From 39c6dd230e3bbe3da51f496c1ce8ab540f27c35b Mon Sep 17 00:00:00 2001
From: Tyler Smalley
Date: Tue, 3 Aug 2021 10:34:03 -0700
Subject: [PATCH 1/2] Upgrade Kibana to 7.14.0
Signed-off-by: Tyler Smalley
---
 Dockerfile | 4 +-
 README.md | 6 +-
 bin/kibana-docker | 129 +++++++++++++++++++++++++++++++++-------
 hardening_manifest.yaml | 10 ++--
 4 files changed, 118 insertions(+), 31 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 8b80c0f..56e4bd4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,8 +14,8 @@ RUN yum update --setopt=tsflags=nodocs -y && \
 RUN mkdir /usr/share/kibana
 WORKDIR /usr/share/kibana
-COPY --chown=1000:0 kibana-7.13.4-linux-x86_64.tar.gz .
-RUN tar --strip-components=1 -zxf kibana-7.13.4-linux-x86_64.tar.gz
+COPY --chown=1000:0 kibana-7.14.0-linux-x86_64.tar.gz .
+RUN tar --strip-components=1 -zxf kibana-7.14.0-linux-x86_64.tar.gz
 # Ensure that group permissions are the same as user permissions.
 # This will help when relying on GID-0 to run Kibana, rather than UID-1000.
diff --git a/README.md b/README.md
index b208184..74bb49b 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ https://www.elastic.co/products/kibana.
 ### Installation instructions
-Please follow the documentation on [running Kibana on Docker](https://www.elastic.co/guide/en/kibana/7.13/docker.html).
+Please follow the documentation on [running Kibana on Docker](https://www.elastic.co/guide/en/kibana/7.14/docker.html).
 ### Where to file issues and PRs
@@ -31,9 +31,9 @@ You can learn more about the Elastic Community and also understand how to get mo
 visiting [Elastic Community](https://www.elastic.co/community).
 This software is governed by the [Elastic
-License](https://github.com/elastic/elasticsearch/blob/7.13/licenses/ELASTIC-LICENSE.txt),
+License](https://github.com/elastic/elasticsearch/blob/7.14/licenses/ELASTIC-LICENSE.txt),
 and includes the full set of [free features](https://www.elastic.co/subscriptions).
 View the detailed release notes
-[here](https://www.elastic.co/guide/en/elasticsearch/reference/7.13/es-release-notes.html).
+[here](https://www.elastic.co/guide/en/elasticsearch/reference/7.14/es-release-notes.html).
diff --git a/bin/kibana-docker b/bin/kibana-docker
index 877be1a..c064298 100755
--- a/bin/kibana-docker
+++ b/bin/kibana-docker
@@ -31,6 +31,19 @@ kibana_vars=(
 csp.rules
 csp.strict
 csp.warnLegacyBrowsers
+ csp.script_src
+ csp.worker_src
+ csp.style_src
+ csp.connect_src
+ csp.default_src
+ csp.font_src
+ csp.frame_src
+ csp.img_src
+ csp.frame_ancestors
+ csp.report_uri
+ csp.report_to
+ data.autocomplete.valueSuggestions.terminateAfter
+ data.autocomplete.valueSuggestions.timeout
 elasticsearch.customHeaders
 elasticsearch.hosts
 elasticsearch.logQueries
@@ -57,15 +70,26 @@ kibana_vars=(
 enterpriseSearch.accessCheckTimeoutWarning
 enterpriseSearch.enabled
 enterpriseSearch.host
+ externalUrl.policy
 i18n.locale
 interpreter.enableInVisualize
 kibana.autocompleteTerminateAfter
 kibana.autocompleteTimeout
 kibana.defaultAppId
 kibana.index
+ logging.appenders
+ logging.appenders.console
+ logging.appenders.file
 logging.dest
 logging.json
+ logging.loggers
+ logging.loggers.appenders
+ logging.loggers.level
+ logging.loggers.name
 logging.quiet
+ logging.root
+ logging.root.appenders
+ logging.root.level
 logging.rotate.enabled
 logging.rotate.everyBytes
 logging.rotate.keepFiles
@@ -85,6 +109,7 @@ kibana_vars=(
 migrations.batchSize
 migrations.enableV2
 migrations.pollInterval
+ migrations.retryAttempts
 migrations.scrollDuration
 migrations.skip
 monitoring.cluster_alerts.email_notifications.email_address
@@ -101,6 +126,7 @@ kibana_vars=(
 monitoring.ui.elasticsearch.ssl.verificationMode
 monitoring.ui.elasticsearch.username
 monitoring.ui.enabled
+ monitoring.ui.logs.index
 monitoring.ui.max_bucket_size
 monitoring.ui.min_interval_seconds
 newsfeed.enabled
@@ -110,26 +136,35 @@ kibana_vars=(
 path.data
 pid.file
 regionmap
+ savedObjects.maxImportExportSize
+ savedObjects.maxImportPayloadBytes
 security.showInsecureClusterWarning
 server.basePath
 server.compression.enabled
 server.compression.referrerWhitelist
 server.cors
+ server.cors.allowCredentials
+ server.cors.allowOrigin
+ server.cors.enabled
 server.cors.origin
- server.securityResponseHeaders.strictTransportSecurity
- server.securityResponseHeaders.xContentTypeOptions
- server.securityResponseHeaders.referrerPolicy
- server.securityResponseHeaders.permissionsPolicy
- server.securityResponseHeaders.disableEmbedding
 server.customResponseHeaders
 server.defaultRoute
 server.host
 server.keepAliveTimeout
- server.maxPayloadBytes
 server.maxPayload
+ server.maxPayloadBytes
 server.name
 server.port
+ server.publicBaseUrl
+ server.requestId.allowFromAnyIp
+ server.requestId.ipAllowlist
 server.rewriteBasePath
+ server.securityResponseHeaders.disableEmbedding
+ server.securityResponseHeaders.permissionsPolicy
+ server.securityResponseHeaders.referrerPolicy
+ server.securityResponseHeaders.strictTransportSecurity
+ server.securityResponseHeaders.xContentTypeOptions
+ server.shutdownTimeout
 server.socketTimeout
 server.ssl.cert
 server.ssl.certificate
@@ -145,6 +180,8 @@ kibana_vars=(
 server.ssl.supportedProtocols
 server.ssl.truststore.password
 server.ssl.truststore.path
+ server.uuid
+ server.xsrf.allowlist
 server.xsrf.disableProtection
 server.xsrf.whitelist
 status.allowAnonymous
@@ -160,31 +197,45 @@ kibana_vars=(
 tilemap.options.subdomains
 tilemap.url
 timelion.enabled
+ url_drilldown.enabled
 vega.enableExternalUrls
+ vis_type_vega.enableExternalUrls
 xpack.actions.allowedHosts
+ xpack.actions.customHostSettings
 xpack.actions.enabled
 xpack.actions.enabledActionTypes
- xpack.actions.preconfiguredAlertHistoryEsIndex
+ xpack.actions.maxResponseContentLength
 xpack.actions.preconfigured
+ xpack.actions.preconfiguredAlertHistoryEsIndex
+ xpack.actions.proxyBypassHosts
 xpack.actions.proxyHeaders
+ xpack.actions.proxyOnlyHosts
 xpack.actions.proxyRejectUnauthorizedCertificates
 xpack.actions.proxyUrl
- xpack.actions.proxyBypassHosts
- xpack.actions.proxyOnlyHosts
 xpack.actions.rejectUnauthorized
- xpack.actions.maxResponseContentLength
 xpack.actions.responseTimeout
- xpack.alerts.healthCheck.interval
- xpack.alerts.invalidateApiKeysTask.interval
- xpack.alerts.invalidateApiKeysTask.removalDelay
+ xpack.actions.ssl.proxyVerificationMode
+ xpack.actions.ssl.verificationMode
 xpack.alerting.healthCheck.interval
 xpack.alerting.invalidateApiKeysTask.interval
 xpack.alerting.invalidateApiKeysTask.removalDelay
+ xpack.alerts.healthCheck.interval
+ xpack.alerts.invalidateApiKeysTask.interval
+ xpack.alerts.invalidateApiKeysTask.removalDelay
 xpack.apm.enabled
+ xpack.apm.maxServiceEnvironments
+ xpack.apm.searchAggregatedTransactions
 xpack.apm.serviceMapEnabled
+ xpack.apm.serviceMapFingerprintBucketSize
+ xpack.apm.serviceMapFingerprintGlobalBucketSize
 xpack.apm.ui.enabled
 xpack.apm.ui.maxTraceItems
 xpack.apm.ui.transactionGroupBucketSize
+ xpack.banners.backgroundColor
+ xpack.banners.disableSpaceBanners
+ xpack.banners.placement
+ xpack.banners.textColor
+ xpack.banners.textContent
 xpack.canvas.enabled
 xpack.code.disk.thresholdEnabled
 xpack.code.disk.watermarkLow
@@ -197,15 +248,28 @@ kibana_vars=(
 xpack.code.ui.enabled
 xpack.code.updateRepoFrequencyMs
 xpack.code.verbose
+ xpack.data_enhanced.search.sessions.defaultExpiration
+ xpack.data_enhanced.search.sessions.enabled
+ xpack.data_enhanced.search.sessions.maxUpdateRetries
+ xpack.data_enhanced.search.sessions.notTouchedInProgressTimeout
+ xpack.data_enhanced.search.sessions.notTouchedTimeout
+ xpack.data_enhanced.search.sessions.pageSize
+ xpack.data_enhanced.search.sessions.trackingInterval
+ xpack.discoverEnhanced.actions.exploreDataInChart.enabled
+ xpack.discoverEnhanced.actions.exploreDataInContextMenu.enabled
 xpack.encryptedSavedObjects.encryptionKey
 xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys
 xpack.event_log.enabled
 xpack.event_log.indexEntries
 xpack.event_log.logEntries
+ xpack.fleet.agentPolicies
 xpack.fleet.agents.elasticsearch.host
+ xpack.fleet.agents.elasticsearch.hosts
+ xpack.fleet.agents.enabled
+ xpack.fleet.agents.fleet_server.hosts
 xpack.fleet.agents.kibana.host
 xpack.fleet.agents.tlsCheckDisabled
- xpack.fleet.agentPolicies
+ xpack.fleet.enabled
 xpack.fleet.packages
 xpack.fleet.registryUrl
 xpack.graph.canEditDrillDownUrls
@@ -229,7 +293,10 @@ kibana_vars=(
 xpack.maps.enabled
 xpack.maps.showMapVisualizationTypes
 xpack.ml.enabled
+ xpack.observability.annotations.index
 xpack.observability.unsafe.alertingExperience.enabled
+ xpack.observability.unsafe.cases.enabled
+ xpack.painless_lab.enabled
 xpack.reporting.capture.browser.autoDownload
 xpack.reporting.capture.browser.chromium.disableSandbox
 xpack.reporting.capture.browser.chromium.inspect
@@ -241,9 +308,11 @@ kibana_vars=(
 xpack.reporting.capture.concurrency
 xpack.reporting.capture.loadDelay
 xpack.reporting.capture.maxAttempts
+ xpack.reporting.capture.networkPolicy
 xpack.reporting.capture.settleTime
 xpack.reporting.capture.timeout
 xpack.reporting.capture.timeouts.openUrl
+ xpack.reporting.capture.timeouts.openUrl
 xpack.reporting.capture.timeouts.renderComplete
 xpack.reporting.capture.timeouts.waitForElements
 xpack.reporting.capture.viewport.height
@@ -273,24 +342,28 @@ kibana_vars=(
 xpack.reporting.queue.pollIntervalErrorMultiplier
 xpack.reporting.queue.timeout
 xpack.reporting.roles.allow
+ xpack.reporting.roles.enabled
 xpack.rollup.enabled
- xpack.ruleRegistry.unsafe.write.enabled
+ xpack.ruleRegistry.write.enabled
 xpack.searchprofiler.enabled
- xpack.security.audit.enabled
- xpack.security.audit.appender.type
- xpack.security.audit.appender.layout.type
+ xpack.security.audit.appender.fileName
 xpack.security.audit.appender.layout.highlight
 xpack.security.audit.appender.layout.pattern
+ xpack.security.audit.appender.layout.type
 xpack.security.audit.appender.legacyLoggingConfig
- xpack.security.audit.appender.fileName
- xpack.security.audit.appender.policy.type
 xpack.security.audit.appender.policy.interval
 xpack.security.audit.appender.policy.modulate
 xpack.security.audit.appender.policy.size
- xpack.security.audit.appender.strategy.type
+ xpack.security.audit.appender.policy.type
 xpack.security.audit.appender.strategy.max
 xpack.security.audit.appender.strategy.pattern
+ xpack.security.audit.appender.strategy.type
+ xpack.security.audit.appender.type
+ xpack.security.audit.enabled
 xpack.security.audit.ignore_filters
+ xpack.security.authc.http.autoSchemesEnabled
+ xpack.security.authc.http.enabled
+ xpack.security.authc.http.schemes
 xpack.security.authc.oidc.realm
 xpack.security.authc.providers
 xpack.security.authc.saml.maxRedirectURLSize
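Review bot: In the first hunk (@@ -241) the added `xpack.reporting.capture.timeouts.openUrl` sits directly below an existing context line with the identical name, so kibana_vars now carries the key twice. A bash array tolerates the duplicate, but it makes a list this long harder to audit and suggests the new entries were merged in without a uniqueness check; drop the added line `+    xpack.reporting.capture.timeouts.openUrl`. Running the array body through `sort -u` before committing would catch this class of slip. The kibana_vars array itself opens and closes outside the hunk.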
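Review bot: In the second hunk (@@ -273) `xpack.ruleRegistry.unsafe.write.enabled` is removed in favour of `xpack.ruleRegistry.write.enabled` with no transitional entry, and if the mapping loop only honours names present in this array, a deployment that still sets the environment variable for the old key will have it silently dropped rather than rejected. That is a configuration-drift risk for a setting that controls whether the rule registry writes at all, so the rename deserves a mention in the image release notes or a comment in the array, e.g. `# 7.14: xpack.ruleRegistry.unsafe.write.enabled renamed to xpack.ruleRegistry.write.enabled`. The same consideration applies to the `xpack.alerts.*` entries, which this commit keeps alongside their `xpack.alerting.*` successors, so the two cases are handled inconsistently. The enclosing array begins and ends outside the hunk.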
@@ -312,6 +385,18 @@ kibana_vars=(
 xpack.security.session.idleTimeout
 xpack.security.session.lifespan
 xpack.security.sessionTimeout
+ xpack.securitySolution.alertMergeStrategy
+ xpack.securitySolution.alertResultListDefaultDateRange
+ xpack.securitySolution.endpointResultListDefaultFirstPageIndex
+ xpack.securitySolution.endpointResultListDefaultPageSize
+ xpack.securitySolution.maxRuleImportExportSize
+ xpack.securitySolution.maxRuleImportPayloadBytes
+ xpack.securitySolution.maxTimelineImportExportSize
+ xpack.securitySolution.maxTimelineImportPayloadBytes
+ xpack.securitySolution.packagerTaskInterval
+ xpack.securitySolution.validateArtifactDownloads
+ xpack.securitySolution.prebuiltRulesFromFileSystem
+ xpack.securitySolution.prebuiltRulesFromSavedObjects
 xpack.spaces.enabled
 xpack.spaces.maxSpaces
 xpack.task_manager.enabled
@@ -322,6 +407,8 @@ kibana_vars=(
 xpack.task_manager.monitored_aggregated_stats_refresh_rate
 xpack.task_manager.monitored_stats_required_freshness
 xpack.task_manager.monitored_stats_running_average_window
+ xpack.task_manager.monitored_stats_health_verbose_log.enabled
+ xpack.task_manager.monitored_stats_health_verbose_log.warn_delayed_task_start_in_seconds
 xpack.task_manager.monitored_task_execution_thresholds
 xpack.task_manager.poll_interval
 xpack.task_manager.request_capacity
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 5346cbe..3d84232 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,7 +8,7 @@ name: 'elastic/kibana/kibana'
 # The most specific version should be the first tag and will be shown
 # on ironbank.dsop.io
 tags:
- - '7.13.4'
+ - '7.14.0'
 - 'latest'
 # Build args passed to Dockerfile ARGs
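Review bot: In the first hunk (@@ -312) `xpack.securitySolution.prebuiltRulesFromFileSystem` and `xpack.securitySolution.prebuiltRulesFromSavedObjects` are appended after `xpack.securitySolution.validateArtifactDownloads`, which breaks the alphabetical order the rest of this commit goes out of its way to restore (several other hunks only move entries to their sorted position). Move the two lines up so they follow `xpack.securitySolution.packagerTaskInterval`. Sorted order is the only thing that lets a reviewer spot a missing or duplicated key in a list of this size, so it is worth keeping strict. The kibana_vars array begins and ends outside the hunk.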
@@ -23,18 +23,18 @@ labels:
 org.opencontainers.image.licenses: 'Elastic License'
 org.opencontainers.image.url: 'https://www.elastic.co/products/kibana'
 org.opencontainers.image.vendor: 'Elastic'
- org.opencontainers.image.version: '7.13.4'
+ org.opencontainers.image.version: '7.14.0'
 # mil.dso.ironbank.image.keywords: ""
 # mil.dso.ironbank.image.type: "commercial"
 mil.dso.ironbank.product.name: 'Kibana'
 # List of resources to make available to the offline build context
 resources:
- - filename: kibana-7.13.4-linux-x86_64.tar.gz
- url: https://artifacts.elastic.co/downloads/kibana/kibana-7.13.4-linux-x86_64.tar.gz
+ - filename: kibana-7.14.0-linux-x86_64.tar.gz
+ url: https://artifacts.elastic.co/downloads/kibana/kibana-7.14.0-linux-x86_64.tar.gz
 validation:
 type: sha512
- value: 1accd5d6933f3f2f54174e53da626bc275b99b2f102d5f8cfee934d3520ee55a97c9c545cca32ddffec06a96114ce284e2e128cf334538214566c6530d1d673e
+ value: 0ca36be3345bb2cec0739274d8f57b84775ec8f545d26cfc0556b1014c4bc99e0c015d85aa09f0ad105e2181fb2bad449819f6386caad2f2d9402383c5644473
 - filename: tini
 url: https://github.com/krallin/tini/releases/download/v0.19.0/tini-amd64
 validation:
-- 
GitLab
From f62e22833c45171105f351030cb1e27f5e1ff1d5 Mon Sep 17 00:00:00 2001
From: Sean Melissari
Date: Wed, 4 Aug 2021 10:46:45 -0400
Subject: [PATCH 2/2] clamav false positive
---
 .gitlab/CODEOWNERS | 3 +++
 clamav-whitelist | 1 +
 2 files changed, 4 insertions(+)
 create mode 100644 clamav-whitelist
diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS
index 64a2c68..74d136c 100644
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@@ -4,3 +4,6 @@
 [Gitlab Configuration Files]
 .gitlab/* @ironbank-notifications/cht
+
+[ClamAV Whitelist File]
+clamav-whitelist @ironbank-security-team
diff --git a/clamav-whitelist b/clamav-whitelist
new file mode 100644
index 0000000..adbd76c
--- /dev/null
+++ b/clamav-whitelist
@@ -0,0 +1 @@
+Multios.Trojan.ElectroRAT-9823393-0
-- 
GitLab
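Review bot: The new clamav-whitelist in the last hunk suppresses the signature `Multios.Trojan.ElectroRAT-9823393-0` without recording which file in the image triggered it or how the match was confirmed benign; the commit message says only "clamav false positive". Suppressing a trojan signature for every future build of this image is itself a security decision, so the justification belongs in the commit body (the flagged path inside the 7.14.0 archive, the evidence it is a false positive, and a tracking reference), and, if the whitelist format accepts comments, as a one-line comment beside the entry as well. It is also worth stating whether the entry should be removed once the signature is corrected upstream, since whitelist entries tend to outlive the release they were added for. Routing the file to @ironbank-security-team in the CODEOWNERS hunk is the right control and should stay.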