From 9a1092ab0118dab8ab286c4bf64dd149a5145ddb Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 19 Jul 2022 10:21:36 -0400
Subject: [PATCH 1/7] Update HOTFIX
---
 HOTFIX | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/HOTFIX b/HOTFIX
index d3f5a12faa..8ab213017c 100644
--- a/HOTFIX
+++ b/HOTFIX
@@ -1 +1 @@
-
+20220719

From 07b8785f3d223da16f317a126897fb31fa0801bd Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 19 Jul 2022 10:23:10 -0400
Subject: [PATCH 2/7] Update soup
---
 salt/common/tools/sbin/soup | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 527bf1fc2b..1532dd02ca 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -825,6 +825,7 @@ up_to_2.3.130() {
 }

 up_to_2.3.140() {
+ so-elastalert-stop
 ## Deleting Elastalert indices to prevent issues with upgrade to Elastic 8 ##
 echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
 # Wait for ElasticSearch to initialize

From 4a7c994b662bddbdaf0bca2419f973b1caf7be11 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 19 Jul 2022 14:31:45 +0000
Subject: [PATCH 3/7] Revise Elastalert index check deletion logic
---
 salt/common/tools/sbin/soup | 34 +++++++++++++++++++++++++++-------
 1 file changed, 27 insertions(+), 7 deletions(-)

diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 1532dd02ca..8559607371 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -852,13 +852,33 @@ up_to_2.3.140() {
 fi

 # Delete Elastalert indices
- for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do so-elasticsearch-query $i -XDELETE; done
- # Check to ensure Elastalert indices have been deleted
- RESPONSE=$(so-elasticsearch-query elastalert*)
- if [[ "$RESPONSE" == "{}" ]]; then
- echo "Elastalert indices have been deleted."
- else
- fail "Something went wrong. Could not delete the Elastalert indices. Exiting."
+ for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}');
+ do
+ so-elasticsearch-query $i -XDELETE;
+ done
+
+ # Check to ensure Elastalert indices are deleted
+ COUNT=0
+ ELASTALERT_INDICES_DELETED="no"
+ while [[ "$COUNT" -le 240 ]]; do
+ RESPONSE=$(so-elasticsearch-query elastalert*)
+ if [[ "$RESPONSE" == "{}" ]]; then
+ ELASTALERT_INDICES_DELETED="yes"
+ echo "Elastalert indices successfully deleted."
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ echo -n "."
+ fi
+ done
+
+ # If we were unable to delete the Elastalert indices, exit the script
+ if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then
+ echo
+ echo -e "Unable to connect to delete Elastalert indices. Exiting."
+ echo
+ exit 1
 fi

 ## INSTALLEDVERSION=2.3.140

From f3a0ab0b2d8816bdbe1b862bf258051da57924db Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 19 Jul 2022 14:48:19 +0000
Subject: [PATCH 4/7] Perform Elastalert index check twice
---
 salt/common/tools/sbin/soup | 43 ++++++++++++++++++++-----------------
 1 file changed, 23 insertions(+), 20 deletions(-)

diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 8559607371..9982d2dc60 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
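Review bot: The delete loop `for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}')` matches the substring anywhere on the `_cat/indices` line, so any index whose name merely contains `elastalert` is deleted, while the verification below only queries the `elastalert*` prefix; use one criterion for both, e.g. `awk '$3 ~ /^elastalert/ {print $3}'` in place of `grep elastalert | awk '{print $3}'`. `so-elasticsearch-query elastalert*` leaves the pattern unquoted, so a file matching `elastalert*` in the working directory would be substituted by the shell; write `'elastalert*'`. The failure message `Unable to connect to delete Elastalert indices` is misleading, since this branch is reached when Elasticsearch answered but the indices still exist after the wait, and `echo -e` has no escapes to interpret there. The same loop is carried verbatim into patches 4 and 5 (`elastalert_indices_check`), so the same changes apply there. up_to_2.3.140 begins before this hunk.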
@@ -850,28 +850,31 @@ up_to_2.3.140() {
 echo
 exit 1
 fi
-
- # Delete Elastalert indices
- for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}');
- do
- so-elasticsearch-query $i -XDELETE;
+ CHECK_COUNT=0
+ while [[ "$CHECK_COUNT" -le 2 ]]; do
+ # Delete Elastalert indices
+ for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do
+ so-elasticsearch-query $i -XDELETE;
+ done
+
+ # Check to ensure Elastalert indices are deleted
+ COUNT=0
+ ELASTALERT_INDICES_DELETED="no"
+ while [[ "$COUNT" -le 240 ]]; do
+ RESPONSE=$(so-elasticsearch-query elastalert*)
+ if [[ "$RESPONSE" == "{}" ]]; then
+ ELASTALERT_INDICES_DELETED="yes"
+ echo "Elastalert indices successfully deleted."
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ echo -n "."
+ fi
+ done
+ ((CHECK_COUNT+=1))
 done

- # Check to ensure Elastalert indices are deleted
- COUNT=0
- ELASTALERT_INDICES_DELETED="no"
- while [[ "$COUNT" -le 240 ]]; do
- RESPONSE=$(so-elasticsearch-query elastalert*)
- if [[ "$RESPONSE" == "{}" ]]; then
- ELASTALERT_INDICES_DELETED="yes"
- echo "Elastalert indices successfully deleted."
- break
- else
- ((COUNT+=1))
- sleep 1
- echo -n "."
- fi
- done

 # If we were unable to delete the Elastalert indices, exit the script
 if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then

From 5ceff527960cf0c897f7fe374ef6ce49a8bafee1 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 19 Jul 2022 14:54:39 +0000
Subject: [PATCH 5/7] Move Elastalert indices check to function and call from beginning of soup and during pre-upgrade to 2.3.140
---
 salt/common/tools/sbin/soup | 128 ++++++++++++++++++++----------------
 1 file changed, 70 insertions(+), 58 deletions(-)

diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 9982d2dc60..e6f54fe4e5 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
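Review bot: `while [[ "$CHECK_COUNT" -le 2 ]]; do` runs the delete/verify cycle three times rather than the two the subject describes, and every pass prints `Elastalert indices successfully deleted.` again; if two passes are intended, use `while [[ "$CHECK_COUNT" -lt 2 ]]; do`. Because `ELASTALERT_INDICES_DELETED` is reset to `no` at the start of each pass, only the final pass decides whether the script exits, which matches the intent of catching indices re-created between passes but is not obvious from the code; a comment such as `# Repeat so that indices re-created by a still-running Elastalert are caught` above the loop would help. up_to_2.3.140 starts before this hunk and the final check ends after it.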
@@ -371,6 +371,74 @@ clone_to_tmp() {
 fi
 }

+elastalert_indices_check() {
+
+ # Stop Elastalert to prevent Elastalert indices from being re-created
+ so-elastalert-stop
+
+ # Deleting Elastalert indices to prevent issues with upgrade to Elastic 8 ##
+ echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
+
+ # Wait for ElasticSearch to initialize
+ echo -n "Waiting for ElasticSearch..."
+ COUNT=0
+ ELASTICSEARCH_CONNECTED="no"
+ while [[ "$COUNT" -le 240 ]]; do
+ so-elasticsearch-query / -k --output /dev/null
+ if [ $? -eq 0 ]; then
+ ELASTICSEARCH_CONNECTED="yes"
+ echo "connected!"
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ echo -n "."
+ fi
+ done
+
+ # Unable to connect to Elasticsearch
+ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+ echo
+ echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
+ echo
+ exit 1
+ fi
+
+ # Check Elastalert indices
+ CHECK_COUNT=0
+ while [[ "$CHECK_COUNT" -le 2 ]]; do
+ # Delete Elastalert indices
+ for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do
+ so-elasticsearch-query $i -XDELETE;
+ done
+
+ # Check to ensure Elastalert indices are deleted
+ COUNT=0
+ ELASTALERT_INDICES_DELETED="no"
+ while [[ "$COUNT" -le 240 ]]; do
+ RESPONSE=$(so-elasticsearch-query elastalert*)
+ if [[ "$RESPONSE" == "{}" ]]; then
+ ELASTALERT_INDICES_DELETED="yes"
+ echo "Elastalert indices successfully deleted."
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ echo -n "."
+ fi
+ done
+ ((CHECK_COUNT+=1))
+ done
+
+ # If we were unable to delete the Elastalert indices, exit the script
+ if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then
+ echo
+ echo -e "Unable to connect to delete Elastalert indices. Exiting."
+ echo
+ exit 1
+ fi
+}
+
 enable_highstate() {
 echo "Enabling highstate."
 salt-call state.enable highstate -l info --local
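Review bot: `elastalert_indices_check` lacks a header comment and keeps all of its state in script-wide variables (`COUNT`, `ELASTICSEARCH_CONNECTED`, `CHECK_COUNT`, `RESPONSE`, `ELASTALERT_INDICES_DELETED`) that remain set for the rest of soup once it returns; declare them `local` and add a header such as `# Stop Elastalert, wait for Elasticsearch, delete all elastalert* indices (three passes) and exit the script if any remain.` The probe `so-elasticsearch-query / -k --output /dev/null` followed by `if [ $? -eq 0 ]; then` reads more directly as `if so-elasticsearch-query / -k --output /dev/null; then`. Since the other options on these calls (`-XDELETE`, `--output`) are curl options, `-k` presumably reaches curl as `--insecure` and disables certificate verification for this probe; if the wrapper already configures the CA, drop it, otherwise a comment should state why this probe is exempt from verification. The function also calls `exit 1` directly, so a caller cannot treat its failure as non-fatal; that may be intended, but it belongs in the header.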
@@ -825,64 +893,7 @@ up_to_2.3.130() {
 }

 up_to_2.3.140() {
- so-elastalert-stop
- ## Deleting Elastalert indices to prevent issues with upgrade to Elastic 8 ##
- echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
- # Wait for ElasticSearch to initialize
- echo -n "Waiting for ElasticSearch..."
- COUNT=0
- ELASTICSEARCH_CONNECTED="no"
- while [[ "$COUNT" -le 240 ]]; do
- so-elasticsearch-query / -k --output /dev/null
- if [ $? -eq 0 ]; then
- ELASTICSEARCH_CONNECTED="yes"
- echo "connected!"
- break
- else
- ((COUNT+=1))
- sleep 1
- echo -n "."
- fi
- done
- if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
- echo
- echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
- echo
- exit 1
- fi
- CHECK_COUNT=0
- while [[ "$CHECK_COUNT" -le 2 ]]; do
- # Delete Elastalert indices
- for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do
- so-elasticsearch-query $i -XDELETE;
- done
-
- # Check to ensure Elastalert indices are deleted
- COUNT=0
- ELASTALERT_INDICES_DELETED="no"
- while [[ "$COUNT" -le 240 ]]; do
- RESPONSE=$(so-elasticsearch-query elastalert*)
- if [[ "$RESPONSE" == "{}" ]]; then
- ELASTALERT_INDICES_DELETED="yes"
- echo "Elastalert indices successfully deleted."
- break
- else
- ((COUNT+=1))
- sleep 1
- echo -n "."
- fi
- done
- ((CHECK_COUNT+=1))
- done
-
-
- # If we were unable to delete the Elastalert indices, exit the script
- if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then
- echo
- echo -e "Unable to connect to delete Elastalert indices. Exiting."
- echo
- exit 1
- fi
+ elastalert_indices_check

 ## INSTALLEDVERSION=2.3.140
 }
@@ -1202,6 +1213,7 @@ main() {
 verify_latest_update_script
 es_version_check
 es_indices_check
+ elastalert_indices_check
 echo ""
 set_palette
 check_elastic_license
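Review bot: `elastalert_indices_check` is now called unconditionally from main(), so every future soup run, not only the pre-2.3.140 upgrade that the function's own message describes, will stop Elastalert and delete its `elastalert*` indices; gate the call on the installed version so it becomes a no-op once the Elastic 8 migration has happened (the check that decides whether `up_to_2.3.140` runs is not visible in this hunk, but that function already calls it). Nothing in the function restarts Elastalert after `so-elastalert-stop`; presumably the later highstate does, but a comment at the call site should say so. main() starts before this hunk and continues after it.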
From 340dbe8547d64cbe87c38ca39f7a1d8eaa095ea7 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 19 Jul 2022 13:25:09 -0400
Subject: [PATCH 6/7] Check to see if Elastalert is enabled before trying to run 'so-elastalert-stop'. Also suppress error output for when so-elastalert container is not present.
---
 salt/common/tools/sbin/soup | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index e6f54fe4e5..d41fcdfcf5 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -374,10 +374,9 @@ clone_to_tmp() {
 elastalert_indices_check() {

 # Stop Elastalert to prevent Elastalert indices from being re-created
- so-elastalert-stop
-
- # Deleting Elastalert indices to prevent issues with upgrade to Elastic 8 ##
- echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
+ if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
+ so-elastalert-stop || true
+ fi

 # Wait for ElasticSearch to initialize
 echo -n "Waiting for ElasticSearch..."
@@ -403,8 +402,9 @@ elastalert_indices_check() {
 echo
 exit 1
 fi
-
+
 # Check Elastalert indices
+ echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
 CHECK_COUNT=0
 while [[ "$CHECK_COUNT" -le 2 ]]; do
 # Delete Elastalert indices

From dd48d66c1c4c9d6c4da43f454a96501072d10057 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 19 Jul 2022 14:39:44 -0400
Subject: [PATCH 7/7] 2.3.140 Hotfix
---
 VERIFY_ISO.md | 22 ++++++++++----------
 sigs/securityonion-2.3.140-20220719.iso.sig | Bin 0 -> 543 bytes
 2 files changed, 11 insertions(+), 11 deletions(-)
 create mode 100644 sigs/securityonion-2.3.140-20220719.iso.sig

diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index d48743291c..73735f3b78 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
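Review bot: `so-elastalert-stop || true` discards the exit status of every failure, not only the missing-container case the subject describes, and it does not suppress error output at all, so the commit message and the code disagree; a failed stop matters here because a still-running Elastalert re-creates the indices the function deletes next. Prefer `so-elastalert-stop || echo "Warning: so-elastalert-stop failed; Elastalert may re-create its indices" >&2` so the condition is visible in the upgrade log. The guard `grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf` also skips the stop silently when that file is absent, which may be fine but deserves a comment. The rest of elastalert_indices_check lies outside this hunk.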
@@ -1,18 +1,18 @@
-### 2.3.140-20220718 ISO image built on 2022/07/18
+### 2.3.140-20220719 ISO image built on 2022/07/19
 ### Download and Verify
-2.3.140-20220718 ISO image:
-https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso
+2.3.140-20220719 ISO image:
+https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220719.iso
-MD5: 9570065548DBFA6230F28FF623A8B61A
-SHA1: D48B2CC81DF459C3EBBC0C54BD9AAFAB4327CB75
-SHA256: 0E31E15EDFD3392B9569FCCAF1E4518432ECB0D7A174CCA745F2F22CDAC4A034
+MD5: 68768DF9861B93BB8CC9637C80239803
+SHA1: F15421C045227B334C7044E5F7F309A2BC7AEB19
+SHA256: 4736E3E80E28EFBAB1923C121A3F78DBDBCBBBF65D715924A88B2E96EB3C6093
 Signature for ISO image:
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220719.iso.sig
 Signing key:
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 Download the signature file for the ISO:
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220719.iso.sig
 ```
 Download the ISO image:
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220719.iso
 ```
 Verify the downloaded ISO image using the signature file:
 ```
-gpg --verify securityonion-2.3.140-20220718.iso.sig securityonion-2.3.140-20220718.iso
+gpg --verify securityonion-2.3.140-20220719.iso.sig securityonion-2.3.140-20220719.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Mon 18 Jul 2022 10:16:05 AM EDT using RSA key ID FE507013
+gpg: Signature made Tue 19 Jul 2022 02:00:29 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC "
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg: There is no indication that the signature belongs to the owner.
diff --git a/sigs/securityonion-2.3.140-20220719.iso.sig b/sigs/securityonion-2.3.140-20220719.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..6bcf9fd7d913ab61331e801daa6fbc2b83218f35 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;E$@jUB#DwD$r?do1-L2*#KDrTwJtC zB)1IOca$F#HNYs^V@S)ncI@FWZ1FX?! z36n>7`GB2HPN&bP%U;Dtm|dcLVsbe%XQvV6O{ZsGD)cL|J!kO>vEeSsZRJRk;il1@ z9Kt)zveuC8igQTpqmCoo3rI0F{?N}Dzs}W)&4*(IN7z-uPKMVWF@-6Huml@#i4TFD z1~Sh-@(3nui2^I9W!6bv*JT1P>y?H3VIO6Gs#`cHT?!|xiwZnzZA2(?#uT>W4T*VJ z8$WT!>>BR*5pf(ykUDP}HN4x8Dx6~BC9%6yTcfc)xHQ6uMe*}CS=$0Q`2%$fzMN@g z!B?%%j>6>~!NhU^AC({wRQSrT6yADtfVE!^$_aV#vRb3|qSBH$;hO`OlA91_rG6DSP9=z&?H=y}#qo0o(up literal 0 HcmV?d00001