diff --git a/so-elastic-fleet-package-registry/Dockerfile b/so-elastic-fleet-package-registry/Dockerfile
index a93c82a0..7a873906 100644
--- a/so-elastic-fleet-package-registry/Dockerfile
+++ b/so-elastic-fleet-package-registry/Dockerfile
@@ -16,6 +16,10 @@ ARG VERSION
 FROM docker.elastic.co/package-registry/distribution:$VERSION as original_image
+# Remove unsupported packages
+COPY scripts /scripts
+RUN chmod +x /scripts/supported-integrations.sh && bash /scripts/supported-integrations.sh && rm -rf /scripts
+
 # Cleanup unneeded packages, keeping the two most recent versons of each one
 # Except for endpoint packages, keep all versions
 RUN cd /packages/package-storage/ \
diff --git a/so-elastic-fleet-package-registry/scripts/supported-integrations.sh b/so-elastic-fleet-package-registry/scripts/supported-integrations.sh
new file mode 100644
index 00000000..9181fca9
--- /dev/null
+++ b/so-elastic-fleet-package-registry/scripts/supported-integrations.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+# This script removes unsupported packages from our self-hosted Elastic Package Repo container image.
+# It is meant to be used during the image build process.
+cd /packages/package-storage/
+for file in *
+do
+ PATTERN=$(echo $file | cut -d "-" -f 1)-
+ [[ ! $(grep -x "$PATTERN" /scripts/supported-integrations.txt) ]] && rm "$file" && echo "Deleted: $file..."
+done
+exit 0
\ No newline at end of file
diff --git a/so-elastic-fleet-package-registry/scripts/supported-integrations.txt b/so-elastic-fleet-package-registry/scripts/supported-integrations.txt
new file mode 100644
index 00000000..31e72ad7
--- /dev/null
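Review bot: The loop in supported-integrations.sh fails open: if `/scripts/supported-integrations.txt` is missing or unreadable, `$(grep ...)` is empty for every entry and `rm` runs on every package, and if `cd /packages/package-storage/` fails the `rm` calls run in whatever directory the build happens to be in. The unconditional `exit 0` then reports success to the `&&` chain in the so-elastic-fleet-package-registry/Dockerfile hunk above, so the image would build with an empty or wrongly pruned registry and nothing would flag it. Fail closed instead: verify the allow-list exists before deleting anything, abort on a failed `cd`, enable `set -euo pipefail`, match with `grep -qxF --` so the prefix is a literal string rather than a regex, and drop the trailing `exit 0`. The rewritten body below keeps the same deletion rule (the first `-`-delimited field of the filename, plus `-`, must appear as a whole line in the allow-list).
```shell
set -euo pipefail
allowlist=/scripts/supported-integrations.txt
[[ -r "$allowlist" ]] || { echo "missing allow-list: $allowlist" >&2; exit 1; }
cd /packages/package-storage/ || exit 1
for file in *; do
  [[ -e "$file" ]] || continue          # empty directory: '*' stays literal
  pattern=${file%%-*}-
  if ! grep -qxF -- "$pattern" "$allowlist"; then
    rm -- "$file"
    echo "Deleted: $file..."
  fi
done
```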
+++ b/so-elastic-fleet-package-registry/scripts/supported-integrations.txt
@@ -0,0 +1,64 @@
+apache-
+auditd-
+auth0-
+aws-
+azure-
+barracuda-
+carbonblack_edr-
+checkpoint-
+cisco_asa-
+cisco_duo-
+cisco_meraki-
+cisco_umbrella-
+cloudflare-
+crowdstrike-
+darktrace-
+elasticsearch-
+endpoint-
+f5_bigip-
+fim-
+fireeye-
+fleet_server-
+fortinet-
+fortinet_fortigate-
+gcp-
+github-
+google_workspace-
+http_endpoint-
+httpjson-
+juniper-
+juniper_srx-
+kafka_log-
+lastpass-
+log-
+m365_defender-
+microsoft_defender_endpoint-
+microsoft_dhcp-
+mimecast-
+netflow-
+o365-
+okta-
+osquery_manager-
+panw-
+pfsense-
+pulse_connect_secure-
+redis-
+sentinel_one-
+snyk-
+sonicwall_firewall-
+sophos-
+sophos_central-
+symantec_endpoint-
+system-
+tcp-
+tenable_sc-
+ti_abusech-
+ti_misp-
+ti_otx-
+ti_recordedfuture-
+udp-
+vsphere-
+windows-
+zscaler_zia-
+zscaler_zpa-
+1password-
diff --git a/so-influxdb/Dockerfile b/so-influxdb/Dockerfile
index a38363d4..9ebde4ad 100644
--- a/so-influxdb/Dockerfile
+++ b/so-influxdb/Dockerfile
@@ -1,12 +1,12 @@
-ARG INFLUX_VERSION=2.6.1
+ARG INFLUX_VERSION=2.7.1
-FROM ghcr.io/security-onion-solutions/ubuntu:22.04 as builder
+FROM ghcr.io/security-onion-solutions/ubuntu:23.04 as builder
 ARG INFLUX_VERSION
-ARG NODE_VERSION=v18.14.0
+ARG NODE_VERSION=v20.8.1
 ARG NODE_ARCH=linux-x64
-RUN apt update -y && apt install -y git wget xz-utils
+RUN apt update -y && apt install -y git wget xz-utils
 RUN git clone https://github.com/influxdata/ui -b OSS-v$INFLUX_VERSION
 RUN wget https://nodejs.org/dist/$NODE_VERSION/node-$NODE_VERSION-$NODE_ARCH.tar.xz -O /node.xz
 RUN tar -xJf /node.xz
@@ -34,7 +34,7 @@ RUN chmod a+x /redirect_to_file.sh && groupmod -g 939 influxdb
 COPY --from=builder /ui/build /ui
-RUN apt update -y && apt install netcat -y && apt clean -y
+RUN apt update -y && apt install netcat-traditional -y && apt clean -y
 ENTRYPOINT ["/redirect_to_file.sh"]
 CMD ["/entrypoint.sh", "influxd"]
\ No newline at end of file
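Review bot: The builder stage moves from `ubuntu:22.04` to `ubuntu:23.04` on the FROM line of the first so-influxdb hunk; 23.04 is an interim release with nine months of updates, so the build image stops receiving security fixes well before the runtime images it feeds. Nothing in the hunk shows a package that needs 23.04, so staying on the LTS line keeps the builder patchable for the life of the release. If the move is deliberate, a comment on the FROM line such as `# 23.04 needed for <reason>; revisit when the next LTS is available` would save the next reader the question.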
diff --git a/so-kibana/Dockerfile b/so-kibana/Dockerfile
index 8ed38ebe..610573cd 100644
--- a/so-kibana/Dockerfile
+++ b/so-kibana/Dockerfile
@@ -34,6 +34,9 @@ RUN ln -s /usr/share/kibana /opt/kibana
 ENV PATH=/usr/share/kibana/bin:$PATH
+# Disable hardcoded Integrations from showing up
+RUN sed -i 's/"server": true,/"server": false,/g' /usr/share/kibana/node_modules/@kbn/custom-integrations-plugin/kibana.jsonc
+
 # Copy over the dashboards
 RUN mkdir /usr/share/kibana/dashboards
diff --git a/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml b/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml
index 69180e05..3f18bcfd 100644
--- a/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml
+++ b/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml
@@ -232,8 +232,8 @@ fieldmappings:
 username: user.name
 uid: user.uid
 sid: rule.uuid
- query: query
 answer: answers
+ query: dns.query.name
 src_ip: destination.ip.keyword
 src_port: source.port
 dst_ip: destination.ip.keyword
diff --git a/so-suricata/Dockerfile b/so-suricata/Dockerfile
index 8e7eeef8..8baa3f75 100644
--- a/so-suricata/Dockerfile
+++ b/so-suricata/Dockerfile
@@ -27,7 +27,7 @@ RUN dnf -y install autoconf automake diffutils file-devel gcc gcc-c++ git \
 lua-devel lz4-devel make nss-devel pcre-devel pcre2-devel pkgconfig \
 python3-devel python3-sphinx python3-yaml sudo which cargo \
 zlib-devel luajit-devel cargo && cargo install --force cbindgen
-ENV SURIVERSION=6.0.14
+ENV SURIVERSION=7.0.2
 RUN mkdir /suricata
 WORKDIR /suricata
@@ -55,6 +55,6 @@ RUN yum -y install epel-release bash libpcap iproute && \
 ADD files/so-suricata.sh /usr/local/sbin/so-suricata.sh
 RUN chmod +x /usr/local/sbin/so-suricata.sh
-RUN rpm -i https://github.com/axellioinc/fx-libpcap/releases/download/fxlibpcap-1.9.1/fx-libpcap-1.9.1-1.el7.x86_64.rpm
+RUN rpm -i https://github.com/axellioinc/fx-libpcap/releases/download/px3_1.9.1-3/fx-libpcap-1.9.1-3.el7_9.x86_64.rpm
 ENTRYPOINT ["/usr/local/sbin/so-suricata.sh"]
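Review bot: The new `sed -i` on kibana.jsonc is a silent no-op if a later Kibana build renames the key or changes its formatting, so the hard-coded integrations would come back without any build failure. Make the edit assert its precondition so the build fails loudly instead: `RUN grep -q '"server": true,' /usr/share/kibana/node_modules/@kbn/custom-integrations-plugin/kibana.jsonc && sed -i 's/"server": true,/"server": false,/g' /usr/share/kibana/node_modules/@kbn/custom-integrations-plugin/kibana.jsonc`. The comment above it would also be more useful if it named the mechanism, e.g. `# Flip "server" to false in the bundled custom-integrations plugin manifest so its hard-coded Integrations no longer show up`.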
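Review bot: `src_ip` is mapped to `destination.ip.keyword`, the same field as `dst_ip`, two lines below the new `query` mapping; any rule keyed on a source address would match the destination instead. That is context rather than changed code, but since this hunk is already reworking the mappings it is the natural place to fix it: `src_ip: source.ip.keyword`. The retained `answer: answers` mapping also looks inconsistent next to the new ECS-style `dns.query.name`; confirm which field the ingest pipeline actually emits for DNS answers before assuming it is right.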
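Review bot: The updated `rpm -i https://github.com/axellioinc/fx-libpcap/...` still installs a third-party libpcap build straight from a GitHub release URL with no checksum or signature check, so a replaced release asset would land in the sensor image unnoticed; the so-zeek hunk at the end of this diff does the same with `rpm -Uvh` (dropping `--nodigest --nofiledigest` there is an improvement, but those digests are embedded in the package and say nothing about where it came from). Download first and pin the expected digest: `RUN curl -fsSLo /tmp/fx-libpcap.rpm <release URL from the hunk> && echo "<EXPECTED_SHA256>  /tmp/fx-libpcap.rpm" | sha256sum -c - && rpm -i /tmp/fx-libpcap.rpm && rm -f /tmp/fx-libpcap.rpm`, using wget if curl is not in the image (the hunk's context only shows `bash libpcap iproute` being installed). The RPM is also built for el7 (`el7_9`) while the so-zeek base in this diff is oraclelinux:9; if that combination has been verified, a comment saying so would be worth adding.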
diff --git a/so-telegraf/Dockerfile b/so-telegraf/Dockerfile
index 9b909a90..3bcc0538 100644
--- a/so-telegraf/Dockerfile
+++ b/so-telegraf/Dockerfile
@@ -1,10 +1,10 @@
-FROM ghcr.io/security-onion-solutions/telegraf:1.25.1-alpine
+FROM ghcr.io/security-onion-solutions/telegraf:1.28.2-alpine
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Telegraf running in Docker container for use with Security Onion"
 USER root
-RUN apk add --no-cache redis curl jq
+RUN apk add --no-cache redis curl jq bash
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]
diff --git a/so-zeek/Dockerfile b/so-zeek/Dockerfile
index 65f452cf..956f0d7c 100644
--- a/so-zeek/Dockerfile
+++ b/so-zeek/Dockerfile
@@ -13,11 +13,11 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-FROM ghcr.io/security-onion-solutions/oraclelinux:9 as builder
+FROM ghcr.io/security-onion-solutions/oraclelinux:9 as builder
 RUN dnf -y install dnf-plugins-core && \
 dnf config-manager --enable ol9_codeready_builder && \
- dnf update -y && \
+ dnf update -y && \
 dnf -y install epel-release bash libpcap iproute wget cmake swig && \
 dnf -y install jemalloc numactl libnl3 libdnet gdb git && \
 dnf -y install libpcap-devel openssl-devel zlib-devel jemalloc-devel python3-devel kernel-devel kernel-headers && \
@@ -32,8 +32,6 @@ RUN wget https://www.openssl.org/source/old/3.0/openssl-3.0.1.tar.gz && tar zxvf
 WORKDIR /opensslbuild/openssl-3.0.1
 RUN dnf -y install perl && \
- echo 'yes' | cpan && \
- cpan Test::More && \
 ./Configure --prefix=/usr/local/ssl --openssldir=/usr/local/ssl enable-fips && \
 time make -j4 && \
 time make install && \
@@ -41,7 +39,7 @@ RUN dnf -y install perl && \
 WORKDIR /
-ENV ZEEKVER=5.0.10
+ENV ZEEKVER=6.0.2
 ARG BUILD_TYPE=Release
 RUN mkdir /zeekbuild
@@ -51,12 +49,9 @@ WORKDIR /zeekbuild
 RUN wget https://download.zeek.org/zeek-$ZEEKVER.tar.gz && tar zxvf zeek-$ZEEKVER.tar.gz
 RUN cd zeek-$ZEEKVER && \
 ./configure --prefix=/opt/zeek --spooldir=/nsm/zeek/spool --logdir=/nsm/zeek/logs --enable-jemalloc --build-type=$BUILD_TYPE --with-openssl=/usr/local/ssl && \
- time make -j4 && time make install && \
- fips-mode-setup --enable
+ time make -j4 && time make install
 RUN /opt/zeek/bin/zkg install --force ja3 && \
 /opt/zeek/bin/zkg install --force hassh && \
- /opt/zeek/bin/zkg install --force https://github.com/TOoSmOotH/zeek-af_packet-plugin --version=master && \
- /opt/zeek/bin/zkg install --force zeek-community-id && \
 /opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/bzar --version=master && \
 /opt/zeek/bin/zkg install --force --skiptests icsnpp-bacnet && \
 /opt/zeek/bin/zkg install --force --skiptests icsnpp-bsap && \
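Review bot: Dropping `fips-mode-setup --enable` from the build RUN leaves the FIPS story for this image implicit: the OpenSSL in /usr/local/ssl is still configured with `enable-fips` in the earlier hunk and Zeek is still built `--with-openssl=/usr/local/ssl`, but nothing now records whether the FIPS provider is expected to be active at runtime, and the removed call appears to have affected only the builder stage's own crypto policy rather than the final image. A one-line comment above `RUN cd zeek-$ZEEKVER` stating the intended state (for example `# OpenSSL is built with the FIPS provider; enabling FIPS mode is left to the host policy`, if that is the case) would stop the next reader from re-adding it. The removal of the af_packet plugin and zeek-community-id installs presumably relies on both being bundled with Zeek 6.x; any `@load` of those packages in the site policy lives outside this diff and should be checked in the same change.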
@@ -68,11 +63,9 @@ RUN /opt/zeek/bin/zkg install --force ja3 && \
 /opt/zeek/bin/zkg install --force --skiptests icsnpp-modbus && \
 git clone https://github.com/cisagov/icsnpp-s7comm && \
 /opt/zeek/bin/zkg install --force --skiptests icsnpp-s7comm && \
- git clone https://github.com/amzn/zeek-plugin-profinet && \
- /opt/zeek/bin/zkg install --force --skiptests zeek-plugin-profinet && \
- git clone https://github.com/amzn/zeek-plugin-tds && \
- /opt/zeek/bin/zkg install --force --skiptests zeek-plugin-tds && \
- /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-wireguard && \
+ /opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/zeek-plugin-profinet --version=master && \
+ /opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/zeek-plugin-tds --version=master && \
+ /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-wireguard && \
 /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-stun && \
 /opt/zeek/bin/zkg install --force --skiptests https://github.com/iamckn/oui-logging && \
 /bin/python3 /opt/zeek/share/zeek/site/oui-logging/oui.py /opt/zeek/share/zeek/site/oui-logging/oui.dat && \
@@ -84,11 +77,11 @@ RUN groupadd --gid 937 zeek && \
 chown -R 937:937 /opt/zeek && \
 chown -R 937:937 /nsm/zeek && \
 chown -R 937:937 /usr/local/ssl
-
+
 FROM ghcr.io/security-onion-solutions/oraclelinux:9
 LABEL maintainer "Security Onion Solutions, LLC"
-LABEL description="Zeek running in a docker with AF_Packet 3.2.0 for use with Security Onion"
+LABEL description="Zeek running in docker for use with Security Onion"
 # Common CentOS layer
 RUN dnf update -y && \
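Review bot: The profinet and tds packages now come from `https://github.com/mmguero-dev/...` forks installed with `--version=master --skiptests`, so every build pulls whatever that branch head is at the time and installs it into the sensor image without running the package tests; the `bzar` line in the previous hunk has the same shape. Pin to a tag or commit (zkg's `--version` accepts either), i.e. `--version=<tag-or-commit>` in place of `--version=master`, and record in a comment why the forks are preferred over the `amzn/` repositories they replace so the pin can be revisited. If `--skiptests` is needed because the packages' tests do not run on Zeek 6, a short comment saying so would help too.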
@@ -106,8 +99,8 @@ COPY --from=builder /usr/local/ssl/ /usr/local/ssl
 # Copy over the entry script.
 COPY files/zeek.sh /usr/local/sbin/zeek.sh
 RUN chmod +x /usr/local/sbin/zeek.sh
-RUN rpm -Uvh --nofiledigest --nodigest https://github.com/axellioinc/fx-libpcap/releases/download/fxlibpcap-1.9.1/fx-libpcap-1.9.1-1.el7.x86_64.rpm
+RUN rpm -Uvh https://github.com/axellioinc/fx-libpcap/releases/download/px3_1.9.1-3/fx-libpcap-1.9.1-3.el7_9.x86_64.rpm
-HEALTHCHECK --interval=10m --timeout=2m CMD /opt/zeek/bin/zeekctl status || (kill -s 15 -1 && (sleep 30; kill -s 9 -1))
+HEALTHCHECK --interval=10m --timeout=2m CMD runuser -u zeek -- /opt/zeek/bin/zeekctl status || (kill -s 15 -1 && (sleep 30; kill -s 9 -1))
 ENTRYPOINT ["/usr/local/sbin/zeek.sh"]
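Review bot: The new `runuser -u zeek --` prefix in HEALTHCHECK only works when the health probe itself runs as root; if the image ends with a non-root `USER` (not visible in this hunk), runuser fails on every probe and the `||` fallback sends SIGTERM and then SIGKILL to every process in the container, turning a privilege mismatch into a crash loop on a ten-minute cadence. Worth confirming the final USER, and separating "could not run the check" from "zeek is down": treat a runuser error as a failed probe (`exit 1`) rather than reaching for `kill -1`, which should be reserved for a genuine `zeekctl status` failure. The `rpm -Uvh` two lines above still fetches the RPM from a release URL without a pinned checksum; a `sha256sum -c` against a recorded `<EXPECTED_SHA256>` before installing would close that gap.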