Merge pull request #9643 from Security-Onion-Solutions/2.4/dev

Merge Dev

salt/common/packages.sls

@@ -1,6 +1,33 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
-{% if GLOBALS.os != 'CentOS' %}     
+{% if GLOBALS.os == 'Ubuntu' %}
+commonpkgs:
+  pkg.installed:
+    - skip_suggestions: True
+    - pkgs:
+      - chrony
+      - apache2-utils
+      - wget
+      - ntpdate
+      - jq
+      - python3-docker
+      - curl
+      - ca-certificates
+      - software-properties-common
+      - apt-transport-https
+      - openssl
+      - netcat
+      - python3-mysqldb
+      - sqlite3
+      - libssl-dev
+      - python3-dateutil
+      - python3-m2crypto
+      - python3-mysqldb
+      - python3-packaging
+      - python3-lxml
+      - git
+      - vim
+{% elif GLOBALS.os == 'Rocky' %}     
 commonpkgs:
   pkg.installed:
     - skip_suggestions: True

salt/docker/init.sls

@@ -4,12 +4,25 @@
 # Elastic License 2.0.
 
 {% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
 
 dockergroup:
   group.present:
     - name: docker
     - gid: 920
 
+{% if GLOBALS.os == 'Ubuntu' %}
+dockerheldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 1.4.9-1
+      - docker-ce: 5:20.10.8~3-0~ubuntu-focal
+      - docker-ce-cli: 5:20.10.5~3-0~ubuntu-focal
+      - docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-focal
+    - hold: True
+    - update_holds: True
+{% else %}
 dockerheldpackages:
   pkg.installed:
     - pkgs:
@@ -19,6 +32,7 @@ dockerheldpackages:
       - docker-ce-rootless-extras: 20.10.5-3.el7
     - hold: True
     - update_holds: True
+{% endif %}
 
 #disable docker from managing iptables
 iptables_disabled:

salt/repo/client/ubuntu.sls

@@ -0,0 +1,20 @@
+# this removes the repo file left by bootstrap-salt.sh without -r
+remove_salt.list:
+  file.absent:
+    - name: /etc/apt/sources.list.d/salt.list
+
+saltstack.list:
+  file.managed:
+    - name: /etc/apt/sources.list.d/saltstack.list
+    - contents:
+      - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt3004.2/ {{grains.oscodename}} main
+
+apt_update:
+  cmd.run:
+    - name: apt-get update
+    - onchanges:
+      - file: saltstack.list
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30

salt/soc/defaults.yaml

@@ -1020,6 +1020,9 @@ soc:
         cacheMs: 300000
         verifyCert: false
         casesEnabled: true
+        extractCommonObservables:
+          - source.ip
+          - destination.ip
         timeoutMs: 300000
         timeShiftMs: 120000
         defaultDurationMs: 1800000

salt/soc/init.sls

@@ -115,7 +115,7 @@ so-soc:
       {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
       - {{ SN.split('_')|first }}:{{ SNDATA.ip }}
       {%- endfor %}
-      {%- endif %}
+    {%- endif %}
     - port_bindings:
       {% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
       - {{ BINDING }}

salt/soc/soc_soc.yaml

@@ -69,6 +69,9 @@ soc:
           description: Set to true if the SOC case management module, natively integrated with Elasticsearch, should be enabled.
           global: True
           advanced: True
+        extractCommonObservables:
+          description: List of indexed fields to automatically extract into a case observable, when attaching related events to a case.
+          global: True
         timeShiftMs:
           description: Duration (in milliseconds) to further expand the PCAP time range when querying PCAP data related to an event. This duration is added to the normal duration value (see defaultDurationMs).
           global: True