diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index 816c4f827..1e6299a8e 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.4.10-20230815 ISO image released on 2023/08/15 +### 2.4.10-20230821 ISO image released on 2023/08/21 ### Download and Verify -2.4.10-20230815 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230815.iso +2.4.10-20230821 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso -MD5: 97AEC929FB1FC22F106C0C93E3476FAB -SHA1: 78AF37FD19FDC34BA324C1A661632D19D1F2284A -SHA256: D04BA45D1664FC3CF7EA2188CB7E570642F6390C3959B4AFBB8222A853859394 +MD5: 353EB36F807DC947F08F79B3DCFA420E +SHA1: B25E3BEDB81BBEF319DC710267E6D78422F39C56 +SHA256: 3D369E92FEB65D14E1A981E99FA223DA52C92057A037C243AD6332B6B9A6D9BC Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230815.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS @@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230815.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230815.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.10-20230815.iso.sig securityonion-2.4.10-20230815.iso +gpg --verify securityonion-2.4.10-20230821.iso.sig securityonion-2.4.10-20230821.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Sun 13 Aug 2023 05:30:29 PM EDT using RSA key ID FE507013 +gpg: Signature made Mon 21 Aug 2023 09:47:50 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/HOTFIX b/HOTFIX index d3f5a12fa..2fd1e16d4 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ - +20230821 diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json index 178b6ed53..4887a1a01 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json @@ -20,8 +20,8 @@ ], "data_stream.dataset": "import", "custom": "", - "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n namespace: default\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows", - "tags": [ + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-1.34.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-1.24.0\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.34.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.34.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-1.24.0\n- add_fields:\n target: data_stream\n fields:\n dataset: import", + "tags": [ "import" ] } diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common index 197a111fb..6ada43003 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common @@ -62,8 +62,9 @@ elastic_fleet_package_latest_version_check() { } elastic_fleet_package_install() { - PKGKEY=$1 - curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PKGKEY" + PKG=$1 + VERSION=$2 + curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"force":true}' "localhost:5601/api/fleet/epm/packages/$PKG/$VERSION" } elastic_fleet_package_is_installed() { diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load index c1e14f64f..819d7ecff 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load @@ -11,7 +11,7 @@ {%- for PACKAGE in SUPPORTED_PACKAGES %} echo "Setting up {{ PACKAGE }} package..." VERSION=$(elastic_fleet_package_version_check "{{ PACKAGE }}") -elastic_fleet_package_install "{{ PACKAGE }}-$VERSION" +elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION" echo {%- endfor %} echo diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade index 81eb01534..2fb3f7798 100644 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade @@ -11,7 +11,7 @@ {%- for PACKAGE in SUPPORTED_PACKAGES %} echo "Upgrading {{ PACKAGE }} package..." VERSION=$(elastic_fleet_package_latest_version_check "{{ PACKAGE }}") -elastic_fleet_package_install "{{ PACKAGE }}-$VERSION" +elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION" echo {%- endfor %} echo diff --git a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 index 45583a464..688000fb7 100644 --- a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 +++ b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 @@ -78,7 +78,9 @@ { "set": { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } }, { "set": { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } }, { "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } }, - {"community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } }, + { "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.dataset", "value": "import" } }, + { "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.namespace", "value": "so" } }, + { "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } }, { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } ], "on_failure": [ diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index af09cc9df..0b4136065 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -569,6 +569,9 @@ upgrade_check() { # Let's make sure we actually need to update. NEWVERSION=$(cat $UPDATE_DIR/VERSION) HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX) + if [ ! -f /etc/sohotfix ]; then + touch /etc/sohotfix + fi [[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix) if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then echo "Checking to see if there are hotfixes needed" @@ -660,15 +663,15 @@ verify_latest_update_script() { } # Keeping this block in case we need to do a hotfix that requires salt update -#apply_hotfix() { +apply_hotfix() { # if [[ "$INSTALLEDVERSION" == "2.3.90" ]] ; then # fix_wazuh # elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then # 2_3_10_hotfix_1 # else -# echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" + echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" # fi -#} +} #upgrade salt to 3004.1 @@ -790,7 +793,7 @@ main() { else update_registry set +e - update_docker_containers "soup" + update_docker_containers "soup" "" "" "$SOUP_LOG" set -e fi diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index a25a7c270..4e48688f3 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -198,7 +198,7 @@ etc_elasticfleet_logstash_key: - new: True {% if salt['file.file_exists']('/etc/pki/elasticfleet-logstash.key') -%} - prereq: - - x509: etc_elasticfleet_crt + - x509: etc_elasticfleet_logstash_crt {%- endif %} - retry: attempts: 5 @@ -259,7 +259,7 @@ etc_elasticfleetlumberjack_key: - new: True {% if salt['file.file_exists']('/etc/pki/elasticfleet-lumberjack.key') -%} - prereq: - - x509: etc_elasticfleet_crt + - x509: etc_elasticfleetlumberjack_crt {%- endif %} - retry: attempts: 5 @@ -283,7 +283,7 @@ etc_elasticfleetlumberjack_crt: cmd.run: - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-lumberjack.key -topk8 -out /etc/pki/elasticfleet-lumberjack.p8 -nocrypt" - onchanges: - - x509: etc_elasticfleet_key + - x509: etc_elasticfleetlumberjack_key eflogstashlumberjackperms: file.managed: @@ -327,7 +327,7 @@ etc_elasticfleet_agent_key: - new: True {% if salt['file.file_exists']('/etc/pki/elasticfleet-agent.key') -%} - prereq: - - x509: etc_elasticfleet_crt + - x509: etc_elasticfleet_agent_crt {%- endif %} - retry: attempts: 5 @@ -350,7 +350,7 @@ etc_elasticfleet_agent_crt: cmd.run: - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-agent.key -topk8 -out /etc/pki/elasticfleet-agent.p8 -nocrypt" - onchanges: - - x509: etc_elasticfleet_key + - x509: etc_elasticfleet_agent_key efagentperms: file.managed: diff --git a/salt/suricata/config.sls b/salt/suricata/config.sls index c8666ef2b..9da40660e 100644 --- a/salt/suricata/config.sls +++ b/salt/suricata/config.sls @@ -68,6 +68,14 @@ surilogdir: - user: 940 - group: 939 +surinsmdir: + file.directory: + - name: /nsm/suricata + - user: 940 + - group: 939 + - mode: 755 + - makedirs: True + suridatadir: file.directory: - name: /nsm/suricata/extracted diff --git a/setup/so-setup b/setup/so-setup index d048cc8bc..2b9a0fd01 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -577,6 +577,7 @@ if ! [[ -f $install_opt_file ]]; then if [[ $waitforstate ]]; then touch /root/accept_changes + touch /etc/sohotfix make_some_dirs percentage=0 es_heapsize diff --git a/sigs/securityonion-2.4.10-20230821.iso.sig b/sigs/securityonion-2.4.10-20230821.iso.sig new file mode 100644 index 000000000..251032166 Binary files /dev/null and b/sigs/securityonion-2.4.10-20230821.iso.sig differ