Merge branch 'dev' into kilo

2025-12-06 17:22:49 +01:00 · 2022-04-22 15:11:24 -04:00
parent 459d388614 677db7c563
commit d8fdf2b701
10 changed files with 23 additions and 20 deletions
--- a/salt/common/tools/sbin/so-playbook-sync
+++ b/salt/common/tools/sbin/so-playbook-sync
@@ -18,7 +18,7 @@
 . /usr/sbin/so-common

 # Check to see if we are already running
-NUM_RUNNING=$(pgrep -cf "so-playbook-sync")
+NUM_RUNNING=$(pgrep -cf "/bin/bash /usr/sbin/so-playbook-sync")
 [ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING Playbook sync processes running...exiting." && exit 0

 docker exec so-soctopus python3 playbook_play-sync.py
--- a/salt/common/tools/sbin/so-sensor-clean
+++ b/salt/common/tools/sbin/so-sensor-clean
@@ -115,7 +115,7 @@ clean() {
 }

 # Check to see if we are already running
-NUM_RUNNING=$(pgrep -cf "so-sensor-clean")
+NUM_RUNNING=$(pgrep -cf "/bin/bash /usr/sbin/so-sensor-clean")
 [ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0

 if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -4067,7 +4067,7 @@ elasticsearch:
                field: "@timestamp"
                order: desc
              refresh_interval: 30s
-              number_of_shards: 1
+              number_of_shards: 2
              number_of_replicas: 0
        composed_of: 
          - agent-mappings
--- a/salt/kibana/bin/so-kibana-config-load
+++ b/salt/kibana/bin/so-kibana-config-load
@@ -59,7 +59,7 @@ update() {

    IFS=$'\r\n' GLOBIGNORE='*' command eval  'LINES=($(cat $1))'
    for i in "${LINES[@]}"; do
-      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.17.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.17.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
      echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
    done
 
--- a/salt/kibana/files/config_saved_objects.ndjson
+++ b/salt/kibana/files/config_saved_objects.ndjson
@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.2","id": "7.17.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.3","id": "7.17.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
--- a/salt/workstation/packages.sls
+++ b/salt/workstation/packages.sls
@@ -26,7 +26,6 @@ workstation_packages:
      - mono-basic
      - mono-winforms
      - expect
-      - securityonion-networkminer
      - wireshark-gnome
      - dsniff
      - hping3
@@ -37,17 +36,20 @@ workstation_packages:
      - tcpdump
      - tcpflow
      - whois
-      - securityonion-foremost
      - chromium
-      - securityonion-tcpstat
-      - securityonion-tcptrace
      - libevent
      - sslsplit
-      - securityonion-bittwist
      - perl-IO-Compress 
      - perl-Net-DNS
+      - securityonion-networkminer
      - securityonion-chaosreader
      - securityonion-analyst-extras
+      - securityonion-bittwist
+      - securityonion-tcpstat
+      - securityonion-tcptrace
+      - securityonion-foremost
+      - securityonion-strelka-oneshot
+      - securityonion-strelka-fileshot

 {% else %}

--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -38,12 +38,12 @@ event file_state_remove(f: fa_file)
        if ( !f$info?$extracted || FileExtract::prefix == "" ) {
                return;
        }
-        # Check some conditions so we know the file is intact:
-        # Check for MD5
-        # Check for total_bytes
-        # Check for missing bytes
-        # Check if timed out
-        if ( !f$info?$md5 || !f?$total_bytes || f$missing_bytes > 0 || f$info$timedout) {
+        # Check if any of the following conditions exist:
+        # - missing MD5
+        # - total_bytes exists (some protocols aren't populating this field) but is 0
+        # - missing bytes
+        # - timed out
+        if ( !f$info?$md5 || (f?$total_bytes && f$total_bytes == 0) || f$missing_bytes > 0 || f$info$timedout) {
          # Delete the file if it didn't pass our requirements check.

          local nuke = fmt("rm %s/%s", FileExtract::prefix, f$info$extracted);
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1915,7 +1915,7 @@ manager_global() {
 		"        template:"\
 		"          settings:"\
 		"            index:"\
-		"              number_of_shards: 1"\
+		"              number_of_shards: 2"\
 		"      warm: 7"\
 		"      close: 45"\
 		"      delete: 365"\
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -102,6 +102,9 @@ if [[ $is_analyst ]]; then
 	if ! whiptail_analyst_install; then
 		if [[ $is_analyst_iso ]]; then
 			if whiptail_analyst_nongrid_iso; then
+				# Remove setup from auto launching
+				parse_install_username
+				sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1
 				echo "Enabling graphical interface and setting it to load at boot"
 				systemctl set-default graphical.target
 				startx
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -784,7 +784,7 @@ whiptail_homenet_sensor() {
 	[ -n "$TESTING" ] && return

 	idh_preferences=$(whiptail --title "$whiptail_title" --radiolist \
-		"\nBy default, the IDH services selected in the previous screen will be bound to all interfaces / IPs on this system.\n\nYou can choose below whether or not to prevent IDH services from being published on this system's management IP." 20 75 5 \
+		"\nBy default, the IDH services selected in the previous screen will be bound to all interfaces and IP addresses on this system.\n\nIf you would like to prevent IDH services from being published on this system's management IP, you can select the option below." 20 75 5 \
 		"$MAINIP" "Disable IDH services on this management IP " OFF 3>&1 1>&2 2>&3 )

 	local exitstatus=$?
@@ -932,8 +932,6 @@ whiptail_install_type_other() {

 	[ -n "$TESTING" ] && return

-	# so-analyst-install will only work with a working network connection
-	# so only show it on network installs for now
 	install_type=$(whiptail --title "$whiptail_title" --radiolist \
 		"Choose node type:" 9 65 2 \
 		"ANALYST" "Setup will run 'so-setup analyst' " ON \