Merge pull request #15043 from Security-Onion-Solutions/2.4/dev

2.4.180

Author: dougburks

.github/DISCUSSION_TEMPLATE/2-4.yml

@@ -30,6 +30,7 @@ body:
         - 2.4.150
         - 2.4.160
         - 2.4.170
+        - 2.4.180
         - Other (please provide detail below)
     validations:
       required: true

DOWNLOAD_AND_VERIFY_ISO.md

@@ -1,17 +1,17 @@
-### 2.4.170-20250812 ISO image released on 2025/08/12
+### 2.4.180-20250916 ISO image released on 2025/09/17
 
 
 ### Download and Verify
 
-2.4.170-20250812 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.170-20250812.iso
+2.4.180-20250916 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.180-20250916.iso
 
-MD5: 50ECAAD05736298452DECEAE074FA773  
-SHA1: 1B1EB520DE61ECC4BF34E512DAFE307317D7666A  
-SHA256: 87D176A48A58BAD1C2D57196F999BED23DE9B526226E3754F0C166C866CCDC1A  
+MD5: DE93880E38DE4BE45D05A41E1745CB1F  
+SHA1: AEA6948911E50A4A38E8729E0E965C565402E3FC  
+SHA256: C9BD8CA071E43B048ABF9ED145B87935CB1D4BB839B2244A06FAD1BBA8EAC84A  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.170-20250812.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.180-20250916.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.170-20250812.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.180-20250916.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.170-20250812.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.180-20250916.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.170-20250812.iso.sig securityonion-2.4.170-20250812.iso
+gpg --verify securityonion-2.4.180-20250916.iso.sig securityonion-2.4.180-20250916.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Fri 08 Aug 2025 06:24:56 PM EDT using RSA key ID FE507013
+gpg: Signature made Tue 16 Sep 2025 06:30:19 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <[email protected]>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

VERSION

@@ -1 +1 @@
-2.4.170
+2.4.180

pillar/top.sls

@@ -262,6 +262,9 @@ base:
     - minions.adv_{{ grains.id }}
     - kafka.nodes
     - kafka.soc_kafka
+    - stig.soc_stig
+    - elasticfleet.soc_elasticfleet
+    - elasticfleet.adv_elasticfleet
 
   '*_import':
     - node_data.ips
@@ -319,10 +322,12 @@ base:
     - elasticfleet.adv_elasticfleet
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
+    - stig.soc_stig
 
   '*_hypervisor':
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
+    - stig.soc_stig
 
   '*_desktop':
     - minions.{{ grains.id }}

salt/allowed_states.map.jinja

@@ -143,6 +143,7 @@
         ),
         'so-fleet': (
             ssl_states +
+            stig_states +
             ['logstash', 'nginx', 'healthcheck', 'elasticfleet']
         ),
         'so-receiver': (

salt/elasticfleet/artifact_registry.sls

@@ -9,3 +9,6 @@ fleetartifactdir:
     - user: 947
     - group: 939
     - makedirs: True
+    - recurse:
+      - user
+      - group

salt/elasticfleet/config.sls

@@ -9,6 +9,9 @@
 {% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 {% set node_data = salt['pillar.get']('node_data') %}
 
+include:
+  - elasticfleet.artifact_registry
+
 # Add EA Group
 elasticfleetgroup:
   group.present:

salt/elasticfleet/defaults.yaml

@@ -38,6 +38,7 @@ elasticfleet:
     - elasticsearch
     - endpoint
     - fleet_server
+    - filestream
     - http_endpoint
     - httpjson
     - log

salt/elasticfleet/enabled.sls

@@ -67,6 +67,8 @@ so-elastic-fleet-auto-configure-artifact-urls:
 elasticagent_syncartifacts:
   file.recurse:
     - name: /nsm/elastic-fleet/artifacts/beats
+    - user: 947
+    - group: 947
     - source: salt://beats
 {% endif %}
 

salt/elasticfleet/files/integrations/grid-nodes_general/elastic-agent-monitor.json

@@ -0,0 +1,48 @@
+{
+  "package": {
+    "name": "filestream",
+    "version": ""
+  },
+  "name": "agent-monitor",
+  "namespace": "",
+  "description": "",
+  "policy_ids": [
+    "so-grid-nodes_general"
+  ],
+  "output_id": null,
+  "vars": {},
+  "inputs": {
+    "filestream-filestream": {
+      "enabled": true,
+      "streams": {
+        "filestream.generic": {
+          "enabled": true,
+          "vars": {
+            "paths": [
+              "/opt/so/log/agents/agent-monitor.log"
+            ],
+            "data_stream.dataset": "agentmonitor",
+            "pipeline": "elasticagent.monitor",
+            "parsers": "",
+            "exclude_files": [
+              "\\.gz$"
+            ],
+            "include_files": [],
+            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n- add_fields:\n    target: event\n    fields:\n        module: gridmetrics",
+            "tags": [],
+            "recursive_glob": true,
+            "ignore_older": "72h",
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": true,
+            "fingerprint_offset": 0,
+            "fingerprint_length": 64,
+            "file_identity_native": false,
+            "exclude_lines": [],
+            "include_lines": []
+          }
+        }
+      }
+    }
+  }
+}