From 79854f111ed7944a56e84b203bf24a65050e872a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 19 Oct 2020 10:27:40 -0400 Subject: [PATCH 01/22] add 514 tcp listener to filebeat docker and add syslog listener to fb config for manager and manager search - https://github.com/Security-Onion-Solutions/securityonion/issues/1551 --- salt/filebeat/etc/filebeat.yml | 2 +- salt/filebeat/init.sls | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 99f1de188..0ba7720fc 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -74,7 +74,7 @@ filebeat.modules: # List of prospectors to fetch data. filebeat.inputs: #------------------------------ Log prospector -------------------------------- -{%- if grains['role'] in ['so-sensor', "so-eval", "so-helix", "so-heavynode", "so-standalone", "so-import"] %} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %} - type: udp enabled: true host: "0.0.0.0:514" diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 6bbcea8b4..b770f7cc8 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -82,6 +82,7 @@ so-filebeat: - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro - port_bindings: - 0.0.0.0:514:514/udp + - 0.0.0.0:514:514/tcp - watch: - file: /opt/so/conf/filebeat/etc/filebeat.yml From 10e4248cfc344561f50376f0cbad9e85871fc778 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 19 Oct 2020 16:10:20 -0400 Subject: [PATCH 02/22] and node that gets filebeat state now can listen for syslog - https://github.com/Security-Onion-Solutions/securityonion/issues/1551 --- salt/filebeat/etc/filebeat.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 0ba7720fc..3587b6ffd 100644 --- a/salt/filebeat/etc/filebeat.yml 
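Review bot: The init.sls hunk publishes `0.0.0.0:514:514/tcp` next to the existing udp mapping, but the filebeat.yml hunk only shows a `type: udp` input on `host: "0.0.0.0:514"`; unless a `type: tcp` input exists further down the file, the new mapping exposes a host port with nothing behind it, so please confirm one is defined. Because Docker-published ports are evaluated in the DOCKER-USER chain rather than INPUT, adding `so-manager` and `so-managersearch` to the role list here does not by itself restrict who can reach the listener; the restriction has to come from the firewall map (this series adds syslog hostgroups there in a later commit), and a comment on the input, `# bound on every interface: reachability is limited by the DOCKER-USER rules in salt/firewall`, would make that dependency visible. For the TCP side, Filebeat's `max_connections` and `max_message_size` input settings are worth setting explicitly so an unauthenticated peer cannot hold connections open or push oversized frames; confirm the tcp input carries them.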
+++ b/salt/filebeat/etc/filebeat.yml @@ -74,7 +74,6 @@ filebeat.modules: # List of prospectors to fetch data. filebeat.inputs: #------------------------------ Log prospector -------------------------------- -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %} - type: udp enabled: true host: "0.0.0.0:514" @@ -100,6 +99,8 @@ filebeat.inputs: - drop_fields: fields: ["source", "prospector", "input", "offset", "beat"] fields_under_root: true + +{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %} {%- if ZEEKVER != 'SURICATA' %} {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %} - type: log From a119d8f27d11b8078273596db9a93c652b404256 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 20 Oct 2020 11:28:49 -0400 Subject: [PATCH 03/22] Fix config for airgap installs --- salt/soc/files/soc/soc.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 54d24bde7..f5b831dc1 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -16,7 +16,7 @@ "baseUrl": "/", "maxPacketCount": 5000, "htmlDir": "html", - {%- if ISAIRGAP is sameas true -%} + {%- if ISAIRGAP is sameas true %} "airgapEnabled": true, {%- else %} "airgapEnabled": false, @@ -54,7 +54,7 @@ } }, "client": { - {%- if ISAIRGAP is sameas true -%} + {%- if ISAIRGAP is sameas true %} "docsUrl": "/docs/, {%- else %} "docsUrl": "https://docs.securityonion.net/en/2.3/", From 4a9fcfb8cf9ae9631d77b7acd7a5451efd22496b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 20 Oct 2020 13:17:40 -0400 Subject: [PATCH 04/22] Fix missing quote --- salt/soc/files/soc/soc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index f5b831dc1..61c4ab6bb 100644 --- a/salt/soc/files/soc/soc.json 
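Review bot: The role guard re-added before `{%- if ZEEKVER != 'SURICATA' %}` has its matching `{%- endif %}` outside the hunk, so it is not visible here whether the guard closes where the old one did or now also wraps prospectors that follow the Zeek loop; please confirm the endif placement. Removing the guard from the `type: udp` block means every role that renders this template listens on 514, including roles that previously did not; that matches the commit message, but a comment above the input, `# syslog input is rendered for every role; exposure is controlled by the firewall map, not here`, would stop the next reader from re-adding the guard.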
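Review bot: soc.json is JSON assembled by Jinja, and this hunk shows that a single whitespace-control flag (`-%}` versus `%}`) decides whether the rendered file parses; the `"docsUrl": "/docs/,` context line in the second hunk shows the same fragility. A render-time check that parses the output with a JSON loader (for example `check_cmd` on the `file.managed` state running `python3 -c 'import json,sys; json.load(sys.stdin)'`) would reject such templates before SOC reads them. A short comment at the top of the file noting that `-%}` must not be used on the `if`/`else` tags here would also help.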
+++ b/salt/soc/files/soc/soc.json
@@ -55,7 +55,7 @@
 },
 "client": {
 {%- if ISAIRGAP is sameas true %}
- "docsUrl": "/docs/,
+ "docsUrl": "/docs/",
 {%- else %}
 "docsUrl": "https://docs.securityonion.net/en/2.3/",
 {%- endif %}
From d37ddf584a341f925325bc0f1624fbaab05c532c Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 20 Oct 2020 14:12:18 -0400
Subject: [PATCH 05/22] Correct quick action defaults
---
 salt/soc/files/soc/alerts.actions.json | 10 +++++-----
 salt/soc/files/soc/hunt.actions.json | 9 ++++-----
 2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/salt/soc/files/soc/alerts.actions.json b/salt/soc/files/soc/alerts.actions.json
index 2c3bdaf31..5924750a4 100644
--- a/salt/soc/files/soc/alerts.actions.json
+++ b/salt/soc/files/soc/alerts.actions.json
@@ -1,6 +1,6 @@
 [
- { "name": "", "description": "actionHuntHelp", "icon": "fa-search", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" },
- { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" },
- { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
- { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
- ]
\ No newline at end of file
+ { "name": "", "description": "actionHuntHelp", "icon": "fa-crosshairs", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" },
+ { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" },
+ { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
+ { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
+]
\ No newline at end of file
diff --git a/salt/soc/files/soc/hunt.actions.json b/salt/soc/files/soc/hunt.actions.json
index 2c3bdaf31..82f9731ed 100644
--- a/salt/soc/files/soc/hunt.actions.json
+++ b/salt/soc/files/soc/hunt.actions.json
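Review bot: `{value}` is spliced straight into the `link` templates here (`/#/hunt?q=\"{value}\" ...`, `https://www.google.com/search?q={value}`), and nothing in this file says whether SOC URL-encodes the substituted field value; a value containing `"`, `&` or `#` would break the hunt query or the external URL, so the encoding contract belongs in a comment or in the documentation for alerts.actions.json and hunt.actions.json (the hunt.actions.json hunk below has the same shape). The two `"target": "_blank"` entries send the raw field value to Google and VirusTotal; since these are the shipped defaults, a line in the docs noting that external lookups disclose indicators to third parties lets operators of sensitive environments remove them deliberately rather than discover it later.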
@@ -1,6 +1,5 @@
 [
- { "name": "", "description": "actionHuntHelp", "icon": "fa-search", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" },
- { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" },
- { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
- { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
- ]
\ No newline at end of file
+ { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" },
+ { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
+ { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
+]
\ No newline at end of file
From 4765ef5f5cbfd663f0a8c77391b26b9f35183008 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 20 Oct 2020 22:14:23 -0400
Subject: [PATCH 06/22] Change rule_ruleset to rule.ruleset
---
 salt/elasticsearch/files/ingest/common.nids | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/common.nids b/salt/elasticsearch/files/ingest/common.nids
index 25d24926c..df6af7a85 100644
--- a/salt/elasticsearch/files/ingest/common.nids
+++ b/salt/elasticsearch/files/ingest/common.nids
@@ -6,7 +6,7 @@ { "set": { "if": "ctx.rule?.uuid > 1999999", "field": "rule.reference", "value": "https://doc.emergingthreats.net/{{rule.uuid}}" } }, { "convert": { "if": "ctx.rule.uuid != null", "field": "rule.uuid", "type": "string" } }, { "dissect": { "if": "ctx.rule.name != null", "field": "rule.name", "pattern" : "%{rule_type} %{rest_of_rulename} ", "ignore_failure": true } }, - { "set": { "if": "ctx.rule_type == 'GPL'", "field": "rule_ruleset", "value": "Snort GPL" } }, + { "set": { "if": "ctx.rule_type == 'GPL'", "field": "rule.ruleset", "value": "Snort GPL" } }, { "set": { "if": "ctx.rule_type == 'ET'", "field": "rule.ruleset", "value": "Emerging Threats" } }, { "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } }, { "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } }, From 5f43380aa0cb665e681885cb271cbdb9ddd9238e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 21 Oct 2020 11:20:34 -0400 Subject: [PATCH 07/22] add firewall rules for syslog --- salt/firewall/assigned_hostgroups.map.yaml | 23 ++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 6d6a181ac..cfb774cd9 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -424,6 +424,12 @@ role: elasticsearch_rest: portgroups: - {{ portgroups.elasticsearch_rest }} + self: + portgroups: + - {{ portgroups.syslog}} + syslog: + portgroups: + - {{ portgroups.syslog }} INPUT: hostgroups: anywhere: @@ -437,6 +443,14 @@ role: - {{ portgroups.all }} sensor: chain: + DOCKER-USER: + hostgroups: + self: + portgroups: + - {{ portgroups.syslog}} + syslog: + portgroups: + - {{ portgroups.syslog }} INPUT: hostgroups: anywhere: 
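Review bot: The corrected `set` now writes `rule.ruleset`, but the `dissect` processor directly above still produces the scratch fields `rule_type` and `rest_of_rulename` at the document root, and no processor in this hunk removes them; if nothing later in the pipeline does, every NIDS event indexes both strings under non-ECS names. Adding `{ "remove": { "field": ["rule_type", "rest_of_rulename"], "ignore_missing": true } }` after the two `rule.ruleset` setters would keep the mapping clean. The pipeline continues outside the hunk, so this may already be handled further down.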
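Review bot: The new `self` hostgroup entry writes `{{ portgroups.syslog}}` without the space before `}}` while the `syslog` hostgroup three lines later uses `{{ portgroups.syslog }}`; Jinja renders both, but the inconsistency reads as a typo and recurs in the `@@ -437` hunk and in both hunks of this file on the next line. Normalising every occurrence to `- {{ portgroups.syslog }}` keeps text searches for which roles open syslog reliable. The `self` hostgroup opening the syslog portgroup on the DOCKER-USER chain also deserves a one-line comment stating why a node must reach its own listener.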
@@ -463,6 +477,12 @@ role: elasticsearch_rest: portgroups: - {{ portgroups.elasticsearch_rest }} + self: + portgroups: + - {{ portgroups.syslog}} + syslog: + portgroups: + - {{ portgroups.syslog }} INPUT: hostgroups: anywhere: @@ -533,6 +553,9 @@ role: self: portgroups: - {{ portgroups.syslog}} + syslog: + portgroups: + - {{ portgroups.syslog }} beats_endpoint: portgroups: - {{ portgroups.beats_5044 }} From 8805fef187b87f5c630d9a54ab55dd68fd141bd8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 21 Oct 2020 12:43:28 -0400 Subject: [PATCH 08/22] firewall to allow search nodes to connect to beats on manager --- salt/firewall/assigned_hostgroups.map.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index cfb774cd9..b3989a36c 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -134,6 +134,7 @@ role: - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} + - {{ portgroups.beats_5644 }} self: portgroups: - {{ portgroups.syslog}} From ef1e05db3e64893fc82b2f9d7a5bfe873c94b78e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 21 Oct 2020 14:41:03 -0400 Subject: [PATCH 09/22] only allow hosts in syslog host group to connect to manager type nodes --- salt/firewall/assigned_hostgroups.map.yaml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index b3989a36c..cb2de370c 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -428,9 +428,6 @@ role: self: portgroups: - {{ portgroups.syslog}} - syslog: - portgroups: - - {{ portgroups.syslog }} INPUT: hostgroups: anywhere: @@ -449,9 +446,6 @@ role: self: portgroups: - {{ portgroups.syslog}} - syslog: - portgroups: - - {{ portgroups.syslog }} INPUT: hostgroups: anywhere: 
@@ -481,9 +475,6 @@ role: self: portgroups: - {{ portgroups.syslog}} - syslog: - portgroups: - - {{ portgroups.syslog }} INPUT: hostgroups: anywhere:
@@ -551,12 +542,6 @@ role: portgroups: - {{ portgroups.redis }} - {{ portgroups.elasticsearch_node }} - self: - portgroups: - - {{ portgroups.syslog}} - syslog: - portgroups: - - {{ portgroups.syslog }} beats_endpoint: portgroups: - {{ portgroups.beats_5044 }}
From 32294eb2ed30ac74b15bb4bfab687084a928daf2 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 21 Oct 2020 15:34:35 -0400
Subject: [PATCH 10/22] fix arg for so-firewall addhostgroup
---
 salt/common/tools/sbin/so-firewall | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall
index c0acc7c98..7f9acf080 100755
--- a/salt/common/tools/sbin/so-firewall
+++ b/salt/common/tools/sbin/so-firewall
@@ -116,7 +116,7 @@ def addhostgroup(args):
 print('Missing host group name argument', file=sys.stderr)
 showUsage(args)
- name = args[1]
+ name = args[0]
 content = loadYaml(hostgroupsFilename)
 if name in content['firewall']['hostgroups']:
 print('Already exists', file=sys.stderr)
From 712dc6b27740f29563bfd033f89e2efe8435daf3 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 21 Oct 2020 16:47:48 -0400
Subject: [PATCH 11/22] fix grabbing soversion in so-features-enable
---
 salt/common/tools/sbin/so-features-enable | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-features-enable b/salt/common/tools/sbin/so-features-enable
index ae8981fe9..0f2d694fe 100755
--- a/salt/common/tools/sbin/so-features-enable
+++ b/salt/common/tools/sbin/so-features-enable
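Review bot: `name = args[0]` fixes the index, but the missing-argument branch just above calls `showUsage(args)` and then falls through to this line; unless `showUsage` exits the process, an empty `args` now raises `IndexError` instead of showing the usage text. Making the branch explicit, `showUsage(args); return 1` (or `sys.exit(1)`), removes the dependency on `showUsage`'s behaviour; the guard's condition and the start of `addhostgroup` are outside the hunk. `name` then becomes a key in `content['firewall']['hostgroups']`, and nothing visible checks it is a plain identifier, so a check restricted to letters, digits, `_` and `-` before it is written to the YAML would keep odd keys out of the firewall map.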
@@ -51,7 +51,7 @@ manager_check() {
 }
 manager_check
-VERSION=$(grep soversion $local_salt_dir/pillar/global.sls | cut -d':' -f2|sed 's/ //g')
+VERSION=$(lookup_pillar soversion)
 # Modify global.sls to enable Features
 sed -i 's/features: False/features: True/' $local_salt_dir/pillar/global.sls
 SUFFIX="-features"
From 905fcd06a6e4fece3a66bac1333e9bbe74d94228 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 22 Oct 2020 08:51:40 -0400
Subject: [PATCH 12/22] Remove old 2.3.0 dockers
---
 salt/docker_clean/init.sls | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/docker_clean/init.sls b/salt/docker_clean/init.sls
index 1a73fae7e..795b96e3a 100644
--- a/salt/docker_clean/init.sls
+++ b/salt/docker_clean/init.sls
@@ -1,6 +1,6 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
-{% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3']%}
+{% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3','2.3.0']%}
 {% for VERSION in OLDVERSIONS %}
 remove_images_{{ VERSION }}:
@@ -42,4 +42,4 @@ remove_images_{{ VERSION }}:
 - '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-thehive-es:{{ VERSION }}'
 - '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-wazuh:{{ VERSION }}'
 - '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}'
-{% endfor %}
\ No newline at end of file
+{% endfor %}
From 460a39146088f13b75ce050abc5d8532468d7bb5 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 22 Oct 2020 10:00:20 -0400
Subject: [PATCH 13/22] Update changes.json
---
 salt/soc/files/soc/changes.json | 28 ++++++++--------------------
 1 file changed, 8 insertions(+), 20 deletions(-)
diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json
index e7caffafc..5aa9b220b 100644
--- a/salt/soc/files/soc/changes.json
+++ b/salt/soc/files/soc/changes.json
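Review bot: `VERSION=$(lookup_pillar soversion)` is a cleaner source than the old `grep`/`cut`/`sed` chain, but neither form checks for an empty result, and `VERSION` feeds the `SUFFIX`-based image tag logic that continues below the hunk; an empty pillar value would silently produce a malformed tag. A guard right after the assignment, `[ -n "$VERSION" ] || { echo "soversion not found in pillar" >&2; exit 1; }`, fails early with a clear message. `lookup_pillar` is defined outside this hunk, presumably in the sourced helper library that also provides `manager_check` on the line above; confirm it is loaded before this point.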
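Review bot: `OLDVERSIONS` is an exact-tag list, so adding `'2.3.0'` means every `so-*:2.3.0` image is removed on the next highstate; that is the intent, but nothing here guards against an entry matching the version the grid currently runs, and elsewhere in this series the VERSION file is set to `2.3.10` while README.md and changes.json say `2.3.1`, so the deployed tag is worth confirming before this state ships. A comment above the list, `# tags listed here are deleted unconditionally; never add the version this grid currently runs`, plus a Jinja guard that skips a `remove_images` entry when it equals the grid's `soversion` pillar value (read the same way so-features-enable does), would make the removal safe by construction.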
@@ -1,25 +1,13 @@ { - "title": "Security Onion 2.3.0 is here!", + "title": "Security Onion 2.3.1 is here!", "changes": [ - { "summary": "We have a new Alerts interface for reviewing alerts and acknowledging or escalating them. Escalating creates a new case in TheHive. Please note that TheHive no longer receives alerts directly." }, - { "summary": "Kibana no longer presents the option to create alerts from events, but instead allows creation of cases from events." }, - { "summary": "Our Security Onion ISO now works for UEFI as well as Secure Boot." }, - { "summary": "Airgap deployments can now be updated using the latest ISO. Please read this documentation carefully." }, - { "summary": "Suricata has been updated to version 5.0.4." }, - { "summary": "Zeek has been updated to version 3.0.11." }, - { "summary": "Stenographer has been updated to the latest version." }, - { "summary": "soup will now attempt to clean up old docker images to free up space." }, - { "summary": "Hunt actions can be customized via hunt.actions.json." }, - { "summary": "Hunt queries can be customized via hunt.queries.json." }, - { "summary": "Hunt event fields can be customized via hunt.eventfields.json." }, - { "summary": "Alerts actions can be customized via alerts.actions.json." }, - { "summary": "Alerts queries can be customized via alerts.queries.json." }, - { "summary": "Alerts event fields can be customized via alerts.eventfields.json." }, - { "summary": "The help documentation is now viewable offline for airgap installations." }, - { "summary": "The script so-user-add will now validate the password is acceptable before attempting to create the user." }, - { "summary": "Playbook and Grafana no longer use static passwords for their admin accounts." }, - { "summary": "Analyst VM now comes with NetworkMiner 2.6 installed." }, - { "summary": "Strelka YARA matches now generate alerts that can be viewed through the Alerts interface." 
}, + { "summary": "Fixed a SOC issue in airgap mode that was preventing people from logging in." }, + { "summary": "Downloading Elastic features images will now download the correct images." }, + { "summary": "Winlogbeat download no longer requires Internet access." }, + { "summary": "Adjusted Alerts quick action bar to allow searching for a specific value while remaining in Alerts view." }, + { "summary": "/nsm will properly display disk usage on the standalone Grafana dashboard." }, + { "summary": "The manager node now has syslog listener enabled by default (you'll still need to allow syslog traffic through the firewall of course)." }, + { "summary": "Fixed an issue when creating host groups with so-firewall." }, { "summary": "Known Issues
  • It is still possible to update your grid from any release candidate to 2.3. However, if you have a true production deployment, then we recommend a fresh image and install for best results.
  • In 2.3.0 we made some changes to data types in the elastic index templates. This will cause some errors in Kibana around field conflicts. You can address this in 2 ways:
    1. Delete all the data on the ES nodes preserving all of your other settings suchs as BPFs by running sudo so-elastic-clear on all the search nodes
    2. Re-Index the data. This is not a quick process but you can find more information at https://docs.securityonion.net/en/2.3/elasticsearch.html#re-indexing
  • Please be patient as we update our documentation. We have made a concerted effort to update as much as possible but some things still may be incorrect or ommited. If you have questions or feedback, please start a discussion at https://securityonion.net/discuss.
  • Once you update your grid to 2.3.0, any new nodes that join the grid must be 2.3.0. For example, if you try to join a new RC1 node it will fail. For best results, use the latest ISO (or 2.3.0 installer from github) when joining to an 2.3.0 grid.
  • Shipping Windows Eventlogs with Osquery will fail intermittently with utf8 errors logged in the Application log. This is scheduled to be fixed in Osquery 4.5.
  • When running soup to upgrade from RC1/RC2/RC3 to 2.3.0, there is a Salt error that occurs during the final highstate. This error is related to the patch_os_schedule and can be ignored as it will not occur again in subsequent highstates.
  • When Search Nodes are upgraded from RC1 to 2.3.0, there is a chance of a race condition where certificates are missing. This will show errors in the manager log to the remote node. To fix this run the following on the search node that is having the issue:
    1. Stop elasticsearch - sudo so-elasticsearch-stop
    2. Run the SSL state - sudo salt-call state.apply ssl
    3. Restart elasticsearch - sudo so-elasticsearch-restart
  • If you are upgrading from RC1 you might see errors around registry:2 missing. This error does not break the actual upgrade. To fix, run the following on the manager:
    1. Stop the Docker registry - sudo docker stop so-dockerregistry
    2. Remove the container - sudo docker rm so-dockerregistry
    3. Run the registry state - sudo salt-call state.apply registry
" } ] } From 172ca9aa8ded0391048e716de80a173ce7804b6f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 22 Oct 2020 10:52:34 -0400 Subject: [PATCH 14/22] add option to enable or disable to steno docker container - https://github.com/Security-Onion-Solutions/securityonion/issues/1601 --- salt/pcap/init.sls | 6 +++--- salt/pcap/map.jinja | 17 +++++++++++++---- 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index a82e0fb8d..ade70d718 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -23,7 +23,7 @@ {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} {% set BPF_STENO = salt['pillar.get']('steno:bpf', None) %} {% set BPF_COMPILED = "" %} -{% from "pcap/map.jinja" import START with context %} +{% from "pcap/map.jinja" import STENOOPTIONS with context %} # PCAP Section @@ -135,9 +135,9 @@ sensoronilog: - makedirs: True so-steno: - docker_container.running: + docker_container.{{ STENOOPTIONS.status }}: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-steno:{{ VERSION }} - - start: {{ START }} + - start: {{ STENOOPTIONS.start }} - network_mode: host - privileged: True - port_bindings: diff --git a/salt/pcap/map.jinja b/salt/pcap/map.jinja index ad4d70e80..e37dfb126 100644 --- a/salt/pcap/map.jinja +++ b/salt/pcap/map.jinja 
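Review bot: `docker_container.{{ STENOOPTIONS.status }}:` swaps the state function between `running` and `stopped`, but the argument list under it (`image`, `start`, `network_mode`, `privileged`, `port_bindings` …) belongs to `running`; whether `docker_container.stopped` accepts those kwargs depends on the Salt release in use, and if it does not, the disabled case errors on every highstate instead of stopping steno. Keeping the `running` state intact and selecting the branch in Jinja avoids the question; the remaining container arguments and `so-steno`'s other requisites continue past the hunk.
```yaml
so-steno:
{%- if STENOOPTIONS.status == 'running' %}
  docker_container.running:
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-steno:{{ VERSION }}
    - start: {{ STENOOPTIONS.start }}
    # … unchanged: network_mode, privileged, port_bindings and the rest of the running args …
{%- else %}
  docker_container.stopped:
    - name: so-steno
{%- endif %}
```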
@@ -1,6 +1,15 @@
-# don't start the docker container if it is an import node
-{% if grains.id.split('_')|last == 'import' %}
- {% set START = False %}
+{% set PCAPOPTIONS = {} %}
+{% set ENABLED = salt['pillar.get']('steno:enabled', 'True') %}
+
+# don't start the docker container if it is an import node or disabled via pillar
+{% if grains.id.split('_')|last == 'import' || ENABLED is sameas false %}
+ {% set PCAPOPTIONS['start'] = False %}
 {% else %}
- {% set START = True %}
+ {% set PCAPOPTIONS['start'] = True %}
+{% endif %}
+
+{% if ENABLED is sameas false %}
+ {% set PCAPOPTIONS['status'] = 'stopped' %}
+{% else %}
+ {% set PCAPOPTIONS['status'] = 'running' %}
 {% endif %}
\ No newline at end of file
From aa59eff1ac1d128834dbe2723d9138853a3db9e0 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 22 Oct 2020 10:59:03 -0400
Subject: [PATCH 15/22] fix if statement
---
 salt/pcap/map.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/pcap/map.jinja b/salt/pcap/map.jinja
index e37dfb126..8f8608ce5 100644
--- a/salt/pcap/map.jinja
+++ b/salt/pcap/map.jinja
@@ -2,7 +2,7 @@
 {% set ENABLED = salt['pillar.get']('steno:enabled', 'True') %}
 # don't start the docker container if it is an import node or disabled via pillar
-{% if grains.id.split('_')|last == 'import' || ENABLED is sameas false %}
+{% if grains.id.split('_')|last == 'import' or ENABLED is sameas false %}
 {% set PCAPOPTIONS['start'] = False %}
 {% else %}
 {% set PCAPOPTIONS['start'] = True %}
From 0b6b6e38fc7d6be68a7ff8ef62ebe77d630d8c89 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 22 Oct 2020 11:24:18 -0400
Subject: [PATCH 16/22] fix map for steno
---
 salt/pcap/map.jinja | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/salt/pcap/map.jinja b/salt/pcap/map.jinja
index 8f8608ce5..b3c746bcc 100644
--- a/salt/pcap/map.jinja
+++ b/salt/pcap/map.jinja
@@ -1,15 +1,15 @@
-{% set PCAPOPTIONS = {} %}
+{% set STENOOPTIONS = {} %}
 {% set ENABLED = salt['pillar.get']('steno:enabled', 'True') %}
 # don't start the docker container if it is an import node or disabled via pillar
 {% if grains.id.split('_')|last == 'import' or ENABLED is sameas false %}
- {% set PCAPOPTIONS['start'] = False %}
+ {% do STENOOPTIONS.update({'start': False}) %}
 {% else %}
- {% set PCAPOPTIONS['start'] = True %}
+ {% do STENOOPTIONS.update({'start': True}) %}
 {% endif %}
 {% if ENABLED is sameas false %}
- {% set PCAPOPTIONS['status'] = 'stopped' %}
+ {% do STENOOPTIONS.update({'status': 'stopped'}) %}
 {% else %}
- {% set PCAPOPTIONS['status'] = 'running' %}
+ {% do STENOOPTIONS.update({'status': 'running'}) %}
 {% endif %}
\ No newline at end of file
From 92d397d573a71df9b6151ba5438f6e21de438cf9 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 22 Oct 2020 11:59:39 -0400
Subject: [PATCH 17/22] Update ISO instructions
---
 VERIFY_ISO.md | 22 +++++++++++-----------
 sigs/securityonion-2.3.1.iso.sig | Bin 0 -> 543 bytes
 2 files changed, 11 insertions(+), 11 deletions(-)
 create mode 100644 sigs/securityonion-2.3.1.iso.sig
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index 1fcb48734..26b926971 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
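Review bot: `salt['pillar.get']('steno:enabled', 'True')` defaults to the string `'True'` while both tests use `ENABLED is sameas false`, which matches only the YAML boolean; a pillar value written as the string `"false"` or `"False"` (easy to get from quoting in YAML) keeps steno running, and the string default is inconsistent with the boolean comparison. Defaulting to the boolean, `{% set ENABLED = salt['pillar.get']('steno:enabled', True) %}`, keeps the two sides of the comparison the same type, and the identical `'True'` default appears again in the so-status change later in this series (`{%- if salt['pillar.get']('steno:enabled', 'True') is sameas false %}`), so both should move together. A comment above the first `if`, `# only a boolean false in the steno:enabled pillar disables the container; quoted strings are ignored`, would document the current contract if it is kept.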
@@ -1,16 +1,16 @@ -### 2.3.0 ISO image built on 2020/10/15 +### 2.3.1 ISO image built on 2020/10/22 ### Download and Verify -2.3.0 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.0.iso +2.3.1 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.1.iso -MD5: E05B220E4FD7C054DF5C50906EE1375B -SHA1: 55E93C6EAB140AB4A0F07873CC871EBFDC699CD6 -SHA256: 57B96A6E0951143E123BFC0CD0404F7466776E69F3C115F5A0444C0C6D5A6E32 +MD5: EF2DEBCCBAE0B0BCCC906552B5FF918A +SHA1: 16AFCACB102BD217A038044D64E7A86DA351640E +SHA256: 7125F90B6323179D0D29F5745681BE995BD2615E64FA1E0046D94888A72C539E Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.0.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.1.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -24,22 +24,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.0.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.1.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.0.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.1.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.0.iso.sig securityonion-2.3.0.iso +gpg --verify securityonion-2.3.1.iso.sig securityonion-2.3.1.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Thu 15 Oct 2020 08:06:28 PM EDT using RSA key ID FE507013 +gpg: Signature made Thu 22 Oct 2020 10:34:27 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.3.1.iso.sig b/sigs/securityonion-2.3.1.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..751cb380a3d1786a6d9b4508bfbd0eb0dc61423c GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;4@m~#LM2@re`V7LBIa1(KF5CEnpg0~t$4(aHjfrFvP zzuOB2jE2;ww!N!e(96=qlL1xbBVEGGI^%k(jFd7{Jecl={))P}GeEQ9NU^o|qqHD~ zACY-Up;cs_k*D3|g zfWq{D{8a0h_EP|1T{_GJHMcZqbjfOF^vl0#^2nqEDXYc17+Q3N_^%qcP16WbK%s%) zO*3%`5rCp>NLQtxFhRRB*tpS~+FVs*aYIL5jPIM3Jlcj^Bgc*CTswWZ##1S7;V8lj z`-0@Dkp0XxbvQzUHe@e5u31S(RL5G}Ps}V7=EIl1%Vg!r*lt%S*bcQIL_u zHPjMy=Y02nj2GbI+ph0-o9*T2W2S#o7Z19m>{Qj?7A*9^1V;=g#7Qn=Y(S%1fopdi zqU3OSZT6Hk;_q8=+j?tmqbuOdQ&&qer6D=*De(2M(Jtr#HImqKaIf76L;|qQ3-a-8 h&3=opHm0JUmlcQ-t*A9@anSpaV=jM_*!_SYLqh_~4-EhS literal 0 HcmV?d00001 
From 0bfdef274b96202dd4e3e89f9eee13feb98a4598 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 22 Oct 2020 12:09:19 -0400
Subject: [PATCH 18/22] update so-status to work with disabled containers - https://github.com/Security-Onion-Solutions/securityonion/issues/1601
---
 salt/common/tools/sbin/so-status | 18 +++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status
index 276720b8b..519d9f39d 100755
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -27,10 +27,15 @@ ERROR_STRING="ERROR"
 SUCCESS_STRING="OK"
 PENDING_STRING="PENDING"
 MISSING_STRING='MISSING'
+DISABLED_STRING='DISABLED'
 CALLER=$(ps -o comm= $PPID)
 declare -a BAD_STATUSES=("removing" "paused" "exited" "dead")
 declare -a PENDING_STATUSES=("paused" "created" "restarting")
 declare -a GOOD_STATUSES=("running")
+declare -a DISABLED_CONTAINERS=()
+{%- if salt['pillar.get']('steno:enabled', 'True') is sameas false %}
+DISABLED_CONTAINERS+=("so-steno")
+{%- endif %}
 declare -a temp_container_name_list=()
 declare -a temp_container_state_list=()
@@ -104,6 +109,7 @@ populate_container_lists() {
 parse_status() {
 local container_state=${1}
+ local service_name=${2}
 [[ $container_state = "missing" ]] && printf $MISSING_STRING && return 1
@@ -117,7 +123,13 @@ parse_status() {
 # This is technically not needed since the default is error state
 for state in "${BAD_STATUSES[@]}"; do
- [[ $container_state = "$state" ]] && printf $ERROR_STRING && return 1
+ if [[ " ${DISABLED_CONTAINERS[@]} " =~ " ${service_name} " ]]; then
+ printf $DISABLED_STRING
+ return 0
+ elif [[ $container_state = "$state" ]]; then
+ printf $ERROR_STRING
+ return 1
+ fi
 done
 printf $ERROR_STRING && return 1
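Review bot: The `DISABLED_CONTAINERS` membership test sits inside the `for state in "${BAD_STATUSES[@]}"` loop, so it runs once per bad status and, more importantly, only after the earlier `missing`, pending and good checks have not returned; a container that is disabled and therefore never created hits `[[ $container_state = "missing" ]]` first and reports `MISSING` with exit 1, which is exactly the case this commit is meant to cover. Hoisting the test to the top of `parse_status`, before the `missing` line, `if [[ " ${DISABLED_CONTAINERS[*]} " =~ " ${service_name} " ]]; then printf $DISABLED_STRING; return 0; fi`, gives one decision point and lets the loop keep its original one-line body (`[*]` is the form that joins the array into one string inside the quotes). The pending and good checks and the start of `parse_status` are outside the hunk.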
@@ -127,7 +139,7 @@ parse_status() {
 print_line() {
 local service_name=${1}
- local service_state="$( parse_status ${2} )"
+ local service_state="$( parse_status ${2} ${1} )"
 local columns=$(tput cols)
 local state_color="\e[0m"
@@ -137,7 +149,7 @@ print_line() {
 state_color="\e[1;31m"
 elif [[ $service_state = "$SUCCESS_STRING" ]]; then
 state_color="\e[1;32m"
- elif [[ $service_state = "$PENDING_STRING" ]]; then
+ elif [[ $service_state = "$PENDING_STRING" ]] || [[ $service_state = "$DISABLED_STRING" ]]; then
 state_color="\e[1;33m"
 fi
From 4a0796359b3a57e32f8f0bc0353973f47406e54d Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 22 Oct 2020 12:54:05 -0400
Subject: [PATCH 19/22] Update README.md
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 8619d0a5a..38e1d64dd 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-## Security Onion 2.3.0
+## Security Onion 2.3.1
-Security Onion 2.3.0 is here!
+Security Onion 2.3.1 is here!
 ### Release Notes
From 174bbc6cd94420ddd1a0b0781e226fce612d5aa7 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 22 Oct 2020 14:14:57 -0400
Subject: [PATCH 20/22] Update VERSION
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 2bf1c1ccf..9fa5f12ab 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3.1
+2.3.10
From 50a767ca6cbb9204a02ff9bda273c31baccf9d59 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 22 Oct 2020 14:52:07 -0400
Subject: [PATCH 21/22] dont list aptcacherng in so-status if user chose open updates during setup - https://github.com/Security-Onion-Solutions/securityonion/issues/1573
---
 salt/common/maps/manager.map.jinja | 7 +++++--
 salt/common/maps/managersearch.map.jinja | 7 +++++--
 salt/common/maps/standalone.map.jinja | 7 +++++--
 3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/salt/common/maps/manager.map.jinja b/salt/common/maps/manager.map.jinja
index 7eb2b7b6c..45358d017 100644
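Review bot: `parse_status ${2} ${1}` passes both arguments unquoted, so a container state or service name containing whitespace would split into extra positional parameters and `service_name` inside `parse_status` would be wrong; `local service_state="$( parse_status "${2}" "${1}" )"` keeps the two-argument contract the new `local service_name=${2}` relies on. The colour branch in the following hunk renders DISABLED like PENDING (yellow), which looks right for a deliberately stopped service; a short comment on that `elif`, `# disabled-by-pillar containers are informational, not errors`, would record the choice.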
--- a/salt/common/maps/manager.map.jinja
+++ b/salt/common/maps/manager.map.jinja
@@ -5,7 +5,6 @@
 'so-telegraf',
 'so-soc',
 'so-kratos',
- 'so-aptcacherng',
 'so-idstools',
 'so-redis',
 'so-elasticsearch',
@@ -15,4 +14,8 @@
 'so-filebeat',
 'so-soctopus'
 ]
-} %}
\ No newline at end of file
+} %}
+
+{% if salt['pillar.get']('global:managerupdate') == 1 %}
+ {% do docker.containers.append('so-aptcacherng') %}
+{% endif %}
\ No newline at end of file
diff --git a/salt/common/maps/managersearch.map.jinja b/salt/common/maps/managersearch.map.jinja
index f8e34a7c3..66c5afd43 100644
--- a/salt/common/maps/managersearch.map.jinja
+++ b/salt/common/maps/managersearch.map.jinja
@@ -4,7 +4,6 @@
 'so-telegraf',
 'so-soc',
 'so-kratos',
- 'so-aptcacherng',
 'so-idstools',
 'so-redis',
 'so-logstash',
@@ -15,4 +14,8 @@
 'so-filebeat',
 'so-soctopus'
 ]
-} %}
\ No newline at end of file
+} %}
+
+{% if salt['pillar.get']('global:managerupdate') == 1 %}
+ {% do docker.containers.append('so-aptcacherng') %}
+{% endif %}
\ No newline at end of file
diff --git a/salt/common/maps/standalone.map.jinja b/salt/common/maps/standalone.map.jinja
index d66cad1f9..ae3177f4b 100644
--- a/salt/common/maps/standalone.map.jinja
+++ b/salt/common/maps/standalone.map.jinja
@@ -4,7 +4,6 @@
 'so-telegraf',
 'so-soc',
 'so-kratos',
- 'so-aptcacherng',
 'so-idstools',
 'so-redis',
 'so-logstash',
@@ -19,4 +18,8 @@
 'so-soctopus',
 'so-sensoroni'
 ]
-} %}
\ No newline at end of file
+} %}
+
+{% if salt['pillar.get']('global:managerupdate') == 1 %}
+ {% do docker.containers.append('so-aptcacherng') %}
+{% endif %}
\ No newline at end of file
From 51ca66121903b01041ef537e79fee54bfff01c98 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 22 Oct 2020 14:54:34 -0400
Subject: [PATCH 22/22] update wording for USB device vs CDROM
---
 salt/common/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index e24b7f105..07848a31c 100755
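Review bot: `salt['pillar.get']('global:managerupdate') == 1` appends `so-aptcacherng` only when the pillar holds the integer 1; if the value is stored as the string `'1'`, or the key is absent and `pillar.get` returns None, the container silently drops out of the so-status list even on grids where it runs, and the same test is copied verbatim into managersearch.map.jinja and standalone.map.jinja below. Comparing on a normalised value, `{% if salt['pillar.get']('global:managerupdate')|string == '1' %}`, or computing the condition once in a shared map that the three files import, makes the copies behave identically. `docker.containers` is defined above the hunk; a comment above the `if`, `# so-aptcacherng only runs when OS updates are served through the manager (managerupdate == 1); open-updates grids skip it`, would explain the condition if that reading of the setup option is right.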
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -47,7 +47,7 @@ airgap_mounted() {
 echo "If you just copied the .iso file over you can specify the path."
 echo "If you burned the ISO to a disk the standard way you can specify the device."
 echo "Example: /home/user/securityonion-2.X.0.iso"
- echo "Example: /dev/cdrom"
+ echo "Example: /dev/sdx1"
 echo ""
 read -p 'Enter the location of the iso: ' ISOLOC
 if [ -f $ISOLOC ]; then
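Review bot: `echo "Example: /dev/sdx1"` reads as a literal device rather than a placeholder, and a user following the prompt verbatim would get a non-existent path; `echo "Example: /dev/sdb1 (your USB device; check with lsblk)"` makes the substitution obvious and points at the tool that reveals the right name. The prompt and test that follow, `read -p 'Enter the location of the iso: ' ISOLOC` and `if [ -f $ISOLOC ]; then`, are unchanged context but take the same input: `read -r -p …` avoids backslash mangling and `[ -f "$ISOLOC" ]` avoids word-splitting a path typed with spaces. The `airgap_mounted` function continues outside the hunk.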