From 7cdb9678103212056081867c367d8359c93342fb Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 13 Jul 2021 11:36:18 -0400
Subject: [PATCH 1/4] Only route to FB module pipeline if filebeat in metadata
---
 .../pipelines/config/so/9050_output_filebeatmodules.conf.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja
index 56c8a311b..f8a9b25af 100644
--- a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja
@@ -6,7 +6,7 @@
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 output {
- if [metadata][pipeline] {
+ if "filebeat" in [metadata][pipeline] {
 elasticsearch {
 id => "filebeat_modules_metadata_pipeline"
 pipeline => "%{[metadata][pipeline]}"
From e2c5967191b76830960af88458131a8cb6d0e6e5 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 13 Jul 2021 11:38:20 -0400
Subject: [PATCH 2/4] Update HOTFIX
---
 HOTFIX | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/HOTFIX b/HOTFIX
index 6e1406eb7..af7d2d9ae 100644
--- a/HOTFIX
+++ b/HOTFIX
@@ -1 +1 @@
-ECSFIX HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES
+ECSFIX HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES FBPIPELINE
From 741e825ab9c6b67287563272393cfeb5a5666441 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 13 Jul 2021 15:44:26 -0400
Subject: [PATCH 3/4] Remove old airgap scripts
---
 salt/common/tools/sbin/so-airgap-hotfixapply | 64 -------------------
 .../tools/sbin/so-airgap-hotfixdownload | 33 ----------
 2 files changed, 97 deletions(-)
delete mode 100755 salt/common/tools/sbin/so-airgap-hotfixapply
delete mode 100755 salt/common/tools/sbin/so-airgap-hotfixdownload
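Review bot: The new condition `if "filebeat" in [metadata][pipeline] {` is, for a string-valued field, a substring match, so any pipeline name containing "filebeat" anywhere is routed, and the unchanged `pipeline => "%{[metadata][pipeline]}"` line below still forwards whatever name the event carries to Elasticsearch. If the intent is to admit only Filebeat module pipelines (typically named `filebeat-<version>-<module>-<fileset>-pipeline`), an anchored match such as `if [metadata][pipeline] =~ /^filebeat-/ {` is tighter; events without the field presumably evaluate false in both forms, which is worth confirming on the deployed Logstash version. A short comment above the condition, e.g. `# Only Filebeat module pipeline names are forwarded as an ES ingest pipeline`, would record the reason for the narrowing that the commit message gives. The `output {` block continues past the hunk, so any else branch is not visible here.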
diff --git a/salt/common/tools/sbin/so-airgap-hotfixapply b/salt/common/tools/sbin/so-airgap-hotfixapply
deleted file mode 100755
index 0149cdf61..000000000
--- a/salt/common/tools/sbin/so-airgap-hotfixapply
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-. /usr/sbin/so-common
-
-UPDATE_DIR=/tmp/sohotfixapply
-
-if [ -z "$1" ]; then
- echo "No tarball given. Please provide the filename so I can run the hotfix"
- echo "so-airgap-hotfixapply /path/to/sohotfix.tar"
- exit 1
-else
- if [ ! -f "$1" ]; then
- echo "Unable to find $1. Make sure your path is correct and retry."
- exit 1
- else
- echo "Determining if we need to apply this hotfix"
- rm -rf $UPDATE_DIR
- mkdir -p $UPDATE_DIR
- tar xvf $1 -C $UPDATE_DIR
-
- # Compare some versions
- NEWVERSION=$(cat $UPDATE_DIR/VERSION)
- HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX)
- CURRENTHOTFIX=$(cat /etc/sohotfix)
- INSTALLEDVERSION=$(cat /etc/soversion)
-
- if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
- echo "Checking to see if there are hotfixes needed"
- if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then
- echo "You are already running the latest version of Security Onion."
- rm -rf $UPDATE_DIR
- exit 1
- else
- echo "We need to apply a hotfix"
- copy_new_files
- echo $HOTFIXVERSION > /etc/sohotfix
- salt-call state.highstate -l info queue=True
- echo "The Hotfix $HOTFIXVERSION has been applied"
- # Clean up
- rm -rf $UPDATE_DIR
- exit 0
- fi
- else
- echo "This hotfix is not compatible with your current version. 
Download the latest ISO and run soup"
- rm -rf $UPDATE_DIR
- fi
-
- fi
-fi
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-airgap-hotfixdownload b/salt/common/tools/sbin/so-airgap-hotfixdownload
deleted file mode 100755
index 422fa5f1f..000000000
--- a/salt/common/tools/sbin/so-airgap-hotfixdownload
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-# Get the latest code
-rm -rf /tmp/sohotfix
-mkdir -p /tmp/sohotfix
-cd /tmp/sohotfix
-git clone https://github.com/Security-Onion-Solutions/securityonion
-if [ ! -d "/tmp/sohotfix/securityonion" ]; then
- echo "I was unable to get the latest code. Check your internet and try again."
- exit 1
-else
- echo "Looks like we have the code lets create the tarball."
- cd /tmp/sohotfix/securityonion
- tar cvf /tmp/sohotfix/sohotfix.tar HOTFIX VERSION salt pillar
- echo ""
- echo "Copy /tmp/sohotfix/sohotfix.tar to portable media and then copy it to your airgap manager."
- exit 0
-fi
\ No newline at end of file
From 92a80f9a58646e3994c77eb5c2f1d5b948c7c4b7 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 14 Jul 2021 10:30:10 -0400
Subject: [PATCH 4/4] Update ISO info
---
 VERIFY_ISO.md | 22 +++++++++----------
 sigs/securityonion-2.3.60-FBPIPELINE.iso.sig | Bin 0 -> 543 bytes
 2 files changed, 11 insertions(+), 11 deletions(-)
create mode 100644 sigs/securityonion-2.3.60-FBPIPELINE.iso.sig
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index d64b20075..b79f81c72 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,18 +1,18 @@
-### 2.3.60-ECSFIX ISO image built on 2021/07/02
+### 2.3.60-FBPIPELINE ISO image built on 2021/07/13
 ### Download and Verify
-2.3.60-ECSFIX ISO image:
-https://download.securityonion.net/file/securityonion/securityonion-2.3.60-ECSFIX.iso
+2.3.60-FBPIPELINE ISO image:
+https://download.securityonion.net/file/securityonion/securityonion-2.3.60-FBPIPELINE.iso
-MD5: BCD2C449BD3B65D96A0D1E479C0414F9
-SHA1: 18FB8F33C19980992B291E5A7EC23D5E13853933
-SHA256: AD3B750E7FC4CA0D58946D8FEB703AE9B01508E314967566B06CFE5D8A8086E9
+MD5: 2EA2B337289D0CFF0C7488E8E88FE7BE
+SHA1: 7C22F16AD395E079F4C5345093AF26C105E36D4C
+SHA256: 3B685BBD19711229C5FCD5D254BA5024AF0C36A3E379790B5E83037CE2668724
 Signature for ISO image:
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-ECSFIX.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig
 Signing key:
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 Download the signature file for the ISO:
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-ECSFIX.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig
 ```
 Download the ISO image:
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60-ECSFIX.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60-FBPIPELINE.iso
 ```
 Verify the downloaded ISO image using the signature file:
 ```
-gpg --verify securityonion-2.3.60-ECSFIX.iso.sig securityonion-2.3.60-ECSFIX.iso
+gpg --verify securityonion-2.3.60-FBPIPELINE.iso.sig securityonion-2.3.60-FBPIPELINE.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Fri 02 Jul 2021 10:15:04 AM EDT using RSA key ID FE507013
+gpg: Signature made Tue 13 Jul 2021 04:12:08 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC "
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg: There is no indication that the signature belongs to the owner.
diff --git a/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig b/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..56418a152a0e92f0f49ecb19a5e5829208c02d07 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;90^Oyh%2@re`V7LBIa1(!}5B@xPR#8-;uiHcl0@3*S}#^;B0m+2ie*Z{>Lm)x zy!gLhT|?6%eOJbhKu%=&sA~Rb*1{>`o=S?7#9<9<1yXqNG%G%AQ0Vrlxa*;0aF{6m za0X?1iM6Z0Htd{UMpDl5UlAJWHk(^aW1R?%7{lC@Z#_uuJ(JcDn%|z8WYshk4b2v? zGJ`#Y-^m^?=iO|E!+C|0Wph?}OT^kib5jdg>*h>Ub{x2}DE@48$Q=!-EXJ#z))7C} ziKxQc@30q*wl^QoCBi!@N`N?iFRZUeb7rJv!9og4bsI`#sPJrshrK(B);G>A8sP^Q zea^e*Xs@#})uGVzrIJ3W9gO&Ph8Tb3LE4D-`{PEcyWm;@)w4DX14af#`LxwuuJCpe zUs@qnC+qYzF+2N^@Y3F?U9ZR7fUq`2%#_D)S>D&668~Oou^5CVoaWNsV)*8v1i=u1 z;c7DF!Q76NwQ(_aSFZFBwRyjiYslKr-xS4UT8KyrYQMcN2VF9-2RT#%5} h+6FRS4wBhD?XtfNC`;ny$o=-pb-6W>U0dsiZm&%O4_p8M literal 0 HcmV?d00001