From b25b6f7bf2e45080b22f45e1ba2e3714985b69b4 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 18 Feb 2025 12:37:25 -0500
Subject: [PATCH 1/3] Support CLI changing of a user's password without disabling existing auth settings for that user
---
 salt/manager/tools/sbin/so-user | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/salt/manager/tools/sbin/so-user b/salt/manager/tools/sbin/so-user
index e6ac9eb1f..e6cf661dc 100755
--- a/salt/manager/tools/sbin/so-user
+++ b/salt/manager/tools/sbin/so-user
@@ -46,10 +46,11 @@ function usage() {
 Optional parameters:
 --skip-sync (defers the Elastic sync until the next scheduled time)
- password: Updates a user's password and disables MFA
+ password: Updates a user's password and disables MFA, SSO, etc
 Required parameters:
 --email
 Optional parameters:
+ --password-only (only updates the password, does not disable MFA or SSO)
 --skip-sync (defers the Elastic sync until the next scheduled time)
 profile: Updates a user's profile information
@@ -119,6 +120,8 @@ while [[ $# -gt 0 ]]; do
 note=$(echo $1 | sed 's/"/\\"/g')
 shift
 ;;
+ --password-only)
+ passwordOnly=1
 --skip-sync)
 SKIP_SYNC=1
 ;;
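Review bot: The new `--password-only)` arm in the argument-parsing hunk has no `;;` terminator, so bash reads the following `--skip-sync)` pattern as part of the arm's body and refuses to parse the script; this breaks every invocation of so-user, not just the new option. The sibling `--skip-sync)` arm shows the intended shape: `--password-only)` / `passwordOnly=1` / `;;`. The enclosing `while` loop starts before this hunk, so I cannot see whether `passwordOnly` is given a default next to `SKIP_SYNC`; `[[ $passwordOnly -eq 1 ]]` is false on an empty value in bash, but an explicit `passwordOnly=0` before the loop makes the later check self-explanatory.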
@@ -236,6 +239,11 @@ function updatePassword() {
 # Update DB with new hash
 echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
 [[ $? != 0 ]] && fail "Unable to update password"
+
+ if [[ $passwordOnly -eq 1 ]]; then
+ return
+ fi
+
 # Deactivate MFA
 echo "delete from identity_credential_identifiers where identity_credential_id in (select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id in (select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc')));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
 [[ $? != 0 ]] && fail "Unable to clear aal2 identity IDs"
From 23ab8983f72485a38f26f145c52c125f1793c51a Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 18 Feb 2025 12:41:41 -0500
Subject: [PATCH 2/3] Revert "Support CLI changing of a user's password without disabling existing auth settings for that user"
This reverts commit b25b6f7bf2e45080b22f45e1ba2e3714985b69b4.
---
 salt/manager/tools/sbin/so-user | 10 +--------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/salt/manager/tools/sbin/so-user b/salt/manager/tools/sbin/so-user
index e6cf661dc..e6ac9eb1f 100755
--- a/salt/manager/tools/sbin/so-user
+++ b/salt/manager/tools/sbin/so-user
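Review bot: The early `return` on the `--password-only` path in updatePassword leaves every TOTP, WebAuthn and OIDC credential bound to the account after the hash is replaced, which is what the usage text promises, but it also skips everything that follows the MFA deletion, and updatePassword continues past the end of this hunk; if that tail performs session invalidation or the Elastic sync, a password-only change would leave existing sessions and the index untouched, so that needs checking. A comment at the return would stop the next maintainer reading it as a partial-failure exit: `# --password-only: keep MFA/SSO bindings; only the password hash above changes`. The no-flag default remains the full credential reset, which is the appropriate path for a suspected compromise, and the usage text could say that the new flag is meant for routine rotation rather than account recovery.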
@@ -46,11 +46,10 @@ function usage() {
 Optional parameters:
 --skip-sync (defers the Elastic sync until the next scheduled time)
- password: Updates a user's password and disables MFA, SSO, etc
+ password: Updates a user's password and disables MFA
 Required parameters:
 --email
 Optional parameters:
- --password-only (only updates the password, does not disable MFA or SSO)
 --skip-sync (defers the Elastic sync until the next scheduled time)
 profile: Updates a user's profile information
@@ -120,8 +119,6 @@ while [[ $# -gt 0 ]]; do
 note=$(echo $1 | sed 's/"/\\"/g')
 shift
 ;;
- --password-only)
- passwordOnly=1
 --skip-sync)
 SKIP_SYNC=1
 ;;
@@ -239,11 +236,6 @@ function updatePassword() {
 # Update DB with new hash
 echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
 [[ $? != 0 ]] && fail "Unable to update password"
-
- if [[ $passwordOnly -eq 1 ]]; then
- return
- fi
-
 # Deactivate MFA
 echo "delete from identity_credential_identifiers where identity_credential_id in (select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id in (select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc')));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
 [[ $? != 0 ]] && fail "Unable to clear aal2 identity IDs"
From 66a2ec7e2131a31325242fec493781eb6e13211f Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 21 Feb 2025 08:38:40 -0500
Subject: [PATCH 3/3] ES upgrade errors to ignore
---
 salt/common/tools/sbin/so-log-check | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check
index 91417171c..b9bc76f9f 100755
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -126,6 +126,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to get license information" # Logstash trying to contact ES before it's ready
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process already finished" # Telegraf script finished just as the auto kill timeout kicked in
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|No shard available" # Typical error when making a query before ES has finished loading all indices
+ EXCLUDED_ERRORS="$EXCLUDED_ERRORS|responded with status-code 503" # telegraf getting 503 from ES during startup
 fi
 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
@@ -152,6 +153,7 @@ if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|is not an ip string literal" # false positive (Open Canary logging out blank IP addresses)
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|syncing rule" # false positive (rule sync log line includes rule name which can contain 'error')
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|request_unauthorized" # false positive (login failures to Hydra result in an 'error' log)
+ EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding index lifecycle policy" # false positive (elasticsearch policy names contain 'error')
 fi
 if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
@@ -213,6 +215,7 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|syncErrors" # Detections: Not an actual error
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Initialized license manager" # SOC log: before fields.status was changed to fields.licenseStatus
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|from NIC checksum offloading" # zeek reporter.log
+ EXCLUDED_ERRORS="$EXCLUDED_ERRORS|marked for removal" # docker container getting recycled
 fi
 RESULT=0
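Review bot: `marked for removal` in the third hunk is a generic three-word fragment with no component or container name attached, and because it lands in the EXCLUDE_KNOWN_ERRORS block it is suppressed unconditionally rather than only during startup, so an unexpected container teardown that logs the same words would be dropped by so-log-check. If the docker line carries more context, anchor the pattern on that (the full message, or the component that emits it) and say in the trailing comment which log file it comes from, as the `# zeek reporter.log` entry above it does. The same concern applies in a weaker form to `responded with status-code 503` in the first hunk, which matches any 503 telegraf ever reports, though that one is at least confined to the startup-error block. Each value is joined into EXCLUDED_ERRORS with `|`, which presumably ends up as a regex alternation, so these fragments are patterns rather than literal strings; the consumer is outside this hunk, so that is inferred.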