Merge branch 'dev' into foxtrot

salt/common/tools/sbin/so-index-list

@@ -15,4 +15,4 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-curl -X GET -k -L https://localhost:9200/_cat/indices?v
+curl -X GET -k -L "https://localhost:9200/_cat/indices?v&s=index"

salt/common/tools/sbin/so-playbook-sync

@@ -17,4 +17,8 @@
 
 . /usr/sbin/so-common
 
+# Check to see if we are already running
+IS_RUNNING=$(ps aux | pgrep -f "so-playbook-sync" | wc -l)
+[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - Multiple Playbook Sync processes already running...exiting." && exit 0
+
 docker exec so-soctopus python3 playbook_play-sync.py

salt/common/tools/sbin/so-sensor-clean

@@ -115,7 +115,7 @@ clean() {
 }
 
 # Check to see if we are already running
-IS_RUNNING=$(ps aux | grep "so-sensor-clean" | grep -v grep | wc -l)
+IS_RUNNING=$(ps aux | pgrep -f "so-sensor-clean" | wc -l)
 [ "$IS_RUNNING" -gt 2 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0
 
 if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then

salt/elastalert/files/modules/so/playbook-es.py

@@ -17,7 +17,7 @@ class PlaybookESAlerter(Alerter):
     def alert(self, matches):
        for match in matches:
             today = strftime("%Y.%m.%d", gmtime())
-            timestamp = strftime("%Y-%m-%d"'T'"%H:%M:%S", gmtime())
+            timestamp = strftime("%Y-%m-%d"'T'"%H:%M:%S"'.000Z', gmtime())
             headers = {"Content-Type": "application/json"}
             payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp}
             url = f"https://{self.rule['elasticsearch_host']}/so-playbook-alerts-{today}/_doc/"

setup/automation/eval-net-centos

@@ -41,7 +41,7 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
+MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/import-airgap

@@ -42,7 +42,7 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
+MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/import-ami

@@ -41,7 +41,7 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
+MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/import-iso

@@ -41,7 +41,7 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
+MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/import-net-centos

@@ -41,7 +41,7 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
+MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/yum_repos/securityonion.repo

@@ -53,4 +53,12 @@ gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH
 enabled=1
 name=Wazuh repository
 baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh_repo/
+protect=1
+
+[wazuh4_repo]
+gpgcheck=1
+gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH
+enabled=1
+name=Wazuh repository
+baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh4_repo/
 protect=1

setup/yum_repos/securityonioncache.repo

@@ -53,4 +53,12 @@ gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH
 enabled=1
 name=Wazuh repository
 baseurl=http://repocache.securityonion.net/file/securityonion-repo/wazuh_repo/
+protect=1
+
+[wazuh4_repo]
+gpgcheck=1
+gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH
+enabled=1
+name=Wazuh repository
+baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh4_repo/
 protect=1