Merge branch '2.4/main' into jertel/hfm

salt/ca/files/signing_policies.conf

@@ -37,7 +37,7 @@ x509_signing_policies:
     - ST: Utah
     - L: Salt Lake City
     - basicConstraints: "critical CA:false"
-    - keyUsage: "critical keyEncipherment"
+    - keyUsage: "critical keyEncipherment digitalSignature"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
     - extendedKeyUsage: serverAuth

salt/kibana/defaults.yaml

@@ -21,8 +21,10 @@ kibana:
         appenders: 
           - default
           - file
+    migrations:
+      discardCorruptObjects: "8.10.4"
     telemetry:
-        enabled: False
+      enabled: False
     security:
       showInsecureClusterWarning: False
     xpack:

salt/kibana/tools/sbin/so-kibana-api-check

@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+echo "Checking to make sure that Kibana API is up & ready..."
+RETURN_CODE=0
+wait_for_web_response "http://localhost:5601/api/fleet/settings" "fleet" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
+RETURN_CODE=$?
+if [[ "$RETURN_CODE" != "0" ]]; then
+    echo "Kibana API not accessible, exiting script..."
+    exit 1
+fi
+
+
+

salt/manager/tools/sbin/soup

@@ -450,6 +450,11 @@ post_to_2.4.20() {
 post_to_2.4.30() {
   echo "Regenerating Elastic Agent Installers"
   /sbin/so-elastic-agent-gen-installers
+  salt-call state.apply ca queue=True
+  stop_salt_minion
+  mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
+  mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
+  systemctl_func "start" "salt-minion"
   POSTVERSION=2.4.30
 }
 
@@ -529,6 +534,16 @@ up_to_2.4.20() {
 }
 
 up_to_2.4.30() {
+
+  # Remove older defend integration json & installed integration
+  rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json
+
+  . $UPDATE_DIR/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
+  elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
+
+  rm -f /opt/so/state/eaintegrations.txt
+
+  # Elastic Update for this release, so download Elastic Agent files
   determine_elastic_agent_upgrade
   rm -f /opt/so/state/estemplates*.txt
 
@@ -735,8 +750,21 @@ apply_hotfix() {
     . /usr/sbin/so-elastic-fleet-common
     elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
     /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
-#  elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then
-#    2_3_10_hotfix_1
+  elif [[ "$INSTALLEDVERSION" == "2.4.30" ]] ; then
+    rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json
+    so-kibana-restart --force
+    so-kibana-api-check
+    . /usr/sbin/so-elastic-fleet-common
+
+    elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
+    rm -f /opt/so/state/eaintegrations.txt
+    salt-call state.apply ca queue=True
+    stop_salt_minion
+    mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
+    mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
+    systemctl_func "start" "salt-minion"
+    echo "Applying Salt Highstate"
+    salt-call state.highstate queue=True  
   else
    echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
   fi