From a18c89d804ef2b8640da0ba6d5cf430a6d428759 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 21 Dec 2020 11:42:03 -0500 Subject: [PATCH 01/32] fix typo in so-analyst-install warning --- salt/common/tools/sbin/so-analyst-install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-analyst-install b/salt/common/tools/sbin/so-analyst-install index e97aca0df..a76fd4784 100755 --- a/salt/common/tools/sbin/so-analyst-install +++ b/salt/common/tools/sbin/so-analyst-install @@ -84,7 +84,7 @@ while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do echo "## ##" echo "## Installing the Security Onion ##" echo "## analyst node on this device will ##" - echo "## make permanenet changes to ##" + echo "## make permanent changes to ##" echo "## the system. ##" echo "## ##" echo "###########################################" From f2d8c7f10d0aec869bc73f55142adc614ac7421e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 21 Dec 2020 16:53:30 -0500 Subject: [PATCH 02/32] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 69484413e..3b31fa0ce 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.20 \ No newline at end of file +2.3.21 From aecde2dd54e9d3f830eca4292d2eeeff9b0417cf Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 21 Dec 2020 16:54:10 -0500 Subject: [PATCH 03/32] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 87cbefbf6..5f133b5aa 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.3.20 +## Security Onion 2.3.21 -Security Onion 2.3.20 is here! +Security Onion 2.3.21 is here! ## Screenshots From b49355d3464b2f1fe2e39b629c34676abd2e895d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 21 Dec 2020 16:54:55 -0500 Subject: [PATCH 04/32] Update changes.json --- salt/soc/files/soc/changes.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index 2736e73b8..e986a6953 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json @@ -1,5 +1,5 @@ { - "title": "Security Onion 2.3.20 is here!", + "title": "Security Onion 2.3.21 is here!", "changes": [ { "summary": "soup has been refactored. You will need to run it a few times to get all the changes properly. We are working on making this even easier for future releases."}, { "summary": "soup now has awareness of Elastic Features and now downloads the appropriate Docker containers."}, From 7116c2103b6c209992c81551aa3a9790545d1b31 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 21 Dec 2020 17:06:14 -0500 Subject: [PATCH 05/32] Update Docker Clean --- salt/docker_clean/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/docker_clean/init.sls b/salt/docker_clean/init.sls index 9c5ce0d17..c29151664 100644 --- a/salt/docker_clean/init.sls +++ b/salt/docker_clean/init.sls @@ -1,6 +1,6 @@ {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} -{% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3','2.3.0','2.3.1','2.3.2']%} +{% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3','2.3.0','2.3.1','2.3.2','2.3.20']%} {% for VERSION in OLDVERSIONS %} remove_images_{{ VERSION }}: From 88bfe7c49c630af991cf2fd9ca307e8e8ef76edb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 21 Dec 2020 19:52:31 -0500 Subject: [PATCH 06/32] Update VERIFY_ISO.md --- VERIFY_ISO.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index e28513cef..f023a7300 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md 
@@ -1,16 +1,16 @@ -### 2.3.20 ISO image built on 2020/12/20 +### 2.3.21 ISO image built on 2020/12/21 ### Download and Verify -2.3.20 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.20.iso +2.3.21 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.21.iso -MD5: E348FA65A46FD3FBA0D574D9C1A0582D -SHA1: 4A6E6D4E0B31ECA1B72E642E3DB2C186B59009D6 -SHA256: 25DE77097903640771533FA13094D0720A032B70223875F8C77A92F5C44CA687 +MD5: 7B8BC5B241B7220C011215BCE852FF78 +SHA1: 541C9689D8F8E8D3F25E169ED34A3F683851975B +SHA256: 7647FD67BA6AC85CCB1308789FFF7DAB19A841621FDA9AE41B89A0A79618F068 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.20.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.21.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -24,22 +24,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.20.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.21.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.20.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.21.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.20.iso.sig securityonion-2.3.20.iso +gpg --verify securityonion-2.3.21.iso.sig securityonion-2.3.21.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Sun 20 Dec 2020 11:11:28 AM EST using RSA key ID FE507013 +gpg: Signature made Mon 21 Dec 2020 06:27:53 PM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. From 3a3182a51fcbf16e5f57cec3906e16ac7fefe3c1 Mon Sep 17 00:00:00 2001 From: TOoSmOotH Date: Tue, 22 Dec 2020 08:32:58 -0500 Subject: [PATCH 07/32] 2.3.21 ISO sig --- sigs/securityonion-2.3.21.iso.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/securityonion-2.3.21.iso.sig 
diff --git a/sigs/securityonion-2.3.21.iso.sig b/sigs/securityonion-2.3.21.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..6c49a939152480627ca47d805d574e3d5f1f2d98 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5;FL?k82@re`V7LBIa1)vF5B(dalxN4t5kM7KsTA`5 zP%19=-L{U3i<^)x>XgXS$`EbG|uqt`lL>2)%qr(=PT@_Z?cOgG{oaJ)f9$26h@fNc}y_F#IFDa!u zd60jQ3hur@rJH`pAwW4-_o`Z20VH{d95za62n^%*Di&f{95c)zgS`lx5_sNm1B_SM zO6?VTh&WpF%DEUZK8dc8Ujb;!?H-JCat1x!-U4yGm`_D83QkK_Cy%&9ih4Q*@2R`f z^C+yiCy?sUN=J6xKT4{XZ_cwO8z4tFo|}ho!C|H~A)oO`jRR7=u-`(jbRyC30F>0= zW*y0`reaqIII|U1o>5#nE|!_#%sr2Bgo*!y6SGK=-DLf?kp)@~uLK092Qe!<*88$g za!pHZWs<~OMrYr)?}^w|l(=eONCb!D5wyYA%J)To4dS?B!97bUT$#zx_VcuwA8tUJ z7Fp05)YJIn4sEHwxM7a*Lv}_kI-eBRtDUIO^eQDRzHq|#g*uG@IgZ-5&93K9o3M_q z_iX(RNO_ZF2?YB<%g}IGreI;5#Oy9{z5h+mnY0s10zb@1?)&%$j`M>N;5hLS?%p^q hPAv^$_DZuH&LCJ&T3BSaGxgdG~=BlujVDpk6)|Ih#c literal 0 HcmV?d00001 From 5678e66b399c86af9b126492ead664bcf611ff73 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 26 Feb 2021 08:33:24 -0500 Subject: [PATCH 08/32] Fix so-playbook-sigma-refresh --- salt/common/tools/sbin/so-playbook-sigma-refresh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-playbook-sigma-refresh b/salt/common/tools/sbin/so-playbook-sigma-refresh index 10697bc2f..7445786f9 100644 --- a/salt/common/tools/sbin/so-playbook-sigma-refresh +++ b/salt/common/tools/sbin/so-playbook-sigma-refresh @@ -17,4 +17,11 @@ . /usr/sbin/so-common -docker exec so-soctopus python3 playbook_play-update.py \ No newline at end of file +# Regenerate ElastAlert & update Plays +docker exec so-soctopus python3 playbook_play-update.py + +# Delete current Elastalert Rules +rm /opt/so/rules/elastalert/playbook/*.yaml + +# Regenerate Elastalert Rules +so-playbook-sync \ No newline at end of file From 333a7e6173bd763158df1ff3ff3e01ff2ed308a2 Mon Sep 17 00:00:00 2001 
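Review bot: The added `rm /opt/so/rules/elastalert/playbook/*.yaml` runs unconditionally after the `docker exec`, so a failed play update (container not running, script error) still wipes the current ElastAlert rules before `so-playbook-sync` gets a chance to regenerate them, and when the directory is already empty the unexpanded glob makes `rm` report an error for a literal `*.yaml` path. Gate the cleanup on the first step and tolerate an empty directory: `docker exec so-soctopus python3 playbook_play-update.py || exit 1` and `rm -f /opt/so/rules/elastalert/playbook/*.yaml`. Whether the sourced `/usr/sbin/so-common` enables `errexit` or `nullglob` is not visible in this hunk; if it does, the first point is already covered.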
From: William Wernert Date: Fri, 26 Feb 2021 09:14:30 -0500 Subject: [PATCH 09/32] [fix] Change logic for collecting fleet custom hostname --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 52865b5f1..8213cd516 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -331,7 +331,7 @@ collect_es_space_limit() { collect_fleet_custom_hostname_inputs() { whiptail_fleet_custom_hostname - while ! valid_fqdn "$FLEETCUSTOMHOSTNAME" || [[ $FLEETCUSTOMHOSTNAME != "" ]]; do + while [[ -n $FLEETCUSTOMHOSTNAME ]] && ! valid_fqdn "$FLEETCUSTOMHOSTNAME"; do whiptail_invalid_input whiptail_fleet_custom_hostname "$FLEETCUSTOMHOSTNAME" done From be1f641bf0e5dd93178521874568f6904ba86405 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 26 Feb 2021 10:27:14 -0500 Subject: [PATCH 10/32] [refactor] Make default route message a warning Don't force users to exit setup if the default route and management NIC's IP don't match, just warn them --- setup/so-functions | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 8213cd516..5d4dff0fc 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -754,19 +754,23 @@ compare_main_nic_ip() { if ! [[ $MNIC =~ ^(tun|wg|vpn).*$ ]]; then if [[ "$MAINIP" != "$MNIC_IP" ]]; then read -r -d '' message <<- EOM - The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC). + The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC). - This is not a supported configuration, please remediate and rerun setup. - EOM - whiptail --title "Security Onion Setup" --msgbox "$message" 10 75 - kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1 - fi + This has been known to cause installs to fail in some scenarios. + + Please select whether to continue the install or exit setup to remediate any potential issues. + EOM + whiptail --title "Security Onion Setup" \ + --yesno "$message" 10 75 \ + --yes-button "Continue" --no-button "Exit" --defaultno + + kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1 + fi else # Setup uses MAINIP, but since we ignore the equality condition when using a VPN # just set the variable to the IP of the VPN interface MAINIP=$MNIC_IP fi - } compare_versions() { From 4a03862fc42eb4d7f9945f6bd13b28cc0031294b Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 26 Feb 2021 14:26:28 -0500 Subject: [PATCH 11/32] Add suricata distributed automations --- ...> distributed-net-ubuntu-suricata-manager} | 0 .../distributed-net-ubuntu-suricata-search | 78 +++++++++++++++++++ .../distributed-net-ubuntu-suricata-sensor | 78 +++++++++++++++++++ 3 files changed, 156 insertions(+) rename setup/automation/{distributed-net-ubuntu-manager-suricata => distributed-net-ubuntu-suricata-manager} (100%) create mode 100644 setup/automation/distributed-net-ubuntu-suricata-search create mode 100644 setup/automation/distributed-net-ubuntu-suricata-sensor 
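Review bot: The exit status of the new `whiptail --yesno` is never tested, so `kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1` runs whether the user picks Continue or Exit, which is the opposite of what the commit message and the new prompt text promise. Wrap the call in the test: `if ! whiptail --title "Security Onion Setup" --yesno "$message" 10 75 --yes-button "Continue" --no-button "Exit" --defaultno; then kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1; fi`. The message also grew from one paragraph to three while the dialog stays `10 75`, so the last paragraph may be clipped; worth checking on a real terminal. `compare_main_nic_ip` begins before this hunk.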
diff --git a/setup/automation/distributed-net-ubuntu-manager-suricata b/setup/automation/distributed-net-ubuntu-suricata-manager similarity index 100% rename from setup/automation/distributed-net-ubuntu-manager-suricata rename to setup/automation/distributed-net-ubuntu-suricata-manager diff --git a/setup/automation/distributed-net-ubuntu-suricata-search b/setup/automation/distributed-net-ubuntu-suricata-search new file mode 100644 index 000000000..3914a6d1c --- /dev/null +++ b/setup/automation/distributed-net-ubuntu-suricata-search 
@@ -0,0 +1,78 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +# ALLOW_CIDR=0.0.0.0/0 +# ALLOW_ROLE=a +# BASICZEEK=7 +# BASICSURI=7 +# BLOGS= +# BNICS=eth1 +# ZEEKVERSION=ZEEK +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +# GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=distributed-search +install_type=SEARCHNODE +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +# MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=ens18 +# MSEARCH= +MSRV=distributed-manager +MSRVIP=10.66.166.66 +# MTU= +# NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +# OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +# PLAYBOOK=1 +# REDIRECTHOST= +# REDIRECTINFO=IP +# RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +# STRELKA=1 +# THEHIVE=1 +# WAZUH=1 +# WEBUSER=onionuser@somewhere.invalid +# WEBPASSWD1=0n10nus3r +# WEBPASSWD2=0n10nus3r 
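Review bot: Nothing in the new file says what consumes it or that its values are fixtures, which matters because it is an executable file full of plaintext credentials (`ADMINPASS1=onionuser`, `SOREMOTEPASS1=onionuser`). Below the license header, add `# Answer file for an unattended so-setup run of a distributed search node; the TESTING=true line and every credential below are throwaway test values.` The same comment belongs in the sensor file added by this commit. I am inferring the consumer from the `setup/automation/` path and the `install_type`/`MSRV` variable names, so adjust the wording if so-setup reads these files differently.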
diff --git a/setup/automation/distributed-net-ubuntu-suricata-sensor b/setup/automation/distributed-net-ubuntu-suricata-sensor new file mode 100644 index 000000000..2d5e15f15 --- /dev/null +++ b/setup/automation/distributed-net-ubuntu-suricata-sensor 
@@ -0,0 +1,78 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +# ALLOW_CIDR=0.0.0.0/0 +# ALLOW_ROLE=a +BASICZEEK=2 +BASICSURI=2 +# BLOGS= +BNICS=ens19 +ZEEKVERSION=ZEEK +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +# GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=distributed-sensor +install_type=SENSOR +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +# MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=ens18 +# MSEARCH= +MSRV=distributed-manager +MSRVIP=10.66.166.66 +# MTU= +# NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +# NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +# OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +# PLAYBOOK=1 +# REDIRECTHOST= +# REDIRECTINFO=IP +# RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +# STRELKA=1 +# THEHIVE=1 +# WAZUH=1 +# WEBUSER=onionuser@somewhere.invalid +# WEBPASSWD1=0n10nus3r +# WEBPASSWD2=0n10nus3r From fd877a225683d66c384159096397a603b7c5104a Mon Sep 17 00:00:00 2001 
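Review bot: For a file named `distributed-net-ubuntu-suricata-sensor`, `# NIDS=Suricata` stays commented out while `ZEEKVERSION=ZEEK`, `BASICZEEK=2` and `BASICSURI=2` are all set, so the metadata engine does not look like it is actually pinned to Suricata here. If the intent is a Suricata-only sensor, uncomment `NIDS=Suricata` and comment out `ZEEKVERSION=ZEEK`; otherwise add a comment naming which setting selects Suricata so the file name is not misleading. How so-setup interprets these variables is outside this patch, so confirm against the setup code before changing them.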
From: William Wernert Date: Fri, 26 Feb 2021 15:40:20 -0500 Subject: [PATCH 12/32] Fix logic for configure network option in setup --- setup/so-setup | 2 +- setup/so-whiptail | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 20eeeee08..65fbbe16e 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -191,7 +191,7 @@ if ! [[ -f $install_opt_file ]]; then fi if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then whiptail_first_menu_iso - if [[ $option == "Configure Network" ]]; then + if [[ $option == "CONFIGURENETWORK" ]]; then network_init_whiptail whiptail_management_interface_setup network_init diff --git a/setup/so-whiptail b/setup/so-whiptail index eef2aba66..2e22b91a5 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -652,6 +652,8 @@ whiptail_first_menu_iso() { ) local exitstatus=$? whiptail_check_exitstatus $exitstatus + + option=$(echo "${option^^}" | tr -d ' ') } whiptail_make_changes() { From 9631327c71f56e6ac4505bfb5d08ee17ed98bbba Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 26 Feb 2021 18:11:13 -0500 Subject: [PATCH 13/32] Add changes.json for 2.3.30 --- salt/soc/files/soc/changes.json | 94 +++++++++++++++------------------ 1 file changed, 44 insertions(+), 50 deletions(-) diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index 2736e73b8..607825c8a 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json 
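Review bot: `option=$(echo "${option^^}" | tr -d ' ')` forks a subshell and a pipeline for something bash does in place; `option=${option^^}` followed by `option=${option// /}` yields the same `CONFIGURENETWORK` token and reads more clearly next to the comparison in so-setup. Because `whiptail_check_exitstatus` runs before the normalization, any early return or exit it performs leaves `option` in its original mixed-case form, so callers other than the `CONFIGURENETWORK` branch shown here (not visible in this patch) would only see the normalized value on the success path. A comment such as `# Normalize the menu label to a fixed token so so-setup can compare it` would help the next reader connect the two files. `whiptail_first_menu_iso` begins before this hunk.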
@@ -1,54 +1,48 @@ { - "title": "Security Onion 2.3.20 is here!", + "title": "Security Onion 2.3.30 is here!", "changes": [ - { "summary": "soup has been refactored. You will need to run it a few times to get all the changes properly. We are working on making this even easier for future releases."}, - { "summary": "soup now has awareness of Elastic Features and now downloads the appropriate Docker containers."}, - { "summary": "The Sensors interface has been renamed to Grid. This interface now includes all Security Onion nodes."}, - { "summary": "Grid interface now includes the status of the node. The status currently shows either Online (blue) or Offline (orange). If a node does not check-in on time then it will be marked as Offline."}, - { "summary": "Grid interface now includes the IP and Role of each node in the grid."}, - { "summary": "Grid interface includes a new Filter search input to filter the visible list of grid nodes to a desired subset. As an example, typing in “sensor” will hide all nodes except those that behave as a sensor."}, - { "summary": "The Grid description field can now be customized via the local minion pillar file for each node."}, - { "summary": "SOC will now draw attention to an unhealthy situation within the grid or with the connection between the user’s browser and the manager node. For example, when the Grid has at least one Offline node the SOC interface will show an exclamation mark in front of the browser tab’s title and an exclamation mark next to the Grid menu option in SOC. Additionally, the favicon will show an orange marker in the top-right corner (dynamic favicons not supported in Safari). 
Additionally, if the user’s web browser is unable to communicate with the manager the unhealth indicators appear along with a message at the top of SOC that states there is a connection problem."}, - { "summary": "Docker has been upgraded to the latest version."}, - { "summary": "Docker should be more reliable now as Salt is now managing daemon.json."}, - { "summary": "You can now install Elastic in a traditional cluster. When setting up the manager select Advanced and follow the prompts. Replicas are controlled in global.sls."}, - { "summary": "You can now use Hot and Warm routing with Elastic in a traditional cluster. You can change the box.type in the minion’s sls file. You will need to create a curator job to re-tag the indexes based on your criteria."}, - { "summary": "Telegraf has been updated to version 1.16.3."}, - { "summary": "Grafana has been updated to 7.3.4 to resolve some XSS vulnerabilities."}, - { "summary": "Grafana graphs have been changed to graphs vs guages so alerting can be set up."}, - { "summary": "Grafana is now completely pillarized, allowing users to customize alerts and making it customizable for email, Slack, etc. See the docs here."}, - { "summary": "Yara rules now should properly install on non-airgap installs. Previously, users had to wait for an automated job to place them in the correct location."}, - { "summary": "Strelka backend will not stop itself any more. 
Previously, its behavior was to shut itself down after fifteen minutes and wait for Salt to restart it to look for work before shutting down again."}, - { "summary": "Strelka daily rule updates are now logged to /nsm/strelka/log/yara-update.log"}, - { "summary": "Several changes to the setup script to improve install reliability."}, - { "summary": "Airgap now supports the import node type."}, - { "summary": "Custom Zeek file extraction values in the pillar now work properly."}, - { "summary": "TheHive has been updated to support Elastic 7."}, - { "summary": "Cortex image now includes whois package to correct an issue with the CERTatPassiveDNS analyzer."}, - { "summary": "Hunt and Alert quick action menu has been refactored into submenus."}, - { "summary": "New clipboard quick actions now allow for copying fields or entire events to the clipboard."}, - { "summary": "PCAP Add Job form now retains previous job details for quickly adding additional jobs. A new Clear button now exists at the bottom of this form to clear out these fields and forget the previous job details."}, - { "summary": "PCAP Add Job form now allows users to perform arbitrary PCAP lookups of imported PCAP data (data imported via the so-import-pcap script)."}, - { "summary": "Downloads page now allows direct download of Wazuh agents for Linux, Mac, and Windows from the manager, and shows the version of Wazuh and Elastic installed with Security Onion."}, - { "summary": "PCAP job interface now shows additional job filter criteria when expanding the job filter details."}, - { "summary": "Upgraded authentication backend to Kratos 0.5.5."}, - { "summary": "SOC tables with the “Rows per Page” dropdown no longer show truncated page counts."}, - { "summary": "Several Hunt errors are now more descriptive, particularly those around malformed queries."}, - { "summary": "SOC Error banner has been improved to avoid showing raw HTML syntax, making connection and server-side errors more readable."}, - { "summary": 
"Hunt and Alerts interfaces will now allow pivoting to PCAP from a group of results if the grouped results contain a network.community_id field."}, - { "summary": "New “Correlate” quick action will pivot to a new Hunt search for all events that can be correlated by at least one of various event IDs."}, - { "summary": "Fixed bug that caused some Hunt queries to not group correctly without a .keyword suffix. This has been corrected so that the .keyword suffix is no longer necessary on those groupby terms."}, - { "summary": "Fixed issue where PCAP interface loses formatting and color coding when opening multiple PCAP tabs."}, - { "summary": "Alerts interface now has a Refresh button that allows users to refresh the current alerts view without refreshing the entire SOC application."}, - { "summary": "Hunt and Alerts interfaces now have an auto-refresh dropdown that will automatically refresh the current view at the selected frequency."}, - { "summary": "The so-elastalert-test script has been refactored to work with Security Onion 2.3."}, - { "summary": "The included Logstash image now includes Kafka plugins."}, - { "summary": "Wazuh agent registration process has been improved to support slower hardware and networks."}, - { "summary": "An Elasticsearch ingest pipeline has been added for suricata.ftp_data."}, - { "summary": "Elasticsearch’s indices.query.bool.max_clause_count value has been increased to accommodate a slightly larger number of fields (1024 -> 1500) when querying using a wildcard."}, - { "summary": "On nodes being added to an existing grid, setup will compare the version currently being installed to the manager (>=2.3.20), pull the correct Security Onion version from the manager if there is a mismatch, and run that version."}, - { "summary": "Setup will gather any errors found during a failed install into /root/errors.log for easy copy/paste and debugging."}, - { "summary": "Selecting Suricata as the metadata engine no longer results in the install 
failing."}, - { "summary": "so-rule-update now accepts arguments to idstools. For example, so-rule-update -f will force idstools to pull rules, ignoring the default 15-minute pull limit."} + { "summary": "Zeek is now at version 3.0.13." }, + { "summary": "CyberChef is now at version 9.27.2." }, + { "summary": "Elastic components are now at version 7.10.2. This is the last version that uses the Apache license." }, + { "summary": "Suricata is now at version 6.0.1." }, + { "summary": "Suricata metadata parsing is now vastly improved." }, + { "summary": "If you choose Suricata for metadata parsing, it will now extract files from the network and send them to Strelka. You can add additional mime types here." }, + { "summary": "It is now possible to filter Suricata events from being written to the logs. This is a new Suricata 6 feature. We have included some examples here." }, + { "summary": "The Kratos docker container will now perform DNS lookups locally before reaching out to the network DNS provider." }, + { "summary": "Network configuration is now more compatible with manually configured OpenVPN or Wireguard VPN interfaces." }, + { "summary": "
so-sensor-clean
will no longer spawn multiple instances." }, + { "summary": "Suricata eve.json logs will now be cleaned up after 7 days. This can be changed via the pillar setting." }, + { "summary": "The automated backup script on the manager now backs up all keys along with the salt configurations. Backup retention is now set to 7 days." }, + { "summary": "Strelka logs are now being rotated properly." }, + { "summary": "Elastalert can now be customized via a pillar." }, + { "summary": "Introduced new script
so-monitor-add
that allows the user to easily add interfaces to the bond for monitoring." }, + { "summary": "Setup now validates all user input fields to give up-front feedback if an entered value is invalid." }, + { "summary": "There have been several changes to improve install reliability. Many install steps have had their validation processes reworked to ensure that required tasks have been completed before moving on to the next step of the install." }, + { "summary": "Users are now warned if they try to set securityonion as their hostname." }, + { "summary": "The ISO should now identify xvda and nvme devices as install targets." }, + { "summary": "At the end of the first stage of the ISO setup, the ISO device should properly unmount and eject." }, + { "summary": "The text selection of choosing Suricata vs Zeek for metadata is now more descriptive." }, + { "summary": "The logic for properly setting the
LOG_SIZE_LIMIT
variable has been improved." }, + { "summary": "When installing on Ubuntu, Setup will now wait for cloud init to complete before trying to start the install of packages." }, + { "summary": "The firewall state runs considerably faster now." }, + { "summary": "ICMP timestamps are now disabled." }, + { "summary": "Copyright dates on all Security Onion specific files have been updated." }, + { "summary": "
so-tcpreplay
(and indirectly
so-test
) should now work properly." }, + { "summary": "The Zeek packet loss script is now more accurate." }, + { "summary": "Grafana now includes an estimated EPS graph for events ingested on the manager." }, + { "summary": "Updated Elastalert to release 0.2.4-alt2 based on the jertel/elastalert alt branch." }, + { "summary": "Pivots from Alerts/Hunts to action links will properly URI encode values." }, + { "summary": "Hunt timeline graph will properly scale the data point interval based on the search date range." }, + { "summary": "Grid interface will properly show Search as the node type instead of so-node." }, + { "summary": "Import node now supports airgap environments." }, + { "summary": "The so-mysql container will now show healthy when viewing the docker ps output." }, + { "summary": "The Soctopus configuration now uses private IPs instead of public IPs, allowing network communications to succeed within the grid." }, + { "summary": "The Correlate action in Hunt now groups the OR filters together to ensure subsequent user-added filters are correctly ANDed to the entire OR group." }, + { "summary": "Add support to
so-firewall
script to display existing port groups and host groups." }, + { "summary": "TheHive initialization during Security Onion setup will now properly check for a running ES instance and will retry connectivity checks to TheHive before proceeding." }, + { "summary": "Changes to the .security analyzer yields more accurate query results when using Playbook." }, + { "summary": "Several Hunt queries have been updated." }, + { "summary": "The pfSense firewall log parser has been updated to improve compatibility." }, + { "summary": "Kibana dashboard hyperlinks have been updated for faster navigation." } ] } From 7451aa990bce49a62db87ad90928b0d4ea3221f9 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Sat, 27 Feb 2021 08:14:44 -0500 Subject: [PATCH 14/32] Improve formatting of changes list --- salt/soc/files/soc/changes.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index 607825c8a..0d2bc29b6 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json @@ -10,24 +10,24 @@ { "summary": "It is now possible to filter Suricata events from being written to the logs. This is a new Suricata 6 feature. We have included some examples here." }, { "summary": "The Kratos docker container will now perform DNS lookups locally before reaching out to the network DNS provider." }, { "summary": "Network configuration is now more compatible with manually configured OpenVPN or Wireguard VPN interfaces." }, - { "summary": "
so-sensor-clean
will no longer spawn multiple instances." }, + { "summary": "so-sensor-clean will no longer spawn multiple instances." }, { "summary": "Suricata eve.json logs will now be cleaned up after 7 days. This can be changed via the pillar setting." }, { "summary": "The automated backup script on the manager now backs up all keys along with the salt configurations. Backup retention is now set to 7 days." }, { "summary": "Strelka logs are now being rotated properly." }, { "summary": "Elastalert can now be customized via a pillar." }, - { "summary": "Introduced new script
so-monitor-add
that allows the user to easily add interfaces to the bond for monitoring." }, + { "summary": "Introduced new script so-monitor-add that allows the user to easily add interfaces to the bond for monitoring." }, { "summary": "Setup now validates all user input fields to give up-front feedback if an entered value is invalid." }, { "summary": "There have been several changes to improve install reliability. Many install steps have had their validation processes reworked to ensure that required tasks have been completed before moving on to the next step of the install." }, { "summary": "Users are now warned if they try to set securityonion as their hostname." }, { "summary": "The ISO should now identify xvda and nvme devices as install targets." }, { "summary": "At the end of the first stage of the ISO setup, the ISO device should properly unmount and eject." }, { "summary": "The text selection of choosing Suricata vs Zeek for metadata is now more descriptive." }, - { "summary": "The logic for properly setting the
LOG_SIZE_LIMIT
variable has been improved." }, + { "summary": "The logic for properly setting the LOG_SIZE_LIMIT variable has been improved." }, { "summary": "When installing on Ubuntu, Setup will now wait for cloud init to complete before trying to start the install of packages." }, { "summary": "The firewall state runs considerably faster now." }, { "summary": "ICMP timestamps are now disabled." }, { "summary": "Copyright dates on all Security Onion specific files have been updated." }, - { "summary": "
so-tcpreplay
(and indirectly
so-test
) should now work properly." }, + { "summary": "so-tcpreplay (and indirectly so-test) should now work properly." }, { "summary": "The Zeek packet loss script is now more accurate." }, { "summary": "Grafana now includes an estimated EPS graph for events ingested on the manager." }, { "summary": "Updated Elastalert to release 0.2.4-alt2 based on the jertel/elastalert alt branch." }, @@ -38,7 +38,7 @@ { "summary": "The so-mysql container will now show healthy when viewing the docker ps output." }, { "summary": "The Soctopus configuration now uses private IPs instead of public IPs, allowing network communications to succeed within the grid." }, { "summary": "The Correlate action in Hunt now groups the OR filters together to ensure subsequent user-added filters are correctly ANDed to the entire OR group." }, - { "summary": "Add support to
so-firewall
script to display existing port groups and host groups." }, + { "summary": "Add support to so-firewall script to display existing port groups and host groups." }, { "summary": "TheHive initialization during Security Onion setup will now properly check for a running ES instance and will retry connectivity checks to TheHive before proceeding." }, { "summary": "Changes to the .security analyzer yields more accurate query results when using Playbook." }, { "summary": "Several Hunt queries have been updated." }, From 810ffbdaf5229f03aa76eaa0d9e428218d489f08 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 1 Mar 2021 08:41:19 -0500 Subject: [PATCH 15/32] Add max to MTU input validation to encompass default + jumbo frames --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 5d4dff0fc..35c6ed9fa 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -446,7 +446,7 @@ collect_mngr_hostname() { collect_mtu() { whiptail_bond_nics_mtu "1500" - while ! valid_int "$MTU" "68"; do + while ! valid_int "$MTU" "68" "10000"; do whiptail_invalid_input whiptail_bond_nics_mtu "$MTU" done From 6113bcc2617449ffb6680ca05e921f7f07d37f60 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 1 Mar 2021 09:16:51 -0500 Subject: [PATCH 16/32] [fix] Increase max integer value --- salt/common/tools/sbin/so-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index a706831fa..b76ad05ff 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -333,7 +333,7 @@ valid_ip4() { valid_int() { local num=$1 local min=${2:-1} - local max=${3:-1000} + local max=${3:-1000000000} [[ $num =~ ^[0-9]*$ ]] && [[ $num -ge $min ]] && [[ $num -le $max ]] && return 0 || return 1 } From cf9be3521d7db357e6574931d3320a2738c51aab Mon Sep 17 00:00:00 2001 
From: William Wernert Date: Mon, 1 Mar 2021 09:17:36 -0500 Subject: [PATCH 17/32] [fix] Don't validate LS/ES heap sizes * Also remove comments + fix indent --- setup/so-functions | 30 ++++++++++-------------------- 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 5d4dff0fc..9441e28bc 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -271,7 +271,7 @@ collect_adminuser_inputs() { collect_cur_close_days() { whiptail_cur_close_days "$CURCLOSEDAYS" - while ! valid_int "$CURCLOSEDAYS" "1"; do + while ! valid_int "$CURCLOSEDAYS"; do whiptail_invalid_input whiptail_cur_close_days "$CURCLOSEDAYS" done @@ -322,7 +322,7 @@ collect_es_cluster_name() { collect_es_space_limit() { whiptail_log_size_limit "$log_size_limit" - while ! valid_int "$log_size_limit" "1"; do # Upper/lower bounds? + while ! valid_int "$log_size_limit"; do # Upper/lower bounds? whiptail_invalid_input whiptail_log_size_limit "$log_size_limit" done @@ -368,7 +368,7 @@ collect_gateway() { } collect_helix_key() { - whiptail_helix_apikey # validate? + whiptail_helix_apikey } collect_homenet_mngr() { @@ -398,7 +398,6 @@ collect_hostname() { whiptail_set_hostname "$HOSTNAME" - if [[ $HOSTNAME == 'securityonion' ]]; then # Will only check HOSTNAME=securityonion once if ! (whiptail_avoid_default_hostname); then whiptail_set_hostname @@ -454,20 +453,10 @@ collect_mtu() { collect_node_es_heap() { whiptail_node_es_heap "$ES_HEAP_SIZE" - - while ! valid_int "$NODE_ES_HEAP_SIZE"; do - whiptail_invalid_input - whiptail_node_es_heap "$NODE_ES_HEAP_SIZE" - done } collect_node_ls_heap() { whiptail_node_ls_heap "$LS_HEAP_SIZE" - - while ! valid_int "$NODE_LS_HEAP_SIZE"; do - whiptail_invalid_input - whiptail_node_ls_heap "$NODE_LS_HEAP_SIZE" - done } collect_node_ls_input() { 
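Review bot: The collect_node_es_heap and collect_node_ls_heap hunks drop the only check on the heap-size answers, so whatever the user types now flows on unvalidated; the subject says this is intended, but nothing on the new side says what replaces the check. If the loops were removed because the value may carry a unit suffix, a narrower pattern keeps the protection without rejecting valid input, e.g. `while ! [[ $NODE_ES_HEAP_SIZE =~ ^[0-9]+[mMgG]?$ ]]; do whiptail_invalid_input; whiptail_node_es_heap "$NODE_ES_HEAP_SIZE"; done` (and the LS equivalent). Both prompts are seeded from `$ES_HEAP_SIZE`/`$LS_HEAP_SIZE` while the removed loops re-read `$NODE_ES_HEAP_SIZE`/`$NODE_LS_HEAP_SIZE`; which variable the whiptail helpers actually set is not visible here, so it is worth confirming the displayed default is the one that is later used. The collect_es_space_limit hunk on this line also keeps the `# Upper/lower bounds?` question alive even though the commit touches that exact line — either pass explicit bounds to `valid_int` or drop the comment.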
@@ -500,7 +489,7 @@ collect_node_ls_pipeline_worker_count() { collect_oinkcode() { whiptail_oinkcode - while ! valid_string "$OINKCODE" "" "128"; do #TODO: verify max length here + while ! valid_string "$OINKCODE" "" "128"; do whiptail_invalid_input whiptail_oinkcode "$OINKCODE" done @@ -569,6 +558,7 @@ collect_so_allow() { collect_soremote_inputs() { whiptail_create_soremote_user SCMATCH=no + while [[ $SCMATCH != yes ]]; do whiptail_create_soremote_user_password1 whiptail_create_soremote_user_password2 @@ -596,11 +586,11 @@ collect_webuser_inputs() { WPMATCH=no while [[ $WPMATCH != yes ]]; do - whiptail_create_web_user_password1 - while ! check_password "$WEBPASSWD1"; do - whiptail_invalid_pass_characters_warning - whiptail_create_web_user_password1 - done + whiptail_create_web_user_password1 + while ! check_password "$WEBPASSWD1"; do + whiptail_invalid_pass_characters_warning + whiptail_create_web_user_password1 + done if echo "$WEBPASSWD1" | so-user valpass >> "$setup_log" 2>&1; then whiptail_create_web_user_password2 check_web_pass From def3637bf665b7b6dffb796564bf71953d5ee119 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 1 Mar 2021 09:46:28 -0500 Subject: [PATCH 18/32] Revert "[refactor] Make default route message a warning" This reverts commit be1f641bf0e5dd93178521874568f6904ba86405. --- setup/so-functions | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index fc476aa8d..21602f320 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -744,23 +744,19 @@ compare_main_nic_ip() { if ! [[ $MNIC =~ ^(tun|wg|vpn).*$ ]]; then if [[ "$MAINIP" != "$MNIC_IP" ]]; then read -r -d '' message <<- EOM - The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC). + The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC). - This has been known to cause installs to fail in some scenarios. - - Please select whether to continue the install or exit setup to remediate any potential issues. - EOM - whiptail --title "Security Onion Setup" \ - --yesno "$message" 10 75 \ - --yes-button "Continue" --no-button "Exit" --defaultno - - kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1 - fi + This is not a supported configuration, please remediate and rerun setup. + EOM + whiptail --title "Security Onion Setup" --msgbox "$message" 10 75 + kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1 + fi else # Setup uses MAINIP, but since we ignore the equality condition when using a VPN # just set the variable to the IP of the VPN interface MAINIP=$MNIC_IP fi + } compare_versions() { From 1ae46b82ecbb562ba49d76f388819b545851be24 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 1 Mar 2021 09:58:39 -0500 Subject: [PATCH 19/32] Update changes for 2.3.30 --- salt/soc/files/soc/changes.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index 0d2bc29b6..3e302c0e6 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json 
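Review bot: `kill -SIGINT "$(ps --pid $$ -oppid=)"` on the restored hard-fail path forks `ps` to learn the parent shell's PID, which bash already exposes as `$PPID`; `kill -SIGINT "$PPID"; exit 1` does the same without the external command. The branch also relies on `read -r -d '' message <<- EOM` to fill the message, and `read -d ''` returns non-zero when it reaches end of input, so if this script runs under `set -e` the function would terminate before the msgbox is shown — worth confirming against the script header, which is outside this hunk. The blank line reintroduced before the closing `}` is a stray formatting change riding along with the revert.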
@@ -5,6 +5,7 @@ { "summary": "CyberChef is now at version 9.27.2." }, { "summary": "Elastic components are now at version 7.10.2. This is the last version that uses the Apache license." }, { "summary": "Suricata is now at version 6.0.1." }, + { "summary": "Salt is now at version 3002.5." }, { "summary": "Suricata metadata parsing is now vastly improved." }, { "summary": "If you choose Suricata for metadata parsing, it will now extract files from the network and send them to Strelka. You can add additional mime types here." }, { "summary": "It is now possible to filter Suricata events from being written to the logs. This is a new Suricata 6 feature. We have included some examples here." }, @@ -12,6 +13,7 @@ { "summary": "Network configuration is now more compatible with manually configured OpenVPN or Wireguard VPN interfaces." }, { "summary": "so-sensor-clean will no longer spawn multiple instances." }, { "summary": "Suricata eve.json logs will now be cleaned up after 7 days. This can be changed via the pillar setting." }, + { "summary": "Fixed a security issue where the backup directory had improper file permissions." }, { "summary": "The automated backup script on the manager now backs up all keys along with the salt configurations. Backup retention is now set to 7 days." }, { "summary": "Strelka logs are now being rotated properly." }, { "summary": "Elastalert can now be customized via a pillar." }, 
@@ -43,6 +45,8 @@ { "summary": "Changes to the .security analyzer yields more accurate query results when using Playbook." }, { "summary": "Several Hunt queries have been updated." }, { "summary": "The pfSense firewall log parser has been updated to improve compatibility." }, - { "summary": "Kibana dashboard hyperlinks have been updated for faster navigation." } + { "summary": "Kibana dashboard hyperlinks have been updated for faster navigation." }, + { "summary": "Added a new so-rule script to make it easier to disable, enable, and modify SIDs." }, + { "summary": "ISO now gives the option to just configure the network during setup." } ] } From bfa7c85e277ee8bdc24332dbae942f6ebce92a23 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 1 Mar 2021 10:40:41 -0500 Subject: [PATCH 20/32] Release 2.3.30 --- VERIFY_ISO.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index e28513cef..0b2a3aab6 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md 
@@ -1,16 +1,16 @@ -### 2.3.20 ISO image built on 2020/12/20 +### 2.3.30 ISO image built on 2021/03/01 ### Download and Verify -2.3.20 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.20.iso +2.3.30 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.30.iso -MD5: E348FA65A46FD3FBA0D574D9C1A0582D -SHA1: 4A6E6D4E0B31ECA1B72E642E3DB2C186B59009D6 -SHA256: 25DE77097903640771533FA13094D0720A032B70223875F8C77A92F5C44CA687 +MD5: 7716A56E0F46FA29422B07B30235417B +SHA1: D01C26E4391C80FF690384C1DB77550EA4C1E239 +SHA256: 3BB0CE7F3F84A0D26B00EAF30F7AEB42A3B5C7E9D8E3BA7E160577B1FA3830F6 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.20.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.30.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -24,22 +24,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.20.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.30.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.20.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.30.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.20.iso.sig securityonion-2.3.20.iso +gpg --verify securityonion-2.3.30.iso.sig securityonion-2.3.30.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Sun 20 Dec 2020 11:11:28 AM EST using RSA key ID FE507013 +gpg: Signature made Mon 01 Mar 2021 10:23:05 AM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. From 1a1e3caec8fa1e1282770e4d981b8b0f0e0214ca Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 1 Mar 2021 10:48:22 -0500 Subject: [PATCH 21/32] Release 2.3.30 sig --- sigs/securityonion-2.3.30.iso.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/securityonion-2.3.30.iso.sig 
diff --git a/sigs/securityonion-2.3.30.iso.sig b/sigs/securityonion-2.3.30.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..b8c8e0734d1966a34ea0a9613a1002d135f7130d GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;6_2H5}#2@re`V7LBIa1%~`5C2%hKP>eFBLTo&$6Mm! zfz!M*GmT+zUC==+<`~Bla!PHQu)l!j5}2n!V#XMN#r#)oUMCC_-js|u#MY{PouY{# z^#=;;J2CBL8;*@ z;lFylYpt^0x!XG%&U$0}jJGL=skK{cji*ny=tfdK&MVM<1N`%p3+^LNCH?;pe9DFD zi~)#3(9&sco4RIB-=|CEVZM5R-9D~%6>1#^CyA`@RvaLOe!s(wFG)ofZ@dK){bc4) zD8&F>Rl#NRjgCk`D!UsNet{q7-8;Z!RnliH?&B-59U)qDcTZgtvw3_*4QX7np=b-@ z#uE-ff6kpRK0`jwY(fR)k5)#Ur_7;%R3l@VI$X@7c9k9(?yiLU_^t(GOB}VCzJMDx z{B)KO6H!VJzPG}|3gtYg)2h{+@{sF|FN;|%@`c60)P467_|{ILC$ZP_r}@}_Ez hGGl6b literal 0 HcmV?d00001 From 85e059a76658e5b78452121db4469b49e65e2266 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 1 Mar 2021 12:16:46 -0500 Subject: [PATCH 22/32] Update VERSION file to 2.3.40 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index ad0b729ff..0f1c3e555 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.30 +2.3.40 From 3983e08fe538c9ebccfa51d54bb0db55556b23e0 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 1 Mar 2021 13:31:05 -0500 Subject: [PATCH 23/32] exclude zeekcaptureloss when suricata metadata selected https://github.com/Security-Onion-Solutions/securityonion/issues/3206 --- salt/telegraf/etc/telegraf.conf | 10 ++++++++++ salt/telegraf/init.sls | 3 +++ 2 files changed, 13 insertions(+) diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index 31be621a0..0c447172f 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -684,8 +684,10 @@ "/scripts/stenoloss.sh", "/scripts/suriloss.sh", "/scripts/checkfiles.sh", + {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %} "/scripts/zeekloss.sh", "/scripts/zeekcaptureloss.sh", + {% endif %} "/scripts/oldpcap.sh", "/scripts/raid.sh" ] 
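Review bot: The new `{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}` guard is pasted verbatim into this telegraf.conf hunk and into the four further hunks of the same file that follow; evaluating the pillar lookup once would keep the five sections from drifting. A `{% set MDENGINE = salt['pillar.get']('global:mdengine', 'ZEEK') %}` near the top of the template (outside this hunk) with `{% if MDENGINE == 'ZEEK' %}` at each site gives one place to change. The guard also hard-codes `'ZEEK'` as the pillar default, so a grid that never set global:mdengine keeps the Zeek loss scripts — a short comment stating that this is deliberate would save the next reader a lookup.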
@@ -697,8 +699,10 @@ "/scripts/stenoloss.sh", "/scripts/suriloss.sh", "/scripts/checkfiles.sh", + {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %} "/scripts/zeekloss.sh", "/scripts/zeekcaptureloss.sh", + {% endif %} "/scripts/oldpcap.sh", "/scripts/eps.sh", "/scripts/raid.sh" @@ -713,8 +717,10 @@ "/scripts/stenoloss.sh", "/scripts/suriloss.sh", "/scripts/checkfiles.sh", + {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %} "/scripts/zeekloss.sh", "/scripts/zeekcaptureloss.sh", + {% endif %} "/scripts/oldpcap.sh", "/scripts/eps.sh", "/scripts/raid.sh" @@ -728,8 +734,10 @@ "/scripts/stenoloss.sh", "/scripts/suriloss.sh", "/scripts/checkfiles.sh", + {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %} "/scripts/zeekloss.sh", "/scripts/zeekcaptureloss.sh", + {% endif %} "/scripts/oldpcap.sh", "/scripts/influxdbsize.sh", "/scripts/raid.sh" @@ -742,8 +750,10 @@ "/scripts/stenoloss.sh", "/scripts/suriloss.sh", "/scripts/checkfiles.sh", + {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %} "/scripts/zeekloss.sh", "/scripts/zeekcaptureloss.sh", + {% endif %} "/scripts/oldpcap.sh", "/scripts/helixeps.sh" ] diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index 81513eee2..2814eb159 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -29,6 +29,9 @@ tgrafsyncscripts: - file_mode: 700 - template: jinja - source: salt://telegraf/scripts +{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'SURICATA' %} + - exclude_pat: zeekcaptureloss.sh +{% endif %} tgrafconf: file.managed: From a197d5addfacd1bf0a6f733d7e6a25858483f831 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 1 Mar 2021 13:58:04 -0500 Subject: [PATCH 24/32] revert version to 2.3.30 https://github.com/Security-Onion-Solutions/securityonion/issues/3206 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 0f1c3e555..ad0b729ff 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.40 +2.3.30 
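Review bot: The guard in the init.sls hunk is inverted relative to the telegraf.conf hunks and covers a different set of files: telegraf.conf omits both `zeekloss.sh` and `zeekcaptureloss.sh` whenever mdengine is anything other than `ZEEK`, while init.sls stops syncing only `zeekcaptureloss.sh` and only when mdengine is exactly `SURICATA`. Any other pillar value leaves scripts synced that the config never references, and `zeekloss.sh` is synced regardless. Assuming tgrafsyncscripts is a file.recurse state (its function name is outside the hunk), aligning the condition to `{% if salt['pillar.get']('global:mdengine', 'ZEEK') != 'ZEEK' %}` and excluding both scripts, e.g. `- exclude_pat: E@(zeekloss|zeekcaptureloss)\.sh`, keeps the two files consistent; if zeekloss.sh is intentionally kept for a reason not visible here, a one-line comment on the exclude would explain it.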
From 64b37cedc75b4f2a585c0e25779bd751a0d4f650 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 1 Mar 2021 14:45:51 -0500 Subject: [PATCH 25/32] Update Signatures --- VERIFY_ISO.md | 8 ++++---- sigs/securityonion-2.3.30.iso.sig | Bin 543 -> 543 bytes 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 0b2a3aab6..bc8793798 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -5,9 +5,9 @@ 2.3.30 ISO image: https://download.securityonion.net/file/securityonion/securityonion-2.3.30.iso -MD5: 7716A56E0F46FA29422B07B30235417B -SHA1: D01C26E4391C80FF690384C1DB77550EA4C1E239 -SHA256: 3BB0CE7F3F84A0D26B00EAF30F7AEB42A3B5C7E9D8E3BA7E160577B1FA3830F6 +MD5: 65202BA0F7661A5E27087F097B8E571E +SHA1: 14E842E39EDBB55A104263281CF25BF88A2E9D67 +SHA256: 210B37B9E3DFC827AFE2940E2C87B175ADA968EDD04298A5926F63D9269847B7 Signature for ISO image: https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.30.iso.sig @@ -39,7 +39,7 @@ gpg --verify securityonion-2.3.30.iso.sig securityonion-2.3.30.iso The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 01 Mar 2021 10:23:05 AM EST using RSA key ID FE507013 +gpg: Signature made Mon 01 Mar 2021 02:15:28 PM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.3.30.iso.sig b/sigs/securityonion-2.3.30.iso.sig index b8c8e0734d1966a34ea0a9613a1002d135f7130d..b89b2364a5380530639a3a52ca29c360d7ccf9cf 100644 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;6_Jx~A&2@re`V7LBIa1#`|5C3}SY0h7lG>C5B+6vX3-0w6Ep585QWujv^j0PV9{N=A1@t+NBaKQ={>Hba6>LK_iS<|#2NQ|K>( z&~3dKcX&Jt1>=N=JZ4Y4D-w~g{SZ#2v&Mr;qR;nakoqKi0(9H1*#ulM(kUAcaRDcDK>NxFI4`gT(&Q@@?~&BbDOiPU0YCxI zHJQkfKlOvTuGFLf4z?AbK8;x==&UD*Pjq3YpFYVCiKA_u|_Tl z+3PzEzfm8^Mfm@;d6O;RV84#p)1!3s4Y6ws@I?|vMz=Mu;<^EUu*36QnBmeGHB9)f zq^6N&7wN{Z-*wS=2S~@(L+p)u=Dj>e?xN5%rJ~C+P6A}y>JEUO3 hhBhLBoAoYWc8)1D<6hv__^>KbSk{m&8KPAJTGKgu0zd!& literal 543 zcmV+)0^t3L0vrSY0RjL91p;6_2H5}#2@re`V7LBIa1%~`5C2%hKP>eFBLTo&$6Mm! zfz!M*GmT+zUC==+<`~Bla!PHQu)l!j5}2n!V#XMN#r#)oUMCC_-js|u#MY{PouY{# z^#=;;J2CBL8;*@ z;lFylYpt^0x!XG%&U$0}jJGL=skK{cji*ny=tfdK&MVM<1N`%p3+^LNCH?;pe9DFD zi~)#3(9&sco4RIB-=|CEVZM5R-9D~%6>1#^CyA`@RvaLOe!s(wFG)ofZ@dK){bc4) zD8&F>Rl#NRjgCk`D!UsNet{q7-8;Z!RnliH?&B-59U)qDcTZgtvw3_*4QX7np=b-@ z#uE-ff6kpRK0`jwY(fR)k5)#Ur_7;%R3l@VI$X@7c9k9(?yiLU_^t(GOB}VCzJMDx z{B)KO6H!VJzPG}|3gtYg)2h{+@{sF|FN;|%@`c60)P467_|{ILC$ZP_r}@}_Ez hGGl6b From 2c75cb74db52a194594a370d28bca9fa15e187d6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 1 Mar 2021 15:17:38 -0500 Subject: [PATCH 26/32] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index ad0b729ff..0f1c3e555 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.30 +2.3.40 From b37d5ae15feed36d0756f91ac1db6ca1b787331c Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 1 Mar 2021 15:54:29 -0500 Subject: [PATCH 27/32] Enable advanced setup for some search/sensor installs --- setup/automation/distributed-iso-search | 2 +- setup/automation/distributed-iso-sensor | 2 +- setup/automation/distributed-net-ubuntu-suricata-search | 2 +- setup/automation/distributed-net-ubuntu-suricata-sensor | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/setup/automation/distributed-iso-search b/setup/automation/distributed-iso-search index d95d7ff44..cb5721055 100644 --- a/setup/automation/distributed-iso-search +++ b/setup/automation/distributed-iso-search @@ -55,7 +55,7 @@ MSRVIP=10.66.166.42 # NODE_ES_HEAP_SIZE= # NODE_LS_HEAP_SIZE= NODESETUP=NODEBASIC -NSMSETUP=BASIC +NSMSETUP=ADVANCED NODEUPDATES=MANAGER # OINKCODE= # OSQUERY=1 diff --git a/setup/automation/distributed-iso-sensor b/setup/automation/distributed-iso-sensor index f932c80b4..5df368336 100644 --- a/setup/automation/distributed-iso-sensor +++ b/setup/automation/distributed-iso-sensor @@ -55,7 +55,7 @@ MSRVIP=10.66.166.42 # NODE_ES_HEAP_SIZE= # NODE_LS_HEAP_SIZE= # NODESETUP=NODEBASIC -NSMSETUP=BASIC +NSMSETUP=ADVANCED NODEUPDATES=MANAGER # OINKCODE= # OSQUERY=1 diff --git a/setup/automation/distributed-net-ubuntu-suricata-search b/setup/automation/distributed-net-ubuntu-suricata-search index 3914a6d1c..010ddcef3 100644 --- a/setup/automation/distributed-net-ubuntu-suricata-search +++ b/setup/automation/distributed-net-ubuntu-suricata-search @@ -55,7 +55,7 @@ MSRVIP=10.66.166.66 # NODE_ES_HEAP_SIZE= # NODE_LS_HEAP_SIZE= NODESETUP=NODEBASIC -NSMSETUP=BASIC +NSMSETUP=ADVANCED NODEUPDATES=MANAGER # OINKCODE= # OSQUERY=1 diff --git a/setup/automation/distributed-net-ubuntu-suricata-sensor b/setup/automation/distributed-net-ubuntu-suricata-sensor index 2d5e15f15..6aa32c03d 100644 --- a/setup/automation/distributed-net-ubuntu-suricata-sensor +++ b/setup/automation/distributed-net-ubuntu-suricata-sensor @@ -27,7 +27,7 @@ BASICZEEK=2 BASICSURI=2 # BLOGS= BNICS=ens19 -ZEEKVERSION=ZEEK +ZEEKVERSION=SURICATA # CURCLOSEDAYS= # EVALADVANCED=BASIC # GRAFANA=1 @@ -55,7 +55,7 @@ MSRVIP=10.66.166.66 # NODE_ES_HEAP_SIZE= # NODE_LS_HEAP_SIZE= # NODESETUP=NODEBASIC -NSMSETUP=BASIC +NSMSETUP=ADVANCED NODEUPDATES=MANAGER # OINKCODE= # OSQUERY=1 From 61611b8de288b429f25ef0bad986d0d9f88d8435 Mon Sep 17 00:00:00 2001 
From: William Wernert Date: Tue, 2 Mar 2021 10:23:04 -0500 Subject: [PATCH 28/32] Fix Elasticsearch disk space prompt Resolves #3205 --- setup/so-whiptail | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 390cd70a5..0d976558c 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -631,11 +631,23 @@ whiptail_invalid_hostname() { whiptail_log_size_limit() { [ -n "$TESTING" ] && return - - log_size_limit=$(whiptail --title "Security Onion Setup" --inputbox \ - "Please specify the amount of disk space (in GB) you would like to allocate for Elasticsearch data storage: \n\ - By default, this is set to 80% of the disk space allotted for /nsm." 10 75 "$log_size_limit" 3>&1 1>&2 2>&3) + case $install_type in + STANDALONE | EVAL | HEAVYNODE) + percentage=50 + ;; + *) + percentage=80 + ;; + esac + + read -r -d '' message <<- EOM + Please specify the amount of disk space (in GB) you would like to allocate for Elasticsearch data storage. + + By default, this is set to ${percentage}% of the disk space allotted for /nsm. + EOM + + log_size_limit=$(whiptail --title "Security Onion Setup" --inputbox "$message" 11 75 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus From d39b3280c8b3aaa9834f36f9b46a72f3a48451d3 Mon Sep 17 00:00:00 2001 From: doug Date: Wed, 3 Mar 2021 14:04:32 -0500 Subject: [PATCH 29/32] FIX: Custom Kibana settings are not being applied properly on upgrades #3254 --- salt/kibana/files/saved_objects.ndjson | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/salt/kibana/files/saved_objects.ndjson b/salt/kibana/files/saved_objects.ndjson index 325cfa2ec..947d7a526 100644 --- a/salt/kibana/files/saved_objects.ndjson +++ b/salt/kibana/files/saved_objects.ndjson 
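Review bot: `percentage` and `message` are assigned without `local` in the new body of whiptail_log_size_limit, so both leak into the caller's scope even though the function already scopes `exitstatus` with `local`; add `local percentage message` before the `case`. The inputbox default also moved from the global `$log_size_limit` to `$1`, which matches how collect_es_space_limit passes `"$log_size_limit"`, but any other caller that relied on the global would now get an empty default — worth a quick grep before merging. The function's remaining lines, including its closing brace, are outside this hunk.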
@@ -459,10 +459,7 @@ {"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":8,\"y\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":28,\"y\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"p
anel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"columns\":[\"event_type\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"z16.04 - Sysmon - Logs","version":1},"id":"6d189680-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"3072c750-6d71-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"29611940-6d75-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHHk1sxQT5EBNmq43Y","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ1NSwxXQ=="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Action (Pie 
Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Action (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.8.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ1NiwxXQ=="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.subject.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.8.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ1NywxXQ=="} -{"attributes":{"buildNum":29118,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"id":"7.6.1","migrationVersion":{"config":"7.9.0"},"references":[],"type":"config","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ1OCwxXQ=="} -{"attributes":{"buildNum":30896,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"id":"7.7.1","migrationVersion":{"config":"7.9.0"},"references":[],"type":"config","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ1OSwxXQ=="} 
-{"attributes":{"buildNum":33813,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"id":"7.9.0","migrationVersion":{"config":"7.9.0"},"references":[],"type":"config","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ2MCwxXQ=="} -{"attributes":{"buildNum":33984,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"id":"7.9.2","migrationVersion":{"config":"7.9.0"},"references":[],"type":"config","updated_at":"2020-10-13T17:09:42.724Z","version":"WzcyNCwyXQ=="} +{"attributes":{"buildNum":33984,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"id":"7.11.1","migrationVersion":{"config":"7.9.0"},"references":[],"type":"config","updated_at":"2020-10-13T17:09:42.724Z","version":"WzcyNCwyXQ=="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - MIME Flavors","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - MIME 
Flavors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.flavors.mime.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.8.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ2MSwxXQ=="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_9KpxQT5EBNmq4Oo","migrationVersion":{"visualization":"7.8.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ2MiwxXQ=="} {"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\
"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"z16.04 - Bro - Modbus","version":1},"id":"70c005f0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"178209e0-6e1b-11e7-b553-7f80727663c1","name":"panel_5","type":"visualization"},{"id":"AWDG_9KpxQT5EBNmq4Oo","name":"panel_6","type":"visualization"},{"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ2MywxXQ=="} From a0a8d125267a3c8d1190a43654ac0be701d233dc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 4 Mar 2021 10:08:28 -0500 Subject: [PATCH 30/32] Enable SSL and Features --- salt/elasticsearch/files/elasticsearch.yml | 37 ++++++++++------------ salt/elasticsearch/init.sls | 9 +----- salt/filebeat/init.sls | 8 +---- salt/kibana/init.sls | 8 +---- salt/logstash/init.sls | 9 +----- 5 files changed, 21 insertions(+), 50 deletions(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index 25bb6cb02..282f5fa93 100644 
--- a/salt/elasticsearch/files/elasticsearch.yml
+++ b/salt/elasticsearch/files/elasticsearch.yml
@@ -1,6 +1,5 @@
 {%- set NODE_ROUTE_TYPE = salt['pillar.get']('elasticsearch:node_route_type', 'hot') %}
 {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip') %}
-{%- set FEATURES = salt['pillar.get']('elastic:features', False) %}
 {%- set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
 {%- if TRUECLUSTER is sameas true %}
 {%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:true_cluster_name') %}
@@ -25,26 +24,24 @@ cluster.routing.allocation.disk.threshold_enabled: true
 cluster.routing.allocation.disk.watermark.low: 95%
 cluster.routing.allocation.disk.watermark.high: 98%
 cluster.routing.allocation.disk.watermark.flood_stage: 98%
-{%- if FEATURES is sameas true %}
 xpack.ml.enabled: false
-#xpack.security.enabled: false
-#xpack.security.transport.ssl.enabled: true
-#xpack.security.transport.ssl.verification_mode: none
-#xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
-#xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt
-#xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ]
-#{%- if grains['role'] in ['so-node','so-heavynode'] %}
-#xpack.security.http.ssl.enabled: true
-#xpack.security.http.ssl.client_authentication: none
-#xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
-#xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt
-#xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt
-#{%- endif %}
-#xpack.security.authc:
-# anonymous:
-# username: anonymous_user
-# roles: superuser
-# authz_exception: true
+xpack.security.enabled: false
+xpack.security.transport.ssl.enabled: true
+xpack.security.transport.ssl.verification_mode: none
+xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
+xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt
+xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ]
+{%- if grains['role'] in ['so-node','so-heavynode'] %}
+xpack.security.http.ssl.enabled: true
+xpack.security.http.ssl.client_authentication: none
+xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
+xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt
+xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt
+xpack.security.authc:
+ anonymous:
+ username: anonymous_user
+ roles: superuser
+ authz_exception: true
 {%- endif %}
 node.name: {{ grains.host }}
 script.max_compilations_rate: 1000/1m
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 82fc7c77d..debb37512 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -18,17 +18,10 @@
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
-{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 {% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
 {% set MANAGERIP = salt['pillar.get']('global:managerip') %}
-{% if FEATURES is sameas true %}
- {% set FEATUREZ = "-features" %}
-{% else %}
- {% set FEATUREZ = '' %}
-{% endif %}
-
 {% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import'] %}
 {% set esclustername = salt['pillar.get']('manager:esclustername') %}
 {% set esheap = salt['pillar.get']('manager:esheap') %}
@@ -186,7 +179,7 @@ eslogdir:
 so-elasticsearch:
 docker_container.running:
- - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}{{ FEATUREZ }}
+ - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}
 - hostname: elasticsearch
 - name: so-elasticsearch
 - user: elasticsearch
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index f280309f0..91c6cdbb8 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
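Review bot: `xpack.security.transport.ssl.verification_mode: none` on the new side turns off certificate and hostname checking for node-to-node TLS, so the `certificate_authorities` line that follows it never bounds what a peer may present; `verification_mode: certificate` would make the bundled ca.crt meaningful. The `xpack.security.authc` block then maps unauthenticated requests to `roles: superuser`, and with `http.ssl.client_authentication: none` no client certificate is asked for either, so on so-node/so-heavynode any client that can reach the Elasticsearch HTTP listener is fully privileged once security is switched on, and nothing in the hunk records what network control that relies on. With `xpack.security.enabled: false` on the first added line the settings beneath it should be inert in this commit, so this reads as staging for a later enable rather than a change in behaviour. A comment above the authc block such as `# anonymous requests are granted superuser: relies on the HTTP listener not being reachable off-host; enforce authentication before exposing it` would record the assumption for the next reader.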
@@ -21,12 +21,6 @@
 {% set LOCALHOSTIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
-{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
-{%- if FEATURES is sameas true %}
- {% set FEATURES = "-features" %}
-{% else %}
- {% set FEATURES = '' %}
-{% endif %}
 filebeatetcdir:
 file.directory:
 - name: /opt/so/conf/filebeat/etc
@@ -64,7 +58,7 @@ filebeatconfsync:
 OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }}
 so-filebeat:
 docker_container.running:
- - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }}{{ FEATURES }}
+ - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }}
 - hostname: so-filebeat
 - user: root
 - extra_hosts: {{ MANAGER }}:{{ MANAGERIP }},{{ LOCALHOSTNAME }}:{{ LOCALHOSTIP }}
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index 10b799e80..fe579ffaa 100644
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -4,12 +4,6 @@
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
-{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
-{%- if FEATURES is sameas true %}
- {% set FEATURES = "-features" %}
-{% else %}
- {% set FEATURES = '' %}
-{% endif %}
 # Add ES Group
 kibanasearchgroup:
@@ -73,7 +67,7 @@ kibanabin:
 # Start the kibana docker
 so-kibana:
 docker_container.running:
- - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kibana:{{ VERSION }}{{ FEATURES }}
+ - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kibana:{{ VERSION }}
 - hostname: kibana
 - user: kibana
 - environment:
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 61f533865..2c2c89626 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -19,13 +19,6 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set MANAGERIP = salt['pillar.get']('global:managerip') %}
-{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
-
-{%- if FEATURES is sameas true %}
- {% set FEATURES = "-features" %}
-{% else %}
- {% set FEATURES = '' %}
-{% endif %}
 # Logstash Section - Decide which pillar to use
 {% set lsheap = salt['pillar.get']('logstash_settings:lsheap', '') %}
@@ -146,7 +139,7 @@ lslogdir:
 so-logstash:
 docker_container.running:
- - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logstash:{{ VERSION }}{{ FEATURES }}
+ - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logstash:{{ VERSION }}
 - hostname: so-logstash
 - name: so-logstash
 - user: logstash
From c2b347e4bb752db7d4551c10c4f4ebae86419b0c Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 4 Mar 2021 10:52:01 -0500
Subject: [PATCH 31/32] Security Enable for only nodes and heavy
---
salt/elasticsearch/files/elasticsearch.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml
index 282f5fa93..2e20a878b 100644
--- a/salt/elasticsearch/files/elasticsearch.yml
+++ b/salt/elasticsearch/files/elasticsearch.yml
@@ -25,7 +25,11 @@ cluster.routing.allocation.disk.watermark.low: 95%
 cluster.routing.allocation.disk.watermark.high: 98%
 cluster.routing.allocation.disk.watermark.flood_stage: 98%
 xpack.ml.enabled: false
+{%- if grains['role'] in ['so-node','so-heavynode'] %}
+xpack.security.enabled: true
+{%- else %}
 xpack.security.enabled: false
+{%- endif %}
 xpack.security.transport.ssl.enabled: true
 xpack.security.transport.ssl.verification_mode: none
 xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
From 61a7efeeab323cb255d907ba4c38c41cb5313c54 Mon Sep 17 00:00:00 2001
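Review bot: Setting `xpack.security.enabled: true` for so-node/so-heavynode activates the `xpack.security.authc` anonymous-to-`superuser` mapping and the `verification_mode: none` transport setting that sit below this hunk (outside it), so on those roles an unauthenticated client reaching the HTTP listener is now granted superuser rather than rejected; the commit title suggests security is being turned on, but effective authorization is unchanged. The `else` branch leaves every other role with security off, so the transport key and certificate lines after it are presumably still inert there. A comment above the new `{%- if`, for example `# security is enabled on search/heavy nodes only; anonymous access is still mapped to superuser in authc below`, would keep a reader from assuming authentication is enforced. It is also worth confirming that whatever connects to these nodes from the roles in the `else` branch still does so, since the two sides now differ in `xpack.security.enabled` and transport TLS.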
From: Jason Ertel
Date: Fri, 5 Mar 2021 10:54:01 -0500
Subject: [PATCH 32/32] fix: syntax error in reserved ports configuration; ensure ports are reserved prior to setup
---
salt/common/files/99-reserved-ports.conf | 2 +-
setup/so-functions | 10 ++++++++++
setup/so-setup | 2 ++
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/salt/common/files/99-reserved-ports.conf b/salt/common/files/99-reserved-ports.conf
index a578ab9a5..a846341a5 100644
--- a/salt/common/files/99-reserved-ports.conf
+++ b/salt/common/files/99-reserved-ports.conf
@@ -1 +1 @@
-net.ipv4.ip_local_reserved_ports="55000,57314"
+net.ipv4.ip_local_reserved_ports=55000,57314
diff --git a/setup/so-functions b/setup/so-functions
index 21602f320..c48f08819 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1792,6 +1792,16 @@ reserve_group_ids() {
 groupadd -g 946 cyberchef
 }
+reserve_ports() {
+ # These are also set via salt but need to be set pre-install to avoid conflicts before salt runs
+ if ! sysctl net.ipv4.ip_local_reserved_ports | grep 55000 | grep 57314; then
+ echo "Reserving ephemeral ports used by Security Onion components to avoid collisions"
+ sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"
+ else
+ echo "Ephemeral ports already reserved"
+ fi
+}
+
 reinstall_init() {
 info "Putting system in state to run setup again"
diff --git a/setup/so-setup b/setup/so-setup
index 65fbbe16e..0af49af53 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -550,6 +550,8 @@ set_redirect >> $setup_log 2>&1
 # Show initial progress message
 set_progress_str 0 'Running initial configuration steps'
+ reserve_ports
+
 set_path
 if [[ $is_reinstall ]]; then
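Review bot: `sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"` in the new `reserve_ports()` replaces the whole reservation list, so any ports the administrator had already reserved are silently dropped, and the `grep 55000 | grep 57314` guard is a substring match on the sysctl output that also prints the line to stdout, so a pre-existing entry such as `55000-55100` passes the first grep but not the second and triggers the overwrite. Reading the current value with `sysctl -n` and appending the two ports only when they are missing keeps existing reservations and leaves both echo messages as they are. The `99-reserved-ports.conf` hunk above carries the same two ports, so a comment here pointing at that file would help keep the two in step.
```shell
reserve_ports() {
  # These are also set via salt but need to be set pre-install to avoid conflicts before salt runs
  local current
  current=$(sysctl -n net.ipv4.ip_local_reserved_ports)
  # Append to whatever is already reserved so existing entries survive
  if [[ ",$current," != *",55000,"* || ",$current," != *",57314,"* ]]; then
    echo "Reserving ephemeral ports used by Security Onion components to avoid collisions"
    sysctl -w net.ipv4.ip_local_reserved_ports="${current:+$current,}55000,57314"
  # … unchanged: else branch, fi and closing brace …
```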