From 8d84718c91c4d424ea7065c910e2a8e37ec07c3d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 26 Oct 2020 13:08:30 -0400 Subject: [PATCH 01/17] Update VERIFY_ISO.md --- VERIFY_ISO.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 281821214..f6dc51b60 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -5,9 +5,9 @@ 2.3.2 ISO image: https://download.securityonion.net/file/securityonion/securityonion-2.3.2.iso -MD5: EF2DEBCCBAE0B0BCCC906552B5FF918A -SHA1: 16AFCACB102BD217A038044D64E7A86DA351640E -SHA256: 7125F90B6323179D0D29F5745681BE995BD2615E64FA1E0046D94888A72C539E +MD5: 8010C32803CD62AA3F61487524E37049 +SHA1: DCA300424C9DF81A4F332B8AA3945E18779C9D28 +SHA256: 1099494AA3E476D682746AAD9C2BD7DED292589DFAAB7B517933336C07AA01D0 Signature for ISO image: https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.2.iso.sig From 7f4b8e8183fe6c31258add1079bf4d0904028efa Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 3 Nov 2020 11:39:42 -0500 Subject: [PATCH 02/17] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6138a2271..3c2835764 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.3.2 +## Security Onion 2.3.3 -Security Onion 2.3.2 is here! +Security Onion 2.3.3 is here! ### Release Notes From 85ea61bf987524f9ebc3831f886e2cb487420599 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 3 Nov 2020 11:40:03 -0500 Subject: [PATCH 03/17] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index f90b1afc0..0bee604df 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.2 +2.3.3 From a859aa4f48144a57a57152123b32e051854a8a68 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Tue, 3 Nov 2020 11:54:28 -0500 Subject: [PATCH 04/17] upgrade from salt 3001.1 to salt 3002.1 - https://github.com/Security-Onion-Solutions/securityonion/issues/1807 --- salt/salt/master.defaults.yaml | 2 +- salt/salt/minion.defaults.yaml | 2 +- setup/so-functions | 22 +++++++++++----------- setup/yum_repos/saltstack.repo | 4 ++-- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index 8694ffbc7..02742737a 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml @@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: master: - version: 3001.1 \ No newline at end of file + version: 3002.1 \ No newline at end of file diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index 31c313df6..26384e55e 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml @@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3001.1 \ No newline at end of file + version: 3002.1 \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index 06f103cfc..a971d23c1 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1410,7 +1410,7 @@ saltify() { if [ $OS = 'centos' ]; then set_progress_str 5 'Installing Salt repo' { - sudo rpm --import https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3001.1/SALTSTACK-GPG-KEY.pub; + sudo rpm --import https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.1/SALTSTACK-GPG-KEY.pub; cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo; } >> "$setup_log" 2>&1 set_progress_str 6 'Installing various dependencies' 
@@ -1427,14 +1427,14 @@ saltify() { # Download Ubuntu Keys in case manager updates = 1 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 if [[ ! $is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3001.1/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3002.1/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" logCmd "cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo" fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3001.1" + logCmd "yum -y install salt-master-3002.1" fi systemctl enable salt-master >> "$setup_log" 2>&1 ;; @@ -1462,7 +1462,7 @@ saltify() { { if [[ ! $is_iso ]]; then yum -y install epel-release - yum -y install salt-minion-3001.1\ + yum -y install salt-minion-3002.1\ python3\ python36-docker\ python36-dateutil\ 
@@ -1506,8 +1506,8 @@ saltify() { 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') # TODO: should this also be HELIXSENSOR? # Add saltstack repo(s) - wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/3001.1/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3001.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/3002.1/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 @@ -1515,7 +1515,7 @@ saltify() { # Get gpg keys mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com$py_ver_url_path/ubuntu/"$ubuntu_version"/amd64/archive/3001.1/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com$py_ver_url_path/ubuntu/"$ubuntu_version"/amd64/archive/3002.1/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 
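Review bot: The apt source written on the new side, `echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.1 $OSVER main"`, still fetches the package index over plaintext HTTP, while the signing key one line above is pulled from the same host over HTTPS, so the host evidently serves TLS. Apt's signature check still protects package integrity, but a plaintext mirror makes metadata freeze/downgrade tricks easier for an on-path attacker, which is worth closing in a commit whose whole purpose is to move off a Salt release with published CVEs. I would change the scheme to `https://` here and in the matching `deb http://repo.saltstack.com...` line in the later `@@ -1539` hunk of the same function. The saltify function begins before this hunk and continues past it.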
@@ -1528,7 +1528,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' apt-get -y install sqlite3 argon2 libssl-dev >> "$setup_log" 2>&1 set_progress_str 7 'Installing salt-master' - apt-get -y install salt-master=3001.1+ds-1 >> "$setup_log" 2>&1 + apt-get -y install salt-master=3002.1+ds-1 >> "$setup_log" 2>&1 apt-mark hold salt-master >> "$setup_log" 2>&1 ;; *) @@ -1539,14 +1539,14 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3001.1/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.1/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" ;; esac apt-get update >> "$setup_log" 2>&1 set_progress_str 8 'Installing salt-minion & python modules' - apt-get -y install salt-minion=3001.1+ds-1\ - salt-common=3001.1+ds-1 >> "$setup_log" 2>&1 + apt-get -y install salt-minion=3002.1+ds-1\ + salt-common=3002.1+ds-1 >> "$setup_log" 2>&1 apt-mark hold salt-minion salt-common >> "$setup_log" 2>&1 if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-dateutil python3-m2crypto python3-mysqldb >> "$setup_log" 2>&1 diff --git a/setup/yum_repos/saltstack.repo b/setup/yum_repos/saltstack.repo index 2e1b425fb..d104e252c 100644 --- a/setup/yum_repos/saltstack.repo +++ b/setup/yum_repos/saltstack.repo 
@@ -1,6 +1,6 @@ [saltstack] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3001.1/ +baseurl=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.1/ enabled=1 gpgcheck=1 -gpgkey=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3001.1/SALTSTACK-GPG-KEY.pub \ No newline at end of file +gpgkey=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.1/SALTSTACK-GPG-KEY.pub \ No newline at end of file From aa9aa592137e9551e15a4356d98fc677be41d6e2 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 3 Nov 2020 12:27:55 -0500 Subject: [PATCH 05/17] Correct cheatsheetUrl for airgap installs --- salt/soc/files/soc/soc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index f5326597a..c48229a0c 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -56,7 +56,7 @@ "client": { {%- if ISAIRGAP is sameas true %} "docsUrl": "/docs/", - "docsUrl": "/docs/cheatsheet.pdf", + "cheatsheetUrl": "/docs/cheatsheet.pdf", {%- else %} "docsUrl": "https://docs.securityonion.net/en/2.3/", "cheatsheetUrl": "https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf", From 887f412e481105d9cac4c18a8988ab2f176b9db8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 3 Nov 2020 13:54:00 -0500 Subject: [PATCH 06/17] Remove docker_clean from docker_update function --- salt/common/tools/sbin/soup | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index e24b7f105..770b8077c 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -381,8 +381,6 @@ update_dockers() { docker push $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION done fi - # Cleanup on Aisle 4 - clean_dockers echo "Add Registry back if airgap" if [ $is_airgap -eq 0 ]; then docker load -i $AGDOCKER/registry_image.tar 
From def993f4ed5829a0b0f70684f219513e1636ca44 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 3 Nov 2020 16:50:22 -0500 Subject: [PATCH 07/17] Improve salt version update comment --- setup/so-functions | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index a971d23c1..08f9dd8b6 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1403,7 +1403,12 @@ reserve_group_ids() { groupadd -g 946 cyberchef } -# When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and salt/salt/master.defaults.yaml and salt/salt/minion.defaults.yaml +# CAUTION! SALT VERSION UDDATES - READ BELOW +# When updating the salt version, also update the version in: +# - securityonion-builds/iso-resources/build.sh +# - securityonion-builds/iso-resources/packages.lst +# - securityonion/salt/salt/master.defaults.yaml +# - securityonion/salt/salt/minion.defaults.yaml saltify() { # Install updates and Salt From e8616e4d46f7d200296b9a4d60ab6c521307949d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 3 Nov 2020 17:19:55 -0500 Subject: [PATCH 08/17] Update soup --- salt/common/tools/sbin/soup | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 770b8077c..e7ddd0ee2 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -409,6 +409,10 @@ upgrade_check_salt() { if [ "$INSTALLEDSALTVERSION" == "$NEWSALTVERSION" ]; then echo "You are already running the correct version of Salt for Security Onion." else + UPGRADESALT=1 + fi + +upgrade_salt() { SALTUPGRADED=True echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION." echo "" 
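Review bot: The new comment block has a typo, `UDDATES` → `UPDATES`, and its checklist is incomplete for the very change this series makes: patch 04 also had to bump `setup/yum_repos/saltstack.repo` and the repo/key URLs and `salt-master`/`salt-minion` package pins inside saltify itself, none of which are listed. The companion comments in `salt/salt/master.defaults.yaml` and `minion.defaults.yaml` still point at `securityonion-builds/images/iso-task/Dockerfile`, which this comment drops in favour of build.sh and packages.lst, so the three lists now disagree. I would add `# - securityonion/setup/yum_repos/saltstack.repo` and `# - the repo URLs and salt package version pins in this function` to the list and align the two yaml comments with it.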
@@ -419,7 +423,11 @@ upgrade_check_salt() { yum versionlock delete "salt-*" echo "Updating Salt packages and restarting services." echo "" - sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION" + if [ $is_airgap -eq 0 ]; then + sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable "$NEWSALTVERSION" + else + sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION" + fi echo "Applying yum versionlock for Salt." echo "" yum versionlock add "salt-*" @@ -439,7 +447,6 @@ upgrade_check_salt() { apt-mark hold "salt-master" apt-mark hold "salt-minion" fi - fi } verify_latest_update_script() { @@ -500,29 +507,38 @@ echo "Let's see if we need to update Security Onion." upgrade_check space_check +echo "Checking for Salt Master and Minion updates." +upgrade_check_salt + echo "" echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION." echo "" +echo "Updating dockers to $NEWVERSION." +update_dockers +echo "" echo "Stopping Salt Minion service." systemctl stop salt-minion echo "" echo "Stopping Salt Master service." systemctl stop salt-master echo "" -echo "Checking for Salt Master and Minion updates." -upgrade_check_salt +# Does salt need upgraded. If so update it. +if [ "$UPGRADESALT" == "1" ]; then + echo "Upgrading Salt" + # Update the repo files so it can actually upgrade + if [ $is_airgap -eq 0 ]; then + update_centos_repo + fi + upgrade_salt +fi echo "Making pillar changes." pillar_changes echo "" -echo "" -echo "Updating dockers to $NEWVERSION." -update_dockers - # Only update the repo if its airgap -if [ $is_airgap -eq 0 ]; then +if [[ $is_airgap -eq 0 ]] && [[ "$UPGRADESALT" != "1" ]]; then update_centos_repo fi From 8edb1529a9fc7ae3a422e8d124d5e86a1928b7e2 Mon Sep 17 00:00:00 2001 
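Review bot: Neither branch checks the exit status of `bootstrap-salt.sh`, so a failed package upgrade (unreachable repo, or a 3002.1 package missing from /nsm/repo) falls straight through to `yum versionlock add "salt-*"` and the rest of soup continues on the Salt release the commit is trying to retire for its CVEs. Since this script already uses `[[ ]]` in the same commit, I would build the argument list once and abort on failure: `bootstrap_args=(-F -M -x python3 stable "$NEWSALTVERSION")`, `[ "$is_airgap" -eq 0 ] && bootstrap_args=(-r "${bootstrap_args[@]}")`, `sh "$UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh" "${bootstrap_args[@]}" || { echo "Salt upgrade failed, aborting." >&2; exit 1; }` (routing through whatever unmount/cleanup path soup uses before exiting). A one-line comment on `-r` would also help, since the only hint that it is meant to skip adding the upstream repo and use the local airgap one is the is_airgap test around it — presumably that is the intent. The upgrade_salt function starts in the previous hunk and ends after this one.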
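Review bot: `UPGRADESALT` is never initialised before `upgrade_check_salt` runs, and that function only assigns it in the version-mismatch branch, so a stray `UPGRADESALT=1` inherited from the caller's environment would force the Salt upgrade path; add `UPGRADESALT=0` immediately before the `upgrade_check_salt` call. The reordering also moves `update_dockers` ahead of stopping Salt and of `upgrade_salt`, so if the Salt upgrade fails the images have already been pushed to the registry while Salt stays on the old release — if staging the images before the highstate is the intent, a comment saying so plus a hard stop on a failed upgrade_salt would make that safe. The new tests mix `[ $is_airgap -eq 0 ]` and `[[ $is_airgap -eq 0 ]]`; with `[` an unset `is_airgap` is a syntax error rather than a false, so quote it or use `[[` consistently.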
From: Mike Reeves Date: Tue, 3 Nov 2020 17:36:53 -0500 Subject: [PATCH 09/17] Update soup --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index e7ddd0ee2..a2af78d64 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -411,7 +411,7 @@ upgrade_check_salt() { else UPGRADESALT=1 fi - +} upgrade_salt() { SALTUPGRADED=True echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION." From c7367eea38f457951728dcf309c0eda73d81dddf Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 3 Nov 2020 19:08:58 -0500 Subject: [PATCH 10/17] Fix AGREPO Variable --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index a2af78d64..efcf2eaac 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -286,7 +286,7 @@ unmount_update() { update_centos_repo() { # Update the files in the repo echo "Syncing new updates to /nsm/repo" - rsync -a $AGDOCKER/repo /nsm/repo + rsync -a $AGREPO/repo /nsm/repo echo "Creating repo" createrepo /nsm/repo } From cf001875c2f016aebd04cf8a531b647878087c12 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 3 Nov 2020 20:14:15 -0500 Subject: [PATCH 11/17] Update soup --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index efcf2eaac..85aaea1b3 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -286,7 +286,7 @@ unmount_update() { update_centos_repo() { # Update the files in the repo echo "Syncing new updates to /nsm/repo" - rsync -a $AGREPO/repo /nsm/repo + rsync -av $AGREPO/* /nsm/repo/ echo "Creating repo" createrepo /nsm/repo } From ec64314b70e8d9fad09b16543259a0aa931825ea Mon Sep 17 00:00:00 2001 
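Review bot: `rsync -av $AGREPO/* /nsm/repo/` on the new side expands to `/*` when `AGREPO` is unset or empty (it is assigned outside this hunk), which would copy the root filesystem into the yum repo served to the whole grid; the glob also skips dotfiles and `-v` floods soup's output. I would write `rsync -a "${AGREPO:?AGREPO is not set}/" /nsm/repo/` and check the metadata build as well, `createrepo /nsm/repo || { echo "createrepo failed" >&2; exit 1; }`, since stale repodata is exactly what makes the later `yum clean all` plus Salt upgrade fail on nodes with no clear cause.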
From: Mike Reeves Date: Wed, 4 Nov 2020 10:00:44 -0500 Subject: [PATCH 12/17] Fix soup to clear yum cache for airgap --- salt/common/tools/sbin/soup | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 85aaea1b3..aac34acb8 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -140,9 +140,9 @@ detect_os() { } highstate() { - # Run a highstate but first cancel a running one. - salt-call saltutil.kill_all_jobs - salt-call state.highstate -l info + # Run a highstate. + echo "Running a highstate. This could take a few minutes" + salt-call state.highstate -l info queue=True } masterlock() { @@ -529,6 +529,7 @@ if [ "$UPGRADESALT" == "1" ]; then # Update the repo files so it can actually upgrade if [ $is_airgap -eq 0 ]; then update_centos_repo + yum clean all fi upgrade_salt fi @@ -575,10 +576,12 @@ highstate playbook unmount_update -SALTUPGRADED="True" -if [[ "$SALTUPGRADED" == "True" ]]; then +if [ "$UPGRADESALT" == "1" ]; then echo "" echo "Upgrading Salt on the remaining Security Onion nodes from $INSTALLEDSALTVERSION to $NEWSALTVERSION." + if [ $is_airgap -eq 0 ]; then + salt -C 'not *_eval and not *_helix and not *_manager and not *_managersearch and not *_standalone' cmd.run "yum clean all" + fi salt -C 'not *_eval and not *_helix and not *_manager and not *_managersearch and not *_standalone' -b $BATCHSIZE state.apply salt.minion echo "" fi From 4592e2d4d7bc9f97215468d9785e187849aa4b82 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 4 Nov 2020 10:08:01 -0500 Subject: [PATCH 13/17] add airgap option to upgradecommand --- salt/salt/map.jinja | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index 89ceadd5b..40a0f4095 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja 
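Review bot: The rewritten `highstate()` silently swaps the old "kill running jobs first" behaviour for `queue=True`, but the new comment just says `# Run a highstate.`, so the next maintainer will not know why `saltutil.kill_all_jobs` disappeared or what the flag buys. I would expand it to `# Run a highstate; queue=True waits for any in-progress state run to finish instead of killing it (replaces the old kill_all_jobs step).`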
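Review bot: The new `salt -C 'not *_eval and ... not *_standalone' cmd.run "yum clean all"` selects minions by role only, so any Ubuntu node matched by that compound target is handed a command that does not exist there; `map.jinja` in this same series branches on `grains.os` for exactly this step, so the target should too. It also runs unbatched, unlike the `-b $BATCHSIZE state.apply salt.minion` directly below it. I would change the line to `salt -C 'G@os:CentOS and not *_eval and not *_helix and not *_manager and not *_managersearch and not *_standalone' -b $BATCHSIZE cmd.run "yum clean all"` — whether airgap grids actually contain Ubuntu nodes I cannot tell from here, but the guard is cheap.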
@@ -1,5 +1,6 @@ {% import_yaml 'salt/minion.defaults.yaml' as salt %} {% set SALTVERSION = salt.salt.minion.version %} +{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} {% if grains.os|lower == 'ubuntu' %} {% set COMMON = 'salt-common' %} @@ -9,10 +10,14 @@ {% if grains.saltversion|string != SALTVERSION|string %} {% if grains.os|lower in ['centos', 'redhat'] %} - {% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" && sh /usr/sbin/bootstrap-salt.sh -F -x python3 stable ' ~ SALTVERSION %} + {% if ISAIRGAP is sameas true %} + {% set UPGRADECOMMAND = 'yum clean all && yum versionlock delete "salt-*" && sh /usr/sbin/bootstrap-salt.sh -r -F -x python3 stable ' ~ SALTVERSION %} + {% else %} + {% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" && sh /usr/sbin/bootstrap-salt.sh -F -x python3 stable ' ~ SALTVERSION %} + {% endif %} {% elif grains.os|lower == 'ubuntu' %} {% set UPGRADECOMMAND = 'apt-mark unhold salt-common && apt-mark unhold salt-minion && sh /usr/sbin/bootstrap-salt.sh -F -x python3 stable ' ~ SALTVERSION %} {% endif %} {% else %} {% set UPGRADECOMMAND = 'echo Already running Salt Minon version ' ~ SALTVERSION %} -{% endif %} \ No newline at end of file +{% endif %} From e989fc7041834e1c32631f26ffef28d6566e74ab Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 4 Nov 2020 10:58:52 -0500 Subject: [PATCH 14/17] Update map.jinja --- salt/salt/map.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index 40a0f4095..9c7d0ac39 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja @@ -1,5 +1,5 @@ -{% import_yaml 'salt/minion.defaults.yaml' as salt %} -{% set SALTVERSION = salt.salt.minion.version %} +{% import_yaml 'salt/minion.defaults.yaml' as saltminion %} +{% set SALTVERSION = saltminion.salt.minion.version %} {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} {% if grains.os|lower == 'ubuntu' %} 
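Review bot: `{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}` supplies a string default, but the consumer added below is `{% if ISAIRGAP is sameas true %}`, which only matches the boolean True; a pillar that stores airgap as the string "True"/"true" therefore silently takes the non-airgap UPGRADECOMMAND, which tries to add the upstream repo on a host that cannot reach it. Use a boolean default, `{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}`, and if the pillar type is not guaranteed compare with `{% if ISAIRGAP|string|lower == 'true' %}`. Note also that in this hunk `salt` is the YAML imported `as salt` on the line above, so `salt['pillar.get']` cannot resolve; the next commit renames the import but leaves the string default in place.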
From 2aa21512e53a500a9761ca1f1b560c31909ab4f0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 4 Nov 2020 13:40:45 -0500 Subject: [PATCH 15/17] Update soup --- salt/common/tools/sbin/soup | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index aac34acb8..08c9778ef 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -141,7 +141,6 @@ detect_os() { highstate() { # Run a highstate. - echo "Running a highstate. This could take a few minutes" salt-call state.highstate -l info queue=True } From 3825becd1b6c91e47a95d6863c88925ec19775e6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 4 Nov 2020 13:44:52 -0500 Subject: [PATCH 16/17] Update changes.json --- salt/soc/files/soc/changes.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index 680dbd54d..e9556aee6 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json @@ -1,8 +1,7 @@ { - "title": "Security Onion 2.3.2 is here!", + "title": "Security Onion 2.3.3 is here!", "changes": [ - { "summary": "Elastic components have been upgraded to 7.9.3." }, - { "summary": "Fixed an issue where curator was unable to delete a closed index." }, + { "summary": "Updated salt to 3002.1 to address CVE-2020-16846, CVE-2020-17490, CVE-2020-25592." }, { "summary": "Cheat sheet is now available for airgap installs." }, { "summary": "Known Issues
  • It is still possible to update your grid from any release candidate to 2.3. However, if you have a true production deployment, then we recommend a fresh image and install for best results.
  • In 2.3.0 we made some changes to data types in the elastic index templates. This will cause some errors in Kibana around field conflicts. You can address this in 2 ways:
    1. Delete all the data on the ES nodes preserving all of your other settings suchs as BPFs by running sudo so-elastic-clear on all the search nodes
    2. Re-Index the data. This is not a quick process but you can find more information at https://docs.securityonion.net/en/2.3/elasticsearch.html#re-indexing
  • Please be patient as we update our documentation. We have made a concerted effort to update as much as possible but some things still may be incorrect or ommited. If you have questions or feedback, please start a discussion at https://securityonion.net/discuss.
  • Once you update your grid to 2.3.0, any new nodes that join the grid must be 2.3.0. For example, if you try to join a new RC1 node it will fail. For best results, use the latest ISO (or 2.3.0 installer from github) when joining to an 2.3.0 grid.
  • Shipping Windows Eventlogs with Osquery will fail intermittently with utf8 errors logged in the Application log. This is scheduled to be fixed in Osquery 4.5.
  • When running soup to upgrade from RC1/RC2/RC3 to 2.3.0, there is a Salt error that occurs during the final highstate. This error is related to the patch_os_schedule and can be ignored as it will not occur again in subsequent highstates.
  • When Search Nodes are upgraded from RC1 to 2.3.0, there is a chance of a race condition where certificates are missing. This will show errors in the manager log to the remote node. To fix this run the following on the search node that is having the issue:
    1. Stop elasticsearch - sudo so-elasticsearch-stop
    2. Run the SSL state - sudo salt-call state.apply ssl
    3. Restart elasticsearch - sudo so-elasticsearch-restart
  • If you are upgrading from RC1 you might see errors around registry:2 missing. This error does not break the actual upgrade. To fix, run the following on the manager:
    1. Stop the Docker registry - sudo docker stop so-dockerregistry
    2. Remove the container - sudo docker rm so-dockerregistry
    3. Run the registry state - sudo salt-call state.apply registry
" } ] From 6b144903fc7a86839608abbe050ff04b0eea80ed Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 4 Nov 2020 13:47:37 -0500 Subject: [PATCH 17/17] Update VERIFY_ISO.md --- VERIFY_ISO.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index f6dc51b60..256868b00 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,16 +1,16 @@ -### 2.3.2 ISO image built on 2020/10/25 +### 2.3.3 ISO image built on 2020/10/25 ### Download and Verify -2.3.2 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.2.iso +2.3.3 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.3.iso MD5: 8010C32803CD62AA3F61487524E37049 SHA1: DCA300424C9DF81A4F332B8AA3945E18779C9D28 SHA256: 1099494AA3E476D682746AAD9C2BD7DED292589DFAAB7B517933336C07AA01D0 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.2.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.3.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
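Review bot: The MD5/SHA1/SHA256 values left unchanged under the new `2.3.3 ISO image` heading are byte-for-byte the ones patch 01 of this series assigned to the republished 2.3.2 ISO, and the build date stays 2020/10/25, while the same series' changes.json states that 2.3.3 updates Salt to 3002.1 for three CVEs. If the 2.3.3 ISO is the 2.3.2 image republished under a new name, a fresh ISO install boots with the previous Salt until soup runs and this page should say so explicitly; if the ISO was actually rebuilt with the new packages.lst, its hashes and the `.sig` cannot be identical and need regenerating. Either way the heading `### 2.3.3 ISO image built on 2020/10/25` should reflect which it is, since this file is what users rely on to verify what they are installing.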
@@ -24,17 +24,17 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.2.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.3.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.2.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.3.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.2.iso.sig securityonion-2.3.2.iso +gpg --verify securityonion-2.3.3.iso.sig securityonion-2.3.3.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: