diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index a6b5469f0d..7f71cd7ac6 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.4.30-20231113 ISO image released on 2023/11/13 +### 2.4.30-20231117 ISO image released on 2023/11/20 ### Download and Verify -2.4.30-20231113 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231113.iso +2.4.30-20231117 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231117.iso -MD5: 15EB5A74782E4C2D5663D29E275839F6 -SHA1: BBD4A7D77ADDA94B866F1EFED846A83DDFD34D73 -SHA256: 4509EB8E11DB49C6CD3905C74C5525BDB1F773488002179A846E00DE8E499988 +MD5: DF7E2540AFF2A233A9B0EEC78B37D0EA +SHA1: 93DB33A46C6F9C7D7CB8031C0A4F8738F4F14E89 +SHA256: 48C7BD1C664F545554490B8F191BCD7808C519488DCC85984760400F4F68E2DA Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231113.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231117.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231113.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231117.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231113.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231117.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.30-20231113.iso.sig securityonion-2.4.30-20231113.iso +gpg --verify securityonion-2.4.30-20231117.iso.sig securityonion-2.4.30-20231117.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 13 Nov 2023 09:23:21 AM EST using RSA key ID FE507013 +gpg: Signature made Sun 19 Nov 2023 08:11:53 PM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/HOTFIX b/HOTFIX index d3f5a12faa..57030dc85c 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ - +20231117 diff --git a/salt/ca/files/signing_policies.conf b/salt/ca/files/signing_policies.conf index cb57cc640e..6f1b1f1720 100644 --- a/salt/ca/files/signing_policies.conf +++ b/salt/ca/files/signing_policies.conf @@ -37,7 +37,7 @@ x509_signing_policies: - ST: Utah - L: Salt Lake City - basicConstraints: "critical CA:false" - - keyUsage: "critical keyEncipherment" + - keyUsage: "critical keyEncipherment digitalSignature" - subjectKeyIdentifier: hash - authorityKeyIdentifier: keyid,issuer:always - extendedKeyUsage: serverAuth 
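Review bot: The added `digitalSignature` bit on the keyUsage line changes what every certificate issued under this policy may be used for, and nothing in the hunk records why it was needed; a one-line comment above it such as `# digitalSignature lets the server sign TLS handshakes (ECDHE / TLS 1.3); keyEncipherment alone only covers RSA key transport` would keep it from being trimmed back later. A signing-policy edit only affects certificates issued after it lands, so anything already on disk keeps the old keyUsage until it is reissued — which appears to be why the soup hunks below move managerssl.crt/.key aside; if other certificates are issued under this same policy they would need the same treatment. The policy name and the rest of its definition sit above the hunk, so which certificates it governs cannot be confirmed from here.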
diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index 282521d127..90b75b8c40 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -21,8 +21,10 @@ kibana: appenders: - default - file + migrations: + discardCorruptObjects: "8.10.4" telemetry: - enabled: False + enabled: False security: showInsecureClusterWarning: False xpack: diff --git a/salt/kibana/tools/sbin/so-kibana-api-check b/salt/kibana/tools/sbin/so-kibana-api-check new file mode 100644 index 0000000000..15cd85b192 --- /dev/null +++ b/salt/kibana/tools/sbin/so-kibana-api-check @@ -0,0 +1,20 @@ +#!/bin/bash +# +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +echo "Checking to make sure that Kibana API is up & ready..." +RETURN_CODE=0 +wait_for_web_response "http://localhost:5601/api/fleet/settings" "fleet" 300 "curl -K /opt/so/conf/elasticsearch/curl.config" +RETURN_CODE=$? +if [[ "$RETURN_CODE" != "0" ]]; then + echo "Kibana API not accessible, exiting script..." + exit 1 +fi + + + diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 42ea7e7648..b073f4a577 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -450,6 +450,11 @@ post_to_2.4.20() { post_to_2.4.30() { echo "Regenerating Elastic Agent Installers" /sbin/so-elastic-agent-gen-installers + salt-call state.apply ca queue=True + stop_salt_minion + mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old + mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old + systemctl_func "start" "salt-minion" POSTVERSION=2.4.30 } 
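Review bot: `migrations.discardCorruptObjects: "8.10.4"` tells Kibana to drop saved objects it cannot migrate instead of failing the upgrade, so it silently deletes data (dashboards, saved searches, whatever turns out to be corrupt) with no record beyond the Kibana migration log; that deserves a comment on the line, e.g. `# Lets the 8.10.4 saved-object migration discard corrupt objects rather than abort; check the Kibana log for discarded objects after upgrade and revisit when the target version changes`. Because the value is pinned to one version it stops having effect once the stack moves past 8.10.4, so consider whether it belongs in a permanent default or in the upgrade path only. The `telemetry.enabled` line is replaced by identical text, presumably a whitespace or indentation fix, which is fine but worth a word in the commit message. The enclosing kibana mapping starts above the hunk.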
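Review bot: `RETURN_CODE=0` is assigned and then immediately overwritten by `RETURN_CODE=$?`, so the initialisation is dead; the check reads more directly as `if ! wait_for_web_response "http://localhost:5601/api/fleet/settings" "fleet" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"; then`, which also removes the string comparison against `"0"`. A header comment stating the script's purpose and exit status would help the callers added in soup, e.g. `# Blocks until the Kibana Fleet API answers (up to 300s); exits 1 if it never does.` — `wait_for_web_response` lives in so-common, which is not visible here, so its argument order is presumed from the call. The three trailing blank lines at the end of the new file can go.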
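Review bot: The five added lines in post_to_2.4.30 (`salt-call state.apply ca queue=True`, `stop_salt_minion`, the two `mv` of `/etc/pki/managerssl.*` to `.old`, `systemctl_func "start" "salt-minion"`) are repeated verbatim in the apply_hotfix hunk further down; put them in one helper such as `rotate_manager_ssl_cert()` and call it from both places so the two upgrade paths cannot drift. The retired private key stays on disk as `/etc/pki/managerssl.key.old` and nothing in this diff removes it; once the reissued certificate is confirmed working the old key should be deleted rather than left beside the live one. Both `mv` calls run unchecked, so on a host where the files are absent the function just carries on — acceptable if intended, but a `[[ -f /etc/pki/managerssl.crt ]] &&` guard would make that deliberate. Regeneration of the certificate presumably happens in a highstate that runs after this function, which is outside the hunk.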
@@ -529,6 +534,16 @@ up_to_2.4.20() {
 }
 up_to_2.4.30() {
+
+ # Remove older defend integration json & installed integration
+ rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json
+
+ . $UPDATE_DIR/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
+ elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
+
+ rm -f /opt/so/state/eaintegrations.txt
+
+ # Elastic Update for this release, so download Elastic Agent files
 determine_elastic_agent_upgrade
 rm -f /opt/so/state/estemplates*.txt
@@ -735,8 +750,21 @@ apply_hotfix() {
 . /usr/sbin/so-elastic-fleet-common
 elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
 /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
-# elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then
-# 2_3_10_hotfix_1
+ elif [[ "$INSTALLEDVERSION" == "2.4.30" ]] ; then
+ rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json
+ so-kibana-restart --force
+ so-kibana-api-check
+ . /usr/sbin/so-elastic-fleet-common
+
+ elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
+ rm -f /opt/so/state/eaintegrations.txt
+ salt-call state.apply ca queue=True
+ stop_salt_minion
+ mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
+ mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
+ systemctl_func "start" "salt-minion"
+ echo "Applying Salt Highstate"
+ salt-call state.highstate queue=True
 else
 echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
 fi
diff --git a/setup/so-verify b/setup/so-verify
index 8133c0bf17..3c20d22b44 100755
--- a/setup/so-verify
+++ b/setup/so-verify
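Review bot: `$UPDATE_DIR` in `. $UPDATE_DIR/salt/elasticfleet/tools/sbin/so-elastic-fleet-common` is unquoted and its result unchecked; if the variable is empty or unset the source fails, `elastic_fleet_integration_remove` is then called as an undefined function, and `rm -f /opt/so/state/eaintegrations.txt` still deletes the state file as if the removal had succeeded. Quote it and stop on failure, `. "$UPDATE_DIR/salt/elasticfleet/tools/sbin/so-elastic-fleet-common" || return 1`, using whatever error path soup already has for a failed upgrade step, and consider checking the remove's exit status before deleting the state file. The comment above the first `rm -f` says what is removed but not why the old integration must go before the agent update, which the diff does not make visible; a short reason there would help the next maintainer. up_to_2.4.30 continues below the hunk.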
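Review bot: The exit status of `so-kibana-api-check` on the new `elif "$INSTALLEDVERSION" == "2.4.30"` branch is ignored: that script exits 1 when the Fleet API never comes up, yet `elastic_fleet_integration_remove` and the deletion of `/opt/so/state/eaintegrations.txt` run regardless, so a Kibana that is still down leaves the integration installed while the state file that records it is gone. Make the check gate the rest, e.g. `so-kibana-api-check || { echo "Kibana API unavailable, aborting hotfix"; return 1; }`, using whatever failure convention apply_hotfix already follows. The certificate-rotation lines duplicate those in post_to_2.4.30 above and should share one helper (see the note there). Since the branch keys only on the installed version, it will presumably run again on any later hotfix applied to 2.4.30, so a comment stating that every step here is expected to be idempotent would be worth adding. The enclosing if-chain starts above the hunk.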
@@ -38,6 +38,8 @@ log_has_errors() {
 # may be requested by dependency only (it is configured to refuse manual start/stop).
 # Command failed with exit code is output during retry loops.
+
+ # "remove failed" is caused by a warning generated by upgrade of libwbclient
 grep -E "FAILED|Failed|failed|ERROR|Result: False|Error is not recoverable" "$setup_log" | \
 grep -vE "The Salt Master has cached the public key for this node" | \
@@ -53,6 +55,7 @@ log_has_errors() {
 grep -vE "code: 100" | \
 grep -vE "/nsm/rules/sigma*" | \
 grep -vE "/nsm/rules/yara*" | \
+ grep -vE "remove failed" | \
 grep -vE "Failed to restart snapd" | \
 grep -vE "Login Failed Details" | \
 grep -vE "response from daemon: unauthorized" | \
diff --git a/sigs/securityonion-2.4.30-20231117.iso.sig b/sigs/securityonion-2.4.30-20231117.iso.sig
new file mode 100644
index 0000000000..debbc8364f
Binary files /dev/null and b/sigs/securityonion-2.4.30-20231117.iso.sig differ
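Review bot: `grep -vE "remove failed"` in the second hunk is far wider than the libwbclient warning the new comment in the first hunk describes; it discards every setup-log line containing those two words, including any future package-removal or file-removal failure that this verifier exists to surface. Anchor the exclusion to the specific message, e.g. `grep -vE "libwbclient.*remove failed"` — the diff does not show the exact warning text, so confirm the pattern against a real log line — so unrelated failures still fail verification. The comment would also be easier to find placed directly above the grep it justifies, with the suppressed message quoted. log_has_errors continues on both sides of each hunk.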