diff --git a/HOTFIX b/HOTFIX index d3f5a12fa..6e1406eb7 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ - +ECSFIX HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index b98cdfb9b..d64b20075 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,17 +1,18 @@ -### 2.3.60 ISO image built on 2021/04/27 +### 2.3.60-ECSFIX ISO image built on 2021/07/02 + ### Download and Verify -2.3.60 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.60.iso +2.3.60-ECSFIX ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.60-ECSFIX.iso -MD5: 0470325615C42C206B028EE37A1AD897 -SHA1: 496E70BD529D3B8A02D0B32F68B8F7527C953612 -SHA256: 417E34DFCD63D84A16FF2041DC712F02D9E0515C8B78BDF0EE1037DD13C32030 +MD5: BCD2C449BD3B65D96A0D1E479C0414F9 +SHA1: 18FB8F33C19980992B291E5A7EC23D5E13853933 +SHA256: AD3B750E7FC4CA0D58946D8FEB703AE9B01508E314967566B06CFE5D8A8086E9 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-ECSFIX.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -25,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-ECSFIX.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60-ECSFIX.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.60.iso.sig securityonion-2.3.60.iso +gpg --verify securityonion-2.3.60-ECSFIX.iso.sig securityonion-2.3.60-ECSFIX.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Thu 01 Jul 2021 10:59:24 AM EDT using RSA key ID FE507013 +gpg: Signature made Fri 02 Jul 2021 10:15:04 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/VERSION b/VERSION index e183d6a6c..678d59d4f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.70 +2.3.60 diff --git a/salt/elasticsearch/files/ingest/ossec b/salt/elasticsearch/files/ingest/ossec index 1c5a0fd42..868de2798 100644 --- a/salt/elasticsearch/files/ingest/ossec +++ b/salt/elasticsearch/files/ingest/ossec 
@@ -63,8 +63,7 @@ { "rename": { "field": "fields.module", "target_field": "event.module", "ignore_failure": true, "ignore_missing": true } }, { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } }, { "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } }, - { "set": { "if": "ctx.rule != null && ctx.rule.name != null", "field": "event.dataset", "value": "ossec.alert", "override": true } }, - { "set": { "if": "ctx.rule != null && ctx.rule.name != null", "field": "event.kind", "value": "alert", "override": true } }, + { "set": { "if": "ctx.rule != null && ctx.rule.name != null", "field": "event.dataset", "value": "alert", "override": true } }, { "pipeline": { "name": "common" } } ] } diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file index cf2772305..e5e8560f8 100644 --- a/salt/elasticsearch/files/ingest/strelka.file +++ b/salt/elasticsearch/files/ingest/strelka.file 
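Review bot: With `event.kind` no longer set and `event.dataset` collapsed to the generic value `alert`, any saved search, dashboard or detection that filters on `event.kind: alert` or `event.dataset: ossec.alert` will stop matching these documents without raising an error. The same change is made for YARA matches in the strelka.file hunk, where the value is written to `dataset` rather than `event.dataset`. Ingest pipeline JSON cannot carry a comment, so the expected field values for alert documents should be recorded in the commit description or release notes, and the shipped queries checked against `event.dataset: alert` before the ISO is published. Whether the `common` pipeline later normalises these fields is not visible from this hunk.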
@@ -53,8 +53,7 @@ { "set": { "if": "ctx.exiftool?.FileDirectory != null", "field": "file.directory", "value": "{{exiftool.FileDirectory}}", "ignore_failure": true }}, { "set": { "if": "ctx.exiftool?.Subsystem != null", "field": "host.subsystem", "value": "{{exiftool.Subsystem}}", "ignore_failure": true }}, { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "rule.name", "value": "{{scan.yara.matches.0}}" }}, - { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "dataset", "value": "strelka.alert", "override": true }}, - { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "event.kind", "value": "alert", "override": true }}, + { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "dataset", "value": "alert", "override": true }}, { "rename": { "field": "file.flavors.mime", "target_field": "file.mime_type", "ignore_missing": true }}, { "set": { "if": "ctx.rule?.name != null && ctx.rule?.score == null", "field": "event.severity", "value": 3, "override": true } }, { "convert" : { "if": "ctx.rule?.score != null", "field" : "rule.score","type": "integer"}}, diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index bfd08e4fe..cd6a8918c 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -36,6 +36,14 @@ {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} +{% if grains.role in ['so-heavynode'] %} + {% set EXTRAHOSTHOSTNAME = salt['grains.get']('host') %} + {% set EXTRAHOSTIP = salt['pillar.get']('sensor:mainip') %} +{% else %} + {% set EXTRAHOSTHOSTNAME = MANAGER %} + {% set EXTRAHOSTIP = MANAGERIP %} +{% endif %} + include: - elasticsearch @@ -145,7 +153,7 @@ so-logstash: - name: so-logstash - user: logstash - extra_hosts: - - {{ MANAGER }}:{{ MANAGERIP }} + - {{ EXTRAHOSTHOSTNAME }}:{{ EXTRAHOSTIP }} - environment: - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }} - port_bindings: 
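Review bot: `salt['pillar.get']('sensor:mainip')` in the first init.sls hunk has no default, and `pillar.get` returns an empty string when the key is absent, so on a heavynode without that pillar the `extra_hosts` entry in the second hunk would render as `hostname:` with no address. The container would then either fail to start or resolve its own name some other way, which matters because that name is the one the Redis certificate is issued for in salt/ssl/init.sls. Consider failing the state with a clear message when `EXTRAHOSTIP` is empty. A comment above the block such as `{# on a heavynode Logstash talks to the node's own hostname instead of the manager #}` would also record why the role switch exists.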
@@ -205,4 +213,4 @@ append_so-logstash_so-status.conf: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja index 60229422b..35f77c5a0 100644 --- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja @@ -1,10 +1,13 @@ -{%- set MANAGER = salt['grains.get']('master') %} -{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %} -{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} - +{%- if grains.role in ['so-heavynode'] %} + {%- set HOST = salt['grains.get']('host') %} +{%- else %} + {%- set HOST = salt['grains.get']('master') %} +{%- endif %} + {%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %} +{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} input { redis { - host => '{{ MANAGER }}' + host => '{{ HOST }}' port => 9696 ssl => true data_type => 'list' diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja index 626ed62c3..6b9c62e2f 100644 --- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja 
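Review bot: The heavynode switch that picks `HOST` in 0900_input_redis.conf.jinja is repeated in 9999_output_redis.conf.jinja, and the same decision is made separately as `COMMONNAME` in salt/ssl/init.sls and `EXTRAHOSTHOSTNAME` in salt/logstash/init.sls. These values have to stay identical, because the name Logstash connects to with `ssl => true` should be the name the Redis certificate was issued for; a later edit to one copy would surface only as a TLS or connection failure on heavynodes. Defining the value once and importing it would remove that risk; at minimum add `{#- HOST must match the CN of /etc/pki/redis.crt set in salt/ssl/init.sls #}` above the block. The `THREADS` line also gained a stray two-space indent.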
@@ -1,8 +1,12 @@ -{%- set MANAGER = salt['grains.get']('master') %} -{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} +{%- if grains.role in ['so-heavynode'] %} + {%- set HOST = salt['grains.get']('host') %} +{%- else %} + {%- set HOST = salt['grains.get']('master') %} +{%- endif %} +{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} output { redis { - host => '{{ MANAGER }}' + host => '{{ HOST }}' port => 6379 data_type => 'list' key => 'logstash:unparsed' diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 5786437f6..f6cfaf4f4 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -9,6 +9,11 @@ {% set MAININT = salt['pillar.get']('host:mainint') %} {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %} +{% if grains.role in ['so-heavynode'] %} + {% set COMMONNAME = salt['grains.get']('host') %} +{% else %} + {% set COMMONNAME = manager %} +{% endif %} {% if grains.id.split('_')|last in ['manager', 'eval', 'standalone', 'import', 'helixsensor'] %} {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %} @@ -83,10 +88,12 @@ removeesp12dir: - days_remaining: 0 - days_valid: 820 - backup: True +{% if grains.role not in ['so-heavynode'] %} - unless: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' +{% endif %} - timeout: 30 - retry: attempts: 5 @@ -103,7 +110,7 @@ influxkeyperms: # Create a cert for Redis encryption /etc/pki/redis.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 
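Review bot: The output block sends events to `{{ HOST }}` on port 6379 and no TLS option is visible in this hunk, whereas the matching input in 0900_input_redis.conf.jinja uses port 9696 with `ssl => true`. If 6379 is the plaintext Redis listener, unparsed logs leave Logstash unencrypted, and on a heavynode the target is now the node's host name rather than the manager, so the network path depends on how that name resolves inside the container. The `redis` block continues past the end of the hunk, so this needs confirming against the full file. If the listener is meant to be reachable only locally, a comment saying so would help the next reader.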
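Review bot: Wrapping the `unless` expiry guard in `{% if grains.role not in ['so-heavynode'] %}` removes it for heavynodes permanently, not only for the one run needed to pick up the new CN. The hunk at -83 does this for /etc/pki/influxdb.crt, and the hunks at -123, -168, -335 and -483 repeat it for the redis, filebeat, elasticsearch and /opt/so/conf/filebeat certificates. The guard's comment links a Salt issue, which suggests that without it the certificate is requested from the CA again on every state run, and with `backup: True` each run would leave another copy behind. A narrower fix keeps the guard on all roles and extends its shell test to also require that the existing certificate's subject CN equals `{{ COMMONNAME }}`, so a heavynode re-issues once and then returns to the 5-day renewal window. The state bodies start and end outside these hunks.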
@@ -123,14 +130,16 @@ influxkeyperms: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/redis.key - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - days_remaining: 0 - days_valid: 820 - backup: True +{% if grains.role not in ['so-heavynode'] %} - unless: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' +{% endif %} - timeout: 30 - retry: attempts: 5 @@ -147,7 +156,7 @@ rediskeyperms: {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %} /etc/pki/filebeat.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -168,18 +177,16 @@ rediskeyperms: - ca_server: {{ ca_server }} - signing_policy: filebeat - public_key: /etc/pki/filebeat.key -{% if grains.role == 'so-heavynode' %} - - CN: {{grains.host}} -{% else %} - - CN: {{manager}} -{% endif %} + - CN: {{ COMMONNAME }} - days_remaining: 0 - days_valid: 820 - backup: True +{% if grains.role not in ['so-heavynode'] %} - unless: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' +{% endif %} - timeout: 30 - retry: attempts: 5 @@ -315,7 +322,7 @@ miniokeyperms: # Create a cert for elasticsearch /etc/pki/elasticsearch.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 
@@ -335,14 +342,16 @@ miniokeyperms: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/elasticsearch.key - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - days_remaining: 0 - days_valid: 820 - backup: True +{% if grains.role not in ['so-heavynode'] %} - unless: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' +{% endif %} - timeout: 30 - retry: attempts: 5 @@ -462,7 +471,7 @@ fbcertdir: /opt/so/conf/filebeat/etc/pki/filebeat.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -483,18 +492,16 @@ fbcertdir: - ca_server: {{ ca_server }} - signing_policy: filebeat - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key -{% if grains.role == 'so-heavynode' %} - - CN: {{grains.id}} -{% else %} - - CN: {{manager}} -{% endif %} + - CN: {{ COMMONNAME }} - days_remaining: 0 - days_valid: 820 - backup: True +{% if grains.role not in ['so-heavynode'] %} - unless: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' +{% endif %} - timeout: 30 - retry: attempts: 5 @@ -677,4 +684,4 @@ elastickeyperms: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index 86be01e70..43485d652 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf 
@@ -630,8 +630,10 @@ {% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} [[inputs.elasticsearch]] servers = ["https://{{ NODEIP }}:9200"] +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username = "{{ ES_USER }}" password = "{{ ES_PASS }}" +{% endif %} insecure_skip_verify = true {% endif %} diff --git a/sigs/securityonion-2.3.60-ECSFIX.iso.sig b/sigs/securityonion-2.3.60-ECSFIX.iso.sig new file mode 100644 index 000000000..cc55927fa Binary files /dev/null and b/sigs/securityonion-2.3.60-ECSFIX.iso.sig differ
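Review bot: The credentials that this hunk makes conditional are sent over a connection with `insecure_skip_verify = true`, so when Elasticsearch auth is enabled Telegraf would present `ES_USER`/`ES_PASS` to whatever endpoint answers on `{{ NODEIP }}:9200` without checking its certificate. Since this commit issues the elasticsearch certificate with a per-host CN, verification could be turned on by pointing Telegraf at the CA with `tls_ca` and connecting by the certificate's name instead of the IP, provided the issued certificate covers that name. Also note that `is sameas true` matches only a boolean, so a pillar value of the string "true" would silently omit the credentials; a one-line comment stating that would help.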