Merge pull request #7392 from Security-Onion-Solutions/hotfix/2.3.100

Hotfix 2.3.100 20220301
2025-12-06 09:12:45 +01:00 · 2022-03-02 10:24:50 -05:00
parent bc5fa55ecd ff4345d3aa
commit d570b56c55
5 changed files with 25 additions and 16 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-20220202 20220203
+20220202 20220203 20220301
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,18 +1,18 @@
-### 2.3.100-20220203 ISO image built on 2022/02/03
+### 2.3.100-20220301 ISO image built on 2022/03/01



 ### Download and Verify

-2.3.100-20220203 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220203.iso
+2.3.100-20220301 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220301.iso

-MD5: 14705B2F2F9C973D944A4545449799C5  
-SHA1: D73405BE3DE404DE19979B58DEA6F22F434E622D  
-SHA256: 3DD54ACBFDE0047A5EA238415F025ADB6D6AAFF53BEE084A602327CB3242B580 
+MD5: 53A992D6321B7C33440219BAD9157769  
+SHA1: D730157F4847EB91393CF0C1A22410708312F605  
+SHA256: F6C0E55968ED1F0AA35CB9E1F7FF5BEB27673638A4F2223302B301360BC401A1 

 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220203.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220301.iso.sig

 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma

 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220203.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220301.iso.sig
 ```

 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220203.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220301.iso
 ```

 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.100-20220203.iso.sig securityonion-2.3.100-20220203.iso
+gpg --verify securityonion-2.3.100-20220301.iso.sig securityonion-2.3.100-20220301.iso
 ```

 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Thu 03 Feb 2022 03:35:03 PM EST using RSA key ID FE507013
+gpg: Signature made Tue 01 Mar 2022 03:14:02 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/salt/curator/files/action/delete.yml
+++ b/salt/curator/files/action/delete.yml
@@ -18,6 +18,10 @@ actions:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-.*|so-.*)$'
+    - filtertype: pattern
+      kind: regex
+      value: '^(so-case.*)$'
+      exclude: True
    - filtertype: space
      source: creation_date
      use_age: True
--- a/salt/curator/files/bin/so-curator-closed-delete-delete
+++ b/salt/curator/files/bin/so-curator-closed-delete-delete
@@ -34,9 +34,13 @@ overlimit() {

 closedindices() {

-        INDICES=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed 2> /dev/null)
+	# If we can't query Elasticsearch, then immediately return false.
+        {{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed >/dev/null 2>&1
        [ $? -eq 1 ] && return false 
-        echo ${INDICES} | grep -q -E "(logstash-|so-)"
+	# First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed.
+	# Next, filter out any so-case indices.
+	# Finally, use grep's -q option to return true if there are any remaining logstash- or so- indices.
+        {{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -q -E "(logstash-|so-)"
 }

 # Check for 2 conditions:
@@ -47,9 +51,10 @@ while overlimit && closedindices; do

 	# We need to determine OLDEST_INDEX:
 	# First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed.
-	# Then, sort by date by telling sort to use hyphen as delimiter and then sort on the third field.
+	# Next, filter out any so-case indices and only select the remaining logstash- or so- indices.
+	# Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field.
 	# Finally, select the first entry in that sorted list.
-	OLDEST_INDEX=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1)
+	OLDEST_INDEX=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1)
 	
 	# Now that we've determined OLDEST_INDEX, ask Elasticsearch to delete it.
 	{{ ELASTICCURL }} -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX}
--- a/sigs/securityonion-2.3.100-20220301.iso.sig
+++ b/sigs/securityonion-2.3.100-20220301.iso.sig