Merge pull request #6646 from Security-Onion-Solutions/patch/2.3.91

Patch/2.3.91

HOTFIX

@@ -1 +1 @@
-WAZUH
+

README.md

@@ -1,6 +1,6 @@
-## Security Onion 2.3.90-WAZUH
+## Security Onion 2.3.91
 
-Security Onion 2.3.90-WAZUH is here!
+Security Onion 2.3.91 is here!
 
 ## Screenshots
 

VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.3.90-WAZUH ISO image built on 2021/11/23
+### 2.3.91 ISO image built on 2021/12/20
 
 
 
 ### Download and Verify
 
-2.3.90-WAZUH ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.90-WAZUH.iso
+2.3.91 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.3.91.iso
 
-MD5: B7141C8627CDB45F4A8741B2ADE4A9F3  
-SHA1: 16087B385CA651659EC98F139AFDF90922430FB6  
-SHA256: 667AF11BBCFE3248AF59E45043703B55A543E059899AE387FF55EB8077304F04 
+MD5: CD979038EC60318B7C7F8BA278A12D04  
+SHA1: 9FB2AC07FCD24A4993B3F61FC2B2863510650520  
+SHA256: BAA8BEF574ECCB9ADC326D736A00C00AAF940FC6AD68CF491FF1F0AB6C5BAA64 
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.90-WAZUH.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.91.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.90-WAZUH.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.91.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.90-WAZUH.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.91.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.90-WAZUH.iso.sig securityonion-2.3.90-WAZUH.iso
+gpg --verify securityonion-2.3.91.iso.sig securityonion-2.3.91.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Tue 23 Nov 2021 03:19:08 PM EST using RSA key ID FE507013
+gpg: Signature made Mon 20 Dec 2021 12:37:42 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

VERSION

@@ -1 +1 @@
-2.3.90
+2.3.91

salt/common/tools/sbin/soup

@@ -16,6 +16,7 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 . /usr/sbin/so-common
+export LC_CTYPE="en_US.UTF-8"
 
 UPDATE_DIR=/tmp/sogh/securityonion
 DEFAULT_SALT_DIR=/opt/so/saltstack/default
@@ -599,18 +600,33 @@ up_to_2.3.80() {
 
 up_to_2.3.90() {
   for i in manager managersearch eval standalone; do
-    if compgen -G "/opt/so/saltstack/local/pillar/minions/*_$i.sls" > /dev/null; then
-      echo "soc:" >> /opt/so/saltstack/local/pillar/minions/*_$i.sls
-      sed -i "/^soc:/a \\  es_index_patterns: '*:so-*,*:endgame-*'" /opt/so/saltstack/local/pillar/minions/*_$i.sls
+    echo "Checking for compgen match of /opt/so/saltstack/local/pillar/minions/*_$i.sls"
+    if compgen -G "/opt/so/saltstack/local/pillar/minions/*_$i.sls"; then
+      echo "Found compgen match for /opt/so/saltstack/local/pillar/minions/*_$i.sls"
+      for f in $(compgen -G "/opt/so/saltstack/local/pillar/minions/*_$i.sls"); do
+        if grep -qozP "^soc:\n.*es_index_patterns: '\*:so-\*,\*:endgame-\*'" "$f"; then
+          echo "soc:es_index_patterns already present in $f"
+        else
+          echo "Appending soc pillar data to $f"
+          echo "soc:" >> "$f"
+          sed -i "/^soc:/a \\  es_index_patterns: '*:so-*,*:endgame-*'" "$f"
+        fi
+      done
     fi
   done
   
   # Create Endgame Hostgroup
-  so-firewall addhostgroup endgame
+  echo "Adding endgame hostgroup with so-firewall"
+  if so-firewall addhostgroup endgame 2>&1 | grep -q 'Already exists'; then
+    echo 'endgame hostgroup already exists'
+  else
+    echo 'endgame hostgroup added'
+  fi
   
   # Force influx to generate a new cert
-  mv /etc/pki/influxdb.crt /etc/pki/influxdb.crt.2390upgrade
-  mv /etc/pki/influxdb.key /etc/pki/influxdb.key.2390upgrade
+  echo "Moving influxdb.crt and influxdb.key to generate new certs"
+  mv -vf /etc/pki/influxdb.crt /etc/pki/influxdb.crt.2390upgrade
+  mv -vf /etc/pki/influxdb.key /etc/pki/influxdb.key.2390upgrade
   
   # remove old common ingest pipeline in default
   rm -vf /opt/so/saltstack/default/salt/elasticsearch/files/ingest/common
@@ -838,7 +854,7 @@ verify_latest_update_script() {
 }
 
 apply_hotfix() {
-  if [[ "$INSTALLEDVERSION" == "2.3.90" && "$HOTFIXVERSION" == "WAZUH" ]] ; then
+  if [[ "$INSTALLEDVERSION" == "2.3.90" ]] ; then
     FILE="/nsm/wazuh/etc/ossec.conf"
     echo "Detecting if ossec.conf needs corrected..."
     if head -1 $FILE | grep -q "xml version"; then
@@ -849,7 +865,7 @@ apply_hotfix() {
       echo "$FILE does not have an XML header, so no changes are necessary."
     fi
   else
-    echo "Skipping ossec.conf check ($INSTALLEDVERSION/$HOTFIXVERSION)"
+    echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
   fi
 }
 
@@ -857,6 +873,7 @@ apply_hotfix() {
 main() {
   trap 'check_err $?' EXIT
   
+  echo "### Preparing soup at $(date) ###"
   check_pillar_items
 
   echo "Checking to see if this is an airgap install."
@@ -1168,5 +1185,4 @@ EOF
   read -r input
 fi
 
-echo "### Preparing soup at $(date) ###"
 main "$@" | tee -a $SOUP_LOG

salt/elasticsearch/files/scripts/so-catrust

@@ -24,9 +24,9 @@ set -e
 
 # Check to see if we have extracted the ca cert.
 if [ ! -f /opt/so/saltstack/local/salt/common/cacerts ]; then
-    docker run -v /etc/pki/ca.crt:/etc/pki/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }} -keystore /etc/pki/ca-trust/extracted/java/cacerts -alias SOSCA -import -file /etc/pki/ca.crt -storepass changeit -noprompt
-    docker cp so-elasticsearchca:/etc/pki/ca-trust/extracted/java/cacerts /opt/so/saltstack/local/salt/common/cacerts
-    docker cp so-elasticsearchca:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
+    docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }} -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt
+    docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/common/cacerts
+    docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
     docker rm so-elasticsearchca
     echo "" >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
     echo "sosca" >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem

salt/elasticsearch/init.sls

@@ -131,6 +131,10 @@ esrolesdir:
     - group: 939
     - makedirs: True
 
+eslibdir:
+  file.absent:
+    - name: /opt/so/conf/elasticsearch/lib
+    
 esingestdynamicconf:
   file.recurse:
     - name: /opt/so/conf/elasticsearch/ingest
@@ -258,7 +262,7 @@ so-elasticsearch:
       {% if TRUECLUSTER is sameas false or (TRUECLUSTER is sameas true and not salt['pillar.get']('nodestab', {})) %}
       - discovery.type=single-node
       {% endif %}
-      - ES_JAVA_OPTS=-Xms{{ esheap }} -Xmx{{ esheap }} -Des.transport.cname_in_publish_address=true
+      - ES_JAVA_OPTS=-Xms{{ esheap }} -Xmx{{ esheap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
       ulimits:
       - memlock=-1:-1
       - nofile=65536:65536
@@ -271,7 +275,7 @@ so-elasticsearch:
       - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
       - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
       - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
-      - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
+      - /opt/so/conf/ca/cacerts:/usr/share/elasticsearch/jdk/lib/security/cacerts:ro
       {% if ismanager %}
       - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
       {% else %}
@@ -327,7 +331,7 @@ so-elasticsearch-pipelines-file:
 
 so-elasticsearch-pipelines:
  cmd.run:
-   - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }}
+   - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ grains.host }}
    - onchanges:
       - file: esingestconf
       - file: esingestdynamicconf

salt/kibana/bin/so-kibana-config-load

@@ -35,7 +35,7 @@ update() {
   wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}"  
   IFS=$'\r\n' GLOBIGNORE='*' command eval  'LINES=($(cat $1))'
   for i in "${LINES[@]}"; do
-    {{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.15.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i "
+    {{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.16.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i "
   done
 
 }

salt/kibana/files/config_saved_objects.ndjson

@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "7.15.2","id": "7.15.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "7.16.2","id": "7.16.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}

salt/logstash/etc/jvm.options

@@ -0,0 +1 @@
+-Dlog4j2.formatMsgNoLookups=true

salt/logstash/init.sls

@@ -61,6 +61,10 @@ logstash:
     - gid: 931
     - home: /opt/so/conf/logstash
 
+lslibdir:
+  file.absent:
+    - name: /opt/so/conf/logstash/lib
+    
 lsetcdir:
   file.directory:
     - name: /opt/so/conf/logstash/etc

salt/repo/client/init.sls

@@ -65,6 +65,10 @@ yumconf:
     - mode: 644
     - template: jinja
     - show_changes: False
+
+cleanairgap:
+  file.absent:
+    - name: /etc/yum.repos.d/airgap_repo.repo
 {% endif %}
 
 cleanyum:

salt/thehive/init.sls

@@ -95,7 +95,7 @@ so-thehive-es:
       - /opt/so/conf/thehive/etc/es/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
       - /opt/so/log/thehive:/var/log/elasticsearch:rw
     - environment:
-      - ES_JAVA_OPTS=-Xms512m -Xmx512m
+      - ES_JAVA_OPTS=-Xms512m -Xmx512m -Dlog4j2.formatMsgNoLookups=true
     - port_bindings:
       - 0.0.0.0:9400:9400
       - 0.0.0.0:9500:9500

setup/so-functions

@@ -2016,10 +2016,10 @@ reinstall_init() {
 	{
 		if command -v salt-call &> /dev/null && grep -q "master:" /etc/salt/minion 2> /dev/null; then
 			# Disable schedule so highstate doesn't start running during the install
-			salt-call -l info schedule.disable
+			salt-call -l info schedule.disable --local
 
 			# Kill any currently running salt jobs, also to prevent issues with highstate.
-			salt-call -l info saltutil.kill_all_jobs
+			salt-call -l info saltutil.kill_all_jobs --local
 		fi
 
 		# Kill any salt processes (safely)

setup/so-setup

@@ -318,7 +318,7 @@ if ! [[ -f $install_opt_file ]]; then
 	elif [[ $is_minion && $is_iso ]]; then
 		$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1
 		airgap_check=$?
-		[[ $airgap_check ]] && is_airgap=true >> $setup_log 2>&1
+		[[ $airgap_check == 0 ]] && is_airgap=true >> $setup_log 2>&1
 	fi
 
 	reset_proxy