From e84d624d2326456fcde6c4c8230f3a1d53f3812c Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 16 Aug 2023 20:10:20 +0000 Subject: [PATCH 01/11] Force package installation --- salt/elasticfleet/tools/sbin/so-elastic-fleet-common | 5 +++-- .../tools/sbin_jinja/so-elastic-fleet-package-upgrade | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common index 197a111fb..6ada43003 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common @@ -62,8 +62,9 @@ elastic_fleet_package_latest_version_check() { } elastic_fleet_package_install() { - PKGKEY=$1 - curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PKGKEY" + PKG=$1 + VERSION=$2 + curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"force":true}' "localhost:5601/api/fleet/epm/packages/$PKG/$VERSION" } elastic_fleet_package_is_installed() { diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade index 81eb01534..2fb3f7798 100644 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade @@ -11,7 +11,7 @@ {%- for PACKAGE in SUPPORTED_PACKAGES %} echo "Upgrading {{ PACKAGE }} package..." VERSION=$(elastic_fleet_package_latest_version_check "{{ PACKAGE }}") -elastic_fleet_package_install "{{ PACKAGE }}-$VERSION" +elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION" echo {%- endfor %} echo From 4887eb4957cd0c2409bc5472e657fa4115f3df2f Mon Sep 17 00:00:00 2001 
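Review bot: `elastic_fleet_package_install` now sends `-d '{"force":true}'`, which (as I understand the Fleet EPM API) tells Kibana to skip its own checks on the requested package version, yet the function validates neither its inputs nor the result: `$PKG` and `$VERSION` go into the URL unchecked, `curl -s` runs without `-f`/`--fail`, and its exit status is discarded, so an empty `$VERSION` becomes a forced POST to `.../packages/$PKG/` and an HTTP 4xx/5xx reads as success. Guard both ends of the function: `[ -n "$PKG" ] && [ -n "$VERSION" ] || { echo "package and version required" >&2; return 1; }` before the request, and `curl -sf ... || { echo "install of $PKG $VERSION failed" >&2; return 1; }` for the request itself. A one-line comment above the curl recording why `force` is needed (the subject line says "Force package installation" but not why) would stop a later reader from removing it as a hardening fix.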
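Review bot: `VERSION=$(elastic_fleet_package_latest_version_check "{{ PACKAGE }}")` is still handed to the install call without a check, so a failed or empty lookup now yields a forced install with an empty version segment in the URL instead of the old `{{ PACKAGE }}-` string. Because Jinja unrolls this loop, there is no bash loop to `continue`; wrap the call instead: `if [ -n "$VERSION" ]; then elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION"; else echo "Could not determine latest version for {{ PACKAGE }}, skipping" >&2; fi`. What the version-check helper prints on failure is outside this hunk, so the exact failure mode is inferred.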
From: weslambert Date: Wed, 16 Aug 2023 22:31:14 -0400 Subject: [PATCH 02/11] Update so-elastic-fleet-package-load --- .../elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load index c1e14f64f..819d7ecff 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load @@ -11,7 +11,7 @@ {%- for PACKAGE in SUPPORTED_PACKAGES %} echo "Setting up {{ PACKAGE }} package..." VERSION=$(elastic_fleet_package_version_check "{{ PACKAGE }}") -elastic_fleet_package_install "{{ PACKAGE }}-$VERSION" +elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION" echo {%- endfor %} echo From 7971d9749ac5bc441a4aa35e76ea2d23688b0fd7 Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 17 Aug 2023 14:08:48 +0000 Subject: [PATCH 03/11] Assign pipeline to import --- .../integrations/grid-nodes_general/import-evtx-logs.json | 4 ++-- salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json index 178b6ed53..4887a1a01 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json 
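Review bot: The same unguarded `$VERSION` appears here: the output of `elastic_fleet_package_version_check` is passed straight to a forced install, and an empty result becomes a POST to `.../packages/{{ PACKAGE }}/`. Add `[ -n "$VERSION" ] || { echo "No version found for {{ PACKAGE }}" >&2; exit 1; }` before the call (or an `if`/`else` that skips the package, if setup should continue) so a broken package lookup fails visibly rather than leaving the integration in an unknown state. I cannot see what the check helper emits on failure, so the empty-string case is inferred.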
@@ -20,8 +20,8 @@ ], "data_stream.dataset": "import", "custom": "", - "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n namespace: default\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows", - "tags": [ + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: 
\"@metadata\"\n fields:\n pipeline: logs-system.security-1.34.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-1.24.0\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.34.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.34.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-1.24.0\n- add_fields:\n target: data_stream\n fields:\n dataset: import", + "tags": [ "import" ] } diff --git a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 index 45583a464..688000fb7 100644 --- a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 +++ b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 
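Review bot: The `@metadata.pipeline` values added to the processors string pin exact integration pipeline versions (`logs-system.security-1.34.0`, `logs-windows.sysmon_operational-1.24.0`, `logs-windows.powershell_operational-1.24.0`, and the application/system ones), while patch 01 of this series switches package installs to the latest available version; after the `system` or `windows` package is upgraded the pipelines those names refer to may no longer exist, and imported EVTX events would then fail ingest or land unparsed — a quiet detection gap for exactly the evidence an analyst chose to import. Prefer rendering the version from the same source that decides which package version gets installed, or at minimum keep a note next to this file (strict JSON has no comment syntax) stating that these five version strings must be bumped with every `system`/`windows` package upgrade. The new trailing `add_fields` setting `data_stream.dataset: import` and the dropped `namespace: default` also change routing for every imported event; whether the final-pipeline change later in this series fully compensates is worth confirming on a real import.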
@@ -78,7 +78,9 @@ { "set": { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } }, { "set": { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } }, { "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } }, - {"community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } }, + { "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.dataset", "value": "import" } }, + { "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.namespace", "value": "so" } }, + { "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } }, { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } ], "on_failure": [ From fb3fee5d4bb288b9582a19b11de0c03be04a1919 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 17 Aug 2023 14:43:35 -0400 Subject: [PATCH 04/11] Update HOTFIX --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index d3f5a12fa..2fd1e16d4 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ - +20230821 From e04ec1042a6a8cec477b8475416095e5506e4e8c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 18 Aug 2023 09:12:19 -0400 Subject: [PATCH 05/11] Update soup --- salt/manager/tools/sbin/soup | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index af09cc9df..857ce0775 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup 
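Review bot: The two new `set` processors use `ctx.tags.0 == 'import'`, which is not null-safe — on a document with no `tags` field the condition throws instead of evaluating false, unlike the neighbouring `ctx.network?.direction` conditions — and because this is the Fleet final pipeline every data stream's documents pass through it, so a thrown condition sends the whole document to the `on_failure` handler below (whose body is outside this hunk). Matching only index 0 is also fragile: `import` as a second tag is ignored, and since tags are set on the agent side, any agent whose policy puts `import` first has its data rewritten into the `import` dataset / `so` namespace — likely acceptable here, but worth a comment. Suggest `"if": "ctx.tags != null && ctx.tags.contains('import')"` on both processors.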
@@ -660,15 +660,15 @@ verify_latest_update_script() { } # Keeping this block in case we need to do a hotfix that requires salt update -#apply_hotfix() { +apply_hotfix() { # if [[ "$INSTALLEDVERSION" == "2.3.90" ]] ; then # fix_wazuh # elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then # 2_3_10_hotfix_1 # else -# echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" + echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" # fi -#} +} #upgrade salt to 3004.1 From 8aeb4706e1cc7416248faf1d523682871747a69a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 18 Aug 2023 09:57:51 -0400 Subject: [PATCH 06/11] force soup docker output to log --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index af09cc9df..0277d373d 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -790,7 +790,7 @@ main() { else update_registry set +e - update_docker_containers "soup" + update_docker_containers "soup" "" "" "$SOUP_LOG" set -e fi From 0d4a49a0fff14cc42ceff84ef619b7c9e8bda4d7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 18 Aug 2023 15:34:36 -0400 Subject: [PATCH 07/11] Update so-setup --- setup/so-setup | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-setup b/setup/so-setup index d048cc8bc..2b9a0fd01 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -577,6 +577,7 @@ if ! [[ -f $install_opt_file ]]; then if [[ $waitforstate ]]; then touch /root/accept_changes + touch /etc/sohotfix make_some_dirs percentage=0 es_heapsize From 421cfc46ad8d456a0b6f46044a64771a1b572956 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 18 Aug 2023 15:39:58 -0400 Subject: [PATCH 08/11] Update soup --- salt/manager/tools/sbin/soup | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index d0b8f4b22..0b4136065 100755 --- a/salt/manager/tools/sbin/soup 
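Review bot: `update_docker_containers "soup" "" "" "$SOUP_LOG"` passes two empty positional arguments whose meaning is not visible from the call site, and the function's signature is outside this hunk, so the next person touching `main` has to go find it to know what is being skipped. A short comment on the line naming the parameters — e.g. `# args: caller, <container filter>, <image filter>, log file` with the real names — or named variables for the two empties would make the intent self-evident.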
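Review bot: `touch /etc/sohotfix` creates an empty marker, and patch 08 of this series has `soup` read it with `CURRENTHOTFIX=$(cat /etc/sohotfix)`, so a fresh install will compare the shipped `HOTFIX` value (`20230821`) against an empty string on its first `soup` run — which, depending on the comparison logic outside these hunks, may re-run hotfix steps the ISO already contains. If the installer has the repo's `HOTFIX` file on hand, writing its contents into the marker (`cp <path-to>/HOTFIX /etc/sohotfix`) records the state actually installed rather than "unknown"; otherwise a comment such as `# empty marker: no hotfix applied yet, soup will apply the current one` should document that the re-run is intended.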
+++ b/salt/manager/tools/sbin/soup @@ -569,6 +569,9 @@ upgrade_check() { # Let's make sure we actually need to update. NEWVERSION=$(cat $UPDATE_DIR/VERSION) HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX) + if [ ! -f /etc/sohotfix ]; then + touch /etc/sohotfix + fi [[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix) if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then echo "Checking to see if there are hotfixes needed" From e2fd371886fb7d24e49523d63b79db78fab5c8d7 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 21 Aug 2023 07:26:37 -0400 Subject: [PATCH 09/11] Fix certs on Rec and Heavy --- salt/ssl/init.sls | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index a25a7c270..4e48688f3 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -198,7 +198,7 @@ etc_elasticfleet_logstash_key: - new: True {% if salt['file.file_exists']('/etc/pki/elasticfleet-logstash.key') -%} - prereq: - - x509: etc_elasticfleet_crt + - x509: etc_elasticfleet_logstash_crt {%- endif %} - retry: attempts: 5 @@ -259,7 +259,7 @@ etc_elasticfleetlumberjack_key: - new: True {% if salt['file.file_exists']('/etc/pki/elasticfleet-lumberjack.key') -%} - prereq: - - x509: etc_elasticfleet_crt + - x509: etc_elasticfleetlumberjack_crt {%- endif %} - retry: attempts: 5 @@ -283,7 +283,7 @@ etc_elasticfleetlumberjack_crt: cmd.run: - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-lumberjack.key -topk8 -out /etc/pki/elasticfleet-lumberjack.p8 -nocrypt" - onchanges: - - x509: etc_elasticfleet_key + - x509: etc_elasticfleetlumberjack_key eflogstashlumberjackperms: file.managed: @@ -327,7 +327,7 @@ etc_elasticfleet_agent_key: - new: True {% if salt['file.file_exists']('/etc/pki/elasticfleet-agent.key') -%} - prereq: - - x509: etc_elasticfleet_crt + - x509: etc_elasticfleet_agent_crt {%- endif %} - retry: attempts: 5 
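Review bot: After the new `if [ ! -f /etc/sohotfix ]; then touch /etc/sohotfix; fi`, the existing `[[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix)` guard can never be false, and on a host where the file was absent `CURRENTHOTFIX` is now the empty string rather than unset — a difference that matters only if the comparison further down (outside this hunk) distinguishes the two. Simplify to `touch /etc/sohotfix` followed by `CURRENTHOTFIX=$(cat /etc/sohotfix)`, and since this value decides whether hotfix steps run as root, add `# empty marker => no hotfix recorded yet; the current HOTFIX will be applied` so the empty-string semantics are explicit. `upgrade_check` continues past the end of the hunk.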
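Review bot: The `openssl pkcs8 ... -out /etc/pki/elasticfleet-lumberjack.p8 -nocrypt` command whose `onchanges` this hunk re-targets writes an unencrypted private key with whatever mode the minion's umask yields, and the `eflogstashlumberjackperms` `file.managed` that presumably tightens it is a separate state that runs afterwards, leaving a window in which the `.p8` can be readable by other local users. Salt's `cmd.run` accepts `- umask: 077`, which closes the window at creation time independent of the later state; the same applies to the agent `.p8` conversion in the following hunk. The state id for this `cmd.run` is above the hunk and the perms state body is cut off, so whether it already covers this is inferred.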
@@ -350,7 +350,7 @@ etc_elasticfleet_agent_crt: cmd.run: - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-agent.key -topk8 -out /etc/pki/elasticfleet-agent.p8 -nocrypt" - onchanges: - - x509: etc_elasticfleet_key + - x509: etc_elasticfleet_agent_key efagentperms: file.managed: From 710b800bc22ff64f55c8e82deb16c27499db02fe Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 21 Aug 2023 09:00:11 -0400 Subject: [PATCH 10/11] Update config.sls --- salt/suricata/config.sls | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/suricata/config.sls b/salt/suricata/config.sls index c8666ef2b..9da40660e 100644 --- a/salt/suricata/config.sls +++ b/salt/suricata/config.sls @@ -68,6 +68,14 @@ surilogdir: - user: 940 - group: 939 +surinsmdir: + file.directory: + - name: /nsm/suricata + - user: 940 + - group: 939 + - mode: 755 + - makedirs: True + suridatadir: file.directory: - name: /nsm/suricata/extracted From 84d5d52ec850d157ab58461ac5ef807899318cae Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 21 Aug 2023 15:36:57 -0400 Subject: [PATCH 11/11] 2.4.10 Hotfix --- DOWNLOAD_AND_VERIFY_ISO.md | 22 ++++++++++----------- sigs/securityonion-2.4.10-20230821.iso.sig | Bin 0 -> 566 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.4.10-20230821.iso.sig diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index 816c4f827..1e6299a8e 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md 
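Review bot: The new `surinsmdir` state creates `/nsm/suricata` with `mode: 755`, world-searchable, and `suridatadir` (`/nsm/suricata/extracted`, which holds Suricata's file-extraction output — carved, potentially malicious files) sits directly under it; the child's mode is cut off by the hunk, so whether anything stricter applies below is not visible. If no one outside the 940/939 owner/group needs to traverse the parent, `mode: 750` here (and on the child) is the least-privilege choice; if another service does need it, a one-line comment such as `# 755: traversed by <service>` would keep the next reviewer from tightening it blindly. Whether 755 is a deliberate requirement or a default carried over from `surilogdir` above is inferred.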
@@ -1,18 +1,18 @@ -### 2.4.10-20230815 ISO image released on 2023/08/15 +### 2.4.10-20230821 ISO image released on 2023/08/21 ### Download and Verify -2.4.10-20230815 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230815.iso +2.4.10-20230821 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso -MD5: 97AEC929FB1FC22F106C0C93E3476FAB -SHA1: 78AF37FD19FDC34BA324C1A661632D19D1F2284A -SHA256: D04BA45D1664FC3CF7EA2188CB7E570642F6390C3959B4AFBB8222A853859394 +MD5: 353EB36F807DC947F08F79B3DCFA420E +SHA1: B25E3BEDB81BBEF319DC710267E6D78422F39C56 +SHA256: 3D369E92FEB65D14E1A981E99FA223DA52C92057A037C243AD6332B6B9A6D9BC Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230815.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230815.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230815.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.10-20230815.iso.sig securityonion-2.4.10-20230815.iso +gpg --verify securityonion-2.4.10-20230821.iso.sig securityonion-2.4.10-20230821.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Sun 13 Aug 2023 05:30:29 PM EDT using RSA key ID FE507013 +gpg: Signature made Mon 21 Aug 2023 09:47:50 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.4.10-20230821.iso.sig b/sigs/securityonion-2.4.10-20230821.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..251032166d6230346dbf71728f011eebc5da5576 GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%YTB1^@~P5PT3| zxBgIY6Sa5`{10%j$#G-=&7)Yq?msqB@!u8T^uU>^@;#Crl{W6zggRK{<&)>3PB<|W z3QeU+TCg*fDq}`2`@kpe+l91Igs!)ZOmc&uoQQuB^tUYOd*WEMp4^%fbozh-CKmR; zkbRG*xPHN#ORrwOPdyA*I3(_Ms3_!*l@+3*YJiWet3vUg(gexEZ- z3>e?Faf*TjCy9~w$OfJTsO~Dpa{8^kv9Wy%KQ^CnYLTdgozr!IqoXsOvoJ~Trb-m) z7ia>3pr}A2=k4KGs;ed1eNIp380u=}J4hw+vNkq53Cs@BM0-a=2l({(&!+3rEBX{Y z#oJnGgJ5dRbxaSLZ3m(-twNHPUv1eTjpR-!537!>D01}zIBR53z5YCEeSZ%K6LBKz zg?a5yptkv##1Gjf1DRzBkRgZ~OmojzHOkR$i>+2{*LMqgQerR2H(qZiQP<`atWbCw z`nKWfmeeAOFyBG~BmiKF6-IFe|7M;vJ+k(AE?QBn$4klcY49);j2Qi3zGHsNUsZX- z^tsTqc@y5=wjs(=8sgj6llp7&OS*KK_A{)k$TDgWqnT-ZCVD zh_$&2)-T`}yCIFrqvU1>;qnuX5StsZmIbF_-3zS~fFyiK#wIr9abDudJoMmpK@FQu EZ&ou9XaE2J literal 0 HcmV?d00001