Merge pull request #537 from Security-Onion-Solutions/2.4/dev

2.4.70

so-elastic-agent-builder/source/so-elastic-agent.go

@@ -29,6 +29,8 @@ var fleetHostURLsList = ""
 var fleetHostFlag string
 
 var enrollmentToken, enrollmentTokenFlag string
+var delayEnrollFlag bool
+var timeoutFlag time.Duration
 
 func check(err error, context string) {
 	if err != nil {
@@ -93,6 +95,8 @@ func main() {
 	// Allow runtime configuration
 	flag.StringVar(&enrollmentTokenFlag, "token", "", "Override default Enrollment Token")
 	flag.StringVar(&fleetHostFlag, "fleet", "", "Override default Fleet Host")
+	flag.BoolVar(&delayEnrollFlag, "delay-enroll", false, "Add delay enroll flag")
+	flag.DurationVar(&timeoutFlag, "timeout", 5*time.Minute, "Set the timeout duration (default: 5 minutes)")
 	flag.Parse()
 
 	if enrollmentTokenFlag != "" {
@@ -184,13 +188,17 @@ func main() {
 	arg4 := "--certificate-authorities=" + installPath + "soca.crt"
 	arg5 := "-n"
 
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute*3)
+	args := []string{arg1, arg2, arg3, arg4, arg5}
+	if delayEnrollFlag {
+		args = append(args, "--delay-enroll")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeoutFlag)
 	defer cancel()
 
-	cmd := exec.CommandContext(ctx, prg, arg1, arg2, arg3, arg4, arg5)
+	cmd := exec.CommandContext(ctx, prg, args...)
 
-	//strings.join the following
-	statusLogs("Executing the following: " + prg + " " + arg1 + " " + arg2 + " " + arg3 + " " + arg4 + " " + arg5)
+	statusLogs("Executing the following: " + prg + " " + strings.Join(args, " "))
 
 	output, err := cmd.CombinedOutput()
 	check(err, string(output))
@@ -199,5 +207,4 @@ func main() {
 
 	statusLogs("Elastic Agent installation completed")
 	fmt.Println("\n\nInstallation completed successfully.")
-
 }

so-elastic-fleet-package-registry/scripts/supported-integrations.txt

@@ -5,6 +5,7 @@ aws-
 azure-
 barracuda-
 carbonblack_edr-
+cef-
 checkpoint-
 cisco_asa-
 cisco_duo-

so-kafka/Dockerfile

@@ -0,0 +1,31 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+FROM ghcr.io/security-onion-solutions/kafka:3.7.0
+
+LABEL maintainer "Security Onion Solutions, LLC"
+LABEL description="Kafka running in a docker container for use with Security Onion"
+
+ARG JOLOKIA_VERSION=2.0.2
+ARG JOLOKIA_DOWNLOAD=https://github.com/jolokia/jolokia/releases/download/v${JOLOKIA_VERSION}/jolokia-${JOLOKIA_VERSION}-bin.tar.gz
+
+WORKDIR /opt
+
+USER root
+
+RUN addgroup -g 960 kafka && \
+    adduser -D --uid 960 --ingroup kafka kafka && \
+    wget ${JOLOKIA_DOWNLOAD} && \
+    tar -xzf jolokia-${JOLOKIA_VERSION}-bin.tar.gz && \
+    rm -f jolokia-${JOLOKIA_VERSION}-bin.tar.gz && \
+    mv jolokia-${JOLOKIA_VERSION} jolokia && \
+    chown -R 960:960 kafka && \
+    chown -R 960:960 jolokia
+
+USER kafka
+
+ADD files/jolokia.xml /opt/jolokia/jolokia.xml
+
+ENTRYPOINT ["/opt/kafka/bin/kafka-server-start.sh", "/opt/kafka/config/kraft/server.properties"]

so-kafka/files/jolokia.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<restrict>
+
+  <commands>
+    <command>read</command>
+  </commands>
+
+  <deny>
+    <mbean>
+      <name>com.mchange.v2.c3p0:type=PooledDataSource,*</name>
+      <attribute>properties</attribute>
+    </mbean>
+    <mbean>
+      <name>jdk.management.jfr:type=FlightRecorder</name>
+      <attribute>*</attribute>
+      <operation>*</operation>
+    </mbean>
+  </deny>
+
+</restrict>

so-nginx/Dockerfile

@@ -36,7 +36,7 @@ HEALTHCHECK --interval=5m --timeout=3s CMD curl --fail http://localhost/ || exit
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Security Onion Core Functions Docker"
 
-ARG CYBERCHEF_VERSION=10.8.2
+ARG CYBERCHEF_VERSION=10.17.0
 
 RUN mkdir -p /opt/socore/html/navigator
 COPY --from=navigator-builder /attack-navigator/nav-app/dist /opt/socore/html/navigator

so-suricata/Dockerfile

@@ -27,7 +27,7 @@ RUN dnf -y install autoconf automake diffutils file-devel gcc gcc-c++ git \
                lua-devel lz4-devel make nss-devel pcre-devel pcre2-devel pkgconfig \
                python3-devel python3-sphinx python3-yaml sudo which cargo \
                zlib-devel luajit-devel cargo && cargo install --force cbindgen
-ENV SURIVERSION=7.0.4
+ENV SURIVERSION=7.0.5
 RUN mkdir /suricata
 
 WORKDIR /suricata
@@ -55,6 +55,6 @@ RUN yum -y install epel-release bash libpcap iproute && \
 ADD files/so-suricata.sh /usr/local/sbin/so-suricata.sh
 
 RUN chmod +x /usr/local/sbin/so-suricata.sh
-RUN rpm -i https://github.com/axellioinc/fx-libpcap/releases/download/px3_1.9.1-3/fx-libpcap-1.9.1-3.el7_9.x86_64.rpm
+RUN rpm -i https://github.com/axellioinc/fx-libpcap/releases/download/fxlibpcap-1.9.1/fx-libpcap-1.9.1-1.el9.x86_64.rpm
 
 ENTRYPOINT ["/usr/local/sbin/so-suricata.sh"]

so-zeek/Dockerfile

@@ -39,7 +39,7 @@ RUN dnf -y install perl && \
 
 WORKDIR /
 
-ENV ZEEKVER=6.0.3
+ENV ZEEKVER=6.0.4
 ARG BUILD_TYPE=Release
 
 RUN mkdir /zeekbuild
@@ -99,7 +99,7 @@ COPY --from=builder /usr/local/ssl/ /usr/local/ssl
 # Copy over the entry script.
 COPY files/zeek.sh /usr/local/sbin/zeek.sh
 RUN chmod +x /usr/local/sbin/zeek.sh
-RUN rpm -Uvh https://github.com/axellioinc/fx-libpcap/releases/download/px3_1.9.1-3/fx-libpcap-1.9.1-3.el7_9.x86_64.rpm
+RUN rpm -i https://github.com/axellioinc/fx-libpcap/releases/download/fxlibpcap-1.9.1/fx-libpcap-1.9.1-1.el9.x86_64.rpm
 
 HEALTHCHECK --interval=10m --timeout=2m CMD runuser -u zeek -- /opt/zeek/bin/zeekctl status || (kill -s 15 -1 && (sleep 30; kill -s 9 -1))