From 3c16218c5a084fa7287b27d9b27c7976cc6471a7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 27 Jul 2023 15:45:18 -0400 Subject: [PATCH 001/100] map services,pkg,config for firewall state --- salt/firewall/init.sls | 24 +++++++++++++++++++----- salt/firewall/ipt.map.jinja | 14 ++++++++++++++ 2 files changed, 33 insertions(+), 5 deletions(-) create mode 100644 salt/firewall/ipt.map.jinja diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 5ab028989..929016e63 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -1,15 +1,29 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'firewall/ipt.map.jinja' import iptmap %} + +install_iptables: + pkg.installed: + - name: {{ iptmap.iptpkg }} + +iptables_persist: + pkg.installed: + - name: {{ iptmap.persistpkg }} + +iptables_service: + service.running: + - name: {{ iptmap.service }} + - enabled: True create_sysconfig_iptables: file.touch: - - name: /etc/sysconfig/iptables + - name: {{ iptmap.configfile }} - makedirs: True - - unless: 'ls /etc/sysconfig/iptables' + - unless: 'ls {{ iptmap.configfile }}' iptables_config: file.managed: - - name: /etc/sysconfig/iptables + - name: {{ iptmap.configfile }} - source: salt://firewall/iptables.jinja - template: jinja @@ -24,11 +38,11 @@ disable_firewalld: iptables_restore: cmd.run: - - name: iptables-restore < /etc/sysconfig/iptables + - name: iptables-restore < {{ iptmap.configfile }} - require: - file: iptables_config - onlyif: - - iptables-restore --test /etc/sysconfig/iptables + - iptables-restore --test {{ iptmap.configfile }} {% if grains.os_family == 'RedHat' %} enable_firewalld: diff --git a/salt/firewall/ipt.map.jinja b/salt/firewall/ipt.map.jinja new file mode 100644 index 000000000..245bbac8a --- /dev/null +++ b/salt/firewall/ipt.map.jinja 
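Review bot: `iptables_service` (`service.running`) carries no requisite on the two new `pkg.installed` states, so when `install_iptables` or `iptables_persist` fails the service state still runs against a possibly missing unit and reports a second, less informative failure instead of being skipped. Salt's definition order only sequences the states; only a `require` makes the service state depend on their success. I would add `- require:` with `- pkg: install_iptables` and `- pkg: iptables_persist` under `iptables_service`. The same applies to `iptables_restore` in the second hunk, which now restores from `{{ iptmap.configfile }}` but only requires `iptables_config`, not the package that provides `iptables-restore`.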
@@ -0,0 +1,14 @@ +{% set iptmap = salt['grains.filter_by']({ + 'Debian': { + 'service': 'netfilter-persistent', + 'iptpkg': 'iptables', + 'persistpkg': 'iptables-persistent', + 'configfile': '/etc/iptables/rules.v4' + }, + 'RedHat': { + 'service': 'iptables', + 'iptpkg': 'iptables', + 'persistpkg': 'iptables-services', + 'configfile': '/etc/sysconfig/iptables' + }, +}) %} From 54080c42fe9902e7b29f244df4c7b34aa0ece5af Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 27 Jul 2023 17:01:19 -0400 Subject: [PATCH 002/100] enable, not enabled --- salt/firewall/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 929016e63..cf7ae01a6 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -13,7 +13,7 @@ iptables_persist: iptables_service: service.running: - name: {{ iptmap.service }} - - enabled: True + - enable: True create_sysconfig_iptables: file.touch: From 3a22ef8e86b518640670ff338aa111fadac47b38 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 28 Jul 2023 08:40:32 -0400 Subject: [PATCH 003/100] change iptables package name for redhat fam --- salt/firewall/ipt.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/firewall/ipt.map.jinja b/salt/firewall/ipt.map.jinja index 245bbac8a..8559f9a08 100644 --- a/salt/firewall/ipt.map.jinja +++ b/salt/firewall/ipt.map.jinja @@ -7,7 +7,7 @@ }, 'RedHat': { 'service': 'iptables', - 'iptpkg': 'iptables', + 'iptpkg': 'iptables-nft', 'persistpkg': 'iptables-services', 'configfile': '/etc/sysconfig/iptables' }, From 4c8373452d10c558687844e680ca84221175644b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 28 Jul 2023 11:35:34 -0400 Subject: [PATCH 004/100] change to iptables-nft-services --- salt/firewall/ipt.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/firewall/ipt.map.jinja b/salt/firewall/ipt.map.jinja index 8559f9a08..629c1bdd8 100644 --- a/salt/firewall/ipt.map.jinja 
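Review bot: the `grains.filter_by` lookup has no fallback entry, so on a minion whose `os_family` is neither `Debian` nor `RedHat` `iptmap` comes back as `None` (as I read filter_by) and `firewall/init.sls` fails at the first `{{ iptmap.iptpkg }}` with an attribute error rather than a message naming the unsupported platform. A `default` key in the dict (filter_by's `default=` argument names it) or an explicit `{% if iptmap is none %}` failure at the import site would make that case self-explanatory. A header comment would also help since this map is consumed from another state file, e.g. `{# iptmap: per-os_family package, service and rules-file names used by firewall/init.sls #}`.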
+++ b/salt/firewall/ipt.map.jinja @@ -8,7 +8,7 @@ 'RedHat': { 'service': 'iptables', 'iptpkg': 'iptables-nft', - 'persistpkg': 'iptables-services', + 'persistpkg': 'iptables-nft-services', 'configfile': '/etc/sysconfig/iptables' }, }) %} From aa56085758c2db021961a7f591b920a4e0dc7433 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 25 Jul 2023 14:44:02 -0600 Subject: [PATCH 005/100] New Action "Add to Case" --- salt/soc/defaults.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index a8e1a0bb4..53db2c838 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -10,6 +10,14 @@ soc: target: links: - '/#/hunt?q="{value|escape}" | groupby event.module* event.dataset' + - name: actionAddToCase + description: actionAddToCaseHelp + icon: fa-briefcase + jsCall: openAddToCaseDialog + categories: + - hunt + - alerts + - dashboards - name: actionCorrelate description: actionCorrelateHelp icon: fab fa-searchengin From 5c90a5f27e339a046a6a2bacef0ef11e9c52a361 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 28 Jul 2023 16:08:01 -0400 Subject: [PATCH 006/100] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 79a614418..59aa62c1f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.4 +2.4.5 From 1ca78fd297bc8a9275d5576b46f525805b8e84c4 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 28 Jul 2023 16:29:46 -0400 Subject: [PATCH 007/100] Update README.md to 2.4 RC2 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3ab976bb5..aa3aa6ddf 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.4 Release Candidate 1 (RC1) +## Security Onion 2.4 Release Candidate 2 (RC2) -Security Onion 2.4 Release Candidate 1 (RC1) is here! +Security Onion 2.4 Release Candidate 2 (RC2) is here! ## Screenshots 
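Review bot: `'persistpkg': 'iptables-nft-services'` (together with `'iptpkg': 'iptables-nft'` from the previous commit) is selected for every minion with `os_family == 'RedHat'`, but as far as I know these package names only exist in EL9-era repositories, while older EL releases ship plain `iptables` and `iptables-services`. If EL9 is the only supported RedHat-family target, a comment on the `'RedHat':` entry stating that assumption would save the next person a failed `pkg.installed` on an older host; otherwise the lookup needs a second key such as `osmajorrelease`. I am inferring the release boundary from the package names, not from anything in this diff, so please verify against the supported platforms.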
From 5a59975cb88abeeaed460c7f00780a8d0fc5b774 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 31 Jul 2023 10:14:31 -0400 Subject: [PATCH 008/100] Update so-yara-download --- salt/strelka/tools/sbin_jinja/so-yara-download | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/strelka/tools/sbin_jinja/so-yara-download b/salt/strelka/tools/sbin_jinja/so-yara-download index 9ec6fa41f..a8087173c 100644 --- a/salt/strelka/tools/sbin_jinja/so-yara-download +++ b/salt/strelka/tools/sbin_jinja/so-yara-download @@ -8,7 +8,7 @@ NOROOT=1 {%- if proxy %} export http_proxy={{ proxy }} export https_proxy={{ proxy }} -export no_proxy= salt['pillar.get']('manager:no_proxy') +export no_proxy=salt['pillar.get']('manager:no_proxy') {%- endif %} mkdir -p /tmp/yara From 4939447764c085c94fe82884b78690cce6e38c78 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 31 Jul 2023 10:16:37 -0400 Subject: [PATCH 009/100] Update so-yara-download --- salt/manager/tools/sbin_jinja/so-yara-download | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin_jinja/so-yara-download b/salt/manager/tools/sbin_jinja/so-yara-download index adfb8c529..e9b991b6c 100644 --- a/salt/manager/tools/sbin_jinja/so-yara-download +++ b/salt/manager/tools/sbin_jinja/so-yara-download @@ -8,7 +8,7 @@ NOROOT=1 {%- if proxy %} export http_proxy={{ proxy }} export https_proxy={{ proxy }} -export no_proxy= salt['pillar.get']('manager:no_proxy') +export no_proxy=salt['pillar.get']('manager:no_proxy') {%- endif %} repos="/opt/so/conf/strelka/repos.txt" From f867be9e04ec246951f953d9538f22d049d45138 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 31 Jul 2023 10:19:51 -0400 Subject: [PATCH 010/100] Fix no_proxy --- salt/idstools/tools/sbin_jinja/so-rule-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/idstools/tools/sbin_jinja/so-rule-update b/salt/idstools/tools/sbin_jinja/so-rule-update index 6a5976a1c..3e4b382e6 100755 
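Review bot: `export no_proxy=salt['pillar.get']('manager:no_proxy')` is still broken after the space is removed: the Salt call is not wrapped in Jinja delimiters, so the rendered script contains that literal text and bash should reject the unquoted parentheses with a syntax error (and even if it parsed, `no_proxy` would not hold the pillar value, so requests to hosts that are meant to bypass the proxy would be sent through it). The line should be `export no_proxy={{ salt['pillar.get']('manager:no_proxy') }}`. The same defect is in both `so-yara-download` hunks here (strelka and manager) and in the `so-rule-update` hunk that follows.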
--- a/salt/idstools/tools/sbin_jinja/so-rule-update +++ b/salt/idstools/tools/sbin_jinja/so-rule-update @@ -12,7 +12,7 @@ chown -R socore:socore /nsm/rules/suricata {%- if proxy %} export http_proxy={{ proxy }} export https_proxy={{ proxy }} -export no_proxy= salt['pillar.get']('manager:no_proxy') +export no_proxy=salt['pillar.get']('manager:no_proxy') {%- endif %} {%- if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %} docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force From 1c42d70d3097ba0969c28f65973c68020941a869 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 31 Jul 2023 10:36:00 -0400 Subject: [PATCH 011/100] Update soc_sensor.yaml --- salt/sensor/soc_sensor.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/sensor/soc_sensor.yaml b/salt/sensor/soc_sensor.yaml index 61466b2b1..0774e9bcf 100644 --- a/salt/sensor/soc_sensor.yaml +++ b/salt/sensor/soc_sensor.yaml @@ -1,7 +1,9 @@ sensor: interface: description: Main sensor monitoring interface. - helpLink: sensor.html + helpLink: sensor.html + readonly: True mtu: description: Main IP address of the grid host. - helpLink: host.html \ No newline at end of file + helpLink: host.html + readonly: True From 16217912db2b05e3578d9f8b729038bd8b0661ee Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 31 Jul 2023 13:04:33 -0400 Subject: [PATCH 012/100] Update Soup --- salt/manager/tools/sbin/soup | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 4f113fab7..8497cf902 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -391,6 +391,8 @@ preupgrade_changes() { echo "Checking to see if changes are needed." [[ "$INSTALLEDVERSION" == 2.4.2 ]] && up_to_2.4.3 + [[ "$INSTALLEDVERSION" == 2.4.3]] && up_to_2.4.4 + [[ "$INSTALLEDVERSION" == 2.4.4 ]] && up_to_2.4.5 true } 
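Review bot: the context line `description: Main IP address of the grid host.` under `mtu` appears to be copied from an address setting and does not describe an MTU; since this hunk already rewrites the lines directly below it, the fix fits in the same change, e.g. `description: MTU of the main sensor monitoring interface.`. I am inferring the intended meaning from the key name, so adjust the wording to whatever the setting actually controls.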
@@ -399,6 +401,8 @@ postupgrade_changes() { echo "Running post upgrade processes." [[ "$POSTVERSION" == 2.4.2 ]] && post_to_2.4.3 + [[ "$POSTVERSION" == 2.4.3 ]] && post_to_2.4.4 + [[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5 true @@ -409,6 +413,15 @@ post_to_2.4.3() { POSTVERSION=2.4.3 } +post_to_2.4.4() { + echo "Nothing to apply" + POSTVERSION=2.4.4 +} + +post_to_2.4.5() { + echo "Nothing to apply" + POSTVERSION=2.4.5 +} stop_salt_master() { # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts @@ -455,7 +468,19 @@ stop_salt_minion() { up_to_2.4.3() { echo "Nothing to do for 2.4.3" ## - INSTALLEDVERSION=2.3.140 + INSTALLEDVERSION=2.4.3 +} + +up_to_2.4.4() { + echo "Nothing to do for 2.4.4" + ## + INSTALLEDVERSION=2.4.4 +} + +up_to_2.4.5() { + echo "Nothing to do for 2.4.5" + ## + INSTALLEDVERSION=2.4.5 } verify_upgradespace() { From e78e6b74ed367a986b62b6f084ab004c1826f22e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 31 Jul 2023 13:07:29 -0400 Subject: [PATCH 013/100] Update Soup --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 8497cf902..e0724503d 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -346,7 +346,7 @@ clone_to_tmp() { # Make a temp location for the files mkdir -p /tmp/sogh cd /tmp/sogh - SOUP_BRANCH="" + SOUP_BRANCH="-b 2.4/main" if [ -n "$BRANCH" ]; then SOUP_BRANCH="-b $BRANCH" fi From 77101fec1264f9f4a75c4bab12362c8308434eae Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 31 Jul 2023 13:12:32 -0400 Subject: [PATCH 014/100] Update Soup --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index e0724503d..31f1d0fea 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup 
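Review bot: the `preupgrade_changes` and `postupgrade_changes` chains only work because every `up_to_X` / `post_to_X` function ends by setting `INSTALLEDVERSION=X` / `POSTVERSION=X` so that the next `[[ ... ]]` test in the chain fires, and the old `INSTALLEDVERSION=2.3.140` in `up_to_2.4.3` that this hunk corrects shows how easily that invariant breaks. A comment above each chain such as `# each up_to_X must set INSTALLEDVERSION=X so the following test in the chain matches` would make it explicit. The new `post_to_2.4.4`, `post_to_2.4.5`, `up_to_2.4.4` and `up_to_2.4.5` functions are stubs that print and set the variable; a one-line header comment saying so is all they need.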
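Review bot: `SOUP_BRANCH="-b 2.4/main"` hard-codes the default branch in the script, so every future release line needs this line edited, and it changes what an empty `-b` previously did (the remote's default branch). If the clone further down (outside this hunk) does not pin a tag or verify what it fetched, the update path now follows the mutable tip of `2.4/main`, which is worth stating on the line, e.g. `# default to the 2.4 release branch; $BRANCH overrides it`. I cannot see the clone command from here, so please confirm how the branch value is consumed.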
@@ -391,7 +391,7 @@ preupgrade_changes() { echo "Checking to see if changes are needed." [[ "$INSTALLEDVERSION" == 2.4.2 ]] && up_to_2.4.3 - [[ "$INSTALLEDVERSION" == 2.4.3]] && up_to_2.4.4 + [[ "$INSTALLEDVERSION" == 2.4.3 ]] && up_to_2.4.4 [[ "$INSTALLEDVERSION" == 2.4.4 ]] && up_to_2.4.5 true } From 95581f505a84074ae1bbfd9fed83bdda477a6049 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 31 Jul 2023 13:18:57 -0400 Subject: [PATCH 015/100] import DOCKER in idh.enabled --- salt/idh/enabled.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/idh/enabled.sls b/salt/idh/enabled.sls index 480e7eedc..7ef0ebb46 100644 --- a/salt/idh/enabled.sls +++ b/salt/idh/enabled.sls @@ -6,6 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'docker/docker.map.jinja' import DOCKER %} include: - idh.config From 57562ad5e366a00f2d1d0d6f8af03fe8992c7de5 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 31 Jul 2023 13:34:08 -0400 Subject: [PATCH 016/100] add managersearch and standlone fw rules for searchnode --- salt/firewall/defaults.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 57446a5c2..20b966e48 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -866,6 +866,14 @@ firewall: portgroups: - elasticsearch_node - elasticsearch_rest + managersearch: + portgroups: + - elasticsearch_node + - elasticsearch_rest + standalone: + portgroups: + - elasticsearch_node + - elasticsearch_rest dockernet: portgroups: - elasticsearch_node From a89508f1ae63cf80d156fbfd136af23dd4cbde2f Mon Sep 17 00:00:00 2001 
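Review bot: the new `managersearch` and `standalone` entries open `elasticsearch_node` and `elasticsearch_rest` to whichever hostgroup this block belongs to, and that enclosing key is above the hunk, so I cannot confirm from the diff which addresses gain REST access to the searchnode. Since `elasticsearch_rest` is the query/admin API, a comment naming the intent would help the next reviewer, e.g. `# manager-side roles need transport and REST access to searchnodes for cluster membership and cross-node queries`; adjust if that is not the reason.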
From: Josh Brower Date: Mon, 31 Jul 2023 15:17:24 -0400 Subject: [PATCH 017/100] Heavy Node fixes --- salt/elasticagent/enabled.sls | 3 + .../files/elastic-agent.yml.jinja | 349 +++++++++++++++++- .../grid-nodes_heavy/elasticsearch-logs.json | 106 ------ .../grid-nodes_heavy/kratos-logs.json | 29 -- .../grid-nodes_heavy/osquery-grid-nodes.json | 2 +- .../grid-nodes_heavy/redis-logs.json | 76 ---- .../grid-nodes_heavy/soc-auth-sync-logs.json | 29 -- .../grid-nodes_heavy/soc-salt-relay-logs.json | 29 -- .../grid-nodes_heavy/soc-sensoroni-logs.json | 29 -- .../grid-nodes_heavy/soc-server-logs.json | 29 -- .../grid-nodes_heavy/system-grid-nodes.json | 2 +- 11 files changed, 336 insertions(+), 347 deletions(-) delete mode 100644 salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json delete mode 100644 salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json delete mode 100644 salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json delete mode 100644 salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json delete mode 100644 salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json delete mode 100644 salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json delete mode 100644 salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index 4c00920ac..b133d94ab 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -35,6 +35,7 @@ so-elastic-agent: - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /nsm:/nsm:ro + - /opt/so/log:/opt/so/log:ro {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %} - {{ BIND }} 
@@ -47,6 +48,8 @@ so-elastic-agent: - {{ XTRAENV }} {% endfor %} {% endif %} + - require: + - file: create-elastic-agent-config - watch: - file: create-elastic-agent-config diff --git a/salt/elasticagent/files/elastic-agent.yml.jinja b/salt/elasticagent/files/elastic-agent.yml.jinja index 2d32a3b17..92aacfa44 100644 --- a/salt/elasticagent/files/elastic-agent.yml.jinja +++ b/salt/elasticagent/files/elastic-agent.yml.jinja @@ -3,7 +3,7 @@ {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} id: aea1ba80-1065-11ee-a369-97538913b6a9 -revision: 2 +revision: 1 outputs: default: type: elasticsearch 
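Review bot: the added `- require:` on `file: create-elastic-agent-config` is redundant with the `- watch:` on the same file directly below it: in Salt a `watch` requisite is a superset of `require`, so the container state is already ordered after the file state and already skipped when it fails. Dropping the two `require` lines leaves behavior unchanged and avoids implying the two requisites do different things. If the intent was to document the relationship, a comment `# watch implies require; the container is (re)created when the config changes` says it without the duplicate.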
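Review bot: `revision: 1` replaces `revision: 2` on the policy header while every input further down in the same file moves from `revision: 1` to `revision: 2`; if this number is compared anywhere to decide whether a policy is newer, a decrease could make the updated policy look older than what the agent already has. I cannot tell from the hunk whether the standalone agent reads it at all, so either keep the value monotonically increasing or add a comment on the line explaining why it goes down.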
@@ -22,56 +22,369 @@ agent: metrics: false features: {} inputs: - - id: logfile-logs-80ffa884-2cfc-459a-964a-34df25714d85 - name: suricata-logs - revision: 1 + - id: logfile-logs-fefef78c-422f-4cfa-8abf-4cd1b9428f62 + name: import-evtx-logs + revision: 2 type: logfile use_output: default meta: package: name: log - version: + version: data_stream: namespace: so - package_policy_id: 80ffa884-2cfc-459a-964a-34df25714d85 + package_policy_id: fefef78c-422f-4cfa-8abf-4cd1b9428f62 streams: - - id: logfile-log.log-80ffa884-2cfc-459a-964a-34df25714d85 + - id: logfile-log.log-fefef78c-422f-4cfa-8abf-4cd1b9428f62 + data_stream: + dataset: import + paths: + - /nsm/import/*/evtx/*.json + processors: + - dissect: + field: log.file.path + tokenizer: '/nsm/import/%{import.id}/evtx/%{import.file}' + target_prefix: '' + - decode_json_fields: + fields: + - message + target: '' + - drop_fields: + ignore_missing: true + fields: + - host + - add_fields: + fields: + dataset: system.security + type: logs + namespace: default + target: data_stream + - add_fields: + fields: + dataset: system.security + module: system + imported: true + target: event + - then: + - add_fields: + fields: + dataset: windows.sysmon_operational + target: data_stream + - add_fields: + fields: + dataset: windows.sysmon_operational + module: windows + imported: true + target: event + if: + equals: + winlog.channel: Microsoft-Windows-Sysmon/Operational + - then: + - add_fields: + fields: + dataset: system.application + target: data_stream + - add_fields: + fields: + dataset: system.application + target: event + if: + equals: + winlog.channel: Application + - then: + - add_fields: + fields: + dataset: system.system + target: data_stream + - add_fields: + fields: + dataset: system.system + target: event + if: + equals: + winlog.channel: System + - then: + - add_fields: + fields: + dataset: windows.powershell_operational + target: data_stream + - add_fields: + fields: + dataset: windows.powershell_operational + module: 
windows + target: event + if: + equals: + winlog.channel: Microsoft-Windows-PowerShell/Operational + tags: + - import + - id: logfile-redis-fc98c947-7d17-4861-a318-7ad075f6d1b0 + name: redis-logs + revision: 2 + type: logfile + use_output: default + meta: + package: + name: redis + version: + data_stream: + namespace: default + package_policy_id: fc98c947-7d17-4861-a318-7ad075f6d1b0 + streams: + - id: logfile-redis.log-fc98c947-7d17-4861-a318-7ad075f6d1b0 + data_stream: + dataset: redis.log + type: logs + exclude_files: + - .gz$ + paths: + - /opt/so/log/redis/redis.log + tags: + - redis-log + exclude_lines: + - '^\s+[\-`(''.|_]' + - id: logfile-logs-3b56803d-5ade-4c93-b25e-9b37182f66b8 + name: import-suricata-logs + revision: 2 + type: logfile + use_output: default + meta: + package: + name: log + version: + data_stream: + namespace: so + package_policy_id: 3b56803d-5ade-4c93-b25e-9b37182f66b8 + streams: + - id: logfile-log.log-3b56803d-5ade-4c93-b25e-9b37182f66b8 + data_stream: + dataset: import + pipeline: suricata.common + paths: + - /nsm/import/*/suricata/eve*.json + processors: + - add_fields: + fields: + module: suricata + imported: true + category: network + target: event + - dissect: + field: log.file.path + tokenizer: '/nsm/import/%{import.id}/suricata/%{import.file}' + target_prefix: '' + - id: logfile-logs-c327e1a3-1ebe-449c-a8eb-f6f35032e69d + name: soc-server-logs + revision: 2 + type: logfile + use_output: default + meta: + package: + name: log + version: + data_stream: + namespace: so + package_policy_id: c327e1a3-1ebe-449c-a8eb-f6f35032e69d + streams: + - id: logfile-log.log-c327e1a3-1ebe-449c-a8eb-f6f35032e69d + data_stream: + dataset: soc + pipeline: common + paths: + - /opt/so/log/soc/sensoroni-server.log + processors: + - decode_json_fields: + add_error_key: true + process_array: true + max_depth: 2 + fields: + - message + target: soc + - add_fields: + fields: + module: soc + dataset_temp: server + category: host + target: event + - rename: + 
ignore_missing: true + fields: + - from: soc.fields.sourceIp + to: source.ip + - from: soc.fields.status + to: http.response.status_code + - from: soc.fields.method + to: http.request.method + - from: soc.fields.path + to: url.path + - from: soc.message + to: event.action + - from: soc.level + to: log.level + tags: + - so-soc + - id: logfile-logs-906e0d4c-9ec3-4c6a-bef6-e347ec9fd073 + name: soc-sensoroni-logs + revision: 2 + type: logfile + use_output: default + meta: + package: + name: log + version: + data_stream: + namespace: so + package_policy_id: 906e0d4c-9ec3-4c6a-bef6-e347ec9fd073 + streams: + - id: logfile-log.log-906e0d4c-9ec3-4c6a-bef6-e347ec9fd073 + data_stream: + dataset: soc + pipeline: common + paths: + - /opt/so/log/sensoroni/sensoroni.log + processors: + - decode_json_fields: + add_error_key: true + process_array: true + max_depth: 2 + fields: + - message + target: sensoroni + - add_fields: + fields: + module: soc + dataset_temp: sensoroni + category: host + target: event + - rename: + ignore_missing: true + fields: + - from: sensoroni.fields.sourceIp + to: source.ip + - from: sensoroni.fields.status + to: http.response.status_code + - from: sensoroni.fields.method + to: http.request.method + - from: sensoroni.fields.path + to: url.path + - from: sensoroni.message + to: event.action + - from: sensoroni.level + to: log.level + - id: logfile-logs-df0d7f2c-221f-433b-b18b-d1cf83250515 + name: soc-salt-relay-logs + revision: 2 + type: logfile + use_output: default + meta: + package: + name: log + version: + data_stream: + namespace: so + package_policy_id: df0d7f2c-221f-433b-b18b-d1cf83250515 + streams: + - id: logfile-log.log-df0d7f2c-221f-433b-b18b-d1cf83250515 + data_stream: + dataset: soc + pipeline: common + paths: + - /opt/so/log/soc/salt-relay.log + processors: + - dissect: + field: message + tokenizer: '%{soc.ts} | %{event.action}' + target_prefix: '' + - add_fields: + fields: + module: soc + dataset_temp: salt_relay + category: host + target: 
event + tags: + - so-soc + - id: logfile-logs-74bd2366-fe52-493c-bddc-843a017fc4d0 + name: soc-auth-sync-logs + revision: 2 + type: logfile + use_output: default + meta: + package: + name: log + version: + data_stream: + namespace: so + package_policy_id: 74bd2366-fe52-493c-bddc-843a017fc4d0 + streams: + - id: logfile-log.log-74bd2366-fe52-493c-bddc-843a017fc4d0 + data_stream: + dataset: soc + pipeline: common + paths: + - /opt/so/log/soc/sync.log + processors: + - dissect: + field: message + tokenizer: '%{event.action}' + target_prefix: '' + - add_fields: + fields: + module: soc + dataset_temp: auth_sync + category: host + target: event + tags: + - so-soc + - id: logfile-logs-d151d9bf-ff2a-4529-9520-c99244bc0253 + name: suricata-logs + revision: 2 + type: logfile + use_output: default + meta: + package: + name: log + version: + data_stream: + namespace: so + package_policy_id: d151d9bf-ff2a-4529-9520-c99244bc0253 + streams: + - id: logfile-log.log-d151d9bf-ff2a-4529-9520-c99244bc0253 data_stream: dataset: suricata + pipeline: suricata.common paths: - /nsm/suricata/eve*.json processors: - add_fields: - target: event fields: - category: network module: suricata - pipeline: suricata.common - - id: logfile-logs-90103ac4-f6bd-4a4a-b596-952c332390fc + category: network + target: event + - id: logfile-logs-31f94d05-ae75-40ee-b9c5-0e0356eff327 name: strelka-logs - revision: 1 + revision: 2 type: logfile use_output: default meta: package: name: log - version: + version: data_stream: namespace: so - package_policy_id: 90103ac4-f6bd-4a4a-b596-952c332390fc + package_policy_id: 31f94d05-ae75-40ee-b9c5-0e0356eff327 streams: - - id: logfile-log.log-90103ac4-f6bd-4a4a-b596-952c332390fc + - id: logfile-log.log-31f94d05-ae75-40ee-b9c5-0e0356eff327 data_stream: dataset: strelka + pipeline: strelka.file paths: - /nsm/strelka/log/strelka.log processors: - add_fields: - target: event fields: - category: file module: strelka - pipeline: strelka.file + category: file + target: event - 
id: logfile-logs-6197fe84-9b58-4d9b-8464-3d517f28808d name: zeek-logs revision: 1 diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json deleted file mode 100644 index 711602775..000000000 --- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json +++ /dev/null 
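Review bot: in the `import-evtx-logs` stream the `decode_json_fields` processor decodes `message` with `target: ''`, so every key of the imported JSON lands at the event root, and the following `drop_fields` removes only `host`; the later `add_fields` steps overwrite `data_stream` and `event`, but any other key present in an import file under `/nsm/import/*/evtx/*.json` (operator-imported data, as the `imported: true` tags suggest) is indexed as-is. A comment on that processor stating that the input is imported rather than collected data and listing which fields are normalized afterwards would help, and it is worth deciding whether further fields should be dropped or the decode target scoped under a prefix. The enclosing `inputs:` list continues past this hunk (the `zeek-logs` input is cut off), and `version:` under every `package:` is left empty, which looks deliberate but deserves a comment at the first occurrence.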
@@ -1,106 +0,0 @@ -{ - "package": { - "name": "elasticsearch", - "version": "" - }, - "name": "elasticsearch-logs", - "namespace": "default", - "description": "Elasticsearch Logs", - "policy_id": "so-grid-nodes_heavy", - "inputs": { - "elasticsearch-logfile": { - "enabled": true, - "streams": { - "elasticsearch.audit": { - "enabled": false, - "vars": { - "paths": [ - "/var/log/elasticsearch/*_audit.json" - ] - } - }, - "elasticsearch.deprecation": { - "enabled": false, - "vars": { - "paths": [ - "/var/log/elasticsearch/*_deprecation.json" - ] - } - }, - "elasticsearch.gc": { - "enabled": false, - "vars": { - "paths": [ - "/var/log/elasticsearch/gc.log.[0-9]*", - "/var/log/elasticsearch/gc.log" - ] - } - }, - "elasticsearch.server": { - "enabled": true, - "vars": { - "paths": [ - "/opt/so/log/elasticsearch/*.log" - ] - } - }, - "elasticsearch.slowlog": { - "enabled": false, - "vars": { - "paths": [ - "/var/log/elasticsearch/*_index_search_slowlog.json", - "/var/log/elasticsearch/*_index_indexing_slowlog.json" - ] - } - } - } - }, - "elasticsearch-elasticsearch/metrics": { - "enabled": false, - "vars": { - "hosts": [ - "http://localhost:9200" - ], - "scope": "node" - }, - "streams": { - "elasticsearch.stack_monitoring.ccr": { - "enabled": false - }, - "elasticsearch.stack_monitoring.cluster_stats": { - "enabled": false - }, - "elasticsearch.stack_monitoring.enrich": { - "enabled": false - }, - "elasticsearch.stack_monitoring.index": { - "enabled": false - }, - "elasticsearch.stack_monitoring.index_recovery": { - "enabled": false, - "vars": { - "active.only": true - } - }, - "elasticsearch.stack_monitoring.index_summary": { - "enabled": false - }, - "elasticsearch.stack_monitoring.ml_job": { - "enabled": false - }, - "elasticsearch.stack_monitoring.node": { - "enabled": false - }, - "elasticsearch.stack_monitoring.node_stats": { - "enabled": false - }, - "elasticsearch.stack_monitoring.pending_tasks": { - "enabled": false - }, - "elasticsearch.stack_monitoring.shard": 
{ - "enabled": false - } - } - } - } -} diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json deleted file mode 100644 index c9e4183de..000000000 --- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "package": { - "name": "log", - "version": "" - }, - "name": "kratos-logs", - "namespace": "so", - "description": "Kratos logs", - "policy_id": "so-grid-nodes_heavy", - "inputs": { - "logs-logfile": { - "enabled": true, - "streams": { - "log.log": { - "enabled": true, - "vars": { - "paths": [ - "/opt/so/log/kratos/kratos.log" - ], - "data_stream.dataset": "kratos", - "tags": ["so-kratos"], - "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos", - "custom": "pipeline: kratos" - } - } - } - } - } -} diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json index d0281c111..b1454d4bd 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json @@ -3,7 +3,7 @@ "name": "osquery_manager", "version": "" }, - "name": "osquery-grid-nodes", + "name": "osquery-grid-nodes_heavy", "namespace": "default", "policy_id": "so-grid-nodes_heavy", "inputs": { diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json deleted file mode 100644 index cddcedfd8..000000000 --- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json +++ /dev/null 
@@ -1,76 +0,0 @@ -{ - "package": { - "name": "redis", - "version": "" - }, - "name": "redis-logs", - "namespace": "default", - "description": "Redis logs", - "policy_id": "so-grid-nodes_heavy", - "inputs": { - "redis-logfile": { - "enabled": true, - "streams": { - "redis.log": { - "enabled": true, - "vars": { - "paths": [ - "/opt/so/log/redis/redis.log" - ], - "tags": [ - "redis-log" - ], - "preserve_original_event": false - } - } - } - }, - "redis-redis": { - "enabled": false, - "streams": { - "redis.slowlog": { - "enabled": false, - "vars": { - "hosts": [ - "127.0.0.1:6379" - ], - "password": "" - } - } - } - }, - "redis-redis/metrics": { - "enabled": false, - "vars": { - "hosts": [ - "127.0.0.1:6379" - ], - "idle_timeout": "20s", - "maxconn": 10, - "network": "tcp", - "password": "" - }, - "streams": { - "redis.info": { - "enabled": false, - "vars": { - "period": "10s" - } - }, - "redis.key": { - "enabled": false, - "vars": { - "key.patterns": "- limit: 20\n pattern: *\n", - "period": "10s" - } - }, - "redis.keyspace": { - "enabled": false, - "vars": { - "period": "10s" - } - } - } - } - } -} diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json deleted file mode 100644 index 2004c8c5d..000000000 --- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "package": { - "name": "log", - "version": "" - }, - "name": "soc-auth-sync-logs", - "namespace": "so", - "description": "Security Onion - Elastic Auth Sync - Logs", - "policy_id": "so-grid-nodes_heavy", - "inputs": { - "logs-logfile": { - "enabled": true, - "streams": { - "log.log": { - "enabled": true, - "vars": { - "paths": [ - "/opt/so/log/soc/sync.log" - ], - "data_stream.dataset": "soc", - "tags": ["so-soc"], - "processors": "- dissect:\n tokenizer: \"%{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: auth_sync", - "custom": "pipeline: common" - } - } - } - } - } -} diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json deleted file mode 100644 index b1b6098c1..000000000 --- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "package": { - "name": "log", - "version": "" - }, - "name": "soc-salt-relay-logs", - "namespace": "so", - "description": "Security Onion - Salt Relay - Logs", - "policy_id": "so-grid-nodes_heavy", - "inputs": { - "logs-logfile": { - "enabled": true, - "streams": { - "log.log": { - "enabled": true, - "vars": { - "paths": [ - "/opt/so/log/soc/salt-relay.log" - ], - "data_stream.dataset": "soc", - "tags": ["so-soc"], - "processors": "- dissect:\n tokenizer: \"%{soc.ts} | %{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: salt_relay", - "custom": "pipeline: common" - } - } - } - } - } -} diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json deleted file mode 100644 index 5954e5052..000000000 
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "package": { - "name": "log", - "version": "" - }, - "name": "soc-sensoroni-logs", - "namespace": "so", - "description": "Security Onion - Sensoroni - Logs", - "policy_id": "so-grid-nodes_heavy", - "inputs": { - "logs-logfile": { - "enabled": true, - "streams": { - "log.log": { - "enabled": true, - "vars": { - "paths": [ - "/opt/so/log/sensoroni/sensoroni.log" - ], - "data_stream.dataset": "soc", - "tags": [], - "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"sensoroni\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: sensoroni\n- rename:\n fields:\n - from: \"sensoroni.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"sensoroni.fields.status\"\n to: \"http.response.status_code\"\n - from: \"sensoroni.fields.method\"\n to: \"http.request.method\"\n - from: \"sensoroni.fields.path\"\n to: \"url.path\"\n - from: \"sensoroni.message\"\n to: \"event.action\"\n - from: \"sensoroni.level\"\n to: \"log.level\"\n ignore_missing: true", - "custom": "pipeline: common" - } - } - } - } - } -} diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json deleted file mode 100644 index 89e26563a..000000000 --- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "package": { - "name": "log", - "version": "" - }, - "name": "soc-server-logs", - "namespace": "so", - "description": "Security Onion Console Logs", - "policy_id": "so-grid-nodes_heavy", - "inputs": { - "logs-logfile": { - "enabled": true, - "streams": { - "log.log": { - "enabled": true, - "vars": { - "paths": [ - "/opt/so/log/soc/sensoroni-server.log" - ], - "data_stream.dataset": "soc", - "tags": ["so-soc"], - "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"soc\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: server\n- rename:\n fields:\n - from: \"soc.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"soc.fields.status\"\n to: \"http.response.status_code\"\n - from: \"soc.fields.method\"\n to: \"http.request.method\"\n - from: \"soc.fields.path\"\n to: \"url.path\"\n - from: \"soc.message\"\n to: \"event.action\"\n - from: \"soc.level\"\n to: \"log.level\"\n ignore_missing: true", - "custom": "pipeline: common" - } - } - } - } - } -} diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json index 31d30d4e0..3df514f0b 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json @@ -4,7 +4,7 @@ "name": "system", "version": "" }, - "name": "system-grid-nodes", + "name": "system-grid-nodes_heavy", "namespace": "default", "inputs": { "system-logfile": { From b6dd347eb8ba085b9452b705aa860fe88f89e8d0 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 31 Jul 2023 15:22:29 -0400 Subject: [PATCH 018/100] Heavy Node add manager --- salt/logstash/enabled.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index a88e97b19..cd9d6dd7e 100644 
--- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls @@ -9,6 +9,11 @@ {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'logstash/map.jinja' import LOGSTASH_MERGED %} {% from 'logstash/map.jinja' import REDIS_NODES %} +{# we append the manager here so that it is added to extra_hosts so the heavynode can resolve it #} +{# we cannont append in the logstash/map.jinja because then it would be added to the 0900_input_redis.conf #} +{% if GLOBALS.role == 'so-heavynode' %} +{% do REDIS_NODES.append({GLOBALS.manager:GLOBALS.manager_ip}) %} +{% endif %} {% set lsheap = LOGSTASH_MERGED.settings.lsheap %} include: From 6a55a8e5c08c0cbfd3f7fae2ec2c3fda12eece82 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 31 Jul 2023 22:17:22 -0400 Subject: [PATCH 019/100] Elastic 8.2.2 --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 9b69eb781..a2dedd324 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
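Review bot: The added `{% do REDIS_NODES.append({GLOBALS.manager:GLOBALS.manager_ip}) %}` mutates the list imported from logstash/map.jinja in place, so whether the manager entry also reaches other templates that import `REDIS_NODES` during the same render depends on how Salt caches Jinja imports, which is exactly what the comment about keeping it out of 0900_input_redis.conf relies on; a local copy avoids the question, `{% set REDIS_NODES = REDIS_NODES + [{GLOBALS.manager: GLOBALS.manager_ip}] %}`. The comment on the second added line has a typo, `cannont` → `cannot`. The surrounding state file continues outside the hunk.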
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.7.1","id": "8.7.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.8.2","id": "8.8.2","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From 44c926ba8d0672a6545fdf31f596a7e5797bf8a2 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 31 Jul 2023 22:18:07 -0400 Subject: [PATCH 020/100] Elastic 8.8.2 --- salt/kibana/tools/sbin_jinja/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/tools/sbin_jinja/so-kibana-config-load b/salt/kibana/tools/sbin_jinja/so-kibana-config-load index e65955178..159a69e68 100644 --- a/salt/kibana/tools/sbin_jinja/so-kibana-config-load +++ b/salt/kibana/tools/sbin_jinja/so-kibana-config-load 
@@ -63,7 +63,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.7.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.8.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From 5dd5f9fc1caa8c613226faf801c6f7f83796eedc Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 31 Jul 2023 22:18:43 -0400 Subject: [PATCH 021/100] Elastic 8.8.2 --- salt/common/tools/sbin/so-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 53c8664d2..f9459587d 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -5,7 +5,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -ELASTIC_AGENT_TARBALL_VERSION="8.7.1" +ELASTIC_AGENT_TARBALL_VERSION="8.8.2" DEFAULT_SALT_DIR=/opt/so/saltstack/default DOC_BASE_URL="https://docs.securityonion.net/en/2.4" From 29b64eadd42306852873047bd883900b558ea958 Mon Sep 17 00:00:00 2001 
From: Wes Date: Tue, 1 Aug 2023 02:20:22 +0000 Subject: [PATCH 022/100] Change log.log to log.logs --- .../grid-nodes_general/import-zeek-logs.json | 2 +- .../integrations-dynamic/grid-nodes_general/zeek-logs.json | 2 +- .../files/integrations/grid-nodes_general/idh-logs.json | 2 +- .../files/integrations/grid-nodes_general/import-evtx-logs.json | 2 +- .../integrations/grid-nodes_general/import-suricata-logs.json | 2 +- .../files/integrations/grid-nodes_general/kratos-logs.json | 2 +- .../integrations/grid-nodes_general/soc-auth-sync-logs.json | 2 +- .../integrations/grid-nodes_general/soc-salt-relay-logs.json | 2 +- .../integrations/grid-nodes_general/soc-sensoroni-logs.json | 2 +- .../files/integrations/grid-nodes_general/soc-server-logs.json | 2 +- .../files/integrations/grid-nodes_general/strelka-logs.json | 2 +- .../files/integrations/grid-nodes_general/suricata-logs.json | 2 +- .../files/integrations/grid-nodes_heavy/kratos-logs.json | 2 +- .../files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json | 2 +- .../integrations/grid-nodes_heavy/soc-salt-relay-logs.json | 2 +- .../files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json | 2 +- .../files/integrations/grid-nodes_heavy/soc-server-logs.json | 2 +- 17 files changed, 17 insertions(+), 17 deletions(-) diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json index 4c22f0446..0979f98b6 100644 --- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json +++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json @@ -13,7 +13,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ 
diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json index 2cec88bf2..32bff857b 100644 --- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json +++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json @@ -14,7 +14,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json index 32055112a..29cc1a879 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json @@ -11,7 +11,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json index d9f8daeb9..178b6ed53 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json @@ -12,7 +12,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json index f17ee33d1..3b8cffcc1 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json 
@@ -11,7 +11,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json index c342b57bd..b1fb71077 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json @@ -11,7 +11,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json index 84e9ae94d..3aa740881 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json @@ -11,7 +11,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json index 07bd89b89..840f36f6b 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json @@ -11,7 +11,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json index bee14ebf5..60ee95f45 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json 
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json @@ -11,7 +11,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json index 285d79148..b789adc1d 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json @@ -11,7 +11,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json index 6f6beca99..089b5d4f8 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json @@ -11,7 +11,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json index 7ff43c3a8..a9d857b24 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json @@ -11,7 +11,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json index c9e4183de..684cfd59b 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json 
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json @@ -11,7 +11,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json index 2004c8c5d..e031fe08c 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json @@ -11,7 +11,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json index b1b6098c1..1c8399bca 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json @@ -11,7 +11,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json index 5954e5052..a5e4b6217 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json @@ -11,7 +11,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json index 89e26563a..f36a00c37 100644 
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json @@ -11,7 +11,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ From 48d9c14563fe44e2c28a978140a1944cfe73e1cc Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 1 Aug 2023 02:20:43 +0000 Subject: [PATCH 023/100] Enable log package by default --- salt/elasticfleet/defaults.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index 46d496955..3d806d63f 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -32,4 +32,5 @@ elasticfleet: - fim - github - google_workspace + - log - 1password From 9d59e4250f39b56023a87cd0c5d39fb5a67a9311 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 31 Jul 2023 22:23:54 -0400 Subject: [PATCH 024/100] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 59aa62c1f..7d52aac7f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.5 +2.4.0-foxtrot From f84b0a3219d3f2046f48138b39d310afaef4937a Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 31 Jul 2023 23:16:46 -0400 Subject: [PATCH 025/100] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 7d52aac7f..59aa62c1f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.0-foxtrot +2.4.5 From 527a6ba454e26f48bec1af1abd409019e1075f2d Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 31 Jul 2023 23:52:38 -0400 Subject: [PATCH 026/100] Use asterisk when searching 'msg' since it is now a keyword --- salt/soc/defaults.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 53db2c838..cb7d400a0 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
@@ -1140,7 +1140,7 @@ soc: showSubtitle: true - name: SOC - Auth description: Users authenticated to SOC grouped by IP address and identity - query: 'event.dataset:kratos.audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' + query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip identity_id' showSubtitle: true - name: SOC - App description: Logs generated by the Security Onion Console (SOC) server and modules @@ -1405,7 +1405,7 @@ soc: query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module* | groupby event.dataset | groupby event.module* | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: SOC Auth description: SOC (Security Onion Console) authentication logs - query: 'event.dataset:kratos.audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' + query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' - name: Elastalerts description: Elastalert logs query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type' From 2875a7a2e5163fae947e58e354154c8c64fa5366 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 1 Aug 2023 09:48:44 -0400 Subject: [PATCH 027/100] Sensor NIC offload --- salt/sensor/files/99-so-checksum-offload-disable | 12 ++++++++++++ salt/sensor/init.sls | 11 +++++++++++ salt/top.sls | 5 +++++ 3 files changed, 28 insertions(+) create mode 100755 salt/sensor/files/99-so-checksum-offload-disable create mode 100644 salt/sensor/init.sls 
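Review bot: `msg:*authenticated*` in the `SOC - Auth` query introduces a leading wildcard, which on a keyword field cannot use the term index and has to scan every distinct `msg` value; the second hunk (`SOC Auth` at `@@ -1405,7 +1405,7 @@`) does the same. If the kratos audit message is a fixed string, an exact keyword match on the full value would be both cheaper and less likely to pick up unrelated messages that merely contain `authenticated`; otherwise a trailing-only wildcard or a query against a text subfield is preferable. The exact message text is not visible here, so confirm it against the kratos logs before changing the query.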
diff --git a/salt/sensor/files/99-so-checksum-offload-disable b/salt/sensor/files/99-so-checksum-offload-disable new file mode 100755 index 000000000..fdce54f5e --- /dev/null +++ b/salt/sensor/files/99-so-checksum-offload-disable @@ -0,0 +1,12 @@ +#!/bin/bash +# +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + + +. /usr/sbin/so-common + +init_monitor $MNIC diff --git a/salt/sensor/init.sls b/salt/sensor/init.sls new file mode 100644 index 000000000..34133e488 --- /dev/null +++ b/salt/sensor/init.sls @@ -0,0 +1,11 @@ +offload_script: + file.managed: + - name: /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable + - source: salt://sensor/files/99-so-checksum-offload-disable + - mode: 755 + +execute_checksum: + cmd.run: + - name: /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable + - onchanges: + - file: offload_script \ No newline at end of file diff --git a/salt/top.sls b/salt/top.sls index e53895324..bc51c2db1 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -36,6 +36,7 @@ base: '*_sensor and G@saltversion:{{saltversion}}': - match: compound + - sensor - ssl - sensoroni - telegraf @@ -52,6 +53,7 @@ base: '*_eval and G@saltversion:{{saltversion}}': - match: compound - salt.master + - sensor - ca - ssl - registry @@ -118,6 +120,7 @@ base: '*_standalone and G@saltversion:{{saltversion}}': - match: compound - salt.master + - sensor - ca - ssl - registry @@ -196,6 +199,7 @@ base: '*_heavynode and G@saltversion:{{saltversion}}': - match: compound + - sensor - ssl - sensoroni - nginx @@ -216,6 +220,7 @@ base: '*_import and G@saltversion:{{saltversion}}': - match: compound - salt.master + - sensor - ca - ssl - registry 
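Review bot: `offload_script` in salt/sensor/init.sls sets `mode: 755` but no owner, and NetworkManager only executes dispatcher scripts that are owned by root and not writable by group or others, so a script written under a different owner would be silently skipped; add `- user: root` and `- group: root` beside `- mode: 755`. In the new script, `$MNIC` is not defined in any visible line (only `/usr/sbin/so-common` is sourced), so as of this commit `init_monitor` is invoked with an empty argument. The dispatcher also hands the script the interface name and action as `$1`/`$2`, which it ignores; a guard such as `[ "$1" = "$MNIC" ] || exit 0` would avoid re-running `init_monitor` on every interface event.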
From 87a5d20ac968f811338556d71d66edcf066eb9dd Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 1 Aug 2023 10:03:59 -0400 Subject: [PATCH 028/100] Sensor NIC offload --- salt/sensor/files/99-so-checksum-offload-disable | 4 +++- salt/sensor/init.sls | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/sensor/files/99-so-checksum-offload-disable b/salt/sensor/files/99-so-checksum-offload-disable index fdce54f5e..72f7838db 100755 --- a/salt/sensor/files/99-so-checksum-offload-disable +++ b/salt/sensor/files/99-so-checksum-offload-disable @@ -9,4 +9,6 @@ . /usr/sbin/so-common -init_monitor $MNIC +{% set MNIC = salt['pillar.get']('sensor:interface') %} + +init_monitor {{ MNIC }} diff --git a/salt/sensor/init.sls b/salt/sensor/init.sls index 34133e488..53cd808c6 100644 --- a/salt/sensor/init.sls +++ b/salt/sensor/init.sls @@ -3,6 +3,7 @@ offload_script: - name: /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable - source: salt://sensor/files/99-so-checksum-offload-disable - mode: 755 + - template: jinja execute_checksum: cmd.run: From b6579d7d45474c229316cfa1653bc86565e3e725 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 1 Aug 2023 10:13:44 -0400 Subject: [PATCH 029/100] Sensor NIC offload --- salt/common/tools/sbin/so-common | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index f9459587d..0581c09c6 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
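Review bot: `init_monitor {{ MNIC }}` interpolates the pillar value unquoted into the shell command line, and `salt['pillar.get']('sensor:interface')` renders as an empty string when the key is absent, so a minion without that pillar still calls `init_monitor` with no argument instead of failing clearly. Assign and check it first: `MNIC="{{ MNIC }}"`, `[ -n "$MNIC" ] || { echo "sensor:interface pillar is not set" >&2; exit 1; }`, then `init_monitor "$MNIC"`. Because the file is now rendered with `template: jinja`, any literal `{{` or `{%` in the bash body would also be interpreted; none appear in the visible lines, but a comment at the top noting that the file is a Jinja template would warn future editors.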
@@ -225,12 +225,15 @@ init_monitor() { if [[ $MONITORNIC == "bond0" ]]; then BIFACES=$(lookup_bond_interfaces) + for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload; do + ethtool -K "$MONITORNIC" "$i" off; + done else BIFACES=$MONITORNIC fi for DEVICE_IFACE in $BIFACES; do - for i in rx tx sg tso ufo gso gro lro; do + for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload; do ethtool -K "$DEVICE_IFACE" "$i" off; done ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on From 4adaddf13f2e5b42dc16362d4bc24726277ad5bf Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 1 Aug 2023 10:14:59 -0400 Subject: [PATCH 030/100] Move syslog to the INPUT chain where needed --- salt/firewall/defaults.yaml | 79 +++++++++++++++++++++---------------- 1 file changed, 45 insertions(+), 34 deletions(-) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 20b966e48..3095c052e 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -198,9 +198,6 @@ firewall: portgroups: - redis - elasticsearch_node - self: - portgroups: - - syslog beats_endpoint: portgroups: - beats_5044 @@ -218,9 +215,6 @@ firewall: strelka_frontend: portgroups: - strelka_frontend - syslog: - portgroups: - - syslog analyst: portgroups: - nginx @@ -255,6 +249,12 @@ firewall: localhost: portgroups: - all + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -425,12 +425,6 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update - self: - portgroups: - - syslog - syslog: - portgroups: - - syslog beats_endpoint: portgroups: - beats_5044 @@ -497,6 +491,12 @@ firewall: receiver: portgroups: - salt_manager + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: 
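Review bot: The offload feature list is now written out twice in `init_monitor`, once for the bond master and once per slave in the loop below, and commit 031 later in this series (`@@ -225,7 +225,7 @@ init_monitor()`) already has to edit both copies in lockstep; hoist it once above the `if`, `OFFLOAD_FEATURES="rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload"`, and iterate `for i in $OFFLOAD_FEATURES; do` in both places. The result of `ethtool -K` is discarded, so a feature the driver does not expose only prints to stderr; that is pre-existing, but with a longer list a `2>/dev/null` or a logged warning per failure would keep the output meaningful. The function continues outside the hunk.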
@@ -588,9 +588,6 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update - self: - portgroups: - - syslog beats_endpoint: portgroups: - beats_5044 @@ -608,9 +605,6 @@ firewall: endgame: portgroups: - endgame - syslog: - portgroups: - - syslog analyst: portgroups: - nginx @@ -660,6 +654,12 @@ firewall: receiver: portgroups: - salt_manager + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -760,9 +760,6 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update - self: - portgroups: - - syslog beats_endpoint: portgroups: - beats_5044 @@ -783,9 +780,6 @@ firewall: strelka_frontend: portgroups: - strelka_frontend - syslog: - portgroups: - - syslog analyst: portgroups: - nginx @@ -838,6 +832,12 @@ firewall: receiver: portgroups: - salt_manager + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -884,9 +884,6 @@ firewall: searchnode: portgroups: - elasticsearch_node - self: - portgroups: - - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -918,6 +915,12 @@ firewall: localhost: portgroups: - all + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -942,9 +945,6 @@ firewall: chain: DOCKER-USER: hostgroups: - self: - portgroups: - - syslog strelka_frontend: portgroups: - strelka_frontend @@ -979,6 +979,12 @@ firewall: localhost: portgroups: - all + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -1030,6 +1036,9 @@ firewall: strelka_frontend: portgroups: - strelka_frontend + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -1189,11 +1198,7 @@ firewall: self: portgroups: - redis - - syslog - beats_5644 - syslog: - portgroups: - - syslog beats_endpoint: portgroups: - beats_5044 
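Review bot: The INPUT-chain hunk at `@@ -1030,6 +1036,9 @@` adds only a `syslog` hostgroup, whereas every other INPUT block touched by this commit adds the paired `self` and `syslog` entries; if that role is meant to accept syslog only from remote senders, a short comment beside it, `# no self entry: this role does not emit local syslog`, would stop the next edit from "fixing" the asymmetry. The hostgroup blocks are copied verbatim across roles, which is what turns this relocation into a 79-line change; a YAML anchor or a small Jinja macro for the shared `syslog` entry would keep the chain assignment in one place. Most of these blocks start and end outside their hunks, so the role each belongs to is inferred from position.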
@@ -1234,6 +1239,12 @@ firewall: localhost: portgroups: - all + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: From f35f42c83d58c4aabee7ca7c7a48a8d16b344c97 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 1 Aug 2023 10:23:45 -0400 Subject: [PATCH 031/100] Sensor NIC offload --- salt/common/tools/sbin/so-common | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 0581c09c6..3c79110b3 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -225,7 +225,7 @@ init_monitor() { if [[ $MONITORNIC == "bond0" ]]; then BIFACES=$(lookup_bond_interfaces) - for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload; do + for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do ethtool -K "$MONITORNIC" "$i" off; done else @@ -233,7 +233,7 @@ init_monitor() { fi for DEVICE_IFACE in $BIFACES; do - for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload; do + for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do ethtool -K "$DEVICE_IFACE" "$i" off; done ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on From 3fa0a98830682de91c80c0eaa862bfd0fa5516a1 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 1 Aug 2023 12:45:09 -0400 Subject: [PATCH 032/100] Update verbiage and links in soc_sensor.yaml --- salt/sensor/soc_sensor.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/sensor/soc_sensor.yaml b/salt/sensor/soc_sensor.yaml index 0774e9bcf..9ab0c236e 100644 --- a/salt/sensor/soc_sensor.yaml +++ b/salt/sensor/soc_sensor.yaml 
@@ -1,9 +1,9 @@ sensor: interface: description: Main sensor monitoring interface. - helpLink: sensor.html + helpLink: network.html readonly: True mtu: - description: Main IP address of the grid host. - helpLink: host.html + description: Maximum Transmission Unit (MTU) of the sensor monitoring interface. + helpLink: network.html readonly: True From 968fee3488eee120dcf1fc1e403539e09e93c459 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 1 Aug 2023 13:10:41 -0400 Subject: [PATCH 033/100] Regen Agent Installers when Fleet URLs change --- .../tools/sbin_jinja/so-elastic-agent-gen-installers | 6 ++++++ .../tools/sbin_jinja/so-elastic-fleet-urls-update | 3 ++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers index 2a19dcbd9..d7d6458c9 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers @@ -11,6 +11,12 @@ . /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common +LOG="/opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log" + +# Check to see if we are already running +NUM_RUNNING=$(pgrep -cf "/bin/bash /sbin/so-elastic-agent-gen-installers") +[ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING gen installers script processes running...exiting." >>$LOG && exit 0 + for i in {1..30} do ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key') diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update index 24c5dabed..4a744665a 100644 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update 
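Review bot: The duplicate-run guard in so-elastic-agent-gen-installers only works when the script's command line is exactly `/bin/bash /sbin/so-elastic-agent-gen-installers`; an invocation through another path or as `bash so-elastic-agent-gen-installers` is not counted, and two copies started at the same moment can both pass the `pgrep` check before either is visible, so it is a heuristic rather than a lock. A `flock` on a lock file is atomic and independent of how the script was started: `exec 9>"<LOCKFILE>"` followed by `flock -n 9 || { echo "$(date) - gen installers already running...exiting." >>"$LOG"; exit 0; }`. The `$LOG` in the existing redirect should also be quoted. The `for` loop on the last context line continues outside the hunk.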
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update @@ -62,7 +62,7 @@ fi NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}") NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}') -# Compare the current & new list of URLs - if different, update the Fleet Server URLs +# Compare the current & new list of URLs - if different, update the Fleet Server URLs & regenerate the agent installer if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then printf "\nHashes match - no update needed.\n" printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n" @@ -71,4 +71,5 @@ else printf "\nHashes don't match - update needed.\n" printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n" update_fleet_urls + /sbin/so-elastic-agent-gen-installers & fi From 2d13bf1a61441f43ee14cfc33e495a32249e3d7c Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 1 Aug 2023 14:40:12 -0400 Subject: [PATCH 034/100] Present logs to the host --- salt/elasticagent/enabled.sls | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index b133d94ab..bff4cee6b 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -33,6 +33,7 @@ so-elastic-agent: {% endif %} - binds: - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro + - /opt/so/log/elastic-agent:/usr/share/elastic-agent/logs - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /nsm:/nsm:ro - /opt/so/log:/opt/so/log:ro @@ -40,7 +41,8 @@ so-elastic-agent: {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %} - {{ BIND }} {% endfor %} - {% endif %} + {% endif %} + - LOGS_PATH=logs - environment: - FLEET_CA=/etc/pki/tls/certs/intca.crt {% if DOCKER.containers['so-elastic-agent'].extra_env %} From 1cbf60825d0f47bc0a7831840fdb7ef6f8bb4d9d Mon Sep 17 00:00:00 2001 
From: weslambert Date: Tue, 1 Aug 2023 14:40:52 -0400 Subject: [PATCH 035/100] Add log dir --- salt/elasticagent/config.sls | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/elasticagent/config.sls b/salt/elasticagent/config.sls index 8b24f3b22..b0b4321fa 100644 --- a/salt/elasticagent/config.sls +++ b/salt/elasticagent/config.sls @@ -28,6 +28,13 @@ elasticagentconfdir: - group: 939 - makedirs: True +elasticagentlogdir: + file.directory: + - name: /opt/so/log/elastic-agent + - user: 949 + - group: 939 + - makedirs: True + elasticagent_sbin_jinja: file.recurse: - name: /usr/sbin From 4e2eb86b36e4fc2c999bbb0957618f5b78ebda56 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 1 Aug 2023 20:11:51 +0000 Subject: [PATCH 036/100] Move LOGS_PATH to environment vars --- salt/elasticagent/enabled.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index bff4cee6b..67d7b975d 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -42,9 +42,9 @@ so-elastic-agent: - {{ BIND }} {% endfor %} {% endif %} - - LOGS_PATH=logs - environment: - FLEET_CA=/etc/pki/tls/certs/intca.crt + - LOGS_PATH=logs {% if DOCKER.containers['so-elastic-agent'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %} - {{ XTRAENV }} From 44b086a02864415010764d5afe5bae25a4e87461 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 1 Aug 2023 20:13:50 +0000 Subject: [PATCH 037/100] Change path --- salt/elasticagent/config.sls | 2 +- salt/elasticagent/enabled.sls | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticagent/config.sls b/salt/elasticagent/config.sls index b0b4321fa..b54186fab 100644 --- a/salt/elasticagent/config.sls +++ b/salt/elasticagent/config.sls @@ -30,7 +30,7 @@ elasticagentconfdir: elasticagentlogdir: file.directory: - - name: /opt/so/log/elastic-agent + - name: /opt/so/log/elasticagent - user: 949 - group: 939 - makedirs: True 
diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index 67d7b975d..963b8549b 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -33,7 +33,7 @@ so-elastic-agent: {% endif %} - binds: - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro - - /opt/so/log/elastic-agent:/usr/share/elastic-agent/logs + - /opt/so/log/elasticagent:/usr/share/elastic-agent/logs - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /nsm:/nsm:ro - /opt/so/log:/opt/so/log:ro From 0e047cffad7d39ed0d3cde192e110c60ffde7242 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 1 Aug 2023 20:14:53 +0000 Subject: [PATCH 038/100] Add to logrotate --- salt/logrotate/defaults.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/salt/logrotate/defaults.yaml b/salt/logrotate/defaults.yaml index 311a344b3..4d6a688e4 100644 --- a/salt/logrotate/defaults.yaml +++ b/salt/logrotate/defaults.yaml @@ -90,6 +90,26 @@ logrotate: - extension .log - dateext - dateyesterday + /opt/so/log/elasticagent/*_x_log: + - daily + - rotate 14 + - missingok + - copytruncate + - compress + - create + - extension .log + - dateext + - dateyesterday + /opt/so/log/elasticagent/*_x_ndjson: + - daily + - rotate 14 + - missingok + - copytruncate + - compress + - create + - extension .ndjson + - dateext + - dateyesterday /opt/so/log/elasticfleet/*_x_log: - daily - rotate 14 From 7037fc52f805623825f3bee9794bd2dab820ed3a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 1 Aug 2023 16:21:06 -0400 Subject: [PATCH 039/100] sync all modules before running states --- setup/so-setup | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-setup b/setup/so-setup index ce0aa83f7..20a1168c9 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -661,6 +661,7 @@ if ! [[ -f $install_opt_file ]]; then logCmd "salt-call state.show_top" sleep 2 # Debug RSA Key format errors logCmd "salt-key -ya $MINION_ID" + logCmd "salt-call saltutil.sync_all" logCmd "salt-call state.apply common.packages" logCmd "salt-call state.apply common" From 8b3a38f5733aa1ca8920d8c5be33fa3b86c1d91c Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 1 Aug 2023 16:30:24 -0400 Subject: [PATCH 040/100] resolve login page flicker --- salt/nginx/etc/nginx.conf | 4 +++- setup/so-verify | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 52e3d6d3d..05da0b5d8 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -296,7 +296,9 @@ http { error_page 429 = @error429; location @error401 { - add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; + if ($request_uri ~* ^/(?!(^/api/.*))) { + add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; + } return 302 /auth/self-service/login/browser; } diff --git a/setup/so-verify b/setup/so-verify index 918610732..07d24d114 100755 --- a/setup/so-verify +++ b/setup/so-verify @@ -51,6 +51,7 @@ log_has_errors() { grep -vE "/nsm/rules/sigma*" | \ grep -vE "/nsm/rules/yara*" | \ grep -vE "Failed to restart snapd" | \ + grep -vE "Login Failed Details" | \ grep -vE "Running scope as unit" &> "$error_log" if [[ $? -eq 0 ]]; then From 23414599eed535d95ec2a4ba8946b461a7c3644a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 1 Aug 2023 16:53:26 -0400 Subject: [PATCH 041/100] use simple json (w/o template) to resolve sluggishness --- salt/common/tools/sbin/so-status | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status index 4a12d71b4..f4abd8aa3 100755 --- a/salt/common/tools/sbin/so-status +++ b/salt/common/tools/sbin/so-status 
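Review bot: The new condition `^/(?!(^/api/.*))` never excludes API requests: once the leading `/` has been consumed, the `^` inside the lookahead can no longer match, so the negative lookahead succeeds for every URI and `AUTH_REDIRECT` is still set on `/api/` calls, which is what this commit set out to stop. A negated match states the intent directly and is what I would change the line to: `if ($request_uri !~* ^/api/) {`. The enclosing `http` block and the other error locations are outside the hunk.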
@@ -103,7 +103,7 @@ def output(options, console, code, data): def check_container_status(options, console): code = 0 cli = "docker" - proc = subprocess.run([cli, 'ps', '--format', '{{json .}}'], stdout=subprocess.PIPE, encoding="utf-8") + proc = subprocess.run([cli, 'ps', '--format', 'json'], stdout=subprocess.PIPE, encoding="utf-8") if proc.returncode != 0: fail("Container system error; unable to obtain container process statuses") From 0d5ed2e8359e30642bb6081e070f83e3f526d68a Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 2 Aug 2023 13:21:03 +0000 Subject: [PATCH 042/100] Set version for Elastic Defend and enable updates --- .../endpoints-initial/elastic-defend-endpoints.json | 4 ++-- .../tools/sbin/so-elastic-fleet-integration-policy-load | 6 ++---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json index 7d7f5bb35..6ffb6418e 100644 --- a/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json +++ b/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json @@ -5,7 +5,7 @@ "package": { "name": "endpoint", "title": "Elastic Defend", - "version": "" + "version": "8.8.0" }, "enabled": true, "policy_id": "endpoints-initial", @@ -25,4 +25,4 @@ } } }] -} \ No newline at end of file +} diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load index 49bfb69ac..501aafbda 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load 
@@ -15,10 +15,8 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n" elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION" if [ -n "$INTEGRATION_ID" ]; then - if [ "$NAME" != "elastic-defend-endpoints" ]; then - printf "\n\nIntegration $NAME exists - Updating integration\n" - elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION" - fi + printf "\n\nIntegration $NAME exists - Updating integration\n" + elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION" else printf "\n\nIntegration does not exist - Creating integration\n" elastic_fleet_integration_create "@$INTEGRATION" From e6940190274bf438e6b1bf33b04cb933bb4675d8 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 2 Aug 2023 13:50:14 +0000 Subject: [PATCH 043/100] Add package list --- .../tools/sbin/so-elastic-fleet-package-list | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100755 salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list b/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list new file mode 100755 index 000000000..7e68c6e83 --- /dev/null +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list 
@@ -0,0 +1,15 @@ +#!/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-elastic-fleet-common + +# Let's snag a cookie from Kibana +SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') + +# List configured package policies +curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages" -H 'kbn-xsrf: true' | jq + +echo From b520c1abb777a479df05e7e033edfa7b57b37d77 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 2 Aug 2023 10:36:40 -0400 Subject: [PATCH 044/100] Allow multiple Custom Fleet FQDN --- salt/elasticfleet/defaults.yaml | 3 ++- salt/elasticfleet/soc_elasticfleet.yaml | 2 +- .../sbin_jinja/so-elastic-fleet-outputs-update | 14 +++++++++----- .../sbin_jinja/so-elastic-fleet-urls-update | 16 ++++++++++------ 4 files changed, 22 insertions(+), 13 deletions(-) diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index 3d806d63f..62a1302c1 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -2,7 +2,8 @@ elasticfleet: enabled: False config: server: - custom_fqdn: '' + custom_fqdn: + - '' enable_auto_configuration: True endpoints_enrollment: '' es_token: '' diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml index 9b918f0ac..772e68181 100644 --- a/salt/elasticfleet/soc_elasticfleet.yaml +++ b/salt/elasticfleet/soc_elasticfleet.yaml 
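Review bot: `SESSIONCOOKIE` is used without checking that the first `curl` actually returned a `sid` cookie; with `-s` a transport or authentication failure is silent, the second request then goes out with an empty `sid=`, and whatever comes back is piped to `jq` as if it were a package list. A guard after the assignment makes the failure visible: `[ -n "$SESSIONCOOKIE" ] || { echo "Unable to obtain a Kibana session cookie" >&2; exit 1; }`. The cookie-jar parsing `grep sid | awk '{print $7}'` also matches any cookie whose name merely contains `sid`; selecting on the name column, `awk '$6 == "sid" {print $7}'`, pins it to that cookie. Consider `set -o pipefail` at the top so a failing `curl` is not masked by the `jq` exit status.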
@@ -12,7 +12,7 @@ elasticfleet: config: server: custom_fqdn: - description: Custom FQDN for Agents to connect to. + description: Custom FQDN for Agents to connect to. One per line. global: True helpLink: elastic-fleet.html advanced: True diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update index 042084d84..400a6224f 100644 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update @@ -2,7 +2,6 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use # this file except in compliance with the Elastic License 2.0. {% from 'vars/globals.map.jinja' import GLOBALS %} -{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %} . /usr/sbin/so-common @@ -41,10 +40,15 @@ else NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.hostname }}:5055") fi -{% if CUSTOMFQDN != "" %} -# Add Custom Hostname to list -NEW_LIST+=("{{ CUSTOMFQDN }}:5055") -{% endif %} +# Query for FQDN entries & add them to the list +CUSTOMFQDNLIST=$( salt-call --out=json pillar.get elasticfleet:config:server:custom_fqdn | jq -r '.local | .[]') +if [ -n "$CUSTOMFQDNLIST" ]; then + readarray -t CUSTOMFQDN <<< $CUSTOMFQDNLIST + for CUSTOMNAME in "${CUSTOMFQDN[@]}" + do + NEW_LIST+=("$CUSTOMNAME:5055") + done +fi # Query for the current Grid Nodes that are running Logstash LOGSTASHNODES=$(salt-call --out=json pillar.get logstash:nodes | jq '.local') diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update index 4a744665a..52727780d 100644 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update 
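Review bot: Each entry read from the `custom_fqdn` pillar is appended to `NEW_LIST` as `$CUSTOMNAME:5055` with no check of its form, so a value containing whitespace, a scheme or a port typed into the SOC setting lands verbatim in the Logstash output list and, in the urls-update hunk on the next line, in the Fleet Server URL list, from where it presumably reaches every enrolled agent. A minimal shape check inside the loop keeps such entries out: `[[ "$CUSTOMNAME" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "Skipping invalid custom FQDN: $CUSTOMNAME"; continue; }`. The here-string should also be quoted, `readarray -t CUSTOMFQDN <<< "$CUSTOMFQDNLIST"`, so that newline separation does not depend on the shell's treatment of an unquoted here-string. The same two points apply to the so-elastic-fleet-urls-update hunk that follows.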
@@ -2,7 +2,6 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use # this file except in compliance with the Elastic License 2.0. {% from 'vars/globals.map.jinja' import GLOBALS %} -{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %} . /usr/sbin/so-common @@ -41,10 +40,15 @@ else NEW_LIST=("https://{{ GLOBALS.url_base }}:8220" "https://{{ GLOBALS.hostname }}:8220") fi -{% if CUSTOMFQDN != "" %} -# Add Custom Hostname to list -NEW_LIST+=("https://{{ CUSTOMFQDN }}:8220") -{% endif %} +# Query for FQDN entries & add them to the list +CUSTOMFQDNLIST=$( salt-call --out=json pillar.get elasticfleet:config:server:custom_fqdn | jq -r '.local | .[]') +if [ -n "$CUSTOMFQDNLIST" ]; then + readarray -t CUSTOMFQDN <<< $CUSTOMFQDNLIST + for CUSTOMNAME in "${CUSTOMFQDN[@]}" + do + NEW_LIST+=("https://$CUSTOMNAME:8220") + done +fi # Query for the current Grid Nodes that are running Logstash (which includes Fleet Nodes) LOGSTASHNODES=$(salt-call --out=json pillar.get logstash:nodes | jq '.local') @@ -71,5 +75,5 @@ else printf "\nHashes don't match - update needed.\n" printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n" update_fleet_urls - /sbin/so-elastic-agent-gen-installers & + /sbin/so-elastic-agent-gen-installers >> /opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log & fi From 407cb2a537f0c19e170e0905d495760fa5fe9ae6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 2 Aug 2023 10:56:41 -0400 Subject: [PATCH 045/100] force portgroups added to hostgroups in roles to be list of strings --- salt/firewall/soc_firewall.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index d1db56a0b..0011a245e 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml 
@@ -191,6 +191,7 @@ firewall: description: Portgroups to add access to the docker containers for this role. advanced: True multiline: True + forcedType: "[]string" helpLink: firewall.html sensor: portgroups: *portgroupsdocker @@ -241,6 +242,7 @@ firewall: description: Portgroups to add access to the host. advanced: True multiline: True + forcedType: "[]string" helpLink: firewall.html dockernet: portgroups: *portgroupshost From 5630b353c4106928f9a7e9debc2d636fd7471243 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 2 Aug 2023 11:20:51 -0400 Subject: [PATCH 046/100] change how pgrep finds salt-master PID --- salt/common/packages.sls | 2 ++ salt/manager/tools/sbin/soup | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 0fc067245..9cbfd08bb 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -17,6 +17,7 @@ commonpkgs: - netcat-openbsd - sqlite3 - libssl-dev + - procps - python3-dateutil - python3-docker - python3-packaging @@ -70,6 +71,7 @@ commonpkgs: - net-tools - nmap-ncat - openssl + - procps - python3-dnf-plugin-versionlock - python3-docker - python3-m2crypto diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 31f1d0fea..582e4502b 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -436,7 +436,7 @@ stop_salt_master() { echo "" echo "Storing salt-master pid." - MASTERPID=$(pgrep salt-master | head -1) + MASTERPID=$(pgrep -f '/opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master MainProcess') echo "Found salt-master PID $MASTERPID" systemctl_func "stop" "salt-master" timeout 30 tail --pid=$MASTERPID -f /dev/null || echo "salt-master still running at $(date +"%T.%6N") after waiting 30s. We cannot kill due to systemd restart option." From 98731210003a80cac470db809f665081b963b00f Mon Sep 17 00:00:00 2001 
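Review bot: The new `pgrep -f` pattern hard-codes the interpreter path `/opt/saltstack/salt/bin/python3.10`, so a Salt onedir update that ships a different Python version makes `MASTERPID` silently empty, and the following `tail --pid=$MASTERPID` then has nothing to wait on. Since the service is stopped through `systemctl_func` anyway, systemd can supply the PID without matching a command line: `MASTERPID=$(systemctl show -p MainPID --value salt-master)`, followed by `[ -n "$MASTERPID" ] && [ "$MASTERPID" != 0 ] || echo "salt-master PID not found"`. The salt-minion change in the next commit pins the same interpreter path and would benefit from the same approach. `stop_salt_master` continues outside the hunk.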
From: m0duspwnens Date: Wed, 2 Aug 2023 12:54:31 -0400 Subject: [PATCH 047/100] change pgrep for salt-minion PID --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 582e4502b..71f3f7a2a 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -455,7 +455,7 @@ stop_salt_minion() { set -e echo "Storing salt-minion pid." - MINIONPID=$(pgrep salt-minion | head -1) + MINIONPID=$(pgrep -f '/opt/saltstack/salt/bin/python3.10 /usr/bin/salt-minion' | head -1) echo "Found salt-minion PID $MINIONPID" systemctl_func "stop" "salt-minion" From f6c620455556a1edad4b0dbb398a976f591fa424 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 2 Aug 2023 13:05:24 -0400 Subject: [PATCH 048/100] procps to procps-ng --- salt/common/packages.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 9cbfd08bb..5f4a348e7 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -71,7 +71,7 @@ commonpkgs: - net-tools - nmap-ncat - openssl - - procps + - procps-ng - python3-dnf-plugin-versionlock - python3-docker - python3-m2crypto From ac28f90af3bd66a6f443711fa3be61c8ef4d9f92 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 2 Aug 2023 13:15:11 -0400 Subject: [PATCH 049/100] Remove override --- salt/elasticsearch/files/ingest/filterlog | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/filterlog b/salt/elasticsearch/files/ingest/filterlog index fb197c706..850c15d99 100644 --- a/salt/elasticsearch/files/ingest/filterlog +++ b/salt/elasticsearch/files/ingest/filterlog 
@@ -49,7 +49,6 @@ "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}] } }, - { "set": { "field": "_index", "value": "so-firewall", "override": true } }, { "set": { "if": "ctx.network?.transport_id == '0'", "field": "network.transport", "value": "icmp", "override": true } }, { "community_id": {} }, { "set": { "field": "module", "value": "pfsense", "override": true } }, From f1023510524d5c46a5ebca8acf6cf2293faa6026 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 2 Aug 2023 13:25:44 -0400 Subject: [PATCH 050/100] Add event --- salt/elasticsearch/files/ingest/filterlog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/files/ingest/filterlog b/salt/elasticsearch/files/ingest/filterlog index 850c15d99..52d83dd0a 100644 --- a/salt/elasticsearch/files/ingest/filterlog +++ b/salt/elasticsearch/files/ingest/filterlog @@ -51,8 +51,8 @@ }, { "set": { "if": "ctx.network?.transport_id == '0'", "field": "network.transport", "value": "icmp", "override": true } }, { "community_id": {} }, - { "set": { "field": "module", "value": "pfsense", "override": true } }, - { "set": { "field": "dataset", "value": "firewall", "override": true } }, + { "set": { "field": "event.module", "value": "pfsense", "override": true } }, + { "set": { "field": "event.dataset", "value": "firewall", "override": true } }, { "set": { "field": "category", "value": "network", "override": true } }, { "remove": { "field": ["real_message", "ip_sub_msg", "firewall.sub_message"], "ignore_failure": true } } ] From c17b324108a1ba353b92f6a5cd89d17c2ca18654 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 2 Aug 2023 14:04:19 -0400 Subject: [PATCH 051/100] dont count adv_ sls files for number of minions in deployment --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 71f3f7a2a..0a1c9237d 100755 
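Review bot: In the second hunk `module` and `dataset` are moved under `event.`, but the adjacent `category` setter on the next context line still writes a top-level `category` field; if the intent is ECS alignment, its counterpart would be `{ "set": { "field": "event.category", "value": "network", "override": true } },`. I cannot tell from the diff whether the top-level `category` is consumed elsewhere, so this is worth confirming before changing. The pipeline definition extends outside the hunk.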
--- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -859,7 +859,7 @@ main() { set +e echo "Checking the number of minions." - NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l) + NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | grep -v adv_ | wc -l) if [[ $UPGRADESALT -eq 1 ]] && [[ $NUM_MINIONS -gt 1 ]]; then if [[ $is_airgap -eq 0 ]]; then echo "" From 64776936cc4e50d21e623f874e0ba599adc12b78 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 2 Aug 2023 14:09:43 -0400 Subject: [PATCH 052/100] no longer need so-user migrate in 2.4 --- salt/manager/tools/sbin/soup | 3 --- 1 file changed, 3 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 0a1c9237d..1b0fb1478 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -875,9 +875,6 @@ main() { echo "Checking sudoers file." check_sudoers - echo "Checking for necessary user migrations." - so-user migrate - systemctl_func "start" "$cron_service_name" if [[ -n $lsl_msg ]]; then From aab55c8cf6d76b3a81e68db7e6f85d864c957ce8 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 2 Aug 2023 15:09:26 -0400 Subject: [PATCH 053/100] Regen Agent Installers --- salt/manager/tools/sbin/soup | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 1b0fb1478..85f5b45f4 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -419,7 +419,8 @@ post_to_2.4.4() { } post_to_2.4.5() { - echo "Nothing to apply" + echo "Regenerating Elastic Agent Installers" + /sbin/so-elastic-agent-gen-installers POSTVERSION=2.4.5 } From 8036df4b203d2998f26201a69acdb9c786ba165f Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 2 Aug 2023 15:10:31 -0400 Subject: [PATCH 054/100] ensure suri rules are synced for import installs --- setup/so-setup | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/setup/so-setup b/setup/so-setup index 20a1168c9..ccc9f6f2f 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -695,9 +695,11 @@ if ! [[ -f $install_opt_file ]]; then logCmd "so-rule-update" title "Downloading YARA rules" logCmd "su socore -c '/usr/sbin/so-yara-download'" - if [[ $monints ]]; then + if [[ $monints || $is_import ]]; then title "Restarting Suricata to pick up the new rules" logCmd "so-suricata-restart" + fi + if [[ $monints ]]; then title "Restarting Strelka to use new rules" logCmd "so-strelka-restart" fi From f153c1125d9dba74b5358c298936fbd0b873c2f8 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 2 Aug 2023 15:23:18 -0400 Subject: [PATCH 055/100] Allow multiple Custom Fleet FQDN --- salt/elasticfleet/defaults.yaml | 3 +-- salt/elasticfleet/enabled.sls | 13 ++++++++++--- salt/elasticfleet/soc_elasticfleet.yaml | 1 + 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index 62a1302c1..0ae7a5176 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -2,8 +2,7 @@ elasticfleet: enabled: False config: server: - custom_fqdn: - - '' + custom_fqdn: [] enable_auto_configuration: True endpoints_enrollment: '' es_token: '' diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index 025a87e14..bb6410f2c 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -15,6 +15,7 @@ include: - elasticfleet.config - elasticfleet.sostatus + - ssl # If enabled, automatically update Fleet Logstash Outputs {% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval', 'so-fleet'] %} 
@@ -61,11 +62,14 @@ so-elastic-fleet: - {{ BINDING }} {% endfor %} - binds: - - /etc/pki:/etc/pki:ro + - /etc/pki/elasticfleet-server.crt:/etc/pki/elasticfleet-server.crt:ro + - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro + - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro {% if GLOBALS.os_family == 'Debian' %} - - /etc/ssl:/etc/ssl:ro + - /etc/ssl/elasticfleet-server.crt:/etc/ssl/elasticfleet-server.crt:ro + - /etc/ssl/elasticfleet-server.key:/etc/ssl/elasticfleet-server.key:ro + - /etc/ssl/tls/certs/intca.crt:/etc/ssl/tls/certs/intca.crt:ro {% endif %} - #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} @@ -93,6 +97,9 @@ so-elastic-fleet: - {{ XTRAENV }} {% endfor %} {% endif %} + - watch: + - x509: etc_elasticfleet_key + - x509: etc_elasticfleet_crt {% endif %} {% if GLOBALS.role != "so-fleet" %} diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml index 772e68181..af660358a 100644 --- a/salt/elasticfleet/soc_elasticfleet.yaml +++ b/salt/elasticfleet/soc_elasticfleet.yaml @@ -16,6 +16,7 @@ elasticfleet: global: True helpLink: elastic-fleet.html advanced: True + forcedType: "[]string" enable_auto_configuration: description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs. global: True From eb512d9aa27c1f8f7db7ede491bdc743d899bf88 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 2 Aug 2023 16:21:23 -0400 Subject: [PATCH 056/100] add mono-devel --- salt/desktop/packages.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/desktop/packages.sls b/salt/desktop/packages.sls index 401be0cd6..30d2f96e5 100644 --- a/salt/desktop/packages.sls +++ b/salt/desktop/packages.sls 
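Review bot: In the Debian branch the CA bind is `/etc/ssl/tls/certs/intca.crt`, while the unconditional entries above mount the CA from `/etc/pki/tls/certs/intca.crt`; if that `/etc/ssl/tls/...` path does not exist on the host, Docker's bind handling creates an empty directory there instead of failing, and the container silently gets no CA at that location. I cannot confirm from the diff where the ssl state writes the CA on Debian, so this should be checked against `salt/ssl/init.sls` before merge, and the entry dropped if the `/etc/pki` mount already covers it. Replacing the whole-directory mounts of `/etc/pki` and `/etc/ssl` with the three files the service needs is a welcome narrowing. The `so-elastic-fleet` container definition continues outside the hunk.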
@@ -295,6 +295,7 @@ desktop_packages: - mesa-vulkan-drivers - microcode_ctl - mobile-broadband-provider-info + - mono-devel - mpfr - mpg123-libs - mtdev From 435da77388d2d268166811194652342c915dff24 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 2 Aug 2023 16:53:45 -0400 Subject: [PATCH 057/100] add gtk2 --- salt/desktop/packages.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/desktop/packages.sls b/salt/desktop/packages.sls index 30d2f96e5..3b0d4c8ba 100644 --- a/salt/desktop/packages.sls +++ b/salt/desktop/packages.sls @@ -181,6 +181,7 @@ desktop_packages: - gstreamer1-plugins-good-gtk - gstreamer1-plugins-ugly-free - gtk-update-icon-cache + - gtk2 - gtk3 - gtk4 - gtkmm30 From ab28cee7cf3041ac6276b120956e8d117a1323b4 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 2 Aug 2023 17:45:37 -0400 Subject: [PATCH 058/100] Allow multiple Custom Fleet FQDN --- salt/ssl/init.sls | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 97e971b83..15c29791f 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -7,7 +7,7 @@ {% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %} +{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} {% set global_ca_text = [] %} {% set global_ca_server = [] %} @@ -154,7 +154,7 @@ etc_elasticfleet_crt: - signing_policy: elasticfleet - private_key: /etc/pki/elasticfleet-server.key - CN: {{ GLOBALS.url_base }} - - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }} {% if CUSTOMFQDN != "" %},DNS:{{ CUSTOMFQDN }}{% endif %} + - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn[0] != "" %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %} - days_remaining: 0 - days_valid: 820 - backup: True 
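Review bot: The emptiness test `custom_fqdn[0] != ""` does not fit the `[]` default this series gives the setting in patch 055: indexing an empty list yields an undefined value in Jinja, so the state either fails to render under a strict undefined policy or emits a trailing `,DNS:` in the SAN. Testing the list itself handles both cases: `{% if ELASTICFLEETMERGED.config.server.custom_fqdn %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}`; if blank entries are still possible, filter them first with `| reject('equalto', '') | list`. The entries are placed in the certificate SAN exactly as entered, so any validation of the FQDN setting has to happen before it reaches this state. The `etc_elasticfleet_logstash_crt` hunk that follows uses the same expression and needs the same change.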
@@ -211,7 +211,7 @@ etc_elasticfleet_logstash_crt: - signing_policy: elasticfleet - private_key: /etc/pki/elasticfleet-logstash.key - CN: {{ GLOBALS.url_base }} - - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }} {% if CUSTOMFQDN != "" %},DNS:{{ CUSTOMFQDN }}{% endif %} + - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn[0] != "" %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %} - days_remaining: 0 - days_valid: 820 - backup: True From 1c8a8c460c90572cbeea725a88a60dc358c5b5f9 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 2 Aug 2023 17:53:29 -0400 Subject: [PATCH 059/100] Restart logstash when certs change --- salt/logstash/enabled.sls | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index cd9d6dd7e..a33080f8d 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls @@ -22,6 +22,7 @@ include: {% endif %} - logstash.config - logstash.sostatus + - ssl so-logstash: docker_container.running: @@ -90,6 +91,8 @@ so-logstash: {% endfor %} {% endif %} - watch: + - x509: etc_elasticfleet_logstash_key + - x509: etc_elasticfleet_logstash_crt - file: lsetcsync {% for assigned_pipeline in LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %} - file: ls_pipeline_{{assigned_pipeline}} From 3054b8dcb9fa452ca25e6cd936999f3ff4e41727 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 2 Aug 2023 18:57:46 -0400 Subject: [PATCH 060/100] refactor elastic-agent download for soup ctrl+c anomalies --- salt/common/tools/sbin/so-common | 64 +++++++++++++++++++++++++++++++- salt/manager/tools/sbin/soup | 18 ++++----- setup/so-functions | 20 +--------- 3 files changed, 74 insertions(+), 28 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 3c79110b3..702c73c8c 100755 --- a/salt/common/tools/sbin/so-common 
+++ b/salt/common/tools/sbin/so-common @@ -5,7 +5,16 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +# Elastic agent is not managed by salt. Because of this we must store this base information in a +# script that accompanies the soup system. Since so-common is one of those special soup files, +# and since this same logic is required during installation, it's included in this file. ELASTIC_AGENT_TARBALL_VERSION="8.8.2" +ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" +ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" +ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" +ELASTIC_AGENT_MD5="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" +ELASTIC_AGENT_EXPANSION_DIR=/nsm/elastic-fleet/artifacts/beats/elastic-agent + DEFAULT_SALT_DIR=/opt/so/saltstack/default DOC_BASE_URL="https://docs.securityonion.net/en/2.4" 
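Review bot: The tarball and its `.md5` are fetched from the same origin (`ELASTIC_AGENT_URL` and `ELASTIC_AGENT_MD5_URL` differ only in extension), so the comparison performed by `download_and_verify` detects transfer corruption but not a substituted artifact, and MD5 is not collision resistant in any case. Since the version is already pinned here as `ELASTIC_AGENT_TARBALL_VERSION`, pinning the expected digest in the same block, e.g. `ELASTIC_AGENT_SHA256="<expected-sha256-placeholder>"`, and comparing against `sha256sum` output gives a real integrity check without a second download. `ELASTIC_AGENT_EXPANSION_DIR` is the only one of the five new assignments left unquoted; quoting it keeps the block uniform.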
@@ -161,6 +170,37 @@ disable_fastestmirror() { sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf } +download_and_verify() { + source_url=$1 + source_md5_url=$2 + dest_file=$3 + md5_file=$4 + expand_dir=$5 + + if [[ -n "$expand_dir" ]]; then + mkdir -p "$expand_dir" + fi + + if ! verify_md5_checksum "$dest_file" "$md5_file"; then + retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_url' --output '$dest_file'" "" "" + retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_md5_url' --output '$md5_file'" "" "" + + SOURCEHASH=$(md5sum "$dest_file" | awk '{ print $1 }') + HASH=$(cat "$md5_file") + + if verify_md5_checksum "$dest_file" "$md5_file"; then + echo "Source file and checksum are good." + else + echo "Unable to download and verify the source file and checksum." + return 1 + fi + fi + + if [[ -n "$expand_dir" ]]; then + tar -xf "$dest_file" -C "$expand_dir" + fi +} + elastic_license() { read -r -d '' message <<- EOM @@ -211,7 +251,7 @@ gpg_rpm_import() { echo "Imported $RPMKEY" done elif [[ $is_rpm ]]; then - info "Importing the security onion GPG key" + echo "Importing the security onion GPG key" rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub fi } @@ -470,6 +510,11 @@ has_uppercase() { || return 1 } +update_elastic_agent() { + echo "Checking if Elastic Agent update is necessary..." + download_and_verify "$ELASTIC_AGENT_URL" "$ELASTIC_AGENT_MD5_URL" "$ELASTIC_AGENT_FILE" "$ELASTIC_AGENT_MD5" "$ELASTIC_AGENT_EXPANSION_DIR" +} + valid_cidr() { # Verify there is a backslash in the string echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1 
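Review bot: `download_and_verify` assigns `source_url`, `source_md5_url`, `dest_file`, `md5_file` and `expand_dir` without `local`, so they leak into the caller's scope and survive across calls; `local source_url=$1 source_md5_url=$2 dest_file=$3 md5_file=$4 expand_dir=$5` fixes that in one line. The function's exit status on the already-verified path is whatever `tar -xf` returns, and on the download path a tar failure after "Source file and checksum are good." is not reported at all, so `tar -xf "$dest_file" -C "$expand_dir" || return 1` is needed for callers such as `update_elastic_agent` (third hunk on this line) to see extraction errors. `SOURCEHASH`/`HASH` are computed here and never read; a following patch removes them.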
@@ -623,6 +668,23 @@ valid_username() { echo "$user" | grep -qP '^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$' && return 0 || return 1 } +verify_md5_checksum() { + data_file=$1 + md5_file=${2:-${data_file}.md5} + + if [[ ! -f "$dest_file" || ! -f "$md5_file" ]]; then + return 2 + fi + + SOURCEHASH=$(md5sum "$data_file" | awk '{ print $1 }') + HASH=$(cat "$md5_file") + + if [[ "$HASH" == "$SOURCEHASH" ]]; then + return 0 + fi + return 1 +} + wait_for_web_response() { url=$1 expected=$2 diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 85f5b45f4..bd41bdcf2 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -467,21 +467,21 @@ stop_salt_minion() { up_to_2.4.3() { - echo "Nothing to do for 2.4.3" - ## - INSTALLEDVERSION=2.4.3 + echo "Nothing to do for 2.4.3" + + INSTALLEDVERSION=2.4.3 } up_to_2.4.4() { - echo "Nothing to do for 2.4.4" - ## - INSTALLEDVERSION=2.4.4 + echo "Nothing to do for 2.4.4" + + INSTALLEDVERSION=2.4.4 } up_to_2.4.5() { - echo "Nothing to do for 2.4.5" - ## - INSTALLEDVERSION=2.4.5 + update_elastic_agent + + INSTALLEDVERSION=2.4.5 } verify_upgradespace() { diff --git a/setup/so-functions b/setup/so-functions index d46c42e0e..c8da13043 100755 --- a/setup/so-functions +++ b/setup/so-functions 
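Review bot: `verify_md5_checksum` tests `-f "$dest_file"` but its parameter is `data_file`; `dest_file` is only set, non-locally, by `download_and_verify`, so any other caller gets an existence check against an empty or stale name and falls through to `md5sum` on a possibly missing file, returning 1 instead of the intended 2. Change the line to `if [[ ! -f "$data_file" || ! -f "$md5_file" ]]; then`. `HASH=$(cat "$md5_file")` also assumes the `.md5` file holds the bare digest; if it is in `md5sum` output format (digest followed by filename) the comparison always fails, so `awk '{ print $1 }'` on that line would be more tolerant — worth confirming against the published file. The soup hunk on this line wires `update_elastic_agent` into `up_to_2.4.5`, which inherits this behaviour.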
@@ -1014,25 +1014,9 @@ detect_os() { } download_elastic_agent_artifacts() { - agentArchive=/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz - agentMd5=/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5 - beatsDir=/nsm/elastic-fleet/artifacts/beats/elastic-agent - logCmd "mkdir -p $beatsDir" - if [[ ! -f "$agentArchive" ]]; then - retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz --output $agentArchive" "" "" - retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5 --output $agentMd5" "" "" - - SOURCEHASH=$(md5sum $agentArchive | awk '{ print $1 }') - HASH=$(cat $agentMd5) - - if [[ "$HASH" == "$SOURCEHASH" ]]; then - info "Elastic Agent source hash is good." - else - info "Unable to download the Elastic Agent source files." - fail_setup - fi + if ! update_elastic_agent 2>&1 | tee -a "$setup_log"; then + fail_setup fi - logCmd "tar -xf $agentArchive -C $beatsDir" } installer_progress_loop() { From 5414b0756c71a23cb61c4d639a258f3749d5a030 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 2 Aug 2023 19:25:07 -0400 Subject: [PATCH 061/100] remove unused vars --- salt/common/tools/sbin/so-common | 3 --- 1 file changed, 3 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 702c73c8c..a76aab1f1 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
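Review bot: `if ! update_elastic_agent 2>&1 | tee -a "$setup_log"; then` tests the exit status of `tee`, not of `update_elastic_agent`, so unless `set -o pipefail` is active in this script (not visible here) a failed download or checksum mismatch no longer reaches `fail_setup`, whereas the removed code failed explicitly. Either set `set -o pipefail` before the call or test `${PIPESTATUS[0]}` after the pipeline. The removed version also logged the mkdir and tar steps through `logCmd`; the new path's output only goes through tee, so confirm that is the intended logging.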
@@ -184,9 +184,6 @@ download_and_verify() { if ! verify_md5_checksum "$dest_file" "$md5_file"; then retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_url' --output '$dest_file'" "" "" retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_md5_url' --output '$md5_file'" "" "" - - SOURCEHASH=$(md5sum "$dest_file" | awk '{ print $1 }') - HASH=$(cat "$md5_file") if verify_md5_checksum "$dest_file" "$md5_file"; then echo "Source file and checksum are good." From 1bc7bbc76efe8dcead09867a34358f64ea71e2c5 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 2 Aug 2023 20:02:37 -0400 Subject: [PATCH 062/100] Refactor custom_fqdn --- salt/ssl/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 15c29791f..063172e00 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -154,7 +154,7 @@ etc_elasticfleet_crt: - signing_policy: elasticfleet - private_key: /etc/pki/elasticfleet-server.key - CN: {{ GLOBALS.url_base }} - - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn[0] != "" %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %} + - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %} - days_remaining: 0 - days_valid: 820 - backup: True 
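Review bot: The same subjectAltName expression is now written out in full twice, in `etc_elasticfleet_crt` here and in the `etc_elasticfleet_logstash_crt` hunk that follows; setting it once near the top of the file, e.g. `{% set FLEET_SAN = 'DNS:' ~ GLOBALS.hostname ~ ',IP:' ~ GLOBALS.node_ip %}` extended with the custom entries, and referencing `{{ FLEET_SAN }}` in both stanzas keeps the two certificates from drifting. The `| length > 0` test assumes `custom_fqdn` is a list; if the pillar value is ever a plain string the test passes on any non-empty string and `join` iterates over its characters, so the list shape should be guaranteed in the map or checked here.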
@@ -211,7 +211,7 @@ etc_elasticfleet_logstash_crt: - signing_policy: elasticfleet - private_key: /etc/pki/elasticfleet-logstash.key - CN: {{ GLOBALS.url_base }} - - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn[0] != "" %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %} + - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %} - days_remaining: 0 - days_valid: 820 - backup: True From 3368789b43f78c6fa3616151d94de4ee99c46a66 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 3 Aug 2023 08:49:45 -0400 Subject: [PATCH 063/100] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 59aa62c1f..7d52aac7f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.5 +2.4.0-foxtrot From 3847863b3d471e69e591e5d1c9c9d26fce569f51 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 3 Aug 2023 08:51:23 -0400 Subject: [PATCH 064/100] Add time shift --- salt/common/tools/sbin_jinja/so-import-evtx | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin_jinja/so-import-evtx b/salt/common/tools/sbin_jinja/so-import-evtx index fec7223b8..5920f58c1 100755 --- a/salt/common/tools/sbin_jinja/so-import-evtx +++ b/salt/common/tools/sbin_jinja/so-import-evtx @@ -44,6 +44,10 @@ while [[ $# -gt 0 ]]; do --quiet) quiet=1 ;; + --shift) + SHIFTDATE=$1 + shift + ;; -*) echo "Encountered unexpected parameter: $param" usage @@ -68,8 +72,10 @@ function status { function evtx2es() { EVTX=$1 HASH=$2 + SHIFTDATE=$3 docker run --rm \ + -e "SHIFTTS=$SHIFTDATE" \ -v "$EVTX:/tmp/data.evtx" \ -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \ -v "/nsm/import/evtx-end_newest:/tmp/newest" \ 
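Review bot: `--shift` stores `$1` into `SHIFTDATE` without checking that an argument is present or that it parses as a date, and the value is handed to the container verbatim via `-e "SHIFTTS=$SHIFTDATE"` in the second hunk, so an empty or malformed value is only discovered inside the container, if at all. A check next to the assignment, such as `date -d "$SHIFTDATE" >/dev/null 2>&1 || { echo "Invalid --shift date: $SHIFTDATE"; usage; exit 1; }`, surfaces the problem before any import starts. Whether `$1` is the value at this point depends on the loop having already shifted `$param` off, which the error message in the `-*` branch implies but which is outside this hunk.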
@@ -113,7 +119,9 @@ echo $END_NEWEST > /nsm/import/evtx-end_newest for EVTX in $INPUT_FILES; do EVTX=$(/usr/bin/realpath "$EVTX") status "Processing Import: ${EVTX}" - + if ! [ -z "$SHIFTDATE" ]; then + status "- timeshifting logs to end date of $SHIFTDATE" + fi # generate a unique hash to assist with dedupe checks HASH=$(md5sum "${EVTX}" | awk '{ print $1 }') HASH_DIR=/nsm/import/${HASH} @@ -136,7 +144,7 @@ for EVTX in $INPUT_FILES; do # import evtx and write them to import ingest pipeline status "- importing logs to Elasticsearch..." - evtx2es "${EVTX}" $HASH + evtx2es "${EVTX}" $HASH "$SHIFTDATE" if [[ $? -ne 0 ]]; then INVALID_EVTXS_COUNT=$((INVALID_EVTXS_COUNT + 1)) status "- WARNING: This evtx file may not have fully imported successfully" @@ -222,4 +230,4 @@ if [[ $json -eq 1 ]]; then }''' fi -exit $RESULT \ No newline at end of file +exit $RESULT From cf2233bbb6702c4e4da396ade6449373493a933b Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 3 Aug 2023 08:54:54 -0400 Subject: [PATCH 065/100] Add help information for time shift --- salt/common/tools/sbin_jinja/so-import-evtx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/common/tools/sbin_jinja/so-import-evtx b/salt/common/tools/sbin_jinja/so-import-evtx index 5920f58c1..dff2133cf 100755 --- a/salt/common/tools/sbin_jinja/so-import-evtx +++ b/salt/common/tools/sbin_jinja/so-import-evtx @@ -27,6 +27,8 @@ Imports one or more evtx files into Security Onion. The evtx files will be analy Options: --json Outputs summary in JSON format. Implies --quiet. --quiet Silences progress information to stdout. + --shift Adds a time shift. Accepts a single argument that is intended to be the date of the last record, and shifts the dates of the previous records accordingly. + Ex. sudo so-import-evtx --shift 2023-08-01T01:01:01.00000Z example.evtx EOF } From d4389d5057dbef48a4965296b38fbc15978baa85 Mon Sep 17 00:00:00 2001 
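Review bot: `if ! [ -z "$SHIFTDATE" ]; then` is the double negative of a non-empty test and reads better as `if [[ -n "$SHIFTDATE" ]]; then`, which also matches the `[[ ... ]]` form used elsewhere in this file (`[[ $? -ne 0 ]]`, `[[ $json -eq 1 ]]`). The `evtx2es "${EVTX}" $HASH "$SHIFTDATE"` call quotes the new argument but leaves `$HASH` unquoted; quoting both is harmless and consistent.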
From: m0duspwnens Date: Thu, 3 Aug 2023 11:56:48 -0400 Subject: [PATCH 066/100] ensure AIRGAP is lowercase and check for true --- salt/manager/tools/sbin/soup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 31f1d0fea..20517f58d 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -179,8 +179,8 @@ update_registry() { check_airgap() { # See if this is an airgap install - AIRGAP=$(cat /opt/so/saltstack/local/pillar/global/soc_global.sls | grep airgap: | awk '{print $2}') - if [[ "$AIRGAP" == "True" ]]; then + AIRGAP=$(cat /opt/so/saltstack/local/pillar/global/soc_global.sls | grep airgap: | awk '{print $2}' | tr '[:upper:]' '[:lower:]') + if [[ "$AIRGAP" == "true" ]]; then is_airgap=0 UPDATE_DIR=/tmp/soagupdate/SecurityOnion AGDOCKER=/tmp/soagupdate/docker From 80598d7f8d26530f4ce55ea097f6fab526c94131 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 3 Aug 2023 14:36:47 -0400 Subject: [PATCH 067/100] Update soup for airgap --- salt/manager/tools/sbin/soup | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index f47c1d5e2..0cea456f4 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -184,7 +184,7 @@ check_airgap() { is_airgap=0 UPDATE_DIR=/tmp/soagupdate/SecurityOnion AGDOCKER=/tmp/soagupdate/docker - AGREPO=/tmp/soagupdate/Packages + AGREPO=/tmp/soagupdate/minimal/Packages else is_airgap=1 fi @@ -402,9 +402,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.2 ]] && post_to_2.4.3 [[ "$POSTVERSION" == 2.4.3 ]] && post_to_2.4.4 - [[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5 - - + [[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5 true } 
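Review bot: `grep airgap:` in `check_airgap` matches any line containing that text, so a comment or a differently nested key with the same name would leave `AIRGAP` holding several lines and the `== "true"` test silently false, i.e. the non-airgap path. Anchoring the pattern and dropping the `cat`, `grep -E '^\s*airgap:' /opt/so/saltstack/local/pillar/global/soc_global.sls | awk '{print $2}' | tr '[:upper:]' '[:lower:]'`, keeps the match to the key; reading the value with `salt-call pillar.get` rather than grepping the sls file would be more robust still, though the exact pillar key path is not visible here. The lowercase normalisation added in this hunk is a good change and is what makes the `true` comparison reliable.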
@@ -479,11 +477,22 @@ up_to_2.4.4() { } up_to_2.4.5() { - update_elastic_agent + determine_elastic_agent_upgrade INSTALLEDVERSION=2.4.5 } +determine_elastic_agent_upgrade() { + if [[ $is_airgap -eq 0 ]]; then + update_elastic_agent_airgap + else + update_elastic_agent +} + +update_elastic_agent_airgap() { + rsync -av /tmp/soagupdate/fleet/* /nsm/elastic-fleet/artifacts/ +} + verify_upgradespace() { CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//') if [ "$CURRENTSPACE" -lt "10" ]; then @@ -521,6 +530,7 @@ update_centos_repo() { echo "Syncing new updates to /nsm/repo" rsync -av $AGREPO/* /nsm/repo/ echo "Creating repo" + dnf -y install yum-utils createrepo createrepo /nsm/repo } From 9172e10dbabfb7d2217f054da5c89a6a0a4ba541 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 3 Aug 2023 14:47:53 -0400 Subject: [PATCH 068/100] check if there are files in yum.repos.d before trying to move them --- setup/so-functions | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index c8da13043..567584a2f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1881,7 +1881,9 @@ securityonion_repo() { if [[ $is_oracle ]]; then logCmd "dnf -v clean all" logCmd "mkdir -vp /root/oldrepos" - logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/" + if [ -n "$(ls -A /etc/yum.repos.d/ 2>/dev/null)" ]; then + logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/" + fi if [[ $is_desktop_iso ]]; then gpg_rpm_import if [[ ! $is_airgap ]]; then From d40a8927c3c184aa716b37452726175a4d86dedf Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 3 Aug 2023 14:51:43 -0400 Subject: [PATCH 069/100] install salt version specified in master.defaults.yaml for desktop --- setup/so-functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 567584a2f..0f73a11a6 100755 --- a/setup/so-functions +++ b/setup/so-functions 
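Review bot: The airgap branch `update_elastic_agent_airgap` copies `/tmp/soagupdate/fleet/*` into `/nsm/elastic-fleet/artifacts/` with no integrity check, while the online branch goes through `download_and_verify` and its checksum comparison; running `verify_md5_checksum "$ELASTIC_AGENT_FILE" "$ELASTIC_AGENT_MD5"` from so-common after the rsync lets both paths end in the same verified state. The online path also extracts the tarball into `ELASTIC_AGENT_EXPANSION_DIR`; whether the airgap media already contains the expanded tree is not visible here, so confirm or add the same `tar -xf` step. `determine_elastic_agent_upgrade` is missing its closing `fi` in this hunk (a later patch adds it), and `update_centos_repo` now runs `dnf -y install yum-utils createrepo` on every invocation, which could be guarded with `rpm -q createrepo` so an offline run without the local repo yet in place does not fail there.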
@@ -85,12 +85,13 @@ analyze_system() { desktop_salt_local() { + SALTVERSION=$(egrep 'version: [0-9]{4}' ../salt/salt/master.defaults.yaml | sed 's/^.*version: //') # Install everything using local salt # Set the repo securityonion_repo gpg_rpm_import # Install salt - logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-$SALTVERSION httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" logCmd "salt-call state.apply desktop --local --file-root=../salt/ -l info" From 27b70cbf6891d021981d5c798332f602f8612b25 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 3 Aug 2023 15:21:20 -0400 Subject: [PATCH 070/100] Use jinja instead --- .../tools/sbin_jinja/so-elastic-fleet-urls-update | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update index 52727780d..c484fa704 100644 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update @@ -2,6 +2,7 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use # this file except in compliance with the Elastic License 2.0. {% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} . /usr/sbin/so-common 
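Review bot: `egrep` is a deprecated alias for `grep -E`, and the pattern `version: [0-9]{4}` is unanchored, so any other key ending in `version:` with a four-digit value in master.defaults.yaml would also match and `SALTVERSION` would contain several lines, breaking the `yum` command. `SALTVERSION=$(grep -E '^\s*version: [0-9]{4}' ../salt/salt/master.defaults.yaml | sed 's/^.*version: //')` is the minimal tightening; checking that the result is non-empty before the install avoids requesting a bare `salt-minion-` package. `desktop_salt_local` continues past this hunk.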
@@ -41,7 +42,8 @@ else fi # Query for FQDN entries & add them to the list -CUSTOMFQDNLIST=$( salt-call --out=json pillar.get elasticfleet:config:server:custom_fqdn | jq -r '.local | .[]') +{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %} +CUSTOMFQDNLIST=({{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }}) if [ -n "$CUSTOMFQDNLIST" ]; then readarray -t CUSTOMFQDN <<< $CUSTOMFQDNLIST for CUSTOMNAME in "${CUSTOMFQDN[@]}" @@ -49,6 +51,7 @@ if [ -n "$CUSTOMFQDNLIST" ]; then NEW_LIST+=("https://$CUSTOMNAME:8220") done fi +{% endif %} # Query for the current Grid Nodes that are running Logstash (which includes Fleet Nodes) LOGSTASHNODES=$(salt-call --out=json pillar.get logstash:nodes | jq '.local') From e78fcbc6cbc2fa4362e45e378eebfcc80a0d8fc9 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 3 Aug 2023 15:25:11 -0400 Subject: [PATCH 071/100] Refactor for Jinja instead --- .../tools/sbin_jinja/so-elastic-fleet-outputs-update | 7 +++++-- .../tools/sbin_jinja/so-elastic-fleet-urls-update | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update index 400a6224f..17c867c07 100644 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update @@ -2,6 +2,7 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use # this file except in compliance with the Elastic License 2.0. {% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} . /usr/sbin/so-common 
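Review bot: `CUSTOMFQDNLIST=(...)` now creates a bash array, but `readarray -t CUSTOMFQDN <<< $CUSTOMFQDNLIST` expands only element 0 of that array, so only the first custom FQDN reaches `NEW_LIST` and the rest are silently dropped; the `[ -n "$CUSTOMFQDNLIST" ]` test likewise only inspects the first element. Since the surrounding `{% if ... | length > 0 %}` already guarantees a non-empty list, the guard and the readarray can go and the loop can read the array directly: `for CUSTOMNAME in "${CUSTOMFQDNLIST[@]}"`. Rendering each entry inside quotes would also keep a hostname with unexpected characters from being word-split or glob-expanded by the shell. The same pattern is repeated in so-elastic-fleet-outputs-update in the next patch.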
@@ -41,14 +42,16 @@ else fi # Query for FQDN entries & add them to the list -CUSTOMFQDNLIST=$( salt-call --out=json pillar.get elasticfleet:config:server:custom_fqdn | jq -r '.local | .[]') +{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %} +CUSTOMFQDNLIST=({{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }}) if [ -n "$CUSTOMFQDNLIST" ]; then readarray -t CUSTOMFQDN <<< $CUSTOMFQDNLIST for CUSTOMNAME in "${CUSTOMFQDN[@]}" do - NEW_LIST+=("$CUSTOMNAME:5055") + NEW_LIST+=("https://$CUSTOMNAME:8220") done fi +{% endif %} # Query for the current Grid Nodes that are running Logstash LOGSTASHNODES=$(salt-call --out=json pillar.get logstash:nodes | jq '.local') diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update index c484fa704..7d29fe080 100644 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update @@ -2,7 +2,7 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use # this file except in compliance with the Elastic License 2.0. {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} +{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} . /usr/sbin/so-common From d4fbf7d6a694288aa6bb9168dd2245eee7011d17 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 3 Aug 2023 15:26:43 -0400 Subject: [PATCH 072/100] convert to gnome classic --- salt/desktop/scripts/convert-gnome-classic.sh | 0 salt/desktop/xwindows.sls | 4 ++++ 2 files changed, 4 insertions(+) create mode 100644 salt/desktop/scripts/convert-gnome-classic.sh diff --git a/salt/desktop/scripts/convert-gnome-classic.sh b/salt/desktop/scripts/convert-gnome-classic.sh new file mode 100644 index 000000000..e69de29bb 
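Review bot: The replacement line `NEW_LIST+=("https://$CUSTOMNAME:8220")` changes both the scheme and the port of the Logstash output entries, where the removed line used `$CUSTOMNAME:5055`; `https://...:8220` is the form the sibling so-elastic-fleet-urls-update uses for Fleet server URLs, so this looks carried over from that file rather than intended for Logstash outputs — confirm before merging. This hunk also inherits the array/readarray mismatch raised on the urls-update hunk: `readarray -t CUSTOMFQDN <<< $CUSTOMFQDNLIST` only sees the first element, so only one custom FQDN is ever added.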
diff --git a/salt/desktop/xwindows.sls b/salt/desktop/xwindows.sls index ea0c7df4f..ebb7ecb9f 100644 --- a/salt/desktop/xwindows.sls +++ b/salt/desktop/xwindows.sls @@ -14,6 +14,10 @@ graphical_target: - require: - desktop_packages +convert_gnome_classic: + cmd.script: + - name: salt://desktop/scripts/convert-gnome-classic.sh + {% else %} desktop_xwindows_os_fail: From 9319c3f2e1c7757abcd2fc68b6d1a2e7713a0b39 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 3 Aug 2023 15:27:24 -0400 Subject: [PATCH 073/100] Update soup for airgap --- salt/manager/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 0cea456f4..cede5c438 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -487,6 +487,7 @@ determine_elastic_agent_upgrade() { update_elastic_agent_airgap else update_elastic_agent + fi } update_elastic_agent_airgap() { From 15b8e1a753902b906e9a73f274bd8fb46760e120 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 3 Aug 2023 15:37:26 -0400 Subject: [PATCH 074/100] add convert-gnome-classic.sh --- salt/desktop/scripts/convert-gnome-classic.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/desktop/scripts/convert-gnome-classic.sh b/salt/desktop/scripts/convert-gnome-classic.sh index e69de29bb..e69a43b2d 100644 --- a/salt/desktop/scripts/convert-gnome-classic.sh +++ b/salt/desktop/scripts/convert-gnome-classic.sh @@ -0,0 +1,4 @@ +#!/bin/bash +echo "Setting default session to gnome-classic" +cp /usr/share/accountsservice/user-templates/standard /etc/accountsservice/user-templates/ +sed -i 's|Session=gnome|Session=gnome-classic|g' /etc/accountsservice/user-templates/standard From 3e4136e641c27dbd0f2a08cd870550c640d65a3f Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 3 Aug 2023 15:56:05 -0400 Subject: [PATCH 075/100] Update help text --- salt/common/tools/sbin_jinja/so-import-evtx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
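Review bot: `convert_gnome_classic` is a bare `cmd.script` with no `unless`, `onchanges` or `require`, so the script runs on every highstate and the state reports a change each time. Adding `- unless: grep -q 'Session=gnome-classic' /etc/accountsservice/user-templates/standard` (the file the script edits, per the patch later on this line that fills it in) makes it idempotent, and `- require: - desktop_packages` orders it after the packages it depends on, as `graphical_target` above already does.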
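Review bot: convert-gnome-classic.sh runs `cp` and `sed` without `set -e` or checking either result, so a missing source template leaves `sed` operating on a non-existent file while the script still exits 0, which the calling `cmd.script` state then reports as success. `set -euo pipefail` after the shebang, or `cp ... || exit 1`, makes the failure visible. The unconditional `cp` also overwrites any local edits to `/etc/accountsservice/user-templates/standard` on every run, which is another reason for the state that calls it to carry an `unless` guard.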
diff --git a/salt/common/tools/sbin_jinja/so-import-evtx b/salt/common/tools/sbin_jinja/so-import-evtx index dff2133cf..59a13612c 100755 --- a/salt/common/tools/sbin_jinja/so-import-evtx +++ b/salt/common/tools/sbin_jinja/so-import-evtx @@ -28,7 +28,7 @@ Options: --json Outputs summary in JSON format. Implies --quiet. --quiet Silences progress information to stdout. --shift Adds a time shift. Accepts a single argument that is intended to be the date of the last record, and shifts the dates of the previous records accordingly. - Ex. sudo so-import-evtx --shift 2023-08-01T01:01:01.00000Z example.evtx + Ex. sudo so-import-evtx --shift "2023-08-01 01:01:01" example.evtx EOF } From ca6276b922c86b0df31a25670b6872a6b6523b5e Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 3 Aug 2023 15:58:33 -0400 Subject: [PATCH 076/100] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 7d52aac7f..59aa62c1f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.0-foxtrot +2.4.5 From 6b5343f582d5651a1b7ad1bcb403f106796af630 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 3 Aug 2023 16:25:02 -0400 Subject: [PATCH 077/100] Update for 8.8.2 --- .../endpoints-initial/elastic-defend-endpoints.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json index 6ffb6418e..8ab4f748e 100644 --- a/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json +++ b/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json 
@@ -9,13 +9,12 @@ }, "enabled": true, "policy_id": "endpoints-initial", - "vars": {}, "inputs": [{ - "type": "endpoint", + "type": "ENDPOINT_INTEGRATION_CONFIG", "enabled": true, "streams": [], "config": { - "integration_config": { + "_config": { "value": { "type": "endpoint", "endpointConfig": { From 2caca92082ef54c71ad617b469ca699bdbcf6418 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 3 Aug 2023 17:11:43 -0400 Subject: [PATCH 078/100] Raid refactor + yara and rule proxy --- salt/common/tools/sbin_jinja/so-raid-status | 116 ++++++++---------- salt/idstools/tools/sbin_jinja/so-rule-update | 16 ++- .../manager/tools/sbin_jinja/so-yara-download | 3 +- 3 files changed, 62 insertions(+), 73 deletions(-) diff --git a/salt/common/tools/sbin_jinja/so-raid-status b/salt/common/tools/sbin_jinja/so-raid-status index c5ac5fac6..0249f4ccd 100755 --- a/salt/common/tools/sbin_jinja/so-raid-status +++ b/salt/common/tools/sbin_jinja/so-raid-status @@ -1,7 +1,7 @@ #!/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. 
@@ -9,25 +9,26 @@ . /usr/sbin/so-common -appliance_check() { - {%- if salt['grains.get']('sosmodel', '') %} - APPLIANCE=1 - {%- if grains['sosmodel'] in ['SO2AMI01', 'SO2GCI01', 'SO2AZI01'] %} - exit 0 - {%- endif %} - DUDEYOUGOTADELL=$(dmidecode |grep Dell) - if [[ -n $DUDEYOUGOTADELL ]]; then - APPTYPE=dell - else - APPTYPE=sm - fi - mkdir -p /opt/so/log/raid - - {%- else %} - echo "This is not an appliance" - exit 0 - {%- endif %} -} +{%- if salt['grains.get']('sosmodel', '') %} +{%- set model = salt['grains.get']('sosmodel') %} +model={{ model }} +# Don't need cloud images to use this +if [[ $model =~ ^(SO2AMI01|SO2AZI01|SO2GCI01)$ ]]; then + exit 0 +fi +{%- else %} +echo "This is not an appliance" +exit 0 +{%- endif %} +if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200|SOSSNNV|SOSMN)$ ]]; then + is_bossraid=true +fi +if [[ $model =~ ^(SOSSNNV|SOSMN)$ ]]; then + is_swraid=true +fi +if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200)$ ]]; then + is_hwraid=true +fi check_nsm_raid() { PERCCLI=$(/opt/raidtools/perccli/perccli64 /c0/v0 show|grep RAID|grep Optl) 
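Review bot: The removed `appliance_check` created `/opt/so/log/raid` with `mkdir -p`, and the refactor drops that line while the script still ends with `echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log` in the next hunk; on an appliance where the directory does not yet exist the write fails and no status is recorded. Re-add `mkdir -p /opt/so/log/raid` before the final echo. `model={{ model }}` should be quoted, `model="{{ model }}"`, since the grain value is interpolated unquoted into the shell, and `is_bossraid`/`is_swraid`/`is_hwraid` are left unset on non-matching models, which the later `[[ $is_hwraid ]]` tests rely on — a one-line comment stating that unset means "not applicable" would make the convention obvious.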
@@ -49,61 +50,44 @@ check_nsm_raid() { check_boss_raid() { MVCLI=$(/usr/local/bin/mvcli info -o vd |grep status |grep functional) - if [[ -n $DUDEYOUGOTADELL ]]; then - if [[ -n $MVCLI ]]; then - BOSSRAID=0 - else - BOSSRAID=1 - fi + if [[ -n $MVCLI ]]; then + BOSSRAID=0 + else + BOSSRAID=1 fi } check_software_raid() { - if [[ -n $DUDEYOUGOTADELL ]]; then - SWRC=$(grep "_" /proc/mdstat) - - if [[ -n $SWRC ]]; then - # RAID is failed in some way - SWRAID=1 - else - SWRAID=0 - fi + SWRC=$(grep "_" /proc/mdstat) + if [[ -n $SWRC ]]; then + # RAID is failed in some way + SWRAID=1 + else + SWRAID=0 fi } -# This script checks raid status if you use SO appliances +# Set everything to 0 +SWRAID=0 +BOSSRAID=0 +HWRAID=0 -# See if this is an appliance - -appliance_check -check_nsm_raid -check_boss_raid -{%- if salt['grains.get']('sosmodel', '') %} -{%- if grains['sosmodel'] in ['SOSMN', 'SOSSNNV'] %} -check_software_raid -{%- endif %} -{%- endif %} - -if [[ -n $SWRAID ]]; then - if [[ $SWRAID == '0' && $BOSSRAID == '0' ]]; then - RAIDSTATUS=0 - else - RAIDSTATUS=1 - fi -elif [[ -n $DUDEYOUGOTADELL ]]; then - if [[ $BOSSRAID == '0' && $HWRAID == '0' ]]; then - RAIDSTATUS=0 - else - RAIDSTATUS=1 - fi -elif [[ "$APPTYPE" == 'sm' ]]; then - if [[ -n "$HWRAID" ]]; then - RAIDSTATUS=0 - else - RAIDSTATUS=1 - fi +if [[ $is_hwraid ]]; then + check_nsm_raid +fi +if [[ $is_bossraid ]]; then + check_boss_raid +fi +if [[ $is_swraid ]]; then + check_software_raid fi -echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log +sum=$(($SWRAID + $BOSSRAID + $HWRAID)) +if [[ $sum == "0" ]]; then + RAIDSTATUS=0 +else + RAIDSTATUS=1 +fi +echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log \ No newline at end of file diff --git a/salt/idstools/tools/sbin_jinja/so-rule-update b/salt/idstools/tools/sbin_jinja/so-rule-update index 3e4b382e6..504831f9f 100755 --- a/salt/idstools/tools/sbin_jinja/so-rule-update +++ b/salt/idstools/tools/sbin_jinja/so-rule-update 
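Review bot: The refactor removes the `DUDEYOUGOTADELL`/`APPTYPE` branch, so `check_boss_raid` and `check_software_raid` now run on every model in the `is_bossraid`/`is_swraid` regexes regardless of vendor, and `check_nsm_raid` invokes the PERC tool for every hardware-RAID model; if any of those models is not a Dell chassis (the old code treated everything else as `sm`) the tool is absent, its output empty, and the flags stay at the `0` they were initialised to — a silent "healthy". Guarding each check on the tool's presence, e.g. `[[ -x /opt/raidtools/perccli/perccli64 ]] || HWRAID=1` before calling `check_nsm_raid`, turns a missing tool into a reported failure rather than a pass. `check_nsm_raid`'s body is outside this hunk, and the file now lacks a trailing newline.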
@@ -3,17 +3,21 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
 {%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
-{%- set proxy = salt['pillar.get']('manager:proxy') %}
+
+{%- set proxy = salt['pillar.get']('manager:proxy') %}
+{%- set noproxy = salt['pillar.get']('manager:no_proxy', '') %}
+
+# Download the rules from the internet
+{%- if proxy %}
+export http_proxy={{ proxy }}
+export https_proxy={{ proxy }}
+export no_proxy="{{ noproxy }}"
+{%- endif %}
 mkdir -p /nsm/rules/suricata
 chown -R socore:socore /nsm/rules/suricata
 # Download the rules from the internet
 {%- if GLOBALS.airgap != 'True' %}
-{%- if proxy %}
-export http_proxy={{ proxy }}
-export https_proxy={{ proxy }}
-export no_proxy=salt['pillar.get']('manager:no_proxy')
-{%- endif %}
 {%- if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %}
 docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force
 {%- elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %}
diff --git a/salt/manager/tools/sbin_jinja/so-yara-download b/salt/manager/tools/sbin_jinja/so-yara-download
index e9b991b6c..aa9576253 100644
--- a/salt/manager/tools/sbin_jinja/so-yara-download
+++ b/salt/manager/tools/sbin_jinja/so-yara-download
@@ -3,12 +3,13 @@
 NOROOT=1
 . /usr/sbin/so-common
 {%- set proxy = salt['pillar.get']('manager:proxy') %}
+{%- set noproxy = salt['pillar.get']('manager:no_proxy', '') %}
 # Download the rules from the internet
 {%- if proxy %}
 export http_proxy={{ proxy }}
 export https_proxy={{ proxy }}
-export no_proxy=salt['pillar.get']('manager:no_proxy')
+export no_proxy="{{ noproxy }}"
 {%- endif %}
 repos="/opt/so/conf/strelka/repos.txt"
From 2472d6a7279e025e6714925dac83bb7c9f9eca42 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 3 Aug 2023 18:52:29 -0400
Subject: [PATCH 079/100] Don't watch certs on search nodes
---
 salt/logstash/enabled.sls | 2 ++
 1 file changed, 2 insertions(+)
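Review bot: `export http_proxy={{ proxy }}` and `export https_proxy={{ proxy }}` still render the pillar value into the shell unquoted, while the `no_proxy` line right below them is now quoted; a proxy URL carrying credentials with `&`, `;` or whitespace would be word-split or interpreted instead of exported. Quote all three the same way: `export http_proxy="{{ proxy }}"` and `export https_proxy="{{ proxy }}"`. The relocated block now also sits under its own `# Download the rules from the internet` comment with a second identical comment a few lines later, so the first one should say what it actually covers, e.g. `# Proxy settings, applied before any download below`. The same unquoted exports remain in the so-yara-download hunk that follows.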
diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index a33080f8d..731ad4ca3 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls @@ -91,8 +91,10 @@ so-logstash: {% endfor %} {% endif %} - watch: + {% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-import', 'so-fleet', 'so-receiver'] %} - x509: etc_elasticfleet_logstash_key - x509: etc_elasticfleet_logstash_crt + {% endif %} - file: lsetcsync {% for assigned_pipeline in LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %} - file: ls_pipeline_{{assigned_pipeline}} From 593cdbd06001f3492423c1c590b4e5ac3d5ae92d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 4 Aug 2023 08:50:06 -0400 Subject: [PATCH 080/100] add rules for idh to connect to managers, change idh from sensor to idh in so-firewall-minion --- salt/firewall/defaults.yaml | 33 ++++++++++++++++++++++ salt/manager/tools/sbin/so-firewall-minion | 4 +-- 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 3095c052e..48074b0be 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -383,6 +383,17 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + idh: + portgroups: + - docker_registry + - influxdb + - sensoroni + - yum + - beats_5044 + - beats_5644 + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update sensor: portgroups: - beats_5044 @@ -548,6 +559,17 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + idh: + portgroups: + - docker_registry + - influxdb + - sensoroni + - yum + - beats_5044 + - beats_5644 + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update sensor: portgroups: - beats_5044 
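Review bot: The new `idh` hostgroup is granted the same manager-side ports as `sensor` (`docker_registry`, `influxdb`, `sensoroni`, `yum`, both beats ports and the three elastic_agent ports), and the identical eleven-line block is pasted into each manager-role section of this file. If an IDH node is deliberately attacker-facing, this list is the reach a compromised honeypot host has into the manager, so each entry deserves a one-line justification (presumably image pulls, telegraf metrics, agent enrollment and log shipping) and a check that nothing the IDH services do not actually use is included. A `# keep identical to the idh blocks in the other role sections` comment, or a shared anchor as soc_firewall.yaml already uses for its port groups, would keep the copies from drifting.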
@@ -723,6 +745,17 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + idh: + portgroups: + - docker_registry + - influxdb + - sensoroni + - yum + - beats_5044 + - beats_5644 + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update sensor: portgroups: - docker_registry diff --git a/salt/manager/tools/sbin/so-firewall-minion b/salt/manager/tools/sbin/so-firewall-minion index 4834f0e41..7b0ddab90 100755 --- a/salt/manager/tools/sbin/so-firewall-minion +++ b/salt/manager/tools/sbin/so-firewall-minion @@ -74,9 +74,9 @@ fi so-firewall includehost heavynode "$IP" --apply ;; 'IDH') - so-firewall includehost sensor "$IP" --apply + so-firewall includehost idh "$IP" --apply ;; 'RECEIVER') so-firewall includehost receiver "$IP" --apply ;; - esac \ No newline at end of file + esac From 682289ef23736b687cd271a503c58200143c4c9f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 4 Aug 2023 09:01:09 -0400 Subject: [PATCH 081/100] add sensoroni ports where missing --- salt/firewall/defaults.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 48074b0be..125bf0f08 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -370,6 +370,7 @@ firewall: - elastic_agent_data - elastic_agent_update - localrules + - sensoroni fleet: portgroups: - elasticsearch_rest @@ -404,6 +405,7 @@ firewall: - yum - docker_registry - influxdb + - sensoroni searchnode: portgroups: - redis @@ -416,6 +418,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni heavynode: portgroups: - redis @@ -428,6 +431,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni receiver: portgroups: - yum @@ -436,6 +440,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni beats_endpoint: portgroups: - beats_5044 
@@ -546,6 +551,7 @@ firewall: - elastic_agent_data - elastic_agent_update - localrules + - sensoroni fleet: portgroups: - elasticsearch_rest @@ -580,6 +586,7 @@ firewall: - yum - docker_registry - influxdb + - sensoroni searchnode: portgroups: - redis @@ -591,6 +598,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni heavynode: portgroups: - redis @@ -602,6 +610,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni receiver: portgroups: - yum @@ -610,6 +619,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni beats_endpoint: portgroups: - beats_5044 @@ -793,6 +803,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni beats_endpoint: portgroups: - beats_5044 From dd1fa51eb5bb2dc916401af541cc961c531497f2 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 4 Aug 2023 09:03:17 -0400 Subject: [PATCH 082/100] Generate community_id for defend endpoint logs --- salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 index 0c317ae48..45583a464 100644 --- a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 +++ b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 
@@ -78,6 +78,7 @@ { "set": { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } }, { "set": { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } }, { "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } }, + {"community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } }, { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } ], "on_failure": [ From 78950ebfbb39d21ec3917b9bb3819c420b0935cc Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 4 Aug 2023 09:16:58 -0400 Subject: [PATCH 083/100] Update so-whiptail --- setup/so-whiptail | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 4e9ccea60..c55e2db8f 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1012,9 +1012,9 @@ whiptail_manager_unreachable() { local msg read -r -d '' msg <<- EOM - Setup is unable to access the manager at this time. + Setup is unable to access the manager. This most likely means that you need to allow this machine to connect through the manager's firewall. - Run the following on the manager: + You can either go to SOC --> Administration --> Configuration and choose the correct firewall option from the list OR you can run the following command on the manager: sudo so-firewall-minion --role=$install_type --ip=$MAINIP From a51acfc314004e9c2f066fe387a85f34a92ab7da Mon Sep 17 00:00:00 2001 
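Review bot: The new `community_id` processor runs with all processor defaults, including seed 0, so its values only line up with the Zeek and Suricata `community_id` fields if those are also produced with seed 0; that assumption is worth recording in the processor itself with `"description": "seed 0 to match Zeek/Suricata community_id"`, since JSON has no comments, and confirming against one sample flow. `ignore_failure: true` also hides every failure rather than only the expected case of endpoint network events without a transport or port (ICMP and the like); if that is the intent, say so in the same description so the next reader does not remove it.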
From: m0duspwnens Date: Fri, 4 Aug 2023 09:17:22 -0400 Subject: [PATCH 084/100] rename analyst to workstation for fw rules. allow workstation to connect to salt_manager port on managers --- salt/firewall/defaults.yaml | 31 ++++++++++++++-------- salt/firewall/soc_firewall.yaml | 2 +- salt/manager/tools/sbin/so-firewall-minion | 3 +++ 3 files changed, 24 insertions(+), 12 deletions(-) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 125bf0f08..0d32d57ca 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -1,6 +1,5 @@ firewall: hostgroups: - analyst: [] anywhere: - 0.0.0.0/0 beats_endpoint: [] @@ -26,6 +25,7 @@ firewall: standalone: [] strelka_frontend: [] syslog: [] + workstation: [] customhostgroup0: [] customhostgroup1: [] customhostgroup2: [] @@ -215,9 +215,9 @@ firewall: strelka_frontend: portgroups: - strelka_frontend - analyst: + workstation: portgroups: - - nginx + - yum customhostgroup0: portgroups: [] customhostgroup1: @@ -458,9 +458,9 @@ firewall: endgame: portgroups: - endgame - analyst: + workstation: portgroups: - - nginx + - yum customhostgroup0: portgroups: [] customhostgroup1: @@ -507,6 +507,9 @@ firewall: receiver: portgroups: - salt_manager + workstation: + portgroups: + - salt_manager self: portgroups: - syslog @@ -637,9 +640,9 @@ firewall: endgame: portgroups: - endgame - analyst: + workstation: portgroups: - - nginx + - yum customhostgroup0: portgroups: [] customhostgroup1: @@ -686,6 +689,9 @@ firewall: receiver: portgroups: - salt_manager + workstation: + portgroups: + - salt_manager self: portgroups: - syslog @@ -824,9 +830,9 @@ firewall: strelka_frontend: portgroups: - strelka_frontend - analyst: + workstation: portgroups: - - nginx + - yum customhostgroup0: portgroups: [] customhostgroup1: @@ -876,6 +882,9 @@ firewall: receiver: portgroups: - salt_manager + workstation: + portgroups: + - salt_manager self: portgroups: - syslog 
@@ -1169,9 +1178,9 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update - analyst: + workstation: portgroups: - - nginx + - yum customhostgroup0: portgroups: [] customhostgroup1: diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 0011a245e..78c0ebc73 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -1,6 +1,6 @@ firewall: hostgroups: - analyst: &hostgroupsettings + workstation: &hostgroupsettings description: List of IP or CIDR blocks to allow access to this hostgroup. forcedType: "[]string" helplink: firewall.html diff --git a/salt/manager/tools/sbin/so-firewall-minion b/salt/manager/tools/sbin/so-firewall-minion index 7b0ddab90..d3bbb3eeb 100755 --- a/salt/manager/tools/sbin/so-firewall-minion +++ b/salt/manager/tools/sbin/so-firewall-minion @@ -79,4 +79,7 @@ fi 'RECEIVER') so-firewall includehost receiver "$IP" --apply ;; + 'WORKSTATION') + so-firewall includehost workstation "$IP" --apply + ;; esac From 726ec7235000959622e9af7df4f5a80dc6aa1fb3 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 4 Aug 2023 09:22:59 -0400 Subject: [PATCH 085/100] allow idh to connect to salt_manager ports on managres --- salt/firewall/defaults.yaml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 0d32d57ca..ff776d309 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -492,6 +492,9 @@ firewall: fleet: portgroups: - salt_manager + idh: + portgroups: + - salt_manager localhost: portgroups: - all @@ -674,6 +677,9 @@ firewall: fleet: portgroups: - salt_manager + idh: + portgroups: + - salt_manager localhost: portgroups: - all @@ -863,7 +869,10 @@ firewall: - all fleet: portgroups: - - salt_manager + - salt_manager + idh: + portgroups: + - salt_manager localhost: portgroups: - all From 0f52530d0760cf67cbda82ee81d18b220fe3cc17 Mon Sep 17 00:00:00 2001 
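Review bot: The `case` that the new `'WORKSTATION')` arm joins has no default arm visible between it and `esac` (one placed earlier would shadow the arms after it), so a misspelled or not-yet-supported `--role` value is silently ignored and the script exits 0 without adding any rule; the setup dialog that tells users to run this command then gets no signal that nothing happened. Add a fallback such as `*) echo "unknown role: $ROLE" >&2; exit 1 ;;`, using whatever variable the case expression actually switches on — the start of the `case` statement is outside this hunk.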
From: m0duspwnens Date: Fri, 4 Aug 2023 09:37:58 -0400 Subject: [PATCH 086/100] soc_firewall.yaml update adding idh and rename analyst to workstation --- salt/firewall/soc_firewall.yaml | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 78c0ebc73..27c52e123 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -213,7 +213,7 @@ firewall: portgroups: *portgroupsdocker syslog: portgroups: *portgroupsdocker - analyst: + workstation: portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker @@ -338,7 +338,9 @@ firewall: DOCKER-USER: hostgroups: manager: - portgroups: *portgroupsdocker + portgroups: *portgroupsdocker + idh: + portgroups: *portgroupsdocker sensor: portgroups: *portgroupsdocker searchnode: @@ -359,7 +361,7 @@ firewall: portgroups: *portgroupsdocker endgame: portgroups: *portgroupsdocker - analyst: + workstation: portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker @@ -389,12 +391,16 @@ firewall: portgroups: *portgroupshost localhost: portgroups: *portgroupshost + idh: + portgroups: *portgroupshost sensor: portgroups: *portgroupshost searchnode: portgroups: *portgroupshost heavynode: portgroups: *portgroupshost + workstation: + portgroups: *portgroupshost customhostgroup0: portgroups: *portgroupshost customhostgroup1: @@ -422,6 +428,8 @@ firewall: hostgroups: managersearch: portgroups: *portgroupsdocker + idh: + portgroups: *portgroupsdocker sensor: portgroups: *portgroupsdocker searchnode: @@ -442,7 +450,7 @@ firewall: portgroups: *portgroupsdocker syslog: portgroups: *portgroupsdocker - analyst: + workstation: portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker 
@@ -472,12 +480,16 @@ firewall: portgroups: *portgroupshost localhost: portgroups: *portgroupshost + idh: + portgroups: *portgroupshost sensor: portgroups: *portgroupshost searchnode: portgroups: *portgroupshost heavynode: portgroups: *portgroupshost + workstation: + portgroups: *portgroupshost customhostgroup0: portgroups: *portgroupshost customhostgroup1: @@ -509,6 +521,8 @@ firewall: portgroups: *portgroupsdocker fleet: portgroups: *portgroupsdocker + idh: + portgroups: *portgroupsdocker sensor: portgroups: *portgroupsdocker searchnode: @@ -531,7 +545,7 @@ firewall: portgroups: *portgroupsdocker syslog: portgroups: *portgroupsdocker - analyst: + workstation: portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker @@ -565,12 +579,16 @@ firewall: portgroups: *portgroupshost standalone: portgroups: *portgroupshost + idh: + portgroups: *portgroupshost sensor: portgroups: *portgroupshost searchnode: portgroups: *portgroupshost heavynode: portgroups: *portgroupshost + workstation: + portgroups: *portgroupshost customhostgroup0: portgroups: *portgroupshost customhostgroup1: @@ -793,7 +811,7 @@ firewall: portgroups: *portgroupsdocker elastic_agent_endpoint: portgroups: *portgroupsdocker - analyst: + workstation: portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker From 014aeffb2af91889bc182a8dd4cbf215ceef820f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 4 Aug 2023 09:56:33 -0400 Subject: [PATCH 087/100] add analyst back --- salt/firewall/defaults.yaml | 17 +++++++++++++++-- salt/firewall/soc_firewall.yaml | 13 ++++++++++++- 2 files changed, 27 insertions(+), 3 deletions(-) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index ff776d309..9b8325a34 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -1,5 +1,6 @@ firewall: hostgroups: + analyst: [] anywhere: - 0.0.0.0/0 beats_endpoint: [] 
@@ -215,9 +216,9 @@ firewall: strelka_frontend: portgroups: - strelka_frontend - workstation: + analyst: portgroups: - - yum + - nginx customhostgroup0: portgroups: [] customhostgroup1: @@ -441,6 +442,9 @@ firewall: - elastic_agent_data - elastic_agent_update - sensoroni + analyst: + portgroups: + - nginx beats_endpoint: portgroups: - beats_5044 @@ -626,6 +630,9 @@ firewall: - elastic_agent_data - elastic_agent_update - sensoroni + analyst: + portgroups: + - nginx beats_endpoint: portgroups: - beats_5044 @@ -816,6 +823,9 @@ firewall: - elastic_agent_data - elastic_agent_update - sensoroni + analyst: + portgroups: + - nginx beats_endpoint: portgroups: - beats_5044 @@ -1187,6 +1197,9 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + analyst: + portgroups: + - nginx workstation: portgroups: - yum diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 27c52e123..8f8dbb69d 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -1,6 +1,6 @@ firewall: hostgroups: - workstation: &hostgroupsettings + analyst: &hostgroupsettings description: List of IP or CIDR blocks to allow access to this hostgroup. forcedType: "[]string" helplink: firewall.html @@ -45,6 +45,7 @@ firewall: standalone: *hostgroupsettings strelka_frontend: *hostgroupsettings syslog: *hostgroupsettings + workstation: *hostgroupsettings customhostgroup0: &customhostgroupsettings description: List of IP or CIDR blocks to allow to this hostgroup. forcedType: "[]string" @@ -213,6 +214,8 @@ firewall: portgroups: *portgroupsdocker syslog: portgroups: *portgroupsdocker + analyst: + portgroups: *portgroupsdocker workstation: portgroups: *portgroupsdocker customhostgroup0: @@ -361,6 +364,8 @@ firewall: portgroups: *portgroupsdocker endgame: portgroups: *portgroupsdocker + analyst: + portgroups: *portgroupsdocker workstation: portgroups: *portgroupsdocker customhostgroup0: 
@@ -450,6 +455,8 @@ firewall: portgroups: *portgroupsdocker syslog: portgroups: *portgroupsdocker + analyst: + portgroups: *portgroupsdocker workstation: portgroups: *portgroupsdocker customhostgroup0: @@ -545,6 +552,8 @@ firewall: portgroups: *portgroupsdocker syslog: portgroups: *portgroupsdocker + analyst: + portgroups: *portgroupsdocker workstation: portgroups: *portgroupsdocker customhostgroup0: @@ -811,6 +820,8 @@ firewall: portgroups: *portgroupsdocker elastic_agent_endpoint: portgroups: *portgroupsdocker + analyst: + portgroups: *portgroupsdocker workstation: portgroups: *portgroupsdocker customhostgroup0: From 209da766ba1c8af4822fabb4f1848f275a792595 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 4 Aug 2023 12:16:14 -0400 Subject: [PATCH 088/100] Update soup to rotate log file --- salt/manager/tools/sbin/soup | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index cede5c438..e32936c90 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -972,6 +972,11 @@ while getopts ":b:f:y" opt; do done shift $((OPTIND - 1)) +if [ -f $SOUP_LOG ]; then + CURRENT_TIME=$(date +%Y%m%d.%H%M%S) + mv $SOUP_LOG $SOUP_LOG.$INSTALLEDVERSION.CURRENT_TIME +fi + if [[ -z $UNATTENDED ]]; then cat << EOF From 63373710b4e107311e50e1e93b4a02fb57fca004 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 4 Aug 2023 12:26:36 -0400 Subject: [PATCH 089/100] Update soup to rotate log file --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index e32936c90..d31ee997b 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -974,7 +974,7 @@ shift $((OPTIND - 1)) if [ -f $SOUP_LOG ]; then CURRENT_TIME=$(date +%Y%m%d.%H%M%S) - mv $SOUP_LOG $SOUP_LOG.$INSTALLEDVERSION.CURRENT_TIME + mv $SOUP_LOG $SOUP_LOG.$INSTALLEDVERSION.$CURRENT_TIME fi if [[ -z $UNATTENDED ]]; then 
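Review bot: The new rotation block builds the archive name from `$INSTALLEDVERSION`, but its assignment is not visible here; if that variable is only populated later in soup, every rotated log is named `soup.log..<timestamp>`. `$SOUP_LOG` and the destination are also unquoted. Suggest `mv "$SOUP_LOG" "$SOUP_LOG.${INSTALLEDVERSION:-unknown}.$CURRENT_TIME"` and a comment above the `if`, e.g. `# Keep the previous run's log instead of appending to it`, so the intent of the move is clear.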
From 36747cf940566bb6aaccf50a7e5b3dad094f4197 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 4 Aug 2023 13:52:01 -0400 Subject: [PATCH 090/100] add networkminer to desktop.packages --- salt/desktop/packages.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/desktop/packages.sls b/salt/desktop/packages.sls index 3b0d4c8ba..5c0121e7b 100644 --- a/salt/desktop/packages.sls +++ b/salt/desktop/packages.sls @@ -349,6 +349,7 @@ desktop_packages: - snappy - sound-theme-freedesktop - soundtouch + - securityonion-networkminer - speech-dispatcher - speech-dispatcher-espeak-ng - speex From 0ba1e7521a551fa5f3d5b85dba7651e54325619b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 4 Aug 2023 15:36:44 -0400 Subject: [PATCH 091/100] set default session for preexisting users --- salt/desktop/files/session.jinja | 7 +++++++ salt/desktop/xwindows.sls | 17 +++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 salt/desktop/files/session.jinja diff --git a/salt/desktop/files/session.jinja b/salt/desktop/files/session.jinja new file mode 100644 index 000000000..823e62f2d --- /dev/null +++ b/salt/desktop/files/session.jinja @@ -0,0 +1,7 @@ +# This file is managed by Salt in the desktop.xwindows state +# It will not be overwritten if it already exists + +[User] +Session=gnome-classic +Icon=/home/{{USERNAME}}/.face +SystemAccount=false diff --git a/salt/desktop/xwindows.sls b/salt/desktop/xwindows.sls index ebb7ecb9f..792724eb4 100644 --- a/salt/desktop/xwindows.sls +++ b/salt/desktop/xwindows.sls 
@@ -18,6 +18,23 @@ convert_gnome_classic: cmd.script: - name: salt://desktop/scripts/convert-gnome-classic.sh +{% for username in salt['file.find'](path='/home/',mindepth=1,maxdepth=1,type='d') %} +{% set username = username.split('/')[2] %} +{% if username != 'zeek' %} +{% if not salt['file.file_exists']('/var/lib/AccountsService/users/' ~ username) %} + +{{username}}_session: + file.managed: + - name: /var/lib/AccountsService/users/{{username}} + - source: salt://desktop/files/session.jinja + - template: jinja + - defaults: + USERNAME: {{username}} + +{% endif %} +{% endif %} +{% endfor %} + {% else %} desktop_xwindows_os_fail: From 89c4f58296aa3ed2081b9a73c56bf88adf75b030 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 4 Aug 2023 15:41:10 -0400 Subject: [PATCH 092/100] fix indents --- salt/desktop/xwindows.sls | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/desktop/xwindows.sls b/salt/desktop/xwindows.sls index 792724eb4..c7790f9f4 100644 --- a/salt/desktop/xwindows.sls +++ b/salt/desktop/xwindows.sls @@ -18,10 +18,10 @@ convert_gnome_classic: cmd.script: - name: salt://desktop/scripts/convert-gnome-classic.sh -{% for username in salt['file.find'](path='/home/',mindepth=1,maxdepth=1,type='d') %} -{% set username = username.split('/')[2] %} -{% if username != 'zeek' %} -{% if not salt['file.file_exists']('/var/lib/AccountsService/users/' ~ username) %} +{% for username in salt['file.find'](path='/home/',mindepth=1,maxdepth=1,type='d') %} +{% set username = username.split('/')[2] %} +{% if username != 'zeek' %} +{% if not salt['file.file_exists']('/var/lib/AccountsService/users/' ~ username) %} {{username}}_session: file.managed: @@ -31,9 +31,9 @@ convert_gnome_classic: - defaults: USERNAME: {{username}} +{% endif %} {% endif %} -{% endif %} -{% endfor %} +{% endfor %} {% else %} From 9d3744aa2567f6774cc5dd8d0328948dcfc03646 Mon Sep 17 00:00:00 2001 
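Review bot: The loop treats every directory under `/home` as a user without checking that a matching account exists, so a stale or non-user directory also receives a `/var/lib/AccountsService/users/<name>` entry, and a name YAML would parse as a non-string (`true`, `123`) is passed unquoted through `USERNAME: {{username}}`, rendering `Icon=/home/True/.face`. Guard with `{% if username != 'zeek' and salt['user.info'](username) %}` and quote the default as `USERNAME: "{{ username }}"`. The `file.managed` also states no `user`/`group`/`mode`; AccountsService files are presumably meant to be root-owned and world-readable, and an explicit `- mode: 644` would document that rather than relying on the minion's umask.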
From: Josh Brower
Date: Fri, 4 Aug 2023 16:05:28 -0400
Subject: [PATCH 093/100] Refactor to remove new line
---
 .../sbin_jinja/so-elastic-fleet-outputs-update | 14 ++++++--------
 .../tools/sbin_jinja/so-elastic-fleet-urls-update | 14 ++++++--------
 2 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
index 17c867c07..b88b564ed 100644
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
@@ -43,14 +43,12 @@ fi
 # Query for FQDN entries & add them to the list
 {% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %}
-CUSTOMFQDNLIST=({{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }})
-if [ -n "$CUSTOMFQDNLIST" ]; then
- readarray -t CUSTOMFQDN <<< $CUSTOMFQDNLIST
- for CUSTOMNAME in "${CUSTOMFQDN[@]}"
- do
- NEW_LIST+=("https://$CUSTOMNAME:8220")
- done
-fi
+CUSTOMFQDNLIST=('{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }}')
+readarray -t -d ' ' CUSTOMFQDN < <(printf '%s' "$CUSTOMFQDNLIST")
+for CUSTOMNAME in "${CUSTOMFQDN[@]}"
+do
+ NEW_LIST+=("$CUSTOMNAME:5055")
+done
 {% endif %}
 # Query for the current Grid Nodes that are running Logstash
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update
index 7d29fe080..31c7becca 100644
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update
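Review bot: Beyond the readarray refactor the commit message describes, the loop body changes what is appended from `https://$CUSTOMNAME:8220` to `$CUSTOMNAME:5055` — a different port and no scheme — and nothing in the hunk or the message explains it. If that is intentional because this list feeds Logstash output hosts rather than Fleet Server URLs, record it above the loop, e.g. `# Logstash output hosts are host:port with no scheme, unlike the Fleet URLs in so-elastic-fleet-urls-update`; if it is accidental, it will silently point custom-FQDN outputs at the wrong service. The enclosing script continues outside the hunk.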
@@ -43,14 +43,12 @@ fi
 # Query for FQDN entries & add them to the list
 {% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %}
-CUSTOMFQDNLIST=({{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }})
-if [ -n "$CUSTOMFQDNLIST" ]; then
- readarray -t CUSTOMFQDN <<< $CUSTOMFQDNLIST
- for CUSTOMNAME in "${CUSTOMFQDN[@]}"
- do
- NEW_LIST+=("https://$CUSTOMNAME:8220")
- done
-fi
+CUSTOMFQDNLIST=('{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }}')
+readarray -t -d ' ' CUSTOMFQDN < <(printf '%s' "$CUSTOMFQDNLIST")
+for CUSTOMNAME in "${CUSTOMFQDN[@]}"
+do
+ NEW_LIST+=("https://$CUSTOMNAME:8220")
+done
 {% endif %}
 # Query for the current Grid Nodes that are running Logstash (which includes Fleet Nodes)
From 9af2a731ca7152d98db820a52cb147b02c942fd4 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 4 Aug 2023 16:29:30 -0400
Subject: [PATCH 094/100] fix count of WORKERS for zeekcaptureloss script for telegraf
---
 salt/telegraf/scripts/zeekcaptureloss.sh | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/salt/telegraf/scripts/zeekcaptureloss.sh b/salt/telegraf/scripts/zeekcaptureloss.sh
index e0c8758f2..e254ada32 100644
--- a/salt/telegraf/scripts/zeekcaptureloss.sh
+++ b/salt/telegraf/scripts/zeekcaptureloss.sh
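Review bot: `CUSTOMFQDNLIST=('{{ ... | join(' ') }}')` interpolates the configured FQDNs inside a single-quoted literal; a value containing a single quote ends the literal and whatever follows, including `$(...)`, is parsed and run as the user executing this script, and the same value later reaches `NEW_LIST` unvalidated. If the SOC configuration already restricts `custom_fqdn` to hostname characters, a comment here saying so is enough; otherwise validate each element before use, e.g. `[[ $CUSTOMNAME =~ ^[A-Za-z0-9.-]+$ ]] || continue` at the top of the loop. Note also that `readarray -d ' '` only splits on single spaces, which is fine for `join(' ')` output but will produce empty elements if the source list ever contains blank entries.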
@@ -11,10 +11,15 @@ # This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp # if this script isn't already running +{%- from 'zeek/config.map.jinja' import ZEEKMERGED %} if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then if [ -d "/host/nsm/zeek/spool/logger" ]; then - WORKERS={{ salt['pillar.get']('sensor:zeek_lbprocs', salt['pillar.get']('sensor:zeek_pins') | length) }} +{%- if ZEEKMERGED.config.node.pins %} + WORKERS={{ ZEEKMERGED.config.node.pins | length }} +{%- else %} + WORKERS={{ ZEEKMERGED.config.node.lb_procs }} +{%- endif %} ZEEKLOG=/host/nsm/zeek/spool/logger/capture_loss.log elif [ -d "/host/nsm/zeek/spool/zeeksa" ]; then WORKERS=1 From ec81cbd70d8aa33986c5609d5dc92895784434f1 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sat, 5 Aug 2023 09:11:58 -0400 Subject: [PATCH 095/100] Revert yesterday's change to zeekcaptureloss.sh --- salt/telegraf/scripts/zeekcaptureloss.sh | 6 ------ 1 file changed, 6 deletions(-) diff --git a/salt/telegraf/scripts/zeekcaptureloss.sh b/salt/telegraf/scripts/zeekcaptureloss.sh index e254ada32..4389fd601 100644 --- a/salt/telegraf/scripts/zeekcaptureloss.sh +++ b/salt/telegraf/scripts/zeekcaptureloss.sh @@ -11,15 +11,9 @@ # This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp # if this script isn't already running -{%- from 'zeek/config.map.jinja' import ZEEKMERGED %} if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then if [ -d "/host/nsm/zeek/spool/logger" ]; then -{%- if ZEEKMERGED.config.node.pins %} - WORKERS={{ ZEEKMERGED.config.node.pins | length }} -{%- else %} - WORKERS={{ ZEEKMERGED.config.node.lb_procs }} -{%- endif %} ZEEKLOG=/host/nsm/zeek/spool/logger/capture_loss.log elif [ -d "/host/nsm/zeek/spool/zeeksa" ]; then WORKERS=1 From 90102b1148047a445ba900d524d562ae6b75227b Mon Sep 17 00:00:00 2001 
From: Doug Burks Date: Sat, 5 Aug 2023 09:23:27 -0400 Subject: [PATCH 096/100] Finish reverting yesterday's change to zeekcaptureloss.sh --- salt/telegraf/scripts/zeekcaptureloss.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/telegraf/scripts/zeekcaptureloss.sh b/salt/telegraf/scripts/zeekcaptureloss.sh index 4389fd601..e0c8758f2 100644 --- a/salt/telegraf/scripts/zeekcaptureloss.sh +++ b/salt/telegraf/scripts/zeekcaptureloss.sh @@ -14,6 +14,7 @@ if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then if [ -d "/host/nsm/zeek/spool/logger" ]; then + WORKERS={{ salt['pillar.get']('sensor:zeek_lbprocs', salt['pillar.get']('sensor:zeek_pins') | length) }} ZEEKLOG=/host/nsm/zeek/spool/logger/capture_loss.log elif [ -d "/host/nsm/zeek/spool/zeeksa" ]; then WORKERS=1 From 3c5cd941c78b123835c3a473cc5ae9970b73e690 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 7 Aug 2023 08:45:30 -0400 Subject: [PATCH 097/100] Update DOWNLOAD_AND_VERIFY_ISO.md for 2.4.5 --- DOWNLOAD_AND_VERIFY_ISO.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index c1594b954..0ea6db8ed 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md 
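Review bot: The restored `WORKERS=` line renders `pillar.get('sensor:zeek_lbprocs', pillar.get('sensor:zeek_pins') | length)`; when neither pillar is set the inner `pillar.get` returns an empty string whose `length` is 0, so the script runs with `WORKERS=0`, and any average that divides by `$WORKERS` further down (not visible in this hunk) would fail or report nothing. Guard it right after the assignment, `[ "$WORKERS" -ge 1 ] || WORKERS=1`, or exit with a clear message, and add a comment stating that `zeek_lbprocs` wins when both pillars are present. The previous commit's attempt to read this from `ZEEKMERGED` was reverted, so this is the behaviour the file ships with.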
@@ -1,18 +1,18 @@ -### 2.4.4-20230728 ISO image built on 2023/07/28 +### 2.4.5-20230807 ISO image released on 2023/08/07 ### Download and Verify -2.4.4-20230728 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.4-20230728.iso - -MD5: F63E76245F3E745B5BDE9E6E647A7CB6 -SHA1: 6CE4E4A3399CD282D4F8592FB19D510388AB3EEA -SHA256: BF8FEB91B1D94B67C3D4A79D209B068F4A46FEC7C15EEF65B0FCE9851D7E6C9F +2.4.5-20230807 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.5-20230807.iso + +MD5: F83FD635025A3A65B380EAFCEB61A92E +SHA1: 5864D4CD520617E3328A3D956CAFCC378A8D2D08 +SHA256: D333BAE0DD198DFD80DF59375456D228A4E18A24EDCDB15852CD4CA3F92B69A7 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.4-20230728.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.5-20230807.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.4-20230728.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.5-20230807.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.4-20230728.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.5-20230807.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.4-20230728.iso.sig securityonion-2.4.4-20230728.iso +gpg --verify securityonion-2.4.5-20230807.iso.sig securityonion-2.4.5-20230807.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Tue 11 Jul 2023 06:23:37 PM EDT using RSA key ID FE507013 +gpg: Signature made Sat 05 Aug 2023 10:12:46 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. From 6e8f31e08373177b4b82b9d16f02664aaa916dbb Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 7 Aug 2023 08:59:24 -0400 Subject: [PATCH 098/100] Delete sigs --- sigs | Bin 566 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 sigs 
diff --git a/sigs b/sigs deleted file mode 100644 index 75a14e1a124888e706fa4e8a2cb8c950e0df7217..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%XJRr~nEH5PT3| zxBgIY6IR&||9=cs@>p+WKyMXEHkdmM9dKN0A_e16|Moe1B^c6!o-~gn=Kj$D8!zb`EjAq^qcU?a}o%Y zDg9=2aqmC*5q>UkyS%K!=yB%liislB5j5FN*Cpo}eO0mrT4n|YgLgq+bx%~B&xTUb ztNgVOS17l{E;!>9=IsB*%qV5K>b~dg>q`zAKq?LL>fdWJEYKH`Lh40-3ZSL1y(Has zLx)b4*VPCx;QTRT9YqP)L}1+sLSnsKZNkRsM0d-(lrnP?{6T8)n5B_CUG=Fx&}umS zr%NsOIn^)hUDLNq+P0kSbQ-W--|qGoc5@cZ;3Z89-8lHAc>pT3v2x8v_e_6vs!o4d zwD5%VtV5fj5`ddN&NgtSJI;;(QyqtKsuJU~M809}yP6#5E0=~sT|HDCt~1K7gPLf? z@C7|#7tJ91EY55yD`(Q8;N7@pBl0O?XV=j|qyCHbM#Jj5bTOQNtyAg9srzf(VL^Z* EkfHt+T>t<8 From 9ae32e2bd66168ac37fd924d5fe042a11fd1091d Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 7 Aug 2023 09:02:52 -0400 Subject: [PATCH 099/100] create sigs directory and add sig for 2.4.5 --- sigs/securityonion-2.4.5-20230807.iso.sig | Bin 0 -> 566 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/securityonion-2.4.5-20230807.iso.sig diff --git a/sigs/securityonion-2.4.5-20230807.iso.sig b/sigs/securityonion-2.4.5-20230807.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..fdf914164d39f45c413fd96952298f9733355d32 GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%Xou-T(>-5PT3| zxBgIY6W3V}|7ARLdu8Uk&=%aLd1eaANXl51uCg=jVr4eayWWo!3JlNr+(j+XW?8qFP5X6QaP5#PecYT1>OAuzC7>i4Rj@v&4=B(BpnOQWIA z2A@7#vZgCT;V|o&PF;@JY9=^AaOW{>4#zzg?c1Zas>6>-wS%Mmh$GYnudPa^Jr9zu zs(~Aip0%%-0^LpOJjMtMdyS2Z*t-J$)8Dg4?{H`YsPy}t9_h%qJa*UX0ZD)~OY#uM zBz!Z96O4cz441jxvb>Y-PM$%Un^Jl}ZJr_=mC~HS*YP7m zj}Z+_UTFqr6zSgYq7P~*1tW6Z)u7wkCF`;At%WU!r;6W6J?9EmiFg9>T`P=#eZmIC EYdvxXlK=n! literal 0 HcmV?d00001 From 37b98ba1889fcda67d030f40ee888f282954f1ff Mon Sep 17 00:00:00 2001 
From: Doug Burks Date: Mon, 7 Aug 2023 09:29:34 -0400 Subject: [PATCH 100/100] add spaces for proper rendering DOWNLOAD_AND_VERIFY_ISO.md --- DOWNLOAD_AND_VERIFY_ISO.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index 0ea6db8ed..b9b3da297 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -7,9 +7,9 @@ 2.4.5-20230807 ISO image: https://download.securityonion.net/file/securityonion/securityonion-2.4.5-20230807.iso -MD5: F83FD635025A3A65B380EAFCEB61A92E -SHA1: 5864D4CD520617E3328A3D956CAFCC378A8D2D08 -SHA256: D333BAE0DD198DFD80DF59375456D228A4E18A24EDCDB15852CD4CA3F92B69A7 +MD5: F83FD635025A3A65B380EAFCEB61A92E +SHA1: 5864D4CD520617E3328A3D956CAFCC378A8D2D08 +SHA256: D333BAE0DD198DFD80DF59375456D228A4E18A24EDCDB15852CD4CA3F92B69A7 Signature for ISO image: https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.5-20230807.iso.sig