From 0c079edc1acf6e78227e22cb1b1802f7e10f6d85 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 8 Jul 2021 14:27:16 -0400
Subject: [PATCH 01/37] Reverse proxy requests to playbook, soctopus, and nodered

---
 salt/nginx/etc/nginx.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index cafa583b5..bfde1dd53 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -277,6 +277,7 @@ http {
 }
 location /nodered/ {
+ auth_request /auth/sessions/whoami;
 proxy_pass http://{{ manager_ip }}:1880/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
@@ -290,6 +291,7 @@ http {
 }
 location /playbook/ {
+ auth_request /auth/sessions/whoami;
 proxy_pass http://{{ manager_ip }}:3200/playbook/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
@@ -346,6 +348,7 @@ http {
 }
 location /soctopus/ {
+ auth_request /auth/sessions/whoami;
 proxy_pass http://{{ manager_ip }}:7000/;
 proxy_read_timeout 300;
 proxy_connect_timeout 300;
From 08ba4fdbee00908972f70adc726ea47190c3a407 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 8 Jul 2021 16:34:16 -0400
Subject: [PATCH 02/37] Update Kibana saved objects to 7.13.3

---
 salt/kibana/files/saved_objects.ndjson | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/kibana/files/saved_objects.ndjson b/salt/kibana/files/saved_objects.ndjson
index ee2842b66..cdd334272 100644
--- a/salt/kibana/files/saved_objects.ndjson
+++ b/salt/kibana/files/saved_objects.ndjson
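Review bot: The added `auth_request` establishes only that the caller holds a valid session; nothing in these three location blocks (each continues past its hunk) forwards who that caller is, so Node-RED, Playbook and SOCtopus still receive an anonymous plain-HTTP request and cannot do per-user authorization — if that is ever needed, the whoami response would have to be surfaced with `auth_request_set` plus a `proxy_set_header`. The gate is also only as strong as the reachability of the upstreams: `{{ manager_ip }}:1880`, `:3200` and `:7000` are proxied directly, so unless the firewall state confines those ports to the manager itself a client on the management network could bypass nginx entirely; worth confirming rather than assuming. A one-line comment above each `auth_request` naming the intent, e.g. `# require an authenticated SOC session before proxying (handled by the /auth/ location)`, would help, since `/auth/sessions/whoami` is presumably defined elsewhere in this file and is not visible here.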
@@ -460,7 +460,7 @@ {"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":8,\"y\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":28,\"y\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefNa
me\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"columns\":[\"event_type\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"z16.04 - Sysmon - Logs","version":1},"id":"6d189680-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"3072c750-6d71-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"29611940-6d75-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHHk1sxQT5EBNmq43Y","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQyLDRd"} 
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Action (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Action (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQzLDRd"} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.subject.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ0LDRd"} -{"attributes":{"buildNum":39457,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":100,"theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion":"7.13.2","id":"7.13.2","migrationVersion":{"config":"7.12.0"},"references":[],"type":"config","updated_at":"2021-04-29T21:42:52.430Z","version":"WzY3NTUsM10="} 
+{"attributes":{"buildNum":39457,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":100,"theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion":"7.13.3","id":"7.13.3","migrationVersion":{"config":"7.12.0"},"references":[],"type":"config","updated_at":"2021-04-29T21:42:52.430Z","version":"WzY3NTUsM10="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - MIME Flavors","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - MIME Flavors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.flavors.mime.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ2LDRd"} 
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_9KpxQT5EBNmq4Oo","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ3LDRd"} 
{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"z16.04 - Bro - 
Modbus","version":1},"id":"70c005f0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"178209e0-6e1b-11e7-b553-7f80727663c1","name":"panel_5","type":"visualization"},{"id":"AWDG_9KpxQT5EBNmq4Oo","name":"panel_6","type":"visualization"},{"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ4LDRd"} From 90970f97e8695b62f7aa337bfd99d16a63059a4a Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 9 Jul 2021 15:44:27 -0400 Subject: [PATCH 03/37] Add function to check if files copied to local have been changed in default --- salt/common/tools/sbin/soup | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index bc95c5428..a59c63ffe 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -182,6 +182,33 @@ check_airgap() {
 fi
 }
+check_local_mods() {
+ local salt_local=/opt/so/saltstack/local
+
+ local_mod_arr=()
+
+ while IFS= read -r -d '' local_file; do
+ stripped_path=${local_file#"$salt_local"}
+ default_file="${DEFAULT_SALT_DIR}${stripped_path}"
+ if [[ -f $default_file ]]; then
+ file_diff=$(diff "$default_file" "$local_file" )
+ if [[ $(echo "$file_diff" | grep -c "^<") -gt 0 ]]; then
+ local_mod_arr+=( "$local_file" )
+ fi
+ fi
+ done< <(find $salt_local -type f -print0)
+
+ if [[ ${#local_mod_arr} -gt 0 ]]; then
+ echo "Potentially breaking changes found in the following files (check ${DEFAULT_SALT_DIR} for original copy):"
+ for file_str in "${local_mod_arr[@]}"; do
+ echo " $file_str"
+ done
+ echo ""
+ echo "To reference this list later, check $SOUP_LOG"
+ sleep 10
+ fi
+}
+
 check_sudoers() {
 if grep -q "so-setup" /etc/sudoers; then
 echo "There is an entry for so-setup in the sudoers file, this can be safely deleted using \"visudo\"."
@@ -956,6 +983,8 @@ main() {
 fi
 fi
+ check_local_mods
+
 check_sudoers
 if [[ -n $lsl_msg ]]; then
From c6bb32b8625e14f05d0903c342c0fcd0d508add0 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Sat, 10 Jul 2021 07:34:52 -0400
Subject: [PATCH 04/37] Bump version to 2.3.70

---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index 678d59d4f..e183d6a6c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3.60
+2.3.70
From ff656365d2b4be8658a228828872840854e31bad Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 12 Jul 2021 09:22:22 -0400
Subject: [PATCH 05/37] Add newline to local modifications warning

---
 salt/common/tools/sbin/soup | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index a59c63ffe..8ca8681d3 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
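Review bot: `${#local_mod_arr}` in the final `if` is the string length of the array's first element, not the element count; it happens to be 0 when the array is empty, but the intended test is `if [[ ${#local_mod_arr[@]} -gt 0 ]]; then`. The `file_diff=$(diff "$default_file" "$local_file" )` assignment also takes diff's exit status of 1 for every differing file, so if soup runs under `set -e` (not visible in this hunk) the loop would abort on the first locally modified file — `diff ... || true`, or checking `diff -q` directly, avoids that. Counting only `^<` lines means files the operator merely extended are deliberately not reported, which is reasonable but surprising; a comment such as `# only flag files where the updated default has lines the local copy lacks` would save the next reader from "fixing" it. The `sleep 10` is a pause rather than a confirmation, so a non-interactive run proceeds regardless of the warning.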
@@ -199,7 +199,8 @@ check_local_mods() { done< <(find $salt_local -type f -print0) if [[ ${#local_mod_arr} -gt 0 ]]; then - echo "Potentially breaking changes found in the following files (check ${DEFAULT_SALT_DIR} for original copy):" + echo "Potentially breaking changes found in the following files." + echo "(Check ${DEFAULT_SALT_DIR} for original copy):" for file_str in "${local_mod_arr[@]}"; do echo " $file_str" done From f3ecdf21bf93d22a1c5ee49ab61db44b010cfab0 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 12 Jul 2021 09:28:24 -0400 Subject: [PATCH 06/37] Revert "Add newline to local modifications warning" This reverts commit ff656365d2b4be8658a228828872840854e31bad. --- salt/common/tools/sbin/soup | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 8ca8681d3..a59c63ffe 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -199,8 +199,7 @@ check_local_mods() { done< <(find $salt_local -type f -print0) if [[ ${#local_mod_arr} -gt 0 ]]; then - echo "Potentially breaking changes found in the following files." - echo "(Check ${DEFAULT_SALT_DIR} for original copy):" + echo "Potentially breaking changes found in the following files (check ${DEFAULT_SALT_DIR} for original copy):" for file_str in "${local_mod_arr[@]}"; do echo " $file_str" done From 78c58e61ea3f5ee56db78bb8fcf972494a2309bb Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 12 Jul 2021 09:38:01 -0400 Subject: [PATCH 07/37] Resolves #4765 --- salt/common/tools/sbin/so-firewall | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 86387fc24..9772305fe 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall 
@@ -35,6 +35,7 @@ def showUsage(options, args):
 print('')
 print(' General commands:')
 print(' help - Prints this usage information.')
+ print(' apply - Apply the firewall state.')
 print('')
 print(' Host commands:')
 print(' listhostgroups - Lists the known host groups.')
@@ -66,7 +67,7 @@ def checkDefaultPortsOption(options):
 def checkApplyOption(options):
 if "--apply" in options:
- return apply()
+ return apply(None, None)
 def loadYaml(filename):
 file = open(filename, "r")
@@ -328,7 +329,7 @@ def removehost(options, args):
 code = checkApplyOption(options)
 return code
-def apply():
+def apply(options, args):
 proc = subprocess.run(['salt-call', 'state.apply', 'firewall', 'queue=True'])
 return proc.returncode
@@ -356,7 +357,8 @@ def main():
 "addport": addport,
 "removeport": removeport,
 "addhostgroup": addhostgroup,
- "addportgroup": addportgroup
+ "addportgroup": addportgroup,
+ "apply": apply
 }
 code=1
From a895270bc850eb65682daa090d973b435462e6b0 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 12 Jul 2021 10:27:43 -0400
Subject: [PATCH 08/37] Allow setting Filebeat logging level in pillar

---
 salt/filebeat/etc/filebeat.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 2a86b486f..f904ccfa6 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -16,6 +16,7 @@
 {%- set FBMEMFLUSHMINEVENTS = salt['pillar.get']('filebeat:mem_flush_min_events', 2048) -%}
 {%- set FBLSWORKERS = salt['pillar.get']('filebeat:ls_workers', 1) -%}
 {%- set FBLSBULKMAXSIZE = salt['pillar.get']('filebeat:ls_bulk_max_size', 2048) -%}
+{%- set FBLOGGINGLEVEL = salt['pillar.get']('filebeat:logging:level', 'warning') -%}
 name: {{ HOSTNAME }}
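Review bot: `apply` now doubles as a dispatch-table command but accepts `options, args` purely to match the table's calling convention and ignores both, which the code should say: `"""Run the 'firewall' Salt state; options/args are unused but required by the command table."""`. Leaving `subprocess.run` unchecked so `proc.returncode` propagates is fine, but `checkApplyOption` still returns `None` when `--apply` is absent, and the visible caller does `code = checkApplyOption(options); return code` — whether `main()` (outside this hunk) maps `None` to success or failure is not visible here and is worth pinning with an explicit `return 0`.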
@@ -25,7 +26,7 @@ name: {{ HOSTNAME }}
 # Sets log level. The default log level is info.
 # Available log levels are: error, warning, info, debug
-logging.level: warning
+logging.level: {{ FBLOGGINGLEVEL }}
 # Enable debug output for selected components. To enable all selectors use ["*"]
 # Other available selectors are "beat", "publish", "service"
From e6f9592cde56f07efafa3329cedb8922ce876833 Mon Sep 17 00:00:00 2001
From: doug
Date: Mon, 12 Jul 2021 13:24:21 -0400
Subject: [PATCH 09/37] FIX: Suricata dns.response.code needs to be renamed to dns.response.code_name #4770

---
 salt/elasticsearch/files/ingest/suricata.dns | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/elasticsearch/files/ingest/suricata.dns b/salt/elasticsearch/files/ingest/suricata.dns
index 85229ee92..2f5958e2e 100644
--- a/salt/elasticsearch/files/ingest/suricata.dns
+++ b/salt/elasticsearch/files/ingest/suricata.dns
@@ -12,7 +12,7 @@
 { "rename": { "field": "message2.dns.qr", "target_field": "dns.qr", "ignore_missing": true } },
 { "rename": { "field": "message2.dns.rd", "target_field": "dns.recursion.desired", "ignore_missing": true } },
 { "rename": { "field": "message2.dns.ra", "target_field": "dns.recursion.available", "ignore_missing": true } },
- { "rename": { "field": "message2.dns.rcode", "target_field": "dns.response.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.dns.rcode", "target_field": "dns.response.code_name", "ignore_missing": true } },
 { "rename": { "field": "message2.grouped.A", "target_field": "dns.answers.data", "ignore_missing": true } },
 { "rename": { "field": "message2.grouped.CNAME", "target_field": "dns.answers.name", "ignore_missing": true } },
 { "pipeline": { "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld" } },
From ca2b24f7357602c70857f713e406a77ea2a96397 Mon Sep 17 00:00:00 2001
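Review bot: `logging.level: {{ FBLOGGINGLEVEL }}` renders the pillar value unvalidated and unquoted, so a typo such as `warn`, or a non-string value, produces a filebeat.yml that Filebeat rejects at startup — and the comment two lines above already enumerates the only accepted values. Guard the lookup where it is defined (the earlier hunk of this patch), e.g. `{%- if FBLOGGINGLEVEL not in ['error', 'warning', 'info', 'debug'] %}{%- set FBLOGGINGLEVEL = 'warning' %}{%- endif %}` (Jinja `if` does not introduce a scope, so the reassignment is visible afterwards), or at minimum quote the rendered value. A short comment next to the `set`, `# filebeat:logging:level pillar, must be one of error|warning|info|debug`, would document the contract for operators.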
From: William Wernert
Date: Tue, 13 Jul 2021 08:46:57 -0400
Subject: [PATCH 10/37] Add jinja raw tag

---
 salt/common/tools/sbin/soup | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index a59c63ffe..ce8923e90 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -182,6 +182,8 @@ check_airgap() {
 fi
 }
+# {% raw %}
+
 check_local_mods() {
 local salt_local=/opt/so/saltstack/local
@@ -209,6 +211,8 @@ check_local_mods() {
 fi
 }
+# {% endraw %}
+
 check_sudoers() {
 if grep -q "so-setup" /etc/sudoers; then
 echo "There is an entry for so-setup in the sudoers file, this can be safely deleted using \"visudo\"."
From 7cdb9678103212056081867c367d8359c93342fb Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 13 Jul 2021 11:36:18 -0400
Subject: [PATCH 11/37] Only route to FB module pipeline if filebeat in metadata

---
 .../pipelines/config/so/9050_output_filebeatmodules.conf.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja
index 56c8a311b..f8a9b25af 100644
--- a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja
@@ -6,7 +6,7 @@
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 output {
- if [metadata][pipeline] {
+ if "filebeat" in [metadata][pipeline] {
 elasticsearch {
 id => "filebeat_modules_metadata_pipeline"
 pipeline => "%{[metadata][pipeline]}"
From e2c5967191b76830960af88458131a8cb6d0e6e5 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 13 Jul 2021 11:38:20 -0400
Subject: [PATCH 12/37] Update HOTFIX

---
 HOTFIX | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
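Review bot: The bare `# {% raw %}` / `# {% endraw %}` markers carry no explanation, and the reason is not obvious from the script: `check_local_mods` (whose body lies between the two hunks) uses `${#local_mod_arr}`, and the `{#` in that expansion is Jinja's comment opener, so when Salt renders this file (presumably as a Jinja template, given the fix) everything up to the next `#}` would be swallowed. Suggest documenting that on the opening tag, e.g. `# {% raw %}  # bash's ${#...} contains "{#", which Jinja would otherwise parse as a comment — keep any ${#...} usage inside this raw block`, so the next `${#arr[@]}` added elsewhere in soup does not reintroduce the breakage.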
diff --git a/HOTFIX b/HOTFIX index 6e1406eb7..af7d2d9ae 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -ECSFIX HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES +ECSFIX HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES FBPIPELINE From 741e825ab9c6b67287563272393cfeb5a5666441 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Jul 2021 15:44:26 -0400 Subject: [PATCH 13/37] Remove old airgap scripts --- salt/common/tools/sbin/so-airgap-hotfixapply | 64 ------------------- .../tools/sbin/so-airgap-hotfixdownload | 33 ---------- 2 files changed, 97 deletions(-) delete mode 100755 salt/common/tools/sbin/so-airgap-hotfixapply delete mode 100755 salt/common/tools/sbin/so-airgap-hotfixdownload diff --git a/salt/common/tools/sbin/so-airgap-hotfixapply b/salt/common/tools/sbin/so-airgap-hotfixapply deleted file mode 100755 index 0149cdf61..000000000 --- a/salt/common/tools/sbin/so-airgap-hotfixapply +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/bin/bash - -# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -. /usr/sbin/so-common - -UPDATE_DIR=/tmp/sohotfixapply - -if [ -z "$1" ]; then - echo "No tarball given. Please provide the filename so I can run the hotfix" - echo "so-airgap-hotfixapply /path/to/sohotfix.tar" - exit 1 -else - if [ ! -f "$1" ]; then - echo "Unable to find $1. Make sure your path is correct and retry." - exit 1 - else - echo "Determining if we need to apply this hotfix" - rm -rf $UPDATE_DIR - mkdir -p $UPDATE_DIR - tar xvf $1 -C $UPDATE_DIR - - # Compare some versions - NEWVERSION=$(cat $UPDATE_DIR/VERSION) - HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX) - CURRENTHOTFIX=$(cat /etc/sohotfix) - INSTALLEDVERSION=$(cat /etc/soversion) - - if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then - echo "Checking to see if there are hotfixes needed" - if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then - echo "You are already running the latest version of Security Onion." - rm -rf $UPDATE_DIR - exit 1 - else - echo "We need to apply a hotfix" - copy_new_files - echo $HOTFIXVERSION > /etc/sohotfix - salt-call state.highstate -l info queue=True - echo "The Hotfix $HOTFIXVERSION has been applied" - # Clean up - rm -rf $UPDATE_DIR - exit 0 - fi - else - echo "This hotfix is not compatible with your current version. 
Download the latest ISO and run soup" - rm -rf $UPDATE_DIR - fi - - fi -fi \ No newline at end of file diff --git a/salt/common/tools/sbin/so-airgap-hotfixdownload b/salt/common/tools/sbin/so-airgap-hotfixdownload deleted file mode 100755 index 422fa5f1f..000000000 --- a/salt/common/tools/sbin/so-airgap-hotfixdownload +++ /dev/null @@ -1,33 +0,0 @@ -#!/bin/bash - -# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -# Get the latest code -rm -rf /tmp/sohotfix -mkdir -p /tmp/sohotfix -cd /tmp/sohotfix -git clone https://github.com/Security-Onion-Solutions/securityonion -if [ ! -d "/tmp/sohotfix/securityonion" ]; then - echo "I was unable to get the latest code. Check your internet and try again." - exit 1 -else - echo "Looks like we have the code lets create the tarball." - cd /tmp/sohotfix/securityonion - tar cvf /tmp/sohotfix/sohotfix.tar HOTFIX VERSION salt pillar - echo "" - echo "Copy /tmp/sohotfix/sohotfix.tar to portable media and then copy it to your airgap manager." - exit 0 -fi \ No newline at end of file From 441cd3fc5916640f651eb3f4489ea9a9db7b55a0 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 14 Jul 2021 13:42:51 +0000 Subject: [PATCH 14/37] Move Wazuh-specific data to wazuh.data --- salt/elasticsearch/files/ingest/ossec | 1 + 1 file changed, 1 insertion(+) 
diff --git a/salt/elasticsearch/files/ingest/ossec b/salt/elasticsearch/files/ingest/ossec
index 868de2798..69bca3003 100644
--- a/salt/elasticsearch/files/ingest/ossec
+++ b/salt/elasticsearch/files/ingest/ossec
@@ -33,6 +33,7 @@
 { "rename": { "field": "data.win.eventdata.user", "target_field": "user.name", "ignore_missing": true } },
 { "rename": { "field": "data.win.system", "target_field": "winlog", "ignore_missing": true } },
 { "rename": { "field": "data.win.eventdata", "target_field": "winlog.event_data", "ignore_missing": true } },
+ { "rename": { "field": "data", "target_field": "wazuh.data", "ignore_missing": true } },
 { "rename": { "field": "winlog.eventID", "target_field": "winlog.event_id", "ignore_missing": true } },
 { "rename": { "field": "predecoder.program_name", "target_field": "process.name", "ignore_missing": true } },
 { "rename": { "field": "decoder.name", "target_field": "event.dataset", "ignore_missing": true } },
From 323b5d6694d698412227557e1cf18c282bcd92f6 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 14 Jul 2021 13:43:34 +0000
Subject: [PATCH 15/37] Add dynamic mapping for wazuh

---
 salt/elasticsearch/templates/so/so-common-template.json | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json
index 26a5f2ec7..8ac94793b 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json
+++ b/salt/elasticsearch/templates/so/so-common-template.json
@@ -680,6 +680,10 @@
 "redis":{
 "type":"object",
 "dynamic": true
+ },
+ "wazuh":{
+ "type":"object",
+ "dynamic": true
 }
 }
 }
From 723172bc1fe31c1f262f8bf599d98735cf19ff15 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 14 Jul 2021 13:45:09 +0000
Subject: [PATCH 16/37] Add path_unmatch for data.port so it is not mapped as integer

---
 salt/elasticsearch/templates/so/so-common-template.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
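Review bot: The new `data` → `wazuh.data` rename moves the entire remaining `data` object, so any processor later in this pipeline (outside the hunk) that still reads a `data.*` source field will now silently do nothing because of `ignore_missing: true`, and no ingest error will surface it — grep the rest of the file for `"field": "data.` before merging. The processors above it have already moved `data.win.system` and `data.win.eventdata`, so the leftover `data.win` parent (now empty) is carried into `wazuh.data.win` as well; if that is unwanted, a `remove` of `data.win` with `ignore_missing` before this line would keep the new object clean. Since ingest pipeline files have no comment syntax, the processor ordering constraint is best recorded in the commit message or the pipeline's `description` field.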
diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json index 8ac94793b..8afac271c 100644 --- a/salt/elasticsearch/templates/so/so-common-template.json +++ b/salt/elasticsearch/templates/so/so-common-template.json @@ -65,7 +65,8 @@ { "port": { "path_match": "*.port", - "mapping": { + "path_unmatch": "*.data.port", + "mapping": { "type": "integer", "fields" : { "keyword" : { From 92a80f9a58646e3994c77eb5c2f1d5b948c7c4b7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 14 Jul 2021 10:30:10 -0400 Subject: [PATCH 17/37] Update ISO info --- VERIFY_ISO.md | 22 +++++++++---------- sigs/securityonion-2.3.60-FBPIPELINE.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.60-FBPIPELINE.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index d64b20075..b79f81c72 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md 
@@ -1,18 +1,18 @@ -### 2.3.60-ECSFIX ISO image built on 2021/07/02 +### 2.3.60-FBPIPELINE ISO image built on 2021/07/13 ### Download and Verify -2.3.60-ECSFIX ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.60-ECSFIX.iso +2.3.60-FBPIPELINE ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.60-FBPIPELINE.iso -MD5: BCD2C449BD3B65D96A0D1E479C0414F9 -SHA1: 18FB8F33C19980992B291E5A7EC23D5E13853933 -SHA256: AD3B750E7FC4CA0D58946D8FEB703AE9B01508E314967566B06CFE5D8A8086E9 +MD5: 2EA2B337289D0CFF0C7488E8E88FE7BE +SHA1: 7C22F16AD395E079F4C5345093AF26C105E36D4C +SHA256: 3B685BBD19711229C5FCD5D254BA5024AF0C36A3E379790B5E83037CE2668724 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-ECSFIX.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-ECSFIX.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60-ECSFIX.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60-FBPIPELINE.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.60-ECSFIX.iso.sig securityonion-2.3.60-ECSFIX.iso +gpg --verify securityonion-2.3.60-FBPIPELINE.iso.sig securityonion-2.3.60-FBPIPELINE.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Fri 02 Jul 2021 10:15:04 AM EDT using RSA key ID FE507013 +gpg: Signature made Tue 13 Jul 2021 04:12:08 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig b/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..56418a152a0e92f0f49ecb19a5e5829208c02d07 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;90^Oyh%2@re`V7LBIa1(!}5B@xPR#8-;uiHcl0@3*S}#^;B0m+2ie*Z{>Lm)x zy!gLhT|?6%eOJbhKu%=&sA~Rb*1{>`o=S?7#9<9<1yXqNG%G%AQ0Vrlxa*;0aF{6m za0X?1iM6Z0Htd{UMpDl5UlAJWHk(^aW1R?%7{lC@Z#_uuJ(JcDn%|z8WYshk4b2v? zGJ`#Y-^m^?=iO|E!+C|0Wph?}OT^kib5jdg>*h>Ub{x2}DE@48$Q=!-EXJ#z))7C} ziKxQc@30q*wl^QoCBi!@N`N?iFRZUeb7rJv!9og4bsI`#sPJrshrK(B);G>A8sP^Q zea^e*Xs@#})uGVzrIJ3W9gO&Ph8Tb3LE4D-`{PEcyWm;@)w4DX14af#`LxwuuJCpe zUs@qnC+qYzF+2N^@Y3F?U9ZR7fUq`2%#_D)S>D&668~Oou^5CVoaWNsV)*8v1i=u1 z;c7DF!Q76NwQ(_aSFZFBwRyjiYslKr-xS4UT8KyrYQMcN2VF9-2RT#%5} h+6FRS4wBhD?XtfNC`;ny$o=-pb-6W>U0dsiZm&%O4_p8M literal 0 HcmV?d00001 From 05aad07bfc1e0277a90e9e391d9a0f82a93385c7 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 14 Jul 2021 15:04:46 +0000 Subject: [PATCH 18/37] Replace staging path with processed path for analyzed files --- salt/elasticsearch/files/ingest/strelka.file | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file index e5e8560f8..fbcf1252a 100644 --- a/salt/elasticsearch/files/ingest/strelka.file +++ b/salt/elasticsearch/files/ingest/strelka.file 
@@ -8,6 +8,7 @@
 { "rename": { "field": "scan.hash", "target_field": "hash", "ignore_missing": true } },
 { "rename": { "field": "scan.exiftool", "target_field": "exiftool", "ignore_missing": true } },
 { "grok": { "if": "ctx.request?.attributes?.filename != null", "field": "request.attributes.filename", "patterns": ["-%{WORD:log.id.fuid}-"], "ignore_failure": true } },
+ { "gsub": { "if": "ctx.request?.attributes?.filename != null", "field": "request.attributes.filename", "pattern": "\/nsm\/strelka\/staging", "replacement": "\/nsm\/strelka\/processed" } },
 {
 "foreach": {
 "if": "ctx.exiftool?.keys !=null",
From ff25cecd5444044e561bc89015ef7adbacf9a0bd Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Thu, 15 Jul 2021 13:53:31 -0400
Subject: [PATCH 19/37] Remove unused function
---
 setup/so-whiptail | 13 -------------
 1 file changed, 13 deletions(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index afd691632..0a2e5c53a 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -1844,19 +1844,6 @@ whiptail_suricata_pins() {
 }
-whiptail_node_updates() {
-
- [ -n "$TESTING" ] && return
-
- NODEUPDATES=$(whiptail --title "$whiptail_title" --radiolist \
- "How would you like to download OS package updates for your grid?" 20 75 4 \
- "MANAGER" "Manager node is proxy for updates." ON \
- "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 )
-
- local exitstatus=$?
- whiptail_check_exitstatus $exitstatus
-
-}
 whiptail_you_sure() {
From 33f396bdaeb53c711645f5a5e07a756dae8c07e0 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Thu, 15 Jul 2021 13:53:57 -0400
Subject: [PATCH 20/37] Add uppercase warning function
---
 setup/so-whiptail | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 0a2e5c53a..693d0554b 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
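Review bot: The `gsub` pattern `\/nsm\/strelka\/staging` is an unanchored Java regex, so it rewrites that substring wherever it appears in `request.attributes.filename`, not only as the leading path; anchor it with `"pattern": "^\/nsm\/strelka\/staging"`. The rewrite also assumes the file has been moved to `processed` by the time an analyst follows the indexed path — the mover is not visible here, so if a window exists where the file is still in `staging` the path will be wrong; recording that assumption in a processor `"description"` would help. Unlike the preceding `grok`, this processor has no `ignore_failure`, which is fine for a constant pattern but means a non-string value in the field fails the whole document rather than being skipped.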
@@ -1844,6 +1844,36 @@ whiptail_suricata_pins() {
 }
+# shellcheck disable=2120
+whiptail_uppercase_warning() {
+ local type=${1:-hostname}
+
+ local HOSTNAME='TestHostname'
+ local REDIRECTIT='my.TestDomain.com'
+
+ local msg
+ if [[ $type == 'hostname' ]]; then
+ read -r -d '' msg <<- EOM
+ The value "$HOSTNAME" contains non-lowercase characters.
+
+ Continuing with this hostname could render the system unusable in certain cases, and will also disable the option later in setup to access Security Onion's web interface via the hostname.
+ EOM
+ else
+ read -r -d '' msg <<- EOM
+ The value "$REDIRECTIT" contains non-lowercase characters.
+
+ Continuing with this value could render the system unusable in certain cases.
+ EOM
+ fi
+
+ read -r -d '' msg <<- EOM
+ $msg
+
+ For best results, it is recommended to only use lowercase ${type}s with Security Onion. For more information see https://docs.securityonion.com/uppercase (URL TBD)
+ EOM
+
+ whiptail --title "$whiptail_title" --yesno "$msg" --yes-button "Continue anyway" --no-button "Go back" 16 75
+}
 whiptail_you_sure() {
From ac98e1fd0f55900693e9b20293d6ca0a8d80d758 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Thu, 15 Jul 2021 16:36:24 -0400
Subject: [PATCH 21/37] Remove testing default values, change wording, set default option to no
---
 setup/so-whiptail | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 693d0554b..e404152e5 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
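Review bot: Each `read -r -d '' msg <<- EOM` exits with status 1 because `read` reaches end of input before finding the NUL delimiter; harmless on its own, but if `so-whiptail` is sourced by a script running under `set -e` (not visible here) the first assignment aborts setup — the usual idiom is `read -r -d '' msg <<- EOM || true`. `<<-` strips only leading tabs, so if the heredoc body is indented with spaces (indentation is lost in this rendering) the dialog text carries that indentation. The `(URL TBD)` placeholder in the last message is user-visible and should be resolved or dropped before release.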
@@ -1846,21 +1846,19 @@ whiptail_suricata_pins() {
 # shellcheck disable=2120
 whiptail_uppercase_warning() {
- local type=${1:-hostname}
-
- local HOSTNAME='TestHostname'
- local REDIRECTIT='my.TestDomain.com'
+ local type=$1
 local msg
- if [[ $type == 'hostname' ]]; then
+ if [[ -z $type ]]; then
+ type="hostname"
 read -r -d '' msg <<- EOM
- The value "$HOSTNAME" contains non-lowercase characters.
+ The value "$HOSTNAME" contains uppercase characters.
 Continuing with this hostname could render the system unusable in certain cases, and will also disable the option later in setup to access Security Onion's web interface via the hostname.
 EOM
 else
 read -r -d '' msg <<- EOM
- The value "$REDIRECTIT" contains non-lowercase characters.
+ The value "$REDIRECTHOST" contains uppercase characters.
 Continuing with this value could render the system unusable in certain cases.
 EOM
@@ -1872,7 +1870,7 @@ whiptail_uppercase_warning() {
 For best results, it is recommended to only use lowercase ${type}s with Security Onion. For more information see https://docs.securityonion.com/uppercase (URL TBD)
 EOM
- whiptail --title "$whiptail_title" --yesno "$msg" --yes-button "Continue anyway" --no-button "Go back" 16 75
+ whiptail --title "$whiptail_title" --yesno "$msg" --yes-button "Continue anyway" --no-button "Go back" --defaultno 16 75
 }
 whiptail_you_sure() {
From b552973e004dab7fc35cd62a01f8d22fd1557d62 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Thu, 15 Jul 2021 16:36:46 -0400
Subject: [PATCH 22/37] Add logic to show uppercase warning message when appropriate
---
 salt/common/tools/sbin/so-common | 14 +++++++++++++
 setup/so-functions | 34 ++++++++++++++++++++++++++++++--
 setup/so-whiptail | 13 ++++++----
 3 files changed, 55 insertions(+), 6 deletions(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index c4f6aca30..ce59c64db 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
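Review bot: The argument's meaning is easy to misread: an empty `$1` selects the message about the setup hostname (built from `$HOSTNAME`), while any non-empty value — callers pass `hostname` or `domain name` — selects the `$REDIRECTHOST` message and is used only as the noun in the closing sentence, so a caller passing `hostname` for the redirect case lands in the `else` branch as intended but not obviously. A comment above the function would make that explicit, e.g. `# $1 empty: warn about $HOSTNAME (setup hostname prompt); otherwise $1 is the noun ("hostname"/"domain name") for a warning about $REDIRECTHOST`. The `# shellcheck disable=2120` directive already hints that the parameter is optional, but not what the two modes are.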
@@ -160,6 +160,14 @@ fail() {
 exit 1
 }
+fqdn_lowercase() {
+ local fqdn=$1
+
+ echo "$fqdn" | grep -qP '(?=^.{4,253}$)(^((?!-)[a-z0-9-]{0,62}[a-z0-9]\.)+[a-z]{2,63}$)' \
+ && return 0 \
+ || return 1
+}
+
 get_random_value() {
 length=${1:-20}
 head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1
@@ -186,6 +194,12 @@ header() {
 printf '%s\n' "" "$banner" " $*" "$banner"
 }
+hostname_lowercase() {
+ local hostname=$1
+
+ [[ $hostname =~ ^[a-z0-9\-]+$ ]] && return 0 || return 1
+}
+
 init_monitor() {
 MONITORNIC=$1
diff --git a/setup/so-functions b/setup/so-functions
index ff019953e..98dd007cb 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -423,14 +423,28 @@ collect_homenet_snsr() {
 }
 collect_hostname() {
+ collect_hostname_validate
+
+ while ! hostname_lowercase "$HOSTNAME"; do
+ if ! (whiptail_uppercase_warning); then
+ collect_hostname_validate
+ else
+ no_use_hostname=true
+ break
+ fi
+ done
+}
+
+collect_hostname_validate() {
 if [[ $automated == no ]] && [[ "$HOSTNAME" == *'localhost'* ]]; then HOSTNAME=securityonion; fi
 whiptail_set_hostname "$HOSTNAME"
- if [[ $HOSTNAME == 'securityonion' ]]; then # Will only check HOSTNAME=securityonion once
+ if [[ -z $default_hostname_flag ]] && [[ $HOSTNAME == 'securityonion' ]]; then # Will only check HOSTNAME=securityonion once
 if ! (whiptail_avoid_default_hostname); then
 whiptail_set_hostname "$HOSTNAME"
 fi
+ default_hostname_flag=true
 fi
 while ! valid_hostname "$HOSTNAME"; do
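Review bot: `collect_hostname` hands state to later steps through two implicit globals, `no_use_hostname` (read by `whiptail_set_redirect` in this same change to hide the HOSTNAME option) and `default_hostname_flag`, neither of which is declared or documented where it is set. A short comment above `collect_hostname` would make the contract visible, e.g. `# Sets no_use_hostname=true when the user keeps a hostname with uppercase characters; whiptail_set_redirect then hides the HOSTNAME option`, with a similar line on `default_hostname_flag` noting that it suppresses the default-hostname prompt on re-entry. `collect_hostname_validate` continues past the end of this hunk.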
@@ -648,7 +662,23 @@ collect_proxy_details() {
 }
 collect_redirect_host() {
- whiptail_set_redirect_host "$HOSTNAME"
+ collect_redirect_host_validate
+
+ while ! hostname_lowercase "$REDIRECTHOST" && ! fqdn_lowercase "$REDIRECTHOST"; do
+ local text
+ ! valid_hostname "$REDIRECTHOST" && text="domain name" || text="hostname"
+ if ! (whiptail_uppercase_warning "$text"); then
+ collect_redirect_host_validate "$REDIRECTHOST"
+ else
+ break
+ fi
+ done
+}
+
+collect_redirect_host_validate() {
+ local prefill=${1:-$HOSTNAME}
+
+ whiptail_set_redirect_host "$prefill"
 while ! valid_ip4 "$REDIRECTHOST" && ! valid_hostname "$REDIRECTHOST" && ! valid_fqdn "$REDIRECTHOST"; do
 whiptail_invalid_input
diff --git a/setup/so-whiptail b/setup/so-whiptail
index e404152e5..10d86ec2b 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
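Review bot: `! valid_hostname "$REDIRECTHOST" && text="domain name" || text="hostname"` uses the `A && B || C` list as a ternary; it is correct only because the middle command is an assignment that cannot fail, and a plain conditional says the same thing without that subtlety: `if valid_hostname "$REDIRECTHOST"; then text="hostname"; else text="domain name"; fi`. The `local text` declaration inside the loop body also re-declares on every iteration; hoisting it above the `while` is cleaner. `collect_redirect_host_validate` continues past the end of this hunk.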
@@ -1661,11 +1661,16 @@ whiptail_set_redirect() {
 [ -n "$TESTING" ] && return
+ local options=()
+ options+=( "IP" "Use IP address to access the web interface" ON )
+ [[ $no_use_hostname != true ]] && options+=( "HOSTNAME" "Use hostname to access the web interface" OFF )
+ options+=("OTHER" "Use a different name like a FQDN or Load Balancer" OFF)
+
 REDIRECTINFO=$(whiptail --title "$whiptail_title" --radiolist \
- "How would you like to access the web interface?\n\nSecurity Onion uses strict cookie enforcement, so whatever you choose here will be the only way that you can access the web interface.\n\nIf you choose something other than IP address, then you'll need to ensure that you can resolve the name via DNS or hosts entry. If you are unsure, please select IP." 20 75 4 \
- "IP" "Use IP address to access the web interface" ON \
- "HOSTNAME" "Use hostname to access the web interface" OFF \
- "OTHER" "Use a different name like a FQDN or Load Balancer" OFF 3>&1 1>&2 2>&3 )
+ "How would you like to access the web interface?\n\nSecurity Onion uses strict cookie enforcement, so whatever you choose here will be the only way that you can access the web interface.\n\nIf you choose something other than IP address, then you'll need to ensure that you can resolve the name via DNS or hosts entry. If you are unsure, please select IP." 20 75 4 \
+ "${options[@]}" \
+ 3>&1 1>&2 2>&3
+ )
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
 }
From 0deb77468fe57484f2c38c7f0be7f2103e378cf1 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Fri, 16 Jul 2021 15:39:09 -0400
Subject: [PATCH 23/37] Change uppercase regex
Check for any uppercase characters rather than revalidating input sans uppercase
---
 salt/common/tools/sbin/so-common | 22 ++++++++--------------
 setup/so-functions | 4 ++--
 2 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index ce59c64db..7ad74ad49 100755
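Review bot: The new conditional reads `no_use_hostname`, a global set by `collect_hostname` in another file (`setup/so-functions`), and nothing in this function says where it comes from or when it is set; suggest a comment on that line, e.g. `# HOSTNAME is offered only when collect_hostname did not record a non-lowercase hostname (no_use_hostname=true)`. Without it, a reader of `so-whiptail` alone cannot tell whether an unset variable here is a bug or the normal case.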
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -160,14 +160,6 @@ fail() {
 exit 1
 }
-fqdn_lowercase() {
- local fqdn=$1
-
- echo "$fqdn" | grep -qP '(?=^.{4,253}$)(^((?!-)[a-z0-9-]{0,62}[a-z0-9]\.)+[a-z]{2,63}$)' \
- && return 0 \
- || return 1
-}
-
 get_random_value() {
 length=${1:-20}
 head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1
@@ -194,12 +186,6 @@ header() {
 printf '%s\n' "" "$banner" " $*" "$banner"
 }
-hostname_lowercase() {
- local hostname=$1
-
- [[ $hostname =~ ^[a-z0-9\-]+$ ]] && return 0 || return 1
-}
-
 init_monitor() {
 MONITORNIC=$1
@@ -386,6 +372,14 @@ set_version() {
 fi
 }
+has_uppercase() {
+ local string=$1
+
+ echo "$string" | grep -qP '[A-Z]' \
+ && return 0 \
+ || return 1
+}
+
 valid_cidr() {
 # Verify there is a backslash in the string
 echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1
diff --git a/setup/so-functions b/setup/so-functions
index 98dd007cb..7bbaa1fda 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -425,7 +425,7 @@ collect_homenet_snsr() {
 collect_hostname() {
 collect_hostname_validate
- while ! hostname_lowercase "$HOSTNAME"; do
+ while has_uppercase "$HOSTNAME"; do
 if ! (whiptail_uppercase_warning); then
 collect_hostname_validate
 else
@@ -664,7 +664,7 @@ collect_proxy_details() {
 collect_redirect_host() {
 collect_redirect_host_validate
- while ! hostname_lowercase "$REDIRECTHOST" && ! fqdn_lowercase "$REDIRECTHOST"; do
+ while has_uppercase "$REDIRECTHOST"; do
 local text
 ! valid_hostname "$REDIRECTHOST" && text="domain name" || text="hostname"
 if ! (whiptail_uppercase_warning "$text"); then
From 7e86681509c8216c371dfb0fa2bd3a543516d6dd Mon Sep 17 00:00:00 2001
From: doug
Date: Fri, 16 Jul 2021 16:50:49 -0400
Subject: [PATCH 24/37] FIX: Airgap link to Release Notes #4685
---
 salt/soc/files/soc/soc.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 36135b6e5..fc6d5f28d 100644
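Review bot: `has_uppercase` pushes the value through `echo`, so a string that is itself an echo option (`-e`, `-n`, `-E`) is swallowed and, for example, `-E` reports no uppercase; `printf '%s\n' "$string"` does not have that problem. The trailing `&& return 0 || return 1` is redundant since the function's status is already grep's, so the body can be the single line `printf '%s\n' "$1" | grep -qP '[A-Z]'` (keeping `-P` preserves the ASCII-only meaning of `[A-Z]` regardless of locale). Inputs reaching this function have already passed `valid_hostname`/`valid_fqdn`, which presumably reject a leading dash, so this is defence in depth rather than a live bug.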
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -91,9 +91,11 @@
 {%- if ISAIRGAP is sameas true %}
 "docsUrl": "/docs/",
 "cheatsheetUrl": "/docs/cheatsheet.pdf",
+ "releaseNotesUrl": "/docs/#release-notes",
 {%- else %}
 "docsUrl": "https://docs.securityonion.net/en/2.3/",
 "cheatsheetUrl": "https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf",
+ "releaseNotesUrl": "https://docs.securityonion.net/en/2.3/release-notes",
 {%- endif %}
 "apiTimeoutMs": {{ API_TIMEOUT }},
 "webSocketTimeoutMs": {{ WEBSOCKET_TIMEOUT }},
From bde86e0383ed6673211a382850cf6202507d1131 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 19 Jul 2021 12:42:46 -0400
Subject: [PATCH 25/37] Use http_auth instead of username/password until Curator is upgraded to next version
---
 salt/curator/files/curator.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/salt/curator/files/curator.yml b/salt/curator/files/curator.yml
index bdde14fc1..956f60491 100644
--- a/salt/curator/files/curator.yml
+++ b/salt/curator/files/curator.yml
@@ -18,17 +18,15 @@ client:
 hosts:
 - {{elasticsearch}}
 port: 9200
-{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
- username: {{ ES_USER }}
- password: {{ ES_PASS }}
-{% endif %}
+{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
+ http_auth: {{ ES_USER }}:{{ ES_PASS }}
+{%- endif %}
 url_prefix:
 use_ssl: True
 certificate:
 client_cert:
 client_key:
 ssl_no_validate: True
- http_auth:
 timeout: 30
 master_only: False
From 0669aa6bbdb6d9d924c4b6506e764d716320561c Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 19 Jul 2021 12:49:43 -0400
Subject: [PATCH 26/37] Update HOTFIX
---
 HOTFIX | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/HOTFIX b/HOTFIX
index af7d2d9ae..31f81a97c 100644
--- a/HOTFIX
+++ b/HOTFIX
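Review bot: `http_auth: {{ ES_USER }}:{{ ES_PASS }}` renders an unquoted YAML scalar, so a password containing ` #` or `: `, or starting with an indicator such as `*`, `&`, `!`, `%`, `@` or a quote, changes or breaks the parsed value and Curator fails to authenticate. Quote it, `http_auth: "{{ ES_USER }}:{{ ES_PASS }}"`, which is safe as long as the password holds no `"` or `\` — true if it comes from `get_random_value` (alphanumeric only), but an operator-set value may not. Separately, these credentials are now sent on every Curator run while `ssl_no_validate: True` stays in place, so anything able to impersonate Elasticsearch on the network can collect them; if the grid CA is reachable from the Curator container, pointing `certificate:` at it and dropping `ssl_no_validate` closes that.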
@@ -1 +1 @@
-ECSFIX HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES FBPIPELINE
+ECSFIX HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES FBPIPELINE CURATORAUTH
From fea4f3f9734bce630a409640f4d465c467c6078e Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 19 Jul 2021 12:57:42 -0400
Subject: [PATCH 27/37] Check if Filebeat modules are being used for incoming Beats
---
 salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
index 2ad403ab9..c6537d2f5 100644
--- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
@@ -6,7 +6,7 @@
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 output {
- if "beat-ext" in [tags] and "import" not in [tags] {
+ if "beat-ext" in [tags] and "import" not in [tags] and "filebeat" not in [metadata][pipeline] {
 elasticsearch {
 pipeline => "beats.common"
 hosts => "{{ ES }}"
From 3b6e683d37b795943bf2116b6cc71cf21fb57008 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 20 Jul 2021 09:21:22 -0400
Subject: [PATCH 28/37] Curator Fix
---
 VERIFY_ISO.md | 22 +++++++++---------
 sigs/securityonion-2.3.60-CURATORAUTH.iso.sig | Bin 0 -> 543 bytes
 2 files changed, 11 insertions(+), 11 deletions(-)
 create mode 100644 sigs/securityonion-2.3.60-CURATORAUTH.iso.sig
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index b79f81c72..1e35ea1c7 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
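Review bot: The new test reads `[metadata][pipeline]`, an ordinary top-level `metadata` field, whereas the pipeline name Filebeat attaches for its modules travels in the Beats `@metadata` namespace, which Logstash exposes as `[@metadata][pipeline]`; unless something upstream copies it (not visible here) the condition stays true for module events and they keep hitting `beats.common`. If `@metadata` is the intended source the line should read `if "beat-ext" in [tags] and "import" not in [tags] and "filebeat" not in [@metadata][pipeline] {`. Events that the new clause excludes also need another output that forwards them to their module pipeline, and `not in` against a missing field is a known source of surprises in Logstash conditionals, so both paths deserve a test event. The `output` block continues beyond this hunk.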
@@ -1,18 +1,18 @@ -### 2.3.60-FBPIPELINE ISO image built on 2021/07/13 +### 2.3.60-CURATORAUTH ISO image built on 2021/07/19 ### Download and Verify -2.3.60-FBPIPELINE ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.60-FBPIPELINE.iso +2.3.60-CURATORAUTH ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.60-CURATORAUTH.iso -MD5: 2EA2B337289D0CFF0C7488E8E88FE7BE -SHA1: 7C22F16AD395E079F4C5345093AF26C105E36D4C -SHA256: 3B685BBD19711229C5FCD5D254BA5024AF0C36A3E379790B5E83037CE2668724 +MD5: 953DD42AB3A3560BB35F4E9F69212AE3 +SHA1: 5D18B98B19FD7F8C799E88FC28ABC46990FC6B9B +SHA256: E26F43F969241985DC74915842492F876EC7B8CBAF5F2F52405554E7C92408C2 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-CURATORAUTH.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-CURATORAUTH.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60-FBPIPELINE.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60-CURATORAUTH.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.60-FBPIPELINE.iso.sig securityonion-2.3.60-FBPIPELINE.iso +gpg --verify securityonion-2.3.60-CURATORAUTH.iso.sig securityonion-2.3.60-CURATORAUTH.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Tue 13 Jul 2021 04:12:08 PM EDT using RSA key ID FE507013 +gpg: Signature made Mon 19 Jul 2021 01:25:34 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.3.60-CURATORAUTH.iso.sig b/sigs/securityonion-2.3.60-CURATORAUTH.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..b6213a63d68f1cc5eb07502cc7193d16ecc8c3f1 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;98wT=J^2@re`V7LBIa1#f15B?;qEFC}ui!zZ*i3L+X zJCL-0Z26gU(PHf&Ul9kjFI<#mJh2bji~}q@T%$C*vGN2clstW>&6cMy-`{?@e&gIg z7}xPNP$!NqTpYsdIAdm63_Ryg54pNNevsnWV^D6g-~3F~`3_D`k5ZQ55Db){gvjPQV-cX`J$(qeL4B7ZMEnXV6;2Gv7PC#Ed(hx=_&%ezixwucVMGf_z$U z%kJ+oGKiKKO0FJT|Cpis>2u*kw`k``b*oN2SD~dn&I|ktVH|MJGXX>RwK>Q$|C+e| zAICSgCiV!3V|EFyqUy&(4xtL_BXQh-Lj0qINA4jh6;Nj~L0W%Su0-e$ky~g*rYSj5 zG$9E5n9l~h^yU{*+_UT$e}2T{3Dylr122{>08Yi0vXjeCtYe2aVvhY)W#o%_ofo~< zd=qN6iR!x9)|a)0POs+HlDsO%wYJu))ayju>%{N9N6+9IGe z^=1tcZX2@XW&g97uh|jdqkxqm$~2BW1b7oc Date: Wed, 21 Jul 2021 14:40:23 -0400 Subject: [PATCH 29/37] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 678d59d4f..625e2aa35 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.60 +2.3.61 From 7c9df2d75a6636ac2416e3966e8350c340051e79 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 21 Jul 2021 14:40:53 -0400 Subject: [PATCH 30/37] Update HOTFIX --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index 31f81a97c..d3f5a12fa 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -ECSFIX HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES FBPIPELINE CURATORAUTH + From 74874dfff2337a69a864e45fb5628a8d359b9763 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 21 Jul 2021 14:59:33 -0400 Subject: [PATCH 31/37] Allow web pages to load blob data --- salt/nginx/etc/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index cafa583b5..4fa5c8435 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf 
@@ -149,7 +149,7 @@ http {
 root /opt/socore/html;
 index index.html;
- add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:; frame-ancestors 'self'";
+ add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob:; frame-ancestors 'self'";
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Content-Type-Options nosniff;
From ad8c12afa5340e67066ff74a0604bf8005794726 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 21 Jul 2021 15:07:02 -0400
Subject: [PATCH 32/37] Upgrade ES to 7.13.4
---
 salt/kibana/files/saved_objects.ndjson | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/kibana/files/saved_objects.ndjson b/salt/kibana/files/saved_objects.ndjson
index ee2842b66..56fd82222 100644
--- a/salt/kibana/files/saved_objects.ndjson
+++ b/salt/kibana/files/saved_objects.ndjson
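Review bot: Adding `blob:` to `default-src` grants blob URLs to every fetch directive that is not set explicitly — `script-src`, `object-src`, `worker-src` and `frame-src` included — when the feature being unblocked (not visible here) most likely needs it in just one of `worker-src`, `img-src` or `media-src`. This policy already carries `'unsafe-inline'`, `'unsafe-eval'` and `https:`, so `default-src` is close to no restriction; better to leave it as it was and add a scoped directive after confirming which one the page needs, e.g. `worker-src 'self' blob:; img-src 'self' https: data: blob:; object-src 'none';`. Unrelated context line, but `X-XSS-Protection "1; mode=block"` is now advised against in favour of `X-XSS-Protection 0`, as the auditor it controlled has been removed from current browsers and only ever introduced filter-driven bugs.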
@@ -460,7 +460,7 @@ {"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":8,\"y\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":28,\"y\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefNa
me\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"columns\":[\"event_type\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"z16.04 - Sysmon - Logs","version":1},"id":"6d189680-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"3072c750-6d71-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"29611940-6d75-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHHk1sxQT5EBNmq43Y","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQyLDRd"} 
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Action (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Action (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQzLDRd"} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.subject.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ0LDRd"} -{"attributes":{"buildNum":39457,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":100,"theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion":"7.13.2","id":"7.13.2","migrationVersion":{"config":"7.12.0"},"references":[],"type":"config","updated_at":"2021-04-29T21:42:52.430Z","version":"WzY3NTUsM10="} 
+{"attributes":{"buildNum":39457,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":100,"theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion":"7.13.4","id":"7.13.4","migrationVersion":{"config":"7.12.0"},"references":[],"type":"config","updated_at":"2021-04-29T21:42:52.430Z","version":"WzY3NTUsM10="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - MIME Flavors","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - MIME Flavors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.flavors.mime.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ2LDRd"} 
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_9KpxQT5EBNmq4Oo","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ3LDRd"} 
{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"z16.04 - Bro - 
Modbus","version":1},"id":"70c005f0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"178209e0-6e1b-11e7-b553-7f80727663c1","name":"panel_5","type":"visualization"},{"id":"AWDG_9KpxQT5EBNmq4Oo","name":"panel_6","type":"visualization"},{"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ4LDRd"} From fa9d7afb46a6f6dfff675c6e18484356aff82511 Mon Sep 17 00:00:00 2001 From: doug Date: Fri, 16 Jul 2021 16:50:49 -0400 Subject: [PATCH 33/37] FIX: Airgap link to Release Notes #4685 --- salt/soc/files/soc/soc.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 36135b6e5..fc6d5f28d 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -91,9 +91,11 @@ {%- if ISAIRGAP is sameas true %} "docsUrl": "/docs/", "cheatsheetUrl": "/docs/cheatsheet.pdf", + "releaseNotesUrl": "/docs/#release-notes", {%- else %} "docsUrl": "https://docs.securityonion.net/en/2.3/", "cheatsheetUrl": "https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf", + "releaseNotesUrl": "https://docs.securityonion.net/en/2.3/release-notes", {%- endif %} "apiTimeoutMs": {{ API_TIMEOUT }}, "webSocketTimeoutMs": {{ WEBSOCKET_TIMEOUT }}, From 257062e20c30e10cebc4a827e53a75301e57d181 Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Thu, 22 Jul 2021 09:48:34 -0400 Subject: [PATCH 34/37] Update release notes link to match top right menu for airgap --- salt/soc/files/soc/motd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/motd.md b/salt/soc/files/soc/motd.md index ab9d6b843..fd95b089d 100644 --- a/salt/soc/files/soc/motd.md +++ b/salt/soc/files/soc/motd.md @@ -6,7 +6,7 @@ If you're ready to dive-in, take a look at the [Alerts](/#/alerts) interface to ## What's New -The release notes have moved to the upper-right menu. Click on the [What's New](/docs/#document-release-notes) menu option to find all the latest fixes and features in this version of Security Onion! +The release notes have moved to the upper-right menu. Click on the [What's New](/docs/#release-notes) menu option to find all the latest fixes and features in this version of Security Onion! ## Customize This Space From 3d3593a1a9f8edb658a3c2ec1b206d5c825e2bae Mon Sep 17 00:00:00 2001 From: doug Date: Mon, 12 Jul 2021 13:24:21 -0400 Subject: [PATCH 35/37] FIX: Suricata dns.response.code needs to be renamed to dns.response.code_name #4770 --- salt/elasticsearch/files/ingest/suricata.dns | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/suricata.dns b/salt/elasticsearch/files/ingest/suricata.dns index 85229ee92..2f5958e2e 100644 --- a/salt/elasticsearch/files/ingest/suricata.dns +++ b/salt/elasticsearch/files/ingest/suricata.dns 
@@ -12,7 +12,7 @@
 { "rename": { "field": "message2.dns.qr", "target_field": "dns.qr", "ignore_missing": true } },
 { "rename": { "field": "message2.dns.rd", "target_field": "dns.recursion.desired", "ignore_missing": true } },
 { "rename": { "field": "message2.dns.ra", "target_field": "dns.recursion.available", "ignore_missing": true } },
- { "rename": { "field": "message2.dns.rcode", "target_field": "dns.response.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.dns.rcode", "target_field": "dns.response.code_name", "ignore_missing": true } },
 { "rename": { "field": "message2.grouped.A", "target_field": "dns.answers.data", "ignore_missing": true } },
 { "rename": { "field": "message2.grouped.CNAME", "target_field": "dns.answers.name", "ignore_missing": true } },
 { "pipeline": { "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld" } },
From 578c7aac35608c2c3ddeec01127812725ccf32e2 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 22 Jul 2021 13:06:26 -0400
Subject: [PATCH 36/37] 2.3.61
---
 VERIFY_ISO.md | 22 +++++++++++-----------
 sigs/securityonion-2.3.61.iso.sig | Bin 0 -> 543 bytes
 2 files changed, 11 insertions(+), 11 deletions(-)
 create mode 100644 sigs/securityonion-2.3.61.iso.sig
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index 1e35ea1c7..f71c088cf 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
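Review bot: The rename target change to `dns.response.code_name` on the `message2.dns.rcode` processor takes effect only at ingest, so any saved search, dashboard panel or alert rule that still filters Suricata DNS events on `dns.response.code` silently stops matching new events while already-indexed documents keep the old field for the rest of their retention, and nothing in this commit updates those consumers, which means a detection keyed on NXDOMAIN/SERVFAIL volume would go quiet rather than fail loudly. If the motivation is that Suricata's `rcode` is a textual status (NXDOMAIN, NOERROR) that clashes with a numeric `dns.response.code` written by another source, that reason is not recoverable from this hunk and is worth recording on the processor itself, e.g. `{ "rename": { "description": "Suricata rcode is a text status; kept in code_name so it does not collide with dns.response.code from other sources", "field": "message2.dns.rcode", "target_field": "dns.response.code_name", "ignore_missing": true } },` (per-processor `description` should be accepted by the 7.x ingest API used here, but confirm against the deployed version). Queries that must span old and new documents during the transition can match either field, `dns.response.code:X OR dns.response.code_name:X`, until the old indices age out. The processors array this hunk sits in begins and ends outside the hunk.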
@@ -1,18 +1,18 @@ -### 2.3.60-CURATORAUTH ISO image built on 2021/07/19 +### 2.3.61 ISO image built on 2021/07/22 ### Download and Verify -2.3.60-CURATORAUTH ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.60-CURATORAUTH.iso +2.3.61 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.61.iso -MD5: 953DD42AB3A3560BB35F4E9F69212AE3 -SHA1: 5D18B98B19FD7F8C799E88FC28ABC46990FC6B9B -SHA256: E26F43F969241985DC74915842492F876EC7B8CBAF5F2F52405554E7C92408C2 +MD5: 538F29F3AB57087FC879108FFC81447C +SHA1: C2239206572CBEB697CFA2A4850A16A54BF5FB0D +SHA256: F5035361B63D1EE8D87CE7B0D8333E521A44453274785B62630CAC76C1BEA929 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-CURATORAUTH.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.61.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-CURATORAUTH.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.61.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60-CURATORAUTH.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.61.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.60-CURATORAUTH.iso.sig securityonion-2.3.60-CURATORAUTH.iso +gpg --verify securityonion-2.3.61.iso.sig securityonion-2.3.61.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 19 Jul 2021 01:25:34 PM EDT using RSA key ID FE507013 +gpg: Signature made Thu 22 Jul 2021 10:28:58 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.3.61.iso.sig b/sigs/securityonion-2.3.61.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..4e191e92e47c6afafbeb0f041867b484d8f36da4 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;9CfT{or2@re`V7LBIa1+~%5BvOM0jYh4l-9AQB5Zui0q#+#cO zjA&c*#$Ko|PEbmw-|;@3r^+uHAs$u|m$KoxR{?t6Sng!TGgKH@aC3RuidTnh(4lCQ zGT3bQpumljQvi@Ha2Tl)GjY zlGEO}XfzK#06-cma3eu(hKWb1wUu%j9UKv8$zH`yJ3j6XFsEM3i4CW|*0^5;0 z_g_U!Bb1Z?uz&%rR0(JlZ literal 0 HcmV?d00001 From 7a753a56ece051427440b95e657b0b291ae2493f Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Thu, 22 Jul 2021 13:53:58 -0400 Subject: [PATCH 37/37] Update README with 2.3.61 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4bff52b20..b3a31cbf8 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.3.60 +## Security Onion 2.3.61 -Security Onion 2.3.60 is here! +Security Onion 2.3.61 is here! ## Screenshots