Merge pull request #11854 from Security-Onion-Solutions/hotfix/2.4.30

Hotfix/2.4.30

DOWNLOAD_AND_VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.4.30-20231113 ISO image released on 2023/11/13
+### 2.4.30-20231121 ISO image released on 2023/11/21
 
 
 
 ### Download and Verify
 
-2.4.30-20231113 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231113.iso
+2.4.30-20231121 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231121.iso
  
-MD5: 15EB5A74782E4C2D5663D29E275839F6  
-SHA1: BBD4A7D77ADDA94B866F1EFED846A83DDFD34D73  
-SHA256: 4509EB8E11DB49C6CD3905C74C5525BDB1F773488002179A846E00DE8E499988  
+MD5: 09DB0A6B3A75435C855E777272FC03F8  
+SHA1: A68868E67A3F86B77E01F54067950757EFD3BA72  
+SHA256: B3880C0302D9CDED7C974585B14355544FC9C3279F952EC79FC2BA9AEC7CB749  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231113.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231121.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231113.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231121.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231113.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231121.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.30-20231113.iso.sig securityonion-2.4.30-20231113.iso
+gpg --verify securityonion-2.4.30-20231121.iso.sig securityonion-2.4.30-20231121.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Mon 13 Nov 2023 09:23:21 AM EST using RSA key ID FE507013
+gpg: Signature made Tue 21 Nov 2023 01:21:38 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

HOTFIX

@@ -1 +1 @@
-
+20231121

salt/ca/files/signing_policies.conf

@@ -37,7 +37,7 @@ x509_signing_policies:
     - ST: Utah
     - L: Salt Lake City
     - basicConstraints: "critical CA:false"
-    - keyUsage: "critical keyEncipherment"
+    - keyUsage: "critical keyEncipherment digitalSignature"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
     - extendedKeyUsage: serverAuth

salt/kibana/defaults.yaml

@@ -21,8 +21,10 @@ kibana:
         appenders: 
           - default
           - file
+    migrations:
+      discardCorruptObjects: "8.10.4"
     telemetry:
-        enabled: False
+      enabled: False
     security:
       showInsecureClusterWarning: False
     xpack:

salt/kibana/tools/sbin/so-kibana-api-check

@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+echo "Checking to make sure that Kibana API is up & ready..."
+RETURN_CODE=0
+wait_for_web_response "http://localhost:5601/api/fleet/settings" "fleet" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
+RETURN_CODE=$?
+if [[ "$RETURN_CODE" != "0" ]]; then
+    echo "Kibana API not accessible, exiting script..."
+    exit 1
+fi
+
+
+

salt/manager/tools/sbin/soup

@@ -450,6 +450,13 @@ post_to_2.4.20() {
 post_to_2.4.30() {
   echo "Regenerating Elastic Agent Installers"
   /sbin/so-elastic-agent-gen-installers
+  salt-call state.apply ca queue=True
+  stop_salt_minion
+  mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
+  mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
+  systemctl_func "start" "salt-minion"
+  salt-call state.apply nginx queue=True
+  enable_highstate
   POSTVERSION=2.4.30
 }
 
@@ -529,6 +536,16 @@ up_to_2.4.20() {
 }
 
 up_to_2.4.30() {
+
+  # Remove older defend integration json & installed integration
+  rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json
+
+  . $UPDATE_DIR/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
+  elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
+
+  rm -f /opt/so/state/eaintegrations.txt
+
+  # Elastic Update for this release, so download Elastic Agent files
   determine_elastic_agent_upgrade
   rm -f /opt/so/state/estemplates*.txt
 
@@ -735,8 +752,23 @@ apply_hotfix() {
     . /usr/sbin/so-elastic-fleet-common
     elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
     /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
-#  elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then
-#    2_3_10_hotfix_1
+  elif [[ "$INSTALLEDVERSION" == "2.4.30" ]] ; then
+    if [[ -f /etc/pki/managerssl.key.old ]]; then
+      echo "Skipping Certificate Generation"
+    else
+      rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json
+      so-kibana-restart --force
+      so-kibana-api-check
+      . /usr/sbin/so-elastic-fleet-common
+
+      elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
+      rm -f /opt/so/state/eaintegrations.txt
+      salt-call state.apply ca queue=True
+      stop_salt_minion
+      mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
+      mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
+      systemctl_func "start" "salt-minion"
+    fi  
   else
    echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
   fi

setup/so-verify

@@ -38,6 +38,8 @@ log_has_errors() {
     # may be requested by dependency only (it is configured to refuse manual start/stop).
 
     # Command failed with exit code is output during retry loops.
+
+    # "remove failed" is caused by a warning generated by upgrade of libwbclient
     
     grep -E "FAILED|Failed|failed|ERROR|Result: False|Error is not recoverable" "$setup_log" | \
         grep -vE "The Salt Master has cached the public key for this node" | \
@@ -53,6 +55,7 @@ log_has_errors() {
         grep -vE "code: 100" | \
         grep -vE "/nsm/rules/sigma*" | \
         grep -vE "/nsm/rules/yara*" | \
+        grep -vE "remove failed" | \
         grep -vE "Failed to restart snapd" | \
         grep -vE "Login Failed Details" | \
         grep -vE "response from daemon: unauthorized" | \