Merge pull request #11832 from Security-Onion-Solutions/jertel/hfm

Merge hoftix back to 2.4/dev
2025-12-06 09:12:45 +01:00 · 2023-11-20 15:32:40 -05:00
parent 67f116daed b2ea7138f3
commit f31e288005
7 changed files with 68 additions and 15 deletions
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,18 +1,18 @@
-### 2.4.30-20231113 ISO image released on 2023/11/13
+### 2.4.30-20231117 ISO image released on 2023/11/20



 ### Download and Verify

-2.4.30-20231113 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231113.iso
+2.4.30-20231117 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231117.iso
 
-MD5: 15EB5A74782E4C2D5663D29E275839F6  
-SHA1: BBD4A7D77ADDA94B866F1EFED846A83DDFD34D73  
-SHA256: 4509EB8E11DB49C6CD3905C74C5525BDB1F773488002179A846E00DE8E499988  
+MD5: DF7E2540AFF2A233A9B0EEC78B37D0EA  
+SHA1: 93DB33A46C6F9C7D7CB8031C0A4F8738F4F14E89  
+SHA256: 48C7BD1C664F545554490B8F191BCD7808C519488DCC85984760400F4F68E2DA  

 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231113.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231117.iso.sig

 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.

 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231113.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231117.iso.sig
 ```

 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231113.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231117.iso
 ```

 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.30-20231113.iso.sig securityonion-2.4.30-20231113.iso
+gpg --verify securityonion-2.4.30-20231117.iso.sig securityonion-2.4.30-20231117.iso
 ```

 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Mon 13 Nov 2023 09:23:21 AM EST using RSA key ID FE507013
+gpg: Signature made Sun 19 Nov 2023 08:11:53 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/salt/ca/files/signing_policies.conf
+++ b/salt/ca/files/signing_policies.conf
@@ -37,7 +37,7 @@ x509_signing_policies:
    - ST: Utah
    - L: Salt Lake City
    - basicConstraints: "critical CA:false"
-    - keyUsage: "critical keyEncipherment"
+    - keyUsage: "critical keyEncipherment digitalSignature"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - extendedKeyUsage: serverAuth
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -21,6 +21,8 @@ kibana:
        appenders: 
          - default
          - file
+    migrations:
+      discardCorruptObjects: "8.10.4"
    telemetry:
      enabled: False
    security:
--- a/salt/kibana/tools/sbin/so-kibana-api-check
+++ b/salt/kibana/tools/sbin/so-kibana-api-check
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+echo "Checking to make sure that Kibana API is up & ready..."
+RETURN_CODE=0
+wait_for_web_response "http://localhost:5601/api/fleet/settings" "fleet" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
+RETURN_CODE=$?
+if [[ "$RETURN_CODE" != "0" ]]; then
+    echo "Kibana API not accessible, exiting script..."
+    exit 1
+fi
+
+
+
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -450,6 +450,11 @@ post_to_2.4.20() {
 post_to_2.4.30() {
  echo "Regenerating Elastic Agent Installers"
  /sbin/so-elastic-agent-gen-installers
+  salt-call state.apply ca queue=True
+  stop_salt_minion
+  mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
+  mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
+  systemctl_func "start" "salt-minion"
  POSTVERSION=2.4.30
 }

@@ -529,6 +534,16 @@ up_to_2.4.20() {
 }

 up_to_2.4.30() {
+
+  # Remove older defend integration json & installed integration
+  rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json
+
+  . $UPDATE_DIR/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
+  elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
+
+  rm -f /opt/so/state/eaintegrations.txt
+
+  # Elastic Update for this release, so download Elastic Agent files
  determine_elastic_agent_upgrade
  rm -f /opt/so/state/estemplates*.txt

@@ -735,8 +750,21 @@ apply_hotfix() {
    . /usr/sbin/so-elastic-fleet-common
    elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
    /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
-#  elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then
-#    2_3_10_hotfix_1
+  elif [[ "$INSTALLEDVERSION" == "2.4.30" ]] ; then
+    rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json
+    so-kibana-restart --force
+    so-kibana-api-check
+    . /usr/sbin/so-elastic-fleet-common
+
+    elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
+    rm -f /opt/so/state/eaintegrations.txt
+    salt-call state.apply ca queue=True
+    stop_salt_minion
+    mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
+    mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
+    systemctl_func "start" "salt-minion"
+    echo "Applying Salt Highstate"
+    salt-call state.highstate queue=True  
  else
   echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
  fi
--- a/setup/so-verify
+++ b/setup/so-verify
@@ -39,6 +39,8 @@ log_has_errors() {

    # Command failed with exit code is output during retry loops.

+    # "remove failed" is caused by a warning generated by upgrade of libwbclient
+    
    grep -E "FAILED|Failed|failed|ERROR|Result: False|Error is not recoverable" "$setup_log" | \
        grep -vE "The Salt Master has cached the public key for this node" | \
        grep -vE "Minion failed to authenticate with the master" | \
@@ -53,6 +55,7 @@ log_has_errors() {
        grep -vE "code: 100" | \
        grep -vE "/nsm/rules/sigma*" | \
        grep -vE "/nsm/rules/yara*" | \
+        grep -vE "remove failed" | \
        grep -vE "Failed to restart snapd" | \
        grep -vE "Login Failed Details" | \
        grep -vE "response from daemon: unauthorized" | \
--- a/sigs/securityonion-2.4.30-20231117.iso.sig
+++ b/sigs/securityonion-2.4.30-20231117.iso.sig