Merge pull request #9857 from Security-Onion-Solutions/dev

2.3.220

VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.3.200-20230113 ISO image built on 2023/01/13
+### 2.3.220-20230224 ISO image built on 2023/02/24
 
 
 
 ### Download and Verify
 
-2.3.200-20230113 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.200-20230113.iso
+2.3.220-20230224 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.3.220-20230224.iso
 
-MD5: 70291FFE925E2751559589E749B12164  
-SHA1: EFD3C7BA6F4EF6774F4F18ECD667A13F7FDF5CFF  
-SHA256: 7794C1325F9B72856FC2A47691F7E0292CA28976711A18F550163E3B58E7A401 
+MD5: 74CDCE07BC5787567E07C1CAC64DC381  
+SHA1: 8DA0E8541C46CBDCFA0FB9B60F3C95D027D4BB37  
+SHA256: E5EDB011693AC33C40CAB483400F72FAF9615053867FD9C80DDD1AACAD9100B3 
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.200-20230113.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.220-20230224.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.200-20230113.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.220-20230224.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.200-20230113.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.220-20230224.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.200-20230113.iso.sig securityonion-2.3.200-20230113.iso
+gpg --verify securityonion-2.3.220-20230224.iso.sig securityonion-2.3.220-20230224.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Fri 13 Jan 2023 11:11:11 AM EST using RSA key ID FE507013
+gpg: Signature made Fri 24 Feb 2023 02:32:08 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

VERSION

@@ -1 +1 @@
-2.3.200
+2.3.220

salt/common/init.sls

@@ -110,7 +110,6 @@ commonpkgs:
       - libssl-dev
       - python3-dateutil
       - python3-m2crypto
-      - python3-mysqldb
       - python3-packaging
       - python3-lxml
       - git
@@ -153,7 +152,6 @@ commonpkgs:
       - python36-docker
       - python36-dateutil
       - python36-m2crypto
-      - python36-mysql
       - python36-packaging
       - python36-lxml
       - yum-utils
@@ -170,6 +168,7 @@ heldpackages:
       - docker-ce: 3:20.10.5-3.el7
       - docker-ce-cli: 1:20.10.5-3.el7
       - docker-ce-rootless-extras: 20.10.5-3.el7
+      - python36-mysql: 1.3.12-2.el7
     - hold: True
     - update_holds: True
 {% endif %}

salt/common/tools/sbin/so-fleet-user-add

@@ -53,8 +53,10 @@ if [[ $? -ne 0 ]]; then
     exit 2
 fi
 
+TEMPPW=$FLEET_SA_PW!
+
 # Create New User
-CREATE_OUTPUT=$(docker exec so-fleet fleetctl user create --email $USER_EMAIL --name $USER_EMAIL --password $USER_PASS --global-role admin 2>&1)
+CREATE_OUTPUT=$(docker exec so-fleet fleetctl user create --email $USER_EMAIL --name $USER_EMAIL --password $TEMPPW --global-role admin 2>&1)
 
 if [[ $? -eq 0 ]]; then
     echo "Successfully added user to Fleet"
@@ -64,6 +66,9 @@ else
     exit 2
 fi
 
+# Reset New User Password to user supplied password
+echo "$USER_PASS" | so-fleet-user-update "$USER_EMAIL"
+
 # Disable forced password reset
 MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PW fleet -e \
 "UPDATE users SET admin_forced_password_reset = 0 WHERE email = '$USER_EMAIL'" 2>&1)

salt/common/tools/sbin/soup

@@ -552,6 +552,8 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.3.181 ]] && up_to_2.3.182
     [[ "$INSTALLEDVERSION" == 2.3.182 ]] && up_to_2.3.190
     [[ "$INSTALLEDVERSION" == 2.3.190 ]] && up_to_2.3.200
+    [[ "$INSTALLEDVERSION" == 2.3.200 ]] && up_to_2.3.210
+    [[ "$INSTALLEDVERSION" == 2.3.210 ]] && up_to_2.3.220
     true
 }
 
@@ -576,6 +578,8 @@ postupgrade_changes() {
     [[ "$POSTVERSION" == 2.3.181 ]] && post_to_2.3.182
     [[ "$POSTVERSION" == 2.3.182 ]] && post_to_2.3.190
     [[ "$POSTVERSION" == 2.3.190 ]] && post_to_2.3.200
+    [[ "$POSTVERSION" == 2.3.200 ]] && post_to_2.3.210
+    [[ "$POSTVERSION" == 2.3.210 ]] && post_to_2.3.220
 
     true
 }
@@ -699,6 +703,16 @@ post_to_2.3.200() {
   POSTVERSION=2.3.200
 }
 
+post_to_2.3.210() {
+  echo "Nothing to do for .210"
+  POSTVERSION=2.3.210
+}
+
+post_to_2.3.220() {
+  echo "Nothing to do for .220"
+  POSTVERSION=2.3.220
+}
+
 stop_salt_master() {
     # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
     set +e
@@ -1029,6 +1043,16 @@ up_to_2.3.200() {
   INSTALLEDVERSION=2.3.200
 }
 
+up_to_2.3.210() {
+  echo "Upgrading to 2.3.210"
+  INSTALLEDVERSION=2.3.210
+}
+
+up_to_2.3.220() {
+  echo "Upgrading to 2.3.220"
+  INSTALLEDVERSION=2.3.220
+}
+
 verify_upgradespace() {
   CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
   if [ "$CURRENTSPACE" -lt "10" ]; then

salt/elasticsearch/files/ingest/suricata.dhcp

@@ -1,15 +1,17 @@
 {
   "description" : "suricata.dhcp",
   "processors" : [
-    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.app_proto", 	"target_field": "network.protocol",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.assigned_ip",	"target_field": "dhcp.assigned_ip",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.client_ip", 	"target_field": "client.address",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.client_mac", 	"target_field": "host.mac",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.dhcp_type", 	"target_field": "dhcp.message_types",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.hostname", 	"target_field": "host.hostname",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.type", 	"target_field": "dhcp.type",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.id", 		"target_field": "dhcp.id",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.app_proto",	"target_field": "network.protocol",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.assigned_ip",	"target_field": "dhcp.assigned_ip",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.client_ip", 	"target_field": "client.address",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.client_mac", 	"target_field": "host.mac",		"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.dhcp_type", 	"target_field": "dhcp.message_types",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.hostname", 	"target_field": "host.hostname",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.type",	"target_field": "dhcp.type",		"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.id", 		"target_field": "dhcp.id",		"ignore_missing": true		} },
+    { "set":		{ "if": "ctx.dhcp?.type == 'request'",	"field": "server.address",		"value": "{{destination.ip}}"	} },
+    { "set":		{ "if": "ctx.dhcp?.type == 'reply'",	"field": "server.address",		"value": "{{source.ip}}"	} },
     { "pipeline": { "name": "common" } }
   ]
 }

salt/fleet/files/packs/osquery-config.conf

@@ -26,9 +26,6 @@ spec:
         distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
         enable_windows_events_publisher: true
         enable_windows_events_subscriber: true
-        logger_plugin: tls
-        logger_tls_endpoint: /api/v1/osquery/log
-        logger_tls_period: 10
         pack_delimiter: _
   host_settings:
     enable_software_inventory: false

salt/kibana/bin/so-kibana-config-load

@@ -59,7 +59,7 @@ update() {
 
     IFS=$'\r\n' GLOBIGNORE='*' command eval  'LINES=($(cat $1))'
     for i in "${LINES[@]}"; do
-      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.5.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.6.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
       echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
     done
  

salt/kibana/files/config_saved_objects.ndjson

@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.5.3","id": "8.5.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.6.2","id": "8.6.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}

salt/nginx/etc/nginx.conf

@@ -319,7 +319,7 @@ http {
 		{%- if fleet_node %}
 
 		location /fleet/ {
-			return 307 https://{{ fleet_ip }}/fleet;
+			return 307 https://{{ fleet_ip }}/fleet/dashboard;
 		}
 
 		{%- else %}

salt/soc/files/soc/dashboards.queries.json

@@ -15,7 +15,7 @@
             { "name": "Zeek Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
             { "name": "Connections", "description": "Network connection metadata", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui"},
             { "name": "DCE_RPC", "description": "DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata", "query": "event.dataset:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
-            { "name": "DHCP", "description": "DHCP (Dynamic Host Configuration Protocol) leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address"},
+            { "name": "DHCP", "description": "DHCP (Dynamic Host Configuration Protocol) leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address | groupby host.domain"},
             { "name": "DNS", "description": "DNS (Domain Name System) queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby -sankey source.ip destination.ip | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
             { "name": "DPD", "description": "DPD (Dynamic Protocol Detection) errors", "query": "event.dataset:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
             { "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name"},

salt/soc/files/soc/tools.json

@@ -3,6 +3,6 @@
   { "name": "toolGrafana",   "description": "toolGrafanaHelp",   "icon": "fa-external-link-alt", "target": "so-grafana",   "link": "/grafana/d/so_overview" },
   { "name": "toolCyberchef", "description": "toolCyberchefHelp", "icon": "fa-external-link-alt", "target": "so-cyberchef", "link": "/cyberchef/" },
   { "name": "toolPlaybook",  "description": "toolPlaybookHelp",  "icon": "fa-external-link-alt", "target": "so-playbook",  "link": "/playbook/projects/detection-playbooks/issues/" },
-  { "name": "toolFleet",     "description": "toolFleetHelp",     "icon": "fa-external-link-alt", "target": "so-fleet",     "link": "/fleet/" },
+  { "name": "toolFleet",     "description": "toolFleetHelp",     "icon": "fa-external-link-alt", "target": "so-fleet",     "link": "/fleet/dashboard" },
   { "name": "toolNavigator", "description": "toolNavigatorHelp", "icon": "fa-external-link-alt", "target": "so-navigator", "link": "/navigator/" }
-]
+]

salt/strelka/defaults.yaml

@@ -16,3 +16,4 @@ strelka:
     - gen_sign_anomalies.yar
     - gen_susp_xor.yar
     - gen_webshells_ext_vars.yar
+    - configured_vulns_ext_vars.yar

setup/so-functions

@@ -145,7 +145,7 @@ analyst_salt_local() {
 	securityonion_repo
 	gpg_rpm_import
 	# Install salt
-	logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
+	logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql-1.3.12-2.el7.x86_64 python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
 	logCmd "yum -y update --exclude=salt*"
 
 	salt-call state.apply workstation --local --file-root=../salt/ -l info 2>&1 | tee -a outfile
@@ -1511,7 +1511,7 @@ generate_passwords(){
   PLAYBOOKADMINPASS=$(get_random_value)
   PLAYBOOKAUTOMATIONPASS=$(get_random_value)
   FLEETPASS=$(get_random_value)
-  FLEETSAPASS=$(get_random_value)
+  FLEETSAPASS="$(get_random_value)!1"
   FLEETJWT=$(get_random_value)
   GRAFANAPASS=$(get_random_value)
   SENSORONIKEY=$(get_random_value)
@@ -2291,7 +2291,7 @@ saltify() {
 		fi
 		set_progress_str 8 'Installing salt-minion & python modules'
 			if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then
-				logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
+				logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql-1.3.12-2.el7.x86_64 python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
 				logCmd "yum -y update --exclude=salt*"
 			fi
 		logCmd "systemctl enable salt-minion"