diff --git a/README.md b/README.md index 3288bbb2f..7a2d2e4a2 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.3.3 +## Security Onion 2.3.10 -Security Onion 2.3.3 is here! +Security Onion 2.3.10 is here! ## Screenshots diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 256868b00..3ee915325 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,16 +1,16 @@ -### 2.3.3 ISO image built on 2020/10/25 +### 2.3.10 ISO image built on 2020/11/19 ### Download and Verify -2.3.3 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.3.iso +2.3.10 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.10.iso -MD5: 8010C32803CD62AA3F61487524E37049 -SHA1: DCA300424C9DF81A4F332B8AA3945E18779C9D28 -SHA256: 1099494AA3E476D682746AAD9C2BD7DED292589DFAAB7B517933336C07AA01D0 +MD5: 2043701FC0FE785A877ECAE74CD73694 +SHA1: 15AE0B332DAF91C7895FDBEB1FCF900D6ECA8299 +SHA256: 4CD3FB9335F0AA00339D0F76D03867439BF963169C47C0CF43C82A18C6F32830 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.3.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.10.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -24,22 +24,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.3.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.10.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.3.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.10.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.3.iso.sig securityonion-2.3.3.iso +gpg --verify securityonion-2.3.10.iso.sig securityonion-2.3.10.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Sun 25 Oct 2020 10:44:27 AM EDT using RSA key ID FE507013 +gpg: Signature made Thu 19 Nov 2020 10:22:55 AM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/salt/docker_clean/init.sls b/salt/docker_clean/init.sls index 795b96e3a..61499cdb5 100644 --- a/salt/docker_clean/init.sls +++ b/salt/docker_clean/init.sls @@ -1,6 +1,6 @@ {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} -{% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3','2.3.0']%} +{% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3','2.3.0','2.3.1']%} {% for VERSION in OLDVERSIONS %} remove_images_{{ VERSION }}: diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 46cd33f17..dca898eec 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls 
@@ -17,15 +17,14 @@ include: - mysql create_playbookdbuser: - module.run: - - mysql.user_create: - - user: playbookdbuser - - password: {{ PLAYBOOKPASS }} - - host: {{ DNET }}/255.255.255.0 - - connection_host: {{ MAINIP }} - - connection_port: 3306 - - connection_user: root - - connection_pass: {{ MYSQLPASS }} + mysql_user.present: + - name: playbookdbuser + - password: {{ PLAYBOOKPASS }} + - host: {{ DNET }}/255.255.255.0 + - connection_host: {{ MAINIP }} + - connection_port: 3306 + - connection_user: root + - connection_pass: {{ MYSQLPASS }} query_playbookdbuser_grants: mysql_query.run: diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index 02742737a..e774a2c7d 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml @@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: master: - version: 3002.1 \ No newline at end of file + version: 3002.2 \ No newline at end of file diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index 871babdeb..baaaff411 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml @@ -2,5 +2,5 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3002.1 + version: 3002.2 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default \ No newline at end of file diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index 8a0fe1f50..90f71f940 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json 
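Review bot: In the new `mysql_user.present` state, `- password: {{ PLAYBOOKPASS }}` and `- connection_pass: {{ MYSQLPASS }}` are rendered into the YAML unquoted. If either pillar value is ever all digits, or contains `: `, ` #` or a leading YAML indicator character, the parser will re-type it or fail before the state runs; how these secrets are generated is not visible in this hunk. Quoting at render time removes that dependency, e.g. `- password: {{ PLAYBOOKPASS | yaml_dquote }}` and `- connection_pass: {{ MYSQLPASS | yaml_dquote }}`. Separately, `- host: {{ DNET }}/255.255.255.0` admits this account from the whole /24, so a one-line comment such as `# docker bridge network only; containers get dynamic addresses` (if that is the reason) would record why the grant is not narrower.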
@@ -12,7 +12,7 @@ { "summary": "Resolved issue with Navigator layer(s) not loading correctly." }, { "summary": "Wazuh authd is now started by default on port 1515/tcp." }, { "summary": "Wazuh API default credentials are now removed after setup. Scripts have been added for API user management." }, - { "summary": "Upgraded Salt to 3002.1 due to CVEs." }, + { "summary": "Upgraded Salt to 3002.2 due to CVEs." }, { "summary": "If salt-minion is unable to apply states after the defined threshold, we assume salt-minion is in a bad state and the salt-minion service will be restarted." }, { "summary": "Fixed bug that prevented mysql from installing for Fleet if Playbook wasn't also installed." }, { "summary": "so-status will now show STARTING or WAIT_START, instead of ERROR, if so-status is run before a salt highstate has started or finished for the first time after system startup" }, diff --git a/setup/so-functions b/setup/so-functions index a01515866..8254b2819 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1445,7 +1445,7 @@ saltify() { if [ $OS = 'centos' ]; then set_progress_str 5 'Installing Salt repo' { - sudo rpm --import https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.1/SALTSTACK-GPG-KEY.pub; + sudo rpm --import https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.2/SALTSTACK-GPG-KEY.pub; cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo; } >> "$setup_log" 2>&1 set_progress_str 6 'Installing various dependencies' 
@@ -1462,14 +1462,14 @@ saltify() { # Download Ubuntu Keys in case manager updates = 1 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 if [[ ! $is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3002.1/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3002.2/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" logCmd "cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo" fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3002.1" + logCmd "yum -y install salt-master-3002.2" fi systemctl enable salt-master >> "$setup_log" 2>&1 ;; @@ -1497,7 +1497,7 @@ saltify() { { if [[ ! $is_iso ]]; then yum -y install epel-release - yum -y install salt-minion-3002.1\ + yum -y install salt-minion-3002.2\ python3\ python36-docker\ python36-dateutil\ 
@@ -1541,8 +1541,8 @@ saltify() { 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') # TODO: should this also be HELIXSENSOR? # Add saltstack repo(s) - wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/3002.1/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/3002.2/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.2 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 @@ -1550,7 +1550,7 @@ saltify() { # Get gpg keys mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com$py_ver_url_path/ubuntu/"$ubuntu_version"/amd64/archive/3002.1/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com$py_ver_url_path/ubuntu/"$ubuntu_version"/amd64/archive/3002.2/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 
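Review bot: The apt source written in the first hunk here still uses plain HTTP (`echo "deb http://repo.saltstack.com$py_ver_url_path/..."`), although the signing key on the line above is fetched over HTTPS. The same `deb http://` line is in the `*)` branch of the -1574 hunk, right next to a Wazuh source that already uses `https://`. Package signatures are still checked, but repository metadata and the package download travel in cleartext; I would change both to `echo "deb https://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.2 $OSVER main"`, which on xenial probably needs `apt-transport-https` installed first. Also, in `wget -q ... -O - ... | apt-key add -` only the exit status of `apt-key` is seen, so a failed key download goes unnoticed unless the function sets `pipefail`; saltify() begins and ends outside these hunks, so I cannot see whether it does.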
@@ -1563,7 +1563,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' apt-get -y install sqlite3 argon2 libssl-dev >> "$setup_log" 2>&1 set_progress_str 7 'Installing salt-master' - apt-get -y install salt-master=3002.1+ds-1 >> "$setup_log" 2>&1 + apt-get -y install salt-master=3002.2+ds-1 >> "$setup_log" 2>&1 apt-mark hold salt-master >> "$setup_log" 2>&1 ;; *) @@ -1574,14 +1574,14 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.1/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.2/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" ;; esac apt-get update >> "$setup_log" 2>&1 set_progress_str 8 'Installing salt-minion & python modules' - apt-get -y install salt-minion=3002.1+ds-1\ - salt-common=3002.1+ds-1 >> "$setup_log" 2>&1 + apt-get -y install salt-minion=3002.2+ds-1\ + salt-common=3002.2+ds-1 >> "$setup_log" 2>&1 apt-mark hold salt-minion salt-common >> "$setup_log" 2>&1 if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb >> "$setup_log" 2>&1 diff --git a/setup/yum_repos/saltstack.repo b/setup/yum_repos/saltstack.repo index d104e252c..856d4d80c 100644 --- a/setup/yum_repos/saltstack.repo +++ b/setup/yum_repos/saltstack.repo 
@@ -1,6 +1,6 @@ [saltstack] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.1/ +baseurl=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.2/ enabled=1 gpgcheck=1 -gpgkey=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.1/SALTSTACK-GPG-KEY.pub \ No newline at end of file +gpgkey=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.2/SALTSTACK-GPG-KEY.pub \ No newline at end of file diff --git a/sigs/securityonion-2.3.10.iso.sig b/sigs/securityonion-2.3.10.iso.sig new file mode 100644 index 000000000..a9fe2820b Binary files /dev/null and b/sigs/securityonion-2.3.10.iso.sig differ