CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/2.4/dev' into vlb2

Browse Source
This commit is contained in:
Josh Patterson
2025-03-27 11:26:32 -04:00
parent 269919b980 056a29ea89
commit f9bf4e4130
26 changed files with 967 additions and 2236 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.github/DISCUSSION_TEMPLATE/2-4.yml vendored
View File

@@ -26,6 +26,7 @@ body:
- 2.4.120 - 2.4.120
- 2.4.130 - 2.4.130
- 2.4.140 - 2.4.140
- 2.4.150
- Other (please provide detail below) - Other (please provide detail below)
validations: validations:
required: true required: true

22
DOWNLOAD_AND_VERIFY_ISO.md
View File

@@ -1,17 +1,17 @@
### 2.4.130-20250311 ISO image released on 2025/03/11 ### 2.4.140-20250324 ISO image released on 2025/03/24
### Download and Verify ### Download and Verify
2.4.130-20250311 ISO image: 2.4.140-20250324 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.130-20250311.iso https://download.securityonion.net/file/securityonion/securityonion-2.4.140-20250324.iso
MD5: 4641CA710570CCE18CD7D50653373DC0 MD5: 36393200A5CEEC5B58277691DDAFF247
SHA1: 786EF73F7945FDD80126C9AE00BDD29E58743715 SHA1: 48655378C732CF47A6B3290F6F07F4F3162BE054
SHA256: 48C7A042F20C46B8087BAE0F971696DADE9F9364D52F416718245C16E7CCB977 SHA256: 470E00245EBAD83C045743CFB27885CEC3E1F057D91081906B240A38B6D3759A
Signature for ISO image: Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.130-20250311.iso.sig https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.140-20250324.iso.sig
Signing key: Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
Download the signature file for the ISO: Download the signature file for the ISO:
``` ```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.130-20250311.iso.sig wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.140-20250324.iso.sig
``` ```
Download the ISO image: Download the ISO image:
``` ```
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.130-20250311.iso wget https://download.securityonion.net/file/securityonion/securityonion-2.4.140-20250324.iso
``` ```
Verify the downloaded ISO image using the signature file: Verify the downloaded ISO image using the signature file:
``` ```
gpg --verify securityonion-2.4.130-20250311.iso.sig securityonion-2.4.130-20250311.iso gpg --verify securityonion-2.4.140-20250324.iso.sig securityonion-2.4.140-20250324.iso
``` ```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below: The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
``` ```
gpg: Signature made Mon 10 Mar 2025 06:30:49 PM EDT using RSA key ID FE507013 gpg: Signature made Sun 23 Mar 2025 08:37:47 PM EDT using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>" gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature! gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner. gpg: There is no indication that the signature belongs to the owner.

2
VERSION
View File

@@ -1 +1 @@
2.4.140 2.4.150

4
pillar/node_data/ips.sls
View File

@@ -24,6 +24,7 @@
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% if node_types %}
node_data: node_data:
{% for node_type, host_values in node_types.items() %} {% for node_type, host_values in node_types.items() %}
{% for hostname, details in host_values.items() %} {% for hostname, details in host_values.items() %}
@@ -33,3 +34,6 @@ node_data:
role: {{node_type}} role: {{node_type}}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{% else %}
node_data: False
{% endif %}

6
pillar/top.sls
View File

@@ -25,10 +25,10 @@ base:
- firewall.adv_firewall - firewall.adv_firewall
- nginx.soc_nginx - nginx.soc_nginx
- nginx.adv_nginx - nginx.adv_nginx
- node_data.ips
'*_manager or *_managersearch or *_managerhype': '*_manager or *_managersearch or *_managerhype':
- match: compound - match: compound
- node_data.ips
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
- elasticsearch.auth - elasticsearch.auth
{% endif %} {% endif %}
@@ -92,6 +92,7 @@ base:
- stig.soc_stig - stig.soc_stig
'*_eval': '*_eval':
- node_data.ips
- secrets - secrets
- healthcheck.eval - healthcheck.eval
- elasticsearch.index_templates - elasticsearch.index_templates
@@ -139,6 +140,7 @@ base:
- minions.adv_{{ grains.id }} - minions.adv_{{ grains.id }}
'*_standalone': '*_standalone':
- node_data.ips
- logstash.nodes - logstash.nodes
- logstash.soc_logstash - logstash.soc_logstash
- logstash.adv_logstash - logstash.adv_logstash
@@ -257,6 +259,7 @@ base:
- kafka.soc_kafka - kafka.soc_kafka
'*_import': '*_import':
- node_data.ips
- secrets - secrets
- elasticsearch.index_templates - elasticsearch.index_templates
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
@@ -301,6 +304,7 @@ base:
- minions.adv_{{ grains.id }} - minions.adv_{{ grains.id }}
'*_fleet': '*_fleet':
- node_data.ips
- backup.soc_backup - backup.soc_backup
- backup.adv_backup - backup.adv_backup
- logstash.nodes - logstash.nodes

13
salt/common/soup_scripts.sls
View File

@@ -64,6 +64,12 @@ copy_so-repo-sync_manager_tools_sbin:
- source: {{UPDATE_DIR}}/salt/manager/tools/sbin/so-repo-sync - source: {{UPDATE_DIR}}/salt/manager/tools/sbin/so-repo-sync
- preserve: True - preserve: True
copy_bootstrap-salt_manager_tools_sbin:
file.copy:
- name: /opt/so/saltstack/default/salt/salt/scripts/bootstrap-salt.sh
- source: {{UPDATE_DIR}}/salt/salt/scripts/bootstrap-salt.sh
- preserve: True
# This section is used to put the new script in place so that it can be called during soup. # This section is used to put the new script in place so that it can be called during soup.
# It is faster than calling the states that normally manage them to put them in place. # It is faster than calling the states that normally manage them to put them in place.
copy_so-common_sbin: copy_so-common_sbin:
@@ -108,6 +114,13 @@ copy_so-repo-sync_sbin:
- force: True - force: True
- preserve: True - preserve: True
copy_bootstrap-salt_sbin:
file.copy:
- name: /usr/sbin/bootstrap-salt.sh
- source: {{UPDATE_DIR}}/salt/salt/scripts/bootstrap-salt.sh
- force: True
- preserve: True
{# this is added in 2.4.120 to remove salt repo files pointing to saltproject.io to accomodate the move to broadcom and new bootstrap-salt script #} {# this is added in 2.4.120 to remove salt repo files pointing to saltproject.io to accomodate the move to broadcom and new bootstrap-salt script #}
{% if salt['pkg.version_cmp'](SOVERSION, '2.4.120') == -1 %} {% if salt['pkg.version_cmp'](SOVERSION, '2.4.120') == -1 %}
{% set saltrepofile = '/etc/yum.repos.d/salt.repo' %} {% set saltrepofile = '/etc/yum.repos.d/salt.repo' %}

2
salt/common/tools/sbin/so-log-check
View File

@@ -127,6 +127,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process already finished" # Telegraf script finished just as the auto kill timeout kicked in EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process already finished" # Telegraf script finished just as the auto kill timeout kicked in
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|No shard available" # Typical error when making a query before ES has finished loading all indices EXCLUDED_ERRORS="$EXCLUDED_ERRORS|No shard available" # Typical error when making a query before ES has finished loading all indices
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|responded with status-code 503" # telegraf getting 503 from ES during startup EXCLUDED_ERRORS="$EXCLUDED_ERRORS|responded with status-code 503" # telegraf getting 503 from ES during startup
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process_cluster_event_timeout_exception" # logstash waiting for elasticsearch to start
fi fi
if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
@@ -155,6 +156,7 @@ if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|request_unauthorized" # false positive (login failures to Hydra result in an 'error' log) EXCLUDED_ERRORS="$EXCLUDED_ERRORS|request_unauthorized" # false positive (login failures to Hydra result in an 'error' log)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding index lifecycle policy" # false positive (elasticsearch policy names contain 'error') EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding index lifecycle policy" # false positive (elasticsearch policy names contain 'error')
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding ingest pipeline" # false positive (elasticsearch ingest pipeline names contain 'error') EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding ingest pipeline" # false positive (elasticsearch ingest pipeline names contain 'error')
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|updating index template" # false positive (elasticsearch index or template names contain 'error')
fi fi
if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then

2
salt/elasticfleet/tools/sbin/so-elastic-fleet-common
View File

@@ -108,7 +108,7 @@ elastic_fleet_package_is_installed() {
} }
elastic_fleet_installed_packages() { elastic_fleet_installed_packages() {
curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET -H 'kbn-xsrf: true' -H 'Content-Type: application/json' "localhost:5601/api/fleet/epm/packages/installed?perPage=300" curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET -H 'kbn-xsrf: true' -H 'Content-Type: application/json' "localhost:5601/api/fleet/epm/packages/installed?perPage=500"
} }
elastic_fleet_agent_policy_ids() { elastic_fleet_agent_policy_ids() {

20
salt/elasticsearch/files/ingest/zeek.ldap_search
View File

@@ -1,9 +1,25 @@
{ {
"description":"zeek.ldap_search", "description":"zeek.ldap_search",
"processors":[ "processors":[
{"pipeline": {"name": "zeek.ldap", "ignore_missing_pipeline":true,"ignore_failure":true}},
{"set": {"field": "event.dataset", "value":"ldap_search"}}, {"set": {"field": "event.dataset", "value":"ldap_search"}},
{"remove": {"field": "tags", "ignore_missing":true}}, {"json": {"field": "message", "target_field": "message2", "ignore_failure": true}},
{"rename": {"field": "message2.message_id", "target_field": "ldap.message_id", "ignore_missing": true}},
{"rename": {"field": "message2.opcode", "target_field": "ldap.opcode", "ignore_missing": true}},
{"rename": {"field": "message2.result", "target_field": "ldap.result", "ignore_missing": true}},
{"rename": {"field": "message2.diagnostic_message", "target_field": "ldap.diagnostic_message", "ignore_missing": true}},
{"rename": {"field": "message2.version", "target_field": "ldap.version", "ignore_missing": true}},
{"rename": {"field": "message2.object", "target_field": "ldap.object", "ignore_missing": true}},
{"rename": {"field": "message2.argument", "target_field": "ldap.argument", "ignore_missing": true}},
{"rename": {"field": "message2.scope", "target_field": "ldap_search.scope", "ignore_missing":true}},
{"rename": {"field": "message2.deref_aliases", "target_field": "ldap_search.deref_aliases", "ignore_missing":true}},
{"rename": {"field": "message2.base_object", "target_field": "ldap.object", "ignore_missing":true}},
{"rename": {"field": "message2.result_count", "target_field": "ldap_search.result_count", "ignore_missing":true}},
{"rename": {"field": "message2.filter", "target_field": "ldap_search.filter", "ignore_missing":true}},
{"rename": {"field": "message2.attributes", "target_field": "ldap_search.attributes", "ignore_missing":true}},
{"script": {"source": "if (ctx.containsKey('ldap') && ctx.ldap.containsKey('diagnostic_message') && ctx.ldap.diagnostic_message != null) {\n String message = ctx.ldap.diagnostic_message;\n\n // get user and property from SASL success\n if (message.toLowerCase().contains(\"sasl(0): successful result\")) {\n Pattern pattern = /user:\\s*([^ ]+)\\s*property:\\s*([^ ]+)/i;\n Matcher matcher = pattern.matcher(message);\n if (matcher.find()) {\n ctx.ldap.user_email = matcher.group(1); // Extract user email\n ctx.ldap.property = matcher.group(2); // Extract property\n }\n }\n if (message.toLowerCase().contains(\"ldaperr:\")) {\n Pattern pattern = /comment:\\s*([^,]+)/i;\n Matcher matcher = pattern.matcher(message);\n\n if (matcher.find()) {\n ctx.ldap.comment = matcher.group(1);\n }\n }\n }","ignore_failure": true}},
{"script": {"source": "if (ctx.containsKey('ldap') && ctx.ldap.containsKey('object') && ctx.ldap.object != null) {\n String message = ctx.ldap.object;\n\n // parse common name from ldap object\n if (message.toLowerCase().contains(\"cn=\")) {\n Pattern pattern = /cn=([^,]+)/i;\n Matcher matcher = pattern.matcher(message);\n if (matcher.find()) {\n ctx.ldap.common_name = matcher.group(1); // Extract CN\n }\n }\n // build domain from ldap object\n if (message.toLowerCase().contains(\"dc=\")) {\n Pattern dcPattern = /dc=([^,]+)/i;\n Matcher dcMatcher = dcPattern.matcher(message);\n\n StringBuilder domainBuilder = new StringBuilder();\n while (dcMatcher.find()) {\n if (domainBuilder.length() > 0 ){\n domainBuilder.append(\".\");\n }\n domainBuilder.append(dcMatcher.group(1));\n }\n if (domainBuilder.length() > 0) {\n ctx.ldap.domain = domainBuilder.toString();\n }\n }\n // create list of any organizational units from ldap object\n if (message.toLowerCase().contains(\"ou=\")) {\n Pattern ouPattern = /ou=([^,]+)/i;\n Matcher ouMatcher = ouPattern.matcher(message);\n ctx.ldap.organizational_unit = [];\n\n while (ouMatcher.find()) {\n ctx.ldap.organizational_unit.add(ouMatcher.group(1));\n }\n if(ctx.ldap.organizational_unit.isEmpty()) {\n ctx.remove(\"ldap.organizational_unit\");\n }\n }\n}\n","ignore_failure": true}},
{"remove": {"field": "message2.tags", "ignore_failure": true}},
{"remove": {"field": ["host"], "ignore_failure": true}},
{"pipeline": {"name": "zeek.common"}} {"pipeline": {"name": "zeek.common"}}
] ]
} }

51
salt/manager/tools/sbin/soup
View File

@@ -407,6 +407,8 @@ preupgrade_changes() {
[[ "$INSTALLEDVERSION" == 2.4.110 ]] && up_to_2.4.111 [[ "$INSTALLEDVERSION" == 2.4.110 ]] && up_to_2.4.111
[[ "$INSTALLEDVERSION" == 2.4.111 ]] && up_to_2.4.120 [[ "$INSTALLEDVERSION" == 2.4.111 ]] && up_to_2.4.120
[[ "$INSTALLEDVERSION" == 2.4.120 ]] && up_to_2.4.130 [[ "$INSTALLEDVERSION" == 2.4.120 ]] && up_to_2.4.130
[[ "$INSTALLEDVERSION" == 2.4.130 ]] && up_to_2.4.140
[[ "$INSTALLEDVERSION" == 2.4.140 ]] && up_to_2.4.150
true true
} }
@@ -431,6 +433,8 @@ postupgrade_changes() {
[[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.111 [[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.111
[[ "$POSTVERSION" == 2.4.111 ]] && post_to_2.4.120 [[ "$POSTVERSION" == 2.4.111 ]] && post_to_2.4.120
[[ "$POSTVERSION" == 2.4.120 ]] && post_to_2.4.130 [[ "$POSTVERSION" == 2.4.120 ]] && post_to_2.4.130
[[ "$POSTVERSION" == 2.4.130 ]] && post_to_2.4.140
[[ "$POSTVERSION" == 2.4.140 ]] && post_to_2.4.150
true true
} }
@@ -553,6 +557,16 @@ post_to_2.4.130() {
POSTVERSION=2.4.130 POSTVERSION=2.4.130
} }
post_to_2.4.140() {
echo "Nothing to apply"
POSTVERSION=2.4.140
}
post_to_2.4.150() {
echo "Nothing to apply"
POSTVERSION=2.4.150
}
repo_sync() { repo_sync() {
echo "Sync the local repo." echo "Sync the local repo."
su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync." su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -773,6 +787,18 @@ up_to_2.4.130() {
INSTALLEDVERSION=2.4.130 INSTALLEDVERSION=2.4.130
} }
up_to_2.4.140() {
echo "Nothing to do for 2.4.140"
INSTALLEDVERSION=2.4.140
}
up_to_2.4.150() {
echo "Nothing to do for 2.4.150"
INSTALLEDVERSION=2.4.150
}
add_hydra_pillars() { add_hydra_pillars() {
mkdir -p /opt/so/saltstack/local/pillar/hydra mkdir -p /opt/so/saltstack/local/pillar/hydra
touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
@@ -1085,7 +1111,7 @@ upgrade_check() {
} }
upgrade_check_salt() { upgrade_check_salt() {
NEWSALTVERSION=$(grep version: $UPDATE_DIR/salt/salt/master.defaults.yaml | awk '{print $2}') NEWSALTVERSION=$(grep "version:" $UPDATE_DIR/salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
if [ "$INSTALLEDSALTVERSION" == "$NEWSALTVERSION" ]; then if [ "$INSTALLEDSALTVERSION" == "$NEWSALTVERSION" ]; then
echo "You are already running the correct version of Salt for Security Onion." echo "You are already running the correct version of Salt for Security Onion."
else else
@@ -1231,26 +1257,6 @@ failed_soup_restore_items() {
masterunlock masterunlock
} }
#upgrade salt to 3004.1
#2_3_10_hotfix_1() {
# systemctl_func "stop" "$cron_service_name"
# # update mine items prior to stopping salt-minion and salt-master
# update_salt_mine
# stop_salt_minion
# stop_salt_master
# update_repo
# # Does salt need upgraded. If so update it.
# if [[ $UPGRADESALT -eq 1 ]]; then
# echo "Upgrading Salt"
# # Update the repo files so it can actually upgrade
# upgrade_salt
# fi
# systemctl_func "start" "salt-master"
# systemctl_func "start" "salt-minion"
# systemctl_func "start" "$cron_service_name"
#}
main() { main() {
trap 'check_err $?' EXIT trap 'check_err $?' EXIT
@@ -1446,6 +1452,9 @@ main() {
# Stop long-running scripts to allow potentially updated scripts to load on the next execution. # Stop long-running scripts to allow potentially updated scripts to load on the next execution.
killall salt-relay.sh killall salt-relay.sh
# ensure the mine is updated and populated before highstates run, following the salt-master restart
update_salt_mine
highstate highstate
postupgrade_changes postupgrade_changes
[[ $is_airgap -eq 0 ]] && unmount_update [[ $is_airgap -eq 0 ]] && unmount_update

7
salt/pcap/config.sls
View File

@@ -79,13 +79,6 @@ pcaptmpdir:
- group: 941 - group: 941
- makedirs: True - makedirs: True
pcapoutdir:
file.directory:
- name: /nsm/pcapout
- user: 939
- group: 939
- makedirs: True
pcapindexdir: pcapindexdir:
file.directory: file.directory:
- name: /nsm/pcapindex - name: /nsm/pcapindex

7
salt/pcap/init.sls
View File

@@ -24,3 +24,10 @@ pcapdir:
- user: 941 - user: 941
- group: 941 - group: 941
- makedirs: True - makedirs: True
pcapoutdir:
file.directory:
- name: /nsm/pcapout
- user: 939
- group: 939
- makedirs: True

7
salt/salt/map.jinja
View File

@@ -4,7 +4,8 @@
Elastic License 2.0. #} Elastic License 2.0. #}
{% import_yaml 'salt/minion.defaults.yaml' as saltminion %} {% import_yaml 'salt/minion.defaults.yaml' as saltminion %}
{% set SALTVERSION = saltminion.salt.minion.version %} {% set SALTVERSION = saltminion.salt.minion.version | string %}
{% set INSTALLEDSALTVERSION = grains.saltversion | string %}
{% if grains.os_family == 'Debian' %} {% if grains.os_family == 'Debian' %}
{% set SPLITCHAR = '+' %} {% set SPLITCHAR = '+' %}
@@ -16,9 +17,7 @@
{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %} {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
{% endif %} {% endif %}
{% set INSTALLEDSALTVERSION = grains.saltversion %} {% if INSTALLEDSALTVERSION != SALTVERSION %}
{% if grains.saltversion|string != SALTVERSION|string %}
{% if grains.os_family|lower == 'redhat' %} {% if grains.os_family|lower == 'redhat' %}
{% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -s 120 -r -F stable ' ~ SALTVERSION %} {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -s 120 -r -F stable ' ~ SALTVERSION %}
{% elif grains.os_family|lower == 'debian' %} {% elif grains.os_family|lower == 'debian' %}

2
salt/salt/master.defaults.yaml
View File

@@ -1,4 +1,4 @@
# version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
salt: salt:
master: master:
version: 3006.9 version: '3006.9'

26
salt/salt/master/mine_update_highstate.sls Normal file
View File

@@ -0,0 +1,26 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
# This state should only be run on managers and should never be run manually
{% set MINION_ID = grains.id %}
# Run mine.update on all minions
salt.master.mine_update_highstate.update_mine_all_minions:
salt.function:
- name: mine.update
- tgt: '*'
- batch: 50
- retry:
attempts: 3
interval: 1
# Run highstate on the original minion
# we can use concurrent on this highstate because no other highstate would be running when this is called
salt.master.mine_update_highstate.run_highstate_on_{{ MINION_ID }}:
salt.state:
- tgt: {{ MINION_ID }}
- highstate: True
- concurrent: True

3
salt/salt/minion.defaults.yaml
View File

@@ -1,6 +1,5 @@
# version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
salt: salt:
minion: minion:
version: 3006.9 version: '3006.9'
check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
service_start_delay: 30 # in seconds.

4
salt/salt/minion.sls
View File

@@ -5,10 +5,10 @@
{% from 'salt/map.jinja' import SALTPACKAGES %} {% from 'salt/map.jinja' import SALTPACKAGES %}
{% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %} {% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %}
{% import_yaml 'salt/minion.defaults.yaml' as SALTMINION %} {% import_yaml 'salt/minion.defaults.yaml' as SALTMINION %}
{% set service_start_delay = SALTMINION.salt.minion.service_start_delay %}
include: include:
- salt.python_modules - salt.python_modules
- salt.patch.x509_v2
- salt - salt
- systemd.reload - systemd.reload
- repo.client - repo.client
@@ -91,8 +91,6 @@ salt_minion_service_unit_file:
- name: {{ SYSTEMD_UNIT_FILE }} - name: {{ SYSTEMD_UNIT_FILE }}
- source: salt://salt/service/salt-minion.service.jinja - source: salt://salt/service/salt-minion.service.jinja
- template: jinja - template: jinja
- defaults:
service_start_delay: {{ service_start_delay }}
- onchanges_in: - onchanges_in:
- module: systemd_reload - module: systemd_reload

6
salt/salt/patch/x509_v2/init.sls Normal file
View File

@@ -0,0 +1,6 @@
patch_x509_v2_state_module:
file.replace:
- name: /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py
- pattern: 'res = __salt__\["state.single"\]\("file.managed", name, test=test, \*\*kwargs\)'
- repl: 'res = __salt__["state.single"]("file.managed", name, test=test, concurrent=True, **kwargs)'
- backup: .bak

893
salt/salt/scripts/bootstrap-salt.sh
View File

File diff suppressed because it is too large Load Diff

3
salt/salt/service/salt-minion.service.jinja
View File

@@ -8,8 +8,9 @@ KillMode=process
Type=notify Type=notify
NotifyAccess=all NotifyAccess=all
LimitNOFILE=8192 LimitNOFILE=8192
ExecStartPre=/bin/bash -c 'until /sbin/ip -4 addr show dev {{ salt["pillar.get"]("host:mainint") }} | grep -q "inet "; do sleep 1; done'
ExecStart=/usr/bin/salt-minion ExecStart=/usr/bin/salt-minion
ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }} TimeoutStartSec=120
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

9
salt/soc/files/bin/salt-relay.sh
View File

@@ -89,7 +89,7 @@ function manage_user() {
add) add)
email=$(echo "$request" | jq -r .email) email=$(echo "$request" | jq -r .email)
password=$(echo "$request" | jq -r .password) password=$(echo "$request" | jq -r .password)
perm=$(echo "$request" | jq -r .role) role=$(echo "$request" | jq -r .role)
firstName=$(echo "$request" | jq -r .firstName) firstName=$(echo "$request" | jq -r .firstName)
lastName=$(echo "$request" | jq -r .lastName) lastName=$(echo "$request" | jq -r .lastName)
note=$(echo "$request" | jq -r .note) note=$(echo "$request" | jq -r .note)
@@ -283,7 +283,7 @@ function send_file() {
log "encrypting..." log "encrypting..."
password=$(lookup_pillar_secret import_pass) password=$(lookup_pillar_secret import_pass)
response=$(gpg --passphrase "$password" --batch --symmetric --cipher-algo AES256 "$from") response=$(gpg --passphrase "$password" --batch --yes --symmetric --cipher-algo AES256 "$from")
log Response:$'\n'"$response" log Response:$'\n'"$response"
fromgpg="$from.gpg" fromgpg="$from.gpg"
@@ -329,12 +329,11 @@ function import_file() {
log "decrypting..." log "decrypting..."
password=$(lookup_pillar_secret import_pass) password=$(lookup_pillar_secret import_pass)
decrypt_cmd="gpg --passphrase $password -o $file.tmp --batch --decrypt $filegpg" decrypt_cmd="gpg --passphrase $password -o $file --batch --yes --decrypt $filegpg"
salt "$node" cmd.run "\"$decrypt_cmd\"" salt "$node" cmd.run "\"$decrypt_cmd\""
decrypt_code=$? decrypt_code=$?
if [[ $decrypt_code -eq 0 ]]; then if [[ $decrypt_code -eq 0 ]]; then
mv "$file.tmp" "$file"
log "importing..." log "importing..."
case $importer in case $importer in
pcap) pcap)
@@ -357,7 +356,7 @@ function import_file() {
exit_code=$decrypt_code exit_code=$decrypt_code
fi fi
rm -f "$file" "$filegpg" salt "$node" cmd.run "rm -f \"$file\" \"$filegpg\""
log Response:$'\n'"$response" log Response:$'\n'"$response"
log "Exit Code: $exit_code" log "Exit Code: $exit_code"

201
salt/top.sls
View File

@@ -21,12 +21,17 @@ base:
- schedule - schedule
- logrotate - logrotate
'not G@saltversion:{{saltversion}}': 'I@node_data:False and ( *_manager* or *_eval or *_import or *_standalone )':
- match: compound
- salt.minion
- salt.master.mine_update_highstate
'not G@saltversion:{{saltversion}} and not I@node_data:False':
- match: compound - match: compound
- salt.minion-state-apply-test - salt.minion-state-apply-test
- salt.minion - salt.minion
'* and G@saltversion:{{saltversion}}': '* and G@saltversion:{{saltversion}} and not I@node_data:False':
- match: compound - match: compound
- salt.minion - salt.minion
- patch.os.schedule - patch.os.schedule
@@ -37,23 +42,7 @@ base:
- docker - docker
- docker_clean - docker_clean
'*_sensor and G@saltversion:{{saltversion}}': '*_eval and G@saltversion:{{saltversion}} and not I@node_data:False':
- match: compound
- sensor
- ssl
- sensoroni
- telegraf
- firewall
- nginx
- pcap
- suricata
- healthcheck
- zeek
- strelka
- elasticfleet.install_agent_grid
- stig
'*_eval and G@saltversion:{{saltversion}}':
- match: compound - match: compound
- salt.master - salt.master
- sensor - sensor
@@ -85,7 +74,43 @@ base:
- utility - utility
- elasticfleet - elasticfleet
'*_manager or *_managerhype and G@saltversion:{{saltversion}}': '*_standalone and G@saltversion:{{saltversion}} and not I@node_data:False':
- match: compound
- salt.master
- sensor
- ca
- ssl
- registry
- manager
- backup.config_backup
- nginx
- influxdb
- soc
- kratos
- hydra
- firewall
- sensoroni
- telegraf
- idstools
- suricata.manager
- healthcheck
- elasticsearch
- logstash
- redis
- elastic-fleet-package-registry
- kibana
- pcap
- suricata
- zeek
- strelka
- curator.disabled
- elastalert
- utility
- elasticfleet
- stig
- kafka
'*_manager or *_managerhype and G@saltversion:{{saltversion}} and not I@node_data:False':
- match: compound - match: compound
- salt.master - salt.master
- ca - ca
@@ -120,56 +145,7 @@ base:
- match: compound - match: compound
- manager.hypervisor - manager.hypervisor
'*_standalone and G@saltversion:{{saltversion}}': '*_managersearch and G@saltversion:{{saltversion}} and not I@node_data:False':
- match: compound
- salt.master
- sensor
- ca
- ssl
- registry
- manager
- backup.config_backup
- nginx
- influxdb
- soc
- kratos
- hydra
- firewall
- sensoroni
- telegraf
- idstools
- suricata.manager
- healthcheck
- elasticsearch
- logstash
- redis
- elastic-fleet-package-registry
- kibana
- pcap
- suricata
- zeek
- strelka
- curator.disabled
- elastalert
- utility
- elasticfleet
- stig
- kafka
'*_searchnode and G@saltversion:{{saltversion}}':
- match: compound
- firewall
- ssl
- elasticsearch
- logstash
- sensoroni
- telegraf
- nginx
- elasticfleet.install_agent_grid
- stig
- kafka
'*_managersearch and G@saltversion:{{saltversion}}':
- match: compound - match: compound
- salt.master - salt.master
- ca - ca
@@ -200,6 +176,63 @@ base:
- stig - stig
- kafka - kafka
'*_import and G@saltversion:{{saltversion}} and not I@node_data:False':
- match: compound
- salt.master
- sensor
- ca
- ssl
- registry
- manager
- nginx
- influxdb
- strelka.manager
- soc
- kratos
- hydra
- sensoroni
- telegraf
- firewall
- idstools
- suricata.manager
- pcap
- elasticsearch
- elastic-fleet-package-registry
- kibana
- utility
- suricata
- zeek
- elasticfleet
'*_searchnode and G@saltversion:{{saltversion}}':
- match: compound
- firewall
- ssl
- elasticsearch
- logstash
- sensoroni
- telegraf
- nginx
- elasticfleet.install_agent_grid
- stig
- kafka
'*_sensor and G@saltversion:{{saltversion}}':
- match: compound
- sensor
- ssl
- sensoroni
- telegraf
- firewall
- nginx
- pcap
- suricata
- healthcheck
- zeek
- strelka
- elasticfleet.install_agent_grid
- stig
'*_heavynode and G@saltversion:{{saltversion}}': '*_heavynode and G@saltversion:{{saltversion}}':
- match: compound - match: compound
- sensor - sensor
@@ -219,34 +252,6 @@ base:
- elasticfleet.install_agent_grid - elasticfleet.install_agent_grid
- elasticagent - elasticagent
'*_import and G@saltversion:{{saltversion}}':
- match: compound
- salt.master
- sensor
- ca
- ssl
- registry
- manager
- nginx
- influxdb
- strelka.manager
- soc
- kratos
- hydra
- sensoroni
- telegraf
- firewall
- idstools
- suricata.manager
- pcap
- elasticsearch
- elastic-fleet-package-registry
- kibana
- utility
- suricata
- zeek
- elasticfleet
'*_receiver and G@saltversion:{{saltversion}}': '*_receiver and G@saltversion:{{saltversion}}':
- match: compound - match: compound
- ssl - ssl

1
salt/zeek/soc_zeek.yaml
View File

@@ -63,4 +63,5 @@ zeek:
duplicates: True duplicates: True
file_extraction: file_extraction:
description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENSION"} description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENSION"}
forcedType: "[]{}"
helpLink: zeek.html helpLink: zeek.html

1814
setup/files/patch/states/x509_v2.py
View File

File diff suppressed because it is too large Load Diff

13
setup/so-functions
View File

@@ -95,7 +95,7 @@ analyze_system() {
desktop_salt_local() { desktop_salt_local() {
SALTVERSION=$(egrep 'version: [0-9]{4}' ../salt/salt/master.defaults.yaml | sed 's/^.*version: //') SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
# Install everything using local salt # Install everything using local salt
# Set the repo # Set the repo
securityonion_repo securityonion_repo
@@ -1860,7 +1860,7 @@ securityonion_repo() {
} }
repo_sync_local() { repo_sync_local() {
SALTVERSION=$(egrep 'version: [0-9]{4}' ../salt/salt/master.defaults.yaml | sed 's/^.*version: //') SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
info "Repo Sync" info "Repo Sync"
if [[ $is_supported ]]; then if [[ $is_supported ]]; then
# Sync the repo from the the SO repo locally. # Sync the repo from the the SO repo locally.
@@ -1921,7 +1921,7 @@ repo_sync_local() {
saltify() { saltify() {
info "Installing Salt" info "Installing Salt"
SALTVERSION=$(egrep 'version: [0-9]{4}' ../salt/salt/master.defaults.yaml | sed 's/^.*version: //') SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
if [[ $is_deb ]]; then if [[ $is_deb ]]; then
DEBIAN_FRONTEND=noninteractive retry 150 20 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || fail_setup DEBIAN_FRONTEND=noninteractive retry 150 20 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || fail_setup
@@ -2003,11 +2003,8 @@ salt_install_module_deps() {
} }
salt_patch_x509_v2() { salt_patch_x509_v2() {
# this can be removed when https://github.com/saltstack/salt/issues/64195 is resolved # this can be removed when https://github.com/saltstack/salt/issues/66929 is resolved
if [ $SALTVERSION == "3006.1" ]; then logCmd "salt-call state.apply salt.patch.x509_v2 --local --file-root=../salt/"
info "Salt version 3006.1 found. Patching /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py"
\cp -v ./files/patch/states/x509_v2.py /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py
fi
} }
# Create an secrets pillar so that passwords survive re-install # Create an secrets pillar so that passwords survive re-install

BIN
sigs/securityonion-2.4.140-20250324.iso.sig Normal file
View File

Binary file not shown.