Merge remote-tracking branch 'remotes/origin/dev' into issue/4674

2025-12-06 17:22:49 +01:00 · 2021-07-08 14:12:26 -04:00
parent 56697fde19 70d7513f84
commit f56514ed7d
11 changed files with 67 additions and 44 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-
+ECSFIX HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,17 +1,18 @@
-### 2.3.60 ISO image built on 2021/04/27
+### 2.3.60-ECSFIX ISO image built on 2021/07/02
+


 ### Download and Verify

-2.3.60 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.60.iso
+2.3.60-ECSFIX ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.3.60-ECSFIX.iso

-MD5: 0470325615C42C206B028EE37A1AD897  
-SHA1: 496E70BD529D3B8A02D0B32F68B8F7527C953612  
-SHA256: 417E34DFCD63D84A16FF2041DC712F02D9E0515C8B78BDF0EE1037DD13C32030 
+MD5: BCD2C449BD3B65D96A0D1E479C0414F9  
+SHA1: 18FB8F33C19980992B291E5A7EC23D5E13853933  
+SHA256: AD3B750E7FC4CA0D58946D8FEB703AE9B01508E314967566B06CFE5D8A8086E9 

 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-ECSFIX.iso.sig

 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -25,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma

 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-ECSFIX.iso.sig
 ```

 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60-ECSFIX.iso
 ```

 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.60.iso.sig securityonion-2.3.60.iso
+gpg --verify securityonion-2.3.60-ECSFIX.iso.sig securityonion-2.3.60-ECSFIX.iso
 ```

 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Thu 01 Jul 2021 10:59:24 AM EDT using RSA key ID FE507013
+gpg: Signature made Fri 02 Jul 2021 10:15:04 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/2
+++ b/2
@@ -1 +1 @@
-2.3.70
+2.3.60
--- a/salt/elasticsearch/files/ingest/ossec
+++ b/salt/elasticsearch/files/ingest/ossec
@@ -63,8 +63,7 @@
    { "rename":         { "field": "fields.module",              "target_field": "event.module",                  "ignore_failure": true, "ignore_missing": true  } },
    { "pipeline":      { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'",   "name": "sysmon"  }  },
    { "pipeline":      { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'",  "name":"win.eventlogs" }  },
-    { "set":           { "if": "ctx.rule != null && ctx.rule.name != null",   "field": "event.dataset", "value": "ossec.alert", "override": true }  },
-    { "set":           { "if": "ctx.rule != null && ctx.rule.name != null",   "field": "event.kind", "value": "alert", "override": true }  },
+    { "set":           { "if": "ctx.rule != null && ctx.rule.name != null",   "field": "event.dataset", "value": "alert", "override": true }  },
    { "pipeline":       { "name": "common" } }    
  ]
 }
--- a/salt/elasticsearch/files/ingest/strelka.file
+++ b/salt/elasticsearch/files/ingest/strelka.file
@@ -53,8 +53,7 @@
    { "set":         { "if": "ctx.exiftool?.FileDirectory != null", "field": "file.directory",        "value": "{{exiftool.FileDirectory}}", "ignore_failure": true }},
    { "set":         { "if": "ctx.exiftool?.Subsystem != null", "field": "host.subsystem",        "value": "{{exiftool.Subsystem}}", "ignore_failure": true }},
    { "set":         { "if": "ctx.scan?.yara?.matches != null", "field": "rule.name",        "value": "{{scan.yara.matches.0}}" }},
-    { "set":         { "if": "ctx.scan?.yara?.matches != null", "field": "dataset",        "value": "strelka.alert", "override": true }},
-    { "set":         { "if": "ctx.scan?.yara?.matches != null", "field": "event.kind",        "value": "alert", "override": true }},
+    { "set":         { "if": "ctx.scan?.yara?.matches != null", "field": "dataset",        "value": "alert", "override": true }},
    { "rename":         { "field": "file.flavors.mime", "target_field": "file.mime_type",        "ignore_missing": true }},
    { "set":         { "if": "ctx.rule?.name != null && ctx.rule?.score == null",   "field": "event.severity", "value": 3, "override": true }  },
    { "convert" :    { "if": "ctx.rule?.score != null", "field" : "rule.score","type": "integer"}},
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -36,6 +36,14 @@
 {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %}
 {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}

+{% if grains.role in ['so-heavynode'] %}
+  {% set EXTRAHOSTHOSTNAME = salt['grains.get']('host') %}
+  {% set EXTRAHOSTIP = salt['pillar.get']('sensor:mainip') %}
+{% else %}
+  {% set EXTRAHOSTHOSTNAME = MANAGER %}
+  {% set EXTRAHOSTIP = MANAGERIP %}
+{% endif %}
+
 include:
  - elasticsearch

@@ -145,7 +153,7 @@ so-logstash:
    - name: so-logstash
    - user: logstash
    - extra_hosts:
-      - {{ MANAGER }}:{{ MANAGERIP }}
+      - {{ EXTRAHOSTHOSTNAME }}:{{ EXTRAHOSTIP }}
    - environment:
      - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
    - port_bindings:
@@ -205,4 +213,4 @@ append_so-logstash_so-status.conf:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed

-{% endif %}
+{% endif %}
--- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
@@ -1,10 +1,13 @@
-{%- set MANAGER = salt['grains.get']('master') %}
-{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
-{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
-
+{%- if grains.role in ['so-heavynode'] %}
+  {%- set HOST = salt['grains.get']('host') %}
+{%- else %}
+  {%- set HOST = salt['grains.get']('master') %}
+{%- endif %}
+  {%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
+{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
 input {
 	redis {
-		host => '{{ MANAGER }}'
+		host => '{{ HOST }}'
 		port => 9696
 		ssl => true
 		data_type => 'list'
--- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
@@ -1,8 +1,12 @@
-{%- set MANAGER = salt['grains.get']('master') %}
-{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{%- if grains.role in ['so-heavynode'] %}
+  {%- set HOST = salt['grains.get']('host') %}
+{%- else %}
+  {%- set HOST = salt['grains.get']('master') %}
+{%- endif %}
+{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
 output {
 	redis {
-		host => '{{ MANAGER }}'
+		host => '{{ HOST }}'
 		port => 6379
 		data_type => 'list'
 		key => 'logstash:unparsed'
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -9,6 +9,11 @@
 {% set MAININT = salt['pillar.get']('host:mainint') %}
 {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
 {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %}
+{% if grains.role in ['so-heavynode'] %}
+  {% set COMMONNAME = salt['grains.get']('host') %}
+{% else %}
+  {% set COMMONNAME = manager %}
+{% endif %}

 {% if grains.id.split('_')|last in ['manager', 'eval', 'standalone', 'import', 'helixsensor'] %}
    {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
@@ -83,10 +88,12 @@ removeesp12dir:
    - days_remaining: 0
    - days_valid: 820
    - backup: True
+{% if grains.role not in ['so-heavynode'] %}
    - unless:
      # https://github.com/saltstack/salt/issues/52167
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+{% endif %}
    - timeout: 30
    - retry:
        attempts: 5
@@ -103,7 +110,7 @@ influxkeyperms:
 # Create a cert for Redis encryption
 /etc/pki/redis.key:
  x509.private_key_managed:
-    - CN: {{ manager }}
+    - CN: {{ COMMONNAME }}
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
@@ -123,14 +130,16 @@ influxkeyperms:
    - ca_server: {{ ca_server }}
    - signing_policy: registry
    - public_key: /etc/pki/redis.key
-    - CN: {{ manager }}
+    - CN: {{ COMMONNAME }}
    - days_remaining: 0
    - days_valid: 820
    - backup: True
+{% if grains.role not in ['so-heavynode'] %}
    - unless:
      # https://github.com/saltstack/salt/issues/52167
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+{% endif %}
    - timeout: 30
    - retry:
        attempts: 5
@@ -147,7 +156,7 @@ rediskeyperms:
 {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}
 /etc/pki/filebeat.key:
  x509.private_key_managed:
-    - CN: {{ manager }}
+    - CN: {{ COMMONNAME }}
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
@@ -168,18 +177,16 @@ rediskeyperms:
    - ca_server: {{ ca_server }}
    - signing_policy: filebeat
    - public_key: /etc/pki/filebeat.key
-{% if grains.role == 'so-heavynode' %}
-    - CN: {{grains.host}}
-{% else %}
-    - CN: {{manager}}
-{% endif %}
+    - CN: {{ COMMONNAME }}
    - days_remaining: 0
    - days_valid: 820
    - backup: True
+{% if grains.role not in ['so-heavynode'] %}
    - unless:
      # https://github.com/saltstack/salt/issues/52167
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+{% endif %}
    - timeout: 30
    - retry:
        attempts: 5
@@ -315,7 +322,7 @@ miniokeyperms:
 # Create a cert for elasticsearch
 /etc/pki/elasticsearch.key:
  x509.private_key_managed:
-    - CN: {{ manager }}
+    - CN: {{ COMMONNAME }}
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
@@ -335,14 +342,16 @@ miniokeyperms:
    - ca_server: {{ ca_server }}
    - signing_policy: registry
    - public_key: /etc/pki/elasticsearch.key
-    - CN: {{ manager }}
+    - CN: {{ COMMONNAME }}
    - days_remaining: 0
    - days_valid: 820
    - backup: True
+{% if grains.role not in ['so-heavynode'] %}
    - unless:
      # https://github.com/saltstack/salt/issues/52167
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+{% endif %}
    - timeout: 30
    - retry:
        attempts: 5
@@ -462,7 +471,7 @@ fbcertdir:

 /opt/so/conf/filebeat/etc/pki/filebeat.key:
  x509.private_key_managed:
-    - CN: {{ manager }}
+    - CN: {{ COMMONNAME }}
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
@@ -483,18 +492,16 @@ fbcertdir:
    - ca_server: {{ ca_server }}
    - signing_policy: filebeat
    - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
-{% if grains.role == 'so-heavynode' %}
-    - CN: {{grains.id}}
-{% else %}
-    - CN: {{manager}}
-{% endif %}
+    - CN: {{ COMMONNAME }}
    - days_remaining: 0
    - days_valid: 820
    - backup: True
+{% if grains.role not in ['so-heavynode'] %}
    - unless:
      # https://github.com/saltstack/salt/issues/52167
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+{% endif %}
    - timeout: 30
    - retry:
        attempts: 5
@@ -677,4 +684,4 @@ elastickeyperms:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed

-{% endif %}
+{% endif %}
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -630,8 +630,10 @@
 {% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode']  %}
 [[inputs.elasticsearch]]
   servers = ["https://{{ NODEIP }}:9200"]
+{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
   username = "{{ ES_USER }}"
   password = "{{ ES_PASS }}"
+{% endif %}
   insecure_skip_verify = true
 {% endif %}

--- a/sigs/securityonion-2.3.60-ECSFIX.iso.sig
+++ b/sigs/securityonion-2.3.60-ECSFIX.iso.sig
				`@@ -1 +1 @@`

				`ECSFIX HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES`
@@ -1 +1 @@
 .3.70
 .3.60