Merge pull request #4411 from Security-Onion-Solutions/hotfix-0528

2.3.52

HOTFIX

@@ -0,0 +1 @@
+

README.md

@@ -1,6 +1,6 @@
-## Security Onion 2.3.50
+## Security Onion 2.3.52
 
-Security Onion 2.3.50 is here!
+Security Onion 2.3.52 is here!
 
 ## Screenshots
 

VERIFY_ISO.md

@@ -1,17 +1,17 @@
-### 2.3.50 ISO image built on 2021/04/27
+### 2.3.52 ISO image built on 2021/04/27
 
 
 ### Download and Verify
 
-2.3.50 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso
+2.3.52 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.3.52.iso
 
-MD5: C39CEA68B5A8AFC5CFFB2481797C0374  
-SHA1: 00AD9F29ABE3AB495136989E62EBB8FA00DA82C6  
-SHA256: D77AE370D7863837A989F6735413D1DD46B866D8D135A4C363B0633E3990387E 
+MD5: DF0CCCB0331780F472CC167AEAB55652  
+SHA1: 71FAE87E6C0AD99FCC27C50A5E5767D3F2332260  
+SHA256: 30E7C4206CC86E94D1657CBE420D2F41C28BC4CC63C51F27C448109EBAF09121 
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.52.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.52.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.52.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.50.iso.sig securityonion-2.3.50.iso
+gpg --verify securityonion-2.3.52.iso.sig securityonion-2.3.52.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Tue 27 Apr 2021 02:17:25 PM EDT using RSA key ID FE507013
+gpg: Signature made Sat 05 Jun 2021 06:56:04 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

VERSION

@@ -1 +1 @@
-2.3.50
+2.3.52

pillar/docker/config.sls

@@ -1,208 +0,0 @@
-{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%}
-{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%}
-{% set WAZUH = salt['pillar.get']('manager:wazuh', '0') %}
-{% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %}
-{% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
-{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %}
-{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
-{% set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %}
-{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
-
-eval:
-  containers:
-    - so-nginx
-    - so-telegraf
-    {% if  GRAFANA == '1' %}
-    - so-influxdb
-    - so-grafana
-    {% endif %}
-    - so-dockerregistry
-    - so-soc
-    - so-kratos
-    - so-idstools
-    {% if FLEETMANAGER %}
-    - so-mysql
-    - so-fleet
-    - so-redis
-    {% endif %}
-    - so-elasticsearch
-    - so-logstash
-    - so-kibana
-    - so-steno
-    - so-suricata
-    - so-zeek
-    - so-curator
-    - so-elastalert
-    {% if WAZUH != '0' %}
-    - so-wazuh
-    {% endif %}
-    - so-soctopus
-    {% if THEHIVE != '0' %}
-    - so-thehive
-    - so-thehive-es
-    - so-cortex
-    {% endif %}
-    {% if PLAYBOOK != '0' %}
-    - so-playbook
-    {% endif %}
-    {% if FREQSERVER != '0' %}
-    - so-freqserver
-    {% endif %}
-    {% if DOMAINSTATS != '0' %}
-    - so-domainstats
-    {% endif %}
-heavy_node:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-redis
-    - so-logstash
-    - so-elasticsearch
-    - so-curator
-    - so-steno
-    - so-suricata
-    - so-wazuh
-    - so-filebeat
-    {% if ZEEKVER != 'SURICATA' %}
-    - so-zeek
-    {% endif %}
-helix:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-idstools
-    - so-steno
-    - so-zeek
-    - so-redis
-    - so-logstash
-    - so-filebeat
-hot_node:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-logstash
-    - so-elasticsearch
-    - so-curator
-manager_search:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-soc
-    - so-kratos
-    - so-acng
-    - so-idstools
-    - so-redis
-    - so-logstash
-    - so-elasticsearch
-    - so-curator
-    - so-kibana
-    - so-elastalert
-    - so-filebeat
-    - so-soctopus
-    {% if FLEETMANAGER %}
-    - so-mysql
-    - so-fleet
-    - so-redis
-    {% endif %}
-    {% if WAZUH != '0' %}
-    - so-wazuh
-    {% endif %}
-    - so-soctopus
-    {% if THEHIVE != '0' %}
-    - so-thehive
-    - so-thehive-es
-    - so-cortex
-    {% endif %}
-    {% if PLAYBOOK != '0' %}
-    - so-playbook
-    {% endif %}
-    {% if FREQSERVER != '0' %}
-    - so-freqserver
-    {% endif %}
-    {% if DOMAINSTATS != '0' %}
-    - so-domainstats
-    {% endif %}
-manager:
-  containers:
-    - so-dockerregistry
-    - so-nginx
-    - so-telegraf
-    {% if  GRAFANA == '1' %}
-    - so-influxdb
-    - so-grafana
-    {% endif %}
-    - so-soc
-    - so-kratos
-    - so-acng
-    - so-idstools
-    - so-redis
-    - so-elasticsearch
-    - so-logstash
-    - so-kibana
-    - so-elastalert
-    - so-filebeat
-    {% if FLEETMANAGER %}
-    - so-mysql
-    - so-fleet
-    - so-redis
-    {% endif %}
-    {% if WAZUH != '0' %}
-    - so-wazuh
-    {% endif %}
-    - so-soctopus
-    {% if THEHIVE != '0' %}
-    - so-thehive
-    - so-thehive-es
-    - so-cortex
-    {% endif %}
-    {% if PLAYBOOK != '0' %}
-    - so-playbook
-    {% endif %}
-    {% if FREQSERVER != '0' %}
-    - so-freqserver
-    {% endif %}
-    {% if DOMAINSTATS != '0' %}
-    - so-domainstats
-    {% endif %}
-parser_node:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-logstash
-search_node:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-logstash
-    - so-elasticsearch
-    - so-curator
-    - so-filebeat
-    {% if WAZUH != '0' %}
-    - so-wazuh
-    {% endif %}
-sensor:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-steno
-    - so-suricata
-    {% if ZEEKVER != 'SURICATA' %}
-    - so-zeek
-    {% endif %}
-    - so-wazuh
-    - so-filebeat
-warm_node:
-  containers:
-    - so-nginx
-    - so-telegraf
-    - so-elasticsearch
-fleet:
-  containers:
-    {% if FLEETNODE %}
-    - so-mysql
-    - so-fleet
-    - so-redis
-    - so-filebeat
-    - so-nginx
-    - so-telegraf
-    {% endif %}

salt/common/tools/sbin/so-airgap-hotfixapply

@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+UPDATE_DIR=/tmp/sohotfixapply
+
+if [ -z "$1" ]; then
+  echo "No tarball given. Please provide the filename so I can run the hotfix"
+  echo "so-airgap-hotfixapply /path/to/sohotfix.tar" 
+  exit 1
+else
+  if [ ! -f "$1" ]; then
+    echo "Unable to find $1. Make sure your path is correct and retry."
+    exit 1
+  else
+    echo "Determining if we need to apply this hotfix"
+    rm -rf $UPDATE_DIR
+    mkdir -p $UPDATE_DIR
+    tar xvf $1 -C $UPDATE_DIR
+
+    # Compare some versions
+    NEWVERSION=$(cat $UPDATE_DIR/VERSION)
+    HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX)
+    CURRENTHOTFIX=$(cat /etc/sohotfix)
+    INSTALLEDVERSION=$(cat /etc/soversion)
+
+    if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
+      echo "Checking to see if there are hotfixes needed"
+      if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then
+        echo "You are already running the latest version of Security Onion."
+        rm -rf $UPDATE_DIR
+        exit 1
+      else
+        echo "We need to apply a hotfix"
+        copy_new_files
+        echo $HOTFIXVERSION > /etc/sohotfix
+        salt-call state.highstate -l info queue=True
+        echo "The Hotfix $HOTFIXVERSION has been applied"
+        # Clean up 
+        rm -rf $UPDATE_DIR
+        exit 0
+      fi
+    else
+      echo "This hotfix is not compatible with your current version. Download the latest ISO and run soup"
+      rm -rf $UPDATE_DIR
+    fi
+
+  fi
+fi

salt/common/tools/sbin/so-airgap-hotfixdownload

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Get the latest code
+rm -rf /tmp/sohotfix
+mkdir -p /tmp/sohotfix
+cd /tmp/sohotfix
+git clone https://github.com/Security-Onion-Solutions/securityonion
+if [ ! -d "/tmp/sohotfix/securityonion" ]; then
+  echo "I was unable to get the latest code. Check your internet and try again."
+  exit 1
+else
+  echo "Looks like we have the code lets create the tarball."
+  cd /tmp/sohotfix/securityonion
+  tar cvf /tmp/sohotfix/sohotfix.tar HOTFIX VERSION salt pillar
+  echo ""
+  echo "Copy /tmp/sohotfix/sohotfix.tar to portable media and then copy it to your airgap manager."
+  exit 0
+fi

salt/common/tools/sbin/so-common

@@ -15,6 +15,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+DEFAULT_SALT_DIR=/opt/so/saltstack/default
+
 # Check for prerequisites
 if [ "$(id -u)" -ne 0 ]; then
 	echo "This script must be run using sudo!"
@@ -122,6 +124,16 @@ check_elastic_license() {
 	fi  
 }
 
+copy_new_files() {
+  # Copy new files over to the salt dir
+  cd $UPDATE_DIR
+  rsync -a salt $DEFAULT_SALT_DIR/
+  rsync -a pillar $DEFAULT_SALT_DIR/
+  chown -R socore:socore $DEFAULT_SALT_DIR/
+  chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
+  cd /tmp
+}
+
 disable_fastestmirror() {
 	sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
 }
@@ -475,6 +487,7 @@ wait_for_web_response() {
 	expected=$2
 	maxAttempts=${3:-300}
 	logfile=/root/wait_for_web_response.log
+	truncate -s 0 "$logfile"
 	attempt=0
 	while [[ $attempt -lt $maxAttempts ]]; do
 		attempt=$((attempt+1))

salt/common/tools/sbin/so-zeek-stats

@@ -24,11 +24,11 @@ show_stats() {
   echo
   echo "Average throughput:"
   echo
-  docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats'
+  docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin /opt/zeek/bin/zeekctl capstats
   echo
   echo "Average packet loss:"
   echo
-  docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'
+  docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin /opt/zeek/bin/zeekctl netstats
   echo
 }
 

salt/common/tools/sbin/soup

@@ -21,7 +21,6 @@ UPDATE_DIR=/tmp/sogh/securityonion
 INSTALLEDVERSION=$(cat /etc/soversion)
 POSTVERSION=$INSTALLEDVERSION
 INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk {'print $2'})
-DEFAULT_SALT_DIR=/opt/so/saltstack/default
 BATCHSIZE=5
 SOUP_LOG=/root/soup.log
 WHATWOULDYOUSAYYAHDOHERE=soup
@@ -214,21 +213,11 @@ clone_to_tmp() {
   fi
 }
 
-copy_new_files() {
-  # Copy new files over to the salt dir
-  cd $UPDATE_DIR
-  rsync -a salt $DEFAULT_SALT_DIR/
-  rsync -a pillar $DEFAULT_SALT_DIR/
-  chown -R socore:socore $DEFAULT_SALT_DIR/
-  chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
-  cd /tmp
-}
-
 generate_and_clean_tarballs() {
   local new_version
   new_version=$(cat $UPDATE_DIR/VERSION)
   [ -d /opt/so/repo ] || mkdir -p /opt/so/repo
-  tar -czf "/opt/so/repo/$new_version.tar.gz" "$UPDATE_DIR"
+  tar -czf "/opt/so/repo/$new_version.tar.gz" -C "$UPDATE_DIR" .
   find "/opt/so/repo" -type f -not -name "$new_version.tar.gz" -exec rm -rf {} \;
 }
 
@@ -572,16 +561,28 @@ update_version() {
   # Update the version to the latest
   echo "Updating the Security Onion version file."
   echo $NEWVERSION > /etc/soversion
+  echo $HOTFIXVERSION > /etc/sohotfix
   sed -i "/  soversion:/c\  soversion: $NEWVERSION" /opt/so/saltstack/local/pillar/global.sls
 }
 
 upgrade_check() {
   # Let's make sure we actually need to update.
   NEWVERSION=$(cat $UPDATE_DIR/VERSION)
+  HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX)
+  CURRENTHOTFIX=$(cat /etc/sohotfix 2>/dev/null)
   if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
-    echo "You are already running the latest version of Security Onion."
-    exit 0
+    echo "Checking to see if there are hotfixes needed"
+    if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then
+      echo "You are already running the latest version of Security Onion."
+      exit 0
+    else
+      echo "We need to apply a hotfix"
+      is_hotfix=true
+    fi
+  else
+    is_hotfix=false
   fi 
+
 }
 
 upgrade_check_salt() {
@@ -709,144 +710,156 @@ upgrade_space
 echo "Checking for Salt Master and Minion updates."
 upgrade_check_salt
 
-echo ""
-echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
-echo ""
-echo "Updating dockers to $NEWVERSION."
-if [ $is_airgap -eq 0 ]; then
-  airgap_update_dockers
-  update_centos_repo
-  yum clean all
-  check_os_updates
+
+if [ "$is_hotfix" == "true" ]; then
+  echo "Applying $HOTFIXVERSION" 
+  copy_new_files
+  echo ""
+  update_version
+  salt-call state.highstate -l info queue=True
+  
 else
-  update_registry
-  update_docker_containers "soup"
-fi
-
-echo ""
-echo "Stopping Salt Minion service."
-systemctl stop salt-minion
-echo "Killing any remaining Salt Minion processes."
-pkill -9 -ef /usr/bin/salt-minion
-echo ""
-echo "Stopping Salt Master service."
-systemctl stop salt-master
-echo ""
-
-preupgrade_changes_2.3.50_repo
-
-# Does salt need upgraded. If so update it.
-if [ "$UPGRADESALT" == "1" ]; then
-  echo "Upgrading Salt"
-  # Update the repo files so it can actually upgrade
-  upgrade_salt
-fi
-
-echo "Checking if Salt was upgraded."
-echo ""
-# Check that Salt was upgraded
-SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk {'print $2'})
-if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then
-  echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG."
-  echo "Once the issue is resolved, run soup again."
-  echo "Exiting."
   echo ""
-  exit 1
-else
-  echo "Salt upgrade success."
+  echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
   echo ""
-fi
 
-preupgrade_changes
-echo ""
-
-if [ $is_airgap -eq 0 ]; then
-  echo "Updating Rule Files to the Latest."
-  update_airgap_rules
-fi
-
-# Only update the repo if its airgap
-if [[ $is_airgap -eq 0 ]] && [[ "$UPGRADESALT" != "1" ]]; then
-update_centos_repo
-fi
-
-echo ""
-echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR."
-copy_new_files
-echo ""
-update_version
-
-echo ""
-echo "Locking down Salt Master for upgrade"
-masterlock
-
-echo ""
-echo "Starting Salt Master service."
-systemctl start salt-master
-
-# Only regenerate osquery packages if Fleet is enabled
-FLEET_MANAGER=$(lookup_pillar fleet_manager)
-FLEET_NODE=$(lookup_pillar fleet_node)
-if [[ "$FLEET_MANAGER" == "True" || "$FLEET_NODE" == "True" ]]; then
-  echo ""
-  echo "Regenerating Osquery Packages.... This will take several minutes."
-  salt-call state.apply fleet.event_gen-packages -l info queue=True
-  echo ""
-fi
-
-echo ""
-echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes."
-salt-call state.highstate -l info queue=True
-echo ""
-echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete."
-
-echo ""
-echo "Stopping Salt Master to remove ACL"
-systemctl stop salt-master
-
-masterunlock
-
-echo ""
-echo "Starting Salt Master service."
-systemctl start salt-master
-echo "Running a highstate. This could take several minutes."
-salt-call state.highstate -l info queue=True
-postupgrade_changes
-unmount_update
-thehive_maint
-
-if [ "$UPGRADESALT" == "1" ]; then
+  echo "Updating dockers to $NEWVERSION."
   if [ $is_airgap -eq 0 ]; then
+    airgap_update_dockers
+    update_centos_repo
+    yum clean all
+    check_os_updates
+  else
+    update_registry
+    update_docker_containers "soup"
+  fi
+
+  echo ""
+  echo "Stopping Salt Minion service."
+  systemctl stop salt-minion
+  echo "Killing any remaining Salt Minion processes."
+  pkill -9 -ef /usr/bin/salt-minion
+  echo ""
+  echo "Stopping Salt Master service."
+  systemctl stop salt-master
+  echo ""
+
+  preupgrade_changes_2.3.50_repo
+
+  # Does salt need upgraded. If so update it.
+  if [ "$UPGRADESALT" == "1" ]; then
+    echo "Upgrading Salt"
+    # Update the repo files so it can actually upgrade
+    upgrade_salt
+  fi
+
+  echo "Checking if Salt was upgraded."
+  echo ""
+  # Check that Salt was upgraded
+  SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk {'print $2'})
+  if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then
+    echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG."
+    echo "Once the issue is resolved, run soup again."
+    echo "Exiting."
     echo ""
-    echo "Cleaning repos on remote Security Onion nodes."
-    salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
+    exit 1
+  else
+    echo "Salt upgrade success."
     echo ""
   fi
-fi
 
-check_sudoers
+  preupgrade_changes
+  echo ""
 
-if [[ -n $lsl_msg ]]; then
-  case $lsl_msg in
-    'distributed')
-      echo "[INFO] The value of log_size_limit in any heavy node minion pillars may be incorrect."
-      echo " -> We recommend checking and adjusting the values as necessary."
-      echo " -> Minion pillar directory: /opt/so/saltstack/local/pillar/minions/"
-    ;;
-    'single-node')
-      # We can assume the lsl_details array has been set if lsl_msg has this value
-      echo "[WARNING] The value of log_size_limit (${lsl_details[0]}) does not match the recommended value of ${lsl_details[1]}."
-      echo " -> We recommend checking and adjusting the value as necessary."
-      echo " -> File: /opt/so/saltstack/local/pillar/minions/${lsl_details[2]}.sls"
-    ;;
-  esac
-fi
+  if [ $is_airgap -eq 0 ]; then
+    echo "Updating Rule Files to the Latest."
+    update_airgap_rules
+  fi
 
-NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l)
+  # Only update the repo if its airgap
+  if [[ $is_airgap -eq 0 ]] && [[ "$UPGRADESALT" != "1" ]]; then
+  update_centos_repo
+  fi
+
+  echo ""
+  echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR."
+  copy_new_files
+  echo ""
+  update_version
+
+  echo ""
+  echo "Locking down Salt Master for upgrade"
+  masterlock
+
+  echo ""
+  echo "Starting Salt Master service."
+  systemctl start salt-master
+
+  # Only regenerate osquery packages if Fleet is enabled
+  FLEET_MANAGER=$(lookup_pillar fleet_manager)
+  FLEET_NODE=$(lookup_pillar fleet_node)
+  if [[ "$FLEET_MANAGER" == "True" || "$FLEET_NODE" == "True" ]]; then
+    echo ""
+    echo "Regenerating Osquery Packages.... This will take several minutes."
+    salt-call state.apply fleet.event_gen-packages -l info queue=True
+    echo ""
+  fi
+
+  echo ""
+  echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes."
+  salt-call state.highstate -l info queue=True
+  echo ""
+  echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete."
+
+  echo ""
+  echo "Stopping Salt Master to remove ACL"
+  systemctl stop salt-master
+
+  masterunlock
+
+  echo ""
+  echo "Starting Salt Master service."
+  systemctl start salt-master
+  echo "Running a highstate. This could take several minutes."
+  salt-call state.highstate -l info queue=True
+  postupgrade_changes
+  unmount_update
+  thehive_maint
+
+  if [ "$UPGRADESALT" == "1" ]; then
+    if [ $is_airgap -eq 0 ]; then
+      echo ""
+      echo "Cleaning repos on remote Security Onion nodes."
+      salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
+      echo ""
+    fi
+  fi
+
+  check_sudoers
+
+  if [[ -n $lsl_msg ]]; then
+    case $lsl_msg in
+      'distributed')
+        echo "[INFO] The value of log_size_limit in any heavy node minion pillars may be incorrect."
+        echo " -> We recommend checking and adjusting the values as necessary."
+        echo " -> Minion pillar directory: /opt/so/saltstack/local/pillar/minions/"
+      ;;
+      'single-node')
+        # We can assume the lsl_details array has been set if lsl_msg has this value
+        echo "[WARNING] The value of log_size_limit (${lsl_details[0]}) does not match the recommended value of ${lsl_details[1]}."
+        echo " -> We recommend checking and adjusting the value as necessary."
+        echo " -> File: /opt/so/saltstack/local/pillar/minions/${lsl_details[2]}.sls"
+      ;;
+    esac
+  fi
+
+  NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l)
+
+  if [ $NUM_MINIONS -gt 1 ]; then
+
+    cat << EOF
     
-if [ $NUM_MINIONS -gt 1 ]; then
   
-	cat << EOF
   
 This appears to be a distributed deployment. Other nodes should update themselves at the next Salt highstate (typically within 15 minutes). Do not manually restart anything until you know that all the search/heavy nodes in your deployment are updated. This is especially important if you are using true clustering for Elasticsearch.
 
@@ -855,9 +868,12 @@ Each minion is on a random 15 minute check-in period and things like network ban
 If it looks like you’re missing data after the upgrade, please avoid restarting services and instead make sure at least one search node has completed its upgrade. The best way to do this is to run 'sudo salt-call state.highstate' from a search node and make sure there are no errors. Typically if it works on one node it will work on the rest. Forward nodes are less complex and will update as they check in so you can monitor those from the Grid section of SOC.
 
 For more information, please see https://docs.securityonion.net/en/2.3/soup.html#distributed-deployments.
+
 EOF
 
+  fi
 fi
+
 echo "### soup has been served at `date` ###"
 }
 

salt/grafana/init.sls

@@ -11,7 +11,7 @@
 {% set GRAFANA_SETTINGS = salt['grains.filter_by'](default_settings, default='grafana', merge=salt['pillar.get']('grafana', {})) %}
 
 
-{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
+{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %}
 
 # Grafana all the things
 grafanadir:

salt/influxdb/init.sls

@@ -6,7 +6,7 @@
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 
-{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
+{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %}
 
 # Influx DB
 influxconfdir:

salt/salt/minion.sls

@@ -43,12 +43,24 @@ hold_salt_packages:
 {% endfor %}
 {% endif %}
 
+remove_info_log_level_logfile:
+  file.line:
+    - name: /etc/salt/minion
+    - match: "log_level_logfile: info"
+    - mode: delete
+
+remove_info_log_level:
+  file.line:
+    - name: /etc/salt/minion
+    - match: "log_level: info"
+    - mode: delete
+
 set_log_levels:
   file.append:
     - name: /etc/salt/minion
     - text:
-      - "log_level: info"
-      - "log_level_logfile: info"
+      - "log_level: error"
+      - "log_level_logfile: error"
     - listen_in:
       - service: salt_minion_service
 

salt/sensoroni/files/sensoroni.json

@@ -15,6 +15,7 @@
   "logFilename": "/opt/sensoroni/logs/sensoroni.log",
   "logLevel":"info",
   "agent": {
+    "nodeId": "{{ grains.host | lower }}",
     "role": "{{ grains.role }}",
     "description": "{{ DESCRIPTION }}",
     "address": "{{ ADDRESS }}",

salt/soc/files/soc/soc.json

@@ -54,7 +54,7 @@
         "verifyCert": false
       },
       "influxdb": {
-{%- if grains['role'] in ['so-import'] %}
+{%- if grains['role'] in ['so-import'] or (grains['role'] == 'so-eval' and GRAFANA == 0) %}
         "hostUrl": "",
 {%- else %}
         "hostUrl": "https://{{ MANAGERIP }}:8086",

salt/telegraf/scripts/raid.sh

@@ -16,6 +16,8 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 THEGREP=$(ps -ef | grep $0 | grep -v $$ | grep -v grep)
+RAIDLOG=/var/log/raid/status.log
+RAIDSTATUS=$(cat /var/log/raid/status.log)
 
 if [ ! "$THEGREP" ]; then
 

salt/zeek/cron/packetloss.sh

@@ -1,2 +1,2 @@
 #!/bin/bash
-/usr/bin/docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats' | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1
+/usr/bin/docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin /opt/zeek/bin/zeekctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1

salt/zeek/init.sls

@@ -78,6 +78,7 @@ zeekspoolownership:
   file.directory:
     - name: /nsm/zeek/spool
     - user: 937
+    - max_depth: 0
     - recurse:
       - user
 

setup/automation/distributed-iso-sensor

@@ -34,7 +34,7 @@ ZEEKVERSION=ZEEK
 # HELIXAPIKEY=
 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
 HNSENSOR=inherit
-HOSTNAME=distributed-sensor
+HOSTNAME=Distributed-Sensor
 install_type=SENSOR
 # LSINPUTBATCHCOUNT=
 # LSINPUTTHREADS=

setup/so-functions

@@ -1425,7 +1425,7 @@ generate_passwords(){
 
 generate_repo_tarball() {
 	mkdir /opt/so/repo
-	tar -czf /opt/so/repo/"$SOVERSION".tar.gz ../.
+	tar -czf /opt/so/repo/"$SOVERSION".tar.gz -C "$(pwd)/.." .
 }
 
 generate_sensor_vars() {

setup/so-whiptail

@@ -408,6 +408,7 @@ whiptail_enable_components() {
 	PLAYBOOK=0
 	STRELKA=0
 
+if [[ $is_eval ]]; then
 	COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
 	"Select Components to install:" 20 75 8 \
 	GRAFANA "Enable Grafana for system monitoring" ON \
@@ -416,6 +417,17 @@ whiptail_enable_components() {
 	THEHIVE "Enable TheHive" ON \
 	PLAYBOOK "Enable Playbook" ON \
 	STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3)
+else
+	COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
+	"Select Components to install:" 20 75 7 \
+	OSQUERY "Enable Fleet with osquery" ON \
+	WAZUH "Enable Wazuh" ON \
+	THEHIVE "Enable TheHive" ON \
+	PLAYBOOK "Enable Playbook" ON \
+	STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3)
+	export "GRAFANA=1"
+fi
+
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus