diff --git a/README.md b/README.md index d3f7ac829..912ac745a 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.0.0.rc1 +## Security Onion 2.0.2.rc1 -Security Onion 2.0.0 RC1 is here! This version requires a fresh install, but there is good news - we have brought back soup! From now on, you should be able to run soup on the manager to upgrade your environment to RC2 and beyond! +Security Onion 2.0.2 RC1 is here! This version requires a fresh install, but there is good news - we have brought back soup! From now on, you should be able to run soup on the manager to upgrade your environment to RC2 and beyond! ### Warnings and Disclaimers diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index abefebfc6..7ff0536b9 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,16 +1,16 @@ -### 2.0.0-rc1 ISO image built on 2020/07/20 +### 2.0.2-rc1 ISO image built on 2020/07/23 ### Download and Verify -2.0.0-rc1 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.0.0-rc1.iso +2.0.2-rc1 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.0.2-rc1.iso -MD5: 788570E839439C23956581C6145B8689 -SHA1: A87CAF016C989D4DB4D4ED619DF072B708BA28FE -SHA256: C5AC6419AF40CB98E93C53CE4101E7DE5F51AEE76DB46734191D783503649210 +MD5: DC991385818DB7A4242F4BF7045D1250 +SHA1: 0BD458F01F10B324DF90F95201CC33B9DEBEAFA3 +SHA256: BE851E5FB1952942A9C10F6563DF6EF93381D734FDFD7E05FFAC77A5064F781A Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.0.0-rc1.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.0.2-rc1.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -24,22 +24,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.0.0-rc1.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.0.2-rc1.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.0.0-rc1.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.0.2-rc1.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.0.0-rc1.iso.sig securityonion-2.0.0-rc1.iso +gpg --verify securityonion-2.0.2-rc1.iso.sig securityonion-2.0.2-rc1.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 20 Jul 2020 03:01:19 PM EDT using RSA key ID FE507013 +gpg: Signature made Thu 23 Jul 2020 10:38:04 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index c6d3d6bf0..f902d659c 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow @@ -127,7 +127,7 @@ salt-call state.apply firewall queue=True if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then # If analyst, add to Wazuh AR whitelist if [ "$FULLROLE" == "analyst" ]; then - WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" + WAZUH_MGR_CFG="/nsm/wazuh/etc/ossec.conf" if ! grep -q "$IP" $WAZUH_MGR_CFG ; then DATE=$(date) sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG diff --git a/salt/elastalert/files/rules/so/suricata_thehive.yaml b/salt/elastalert/files/rules/so/suricata_thehive.yaml index cd887c9f9..fb6c6448d 100644 
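Review bot: `WAZUH_MGR_CFG="/nsm/wazuh/etc/ossec.conf"` is used immediately by `if ! grep -q "$IP" $WAZUH_MGR_CFG`, which treats a missing file the same as "IP not yet whitelisted" (grep exits 2 and `!` inverts it), so on a host where the new path has not been populated yet the script falls through to `sed -i` against a file that does not exist. Guard the path before using it, e.g. `[ -f "$WAZUH_MGR_CFG" ] || { printf 'Wazuh config not found: %s\n' "$WAZUH_MGR_CFG" >&2; exit 1; }`, and quote `"$WAZUH_MGR_CFG"` in the grep and sed lines while touching them. The same new path and the same unguarded grep/sed pattern appear in the `salt/wazuh/files/wazuh-manager-whitelist` hunk further down. The enclosing `if [ "$FULLROLE" == "analyst" ]` block continues outside the hunk.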
--- a/salt/elastalert/files/rules/so/suricata_thehive.yaml +++ b/salt/elastalert/files/rules/so/suricata_thehive.yaml @@ -9,7 +9,7 @@ es_host: {{es}} es_port: 9200 name: Suricata-Alert type: frequency -index: "so-ids-*" +index: "*:so-ids-*" num_events: 1 timeframe: minutes: 10 diff --git a/salt/elastalert/files/rules/so/wazuh_thehive.yaml b/salt/elastalert/files/rules/so/wazuh_thehive.yaml index ccb79e1e5..c01bb5894 100644 --- a/salt/elastalert/files/rules/so/wazuh_thehive.yaml +++ b/salt/elastalert/files/rules/so/wazuh_thehive.yaml @@ -9,7 +9,7 @@ es_host: {{es}} es_port: 9200 name: Wazuh-Alert type: frequency -index: "so-ossec-*" +index: "*:so-ossec-*" num_events: 1 timeframe: minutes: 10 diff --git a/salt/elasticsearch/files/ingest/beats.common b/salt/elasticsearch/files/ingest/beats.common index cafbc9e94..4e358582e 100644 --- a/salt/elasticsearch/files/ingest/beats.common +++ b/salt/elasticsearch/files/ingest/beats.common 
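Review bot: `index: "*:so-ids-*"` is a cross-cluster-search pattern and only resolves through configured remote clusters, so if the manager's own cluster is not registered as a remote (I cannot tell from this diff) the rule silently matches nothing and no Suricata alerts reach TheHive. If local indices are meant to be covered as well, `index: "so-ids-*,*:so-ids-*"` keeps both paths working. The same applies to `index: "*:so-ossec-*"` in the `wazuh_thehive.yaml` hunk.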
@@ -1,53 +1,8 @@ { "description" : "beats.common", "processors" : [ - {"community_id": {"if": "ctx.winlog.event_data?.Protocol != null", "field":["winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.Protocol"],"target_field":"network.community_id"}}, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "field": "event.module", "value": "sysmon", "override": true } }, - { "set": { "if": "ctx.winlog?.channel != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } }, - { "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } }, - { "set": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "field": "event.dataset", "value": "{{winlog.channel}}", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.category", "value": "host,process,network", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.category", "value": "host,process", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.dataset", "value": "process_creation", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 2", "field": "event.dataset", "value": "process_changed_file", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.dataset", "value": "network_connection", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 5", "field": "event.dataset", 
"value": "process_terminated", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 6", "field": "event.dataset", "value": "driver_loaded", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 7", "field": "event.dataset", "value": "image_loaded", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 8", "field": "event.dataset", "value": "create_remote_thread", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 9", "field": "event.dataset", "value": "raw_file_access_read", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 10", "field": "event.dataset", "value": "process_access", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 11", "field": "event.dataset", "value": "file_create", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 12", "field": "event.dataset", "value": "registry_create_delete", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 13", "field": "event.dataset", "value": "registry_value_set", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 14", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 15", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 
'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 16", "field": "event.dataset", "value": "config_change", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 22", "field": "event.dataset", "value": "dns_query", "override": true } }, - { "rename": { "field": "agent.hostname", "target_field": "agent.name", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.DestinationPort", "target_field": "destination.port", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.Image", "target_field": "process.executable", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.ProcessID", "target_field": "process.pid", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.ProcessGuid", "target_field": "process.entity_id", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.CommandLine", "target_field": "process.command_line", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.CurrentDirectory", "target_field": "process.working_directory", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.Description", "target_field": "process.pe.description", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.Product", "target_field": "process.pe.product", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.OriginalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.FileVersion", 
"target_field": "process.pe.file_version", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.ParentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.ParentImage", "target_field": "process.parent.executable", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.ParentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.ParentProcessId", "target_field": "process.ppid", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.Protocol", "target_field": "network.transport", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.SourceHostname", "target_field": "source.hostname", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.SourceIp", "target_field": "source.ip", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } }, + { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } }, + { "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } }, { "pipeline": { "name": "common" } } ] } \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/sysmon b/salt/elasticsearch/files/ingest/sysmon new file mode 100644 index 000000000..de6112d89 --- /dev/null +++ b/salt/elasticsearch/files/ingest/sysmon 
@@ -0,0 +1,52 @@ +{ + "description" : "sysmon", + "processors" : [ + {"community_id": {"if": "ctx.winlog.event_data?.Protocol != null", "field":["winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.Protocol"],"target_field":"network.community_id"}}, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "field": "event.module", "value": "sysmon", "override": true } }, + { "set": { "if": "ctx.winlog?.channel != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } }, + { "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } }, + { "set": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "field": "event.dataset", "value": "{{winlog.channel}}", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.category", "value": "host,process,network", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.category", "value": "host,process", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.dataset", "value": "process_creation", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 2", "field": "event.dataset", "value": "process_changed_file", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.dataset", "value": "network_connection", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 5", "field": "event.dataset", "value": 
"process_terminated", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 6", "field": "event.dataset", "value": "driver_loaded", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 7", "field": "event.dataset", "value": "image_loaded", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 8", "field": "event.dataset", "value": "create_remote_thread", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 9", "field": "event.dataset", "value": "raw_file_access_read", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 10", "field": "event.dataset", "value": "process_access", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 11", "field": "event.dataset", "value": "file_create", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 12", "field": "event.dataset", "value": "registry_create_delete", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 13", "field": "event.dataset", "value": "registry_value_set", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 14", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 15", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' 
&& ctx.event?.code == 16", "field": "event.dataset", "value": "config_change", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 22", "field": "event.dataset", "value": "dns_query", "override": true } }, + { "rename": { "field": "agent.hostname", "target_field": "agent.name", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.DestinationPort", "target_field": "destination.port", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.Image", "target_field": "process.executable", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ProcessID", "target_field": "process.pid", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ProcessGuid", "target_field": "process.entity_id", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.CommandLine", "target_field": "process.command_line", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.CurrentDirectory", "target_field": "process.working_directory", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.Description", "target_field": "process.pe.description", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.Product", "target_field": "process.pe.product", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.OriginalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.FileVersion", "target_field": "process.pe.file_version", 
"ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ParentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ParentImage", "target_field": "process.parent.executable", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ParentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ParentProcessId", "target_field": "process.ppid", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.Protocol", "target_field": "network.transport", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.SourceHostname", "target_field": "source.hostname", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.SourceIp", "target_field": "source.ip", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } } + ] +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/win.eventlogs b/salt/elasticsearch/files/ingest/win.eventlogs new file mode 100644 index 000000000..acdf97263 --- /dev/null +++ b/salt/elasticsearch/files/ingest/win.eventlogs 
@@ -0,0 +1,13 @@ +{ + "description" : "win.eventlogs", + "processors" : [ + + { "set": { "if": "ctx.winlog?.channel != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } }, + { "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } }, + { "set": { "if": "ctx.winlog?.channel != null", "field": "event.dataset", "value": "{{winlog.channel}}", "override": true } }, + { "rename": { "field": "agent.hostname", "target_field": "agent.name", "ignore_missing": true } }, + + { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } }, + ] +} \ No newline at end of file diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 6889b892f..0d1f521e3 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -60,8 +60,8 @@ so-filebeat: - /nsm:/nsm:ro - /opt/so/log/filebeat:/usr/share/filebeat/logs:rw - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro - - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro - - /opt/so/wazuh/logs/archives:/wazuh/archives:ro + - /nsm/wazuh/logs/alerts:/wazuh/alerts:ro + - /nsm/wazuh/logs/archives:/wazuh/archives:ro - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 61d6aecc1..8a3b539a2 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
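Review bot: The `processors` array in the new `win.eventlogs` file ends with a trailing comma (`"ignore_missing": true } },` followed by `]`), which is not valid JSON; unless the loader that PUTs these pipelines tolerates it, Elasticsearch will reject the pipeline and the `beats.common` dispatch to `win.eventlogs` will then fail every non-Sysmon event. Remove the comma after the last `rename` processor. Separately, the two consecutive renames onto `user.name` (`SubjectUserName` then `User`) would fail any event that carries both source fields, because `rename` errors when the target already exists and `ignore_missing` does not cover that case — whether such events occur depends on which channels are shipped, which this diff does not show.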
@@ -169,8 +169,8 @@ so-logstash: {%- if grains['role'] == 'so-eval' %} - /nsm/zeek:/nsm/zeek:ro - /nsm/suricata:/suricata:ro - - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro - - /opt/so/wazuh/logs/archives:/wazuh/archives:ro + - /nsm/wazuh/logs/alerts:/wazuh/alerts:ro + - /nsm/wazuh/logs/archives:/wazuh/archives:ro - /opt/so/log/fleet/:/osquery/logs:ro - /opt/so/log/strelka:/strelka:ro {%- endif %} @@ -184,4 +184,4 @@ so-logstash: {% endfor %} {% for TEMPLATE in TEMPLATES %} - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} -{% endfor %} \ No newline at end of file +{% endfor %} diff --git a/salt/pcap/files/sensoroni.json b/salt/pcap/files/sensoroni.json index e379d5003..ab99c175c 100644 --- a/salt/pcap/files/sensoroni.json +++ b/salt/pcap/files/sensoroni.json @@ -5,7 +5,7 @@ "logFilename": "/opt/sensoroni/logs/sensoroni.log", "logLevel":"debug", "agent": { - "pollIntervalMs": {{ CHECKININTERVALMS }}, + "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }}, "serverUrl": "https://{{ MANAGER }}/sensoroniagents", "verifyCert": false, "modules": { diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index 517816fcd..dc3e4118f 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json 
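Review bot: The Jinja fallback in `"pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }}` duplicates the default that `setup/so-functions` computes (10000, or 1000 for EVAL/STANDALONE), so a STANDALONE sensor whose static pillar lacks `CHECKININTERVALMS` silently polls ten times slower instead of surfacing the missing value. If a template-side fallback is kept, it should carry a comment pointing at the `SENSOR_CHECKIN_INTERVAL_MS` block in `setup/so-functions` (last hunk of this diff) so the two defaults do not drift, or the template should fail loudly when the pillar value is absent. Note also that `if CHECKININTERVALMS` treats `0` as unset, which is probably intended but worth stating.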
@@ -1,6 +1,12 @@ { - "title": "Security Onion 2.0.0 RC1 is here!", + "title": "Security Onion 2.0.2 RC1 is here!", "changes": [ + { "summary": "Fixed standalone pcap interval issue." }, + { "summary": "Security Fix 1067: variables.txt from ISO install stays on disk for 10 days." }, + { "summary": "Security Fix 1068: Remove user values from static.sls." }, + { "summary": "Issue 1059: Fix distributed deployment sensor interval issue allowing PCAP." }, + { "summary": "Issue 1058: Support for passwords that start with special characters." }, + { "summary": "Minor soup updates." }, { "summary": "Re-branded 2.0 to give it a fresh look." }, { "summary": "All documentation has moved to https://docs.securityonion.net/en/2.0" }, { "summary": "soup is alive! Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date." }, diff --git a/salt/thehive/scripts/cortex_init b/salt/thehive/scripts/cortex_init index 9fc1caf25..7eb50df5e 100644 --- a/salt/thehive/scripts/cortex_init +++ b/salt/thehive/scripts/cortex_init @@ -4,7 +4,7 @@ # {%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', 'cortexchangeme') %} # {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %} # {%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %} -# {%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %} +# {%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', 'soadmin') %} # {%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %} default_salt_dir=/opt/so/saltstack/default diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist index d39d68e36..8a8bc9832 100755 --- a/salt/wazuh/files/wazuh-manager-whitelist +++ b/salt/wazuh/files/wazuh-manager-whitelist 
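Review bot: With `cortexorguser` now defaulting to `'soadmin'`, a manager whose pillar lacks the Cortex values proceeds with a well-known org user name combined with the `'cortexchangeme'` default from the `CORTEXPASSWORD` line directly above, rather than stopping. Consider having the script refuse to provision the org user while the password is still the placeholder, e.g. `[ "$CORTEXPASSWORD" != "cortexchangeme" ] || { printf 'cortex password not set in pillar\n' >&2; exit 1; }` (the Jinja `set` lines are expanded into shell variables further down, which is outside this hunk, so the exact variable name should be checked). The rest of `cortex_init` is not visible here, so such a check may already exist.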
@@ -20,7 +20,7 @@ local_salt_dir=/opt/so/saltstack/local # Check if Wazuh enabled if [ {{ WAZUH_ENABLED }} ]; then - WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" + WAZUH_MGR_CFG="/nsm/wazuh/etc/ossec.conf" if ! grep -q "{{ MANAGERIP }}" $WAZUH_MGR_CFG ; then DATE=`date` sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 2ae4ea715..314a5f47f 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -13,7 +13,7 @@ ossecm: user.present: - uid: 943 - gid: 945 - - home: /opt/so/conf/wazuh + - home: /nsm/wazuh - createhome: False - allow_uid_change: True - allow_gid_change: True @@ -23,7 +23,7 @@ ossecr: user.present: - uid: 944 - gid: 945 - - home: /opt/so/conf/wazuh + - home: /nsm/wazuh - createhome: False - allow_uid_change: True - allow_gid_change: True @@ -33,7 +33,7 @@ ossec: user.present: - uid: 945 - gid: 945 - - home: /opt/so/conf/wazuh + - home: /nsm/wazuh - createhome: False - allow_uid_change: True - allow_gid_change: True @@ -42,13 +42,13 @@ wazuhpkgs: pkg.installed: - skip_suggestions: False - pkgs: - - wazuh-agent: 3.10.2-1 + - wazuh-agent: 3.13.1-1 - hold: True - update_holds: True wazuhdir: file.directory: - - name: /opt/so/wazuh + - name: /nsm/wazuh - user: 945 - group: 945 - makedirs: True @@ -94,7 +94,7 @@ so-wazuh: - 0.0.0.0:1515:1515/tcp - 0.0.0.0:55000:55000 - binds: - - /opt/so/wazuh:/var/ossec/data:rw + - /nsm/wazuh:/var/ossec/data:rw # Register the agent registertheagent: @@ -113,3 +113,22 @@ wazuhagentservice: service.running: - name: wazuh-agent - enable: True + +/opt/so/conf/wazuh: + file.symlink: + - target: /nsm/wazuh/etc + +hidsruledir: + file.directory: + - name: /opt/so/rules/hids + - user: 939 + - group: 939 + - makedirs: True + +/opt/so/rules/hids/local_rules.xml: + file.symlink: + - target: /nsm/wazuh/etc/rules/local_rules.xml + +/opt/so/rules/hids/ruleset: + file.symlink: + - target: /nsm/wazuh/ruleset 
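Review bot: The new `/opt/so/conf/wazuh: file.symlink` state will fail if a real directory already exists at that path, which is plausible since `/opt/so/conf/wazuh` was the `home` of the `ossecm`/`ossecr`/`ossec` users in the old layout (whether it was ever created on disk is not visible here); Salt's `file.symlink` refuses to replace an existing directory unless `- force: True` (optionally with `- backupname:`) is given. The three symlink states and `hidsruledir` also carry no `require` on `wazuhdir` or `so-wazuh`, so they are only ordered correctly by file position, and `hidsruledir` is owned by uid/gid 939 while the linked targets under `/nsm/wazuh` are owned by 945 — presumably intended, but a comment naming which account 939 is would help. The `wazuh-agent: 3.13.1-1` bump itself looks fine.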
diff --git a/setup/so-functions b/setup/so-functions index 01f70f5e3..c955c5f8b 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -937,13 +937,6 @@ manager_pillar() { local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls - if [ -z "$SENSOR_CHECKIN_INTERVAL_MS" ]; then - SENSOR_CHECKIN_INTERVAL_MS=10000 - if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'STANDALONE' ]; then - SENSOR_CHECKIN_INTERVAL_MS=1000 - fi - fi - # Create the manager pillar printf '%s\n'\ "manager:"\ @@ -1014,6 +1007,13 @@ manager_pillar() { manager_static() { local static_pillar="$local_salt_dir/pillar/static.sls" + if [ -z "$SENSOR_CHECKIN_INTERVAL_MS" ]; then + SENSOR_CHECKIN_INTERVAL_MS=10000 + if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'STANDALONE' ]; then + SENSOR_CHECKIN_INTERVAL_MS=1000 + fi + fi + # Create a static file for global values printf '%s\n'\ "static:"\ diff --git a/sigs/securityonion-2.0.0-rc1.iso.sig b/sigs/securityonion-2.0.0-rc1.iso.sig deleted file mode 100644 index c3504de4c..000000000 Binary files a/sigs/securityonion-2.0.0-rc1.iso.sig and /dev/null differ diff --git a/sigs/securityonion-2.0.2-rc1.iso.sig b/sigs/securityonion-2.0.2-rc1.iso.sig new file mode 100644 index 000000000..c51d7e1e4 Binary files /dev/null and b/sigs/securityonion-2.0.2-rc1.iso.sig differ
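Review bot: Moving the `SENSOR_CHECKIN_INTERVAL_MS` default into `manager_static()` turns a function whose name says it writes `static.sls` into the place where a global default is decided, and `manager_pillar()` no longer sets it, so any consumer of `$SENSOR_CHECKIN_INTERVAL_MS` that runs between the two (not visible in this hunk) now sees it empty. A small helper called from both, or a one-line comment above the block such as `# Default the sensor check-in interval here because static.sls is the only pillar that carries it`, would make the dependency explicit. Both `manager_pillar()` and `manager_static()` continue outside the hunk.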