Merge pull request #1529 from Security-Onion-Solutions/dev

2.3.0 GA!

README.md

@@ -1,37 +1,28 @@
-## Security Onion 2.2.0.rc3
+## Security Onion 2.3.0
 
-Security Onion 2.2.0 RC3 is here!
+Security Onion 2.3.0 is here!
 
-### Warnings and Disclaimers
-
-- If this breaks your system, you get to keep both pieces!  
-- This is a work in progress and is in constant flux.  
-- This configuration may change drastically over time leading up to the final release.  
-- Do NOT run this on a system that you care about!  
-- Do NOT run this on a system that has data that you care about!  
-- This script should only be run on a TEST box with TEST data!  
-- Use of this script may result in nausea, vomiting, or a burning sensation.  
 
 ### Release Notes
 
-https://docs.securityonion.net/en/2.2/release-notes.html
+https://docs.securityonion.net/en/2.3/release-notes.html
 
 ### Requirements
 
-https://docs.securityonion.net/en/2.2/hardware.html
+https://docs.securityonion.net/en/2.3/hardware.html
 
 ### Download
 
-https://docs.securityonion.net/en/2.2/download.html
+https://docs.securityonion.net/en/2.3/download.html
 
 ### Installation
 
-https://docs.securityonion.net/en/2.2/installation.html
+https://docs.securityonion.net/en/2.3/installation.html
 
 ### FAQ
 
-https://docs.securityonion.net/en/2.2/faq.html
+https://docs.securityonion.net/en/2.3/faq.html
 
 ### Feedback
 
-https://docs.securityonion.net/en/2.2/community-support.html
+https://docs.securityonion.net/en/2.3/community-support.html

VERIFY_ISO.md

@@ -1,16 +1,16 @@
-### 2.2.0-rc3 ISO image built on 2020/09/17
+### 2.3.0 ISO image built on 2020/10/15
 
 ### Download and Verify
 
-2.2.0-rc3 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.2.0-rc3.iso
+2.3.0 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.3.0.iso
 
-MD5: 051883501C905653ACBCEC513C294778  
-SHA1: 0A66F6636F53B268E7FFB743A3136AC5CC3E0E96  
-SHA256: 5A9F303954AF1B1D271CE526E5DCBFC28F3FFC0621B291A29F0F7F2E8EB11C43 
+MD5: E05B220E4FD7C054DF5C50906EE1375B
+SHA1: 55E93C6EAB140AB4A0F07873CC871EBFDC699CD6  
+SHA256: 57B96A6E0951143E123BFC0CD0404F7466776E69F3C115F5A0444C0C6D5A6E32 
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.2.0-rc3.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.0.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -24,27 +24,27 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.2.0-rc3.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.0.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.2.0-rc3.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.0.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.2.0-rc3.iso.sig securityonion-2.2.0-rc3.iso
+gpg --verify securityonion-2.3.0.iso.sig securityonion-2.3.0.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Thu 17 Sep 2020 10:05:27 AM EDT using RSA key ID FE507013
+gpg: Signature made Thu 15 Oct 2020 08:06:28 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <[email protected]>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
 Primary key fingerprint: C804 A93D 36BE 0C73 3EA1  9644 7C10 60B7 FE50 7013
 ```
 
 Once you've verified the ISO image, you're ready to proceed to our Installation guide:  
-https://docs.securityonion.net/en/2.2/installation.html
+https://docs.securityonion.net/en/2.3/installation.html

VERSION

@@ -1 +1 @@
-2.2.0-rc.3
+2.3.0

files/salt/master/salt-master.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=The Salt Master Server
+Documentation=man:salt-master(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html
+After=network.target
+
+[Service]
+LimitNOFILE=100000
+Type=notify
+NotifyAccess=all
+ExecStart=/usr/bin/salt-master
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

pillar/elasticsearch/manager.sls

@@ -0,0 +1,13 @@
+elasticsearch:
+  templates:
+    - so/so-beats-template.json.jinja
+    - so/so-common-template.json
+    - so/so-firewall-template.json.jinja
+    - so/so-flow-template.json.jinja
+    - so/so-ids-template.json.jinja
+    - so/so-import-template.json.jinja
+    - so/so-osquery-template.json.jinja
+    - so/so-ossec-template.json.jinja
+    - so/so-strelka-template.json.jinja
+    - so/so-syslog-template.json.jinja
+    - so/so-zeek-template.json.jinja

pillar/logrotate/init.sls

@@ -0,0 +1,11 @@
+logrotate:
+  conf: | 
+    daily
+    rotate 14
+    missingok
+    copytruncate
+    compress
+    create
+    extension .log
+    dateext
+    dateyesterday

pillar/top.sls

@@ -1,6 +1,7 @@
 base:
   '*':
     - patch.needs_restarting
+    - logrotate
 
   '*_eval or *_helix or *_heavynode or *_sensor or *_standalone or *_import':
     - match: compound
@@ -13,22 +14,23 @@ base:
     - logstash.search
     - elasticsearch.search
 
-  '*_sensor':
-    - global
-    - zeeklogs
-    - healthcheck.sensor
-    - minions.{{ grains.id }}
+  '*_manager':
+    - logstash
+    - logstash.manager
+    - elasticsearch.manager
 
   '*_manager or *_managersearch':
     - match: compound
-    - global
     - data.*
     - secrets
+    - global
     - minions.{{ grains.id }}
 
-  '*_manager':
-    - logstash
-    - logstash.manager
+  '*_sensor':
+    - zeeklogs
+    - healthcheck.sensor
+    - global
+    - minions.{{ grains.id }}
 
   '*_eval':
     - data.*
@@ -56,29 +58,29 @@ base:
     - minions.{{ grains.id }}
 
   '*_heavynode':
-    - global
     - zeeklogs
+    - global
     - minions.{{ grains.id }}
 
   '*_helix':
-    - global
     - fireeye
     - zeeklogs
     - logstash
     - logstash.helix
+    - global
     - minions.{{ grains.id }}
 
   '*_fleet':
-    - global
     - data.*
     - secrets
+    - global
     - minions.{{ grains.id }}
 
   '*_searchnode':
-    - global
     - logstash
     - logstash.search
     - elasticsearch.search
+    - global
     - minions.{{ grains.id }}
 
   '*_import':

pillar/zeek/init.sls

@@ -52,4 +52,5 @@ zeek:
       - frameworks/signatures/detect-windows-shells
     redef:
       - LogAscii::use_json = T;
-      - LogAscii::json_timestamps = JSON::TS_ISO8601;
+      - LogAscii::json_timestamps = JSON::TS_ISO8601;
+      - CaptureLoss::watch_interval = 5 mins;

salt/_modules/so.py

@@ -1,4 +1,4 @@
 #!py
 
 def status():
-  return __salt__['cmd.run']('/sbin/so-status')
+  return __salt__['cmd.run']('/usr/sbin/so-status')

salt/common/cron/common-rotate

@@ -0,0 +1,2 @@
+#!/bin/bash
+logrotate -f /opt/so/conf/log-rotate.conf >/dev/null 2>&1

salt/common/files/log-rotate.conf

@@ -0,0 +1,23 @@
+{%- set logrotate_conf = salt['pillar.get']('logrotate:conf') %}
+
+/opt/so/log/aptcacher-ng/*.log
+/opt/so/log/idstools/*.log
+/opt/so/log/nginx/*.log
+/opt/so/log/soc/*.log
+/opt/so/log/kratos/*.log
+/opt/so/log/kibana/*.log
+/opt/so/log/influxdb/*.log
+/opt/so/log/elastalert/*.log
+/opt/so/log/soctopus/*.log
+/opt/so/log/curator/*.log
+/opt/so/log/fleet/*.log
+/opt/so/log/suricata/*.log
+/opt/so/log/mysql/*.log
+/opt/so/log/playbook/*.log
+/opt/so/log/logstash/*.log
+/opt/so/log/filebeat/*.log
+/opt/so/log/telegraf/*.log
+/opt/so/log/redis/*.log
+{
+    {{ logrotate_conf | indent(width=4) }}
+}

salt/common/init.sls

@@ -56,6 +56,12 @@ salttmp:
 
 # Install epel
 {% if grains['os'] == 'CentOS' %}
+repair_yumdb:
+  cmd.run:
+    - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all'
+    - onlyif:
+      - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"'
+
 epel:
   pkg.installed:
     - skip_suggestions: True
@@ -192,6 +198,40 @@ sensorrotateconf:
 
 {% endif %}
 
+commonlogrotatescript:
+  file.managed:
+    - name: /usr/local/bin/common-rotate
+    - source: salt://common/cron/common-rotate
+    - mode: 755
+
+commonlogrotateconf:
+  file.managed:
+    - name: /opt/so/conf/log-rotate.conf
+    - source: salt://common/files/log-rotate.conf
+    - template: jinja
+    - mode: 644
+
+/usr/local/bin/common-rotate:
+  cron.present:
+    - user: root
+    - minute: '1'
+    - hour: '0'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
+{% if role in ['eval', 'manager', 'managersearch', 'standalone'] %}
+# Add config backup
+/usr/sbin/so-config-backup > /dev/null 2>&1:
+  cron.present:
+    - user: root
+    - minute: '1'
+    - hour: '0'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+{% endif %}
+
 # Make sure Docker is always running
 docker:
   service.running:
@@ -203,4 +243,4 @@ common_state_not_allowed:
   test.fail_without_changes:
     - name: common_state_not_allowed
 
-{% endif %}
+{% endif %}