WIP

2026-01-16 05:01:31 +01:00 · 2026-01-07 14:03:19 -06:00
9 changed files with 44 additions and 99 deletions
--- a/.github/DISCUSSION_TEMPLATE/2-4.yml
+++ b/.github/DISCUSSION_TEMPLATE/2-4.yml
@@ -33,7 +33,6 @@ body:
        - 2.4.180
        - 2.4.190
        - 2.4.200
-        - 2.4.201
        - 2.4.210
        - Other (please provide detail below)
    validations:
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,17 +1,17 @@
-### 2.4.201-20260114 ISO image released on 2026/1/15
+### 2.4.200-20251216 ISO image released on 2025/12/16


 ### Download and Verify

-2.4.201-20260114 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.201-20260114.iso
+2.4.200-20251216 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.200-20251216.iso
 
-MD5: 20E926E433203798512EF46E590C89B9  
-SHA1: 779E4084A3E1A209B494493B8F5658508B6014FA  
-SHA256: 3D10E7C885AEC5C5D4F4E50F9644FF9728E8C0A2E36EBB8C96B32569685A7C40  
+MD5: 07B38499952D1F2FD7B5AF10096D0043  
+SHA1: 7F3A26839CA3CAEC2D90BB73D229D55E04C7D370  
+SHA256: 8D3AC735873A2EA8527E16A6A08C34BD5018CBC0925AC4096E15A0C99F591D5F  

 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.201-20260114.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.200-20251216.iso.sig

 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.

 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.201-20260114.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.200-20251216.iso.sig
 ```

 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.201-20260114.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.200-20251216.iso
 ```

 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.201-20260114.iso.sig securityonion-2.4.201-20260114.iso
+gpg --verify securityonion-2.4.200-20251216.iso.sig securityonion-2.4.200-20251216.iso
 ```

 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Wed 14 Jan 2026 05:23:39 PM EST using RSA key ID FE507013
+gpg: Signature made Mon 15 Dec 2025 05:24:11 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/2
+++ b/2
@@ -1 +1 @@
-2.4.210
+2.4.0-foxtrot
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -130,7 +130,6 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process_cluster_event_timeout_exception" # logstash waiting for elasticsearch to start
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not configured for GeoIP"     # SO does not bundle the maxminddb with Zeek
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|HTTP 404: Not Found"          # Salt loops until Kratos returns 200, during startup Kratos may not be ready
-    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Cancelling deferred write event maybeFenceReplicas because the event queue is now closed" # Kafka controller log during shutdown/restart
 fi

 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
@@ -161,7 +160,6 @@ if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding ingest pipeline"       # false positive (elasticsearch ingest pipeline names contain 'error') 
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|updating index template"      # false positive (elasticsearch index or template names contain 'error') 
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|updating component template"  # false positive (elasticsearch index or template names contain 'error') 
-    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|upgrading component template"  # false positive (elasticsearch index or template names contain 'error')
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|upgrading composable template" # false positive (elasticsearch composable template names contain 'error')
 fi

--- a/salt/elasticsearch/tools/sbin_jinja/so-catrust
+++ b/salt/elasticsearch/tools/sbin_jinja/so-catrust
@@ -14,9 +14,8 @@ set -e
 # Check to see if we have extracted the ca cert.
 if [ ! -f /opt/so/saltstack/local/salt/elasticsearch/cacerts ]; then
    docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:$ELASTIC_AGENT_TARBALL_VERSION -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt
-    # Make sure symbolic links are followed when copying from container
-    docker cp -L so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/elasticsearch/cacerts
-    docker cp -L so-elasticsearchca:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
+    docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/elasticsearch/cacerts
+    docker cp so-elasticsearchca:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
    docker rm so-elasticsearchca
    echo "" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
    echo "sosca" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -25,10 +25,11 @@ kibana:
      discardCorruptObjects: "8.18.8"
    telemetry:
      enabled: False
+    security:
+      showInsecureClusterWarning: False
    xpack:
      security:
        secureCookies: true
-        showInsecureClusterWarning: false
      reporting:
        kibanaServer:
          hostname: localhost
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -433,8 +433,7 @@ preupgrade_changes() {
    [[ "$INSTALLEDVERSION" == 2.4.170 ]] && up_to_2.4.180
    [[ "$INSTALLEDVERSION" == 2.4.180 ]] && up_to_2.4.190
    [[ "$INSTALLEDVERSION" == 2.4.190 ]] && up_to_2.4.200
-    [[ "$INSTALLEDVERSION" == 2.4.200 ]] && up_to_2.4.201
-    [[ "$INSTALLEDVERSION" == 2.4.201 ]] && up_to_2.4.210
+    [[ "$INSTALLEDVERSION" == 2.4.200 ]] && up_to_2.4.210
    true
 }

@@ -449,26 +448,25 @@ postupgrade_changes() {
    [[ "$POSTVERSION" == 2.4.10 ]] && post_to_2.4.20
    [[ "$POSTVERSION" == 2.4.20 ]] && post_to_2.4.30
    [[ "$POSTVERSION" == 2.4.30 ]] && post_to_2.4.40
-    [[ "$POSTVERSION" == 2.4.40 ]] && post_to_2.4.50
-    [[ "$POSTVERSION" == 2.4.50 ]] && post_to_2.4.60
-    [[ "$POSTVERSION" == 2.4.60 ]] && post_to_2.4.70
-    [[ "$POSTVERSION" == 2.4.70 ]] && post_to_2.4.80
-    [[ "$POSTVERSION" == 2.4.80 ]] && post_to_2.4.90
-    [[ "$POSTVERSION" == 2.4.90 ]] && post_to_2.4.100
-    [[ "$POSTVERSION" == 2.4.100 ]] && post_to_2.4.110
+    [[ "$POSTVERSION"  == 2.4.40 ]] && post_to_2.4.50
+    [[ "$POSTVERSION"  == 2.4.50 ]] && post_to_2.4.60
+    [[ "$POSTVERSION"  == 2.4.60 ]] && post_to_2.4.70
+    [[ "$POSTVERSION"  == 2.4.70 ]] && post_to_2.4.80
+    [[ "$POSTVERSION"  == 2.4.80 ]] && post_to_2.4.90
+    [[ "$POSTVERSION"  == 2.4.90 ]] && post_to_2.4.100
+    [[ "$POSTVERSION"  == 2.4.100 ]] && post_to_2.4.110
    [[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.111
-    [[ "$POSTVERSION" == 2.4.111 ]] && post_to_2.4.120
-    [[ "$POSTVERSION" == 2.4.120 ]] && post_to_2.4.130
-    [[ "$POSTVERSION" == 2.4.130 ]] && post_to_2.4.140
-    [[ "$POSTVERSION" == 2.4.140 ]] && post_to_2.4.141
-    [[ "$POSTVERSION" == 2.4.141 ]] && post_to_2.4.150
-    [[ "$POSTVERSION" == 2.4.150 ]] && post_to_2.4.160
-    [[ "$POSTVERSION" == 2.4.160 ]] && post_to_2.4.170
-    [[ "$POSTVERSION" == 2.4.170 ]] && post_to_2.4.180
-    [[ "$POSTVERSION" == 2.4.180 ]] && post_to_2.4.190
-    [[ "$POSTVERSION" == 2.4.190 ]] && post_to_2.4.200
-    [[ "$POSTVERSION" == 2.4.200 ]] && post_to_2.4.201
-    [[ "$POSTVERSION" == 2.4.201 ]] && post_to_2.4.210
+    [[ "$POSTVERSION"  == 2.4.111 ]] && post_to_2.4.120
+    [[ "$POSTVERSION"  == 2.4.120 ]] && post_to_2.4.130
+    [[ "$POSTVERSION"  == 2.4.130 ]] && post_to_2.4.140
+    [[ "$POSTVERSION"  == 2.4.140 ]] && post_to_2.4.141
+    [[ "$POSTVERSION"  == 2.4.141 ]] && post_to_2.4.150
+    [[ "$POSTVERSION"  == 2.4.150 ]] && post_to_2.4.160
+    [[ "$POSTVERSION"  == 2.4.160 ]] && post_to_2.4.170
+    [[ "$POSTVERSION"  == 2.4.170 ]] && post_to_2.4.180
+    [[ "$POSTVERSION"  == 2.4.180 ]] && post_to_2.4.190
+    [[ "$POSTVERSION"  == 2.4.190 ]] && post_to_2.4.200
+    [[ "$POSTVERSION"  == 2.4.200 ]] && post_to_2.4.210
    true
 }

@@ -652,11 +650,6 @@ post_to_2.4.200() {
  POSTVERSION=2.4.200
 }

-post_to_2.4.201() {
-  echo "Nothing to apply"
-  POSTVERSION=2.4.201
-}
-
 post_to_2.4.210() {
  echo "Rolling over Kratos index to apply new index template"

@@ -942,12 +935,6 @@ up_to_2.4.200() {
  INSTALLEDVERSION=2.4.200
 }

-up_to_2.4.201() {
-  echo "Nothing to do for 2.4.201"
-
-  INSTALLEDVERSION=2.4.201
-}
-
 up_to_2.4.210() {
  # Elastic Update for this release, so download Elastic Agent files
  determine_elastic_agent_upgrade
@@ -1694,11 +1681,9 @@ verify_es_version_compatibility() {
        create_intermediate_upgrade_verification_script $es_verification_script
    fi

-    local es_required_version_statefile_value=$(cat $es_required_version_statefile)
-    echo -e "\n##############################################################################################################################\n"
-    echo "A previously required intermediate Elasticsearch upgrade was detected. Verifying that all Searchnodes/Heavynodes have successfully upgraded Elasticsearch to $es_required_version_statefile_value before proceeding with soup to avoid potential data loss!"
    # create script using version in statefile
-    timeout --foreground 4000 bash "$es_verification_script" "$es_required_version_statefile_value" "$es_required_version_statefile"
+    local es_required_version_statefile_value=$(cat $es_required_version_statefile)
+    timeout --foreground 3600 bash "$es_verification_script" "$es_required_version_statefile_value" "$es_required_version_statefile"
    if [[ $? -ne 0 ]]; then
        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"

@@ -1707,7 +1692,7 @@ verify_es_version_compatibility() {
        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"
        exit 161
    fi
-    echo -e "\n##############################################################################################################################\n"
+
  fi

  if [[ " ${es_upgrade_map[$es_version]} " =~ " $target_es_version " || "$es_version" == "$target_es_version" ]]; then
@@ -1743,7 +1728,7 @@ verify_es_version_compatibility() {
      exec bash -c "BRANCH=$next_step_so_version soup -y && BRANCH=$next_step_so_version soup -y && \
       echo -e \"\n##############################################################################################################################\n\" && \
       echo -e \"Verifying Elasticsearch was successfully upgraded to ${compatible_versions##* } across the grid. This part can take a while as Searchnodes/Heavynodes sync up with the Manager! \n\nOnce verification completes the next soup will begin automatically. If verification takes longer than 1 hour it will stop waiting and your grid will remain at $next_step_so_version. Allowing for all Searchnodes/Heavynodes to upgrade Elasticsearch to the required version on their own time.\n\" \
-       && timeout --foreground 4000 bash /tmp/so_intermediate_upgrade_verification.sh ${compatible_versions##* } $es_required_version_statefile && \
+       && timeout --foreground 3600 bash /tmp/so_intermediate_upgrade_verification.sh ${compatible_versions##* } $es_required_version_statefile && \
       echo -e \"\n##############################################################################################################################\n\" \
       && BRANCH=$originally_requested_so_version soup -y && BRANCH=$originally_requested_so_version soup -y"
    fi
@@ -1785,10 +1770,10 @@ create_intermediate_upgrade_verification_script() {
        local retries=20
        local retry_count=0
        local delay=180
-
+        local success=1
        while [[ $retry_count -lt $retries ]]; do
            # keep stderr with variable for logging
-            heavynode_versions=$(salt -C 'G@role:so-heavynode' cmd.run 'so-elasticsearch-query / --retry 3 --retry-delay 10 | jq ".version.number"' shell=/bin/bash --out=json 2> /dev/null)
+            heavynode_versions=$(salt -C 'G@role:so-heavynode' cmd.run 'so-elasticsearch-query / --retry 3 --retry-delay 10 | jq ".version.number"' shell=/bin/bash --out=json 2>&1)
            local exit_status=$?

            # Check that all heavynodes returned good data
@@ -1804,7 +1789,7 @@ create_intermediate_upgrade_verification_script() {

                    return 0
                else
-                    echo "One or more heavynodes are not at the expected Elasticsearch version $EXPECTED_ES_VERSION. Rechecking in $delay seconds. Attempt $((retry_count + 1)) of $retries."
+                    echo "One or more heavynodes is not at the expected Elasticsearch version $EXPECTED_ES_VERSION. Rechecking in $delay seconds. Attempt $((retry_count + 1)) of $retries."
                    ((retry_count++))
                    sleep $delay

@@ -1829,10 +1814,11 @@ create_intermediate_upgrade_verification_script() {
        local retries=20
        local retry_count=0
        local delay=180
+        local success=1

        while [[ $retry_count -lt $retries ]]; do
            # keep stderr with variable for logging
-            cluster_versions=$(so-elasticsearch-query _nodes/_all/version --retry 5 --retry-delay 10 --fail 2>&1)
+            cluster_versions=$(so-elasticsearch-query _nodes/_all/version --retry 5 --retry-delay 10 2>&1)
            local exit_status=$?

            if [[ $exit_status -ne 0 ]]; then
--- a/salt/sensoroni/files/templates/reports/standard/case_report.md
+++ b/salt/sensoroni/files/templates/reports/standard/case_report.md
@@ -130,42 +130,4 @@ Security Onion Case Report
 | ---- | ---- | ------ | --------- |
 {{ range sortHistory "CreateTime" "asc" .History -}}
 | {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .CreateTime}} | {{getUserDetail "email" .UserId}} | {{.Kind}} | {{.Operation}} |
-{{end}}
-
-## Attached Onion AI Sessions
-
-{{ range $idx, $session := sortAssistantSessionDetails "CreateTime" "desc" .AssistantSessions }}
-
-#### Session {{ add $idx 1 }}
-
-**Session ID:** {{$session.Session.SessionId}}
-
-**Title:** {{$session.Session.Title}}
-
-**User ID:** {{getUserDetail "email" $session.Session.UserId}}
-
-**Created:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $session.Session.CreateTime}}
-
-**Updated:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $session.Session.UpdateTime}}
-
-{{ if $session.Session.DeleteTime }}
-**Deleted:** {{ formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $session.Session.DeleteTime}}
-{{ end }}
-
-#### Messages
-
-{{ range $index, $msg := sortAssistantMessages "CreateTime" "asc" $session.History }}
-{{ range $i, $block := $msg.Message.ContentBlocks }}
-
-{{ if eq $block.Type "text" }}
-
-**Role:** {{$msg.Message.Role}}
-
-{{ stripEmoji $block.Text }}
-
---
-
-{{ end }}{{ end }}
-
-{{end}}
 {{end}}
--- a/sigs/securityonion-2.4.201-20260114.iso.sig
+++ b/sigs/securityonion-2.4.201-20260114.iso.sig