
2.4.60 #12616

Merged
merged 205 commits into from
Mar 20, 2024

205 commits
762a3be
Defaults and Annotations
TOoSmOotH Jan 25, 2024
1a2245a
Add so-minion modifications
TOoSmOotH Jan 29, 2024
5b05aec
Target specific minion
TOoSmOotH Jan 29, 2024
0c96931
Add Globals
TOoSmOotH Jan 29, 2024
88c01a2
Add annotation logic
TOoSmOotH Jan 29, 2024
ab551a7
Threads placeholder logic
TOoSmOotH Jan 29, 2024
88d2ddb
add placeholder for telegraf
TOoSmOotH Jan 29, 2024
d118ff4
add GLOBALS.pcap_engine
m0duspwnens Jan 29, 2024
37dcb84
add missing comma
m0duspwnens Jan 30, 2024
0522dc1
map pcap dir to container. enable pcap-log in map
m0duspwnens Jan 30, 2024
8ed66ea
disable stenographer if suricata is pcap engine
m0duspwnens Jan 30, 2024
f32cb1f
fix find to work with steno and suri pcap
m0duspwnens Jan 30, 2024
8b503e2
telegraf don't run stenoloss script if suricata is pcap engine
m0duspwnens Jan 30, 2024
8a25748
grammar
m0duspwnens Jan 30, 2024
0fa4d92
socsigmarepo
coreyogburn Oct 19, 2023
4be1214
pcap engine logic for sensoroni
m0duspwnens Jan 30, 2024
858166b
WIP: Detections Changes
coreyogburn Jan 30, 2024
00289c2
fix pcap paths
TOoSmOotH Jan 31, 2024
0d01d09
fix pcap paths
TOoSmOotH Jan 31, 2024
585147d
Added so-detection mapping in elasticsearch
coreyogburn Jan 31, 2024
db057b4
Merge pull request #12296 from Security-Onion-Solutions/cogburn/detec…
defensivedepth Jan 31, 2024
881d6b3
Update VERSION - kilo
defensivedepth Jan 31, 2024
49b5788
add bindings
defensivedepth Feb 1, 2024
fe196b5
Add SOC Config for Detections
defensivedepth Feb 1, 2024
8f81c9e
Updating config for Detection(s)
coreyogburn Feb 2, 2024
378c99a
Fix bindings
defensivedepth Feb 2, 2024
b7b501d
Add Sigma pipelines
defensivedepth Feb 7, 2024
7e3187c
Fixup sigma pipelines
defensivedepth Feb 7, 2024
81a3e95
Fixup sigma pipelines
defensivedepth Feb 7, 2024
2917456
WIP: Updated Detection Mappings, Changed Engine to Language
coreyogburn Feb 8, 2024
64f6d0f
Updated Detection's ES Mappings
coreyogburn Feb 9, 2024
5a4e11b
Update soup
TOoSmOotH Feb 12, 2024
5102269
Update defaults
defensivedepth Feb 12, 2024
ea80469
Detection Default queries
defensivedepth Feb 13, 2024
0c6c6ba
Various UI tweaks
defensivedepth Feb 13, 2024
0d29727
DetectionComment Mapping Defined
coreyogburn Feb 13, 2024
c933627
Merge branch 'kilo' of github.com:security-onion-solutions/securityon…
coreyogburn Feb 13, 2024
031ee07
socsigmarepo
coreyogburn Oct 19, 2023
8800b7e
WIP: Detections Changes
coreyogburn Jan 30, 2024
f321e73
Added so-detection mapping in elasticsearch
coreyogburn Jan 31, 2024
a5db9f8
Merge branch 'kilo' into cogburn/detection_playbooks
coreyogburn Feb 13, 2024
686304f
Merge remote-tracking branch 'origin/2.4/dev' into kilo
defensivedepth Feb 15, 2024
c64f37a
sigmaRulePackages is now a string array
coreyogburn Feb 15, 2024
e4dcb4a
Merge remote-tracking branch 'origin/cogburn/detection_playbooks' int…
defensivedepth Feb 15, 2024
ffb3cc8
Default ruleset; Descriptions
defensivedepth Feb 16, 2024
07fcfab
Update VERSION
TOoSmOotH Feb 20, 2024
ed07736
Merge pull request #12385 from Security-Onion-Solutions/TOoSmOotH-pat…
TOoSmOotH Feb 20, 2024
4b314c8
replace correlate icon to avoid confusion with searcheng.in
jertel Feb 20, 2024
78d41c5
Merge pull request #12386 from Security-Onion-Solutions/jertel/corricon
jertel Feb 20, 2024
89010da
Merge pull request #12348 from Security-Onion-Solutions/TOoSmOotH-pat…
TOoSmOotH Feb 20, 2024
6c6a362
add lock threads
jertel Feb 21, 2024
2977843
Merge pull request #12396 from Security-Onion-Solutions/jertel/glm
jertel Feb 21, 2024
9ca0f58
Manage the repos
TOoSmOotH Feb 21, 2024
1952f0f
Merge remote-tracking branch 'origin/2.4/dev' into kilo
defensivedepth Feb 21, 2024
25570e6
add missing template
jertel Feb 21, 2024
152e793
Merge pull request #12408 from Security-Onion-Solutions/jertel/24temp…
jertel Feb 21, 2024
1627855
nest under policy
m0duspwnens Feb 21, 2024
927ea0c
Update VERSION
defensivedepth Feb 21, 2024
eb3432f
Merge pull request #12412 from Security-Onion-Solutions/kilo
coreyogburn Feb 21, 2024
d2f7946
Merge pull request #12411 from Security-Onion-Solutions/issue/12382
m0duspwnens Feb 21, 2024
0a9022b
Add hash mappings
defensivedepth Feb 21, 2024
c886e72
Imphash mappings
defensivedepth Feb 22, 2024
759b2ff
Manage the repos
TOoSmOotH Feb 22, 2024
e7914fc
Update stenoloss.sh
TOoSmOotH Feb 22, 2024
1824d7b
Merge pull request #12416 from Security-Onion-Solutions/TOoSmOotH-pat…
TOoSmOotH Feb 22, 2024
d04aa06
Fix source.ip
defensivedepth Feb 22, 2024
b8baca4
add endpoint_x_events_x_process to defaults.yaml
dougburks Feb 23, 2024
573d565
convert _x_ to . for soc ui to config
m0duspwnens Feb 23, 2024
65cdc1d
Merge pull request #12423 from Security-Onion-Solutions/jppfiec
dougburks Feb 23, 2024
7da0ccf
add more endpoint.events.x entries to merged.map.jinja
dougburks Feb 23, 2024
b7ef1e8
add more endpoint.events.x fields to soc_soc.yaml
dougburks Feb 23, 2024
58f4fb8
fix new eventFields in soc_soc.yaml
dougburks Feb 23, 2024
daf96d7
fix new eventFields in merged.map.jinja
dougburks Feb 23, 2024
d6cb8ab
update events_x_process in defaults.yaml
dougburks Feb 23, 2024
77cb574
Merge pull request #12430 from Security-Onion-Solutions/feature/sigma…
defensivedepth Feb 26, 2024
a6bb721
Add Detection AutoUpdate config
defensivedepth Feb 26, 2024
66b815d
Merge pull request #12431 from Security-Onion-Solutions/feature/browe…
defensivedepth Feb 26, 2024
ca24931
FEATURE: Add new SOC action for Process Info #12421
dougburks Feb 26, 2024
4df2114
FEATURE: Add default columns for endpoint.events datasets #12425
dougburks Feb 26, 2024
c8a95a8
FEATURE: Add new endpoint dashboards #12428
dougburks Feb 26, 2024
9a7e215
add classification.config
m0duspwnens Feb 26, 2024
f8424f3
Update defaults.yaml
dougburks Feb 26, 2024
1d099f9
Update pattern for endpoint diagnostic template
weslambert Feb 26, 2024
acf7dbd
Merge pull request #12432 from Security-Onion-Solutions/fix/endpoint_…
weslambert Feb 26, 2024
52580fb
Merge pull request #12434 from Security-Onion-Solutions/feature/impro…
dougburks Feb 26, 2024
466dac3
soup for classifications
m0duspwnens Feb 26, 2024
8b7f793
suricata container watch classification.config
m0duspwnens Feb 26, 2024
c6baa4b
Airgap Support - Detections module
defensivedepth Feb 26, 2024
a817bae
Merge pull request #12437 from Security-Onion-Solutions/feature/detec…
defensivedepth Feb 26, 2024
59af547
Fix download location
defensivedepth Feb 27, 2024
fcc0f9d
redo classifications
m0duspwnens Feb 27, 2024
d5fc6dd
Merge pull request #12449 from Security-Onion-Solutions/issue/12391
m0duspwnens Feb 27, 2024
df3943b
Daily rollover
weslambert Feb 27, 2024
d1e55d5
Merge pull request #12450 from Security-Onion-Solutions/fix/suricata_…
weslambert Feb 27, 2024
e2dd0f8
Only update rule files if AG
defensivedepth Feb 28, 2024
aa3b917
Merge pull request #12456 from Security-Onion-Solutions/feature/detec…
defensivedepth Feb 28, 2024
1fe8f3d
Merge pull request #12405 from Security-Onion-Solutions/repochange
TOoSmOotH Feb 29, 2024
53761d4
FIX: EA installers not downloadable from SOC + fix stg logging
reyesj2 Feb 29, 2024
d911b7b
Merge pull request #12469 from Security-Onion-Solutions/reyesj2-patch-4
reyesj2 Feb 29, 2024
b017157
Add antivirus mapping
defensivedepth Mar 1, 2024
d832158
Drop Hashes field
defensivedepth Mar 1, 2024
f3dce66
Merge pull request #12482 from Security-Onion-Solutions/2.4/sigma-pip…
defensivedepth Mar 1, 2024
f28f269
Fix FIM
defensivedepth Mar 4, 2024
9fd1653
Merge pull request #12487 from Security-Onion-Solutions/2.4/elastic-a…
defensivedepth Mar 4, 2024
018e099
Modify setup
TOoSmOotH Mar 4, 2024
fe23875
Fix df
TOoSmOotH Mar 4, 2024
58d2222
Merge pull request #12271 from Security-Onion-Solutions/suripcap
TOoSmOotH Mar 4, 2024
b64d610
Add AWS Cloudfront template
weslambert Mar 5, 2024
1514f12
Add AWS GuardDuty template
weslambert Mar 5, 2024
d85ac39
Add AWS Inspector template
weslambert Mar 5, 2024
d8e8933
Add AWS Security Hub template
weslambert Mar 5, 2024
2a7e5b0
Change version for foxtrot
weslambert Mar 5, 2024
bed4220
Add journald integration
weslambert Mar 5, 2024
08f2b82
add GLOBALS.is_sensor
m0duspwnens Mar 5, 2024
1a58aa6
only import pcap and suricata if sensor
m0duspwnens Mar 5, 2024
c0d19e1
fix } placement
m0duspwnens Mar 5, 2024
781f96a
Merge pull request #12497 from Security-Onion-Solutions/jppsensoroni
m0duspwnens Mar 5, 2024
b9ebe6c
Update VERSION
weslambert Mar 5, 2024
6eb608c
Update so-minion
TOoSmOotH Mar 5, 2024
a686d46
Update so-minion
TOoSmOotH Mar 5, 2024
b9707fc
Merge pull request #12502 from Security-Onion-Solutions/TOoSmOotH-pat…
TOoSmOotH Mar 5, 2024
185a160
Merge pull request #12500 from Security-Onion-Solutions/feature/addit…
weslambert Mar 5, 2024
4b5f00c
fix oinkcodes with leading zeros
jertel Mar 5, 2024
d5b0814
Merge pull request #12507 from Security-Onion-Solutions/jertel/annota…
jertel Mar 5, 2024
5687fdc
fix pcapspace function
m0duspwnens Mar 5, 2024
ac9db8a
Merge branch '2.4/dev' into jppsensoroni
m0duspwnens Mar 5, 2024
eaef076
Update so-minion
m0duspwnens Mar 5, 2024
73b45cf
Merge pull request #12508 from Security-Onion-Solutions/jppsensoroni
m0duspwnens Mar 5, 2024
1b47537
Add Exclusion toggle
defensivedepth Mar 6, 2024
12653ee
add new pcap annotations
jertel Mar 6, 2024
0f12297
add new pcap annotations
jertel Mar 6, 2024
5acefb5
Merge pull request #12511 from Security-Onion-Solutions/jertel/annota…
jertel Mar 6, 2024
f58c104
Update so-minion
TOoSmOotH Mar 6, 2024
a63fca7
Update soc_suricata.yaml
TOoSmOotH Mar 6, 2024
f836d6a
Update so-minion
TOoSmOotH Mar 6, 2024
4dfa1a5
Move Suricata around
TOoSmOotH Mar 6, 2024
9e67162
Merge pull request #12510 from Security-Onion-Solutions/2.4/excludede…
defensivedepth Mar 6, 2024
167aff2
detections annotations
jertel Mar 6, 2024
ad12093
Fix percent calc
TOoSmOotH Mar 6, 2024
1cbac11
detections annotations
jertel Mar 6, 2024
8f36a8a
Merge pull request #12514 from Security-Onion-Solutions/jertel/annota…
jertel Mar 6, 2024
9a413a2
Fix location of repo
TOoSmOotH Mar 6, 2024
7f1e786
Consolidate PCAP settings
TOoSmOotH Mar 6, 2024
cf23253
move suricata.pcap to suricata.config.outputs.pcap-log
m0duspwnens Mar 6, 2024
5832272
fix max-files calc
m0duspwnens Mar 6, 2024
17a75d5
Run stig post remediate scan against default ol9 scap-security-guide.
reyesj2 Mar 6, 2024
70f3ce0
change how maxfiles is calculated
m0duspwnens Mar 6, 2024
b5f1733
Merge pull request #12513 from Security-Onion-Solutions/newsuripcap
TOoSmOotH Mar 7, 2024
005930f
Add error.message mapping for system.syslog
weslambert Mar 7, 2024
1633527
Merge pull request #12519 from Security-Onion-Solutions/fix/error_mes…
weslambert Mar 7, 2024
fffef9b
gracefully handle status check failure on ubuntu
jertel Mar 7, 2024
e2567dc
Merge pull request #12521 from Security-Onion-Solutions/jertel/status
jertel Mar 7, 2024
4057498
unswap files
jertel Mar 7, 2024
06257b9
Update so-minion
TOoSmOotH Mar 7, 2024
6d06aa8
Merge pull request #12526 from Security-Onion-Solutions/jertel/status
jertel Mar 7, 2024
3eb6fe2
allow managersearch to receive redis and 5644
m0duspwnens Mar 8, 2024
7ec887a
Merge pull request #12537 from Security-Onion-Solutions/issue/12535
m0duspwnens Mar 8, 2024
4e32935
Add Strelka config back
weslambert Mar 8, 2024
fc66a54
Add Strelka download and update scripts back
weslambert Mar 8, 2024
e8ae609
Add Strelka rules watch back
weslambert Mar 8, 2024
6680e02
Update soc_pcap.yaml
dougburks Mar 8, 2024
e1b27a9
Merge pull request #12540 from Security-Onion-Solutions/dougburks-pat…
dougburks Mar 8, 2024
b6b6fc4
Merge pull request #12527 from Security-Onion-Solutions/TOoSmOotH-pat…
dougburks Mar 8, 2024
6f05c39
Updated RulesRepo for New Strelka Structure
coreyogburn Mar 8, 2024
68ba9a8
Merge pull request #12542 from Security-Onion-Solutions/cogburn/yara-…
coreyogburn Mar 8, 2024
4a9e826
Merge remote-tracking branch 'origin/2.4/dev' into kilo
defensivedepth Mar 8, 2024
a55e04e
pcap improvements
jertel Mar 8, 2024
a892352
Update soc_pcap.yaml
dougburks Mar 8, 2024
b622cf8
Merge pull request #12545 from Security-Onion-Solutions/dougburks-pat…
dougburks Mar 8, 2024
f4725bf
Merge pull request #12553 from Security-Onion-Solutions/reyesj2-patch…
reyesj2 Mar 11, 2024
34d5954
Fix indent
weslambert Mar 11, 2024
a8403c6
Create local salt dir for stig
reyesj2 Mar 11, 2024
2ca96c7
Merge pull request #12555 from Security-Onion-Solutions/reyesj2-patch…
reyesj2 Mar 11, 2024
4355d5b
Merge pull request #12544 from Security-Onion-Solutions/jertel/status
m0duspwnens Mar 11, 2024
907cf9f
transition pcap
m0duspwnens Mar 11, 2024
b5d8df7
auto-convert email addresses to lowercase during setup
jertel Mar 11, 2024
cd28c00
auto-convert email addresses to lowercase during setup
jertel Mar 11, 2024
8c54a19
Merge pull request #12560 from Security-Onion-Solutions/jertel/email
jertel Mar 11, 2024
ba32b3e
fix bpf for transition
m0duspwnens Mar 11, 2024
61a183b
Add regex defaults
defensivedepth Mar 11, 2024
b7f058a
Merge pull request #12561 from Security-Onion-Solutions/jppnocap
m0duspwnens Mar 11, 2024
47ab1f5
Merge pull request #12563 from Security-Onion-Solutions/kilo
defensivedepth Mar 11, 2024
0f41f07
Merge remote-tracking branch 'origin/2.4/dev' into 2.4/detections-def…
defensivedepth Mar 11, 2024
72acb11
Update soc_suricata.yaml
TOoSmOotH Mar 11, 2024
197791f
Merge pull request #12565 from Security-Onion-Solutions/2.4/detection…
defensivedepth Mar 12, 2024
5deebe0
Merge pull request #12564 from Security-Onion-Solutions/TOoSmOotH-pat…
TOoSmOotH Mar 12, 2024
3e0fb3f
Update so-saltstack-update
TOoSmOotH Mar 12, 2024
6034831
Merge pull request #12567 from Security-Onion-Solutions/TOoSmOotH-pat…
TOoSmOotH Mar 12, 2024
06013e2
Gen packages post-SOUP
defensivedepth Mar 13, 2024
dc3eace
Merge pull request #12576 from Security-Onion-Solutions/2.4/regenpack…
defensivedepth Mar 13, 2024
1a82919
remove modules if detections disabled
m0duspwnens Mar 13, 2024
292ab0e
Merge pull request #12577 from Security-Onion-Solutions/jppsocerino
m0duspwnens Mar 13, 2024
b9702d0
Update init.sls
m0duspwnens Mar 13, 2024
3d33c99
Merge pull request #12579 from Security-Onion-Solutions/m0duspwnens-p…
m0duspwnens Mar 13, 2024
275a678
removed unused property
jertel Mar 13, 2024
cc1356c
Merge pull request #12581 from Security-Onion-Solutions/jertel/suripcap
jertel Mar 13, 2024
927fe90
handle airgap when detections not enabled
jertel Mar 14, 2024
844cfe5
handle airgap when detections not enabled
jertel Mar 14, 2024
09bff01
Merge pull request #12584 from Security-Onion-Solutions/jertel/suripcap
jertel Mar 14, 2024
284e0d8
Update soc_suricata.yaml
TOoSmOotH Mar 14, 2024
fd835f6
Update soc_suricata.yaml
TOoSmOotH Mar 14, 2024
4237210
Merge pull request #12587 from Security-Onion-Solutions/TOoSmOotH-pat…
TOoSmOotH Mar 14, 2024
bb3bbd7
2.4.260
TOoSmOotH Mar 20, 2024
68ea283
Merge pull request #12615 from Security-Onion-Solutions/2.4.60
TOoSmOotH Mar 20, 2024
7779a95
Merge pull request #12617 from Security-Onion-Solutions/2.4/main
TOoSmOotH Mar 20, 2024
61 changes: 0 additions & 61 deletions salt/manager/tools/sbin/soup
@@ -247,67 +247,6 @@ check_sudoers() {
fi
}

check_log_size_limit() {
local num_minion_pillars
num_minion_pillars=$(find /opt/so/saltstack/local/pillar/minions/ -type f | wc -l)

if [[ $num_minion_pillars -gt 1 ]]; then
if find /opt/so/saltstack/local/pillar/minions/ -type f | grep -q "_heavynode"; then
lsl_msg='distributed'
fi
else
local minion_id
minion_id=$(lookup_salt_value "id" "" "grains" "" "local")

local minion_arr
IFS='_' read -ra minion_arr <<< "$minion_id"

local node_type="${minion_arr[0]}"

local current_limit
# since it is possible for the salt-master service to be stopped when this is run, we need to check the pillar values locally
# we need to combine default local and default pillars before doing this so we can define --pillar-root in salt-call
local epoch_date=$(date +%s%N)
mkdir -vp /opt/so/saltstack/soup_tmp_${epoch_date}/
cp -r /opt/so/saltstack/default/pillar/ /opt/so/saltstack/soup_tmp_${epoch_date}/
# use \cp here to overwrite any pillar files from default with those in local for the tmp directory
\cp -r /opt/so/saltstack/local/pillar/ /opt/so/saltstack/soup_tmp_${epoch_date}/
current_limit=$(salt-call pillar.get elasticsearch:log_size_limit --local --pillar-root=/opt/so/saltstack/soup_tmp_${epoch_date}/pillar --out=newline_values_only)
rm -rf /opt/so/saltstack/soup_tmp_${epoch_date}/

local percent
case $node_type in
'standalone' | 'eval')
percent=50
;;
*)
percent=80
;;
esac

local disk_dir="/"
if [ -d /nsm ]; then
disk_dir="/nsm"
fi

local disk_size_1k
disk_size_1k=$(df $disk_dir | grep -v "^Filesystem" | awk '{print $2}')

local ratio="1048576"

local disk_size_gb
disk_size_gb=$( echo "$disk_size_1k" "$ratio" | awk '{print($1/$2)}' )

local new_limit
new_limit=$( echo "$disk_size_gb" "$percent" | awk '{printf("%.0f", $1 * ($2/100))}')

if [[ $current_limit != "$new_limit" ]]; then
lsl_msg='single-node'
lsl_details=( "$current_limit" "$new_limit" "$minion_id" )
fi
fi
}

check_os_updates() {
# Check to see if there are OS updates
echo "Checking for OS updates."
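Review bot: this hunk deletes the definition of `check_log_size_limit()` together with the only code that assigns the globals `lsl_msg` and `lsl_details`, but the hunk does not show the call site or the code that later reads those two variables. Please confirm in the same change that the `check_log_size_limit` invocation and the `lsl_msg`/`lsl_details` consumers elsewhere in `soup` are removed as well; otherwise the script will hit an undefined function at runtime (or, if it is run under `set -e`, abort at that point) and any remaining branch on `lsl_msg` becomes dead code. A short note in the PR description on why the disk-based Elasticsearch `log_size_limit` check is no longer needed in soup (for example, that it moved into Salt state logic) would also help reviewers; the deletion by itself does not say where that check now lives.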