diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml index 229e9f612..563b71c90 100644 --- a/.github/DISCUSSION_TEMPLATE/2-4.yml +++ b/.github/DISCUSSION_TEMPLATE/2-4.yml @@ -33,6 +33,7 @@ body: - 2.4.180 - 2.4.190 - 2.4.200 + - 2.4.210 - Other (please provide detail below) validations: required: true diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index f354ed191..a8d270efc 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,17 +1,17 @@ -### 2.4.190-20251024 ISO image released on 2025/10/24 +### 2.4.200-20251216 ISO image released on 2025/12/16 ### Download and Verify -2.4.190-20251024 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.190-20251024.iso +2.4.200-20251216 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.200-20251216.iso -MD5: 25358481FB876226499C011FC0710358 -SHA1: 0B26173C0CE136F2CA40A15046D1DFB78BCA1165 -SHA256: 4FD9F62EDA672408828B3C0C446FE5EA9FF3C4EE8488A7AB1101544A3C487872 +MD5: 07B38499952D1F2FD7B5AF10096D0043 +SHA1: 7F3A26839CA3CAEC2D90BB73D229D55E04C7D370 +SHA256: 8D3AC735873A2EA8527E16A6A08C34BD5018CBC0925AC4096E15A0C99F591D5F Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.190-20251024.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.200-20251216.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.190-20251024.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.200-20251216.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.190-20251024.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.200-20251216.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.190-20251024.iso.sig securityonion-2.4.190-20251024.iso +gpg --verify securityonion-2.4.200-20251216.iso.sig securityonion-2.4.200-20251216.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Thu 23 Oct 2025 07:21:46 AM EDT using RSA key ID FE507013 +gpg: Signature made Mon 15 Dec 2025 05:24:11 PM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/VERSION b/VERSION index 86df31761..b880b422c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.200 +2.4.210 diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index c9f77aa7d..38559e68c 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
@@ -857,53 +857,11 @@ elasticsearch:
composed_of:
- agent-mappings
- dtc-agent-mappings
- - base-mappings
- - dtc-base-mappings
- - client-mappings
- - dtc-client-mappings
- - container-mappings
- - destination-mappings
- - dtc-destination-mappings
- - pb-override-destination-mappings
- - dll-mappings
- - dns-mappings
- - dtc-dns-mappings
- - ecs-mappings
- - dtc-ecs-mappings
- - error-mappings
- - event-mappings
- - dtc-event-mappings
- - file-mappings
- - dtc-file-mappings
- - group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- - log-mappings
- metadata-mappings
- - network-mappings
- - dtc-network-mappings
- - observer-mappings
- - dtc-observer-mappings
- - organization-mappings
- - package-mappings
- - process-mappings
- - dtc-process-mappings
- - related-mappings
- - rule-mappings
- - dtc-rule-mappings
- - server-mappings
- - service-mappings
- - dtc-service-mappings
- - source-mappings
- - dtc-source-mappings
- - pb-override-source-mappings
- - threat-mappings
- - tls-mappings
- - url-mappings
- - user_agent-mappings
- - dtc-user_agent-mappings
- common-settings
- common-dynamic-mappings
data_stream:
diff --git a/salt/elasticsearch/files/ingest/kratos b/salt/elasticsearch/files/ingest/kratos
index 9551dad24..d59f45587 100644
--- a/salt/elasticsearch/files/ingest/kratos
+++ b/salt/elasticsearch/files/ingest/kratos
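Review bot: Dropping `event-mappings` and `dtc-event-mappings` from this `composed_of` list leaves `event.dataset` and `event.action`, which the kratos ingest pipeline in this same commit sets on every document, with no explicit mapping in this template; they will now be typed by whatever `common-dynamic-mappings` produces. The template's name is outside the hunk, but the `rollover_index "logs-kratos-so"` added to soup suggests this is the kratos template, whose SOC dashboards `groupby event.dataset`, so confirm the dynamic mapping yields `keyword` rather than `text` for these fields before the rollover ships. If the intent is to keep only the components kratos documents actually use, a one-line comment above `composed_of:` would save the next reader the same archaeology, e.g. `# kratos audit logs only need agent/host/http/metadata components; event.* is left to common-dynamic-mappings`.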
@@ -1,9 +1,90 @@
{
- "description" : "kratos",
- "processors" : [
- {"set":{"field":"audience","value":"access","override":false,"ignore_failure":true}},
- {"set":{"field":"event.dataset","ignore_empty_value":true,"ignore_failure":true,"value":"kratos.{{{audience}}}","media_type":"text/plain"}},
- {"set":{"field":"event.action","ignore_failure":true,"copy_from":"msg" }},
- { "pipeline": { "name": "common" } }
- ]
+ "description": "kratos",
+ "processors": [
+ {
+ "set": {
+ "field": "audience",
+ "value": "access",
+ "override": false,
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "field": "event.dataset",
+ "ignore_empty_value": true,
+ "ignore_failure": true,
+ "value": "kratos.{{{audience}}}",
+ "media_type": "text/plain"
+ }
+ },
+ {
+ "set": {
+ "field": "event.action",
+ "ignore_failure": true,
+ "copy_from": "msg"
+ }
+ },
+ {
+ "rename": {
+ "field": "http_request",
+ "target_field": "http.request",
+ "ignore_failure": true,
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "http_response",
+ "target_field": "http.response",
+ "ignore_failure": true,
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "http.request.path",
+ "target_field": "http.uri",
+ "ignore_failure": true,
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "http.request.method",
+ "target_field": "http.method",
+ "ignore_failure": true,
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "http.request.method",
+ "target_field": "http.method",
+ "ignore_failure": true,
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "http.request.query",
+ "target_field": "http.query",
+ "ignore_failure": true,
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "http.request.headers.user-agent",
+ "target_field": "http.useragent",
+ "ignore_failure": true,
+ "ignore_missing": true
+ }
+ },
+ {
+ "pipeline": {
+ "name": "common"
+ }
+ }
+ ]
}
\ No newline at end of file
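Review bot: The `rename` processor for `http.request.method` → `http.method` appears twice in the new processor list; the second copy can never do anything (the source field is gone after the first rename and `ignore_missing` hides that), so delete the duplicate block. Also note that every rename carries `ignore_failure: true`, so if a document arrives with `http` already present as a non-object, or `http.request` already populated, the rename silently leaves `http_request.*` in place and the `http.request.headers.x-real-ip` / `http.useragent` fields the SOC login dashboards now query are simply empty for that event, with nothing logged. Keeping `ignore_missing` but dropping `ignore_failure` on the two top-level renames (`http_request`, `http_response`) would surface such conflicts instead of quietly losing login-audit visibility; if that is too strict for this pipeline, say so in the `description` since JSON leaves no room for a comment.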
diff --git a/salt/kratos/defaults.yaml b/salt/kratos/defaults.yaml
index 598a94fa1..b70141b6f 100644
--- a/salt/kratos/defaults.yaml
+++ b/salt/kratos/defaults.yaml
@@ -46,6 +46,7 @@ kratos:
ui_url: https://URL_BASE/
login:
ui_url: https://URL_BASE/login/
+ lifespan: 60m
error:
ui_url: https://URL_BASE/login/
registration:
diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml
index bc95d9b03..1b8c016c1 100644
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -182,6 +182,10 @@ kratos:
global: True
advanced: True
helpLink: kratos.html
+ lifespan:
+ description: Defines the duration that a login form will remain valid.
+ global: True
+ helpLink: kratos.html
error:
ui_url:
description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
index 0aeb58c8a..045c05c42 100755
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -133,7 +133,7 @@ function getinstallinfo() {
return 1
fi
- source <(echo $INSTALLVARS)
+ export $(echo "$INSTALLVARS" | xargs)
if [ $? -ne 0 ]; then
log "ERROR" "Failed to source install variables"
return 1
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 53f755016..6efdbf00c 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -426,6 +426,7 @@ preupgrade_changes() {
[[ "$INSTALLEDVERSION" == 2.4.170 ]] && up_to_2.4.180
[[ "$INSTALLEDVERSION" == 2.4.180 ]] && up_to_2.4.190
[[ "$INSTALLEDVERSION" == 2.4.190 ]] && up_to_2.4.200
+ [[ "$INSTALLEDVERSION" == 2.4.200 ]] && up_to_2.4.210
true
}
@@ -458,6 +459,7 @@ postupgrade_changes() {
[[ "$POSTVERSION" == 2.4.170 ]] && post_to_2.4.180
[[ "$POSTVERSION" == 2.4.180 ]] && post_to_2.4.190
[[ "$POSTVERSION" == 2.4.190 ]] && post_to_2.4.200
+ [[ "$POSTVERSION" == 2.4.200 ]] && post_to_2.4.210
true
}
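Review bot: The new `lifespan` entry under `login` in soc_kratos.yaml lacks the `advanced: True` flag that its sibling `ui_url` entry (the context lines just above it) carries, so the knob lands in the basic configuration view; if that is deliberate, the description should say what the value governs and why changing it matters, e.g. `description: How long a login flow (the form and its anti-CSRF token) stays valid before the user must start over, as a duration string such as 60m or 1h. Longer values extend how long an abandoned or intercepted flow stays usable; leave at the default unless users report expired login forms.` The value in kratos/defaults.yaml is written as `60m`, and no `regex:` validation is visible in this hunk, so naming the expected unit suffix in the description is the only guard an operator gets.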
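Review bot: `export $(echo "$INSTALLVARS" | xargs)` stops executing INSTALLVARS as shell code, which is a real improvement over `source`, but the unquoted expansion is still word-split and glob-expanded and `xargs` strips quotes and backslashes: a value containing whitespace becomes extra `export` operands (each silently exported as an empty variable), a `*` or `?` in a value expands against the working directory, and an unbalanced quote makes `xargs` print an error and emit nothing, whereupon `export` with no operands dumps the environment and exits 0, so the `if [ $? -ne 0 ]` check below never fires. Where INSTALLVARS comes from is outside this hunk, so I cannot say how trusted its content is; validating each assignment before exporting it makes the check meaningful regardless. The sketch below assumes one `KEY=VALUE` per line, which the `echo | xargs` flattening suggests may be the case — adjust the split if it is space-separated — and `getinstallinfo` begins and ends outside the hunk. The log message should also drop the word "source", since nothing is sourced any more.

```shell
    # … unchanged: fetch INSTALLVARS and bail out if it is empty …
    # Export one KEY=VALUE per line, accepting only plain shell identifiers so a
    # stray value can neither be executed nor become extra export operands.
    while IFS= read -r kv; do
        [[ -z "$kv" ]] && continue
        if [[ ! "$kv" =~ ^[A-Za-z_][A-Za-z0-9_]*= ]]; then
            log "ERROR" "Rejected malformed install variable: ${kv%%=*}"
            return 1
        fi
        export "$kv"
    done <<< "$INSTALLVARS"
    # … unchanged: remainder of getinstallinfo …
```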
@@ -644,6 +646,14 @@ post_to_2.4.200() {
POSTVERSION=2.4.200
}
+post_to_2.4.210() {
+ echo "Rolling over Kratos index to apply new index template"
+
+ rollover_index "logs-kratos-so"
+
+ POSTVERSION=2.4.210
+}
+
repo_sync() {
echo "Sync the local repo."
su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -920,6 +930,12 @@ up_to_2.4.200() {
INSTALLEDVERSION=2.4.200
}
+up_to_2.4.210() {
+ echo "Nothing to do for 2.4.210"
+
+ INSTALLEDVERSION=2.4.210
+}
+
add_hydra_pillars() {
mkdir -p /opt/so/saltstack/local/pillar/hydra
touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
@@ -1173,11 +1189,12 @@ hash_normalized_file() {
return 1
fi
- sed -E \
+ # Ensure trailing newline for consistent hashing regardless of source file
+ { sed -E \
-e 's/^[[:space:]]+//; s/[[:space:]]+$//' \
-e '/^$/d' \
-e 's|--url=http://[^:]+:7788|--url=http://MANAGER:7788|' \
- "$file" | sha256sum | awk '{print $1}'
+ "$file"; echo; } | sed '/^$/d' | sha256sum | awk '{print $1}'
}
# Known-default hashes for so-rule-update (ETOPEN ruleset)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 28db2ef5f..6f9fc0226 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -115,16 +115,16 @@ soc:
':kratos:':
- soc_timestamp
- event.dataset
- - http_request.headers.x-real-ip
+ - http.request.headers.x-real-ip
- user.name
- - http_request.headers.user-agent
+ - http.useragent
- msg
':hydra:':
- soc_timestamp
- event.dataset
- - http_request.headers.x-real-ip
+ - http.request.headers.x-real-ip
- user.name
- - http_request.headers.user-agent
+ - http.useragent
- msg
'::conn':
- soc_timestamp
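Review bot: The `{ …; echo; } | sed '/^$/d'` pair in `hash_normalized_file` is a roundabout way to guarantee a terminating newline: the `echo` completes an unterminated last line, and the second `sed` then deletes the blank line the `echo` produces when the file already ended with a newline. It is correct, but a reader has to trace both cases, and the new comment states only the goal. Either expand the comment to give the mechanism, e.g. `# echo terminates a final line that lacks "\n"; the trailing sed removes the blank line echo adds when one was already present`, or normalise inside the first sed with GNU sed's `-e '$a\'`, which appends a newline only when missing and makes the extra stage unnecessary. The function begins outside the hunk.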
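Review bot: The `':hydra:'` field list is switched to `http.request.headers.x-real-ip` and `http.useragent` alongside the kratos one, but the only ingest pipeline changed in this commit is `salt/elasticsearch/files/ingest/kratos`; the hydra pipeline is not part of this diff, so unless it already performs the same `http_request` → `http.request` and `user-agent` → `http.useragent` renames, the hydra event view will show empty columns where `http_request.headers.*` used to populate. Likewise `post_to_2.4.210` rolls over only `logs-kratos-so`, so hydra indices would keep the old template regardless. Either apply the same rename processors to the hydra pipeline (and roll its index over in `post_to_2.4.210`), or revert the two `':hydra:'` lines to the `http_request.*` names until that is done.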
@@ -1747,7 +1747,7 @@ soc:
showSubtitle: true
- name: SOC - Auth
description: Users authenticated to SOC grouped by IP address and identity
- query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip user.name'
+ query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip user.name'
showSubtitle: true
- name: SOC - App
description: Logs generated by the Security Onion Console (SOC) server and modules
@@ -2027,10 +2027,10 @@ soc:
query: '* | groupby event.category | groupby -sankey event.category event.module | groupby event.module | groupby -sankey event.module event.dataset | groupby event.dataset | groupby observer.name | groupby host.name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SOC Logins
description: SOC (Security Onion Console) logins
- query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip user.name | groupby user.name | groupby http_request.headers.user-agent'
+ query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip | groupby -sankey http.request.headers.x-real-ip user.name | groupby user.name | groupby http.useragent'
- name: SOC Login Failures
description: SOC (Security Onion Console) login failures
- query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby user.name | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip http_request.headers.user-agent | groupby http_request.headers.user-agent'
+ query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby user.name | groupby http.request.headers.x-real-ip | groupby -sankey http.request.headers.x-real-ip http.useragent | groupby http.useragent'
- name: Alerts
description: Overview of all alerts
query: 'tags:alert | groupby event.module* | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby rule.name | groupby event.severity | groupby destination.as.organization.name'
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 11442afba..a9b09b813 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -652,7 +652,6 @@ soc:
assistant:
apiUrl:
description: The URL of the AI gateway.
- advanced: True
global: True
healthTimeoutSeconds:
description: Timeout in seconds for the Onion AI health check.
diff --git a/sigs/securityonion-2.4.200-20251216.iso.sig b/sigs/securityonion-2.4.200-20251216.iso.sig
new file mode 100644
index 000000000..cc7286fae
Binary files /dev/null and b/sigs/securityonion-2.4.200-20251216.iso.sig differ
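Review bot: Removing `advanced: True` from `assistant.apiUrl` promotes the AI gateway endpoint into the basic configuration view, but its one-line description gives an operator no hint that editing it redirects every assistant request to whatever host is entered. Since the setting now sits where it is more likely to be changed casually, the description should carry the caveat, e.g. `description: The URL of the AI gateway that Onion AI requests are sent to. Changing this redirects assistant traffic to a different endpoint; only point it at a gateway you control and trust.` What those requests contain is not visible here, so word the warning around the redirection rather than the payload.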