Merge branch 'dev' into foxtrot

2025-12-06 09:12:45 +01:00 · 2021-05-21 15:26:24 -04:00
parent f445186f1e 18922ed6f5
commit 946e369a44
14 changed files with 50 additions and 233 deletions
--- a/1
+++ b/1
@@ -1 +0,0 @@
-GRIDFIX
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-## Security Onion 2.3.50
+## Security Onion 2.3.51

-Security Onion 2.3.50 is here!
+Security Onion 2.3.51 is here!

 ## Screenshots

--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,17 +1,17 @@
-### 2.3.50 ISO image built on 2021/04/27
+### 2.3.51 ISO image built on 2021/04/27


 ### Download and Verify

-2.3.50 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso
+2.3.51 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.3.51.iso

-MD5: C39CEA68B5A8AFC5CFFB2481797C0374  
-SHA1: 00AD9F29ABE3AB495136989E62EBB8FA00DA82C6  
-SHA256: D77AE370D7863837A989F6735413D1DD46B866D8D135A4C363B0633E3990387E 
+MD5: 7CFB525BEFC0A9F2ED148F5831E387FA  
+SHA1: 8CC34FCCC36822B309B8168AA706B3D1EC7F3BFD  
+SHA256: 9892C2546C9AE5A48015160F379B070F0BE30C89693B97F3F1E1592DDCE1DEE0 

 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.51.iso.sig

 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma

 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.51.iso.sig
 ```

 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.51.iso
 ```

 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.50.iso.sig securityonion-2.3.50.iso
+gpg --verify securityonion-2.3.51.iso.sig securityonion-2.3.51.iso
 ```

 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Tue 27 Apr 2021 02:17:25 PM EDT using RSA key ID FE507013
+gpg: Signature made Thu 20 May 2021 07:49:57 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/pillar/docker/config.sls
+++ b/pillar/docker/config.sls
@@ -1,208 +0,0 @@
-{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%}
-{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%}
-{% set WAZUH = salt['pillar.get']('manager:wazuh', '0') %}
-{% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %}
-{% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
-{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %}
-{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
-{% set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %}
-{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
-
-eval:
-  containers:
-    - so-nginx
-    - so-telegraf
-    {% if  GRAFANA == '1' %}
-    - so-influxdb
-    - so-grafana
-    {% endif %}
-    - so-dockerregistry
-    - so-soc
-    - so-kratos
-    - so-idstools
-    {% if FLEETMANAGER %}
-    - so-mysql
-    - so-fleet
-    - so-redis
-    {% endif %}
-    - so-elasticsearch
-    - so-logstash
-    - so-kibana
-    - so-steno
-    - so-suricata
-    - so-zeek
-    - so-curator
-    - so-elastalert
-    {% if WAZUH != '0' %}
-    - so-wazuh
-    {% endif %}
-    - so-soctopus
-    {% if THEHIVE != '0' %}
-    - so-thehive
-    - so-thehive-es
-    - so-cortex
-    {% endif %}
-    {% if PLAYBOOK != '0' %}
-    - so-playbook
-    {% endif %}
-    {% if FREQSERVER != '0' %}
-    - so-freqserver
-    {% endif %}
-    {% if DOMAINSTATS != '0' %}
-    - so-domainstats
-    {% endif %}
-heavy_node:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-redis
-    - so-logstash
-    - so-elasticsearch
-    - so-curator
-    - so-steno
-    - so-suricata
-    - so-wazuh
-    - so-filebeat
-    {% if ZEEKVER != 'SURICATA' %}
-    - so-zeek
-    {% endif %}
-helix:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-idstools
-    - so-steno
-    - so-zeek
-    - so-redis
-    - so-logstash
-    - so-filebeat
-hot_node:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-logstash
-    - so-elasticsearch
-    - so-curator
-manager_search:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-soc
-    - so-kratos
-    - so-acng
-    - so-idstools
-    - so-redis
-    - so-logstash
-    - so-elasticsearch
-    - so-curator
-    - so-kibana
-    - so-elastalert
-    - so-filebeat
-    - so-soctopus
-    {% if FLEETMANAGER %}
-    - so-mysql
-    - so-fleet
-    - so-redis
-    {% endif %}
-    {% if WAZUH != '0' %}
-    - so-wazuh
-    {% endif %}
-    - so-soctopus
-    {% if THEHIVE != '0' %}
-    - so-thehive
-    - so-thehive-es
-    - so-cortex
-    {% endif %}
-    {% if PLAYBOOK != '0' %}
-    - so-playbook
-    {% endif %}
-    {% if FREQSERVER != '0' %}
-    - so-freqserver
-    {% endif %}
-    {% if DOMAINSTATS != '0' %}
-    - so-domainstats
-    {% endif %}
-manager:
-  containers:
-    - so-dockerregistry
-    - so-nginx
-    - so-telegraf
-    {% if  GRAFANA == '1' %}
-    - so-influxdb
-    - so-grafana
-    {% endif %}
-    - so-soc
-    - so-kratos
-    - so-acng
-    - so-idstools
-    - so-redis
-    - so-elasticsearch
-    - so-logstash
-    - so-kibana
-    - so-elastalert
-    - so-filebeat
-    {% if FLEETMANAGER %}
-    - so-mysql
-    - so-fleet
-    - so-redis
-    {% endif %}
-    {% if WAZUH != '0' %}
-    - so-wazuh
-    {% endif %}
-    - so-soctopus
-    {% if THEHIVE != '0' %}
-    - so-thehive
-    - so-thehive-es
-    - so-cortex
-    {% endif %}
-    {% if PLAYBOOK != '0' %}
-    - so-playbook
-    {% endif %}
-    {% if FREQSERVER != '0' %}
-    - so-freqserver
-    {% endif %}
-    {% if DOMAINSTATS != '0' %}
-    - so-domainstats
-    {% endif %}
-parser_node:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-logstash
-search_node:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-logstash
-    - so-elasticsearch
-    - so-curator
-    - so-filebeat
-    {% if WAZUH != '0' %}
-    - so-wazuh
-    {% endif %}
-sensor:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-steno
-    - so-suricata
-    {% if ZEEKVER != 'SURICATA' %}
-    - so-zeek
-    {% endif %}
-    - so-wazuh
-    - so-filebeat
-warm_node:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-elasticsearch
-fleet:
-  containers:
-    {% if FLEETNODE %}
-    - so-mysql
-    - so-fleet
-    - so-redis
-    - so-filebeat
-    - so-nginx
-    - so-telegraf
-    {% endif %}
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -510,6 +510,7 @@ wait_for_web_response() {
 	expected=$2
 	maxAttempts=${3:-300}
 	logfile=/root/wait_for_web_response.log
+	truncate -s 0 "$logfile"
 	attempt=0
 	while [[ $attempt -lt $maxAttempts ]]; do
 		attempt=$((attempt+1))
--- a/salt/grafana/init.sls
+++ b/salt/grafana/init.sls
@@ -11,7 +11,7 @@
 {% set GRAFANA_SETTINGS = salt['grains.filter_by'](default_settings, default='grafana', merge=salt['pillar.get']('grafana', {})) %}


-{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
+{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %}

 # Grafana all the things
 grafanadir:
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -3,7 +3,7 @@

 {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}

-{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
+{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %}

 {% set MANAGER = salt['grains.get']('master') %}
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
@@ -17,7 +17,6 @@
 include:
  - salt.minion
  - salt.python3-influxdb
-
 # Influx DB
 influxconfdir:
  file.directory:
@@ -139,4 +138,4 @@ so_downsample_cq:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed

-{% endif %}
+{% endif %}
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -44,12 +44,24 @@ hold_salt_packages:
 {% endfor %}
 {% endif %}

+remove_info_log_level_logfile:
+  file.line:
+    - name: /etc/salt/minion
+    - match: "log_level_logfile: info"
+    - mode: delete
+
+remove_info_log_level:
+  file.line:
+    - name: /etc/salt/minion
+    - match: "log_level: info"
+    - mode: delete
+
 set_log_levels:
  file.append:
    - name: /etc/salt/minion
    - text:
-      - "log_level: info"
-      - "log_level_logfile: info"
+      - "log_level: error"
+      - "log_level_logfile: error"
    - listen_in:
      - service: salt_minion_service

--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -54,7 +54,7 @@
        "verifyCert": false
      },
      "influxdb": {
-{%- if grains['role'] in ['so-import'] %}
+{%- if grains['role'] in ['so-import'] or (grains['role'] == 'so-eval' and GRAFANA == 0) %}
        "hostUrl": "",
 {%- else %}
        "hostUrl": "https://{{ MANAGERIP }}:8086",
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -78,6 +78,7 @@ zeekspoolownership:
  file.directory:
    - name: /nsm/zeek/spool
    - user: 937
+    - max_depth: 0
    - recurse:
      - user

--- a/setup/automation/distributed-iso-sensor
+++ b/setup/automation/distributed-iso-sensor
@@ -34,7 +34,7 @@ ZEEKVERSION=ZEEK
 # HELIXAPIKEY=
 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
 HNSENSOR=inherit
-HOSTNAME=distributed-sensor
+HOSTNAME=Distributed-Sensor
 install_type=SENSOR
 # LSINPUTBATCHCOUNT=
 # LSINPUTTHREADS=
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1348,15 +1348,16 @@ filter_unused_nics() {
 	
 	nic_list=()
 	for nic in "${filtered_nics[@]}"; do
+		local nic_mac=$(cat "/sys/class/net/${nic}/address" 2>/dev/null)
 		case $(cat "/sys/class/net/${nic}/carrier" 2>/dev/null) in
 			1)
-				nic_list+=("$nic" "Link UP " "OFF")
+				nic_list+=("$nic" "$nic_mac  Link UP " "OFF")
 				;;
 			0)
-				nic_list+=("$nic" "Link DOWN " "OFF")
+				nic_list+=("$nic" "$nic_mac  Link DOWN " "OFF")
 				;;
 			*)
-				nic_list+=("$nic" "Link UNKNOWN " "OFF")
+				nic_list+=("$nic" "$nic_mac  Link UNKNOWN " "OFF")
 				;;
 		esac
 	done
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -408,6 +408,7 @@ whiptail_enable_components() {
 	PLAYBOOK=0
 	STRELKA=0

+if [[ $is_eval ]]; then
 	COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
 	"Select Components to install:" 20 75 8 \
 	GRAFANA "Enable Grafana for system monitoring" ON \
@@ -416,6 +417,17 @@ whiptail_enable_components() {
 	THEHIVE "Enable TheHive" ON \
 	PLAYBOOK "Enable Playbook" ON \
 	STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3)
+else
+	COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
+	"Select Components to install:" 20 75 7 \
+	OSQUERY "Enable Fleet with osquery" ON \
+	WAZUH "Enable Wazuh" ON \
+	THEHIVE "Enable TheHive" ON \
+	PLAYBOOK "Enable Playbook" ON \
+	STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3)
+	export "GRAFANA=1"
+fi
+
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus

--- a/sigs/securityonion-2.3.51.iso.sig
+++ b/sigs/securityonion-2.3.51.iso.sig