771ea753a6113a90f5f06e14 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 11 Jul 2022 16:38:05 -0400 Subject: [PATCH 54/84] Add securitySolutionCases feature to ensure Cases are disabled by default --- salt/common/tools/sbin/so-kibana-space-defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-kibana-space-defaults b/salt/common/tools/sbin/so-kibana-space-defaults index 4527beb25..586cf38c2 100755 --- a/salt/common/tools/sbin/so-kibana-space-defaults +++ b/salt/common/tools/sbin/so-kibana-space-defaults 
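Review bot: The request keeps `-L`, and curl turns a PUT into a GET when following a 301/302/303 redirect, so a misconfigured `kratosUrl` that redirects would silently read the identity instead of updating it and still pass the `$? != 0` check. The admin endpoint is presumably local and unlikely to redirect, but nothing here benefits from following redirects; drop the flag so such a misconfiguration fails loudly: `response=$(curl -fSs -XPUT -H "Content-Type: application/json" "${kratosUrl}/identities/$identityId" -d "$body")`. `$body` is assembled by string interpolation from `$schemaId`, `$state` and `$traitBlock`; `updateStatus` begins before this hunk, so whether those values are already validated JSON cannot be confirmed from here.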
@@ -12,6 +12,6 @@ echo "Setting up default Space:" {% if HIGHLANDER %} {{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log {% else %} -{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet","fleetv2"]} ' >> /opt/so/log/kibana/misc.log +{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet","fleetv2","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log {% endif %} echo From 11d3ed36b72846dd2772f164cd9d8ea50af79a45 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 11 Jul 2022 17:22:09 -0400 Subject: [PATCH 55/84] Specify outputs for Elasticsearch and Kibana for Eval and Import Mode Add outputs for Elasticsearch and Kibana for Eval/Import Mode, since Logstash is not used in Eval Mode or Import Mode. Otherwise, logs from these inputs end up in a filebeat-prefixed index. --- salt/filebeat/etc/filebeat.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 176007bae..75b45d4e6 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml 
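Review bot: Because `PUT /api/spaces/space/default` replaces the whole space object, every run of this script (now also invoked from `soup` post-processing) resets `disabledFeatures` to this fixed list and discards any feature an operator has deliberately enabled or disabled in the default space. If that is intended, state it above the call with `# NOTE: overwrites any operator changes to the default space's feature visibility`; if not, GET the current space first and merge the new ids into its `disabledFeatures` before writing.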
@@ -449,6 +449,12 @@ output.elasticsearch: - index: "so-logscan" when.contains: module: "logscan" + - index: "so-elasticsearch-%{+YYYY.MM.dd}" + when.contains: + event.module: "elasticsearch" + - index: "so-kibana-%{+YYYY.MM.dd}" + when.contains: + event.module: "kibana" setup.template.enabled: false {%- else %} From ec451c19f88c57bf9ea762f5a17a62204f98d7fb Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 12 Jul 2022 15:17:25 -0400 Subject: [PATCH 56/84] move port bindings back under port bindings --- salt/filebeat/init.sls | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index ea04c0311..24a26bd39 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -127,7 +127,14 @@ so-filebeat: - 0.0.0.0:514:514/udp - 0.0.0.0:514:514/tcp - 0.0.0.0:5066:5066/tcp - +{% for module in MODULESMERGED.modules.keys() %} + {% for submodule in MODULESMERGED.modules[module] %} + {% if MODULESMERGED.modules[module][submodule].enabled and MODULESMERGED.modules[module][submodule]["var.syslog_port"] is defined %} + - {{ MODULESMERGED.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}/tcp + - {{ MODULESMERGED.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}/udp + {% endif %} + {% endfor %} +{% endfor %} - watch: - file: filebeatconf - require: 
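Review bot: The two new routing rules use `when.contains` on `event.module`, which is a substring test, so a value such as `elasticsearch-audit` or `kibana_custom` would also be routed into these indices; `when.equals: event.module: "elasticsearch"` gives the exact match the intent suggests. Note the existing `so-logscan` rule above tests `module:` rather than `event.module:`; if both field names are populated for these inputs, a short comment on which source sets which field would save the next reader a trip through the module configs.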
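Review bot: The generated bindings default `var.syslog_host` to `0.0.0.0`, so enabling a Filebeat module that defines `var.syslog_port` opens a new TCP and UDP listener on every interface of the node and relies on the host firewall to limit who can reach it; that matches the existing 514 bindings, but module-driven ports are far less visible to an operator. Add a comment above the loop such as `# NOTE: module syslog ports bind to all interfaces unless var.syslog_host is set; allow them deliberately via so-firewall` so the exposure is a conscious choice. The `so-filebeat` state begins before this hunk.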
@@ -137,14 +144,7 @@ so-filebeat: - x509: conf_filebeat_crt - x509: conf_filebeat_key - x509: trusttheca -{% for module in MODULESMERGED.modules.keys() %} - {% for submodule in MODULESMERGED.modules[module] %} - {% if MODULESMERGED.modules[module][submodule].enabled and MODULESMERGED.modules[module][submodule]["var.syslog_port"] is defined %} - - {{ MODULESMERGED.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}/tcp - - {{ MODULESMERGED.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}/udp - {% endif %} - {% endfor %} -{% endfor %} + {% if grains.role in ES_INCLUDED_NODES %} run_module_setup: cmd.run: From 0fc6f7b0229f524d42fe5627506ce8695e1eaa3d Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 12 Jul 2022 15:34:24 -0400 Subject: [PATCH 57/84] Add check for Elasticsearch 6 indices --- salt/common/tools/sbin/soup | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 80b36885e..3188b7dd6 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -393,6 +393,18 @@ es_version_check() { fi } +es_indices_check() { + echo "Checking for unsupported Elasticsearch indices..." + UNSUPPORTED_INDICES=$(for INDEX in $(so-elasticsearch-indices-list | awk '{print $3}'); do so-elasticsearch-query $INDEX/_settings?human |grep '"created_string":"7' | jq -r 'keys'[0]; done) + if [ -z "$UNSUPPORTED_INDICES" ]; then + echo "No unsupported indices found." + else + echo "The following indices were created with Elasticsearch 6, and are not supported when upgrading to Elasticsearch 8. These indices may need to be deleted, migrated, or re-indexed before proceeding with the upgrade. Please see https://docs.securityonion.net/en/2.3/elasticsearch.html for more details." + echo + echo "$UNSUPPORTED_INDICES" + exit 0 +} + generate_and_clean_tarballs() { local new_version new_version=$(cat $UPDATE_DIR/VERSION) @@ -1157,6 +1169,7 @@ main() { echo "Verifying we have the latest soup script." verify_latest_update_script es_version_check + es_indices_check echo "" set_palette check_elastic_license From 4502182b53ba08c5b60bf2c0854b4b46b2197b2b Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 12 Jul 2022 15:35:46 -0400 Subject: [PATCH 58/84] Typo - Ensure Elasticsearch version 6 indices are checked --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 3188b7dd6..a165ddf54 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
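Review bot: `jq -r 'keys'[0]` leaves `[0]` outside the quotes, where the shell treats it as a glob; in a directory containing a file named `0` it expands and the jq program changes, so quote it as `jq -r 'keys[0]'`. The loop also issues one `_settings` request per index, which is slow on a manager with thousands of daily indices and fails open—an index whose query errors simply never appears in `UNSUPPORTED_INDICES`. A single request with `filter_path` and a jq selection returns the equivalent list in one round trip, assuming `so-elasticsearch-query` passes its first argument through as the request path as the existing `$INDEX/_settings?human` use suggests.
```shell
es_indices_check() {
  echo "Checking for unsupported Elasticsearch indices..."
  # One round trip: fetch only index.version.created_string for every index, keep those created by 6.x
  UNSUPPORTED_INDICES=$(so-elasticsearch-query '_all/_settings?human&filter_path=*.settings.index.version.created_string' \
    | jq -r 'to_entries[] | select(.value.settings.index.version.created_string | startswith("6.")) | .key')
  # … unchanged: report the result and exit non-zero when the list is non-empty …
}
```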
@@ -395,7 +395,7 @@ es_version_check() { es_indices_check() { echo "Checking for unsupported Elasticsearch indices..." - UNSUPPORTED_INDICES=$(for INDEX in $(so-elasticsearch-indices-list | awk '{print $3}'); do so-elasticsearch-query $INDEX/_settings?human |grep '"created_string":"7' | jq -r 'keys'[0]; done) + UNSUPPORTED_INDICES=$(for INDEX in $(so-elasticsearch-indices-list | awk '{print $3}'); do so-elasticsearch-query $INDEX/_settings?human |grep '"created_string":"6' | jq -r 'keys'[0]; done) if [ -z "$UNSUPPORTED_INDICES" ]; then echo "No unsupported indices found." else From d0a0ca8458e2c12b0153cc284f7a678e9f32ff7f Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 12 Jul 2022 16:15:44 -0400 Subject: [PATCH 59/84] Update exit code for ES checks --- salt/common/tools/sbin/soup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index a165ddf54..d900e465a 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -389,7 +389,7 @@ es_version_check() { echo "Otherwise, if your deployment is configured for airgap, you can instead download the 2.3.130 ISO image from https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso." echo "" echo "*** Once you have updated to 2.3.130, you can then update to 2.3.140 or higher as you would normally. ***" - exit 0 + exit 1 fi } @@ -402,7 +402,7 @@ es_indices_check() { echo "The following indices were created with Elasticsearch 6, and are not supported when upgrading to Elasticsearch 8. These indices may need to be deleted, migrated, or re-indexed before proceeding with the upgrade. Please see https://docs.securityonion.net/en/2.3/elasticsearch.html for more details." echo echo "$UNSUPPORTED_INDICES" - exit 0 + exit 1 } generate_and_clean_tarballs() { From 8e92060c293ce882b3e6317f4281303578794462 Mon Sep 17 00:00:00 2001 
From: weslambert Date: Wed, 13 Jul 2022 08:38:55 -0400 Subject: [PATCH 60/84] Ensure Elastalert indices are deleted before continuing with SOUP -- if they are not, generate a failure condition --- salt/common/tools/sbin/soup | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index d900e465a..44cfd67fc 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -851,6 +851,13 @@ up_to_2.3.140() { # Delete Elastalert indices for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do so-elasticsearch-query $i -XDELETE; done + # Check to ensure Elastalert indices have been deleted + RESPONSE=$(so-elasticsearch-query elastalert*) + if [[ "$RESPONSE" == "{}" ]]; then + echo "Elastalert indices have been deleted." + else + fail "Something went wrong. Could not delete the Elastalert indices. Exiting." + fi ## INSTALLEDVERSION=2.3.140 } From 513c7ae56cce988bdd163e58f13ddc1ce6a5ce00 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 13 Jul 2022 09:13:28 -0400 Subject: [PATCH 61/84] Add missing 'fi' to if/then for unsupported indices check --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 44cfd67fc..82ac52d37 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -403,6 +403,7 @@ es_indices_check() { echo echo "$UNSUPPORTED_INDICES" exit 1 + fi } generate_and_clean_tarballs() { From 34d3c6a8820aad61389320c404e2e2b73db9cd4a Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Wed, 13 Jul 2022 09:32:28 -0400 Subject: [PATCH 62/84] increment version to 2.3.140 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b10115e77..d5a8586cf 100644 --- a/README.md +++ b/README.md 
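Review bot: `so-elasticsearch-query elastalert*` leaves the wildcard unquoted, so if the working directory contains a file whose name starts with `elastalert` the shell expands it and the verification queries the wrong path; quote it as `RESPONSE=$(so-elasticsearch-query 'elastalert*')`. The check also only confirms that nothing matches `elastalert*`, while the deletion loop above selects any `_cat/indices` row containing the substring, so an index such as `so-elastalert-*` would be deleted by the loop yet never verified here; if both are meant to cover the same set, anchor both on the index column (`awk '$3 ~ /^elastalert/ {print $3}'`). `up_to_2.3.140` begins before this hunk.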
@@ -1,6 +1,6 @@ -## Security Onion 2.3.130 +## Security Onion 2.3.140 -Security Onion 2.3.130 is here! +Security Onion 2.3.140 is here! ## Screenshots From 086cf3996da4c9b837b5c5cf7e2e21a75d151337 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 13 Jul 2022 11:21:27 -0400 Subject: [PATCH 63/84] do not start elastalert if elasticsearch is not v8 --- salt/elastalert/init.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 7f6002331..b1f6bae8e 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -107,6 +107,10 @@ wait_for_elasticsearch: cmd.run: - name: so-elasticsearch-wait +is_elasticsearch_v8: + cmd.shell: + - name: "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" #if not 8 do not start ES + so-elastalert: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elastalert:{{ VERSION }} @@ -123,6 +127,7 @@ so-elastalert: - {{MANAGER_URL}}:{{MANAGER_IP}} - require: - cmd: wait_for_elasticsearch + - cmd: is_elasticsearch_v8 - file: elastarules - file: elastalogdir - file: elastacustmodulesdir From c67a58a5b113f3b34b0cb5e9a361135e981d7afd Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Wed, 13 Jul 2022 12:40:03 -0400 Subject: [PATCH 64/84] change hyperlink for Elastic 8 issues --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 82ac52d37..e72c7806c 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -399,7 +399,7 @@ es_indices_check() { if [ -z "$UNSUPPORTED_INDICES" ]; then echo "No unsupported indices found." else - echo "The following indices were created with Elasticsearch 6, and are not supported when upgrading to Elasticsearch 8. These indices may need to be deleted, migrated, or re-indexed before proceeding with the upgrade. Please see https://docs.securityonion.net/en/2.3/elasticsearch.html for more details." + echo "The following indices were created with Elasticsearch 6, and are not supported when upgrading to Elasticsearch 8. These indices may need to be deleted, migrated, or re-indexed before proceeding with the upgrade. Please see https://docs.securityonion.net/en/2.3/soup.html#elastic-8 for more details." echo echo "$UNSUPPORTED_INDICES" exit 1 From 7d7cf42d9a326d37777e0198b5c1daa2df6aab82 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 13 Jul 2022 15:21:34 -0400 Subject: [PATCH 65/84] use onlyif requisite instead --- salt/elastalert/init.sls | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index b1f6bae8e..ed2549a36 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -107,10 +107,6 @@ wait_for_elasticsearch: cmd.run: - name: so-elasticsearch-wait -is_elasticsearch_v8: - cmd.shell: - - name: "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" #if not 8 do not start ES - so-elastalert: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elastalert:{{ VERSION }} @@ -127,13 +123,15 @@ so-elastalert: - {{MANAGER_URL}}:{{MANAGER_IP}} - require: - cmd: wait_for_elasticsearch - - cmd: is_elasticsearch_v8 - file: elastarules - file: elastalogdir - file: elastacustmodulesdir - file: elastaconf - watch: - file: elastaconf + - onlyif: + - "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" {# only run this state if elasticsearch is version 8 #} + append_so-elastalert_so-status.conf: file.append: 
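Review bot: With `onlyif`, a non-8 Elasticsearch makes the `so-elastalert` state report success while never starting the container, so alerting is silently off with nothing in the highstate output to flag it; pair this with a state that runs only when the condition is false (a `cmd.run` that logs a warning, or `test.fail_without_changes`) so the skip is visible to whoever runs the state. The condition compares only the first character of `.version.number` via `[0:1]`, which would reject a future `10.x` and accept `80.x`; comparing the whole major is clearer: `jq -r '.version.number | split(".")[0]' | grep -qx 8`. An unreachable Elasticsearch yields an empty string and the same silent skip, which is worth a comment next to the `onlyif`.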
From 0fd4f34b5b594dd5a604172be70f8dcb5e93ed61 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 13 Jul 2022 16:48:39 -0400 Subject: [PATCH 66/84] Add shebang so that so-kibana-space-defaults will work correctly on Ubuntu --- salt/common/tools/sbin/so-kibana-space-defaults | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/so-kibana-space-defaults b/salt/common/tools/sbin/so-kibana-space-defaults index 586cf38c2..53c692a51 100755 --- a/salt/common/tools/sbin/so-kibana-space-defaults +++ b/salt/common/tools/sbin/so-kibana-space-defaults @@ -1,3 +1,4 @@ +#!/bin/bash . /usr/sbin/so-common {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}" From 2443e8b97e0a1ad2691f312e66541e10de2f2673 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 14 Jul 2022 12:04:56 -0400 Subject: [PATCH 67/84] Change web_response to evaluate the response from the Spaces API and the default space query --- salt/common/tools/sbin/so-kibana-space-defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-kibana-space-defaults b/salt/common/tools/sbin/so-kibana-space-defaults index 53c692a51..b52e609dc 100755 --- a/salt/common/tools/sbin/so-kibana-space-defaults +++ b/salt/common/tools/sbin/so-kibana-space-defaults @@ -1,7 +1,7 @@ #!/bin/bash . /usr/sbin/so-common {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} -wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}" +wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "{{ ELASTICCURL }}" ## This hackery will be removed if using Elastic Auth ## # Let's snag a cookie from Kibana From cf8c6a6e94c9b432ae05619f2d509fd89a9894f3 Mon Sep 17 00:00:00 2001 
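Review bot: Waiting for the literal string `default` in the response to `/api/spaces/space/default` is weaker than it looks: a Kibana error body that echoes the requested id (a not-found message naming `space/default`, for example) would also satisfy the match and let the script proceed before the space exists. Match a field only a real space object carries, e.g. `wait_for_web_response "http://localhost:5601/api/spaces/space/default" '"id":"default"' 300 "{{ ELASTICCURL }}"`, or check the HTTP status instead. How `wait_for_web_response` matches (substring vs. regex) is defined in `so-common`, outside this diff, so confirm the pattern syntax there.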
From: Mike Reeves Date: Thu, 14 Jul 2022 15:17:27 -0400 Subject: [PATCH 68/84] Update defaults.yaml --- salt/suricata/defaults.yaml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 9c358b448..84b45b369 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -218,7 +218,7 @@ suricata: enabled: "yes" # memcap: 64mb rdp: - #enabled: "no" + enabled: "yes" ssh: enabled: "yes" smtp: @@ -331,7 +331,16 @@ suricata: dhcp: enabled: "yes" sip: - #enabled: "no" + enabled: "yes" + rfb: + enabled: "yes" + detection-ports: + dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 + mqtt: + enabled: "no" + http2: + enabled: "no" + asn1-max-frames: 256 run-as: user: suricata From 3430df6a20c16e674c98ec2ff863a7f1d79ba095 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 15 Jul 2022 13:26:25 -0400 Subject: [PATCH 69/84] 2.3.140 --- VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.3.140-20220715.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.140-20220715.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 09f6c368d..b353dd3ed 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md 
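Review bot: `mqtt` and `http2` are now explicitly disabled while `rdp`, `sip` and `rfb` are switched on, but nothing records why the two stay off; add a comment beside each, e.g. `# disabled: keep off until this parser has been validated on the shipped Suricata release` (adjusted to the real reason), so a later reader neither enables them blindly nor assumes they were forgotten. Each newly enabled app-layer parser is also parsing surface exposed to untrusted traffic, so a note naming the Suricata version these were validated against would help when triaging parser advisories. Confirm that `asn1-max-frames: 256` renders at the same level as `run-as:` rather than under `app-layer.protocols`, since Suricata reads it as a top-level setting.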
@@ -1,18 +1,18 @@
-### 2.3.130-20220607 ISO image built on 2022/06/07
+### 2.3.140-20220715 ISO image built on 2022/06/07
 ### Download and Verify
-2.3.130-20220607 ISO image:
-https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso
+2.3.140-20220715 ISO image:
+https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220715.iso
-MD5: 0034D6A9461C04357AFF512875408A4C
-SHA1: BF80EEB101C583153CAD8E185A7DB3173FD5FFE8
-SHA256: 15943623B96D8BB4A204A78668447F36B54A63ABA5F8467FBDF0B25C5E4E6078
+MD5: C3A6197DE75D0B0933536143B9CB977E
+SHA1: 47F3BA9771AACA9712484C47DB5FB67D1230D8F0
+SHA256: CC3485C23C6CE10855188D7015EEA495F6846A477187D378057B6C88F6B8C654
 Signature for ISO image:
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.130-20220607.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220715.iso.sig
 Signing key:
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.130-20220607.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220715.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220715.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.130-20220607.iso.sig securityonion-2.3.130-20220607.iso +gpg --verify securityonion-2.3.140-20220715.iso.sig securityonion-2.3.140-20220715.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Tue 07 Jun 2022 01:27:20 PM EDT using RSA key ID FE507013 +gpg: Signature made Fri 15 Jul 2022 11:52:40 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.3.140-20220715.iso.sig b/sigs/securityonion-2.3.140-20220715.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..553535a6ad770a28bba2a2d2b97996f4478c3596 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;ExjYt3r2@re`V7LBIa1)N>5B(j_nK&h}fGEd|%sJlI zBNbV)fs(20^jmg$D$@w=-6XR)D%m;UDRC_hZhwD^gGL+Mgg?h9ZuhZqO(ON(_*Sk{N5{4$0GbFYLI1rlD21T*F7f=n6QBy h@S1!0o|$aZC{2cRpWt1!Ss?*jm-|KM@zq){uQqEM2h;!n literal 0 HcmV?d00001 From 0a14dad84982de42844b69cc8ec1dda1383f7c1b Mon Sep 17 00:00:00 2001 
From: Mike Reeves
Date: Fri, 15 Jul 2022 13:31:51 -0400
Subject: [PATCH 70/84] Update VERIFY_ISO.md
---
 VERIFY_ISO.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index b353dd3ed..fa6706cc6 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,4 +1,4 @@
-### 2.3.140-20220715 ISO image built on 2022/06/07
+### 2.3.140-20220715 ISO image built on 2022/07/15
From f5e10430edbd6fcf6940e98a9cd00890c470ea46 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 18 Jul 2022 09:07:13 -0400
Subject: [PATCH 71/84] Add forward slash to fix issue with missing query path
---
 salt/common/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index e72c7806c..527bf1fc2 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -832,7 +832,7 @@ up_to_2.3.140() {
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
- so-elasticsearch-query -k --output /dev/null
+ so-elasticsearch-query / -k --output /dev/null
 if [ $? -eq 0 ]; then
 ELASTICSEARCH_CONNECTED="yes"
 echo "connected!"
From 2914007393ddbf8115115ed619f87c2280dbf419 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 18 Jul 2022 09:07:34 -0400
Subject: [PATCH 72/84] Add forward slash to fix issue with missing query path
---
 salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
index 93c1c6298..e776e84a0 100644
--- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
+++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
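Review bot: In the PATCH 71 hunk, `so-elasticsearch-query / -k --output /dev/null` followed by `if [ $? -eq 0 ]` treats any completed HTTP exchange as success, so a 5xx from an Elasticsearch that is still initializing ends the wait loop with "connected!" and the index work that follows runs against a node that is not ready. The sibling fix in so-elasticsearch-templates-load (PATCH 72, next hunk) passes `--silent --head --fail`, which makes the exit status follow the HTTP status; aligning this line to `so-elasticsearch-query / -k --output /dev/null --silent --fail` closes the gap. This assumes so-elasticsearch-query forwards its extra arguments to curl, which the `-k`/`--output` flags suggest. The same unchecked call is carried verbatim into elastalert_indices_check in PATCH 78; up_to_2.3.140 starts and ends outside this hunk.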
@@ -30,7 +30,7 @@ echo -n "Waiting for ElasticSearch..."
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
- so-elasticsearch-query -k --output /dev/null --silent --head --fail
+ so-elasticsearch-query / -k --output /dev/null --silent --head --fail
 if [ $? -eq 0 ]; then
 ELASTICSEARCH_CONNECTED="yes"
 echo "connected!"
From 3711eb52b85f40b92b3aa5ee0c0731cdd05fc598 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 18 Jul 2022 10:54:50 -0400
Subject: [PATCH 73/84] 2.3.140
---
 VERIFY_ISO.md | 22 ++++++++++----------
 sigs/securityonion-2.3.140-20220715.iso.sig | Bin 543 -> 0 bytes
 sigs/securityonion-2.3.140-20220718.iso.sig | Bin 0 -> 543 bytes
 3 files changed, 11 insertions(+), 11 deletions(-)
 delete mode 100644 sigs/securityonion-2.3.140-20220715.iso.sig
 create mode 100644 sigs/securityonion-2.3.140-20220718.iso.sig
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index fa6706cc6..d48743291 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,18 +1,18 @@
-### 2.3.140-20220715 ISO image built on 2022/07/15
+### 2.3.140-20220718 ISO image built on 2022/07/18
 ### Download and Verify
-2.3.140-20220715 ISO image:
-https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220715.iso
+2.3.140-20220718 ISO image:
+https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso
-MD5: C3A6197DE75D0B0933536143B9CB977E
-SHA1: 47F3BA9771AACA9712484C47DB5FB67D1230D8F0
-SHA256: CC3485C23C6CE10855188D7015EEA495F6846A477187D378057B6C88F6B8C654
+MD5: 9570065548DBFA6230F28FF623A8B61A
+SHA1: D48B2CC81DF459C3EBBC0C54BD9AAFAB4327CB75
+SHA256: 0E31E15EDFD3392B9569FCCAF1E4518432ECB0D7A174CCA745F2F22CDAC4A034
 Signature for ISO image:
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220715.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig
 Signing key:
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220715.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220715.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.140-20220715.iso.sig securityonion-2.3.140-20220715.iso +gpg --verify securityonion-2.3.140-20220718.iso.sig securityonion-2.3.140-20220718.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Fri 15 Jul 2022 11:52:40 AM EDT using RSA key ID FE507013 +gpg: Signature made Mon 18 Jul 2022 10:16:05 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.3.140-20220715.iso.sig b/sigs/securityonion-2.3.140-20220715.iso.sig deleted file mode 100644 index 553535a6ad770a28bba2a2d2b97996f4478c3596..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;ExjYt3r2@re`V7LBIa1)N>5B(j_nK&h}fGEd|%sJlI zBNbV)fs(20^jmg$D$@w=-6XR)D%m;UDRC_hZhwD^gGL+Mgg?h9ZuhZqO(ON(_*Sk{N5{4$0GbFYLI1rlD21T*F7f=n6QBy h@S1!0o|$aZC{2cRpWt1!Ss?*jm-|KM@zq){uQqEM2h;!n 
diff --git a/sigs/securityonion-2.3.140-20220718.iso.sig b/sigs/securityonion-2.3.140-20220718.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..5628c323f0c85e99d9aab98d657a8a615dd3e108 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;E#Yb5{*2@re`V7LBIa1+Hk5C3JnavmceA)8AZggeZS zDLrEFnGXx|saM*K<6N>OeUiM#U@$`LyVMj(zdoLi#tbaHAl8>}0za7+99++7mq;8L zdyN;F2|5OEnd=LpM8LKh%vTx3L~FnCfg;QFH@d7?W1`vOpMjDjjN)O$Bz2krGWP2k z`1GGfHmC#X84)ksBfb?!(?jH1j+;NsHk7f9r|>ED8(&KnY95p#;9X`I> zLG_nIlhA_`YJdle*XRh`LV$n%0ah4N$9v^NC}wEz$#lyjn8LA$=uMY4FPzmEM%c1l z!wUAG(&It~@htt0*9rhC1ifoK4MD!ouY@$c3UchVYlO{2J7!GtM{QQ^aW02%@w=Hf zb^LxyJA6P)oh#+=XT-UHuSTs$IWpWjSCD!!`t0G;#{rIuLrd zcvO(sv@#Ma*lkdRkh^^#;M8mn_nOx*2Z1$nXUyy%MSm*hk%jCe2@eVqF*nCqAnI9z h>{-9Gx Date: Tue, 19 Jul 2022 10:21:36 -0400 Subject: [PATCH 74/84] Update HOTFIX --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index d3f5a12fa..8ab213017 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ - +20220719 From 07b8785f3d223da16f317a126897fb31fa0801bd Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 19 Jul 2022 10:23:10 -0400 Subject: [PATCH 75/84] Update soup --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 527bf1fc2..1532dd02c 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -825,6 +825,7 @@ up_to_2.3.130() { } up_to_2.3.140() { + so-elastalert-stop ## Deleting Elastalert indices to prevent issues with upgrade to Elastic 8 ## echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..." # Wait for ElasticSearch to initialize From 4a7c994b662bddbdaf0bca2419f973b1caf7be11 Mon Sep 17 00:00:00 2001 
From: Wes Lambert
Date: Tue, 19 Jul 2022 14:31:45 +0000
Subject: [PATCH 76/84] Revise Elastalert index check deletion logic
---
 salt/common/tools/sbin/soup | 34 +++++++++++++++++++++++++++-------
 1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 1532dd02c..855960737 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -852,13 +852,33 @@ up_to_2.3.140() {
 fi
 # Delete Elastalert indices
- for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do so-elasticsearch-query $i -XDELETE; done
- # Check to ensure Elastalert indices have been deleted
- RESPONSE=$(so-elasticsearch-query elastalert*)
- if [[ "$RESPONSE" == "{}" ]]; then
- echo "Elastalert indices have been deleted."
- else
- fail "Something went wrong. Could not delete the Elastalert indices. Exiting."
+ for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}');
+ do
+ so-elasticsearch-query $i -XDELETE;
+ done
+
+ # Check to ensure Elastalert indices are deleted
+ COUNT=0
+ ELASTALERT_INDICES_DELETED="no"
+ while [[ "$COUNT" -le 240 ]]; do
+ RESPONSE=$(so-elasticsearch-query elastalert*)
+ if [[ "$RESPONSE" == "{}" ]]; then
+ ELASTALERT_INDICES_DELETED="yes"
+ echo "Elastalert indices successfully deleted."
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ echo -n "."
+ fi
+ done
+
+ # If we were unable to delete the Elastalert indices, exit the script
+ if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then
+ echo
+ echo -e "Unable to connect to delete Elastalert indices. Exiting."
+ echo
+ exit 1
 fi
 ## INSTALLEDVERSION=2.3.140
From f3a0ab0b2d8816bdbe1b862bf258051da57924db Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 19 Jul 2022 14:48:19 +0000
Subject: [PATCH 77/84] Perform Elastalert index check twice
---
 salt/common/tools/sbin/soup | 43 ++++++++++++++++++++-----------------
 1 file changed, 23 insertions(+), 20 deletions(-)
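Review bot: The deletion loop `for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}')` selects every _cat/indices row containing the substring `elastalert` anywhere on the line, so an unrelated index whose name merely contains that string is deleted along with the intended ones; anchoring on the index column, `awk '$3 ~ /^elastalert/ {print $3}'`, confines the destructive call to the same prefix the verification query below uses. That verification, `RESPONSE=$(so-elasticsearch-query elastalert*)`, leaves the glob unquoted, so a file in the working directory matching `elastalert*` would be substituted before the request is sent; `'elastalert*'` avoids it. The message `Unable to connect to delete Elastalert indices. Exiting.` is also misleading, since that branch is reached when the indices still exist after the 240-second wait, not on a connection failure. The same lines are repeated in PATCH 77 and in the new elastalert_indices_check function in PATCH 78; up_to_2.3.140 starts outside this hunk.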
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 855960737..9982d2dc6 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -850,28 +850,31 @@ up_to_2.3.140() {
 echo
 exit 1
 fi
-
- # Delete Elastalert indices
- for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}');
- do
- so-elasticsearch-query $i -XDELETE;
+ CHECK_COUNT=0
+ while [[ "$CHECK_COUNT" -le 2 ]]; do
+ # Delete Elastalert indices
+ for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do
+ so-elasticsearch-query $i -XDELETE;
+ done
+
+ # Check to ensure Elastalert indices are deleted
+ COUNT=0
+ ELASTALERT_INDICES_DELETED="no"
+ while [[ "$COUNT" -le 240 ]]; do
+ RESPONSE=$(so-elasticsearch-query elastalert*)
+ if [[ "$RESPONSE" == "{}" ]]; then
+ ELASTALERT_INDICES_DELETED="yes"
+ echo "Elastalert indices successfully deleted."
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ echo -n "."
+ fi
+ done
+ ((CHECK_COUNT+=1))
 done
- # Check to ensure Elastalert indices are deleted
- COUNT=0
- ELASTALERT_INDICES_DELETED="no"
- while [[ "$COUNT" -le 240 ]]; do
- RESPONSE=$(so-elasticsearch-query elastalert*)
- if [[ "$RESPONSE" == "{}" ]]; then
- ELASTALERT_INDICES_DELETED="yes"
- echo "Elastalert indices successfully deleted."
- break
- else
- ((COUNT+=1))
- sleep 1
- echo -n "."
- fi
- done
 # If we were unable to delete the Elastalert indices, exit the script
 if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then
From 5ceff527960cf0c897f7fe374ef6ce49a8bafee1 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 19 Jul 2022 14:54:39 +0000
Subject: [PATCH 78/84] Move Elastalert indices check to function and call from beginning of soup and during pre-upgrade to 2.3.140
---
 salt/common/tools/sbin/soup | 128 ++++++++++++++++++++----------------
 1 file changed, 70 insertions(+), 58 deletions(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 9982d2dc6..e6f54fe4e 100755
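Review bot: `while [[ "$CHECK_COUNT" -le 2 ]]` with CHECK_COUNT starting at 0 runs the delete-and-verify pass three times, not the two the commit title states; `while [[ "$CHECK_COUNT" -lt 2 ]]; do` gives two passes. Each pass can block for up to 241 seconds before it gives up, so the block's worst case is over twelve minutes of dots with no indication of which pass is running. The repetition is deliberate but nothing says so; a comment such as `# Repeat the delete/verify pass so indices re-created by a still-running Elastalert are caught` above `CHECK_COUNT=0` would record the intent, and it should also state that ELASTALERT_INDICES_DELETED is reset on every pass, so only the final pass decides the exit that follows the loop. up_to_2.3.140 starts and ends outside this hunk.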
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -371,6 +371,74 @@ clone_to_tmp() {
 fi
 }
+elastalert_indices_check() {
+
+ # Stop Elastalert to prevent Elastalert indices from being re-created
+ so-elastalert-stop
+
+ # Deleting Elastalert indices to prevent issues with upgrade to Elastic 8 ##
+ echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
+
+ # Wait for ElasticSearch to initialize
+ echo -n "Waiting for ElasticSearch..."
+ COUNT=0
+ ELASTICSEARCH_CONNECTED="no"
+ while [[ "$COUNT" -le 240 ]]; do
+ so-elasticsearch-query / -k --output /dev/null
+ if [ $? -eq 0 ]; then
+ ELASTICSEARCH_CONNECTED="yes"
+ echo "connected!"
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ echo -n "."
+ fi
+ done
+
+ # Unable to connect to Elasticsearch
+ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+ echo
+ echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
+ echo
+ exit 1
+ fi
+
+ # Check Elastalert indices
+ CHECK_COUNT=0
+ while [[ "$CHECK_COUNT" -le 2 ]]; do
+ # Delete Elastalert indices
+ for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do
+ so-elasticsearch-query $i -XDELETE;
+ done
+
+ # Check to ensure Elastalert indices are deleted
+ COUNT=0
+ ELASTALERT_INDICES_DELETED="no"
+ while [[ "$COUNT" -le 240 ]]; do
+ RESPONSE=$(so-elasticsearch-query elastalert*)
+ if [[ "$RESPONSE" == "{}" ]]; then
+ ELASTALERT_INDICES_DELETED="yes"
+ echo "Elastalert indices successfully deleted."
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ echo -n "."
+ fi
+ done
+ ((CHECK_COUNT+=1))
+ done
+
+ # If we were unable to delete the Elastalert indices, exit the script
+ if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then
+ echo
+ echo -e "Unable to connect to delete Elastalert indices. Exiting."
+ echo
+ exit 1
+ fi
+}
+
 enable_highstate() {
 echo "Enabling highstate."
 salt-call state.enable highstate -l info --local
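Review bot: elastalert_indices_check terminates the whole script with a bare `echo; echo -e "..."; echo; exit 1` in both failure branches, while the code it consolidates originally used the script's `fail` helper (the removed `fail "Something went wrong. Could not delete the Elastalert indices. Exiting."` in PATCH 76); routing both branches through `fail` keeps error reporting consistent with the rest of soup. The function also begins with `so-elastalert-stop` and restarts nothing on either the success or the failure path, so every caller inherits a stopped Elastalert; a header comment stating that contract (`# Stops Elastalert and leaves it stopped; confirm what brings it back after the upgrade — TODO`) would make that visible at the call sites. The unchecked `so-elasticsearch-query / -k --output /dev/null` readiness test and the substring-based index selection copied into this function are raised on the earlier hunks where they first appear.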
@@ -825,64 +893,7 @@ up_to_2.3.130() {
 }
 up_to_2.3.140() {
- so-elastalert-stop
- ## Deleting Elastalert indices to prevent issues with upgrade to Elastic 8 ##
- echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
- # Wait for ElasticSearch to initialize
- echo -n "Waiting for ElasticSearch..."
- COUNT=0
- ELASTICSEARCH_CONNECTED="no"
- while [[ "$COUNT" -le 240 ]]; do
- so-elasticsearch-query / -k --output /dev/null
- if [ $? -eq 0 ]; then
- ELASTICSEARCH_CONNECTED="yes"
- echo "connected!"
- break
- else
- ((COUNT+=1))
- sleep 1
- echo -n "."
- fi
- done
- if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
- echo
- echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
- echo
- exit 1
- fi
- CHECK_COUNT=0
- while [[ "$CHECK_COUNT" -le 2 ]]; do
- # Delete Elastalert indices
- for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do
- so-elasticsearch-query $i -XDELETE;
- done
-
- # Check to ensure Elastalert indices are deleted
- COUNT=0
- ELASTALERT_INDICES_DELETED="no"
- while [[ "$COUNT" -le 240 ]]; do
- RESPONSE=$(so-elasticsearch-query elastalert*)
- if [[ "$RESPONSE" == "{}" ]]; then
- ELASTALERT_INDICES_DELETED="yes"
- echo "Elastalert indices successfully deleted."
- break
- else
- ((COUNT+=1))
- sleep 1
- echo -n "."
- fi
- done
- ((CHECK_COUNT+=1))
- done
-
-
- # If we were unable to delete the Elastalert indices, exit the script
- if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then
- echo
- echo -e "Unable to connect to delete Elastalert indices. Exiting."
- echo
- exit 1
- fi
+ elastalert_indices_check
 ## INSTALLEDVERSION=2.3.140
 }
@@ -1202,6 +1213,7 @@ main() {
 verify_latest_update_script
 es_version_check
 es_indices_check
+ elastalert_indices_check
 echo ""
 set_palette
 check_elastic_license
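Review bot: In the second hunk, main() now calls `elastalert_indices_check` unconditionally after `es_indices_check`, so every soup invocation — not only the upgrade to 2.3.140 — stops Elastalert and deletes the `elastalert*` indices, and during that particular upgrade the same deletion then runs a second time from the `elastalert_indices_check` call that the first hunk leaves in up_to_2.3.140. If the deletion is only needed ahead of the Elastic 8 move, gating the main() call on the installed version being below 2.3.140 (or keeping only the up_to_2.3.140 call) avoids discarding Elastalert state on routine updates; if running it every time is intended, a comment at the call site saying so, e.g. `# Safe to run on every soup invocation: Elastalert indices are rebuilt on start`, would stop the next reader from removing it — the "rebuilt on start" part is my assumption, confirm it. main() starts and ends outside the hunk, and the function body is in the previous hunk of this patch.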
From 340dbe8547d64cbe87c38ca39f7a1d8eaa095ea7 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 19 Jul 2022 13:25:09 -0400
Subject: [PATCH 79/84] Check to see if Elastalert is enabled before trying to run 'so-elastalert-stop'. Also suppress error output for when so-elastalert container is not present.
---
 salt/common/tools/sbin/soup | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index e6f54fe4e..d41fcdfcf 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -374,10 +374,9 @@ clone_to_tmp() {
 elastalert_indices_check() {
 # Stop Elastalert to prevent Elastalert indices from being re-created
- so-elastalert-stop
-
- # Deleting Elastalert indices to prevent issues with upgrade to Elastic 8 ##
- echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
+ if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
+ so-elastalert-stop || true
+ fi
 # Wait for ElasticSearch to initialize
 echo -n "Waiting for ElasticSearch..."
@@ -403,8 +402,9 @@ elastalert_indices_check() {
 echo
 exit 1
 fi
-
+
 # Check Elastalert indices
+ echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
 CHECK_COUNT=0
 while [[ "$CHECK_COUNT" -le 2 ]]; do
 # Delete Elastalert indices
From dd48d66c1c4c9d6c4da43f454a96501072d10057 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 19 Jul 2022 14:39:44 -0400
Subject: [PATCH 80/84] 2.3.140 Hotfix
---
 VERIFY_ISO.md | 22 ++++++++++----------
 sigs/securityonion-2.3.140-20220719.iso.sig | Bin 0 -> 543 bytes
 2 files changed, 11 insertions(+), 11 deletions(-)
 create mode 100644 sigs/securityonion-2.3.140-20220719.iso.sig
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index d48743291..73735f3b7 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
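Review bot: `so-elastalert-stop || true` in the first hunk discards a failed stop, so when so-elastalert is listed in so-status.conf but the stop fails, the function goes on to delete the indices while Elastalert may still be running and re-creating them — the race the comment above the call says the stop exists to prevent. The commit only needs the missing-container case silenced, which the new `grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf` guard already handles; a real failure should at least be reported, e.g. `so-elastalert-stop || echo "Warning: so-elastalert-stop returned non-zero; Elastalert may re-create its indices"`. That grep will itself print an error on a node where the conf file is absent; `2>/dev/null` on the grep keeps it quiet there without hiding anything else. elastalert_indices_check continues outside both hunks.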
@@ -1,18 +1,18 @@
-### 2.3.140-20220718 ISO image built on 2022/07/18
+### 2.3.140-20220719 ISO image built on 2022/07/19
 ### Download and Verify
-2.3.140-20220718 ISO image:
-https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso
+2.3.140-20220719 ISO image:
+https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220719.iso
-MD5: 9570065548DBFA6230F28FF623A8B61A
-SHA1: D48B2CC81DF459C3EBBC0C54BD9AAFAB4327CB75
-SHA256: 0E31E15EDFD3392B9569FCCAF1E4518432ECB0D7A174CCA745F2F22CDAC4A034
+MD5: 68768DF9861B93BB8CC9637C80239803
+SHA1: F15421C045227B334C7044E5F7F309A2BC7AEB19
+SHA256: 4736E3E80E28EFBAB1923C121A3F78DBDBCBBBF65D715924A88B2E96EB3C6093
 Signature for ISO image:
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220719.iso.sig
 Signing key:
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 Download the signature file for the ISO:
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220719.iso.sig
 ```
 Download the ISO image:
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220719.iso
 ```
 Verify the downloaded ISO image using the signature file:
 ```
-gpg --verify securityonion-2.3.140-20220718.iso.sig securityonion-2.3.140-20220718.iso
+gpg --verify securityonion-2.3.140-20220719.iso.sig securityonion-2.3.140-20220719.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Mon 18 Jul 2022 10:16:05 AM EDT using RSA key ID FE507013
+gpg: Signature made Tue 19 Jul 2022 02:00:29 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC "
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg: There is no indication that the signature belongs to the owner.
diff --git a/sigs/securityonion-2.3.140-20220719.iso.sig b/sigs/securityonion-2.3.140-20220719.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..6bcf9fd7d913ab61331e801daa6fbc2b83218f35 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;E$@jUB#DwD$r?do1-L2*#KDrTwJtC zB)1IOca$F#HNYs^V@S)ncI@FWZ1FX?! z36n>7`GB2HPN&bP%U;Dtm|dcLVsbe%XQvV6O{ZsGD)cL|J!kO>vEeSsZRJRk;il1@ z9Kt)zveuC8igQTpqmCoo3rI0F{?N}Dzs}W)&4*(IN7z-uPKMVWF@-6Huml@#i4TFD z1~Sh-@(3nui2^I9W!6bv*JT1P>y?H3VIO6Gs#`cHT?!|xiwZnzZA2(?#uT>W4T*VJ z8$WT!>>BR*5pf(ykUDP}HN4x8Dx6~BC9%6yTcfc)xHQ6uMe*}CS=$0Q`2%$fzMN@g z!B?%%j>6>~!NhU^AC({wRQSrT6yADtfVE!^$_aV#vRb3|qSBH$;hO`OlA91_rG6DSP9=z&?H=y}#qo0o(up literal 0 HcmV?d00001 From 1d2534b2a127f4cfc605e4d7f68ad71af56bcdf8 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 29 Jul 2022 08:24:57 -0400 Subject: [PATCH 81/84] Increment version --- HOTFIX | 2 +- VERSION | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/HOTFIX b/HOTFIX index 8ab213017..d3f5a12fa 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -20220719 + diff --git a/VERSION b/VERSION index 3994a975c..70a2b29d7 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.140 +2.3.150 From 2cc665bac635d961f9f1fe20570fd0d77dcee921 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 29 Jul 2022 09:55:20 -0400 Subject: [PATCH 82/84] https://github.com/Security-Onion-Solutions/securityonion/issues/8404 --- salt/top.sls | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/top.sls b/salt/top.sls index 87f96143f..27193f7ac 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -84,7 +84,9 @@ base: {%- if STRELKA %} - strelka {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} @@ -433,7 +435,9 @@ base: - redis - fleet - fleet.install_package + {%- if FILEBEAT %} - filebeat + {%- endif %} - schedule - docker_clean 
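Review bot: The new `{%- if FILEBEAT %}` guards in the two PATCH 82 hunks on this line (and the third on the next line) depend on a `FILEBEAT` flag whose definition is outside every hunk; the surrounding context shows the sibling flags (`{%- if STRELKA %}`, `{%- if FLEETMANAGER or FLEETNODE %}`) follow the same pattern, so confirm `FILEBEAT` is set alongside them at the top of top.sls. If it is missing, the outcome depends on the renderer's undefined-variable handling — either the whole top file fails to render for every minion or filebeat is silently dropped from all three roles — and neither failure points back at this change. A one-line comment where the flag is defined, noting that it now gates filebeat in three role blocks, would tie the pieces together; indentation inside these YAML hunks cannot be recovered from the collapsed text.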
@@ -507,7 +511,9 @@ base:
 {%- endif %}
 - schedule
 - docker_clean
+ {%- if FILEBEAT %}
 - filebeat
+ {%- endif %}
 - idh
 'J@workstation:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:CentOS )':
From 4c1585f8d8fecfad2a3000eabb94378339e6b353 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 29 Jul 2022 14:50:10 -0400
Subject: [PATCH 83/84] FIX: Display PCAP menu action on Dashboards page #8343
---
 salt/soc/files/soc/menu.actions.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/menu.actions.json b/salt/soc/files/soc/menu.actions.json
index 8af63f2a8..0a9894c89 100644
--- a/salt/soc/files/soc/menu.actions.json
+++ b/salt/soc/files/soc/menu.actions.json
@@ -19,7 +19,7 @@
 "/joblookup?esid={:soc_id}&time={:@timestamp}",
 "/joblookup?ncid={:network.community_id}&time={:@timestamp}"
 ],
- "categories": ["hunt", "alerts"]},
+ "categories": ["hunt", "alerts", "dashboards"]},
 { "name": "actionCyberChef", "description": "actionCyberChefHelp", "icon": "fas fa-bread-slice", "target": "_blank", "links": [
 "/cyberchef/#input={value|base64}"
From 10ba3b4b5a771193d8694fabe005d85e623e8236 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 29 Jul 2022 16:30:12 -0400
Subject: [PATCH 84/84] increment version
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index d5a8586cf..170bb0039 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-## Security Onion 2.3.140
+## Security Onion 2.3.150
-Security Onion 2.3.140 is here!
+Security Onion 2.3.150 is here!
 ## Screenshots