diff --git a/README.md b/README.md
index 8619d0a5a..38e1d64dd 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-## Security Onion 2.3.0
+## Security Onion 2.3.1
-Security Onion 2.3.0 is here!
+Security Onion 2.3.1 is here!
 ### Release Notes
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index 1fcb48734..26b926971 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,16 +1,16 @@
-### 2.3.0 ISO image built on 2020/10/15
+### 2.3.1 ISO image built on 2020/10/22
 ### Download and Verify
-2.3.0 ISO image:
-https://download.securityonion.net/file/securityonion/securityonion-2.3.0.iso
+2.3.1 ISO image:
+https://download.securityonion.net/file/securityonion/securityonion-2.3.1.iso
-MD5: E05B220E4FD7C054DF5C50906EE1375B
-SHA1: 55E93C6EAB140AB4A0F07873CC871EBFDC699CD6
-SHA256: 57B96A6E0951143E123BFC0CD0404F7466776E69F3C115F5A0444C0C6D5A6E32
+MD5: EF2DEBCCBAE0B0BCCC906552B5FF918A
+SHA1: 16AFCACB102BD217A038044D64E7A86DA351640E
+SHA256: 7125F90B6323179D0D29F5745681BE995BD2615E64FA1E0046D94888A72C539E
 Signature for ISO image:
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.0.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.1.iso.sig
 Signing key:
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -24,22 +24,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 Download the signature file for the ISO:
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.0.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.1.iso.sig
 ```
 Download the ISO image:
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.0.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.1.iso
 ```
 Verify the downloaded ISO image using the signature file:
 ```
-gpg --verify securityonion-2.3.0.iso.sig securityonion-2.3.0.iso
+gpg --verify securityonion-2.3.1.iso.sig securityonion-2.3.1.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Thu 15 Oct 2020 08:06:28 PM EDT using RSA key ID FE507013
+gpg: Signature made Thu 22 Oct 2020 10:34:27 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC "
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg: There is no indication that the signature belongs to the owner.
diff --git a/VERSION b/VERSION
index 276cbf9e2..2bf1c1ccf 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3.0
+2.3.1
diff --git a/salt/common/tools/sbin/so-features-enable b/salt/common/tools/sbin/so-features-enable
index ae8981fe9..0f2d694fe 100755
--- a/salt/common/tools/sbin/so-features-enable
+++ b/salt/common/tools/sbin/so-features-enable
@@ -51,7 +51,7 @@ manager_check() {
 }
 manager_check
-VERSION=$(grep soversion $local_salt_dir/pillar/global.sls | cut -d':' -f2|sed 's/ //g')
+VERSION=$(lookup_pillar soversion)
 # Modify global.sls to enable Features
 sed -i 's/features: False/features: True/' $local_salt_dir/pillar/global.sls
 SUFFIX="-features"
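Review bot: `VERSION=$(lookup_pillar soversion)` is never checked for an empty result before the script goes on to edit global.sls and build `SUFFIX` from it, so a failed lookup silently produces an empty version; a guard such as `[ -n "$VERSION" ] || { echo "could not read soversion from pillar" >&2; exit 1; }` right after the assignment would stop the script instead. `lookup_pillar` is defined outside this hunk, presumably in a sourced helper, so whether it already exits on failure cannot be confirmed from here. The unquoted `$local_salt_dir` on the following `sed -i` line deserves the same treatment (`"$local_salt_dir/pillar/global.sls"`).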
diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall
index c0acc7c98..7f9acf080 100755
--- a/salt/common/tools/sbin/so-firewall
+++ b/salt/common/tools/sbin/so-firewall
@@ -116,7 +116,7 @@ def addhostgroup(args):
 print('Missing host group name argument', file=sys.stderr)
 showUsage(args)
- name = args[1]
+ name = args[0]
 content = loadYaml(hostgroupsFilename)
 if name in content['firewall']['hostgroups']:
 print('Already exists', file=sys.stderr)
diff --git a/salt/docker_clean/init.sls b/salt/docker_clean/init.sls
index 1a73fae7e..795b96e3a 100644
--- a/salt/docker_clean/init.sls
+++ b/salt/docker_clean/init.sls
@@ -1,6 +1,6 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
-{% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3']%}
+{% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3','2.3.0']%}
 {% for VERSION in OLDVERSIONS %}
 remove_images_{{ VERSION }}:
@@ -42,4 +42,4 @@ remove_images_{{ VERSION }}:
 - '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-thehive-es:{{ VERSION }}'
 - '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-wazuh:{{ VERSION }}'
 - '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}'
-{% endfor %}
\ No newline at end of file
+{% endfor %}
diff --git a/salt/elasticsearch/files/ingest/common.nids b/salt/elasticsearch/files/ingest/common.nids
index 25d24926c..df6af7a85 100644
--- a/salt/elasticsearch/files/ingest/common.nids
+++ b/salt/elasticsearch/files/ingest/common.nids
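Review bot: The corrected `name = args[0]` is only safe if `showUsage(args)` on the line above terminates the process; if it merely prints usage and returns, the missing-argument path falls through and `args[0]` raises IndexError on an empty list, so the guard should end with an explicit exit, e.g. `showUsage(args); return 1` (or whatever the sibling commands do). The length check itself and the rest of `addhostgroup` start and end outside this hunk, as does `showUsage`, so this cannot be confirmed from the diff. Since `name` becomes a key written back into the hostgroups YAML and later consumed by the firewall state, it is also worth rejecting names outside a conservative pattern before the lookup, e.g. `if not re.fullmatch(r'[A-Za-z0-9_-]+', name): print('Invalid host group name', file=sys.stderr); return 1`.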
@@ -6,7 +6,7 @@
 { "set": { "if": "ctx.rule?.uuid > 1999999", "field": "rule.reference", "value": "https://doc.emergingthreats.net/{{rule.uuid}}" } },
 { "convert": { "if": "ctx.rule.uuid != null", "field": "rule.uuid", "type": "string" } },
 { "dissect": { "if": "ctx.rule.name != null", "field": "rule.name", "pattern" : "%{rule_type} %{rest_of_rulename} ", "ignore_failure": true } },
- { "set": { "if": "ctx.rule_type == 'GPL'", "field": "rule_ruleset", "value": "Snort GPL" } },
+ { "set": { "if": "ctx.rule_type == 'GPL'", "field": "rule.ruleset", "value": "Snort GPL" } },
 { "set": { "if": "ctx.rule_type == 'ET'", "field": "rule.ruleset", "value": "Emerging Threats" } },
 { "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } },
 { "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } },
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 99f1de188..3587b6ffd 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -74,7 +74,6 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.inputs:
 #------------------------------ Log prospector --------------------------------
-{%- if grains['role'] in ['so-sensor', "so-eval", "so-helix", "so-heavynode", "so-standalone", "so-import"] %}
 - type: udp
 enabled: true
 host: "0.0.0.0:514"
@@ -100,6 +99,8 @@ filebeat.inputs:
 - drop_fields:
 fields: ["source", "prospector", "input", "offset", "beat"]
 fields_under_root: true
+
+{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
 {%- if ZEEKVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
 - type: log
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 6bbcea8b4..b770f7cc8 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
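Review bot: The field-name fix is right, but the conditions around it are inconsistent about null safety: the first `set` uses `ctx.rule?.uuid`, while the `convert` condition `ctx.rule.uuid != null` and the severity conditions `ctx.rule.severity == 3` / `== 2` dereference `ctx.rule` directly, so a document that reaches this pipeline without a `rule` object fails the whole document instead of skipping the processor. Writing those as `ctx.rule?.uuid != null` and `ctx.rule?.severity == 3` matches the first processor and degrades gracefully. The `rule_type` and `rest_of_rulename` fields produced by the `dissect` also remain in the indexed document unless a `remove` processor later in the pipeline (not visible in this hunk) drops them.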
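Review bot: Removing the role guard above `- type: udp` makes the syslog listener on `0.0.0.0:514` render on every role, including those the re-added guard in the second hunk still excludes from the Zeek inputs; the changes entry says the manager is meant to gain it, but the template itself no longer records that decision. A comment above the input such as `# Syslog listener is rendered on every role; who may reach it is decided by the firewall state (portgroups.syslog), not here.` would make the intent explicit. The `{%- endif %}` that closed the removed `if` lies outside both hunks, so confirm it now pairs with the `if` re-added at line 103 rather than leaving the block unbalanced. The new `if` also reorders and re-quotes the same six roles; keeping the list byte-identical to the removed one would make the move easier to verify.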
@@ -82,6 +82,7 @@ so-filebeat:
 - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
 - port_bindings:
 - 0.0.0.0:514:514/udp
+ - 0.0.0.0:514:514/tcp
 - watch:
 - file: /opt/so/conf/filebeat/etc/filebeat.yml
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index 6d6a181ac..cb2de370c 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -134,6 +134,7 @@ role:
 - {{ portgroups.redis }}
 - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
+ - {{ portgroups.beats_5644 }}
 self:
 portgroups:
 - {{ portgroups.syslog}}
@@ -424,6 +425,9 @@ role:
 elasticsearch_rest:
 portgroups:
 - {{ portgroups.elasticsearch_rest }}
+ self:
+ portgroups:
+ - {{ portgroups.syslog}}
 INPUT:
 hostgroups:
 anywhere:
@@ -437,6 +441,11 @@ role:
 - {{ portgroups.all }}
 sensor:
 chain:
+ DOCKER-USER:
+ hostgroups:
+ self:
+ portgroups:
+ - {{ portgroups.syslog}}
 INPUT:
 hostgroups:
 anywhere:
@@ -463,6 +472,9 @@ role:
 elasticsearch_rest:
 portgroups:
 - {{ portgroups.elasticsearch_rest }}
+ self:
+ portgroups:
+ - {{ portgroups.syslog}}
 INPUT:
 hostgroups:
 anywhere:
@@ -530,9 +542,6 @@ role:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.elasticsearch_node }}
- self:
- portgroups:
- - {{ portgroups.syslog}}
 beats_endpoint:
 portgroups:
 - {{ portgroups.beats_5044 }}
diff --git a/salt/grafana/dashboards/eval/eval.json b/salt/grafana/dashboards/eval/eval.json
index 1bcf84f02..241db393e 100644
--- a/salt/grafana/dashboards/eval/eval.json
+++ b/salt/grafana/dashboards/eval/eval.json
@@ -918,11 +918,11 @@
 },
 {
 "color": "rgba(237, 129, 40, 0.89)",
- "value": "{{ ROOTFS * '.80'|float }}"
+ "value": "{{ NSMFS * '.80'|float }}"
 },
 {
 "color": "rgba(245, 54, 54, 0.9)",
- "value": "{{ ROOTFS * '.90'|float }}"
+ "value": "{{ NSMFS * '.90'|float }}"
 }
 ]
 },
@@ -4623,4 +4623,4 @@
 "title": "Evaluation Mode - {{ SERVERNAME }} Overview",
 "uid": "{{ UID }}",
 "version": 6
-}
\ No newline at end of file
+}
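Review bot: The new `- 0.0.0.0:514:514/tcp` publishes a host TCP port, but the only syslog input this commit shows in filebeat.yml is `- type: udp`; unless a matching `- type: tcp` input on 514 exists elsewhere in that template (not visible here), this opens a port nothing answers on and adds one more thing the firewall state has to reason about. Either add the tcp input next to the udp one or leave this binding out until it is needed. The `so-filebeat` container definition starts before this hunk.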
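Review bot: Every added syslog entry is spelled `{{ portgroups.syslog}}` while the neighbouring lines use `{{ portgroups.redis }}`-style spacing; it renders identically but reads as a typo, and the same three-line `self`/`portgroups`/`syslog` fragment is now pasted into several role sections, so a Jinja macro or a YAML anchor would keep the copies from drifting. Which roles gain the `DOCKER-USER` syslog rule at +425, +441 and +472, and which one loses it at -530, cannot be told from the hunk headers (all read `role:`), so a one-line comment naming the role above each added `DOCKER-USER:` block would help the next reader audit the exposure. The `beats_5644` addition at +137 likewise sits in a section whose role name is outside the hunk.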
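Review bot: The thresholds are still rendered as JSON strings, `"value": "{{ NSMFS * '.80'|float }}"`, so Grafana receives a quoted number where its threshold `value` is documented as numeric; rendering `"value": {{ NSMFS * '.80'|float }}` (and the `.90` line likewise) emits a real number and removes the dependence on frontend coercion. The same applies to the identical ROOTFS→NSMFS pair in standalone.json. The panel these thresholds belong to is outside the hunk, and the changes entry mentions only the standalone dashboard, so confirm the eval dashboard's panel here is the /nsm one as well.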
diff --git a/salt/grafana/dashboards/standalone/standalone.json b/salt/grafana/dashboards/standalone/standalone.json
index ac733db5c..d5ddb4ca3 100644
--- a/salt/grafana/dashboards/standalone/standalone.json
+++ b/salt/grafana/dashboards/standalone/standalone.json
@@ -936,11 +936,11 @@
 },
 {
 "color": "rgba(237, 129, 40, 0.89)",
- "value": "{{ ROOTFS * '.80'|float }}"
+ "value": "{{ NSMFS * '.80'|float }}"
 },
 {
 "color": "rgba(245, 54, 54, 0.9)",
- "value": "{{ ROOTFS * '.90'|float }}"
+ "value": "{{ NSMFS * '.90'|float }}"
 }
 ]
 },
@@ -6683,4 +6683,4 @@
 "title": "Standalone Mode - {{ SERVERNAME }} Overview",
 "uid": "{{ UID }}",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/salt/soc/files/soc/alerts.actions.json b/salt/soc/files/soc/alerts.actions.json
index 2c3bdaf31..5924750a4 100644
--- a/salt/soc/files/soc/alerts.actions.json
+++ b/salt/soc/files/soc/alerts.actions.json
@@ -1,6 +1,6 @@
 [
- { "name": "", "description": "actionHuntHelp", "icon": "fa-search", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" },
- { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" },
- { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
- { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
- ]
\ No newline at end of file
+ { "name": "", "description": "actionHuntHelp", "icon": "fa-crosshairs", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" },
+ { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" },
+ { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
+ { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
+]
\ No newline at end of file
diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json
index e7caffafc..5aa9b220b 100644
--- a/salt/soc/files/soc/changes.json
+++ b/salt/soc/files/soc/changes.json
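Review bot: The new side of this file still ends without a trailing newline (`\ No newline at end of file`), and so does hunt.actions.json in its hunk, while this same commit adds the EOF newline to docker_clean/init.sls and both Grafana dashboards; adding one here keeps future diffs from rewriting the closing `]` line. Re-indenting the untouched entries also turns a one-word icon change into a whole-file diff, so separating formatting from content changes would keep the history reviewable. The `{value}` placeholder inside `/#/hunt?q=\"{value}\"` is substituted by SOC outside this file, so whether it is escaped for the query syntax cannot be judged from the diff and is worth checking in the consumer.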
@@ -1,25 +1,13 @@
 {
- "title": "Security Onion 2.3.0 is here!",
+ "title": "Security Onion 2.3.1 is here!",
 "changes": [
- { "summary": "We have a new Alerts interface for reviewing alerts and acknowledging or escalating them. Escalating creates a new case in TheHive. Please note that TheHive no longer receives alerts directly." },
- { "summary": "Kibana no longer presents the option to create alerts from events, but instead allows creation of cases from events." },
- { "summary": "Our Security Onion ISO now works for UEFI as well as Secure Boot." },
- { "summary": "Airgap deployments can now be updated using the latest ISO. Please read this documentation carefully." },
- { "summary": "Suricata has been updated to version 5.0.4." },
- { "summary": "Zeek has been updated to version 3.0.11." },
- { "summary": "Stenographer has been updated to the latest version." },
- { "summary": "soup will now attempt to clean up old docker images to free up space." },
- { "summary": "Hunt actions can be customized via hunt.actions.json." },
- { "summary": "Hunt queries can be customized via hunt.queries.json." },
- { "summary": "Hunt event fields can be customized via hunt.eventfields.json." },
- { "summary": "Alerts actions can be customized via alerts.actions.json." },
- { "summary": "Alerts queries can be customized via alerts.queries.json." },
- { "summary": "Alerts event fields can be customized via alerts.eventfields.json." },
- { "summary": "The help documentation is now viewable offline for airgap installations." },
- { "summary": "The script so-user-add will now validate the password is acceptable before attempting to create the user." },
- { "summary": "Playbook and Grafana no longer use static passwords for their admin accounts." },
- { "summary": "Analyst VM now comes with NetworkMiner 2.6 installed." },
- { "summary": "Strelka YARA matches now generate alerts that can be viewed through the Alerts interface." },
+ { "summary": "Fixed a SOC issue in airgap mode that was preventing people from logging in." },
+ { "summary": "Downloading Elastic features images will now download the correct images." },
+ { "summary": "Winlogbeat download no longer requires Internet access." },
+ { "summary": "Adjusted Alerts quick action bar to allow searching for a specific value while remaining in Alerts view." },
+ { "summary": "/nsm will properly display disk usage on the standalone Grafana dashboard." },
+ { "summary": "The manager node now has syslog listener enabled by default (you'll still need to allow syslog traffic through the firewall of course)." },
+ { "summary": "Fixed an issue when creating host groups with so-firewall." },
 { "summary": "Known Issues " }
 ]
 }
diff --git a/salt/soc/files/soc/hunt.actions.json b/salt/soc/files/soc/hunt.actions.json
index 2c3bdaf31..82f9731ed 100644
--- a/salt/soc/files/soc/hunt.actions.json
+++ b/salt/soc/files/soc/hunt.actions.json
@@ -1,6 +1,5 @@
 [
- { "name": "", "description": "actionHuntHelp", "icon": "fa-search", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" },
- { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" },
- { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
- { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
- ]
\ No newline at end of file
+ { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" },
+ { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
+ { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
+]
\ No newline at end of file
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 54d24bde7..61c4ab6bb 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -16,7 +16,7 @@
 "baseUrl": "/",
 "maxPacketCount": 5000,
 "htmlDir": "html",
- {%- if ISAIRGAP is sameas true -%}
+ {%- if ISAIRGAP is sameas true %}
 "airgapEnabled": true,
 {%- else %}
 "airgapEnabled": false,
@@ -54,8 +54,8 @@
 }
 },
 "client": {
- {%- if ISAIRGAP is sameas true -%}
- "docsUrl": "/docs/,
+ {%- if ISAIRGAP is sameas true %}
+ "docsUrl": "/docs/",
 {%- else %}
 "docsUrl": "https://docs.securityonion.net/en/2.3/",
 {%- endif %}
diff --git a/sigs/securityonion-2.3.1.iso.sig b/sigs/securityonion-2.3.1.iso.sig
new file mode 100644
index 000000000..751cb380a
Binary files /dev/null and b/sigs/securityonion-2.3.1.iso.sig differ
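Review bot: The `"docsUrl": "/docs/,` → `"docsUrl": "/docs/",` correction shows the airgap branch of this template rendered invalid JSON and shipped that way, which matches the login failure described in changes.json; the `-%}` → `%}` edits in both hunks only change whitespace around the `airgapEnabled` and `docsUrl` lines and are cosmetic by comparison. A render-and-parse check for both values of ISAIRGAP (render the template, then feed the output to `python3 -m json.tool` or an equivalent strict parser) in CI or a test state would catch this class of break before release rather than after. The enclosing `client` object continues outside the second hunk.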