diff --git a/README.md b/README.md index 0739efec5..d67e8b20b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.3.90-20211206 +## Security Onion 2.3.90-20211213 -Security Onion 2.3.90-20211206 is here! +Security Onion 2.3.90-20211213 is here! ## Screenshots diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 7dfb372cf..cbc3f85ea 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.3.90-20211206 ISO image built on 2021/12/06 +### 2.3.90-20211213 ISO image built on 2021/12/13 ### Download and Verify -2.3.90-20211206 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.90-20211206.iso +2.3.90-20211213 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.90-20211213.iso -MD5: 8A5FDF731D548E27D123E5B711890AEC -SHA1: B4AF33FE1D64592D46C780AF0C5E7FBD21A22BDE -SHA256: 091DA2D06C82447639D324EE32DBC385AE407078B3A55F4E0704B22DB6B29A7E +MD5: D7E90433B416627347DD54B7C3C07F18 +SHA1: 11E212B2237162749F5E3BD959C84D6C4720D213 +SHA256: 01DD0AF3CF5BBFD4AF7463F8897935A885E3D9CC8B9B3B5E9A01E0A2EF37ED95 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.90-20211206.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.90-20211213.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.90-20211206.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.90-20211213.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.90-20211206.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.90-20211213.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.90-20211206.iso.sig securityonion-2.3.90-20211206.iso +gpg --verify securityonion-2.3.90-20211213.iso.sig securityonion-2.3.90-20211213.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 06 Dec 2021 10:14:29 AM EST using RSA key ID FE507013 +gpg: Signature made Mon 13 Dec 2021 11:46:27 AM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index 0b0f89698..7985cc287 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common 
@@ -132,7 +132,7 @@ update_docker_containers() {
 # Let's make sure we have the public key
 run_check_net_err \
 "curl --retry 5 --retry-delay 60 -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" \
- "Could not pull signature key file, please ensure connectivity to https://raw.gihubusercontent.com" \
+ "Could not pull signature key file, please ensure connectivity to https://raw.githubusercontent.com" \
 noretry >> "$LOG_FILE" 2>&1
 result=$?
 if [[ $result -eq 0 ]]; then
diff --git a/salt/elasticsearch/files/scripts/so-catrust b/salt/elasticsearch/files/scripts/so-catrust
index c157d9691..61b5e9063 100644
--- a/salt/elasticsearch/files/scripts/so-catrust
+++ b/salt/elasticsearch/files/scripts/so-catrust
@@ -24,9 +24,9 @@ set -e # Check to see if we have extracted the ca cert. if [ ! -f /opt/so/saltstack/local/salt/common/cacerts ]; then - docker run -v /etc/pki/ca.crt:/etc/pki/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }} -keystore /etc/pki/ca-trust/extracted/java/cacerts -alias SOSCA -import -file /etc/pki/ca.crt -storepass changeit -noprompt - docker cp so-elasticsearchca:/etc/pki/ca-trust/extracted/java/cacerts /opt/so/saltstack/local/salt/common/cacerts - docker cp so-elasticsearchca:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem + docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }} -keystore /etc/ssl/certs/java/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt + docker cp so-elasticsearchca:/etc/ssl/certs/java/cacerts /opt/so/saltstack/local/salt/common/cacerts + docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem docker rm so-elasticsearchca echo "" >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem echo "sosca" >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 84ce545b8..3e87ce71c 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -131,6 +131,10 @@ esrolesdir: - group: 939 - makedirs: True +eslibdir: + file.absent: + - name: /opt/so/conf/elasticsearch/lib + esingestdynamicconf: file.recurse: - name: /opt/so/conf/elasticsearch/ingest 
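Review bot: The rewritten `docker run` on the new side mounts the host CA with `-v /etc/pki/ca.crt:/etc/ssl/ca.crt` but without `:ro`, although the container only reads it as keytool's `-file` argument; `-v /etc/pki/ca.crt:/etc/ssl/ca.crt:ro` keeps a root-running throwaway container from being able to alter the host's CA certificate. The new truststore and bundle paths (`/etc/ssl/certs/java/cacerts`, `/etc/ssl/certs/ca-certificates.crt`) are the Debian-family layout and so tie this script to the base OS of the so-elasticsearch image; a comment such as `# Paths follow the Debian/Ubuntu layout of the so-elasticsearch image and must match the cacerts mount in salt/elasticsearch/init.sls` would record that coupling for the next image bump. Because the script runs under `set -e` (visible in the hunk header), a failed `docker cp` presumably exits before `docker rm so-elasticsearchca`, leaving the named container behind so the next run fails on the name conflict; `--rm` cannot be used since files are copied out afterwards, but `trap 'docker rm -f so-elasticsearchca >/dev/null 2>&1 || true' EXIT` placed before the `docker run` would cover it. The enclosing `if` block continues past the end of the hunk.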
@@ -258,7 +262,7 @@ so-elasticsearch:
 {% if TRUECLUSTER is sameas false or (TRUECLUSTER is sameas true and not salt['pillar.get']('nodestab', {})) %}
 - discovery.type=single-node
 {% endif %}
- - ES_JAVA_OPTS=-Xms{{ esheap }} -Xmx{{ esheap }} -Des.transport.cname_in_publish_address=true
+ - ES_JAVA_OPTS=-Xms{{ esheap }} -Xmx{{ esheap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
 ulimits:
 - memlock=-1:-1
 - nofile=65536:65536
@@ -271,7 +275,7 @@ so-elasticsearch:
 - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
 - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
 - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
- - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
+ - /opt/so/conf/ca/cacerts:/etc/ssl/certs/java/cacerts:ro
 {% if ismanager %}
 - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
 {% else %}
diff --git a/salt/logstash/etc/jvm.options b/salt/logstash/etc/jvm.options
new file mode 100644
index 000000000..5af9281fc
--- /dev/null
+++ b/salt/logstash/etc/jvm.options
@@ -0,0 +1 @@
+-Dlog4j2.formatMsgNoLookups=true
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 069b2f7bd..5c9c05d7d 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -61,6 +61,10 @@ logstash:
 - gid: 931
 - home: /opt/so/conf/logstash
 
+lslibdir:
+ file.absent:
+ - name: /opt/so/conf/logstash/lib
+
 lsetcdir:
 file.directory:
 - name: /opt/so/conf/logstash/etc
diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
index c6537d2f5..869b6d553 100644
--- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
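Review bot: `-Dlog4j2.formatMsgNoLookups=true` appended to `ES_JAVA_OPTS` in the first hunk here, and likewise in the new `salt/logstash/etc/jvm.options` and the `so-thehive-es` environment in `salt/thehive/init.sls`, is a JVM-property mitigation that only takes effect on Log4j 2.10 and later and is silently ignored by earlier 2.x releases, so it should be paired with (or documented as pending) an upgrade of the Log4j bundled in the so-elasticsearch, logstash and thehive images rather than treated as the fix. A comment on each of the three lines, e.g. `# Log4j 2.x JNDI-lookup mitigation; no effect on Log4j < 2.10 - remove once the image ships a fixed Log4j`, records why the flag is there and when it can be retired. For Logstash, nothing in this diff shows `jvm.options` being mounted into or read by the container; confirm the container actually consumes it from `/opt/so/conf/logstash/etc`, since an unread options file gives a false sense of mitigation. The cacerts mount in the second hunk must stay in step with the keytool `-keystore` path in so-catrust; a short comment naming that dependency on the mount line would help.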
@@ -7,19 +7,37 @@ {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if "beat-ext" in [tags] and "import" not in [tags] and "filebeat" not in [metadata][pipeline] { - elasticsearch { - pipeline => "beats.common" - hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} - user => "{{ ES_USER }}" - password => "{{ ES_PASS }}" -{% endif %} - index => "so-beats" - template_name => "so-beats" - template => "/templates/so-beats-template.json" - template_overwrite => true - ssl => true - ssl_certificate_verification => false - } + if [metadata][_id] { + elasticsearch { + pipeline => "beats.common" + hosts => "{{ ES }}" + {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} + user => "{{ ES_USER }}" + password => "{{ ES_PASS }}" + {% endif %} + index => "so-beats" + template_name => "so-beats" + template => "/templates/so-beats-template.json" + template_overwrite => true + ssl => true + ssl_certificate_verification => false + document_id => "%{[metadata][_id]}" + } + } else { + elasticsearch { + pipeline => "beats.common" + hosts => "{{ ES }}" + {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} + user => "{{ ES_USER }}" + password => "{{ ES_PASS }}" + {% endif %} + index => "so-beats" + template_name => "so-beats" + template => "/templates/so-beats-template.json" + template_overwrite => true + ssl => true + ssl_certificate_verification => false + } } + } } diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls index d7050e226..7cbe34c90 100644 --- a/salt/thehive/init.sls +++ b/salt/thehive/init.sls 
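Review bot: Both new `elasticsearch {}` blocks carry `ssl_certificate_verification => false` alongside `ssl => true`, so the output encrypts to `{{ ES }}` without authenticating the server, and the if/else duplication now leaves that setting to be corrected in two places. Since this deployment already assembles a CA bundle containing its own CA (the `tls-ca-bundle.pem` produced by so-catrust), both branches could set `ssl_certificate_verification => true` and `cacert => "<path of that bundle as mounted in the Logstash container>"`, with the placeholder resolved to the actual mount. The only difference between the branches is `document_id => "%{[metadata][_id]}"`, so a one-line comment above `if [metadata][_id] {`, e.g. `# Honour a producer-supplied _id so re-shipped events update instead of duplicating - confirm intent`, would state the presumed purpose for the next reader.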
@@ -95,7 +95,7 @@ so-thehive-es:
 - /opt/so/conf/thehive/etc/es/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
 - /opt/so/log/thehive:/var/log/elasticsearch:rw
 - environment:
- - ES_JAVA_OPTS=-Xms512m -Xmx512m
+ - ES_JAVA_OPTS=-Xms512m -Xmx512m -Dlog4j2.formatMsgNoLookups=true
 - port_bindings:
 - 0.0.0.0:9400:9400
 - 0.0.0.0:9500:9500
diff --git a/sigs/securityonion-2.3.90-20211210.iso.sig b/sigs/securityonion-2.3.90-20211210.iso.sig
new file mode 100644
index 000000000..4fb061626
Binary files /dev/null and b/sigs/securityonion-2.3.90-20211210.iso.sig differ
diff --git a/sigs/securityonion-2.3.90-20211213.iso.sig b/sigs/securityonion-2.3.90-20211213.iso.sig
new file mode 100644
index 000000000..cbf5489f2
Binary files /dev/null and b/sigs/securityonion-2.3.90-20211213.iso.sig differ