Skip to content

Commit

Permalink
Merge pull request #12353 from Security-Onion-Solutions/2.4/dev
Browse files Browse the repository at this point in the history
2.4.50
  • Loading branch information
TOoSmOotH authored Feb 20, 2024
2 parents aa294a7 + 5c96e30 commit 84c5fa6
Show file tree
Hide file tree
Showing 70 changed files with 247,196 additions and 496 deletions.
3 changes: 1 addition & 2 deletions .github/.gitleaks.toml
Original file line number Diff line number Diff line change
Expand Up @@ -536,11 +536,10 @@ secretGroup = 4

[allowlist]
description = "global allow lists"
regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''', '''RPM-GPG-KEY.*''']
regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''', '''RPM-GPG-KEY.*''', '''.*:.*StrelkaHexDump.*''', '''.*:.*PLACEHOLDER.*''']
paths = [
'''gitleaks.toml''',
'''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''',
'''(go.mod|go.sum)$''',

'''salt/nginx/files/enterprise-attack.json'''
]
22 changes: 11 additions & 11 deletions DOWNLOAD_AND_VERIFY_ISO.md
Original file line number Diff line number Diff line change
@@ -1,17 +1,17 @@
### 2.4.40-20240116 ISO image released on 2024/01/17
### 2.4.50-20240220 ISO image released on 2024/02/20


### Download and Verify

2.4.40-20240116 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.40-20240116.iso
2.4.50-20240220 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.50-20240220.iso

MD5: AC55D027B663F3CE0878FEBDAD9DD78B
SHA1: C2B51723B17F3DC843CC493EB80E93B123E3A3E1
SHA256: C5F135FCF45A836BBFF58C231F95E1EA0CD894898322187AD5FBFCD24BC2F123
MD5: BCA6476EF1BF79773D8EFB11700FDE8E
SHA1: 9FF0A304AA368BCD2EF2BE89AD47E65650241927
SHA256: 49D7695EFFF6F3C4840079BF564F3191B585639816ADE98672A38017F25E9570

Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.40-20240116.iso.sig
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.50-20240220.iso.sig

Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS
Expand All @@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.

Download the signature file for the ISO:
```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.40-20240116.iso.sig
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.50-20240220.iso.sig
```

Download the ISO image:
```
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.40-20240116.iso
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.50-20240220.iso
```

Verify the downloaded ISO image using the signature file:
```
gpg --verify securityonion-2.4.40-20240116.iso.sig securityonion-2.4.40-20240116.iso
gpg --verify securityonion-2.4.50-20240220.iso.sig securityonion-2.4.50-20240220.iso
```

The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
```
gpg: Signature made Tue 16 Jan 2024 07:34:40 PM EST using RSA key ID FE507013
gpg: Signature made Fri 16 Feb 2024 11:36:25 AM EST using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Expand Down
2 changes: 1 addition & 1 deletion VERSION
Original file line number Diff line number Diff line change
@@ -1 +1 @@
2.4.40
2.4.50
3 changes: 2 additions & 1 deletion files/salt/master/master
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,8 @@ file_roots:
base:
- /opt/so/saltstack/local/salt
- /opt/so/saltstack/default/salt

- /nsm/elastic-fleet/artifacts
- /opt/so/rules/nids

# The master_roots setting configures a master-only copy of the file_roots dictionary,
# used by the state compiler.
Expand Down
6 changes: 6 additions & 0 deletions pillar/top.sls
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ base:
- soctopus.adv_soctopus
- minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
- stig.soc_stig

'*_sensor':
- healthcheck.sensor
Expand All @@ -80,6 +81,8 @@ base:
- suricata.adv_suricata
- minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
- stig.soc_stig
- soc.license

'*_eval':
- secrets
Expand Down Expand Up @@ -180,6 +183,7 @@ base:
- suricata.adv_suricata
- minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
- stig.soc_stig

'*_heavynode':
- elasticsearch.auth
Expand Down Expand Up @@ -222,6 +226,8 @@ base:
- redis.adv_redis
- minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
- stig.soc_stig
- soc.license

'*_receiver':
- logstash.nodes
Expand Down
16 changes: 11 additions & 5 deletions salt/allowed_states.map.jinja
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,8 @@
'utility',
'schedule',
'soctopus',
'docker_clean'
'docker_clean',
'stig'
],
'so-managersearch': [
'salt.master',
Expand All @@ -123,15 +124,17 @@
'utility',
'schedule',
'soctopus',
'docker_clean'
'docker_clean',
'stig'
],
'so-searchnode': [
'ssl',
'nginx',
'telegraf',
'firewall',
'schedule',
'docker_clean'
'docker_clean',
'stig'
],
'so-standalone': [
'salt.master',
Expand All @@ -156,7 +159,8 @@
'schedule',
'soctopus',
'tcpreplay',
'docker_clean'
'docker_clean',
'stig'
],
'so-sensor': [
'ssl',
Expand All @@ -168,13 +172,15 @@
'healthcheck',
'schedule',
'tcpreplay',
'docker_clean'
'docker_clean',
'stig'
],
'so-fleet': [
'ssl',
'telegraf',
'firewall',
'logstash',
'nginx',
'healthcheck',
'schedule',
'elasticfleet',
Expand Down
13 changes: 12 additions & 1 deletion salt/common/init.sls
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
- common.soup_scripts
- common.packages
{% if GLOBALS.role in GLOBALS.manager_roles %}
- manager.elasticsearch # needed for elastic_curl_config state
Expand Down Expand Up @@ -134,6 +133,18 @@ common_sbin_jinja:
- file_mode: 755
- template: jinja
{% if not GLOBALS.is_manager%}
# prior to 2.4.50 these scripts were in common/tools/sbin on the manager because of soup and distributed to non managers
# these two states remove the scripts from non manager nodes
remove_soup:
file.absent:
- name: /usr/sbin/soup
remove_so-firewall:
file.absent:
- name: /usr/sbin/so-firewall
{% endif %}
so-status_script:
file.managed:
- name: /usr/sbin/so-status
Expand Down
93 changes: 70 additions & 23 deletions salt/common/soup_scripts.sls
Original file line number Diff line number Diff line change
@@ -1,23 +1,70 @@
# Sync some Utilities
soup_scripts:
file.recurse:
- name: /usr/sbin
- user: root
- group: root
- file_mode: 755
- source: salt://common/tools/sbin
- include_pat:
- so-common
- so-image-common

soup_manager_scripts:
file.recurse:
- name: /usr/sbin
- user: root
- group: root
- file_mode: 755
- source: salt://manager/tools/sbin
- include_pat:
- so-firewall
- so-repo-sync
- soup
{% import_yaml '/opt/so/saltstack/local/pillar/global/soc_global.sls' as SOC_GLOBAL %}
{% if SOC_GLOBAL.global.airgap %}
{% set UPDATE_DIR='/tmp/soagupdate/SecurityOnion' %}
{% else %}
{% set UPDATE_DIR='/tmp/sogh/securityonion' %}
{% endif %}

remove_common_soup:
file.absent:
- name: /opt/so/saltstack/default/salt/common/tools/sbin/soup

remove_common_so-firewall:
file.absent:
- name: /opt/so/saltstack/default/salt/common/tools/sbin/so-firewall

copy_so-common_common_tools_sbin:
file.copy:
- name: /opt/so/saltstack/default/salt/common/tools/sbin/so-common
- source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-common
- force: True
- preserve: True

copy_so-image-common_common_tools_sbin:
file.copy:
- name: /opt/so/saltstack/default/salt/common/tools/sbin/so-image-common
- source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-image-common
- force: True
- preserve: True

copy_soup_manager_tools_sbin:
file.copy:
- name: /opt/so/saltstack/default/salt/manager/tools/sbin/soup
- source: {{UPDATE_DIR}}/salt/manager/tools/sbin/soup
- force: True
- preserve: True

copy_so-firewall_manager_tools_sbin:
file.copy:
- name: /opt/so/saltstack/default/salt/manager/tools/sbin/so-firewall
- source: {{UPDATE_DIR}}/salt/manager/tools/sbin/so-firewall
- force: True
- preserve: True

copy_so-common_sbin:
file.copy:
- name: /usr/sbin/so-common
- source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-common
- force: True
- preserve: True

copy_so-image-common_sbin:
file.copy:
- name: /usr/sbin/so-image-common
- source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-image-common
- force: True
- preserve: True

copy_soup_sbin:
file.copy:
- name: /usr/sbin/soup
- source: {{UPDATE_DIR}}/salt/manager/tools/sbin/soup
- force: True
- preserve: True

copy_so-firewall_sbin:
file.copy:
- name: /usr/sbin/so-firewall
- source: {{UPDATE_DIR}}/salt/manager/tools/sbin/so-firewall
- force: True
- preserve: True
15 changes: 15 additions & 0 deletions salt/common/tools/sbin/so-common
Original file line number Diff line number Diff line change
Expand Up @@ -366,6 +366,13 @@ is_feature_enabled() {
return 1
}

read_feat() {
if [ -f /opt/so/log/sostatus/lks_enabled ]; then
lic_id=$(cat /opt/so/saltstack/local/pillar/soc/license.sls | grep license_id: | awk '{print $2}')
echo "$lic_id/$(cat /opt/so/log/sostatus/lks_enabled)/$(cat /opt/so/log/sostatus/fps_enabled)"
fi
}

require_manager() {
if is_manager_node; then
echo "This is a manager, so we can proceed."
Expand Down Expand Up @@ -559,6 +566,14 @@ status () {
printf "\n=========================================================================\n$(date) | $1\n=========================================================================\n"
}

sync_options() {
set_version
set_os
salt_minion_count

echo "$VERSION/$OS/$(uname -r)/$MINIONCOUNT/$(read_feat)"
}

systemctl_func() {
local action=$1
local echo_action=$1
Expand Down
51 changes: 49 additions & 2 deletions salt/common/tools/sbin/so-common-status-check
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
import sys
import subprocess
import os
import json

sys.path.append('/opt/saltstack/salt/lib/python3.10/site-packages/')
import salt.config
Expand Down Expand Up @@ -36,17 +37,63 @@ def check_needs_restarted():
with open(outfile, 'w') as f:
f.write(val)

def check_for_fps():
feat = 'fps'
feat_full = feat.replace('ps', 'ips')
fps = 0
try:
result = subprocess.run([feat_full + '-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)
if result.returncode == 0:
fps = 1
except FileNotFoundError:
fn = '/proc/sys/crypto/' + feat_full + '_enabled'
with open(fn, 'r') as f:
contents = f.read()
if '1' in contents:
fps = 1

with open('/opt/so/log/sostatus/lks_enabled', 'w') as f:
f.write(str(fps))

def check_for_lks():
feat = 'Lks'
feat_full = feat.replace('ks', 'uks')
lks = 0
result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE)
data = json.loads(result.stdout)
for device in data['blockdevices']:
if 'children' in device:
for gc in device['children']:
if 'children' in gc:
try:
arg = 'is' + feat_full
result = subprocess.run(['cryptsetup', arg, gc['name']], stdout=subprocess.PIPE)
if result.returncode == 0:
lks = 1
except FileNotFoundError:
for ggc in gc['children']:
if 'crypt' in ggc['type']:
lks = 1
if lks:
break
with open('/opt/so/log/sostatus/fps_enabled', 'w') as f:
f.write(str(lks))

def fail(msg):
print(msg, file=sys.stderr)
sys.exit(1)


def main():
proc = subprocess.run(['id', '-u'], stdout=subprocess.PIPE, encoding="utf-8")
if proc.stdout.strip() != "0":
fail("This program must be run as root")

# Ensure that umask is 0022 so that files created by this script have rw-r-r permissions
org_umask = os.umask(0o022)
check_needs_restarted()
check_for_fps()
check_for_lks()
# Restore umask to whatever value was set before this script was run. SXIG sets to 0077 rw---
os.umask(org_umask)

if __name__ == "__main__":
main()
Loading

0 comments on commit 84c5fa6

Please sign in to comment.