Merge pull request #11879 from Security-Onion-Solutions/dev

2.3.280

.github/DISCUSSION_TEMPLATE/2-4.yml

@@ -0,0 +1,210 @@
+body:
+  - type: markdown
+    attributes:
+      value: >
+        ⚠️ This category is solely for conversations related to Security Onion 2.4 ⚠️
+  - type: dropdown
+    attributes:
+      label: Version
+      description: Which version of Security Onion 2.4.x are you asking about?
+      options:
+        -
+        - 2.4.0
+        - 2.4.1
+        - 2.4.2
+        - 2.4.3
+        - 2.4.4
+        - 2.4.5
+        - 2.4.10
+        - 2.4.20
+        - 2.4.30
+        - 2.4.40
+        - 2.4.50
+        - 2.4.60
+        - 2.4.70
+        - 2.4.80
+        - 2.4.90
+        - 2.4.100
+        - Other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Installation Method
+      description: How did you install Security Onion?
+      options:
+        -
+        - Security Onion ISO image
+        - Network installation on Red Hat derivative like Oracle, Rocky, Alma, etc.
+        - Network installation on Ubuntu
+        - Network installation on Debian
+        - Other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Description
+      description: >
+        Is this discussion about installation, configuration, upgrading, or other?
+      options:
+        -
+        - installation
+        - configuration
+        - upgrading
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Installation Type
+      description: >
+        When you installed, did you choose Import, Eval, Standalone, Distributed, or something else?
+      options:
+        -
+        - Import
+        - Eval
+        - Standalone
+        - Distributed
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Location
+      description: >
+        Is this deployment in the cloud, on-prem with Internet access, or airgap?
+      options:
+        -
+        - cloud
+        - on-prem with Internet access
+        - airgap
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Hardware Specs
+      description: >
+        Does your hardware meet or exceed the minimum requirements for your installation type as shown at https://docs.securityonion.net/en/2.4/hardware.html?
+      options:
+        -
+        - Meets minimum requirements
+        - Exceeds minimum requirements
+        - Does not meet minimum requirements
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: CPU
+      description: How many CPU cores do you have?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: RAM
+      description: How much RAM do you have?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Storage for /
+      description: How much storage do you have for the / partition?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Storage for /nsm
+      description: How much storage do you have for the /nsm partition?
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Network Traffic Collection
+      description: >
+        Are you collecting network traffic from a tap or span port?
+      options:
+        -
+        - tap
+        - span port
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Network Traffic Speeds
+      description: >
+        How much network traffic are you monitoring?
+      options:
+        -
+        - Less than 1Gbps
+        - 1Gbps to 10Gbps
+        - more than 10Gbps
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Status
+      description: >
+        Does SOC Grid show all services on all nodes as running OK?
+      options:
+        -
+        - Yes, all services on all nodes are running OK
+        - No, one or more services are failed (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Salt Status
+      description: >
+        Do you get any failures when you run "sudo salt-call state.highstate"?
+      options:
+        -
+        - Yes, there are salt failures (please provide detail below)
+        - No, there are no failures
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Logs
+      description: >
+        Are there any additional clues in /opt/so/log/?
+      options:
+        -
+        - Yes, there are additional clues in /opt/so/log/ (please provide detail below)
+        - No, there are no additional clues
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Detail
+      description: Please read the placeholder and then provide detailed information to help us help you.
+      placeholder: >-
+        STOP! Please read these guidelines in their entirety before typing!
+        
+        Community Support is considered best effort and there are no guarantees and no SLAs. If you need private, priority, or enterprise support, please consider purchasing support from Security Onion Solutions.
+        
+        Please review the Github Community Guidelines (see link on the right side of the page).
+        
+        Please be patient, courteous, and respectful. Disrespectful messages can result in being banned.
+        
+        Before posting for help, check the Help, FAQ, and other sections of the documentation (https://docs.securityonion.net/) to see if your question has already been answered there.
+        
+        Please do not tag an individual in a discussion unless that individual has already volunteered to help you in that discussion.
+        
+        When creating your discussion, please put a relevant and descriptive title in the Title field and avoid generic titles like Help. When copying text from your Security Onion deployment to the discussion, please copy as plain text when possible rather than taking a screenshot of the text. This allows others to search for and find your text.
+        
+        Avoid typing in ALL CAPS as this looks like YELLING!
+        
+        If you need to include a large section of output, please do so as an attached file or Github gist rather than including the output directly in the reply itself. 
+        
+        If you attach files, please make sure they are plain text format. No Word docs or PDFs please.
+
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Guidelines
+      options:
+        - label: I have read the above statement and can confirm my post is relevant to Security Onion 2.4.
+          required: true

README.md

@@ -2,6 +2,20 @@
 
 Security Onion 2.3 is here!
 
+## End Of Life Warning
+
+Security Onion 2.3 reaches End Of Life (EOL) on April 6, 2024:
+
+https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html
+
+For new installations, please see the 2.4 branch of this repo:
+
+https://github.com/Security-Onion-Solutions/securityonion/tree/2.4/main
+
+If you have an existing 2.3 installation and would like to migrate to 2.4, please see:
+
+https://docs.securityonion.net/en/2.4/appendix.html
+
 ## Screenshots
 
 Alerts

VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.3.260-20230620 ISO image built on 2023/06/20
+### 2.3.280-20231128 ISO image built on 2023/11/28
 
 
 
 ### Download and Verify
 
-2.3.260-20230620 ISO image:  
+2.3.280-20231128 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.260-20230620.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.3.280-20231128.iso
 
-MD5: E09BB9800BAE84E84511516952264F33  
+MD5: 0BC68BD73547B7E2FBA6F53BEC174590  
-SHA1: DBDDFCE58B87F61F40BCE03840A749D8054B7AF1  
+SHA1: 1D33C565D37772FE7A3C3FE3ECB05FC1AC1EBFF1  
-SHA256: 06ED74278587B09167FBAC1E5796B666FC24AD15D06EA3CC36419D07967E06DD 
+SHA256: ADBD9DC9E1B266B18E0FDBDF084073EF926C565041858060D283CDAEF021EE11 
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.260-20230620.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.280-20231128.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.260-20230620.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.280-20231128.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.260-20230620.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.280-20231128.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.260-20230620.iso.sig securityonion-2.3.260-20230620.iso
+gpg --verify securityonion-2.3.280-20231128.iso.sig securityonion-2.3.280-20231128.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Fri 16 Jun 2023 02:58:22 PM EDT using RSA key ID FE507013
+gpg: Signature made Mon 27 Nov 2023 05:09:34 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

VERSION

@@ -1 +1 @@
-2.3.260
+2.3.280

pillar/zeek/init.sls

@@ -42,12 +42,13 @@ zeek:
       - frameworks/files/hash-all-files
       - frameworks/files/detect-MHR
       - policy/frameworks/notice/extend-email/hostnames
+      - policy/frameworks/notice/community-id
+      - policy/protocols/conn/community-id-logging
       - ja3
       - hassh
       - intel
       - cve-2020-0601
       - securityonion/bpfconf
-      - securityonion/communityid
       - securityonion/file-extraction
       - oui-logging
       - icsnpp-modbus

salt/ca/files/signing_policies.conf

@@ -37,7 +37,7 @@ x509_signing_policies:
     - ST: Utah
     - L: Salt Lake City
     - basicConstraints: "critical CA:false"
-    - keyUsage: "critical keyEncipherment"
+    - keyUsage: "critical keyEncipherment, digitalSignature"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
     - extendedKeyUsage: serverAuth

salt/common/tools/sbin/soup

@@ -17,9 +17,30 @@
 
 . /usr/sbin/so-common
 
+INSTALLEDVERSION=$(cat /etc/soversion)
+
+if [[ $INSTALLEDVERSION == "2.4.4" ]]; then
+
+  echo "Initiating supersoup mode"
+  mkdir -p /tmp/supersoup
+  cd /tmp/supersoup
+  echo "Updating soup..."
+  wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/salt/manager/tools/sbin/soup
+  cp soup /opt/so/saltstack/default/salt/manager/tools/sbin
+  echo "Updating soup..."
+  salt-call state.apply manager
+  echo "Please run soup a second time."
+
+  exit 0
+fi
+
+if [ "$INSTALLEDVERSION" = '2.4.3' ] || [ "$INSTALLEDVERSION" = '2.4.2' ] || [ "$INSTALLEDVERSION" = '2.4.1' ] || [ "$INSTALLEDVERSION" = '2.4.0' ]; then
+  echo "soup is not supported on $INSTALLEDVERSION. Please install the latest 2.4 release."
+  exit 1
+fi
+
 UPDATE_DIR=/tmp/sogh/securityonion
 DEFAULT_SALT_DIR=/opt/so/saltstack/default
-INSTALLEDVERSION=$(cat /etc/soversion)
 POSTVERSION=$INSTALLEDVERSION
 INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk '{print $2}')
 BATCHSIZE=5
@@ -558,6 +579,8 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.3.230 ]] && up_to_2.3.240
     [[ "$INSTALLEDVERSION" == 2.3.240 ]] && up_to_2.3.250
     [[ "$INSTALLEDVERSION" == 2.3.250 ]] && up_to_2.3.260
+    [[ "$INSTALLEDVERSION" == 2.3.260 ]] && up_to_2.3.270
+    [[ "$INSTALLEDVERSION" == 2.3.270 ]] && up_to_2.3.280
     
     true
 }
@@ -589,6 +612,8 @@ postupgrade_changes() {
     [[ "$POSTVERSION" == 2.3.230 ]] && post_to_2.3.240
     [[ "$POSTVERSION" == 2.3.240 ]] && post_to_2.3.250
     [[ "$POSTVERSION" == 2.3.250 ]] && post_to_2.3.260
+    [[ "$POSTVERSION" == 2.3.260 ]] && post_to_2.3.270
+    [[ "$POSTVERSION" == 2.3.270 ]] && post_to_2.3.280
 
     true
 }
@@ -742,6 +767,24 @@ post_to_2.3.260() {
   POSTVERSION=2.3.260
 }
 
+post_to_2.3.270() {
+  echo "Pruning unused docker volumes on all nodes - This process will run in the background."
+  salt --async \* cmd.run "docker volume prune -f"
+
+  POSTVERSION=2.3.270
+}
+
+post_to_2.3.280() {
+  salt-call state.apply ca queue=True
+  stop_salt_minion
+  mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
+  mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
+  systemctl_func "start" "salt-minion"
+  enable_highstate
+  POSTVERSION=2.3.280
+}
+
+
 stop_salt_master() {
     # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
     set +e
@@ -1102,6 +1145,16 @@ up_to_2.3.260() {
   INSTALLEDVERSION=2.3.260
 }
 
+up_to_2.3.270() {
+  echo "Upgrading to 2.3.270"
+  INSTALLEDVERSION=2.3.270
+}
+
+up_to_2.3.280() {
+  echo "Upgrading to 2.3.280"
+  INSTALLEDVERSION=2.3.280
+}
+
 verify_upgradespace() {
   CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
   if [ "$CURRENTSPACE" -lt "10" ]; then
@@ -1685,8 +1738,12 @@ if [[ -z $UNATTENDED ]]; then
 
 SOUP - Security Onion UPdater
 
+**WARNING** Security Onion 2.3 reaches End Of Life (EOL) on April 6, 2024.
+Please make plans to migrate to Security Onion 2.4:
+https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html
+
 Please review the following for more information about the update process and recent updates:
-https://docs.securityonion.net/soup
+https://docs.securityonion.net/en/2.3/soup.html
 https://blog.securityonion.net
 
 EOF

salt/kibana/bin/so-kibana-config-load

@@ -59,7 +59,7 @@ update() {
 
     IFS=$'\r\n' GLOBIGNORE='*' command eval  'LINES=($(cat $1))'
     for i in "${LINES[@]}"; do
-      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.7.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.10.4" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
       echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
     done
  

salt/kibana/files/config_saved_objects.ndjson

@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.7.1","id": "8.7.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.10.4","id": "8.10.4","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}

salt/nginx/init.sls

@@ -118,6 +118,10 @@ so-nginx:
     - watch:
       - file: nginxconf
       - file: nginxconfdir
+  {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import', 'so-fleet'] %}
+      - x509: managerssl_key
+      - x509: managerssl_crt
+  {% endif %}
     - require:
       - file: nginxconf
   {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import', 'so-fleet'] %}

salt/playbook/init.sls

@@ -84,6 +84,14 @@ playbook_password_none:
 
 {% else %}
 
+playbookfilesdir:
+  file.directory:
+    - name: /opt/so/conf/playbook/redmine-files
+    - dir_mode: 775
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 so-playbook:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-playbook:{{ VERSION }}
@@ -91,6 +99,7 @@ so-playbook:
     - name: so-playbook
     - binds:
       - /opt/so/log/playbook:/playbook/log:rw
+      - /opt/so/conf/playbook/redmine-files:/usr/src/redmine/files:rw
     - environment:
       - REDMINE_DB_MYSQL={{ MANAGERIP }}
       - REDMINE_DB_DATABASE=playbook

salt/redis/init.sls

@@ -52,6 +52,13 @@ redisconf:
     - group: 939
     - template: jinja
 
+redisdatadir:
+  file.directory:
+    - name: /nsm/redis/data
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 so-redis:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }}
@@ -64,6 +71,7 @@ so-redis:
       - /opt/so/log/redis:/var/log/redis:rw
       - /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro
       - /opt/so/conf/redis/working:/redis:rw
+      - /nsm/redis/data:/data:rw
       - /etc/pki/redis.crt:/certs/redis.crt:ro
       - /etc/pki/redis.key:/certs/redis.key:ro
   {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}

salt/strelka/init.sls

@@ -194,9 +194,25 @@ filcheck_history_clean:
     - minute: '33'
 # End Filecheck Section
 
+strelkagkredisdatadir:
+  file.directory:
+    - name: /nsm/strelka/gk-redis-data
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+strelkacoordredisdatadir:
+  file.directory:
+    - name: /nsm/strelka/coord-redis-data
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 strelka_coordinator:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }}
+    - binds:
+      - /nsm/strelka/coord-redis-data:/data:rw
     - name: so-strelka-coordinator
     - entrypoint: redis-server --save "" --appendonly no
     - port_bindings:
@@ -210,6 +226,8 @@ append_so-strelka-coordinator_so-status.conf:
 strelka_gatekeeper:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }}
+    - binds:
+      - /nsm/strelka/gk-redis-data:/data:rw
     - name: so-strelka-gatekeeper
     - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
     - port_bindings:

salt/suricata/afpacket.map.jinja

@@ -1,6 +1,6 @@
 {% load_yaml as afpacket %}
 af-packet:
-  - interface: {{ salt['pillar.get']('sensor:interface', 'bond0') }}
+  - interface: {{ None if grains.role == 'so-import' else salt['pillar.get']('sensor:interface', 'bond0') }}
     cluster-id: 59
     cluster-type: cluster_flow
     defrag: yes
@@ -8,8 +8,4 @@ af-packet:
     threads: {{ salt['pillar.get']('sensor:suriprocs', salt['pillar.get']('sensor:suripins') | length) }}
     tpacket-v3: yes
     ring-size: {{ salt['pillar.get']('sensor:suriringsize', '5000') }}
-  - interface: default
-    #threads: auto
-    #use-mmap: no
-    #tpacket-v3: yes
 {% endload %}