Merge pull request #11832 from Security-Onion-Solutions/jertel/hfm

Merge hoftix back to 2.4/dev

DOWNLOAD_AND_VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.4.30-20231113 ISO image released on 2023/11/13
+### 2.4.30-20231117 ISO image released on 2023/11/20
 
 
 
 ### Download and Verify
 
-2.4.30-20231113 ISO image:  
+2.4.30-20231117 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231113.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231117.iso
  
-MD5: 15EB5A74782E4C2D5663D29E275839F6  
+MD5: DF7E2540AFF2A233A9B0EEC78B37D0EA  
-SHA1: BBD4A7D77ADDA94B866F1EFED846A83DDFD34D73  
+SHA1: 93DB33A46C6F9C7D7CB8031C0A4F8738F4F14E89  
-SHA256: 4509EB8E11DB49C6CD3905C74C5525BDB1F773488002179A846E00DE8E499988  
+SHA256: 48C7BD1C664F545554490B8F191BCD7808C519488DCC85984760400F4F68E2DA  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231113.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231117.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231113.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231117.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231113.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231117.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.30-20231113.iso.sig securityonion-2.4.30-20231113.iso
+gpg --verify securityonion-2.4.30-20231117.iso.sig securityonion-2.4.30-20231117.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Mon 13 Nov 2023 09:23:21 AM EST using RSA key ID FE507013
+gpg: Signature made Sun 19 Nov 2023 08:11:53 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

salt/ca/files/signing_policies.conf

@@ -37,7 +37,7 @@ x509_signing_policies:
     - ST: Utah
     - L: Salt Lake City
     - basicConstraints: "critical CA:false"
-    - keyUsage: "critical keyEncipherment"
+    - keyUsage: "critical keyEncipherment digitalSignature"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
     - extendedKeyUsage: serverAuth

salt/kibana/defaults.yaml

@@ -21,6 +21,8 @@ kibana:
         appenders: 
           - default
           - file
+    migrations:
+      discardCorruptObjects: "8.10.4"
     telemetry:
       enabled: False
     security:

salt/kibana/tools/sbin/so-kibana-api-check

@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+echo "Checking to make sure that Kibana API is up & ready..."
+RETURN_CODE=0
+wait_for_web_response "http://localhost:5601/api/fleet/settings" "fleet" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
+RETURN_CODE=$?
+if [[ "$RETURN_CODE" != "0" ]]; then
+    echo "Kibana API not accessible, exiting script..."
+    exit 1
+fi
+
+
+

salt/manager/tools/sbin/soup

@@ -450,6 +450,11 @@ post_to_2.4.20() {
 post_to_2.4.30() {
   echo "Regenerating Elastic Agent Installers"
   /sbin/so-elastic-agent-gen-installers
+  salt-call state.apply ca queue=True
+  stop_salt_minion
+  mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
+  mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
+  systemctl_func "start" "salt-minion"
   POSTVERSION=2.4.30
 }
 
@@ -529,6 +534,16 @@ up_to_2.4.20() {
 }
 
 up_to_2.4.30() {
+
+  # Remove older defend integration json & installed integration
+  rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json
+
+  . $UPDATE_DIR/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
+  elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
+
+  rm -f /opt/so/state/eaintegrations.txt
+
+  # Elastic Update for this release, so download Elastic Agent files
   determine_elastic_agent_upgrade
   rm -f /opt/so/state/estemplates*.txt
 
@@ -735,8 +750,21 @@ apply_hotfix() {
     . /usr/sbin/so-elastic-fleet-common
     elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
     /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
-#  elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then
+  elif [[ "$INSTALLEDVERSION" == "2.4.30" ]] ; then
-#    2_3_10_hotfix_1
+    rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json
+    so-kibana-restart --force
+    so-kibana-api-check
+    . /usr/sbin/so-elastic-fleet-common
+
+    elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
+    rm -f /opt/so/state/eaintegrations.txt
+    salt-call state.apply ca queue=True
+    stop_salt_minion
+    mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
+    mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
+    systemctl_func "start" "salt-minion"
+    echo "Applying Salt Highstate"
+    salt-call state.highstate queue=True  
   else
    echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
   fi

setup/so-verify

@@ -39,6 +39,8 @@ log_has_errors() {
 
     # Command failed with exit code is output during retry loops.
 
+    # "remove failed" is caused by a warning generated by upgrade of libwbclient
+    
     grep -E "FAILED|Failed|failed|ERROR|Result: False|Error is not recoverable" "$setup_log" | \
         grep -vE "The Salt Master has cached the public key for this node" | \
         grep -vE "Minion failed to authenticate with the master" | \
@@ -53,6 +55,7 @@ log_has_errors() {
         grep -vE "code: 100" | \
         grep -vE "/nsm/rules/sigma*" | \
         grep -vE "/nsm/rules/yara*" | \
+        grep -vE "remove failed" | \
         grep -vE "Failed to restart snapd" | \
         grep -vE "Login Failed Details" | \
         grep -vE "response from daemon: unauthorized" | \