Merge pull request #11827 from Security-Onion-Solutions/hotfix/2.4.30
Hotfix 2.4.30
TOoSmOotH authored Nov 20, 2023
2 parents f036623 + c20004c commit 4b0033c
Showing 8 changed files with 69 additions and 16 deletions.
22 changes: 11 additions & 11 deletions DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,18 +1,18 @@
### 2.4.30-20231113 ISO image released on 2023/11/13
### 2.4.30-20231117 ISO image released on 2023/11/20



### Download and Verify

2.4.30-20231113 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231113.iso
2.4.30-20231117 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231117.iso

MD5: 15EB5A74782E4C2D5663D29E275839F6
SHA1: BBD4A7D77ADDA94B866F1EFED846A83DDFD34D73
SHA256: 4509EB8E11DB49C6CD3905C74C5525BDB1F773488002179A846E00DE8E499988
MD5: DF7E2540AFF2A233A9B0EEC78B37D0EA
SHA1: 93DB33A46C6F9C7D7CB8031C0A4F8738F4F14E89
SHA256: 48C7BD1C664F545554490B8F191BCD7808C519488DCC85984760400F4F68E2DA

Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231113.iso.sig
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231117.iso.sig

Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS
Expand All @@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.

Download the signature file for the ISO:
```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231113.iso.sig
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231117.iso.sig
```

Download the ISO image:
```
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231113.iso
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231117.iso
```

Verify the downloaded ISO image using the signature file:
```
gpg --verify securityonion-2.4.30-20231113.iso.sig securityonion-2.4.30-20231113.iso
gpg --verify securityonion-2.4.30-20231117.iso.sig securityonion-2.4.30-20231117.iso
```

The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
```
gpg: Signature made Mon 13 Nov 2023 09:23:21 AM EST using RSA key ID FE507013
gpg: Signature made Sun 19 Nov 2023 08:11:53 PM EST using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
2 changes: 1 addition & 1 deletion HOTFIX
@@ -1 +1 @@

20231117
2 changes: 1 addition & 1 deletion salt/ca/files/signing_policies.conf
Expand Up @@ -37,7 +37,7 @@ x509_signing_policies:
- ST: Utah
- L: Salt Lake City
- basicConstraints: "critical CA:false"
- keyUsage: "critical keyEncipherment"
- keyUsage: "critical keyEncipherment digitalSignature"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- extendedKeyUsage: serverAuth
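Review bot: Adding `digitalSignature` to `keyUsage` only affects certificates issued after this policy is applied, and nothing in this hunk says which already-issued certificates need to be reissued. The soup changes in the same commit move `/etc/pki/managerssl.crt` and its key aside, which presumably forces that one certificate to be regenerated; any other certificate signed under this policy would keep the old `keyEncipherment`-only usage until it is renewed. A short comment on the line would record the reason, for example `# digitalSignature is needed for (EC)DHE key exchange; keyEncipherment alone only covers RSA key transport` — confirm that this is the motivation before adding it. The policy's name and the start of its entry are outside the visible hunk.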
4 changes: 3 additions & 1 deletion salt/kibana/defaults.yaml
Expand Up @@ -21,8 +21,10 @@ kibana:
appenders:
- default
- file
migrations:
discardCorruptObjects: "8.10.4"
telemetry:
enabled: False
enabled: False
security:
showInsecureClusterWarning: False
xpack:
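Review bot: The new `migrations.discardCorruptObjects: "8.10.4"` entry has no comment explaining why it is set, and it makes Kibana drop saved objects it considers corrupt during the migration to that version instead of stopping. Add a line above it such as `# Drops corrupt saved objects during the 8.10.4 saved-object migration; remove or update when the Kibana version changes`, since the value is tied to one target version. If any of the discarded objects could be user-created dashboards or detections, the upgrade notes should tell operators to export saved objects first. The `kibana:` mapping starts and continues outside this hunk.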
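--- a/salt/kibana/tools/sbin/so-kibana-api-check
+++ b/salt/kibana/tools/sbin/so-kibana-api-check
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+echo "Checking to make sure that Kibana API is up & ready..."
+RETURN_CODE=0
+wait_for_web_response "http://localhost:5601/api/fleet/settings" "fleet" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
+RETURN_CODE=$?
+if [[ "$RETURN_CODE" != "0" ]]; then
+echo "Kibana API not accessible, exiting script..."
+exit 1
+fi
+
+
+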
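Review bot: The failure path prints `Kibana API not accessible, exiting script...` to stdout, so a caller that captures or discards stdout loses the only diagnostic; send it to stderr with `echo "Kibana API not accessible, exiting script..." >&2`. The `RETURN_CODE=0` initialisation is overwritten two lines later and can be dropped by testing the call directly, `if ! wait_for_web_response ...; then`. A header comment should state that the script exits 1 when the probe does not succeed and what the `300` argument bounds; `wait_for_web_response` is defined in so-common, which is not shown, so its meaning is presumably a retry or timeout limit. The script also sources `/usr/sbin/so-common` without checking that the file was loaded, so a missing helper would surface only as a "command not found" on the probe line.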
32 changes: 30 additions & 2 deletions salt/manager/tools/sbin/soup
Expand Up @@ -450,6 +450,11 @@ post_to_2.4.20() {
post_to_2.4.30() {
echo "Regenerating Elastic Agent Installers"
/sbin/so-elastic-agent-gen-installers
salt-call state.apply ca queue=True
stop_salt_minion
mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
systemctl_func "start" "salt-minion"
POSTVERSION=2.4.30
}

Expand Down Expand Up @@ -529,6 +534,16 @@ up_to_2.4.20() {
}

up_to_2.4.30() {

# Remove older defend integration json & installed integration
rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json

. $UPDATE_DIR/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints

rm -f /opt/so/state/eaintegrations.txt

# Elastic Update for this release, so download Elastic Agent files
determine_elastic_agent_upgrade
rm -f /opt/so/state/estemplates*.txt

Expand Down Expand Up @@ -735,8 +750,21 @@ apply_hotfix() {
. /usr/sbin/so-elastic-fleet-common
elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
/usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
# elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then
# 2_3_10_hotfix_1
elif [[ "$INSTALLEDVERSION" == "2.4.30" ]] ; then
rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json
so-kibana-restart --force
so-kibana-api-check
. /usr/sbin/so-elastic-fleet-common

elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
rm -f /opt/so/state/eaintegrations.txt
salt-call state.apply ca queue=True
stop_salt_minion
mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
systemctl_func "start" "salt-minion"
echo "Applying Salt Highstate"
salt-call state.highstate queue=True
else
echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
fi
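Review bot: In the new `2.4.30` branch of `apply_hotfix`, the exit status of `so-kibana-api-check` is not tested, so when that script times out and exits 1 the following `elastic_fleet_integration_remove` call still runs against a Kibana that never became ready (unless soup runs under `set -e`, which is not visible here). Stop or skip the branch on failure, e.g. `so-kibana-api-check || { echo "Kibana API not ready; aborting hotfix" >&2; exit 1; }`. The five-line certificate rotation (`salt-call state.apply ca`, `stop_salt_minion`, two `mv`, `systemctl_func`) is duplicated here and in `post_to_2.4.30`; a shared helper with a comment saying the old `managerssl` pair is moved aside so it is reissued under the updated signing policy (presumably the reason) would keep the two copies in sync, and should say when `managerssl.key.old` can be deleted. In `up_to_2.4.30`, quote the sourced path: `. "$UPDATE_DIR/salt/elasticfleet/tools/sbin/so-elastic-fleet-common"`. All three functions start or end outside the visible hunks.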
3 changes: 3 additions & 0 deletions setup/so-verify
Expand Up @@ -38,6 +38,8 @@ log_has_errors() {
# may be requested by dependency only (it is configured to refuse manual start/stop).

# Command failed with exit code is output during retry loops.

# "remove failed" is caused by a warning generated by upgrade of libwbclient

grep -E "FAILED|Failed|failed|ERROR|Result: False|Error is not recoverable" "$setup_log" | \
grep -vE "The Salt Master has cached the public key for this node" | \
Expand All @@ -53,6 +55,7 @@ log_has_errors() {
grep -vE "code: 100" | \
grep -vE "/nsm/rules/sigma*" | \
grep -vE "/nsm/rules/yara*" | \
grep -vE "remove failed" | \
grep -vE "Failed to restart snapd" | \
grep -vE "Login Failed Details" | \
grep -vE "response from daemon: unauthorized" | \
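Review bot: The added filter `grep -vE "remove failed"` drops every setup-log line containing that phrase, not only the libwbclient upgrade warning named in the new comment, so an unrelated removal failure would no longer make `log_has_errors` report a problem. Narrow the pattern to the message it is meant to excuse, for example `grep -vE "libwbclient.*remove failed"` if the package or file name appears on the same log line; the exact line is not shown here, so check the pattern against a real setup log. `log_has_errors` begins and ends outside the visible hunks.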
Binary file added sigs/securityonion-2.4.30-20231117.iso.sig
Binary file not shown.
