-
Notifications
You must be signed in to change notification settings - Fork 13
/
Copy pathCHANGELOG
406 lines (323 loc) · 16.3 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased]
## [2.1.12] - 2024-11-13
### Fixed
- [CLOUD_INIT] Avoid automatic cache invalidation when datasources change on a machine
## [2.1.11] - 2024-09-12
### Changed
- [RSYSLOG_TEMPLATES] Control uuid generation in bulkid-template
## [2.1.10] - 2024-04-25
### Fixed
- [UPDATE_SYSTEM] Don't upgrade secadm-kmod in jails
### Changed
- [JAILS] Don't install Kernel in jails
## [2.1.9]- 2024-03-04
### Removed
- [JAILS] remove now-useless mkjail-* scripts
- [BASE_SUDOERS] mentions of mkjail-*
### Changed
- [SCRIPTS] Update Redis/Sentinel's announce-ip through redis commands when changing Vulture management IP
- [SYSTEM] [CSHRC] Add usefull keyboard bindings
- [UPDATE_SYSTEM] Stop vultured service during upgrades
- [UPDATE_SYSTEM] Install kernel/base in a separate Boot Environment
### Fixed
- [CLUSTER_JOIN] Fix wrong ca.key after cluster_join
- [NETWORK_IPS] Init pf rules before redis access
- [HOSTNAME] Restart gunicorn after db migration
## [2.1.8] - 2024-01-10
### Removed
- [UPDATE_SYSTEM] Don't upgrade/restart Darwin service specifically
### Changed
- [MISC] Some code cleanups and minor fixes
### Fixed
- [UPDATE_SYSTEM] Avoid linker errors during pkg upgrades by deactivating harden_rtld during upgrade
## [2.1.7] - 2023-09-12
### Fixed
- [UPGRADE_TO_13] Put the Node into MAINTENANCE mode during upgrades
- [UPGRADE_TO_13] Ensure Node is completely restarted before continuing
## [2.1.6] - 2023-08-22
### Added
- [UPDATE_SYSTEM] Updating toggle maintenance
- [RSYSLOG_TEMPLATES] bulkid-template for ELS datastream support
### Fixed
- [UPGRADE_TO_13] Motd template
- [UPDATE_SYSTEM] Force maintenance state during update
## [2.1.5] - 2023-07-20
### Added
- [UPDATE_SYSTEM] Add timestamps in logs when starting/stopping an upgrade
### Changed
- [HAPROXY] [RSYSLOG_TEMPLATES] Update templates to use new <name>_json versions
### Removed
- [SYSCTL] Obsolete parameter 'net.inet.ip.rfc1122_strong_es'
## [2.1.4] - 2023-07-11
### Fixed
- [PROXY.SH] Remove scheme from provided proxy value
## [2.1.3] - 2023-07-10
### Changed
- [UPDATE_SYSTEM] Lock/unlock vulture packages between upgrades
- [UPDATE_SYSTEM] Properly stop crontabs during upgrades
### Fixed
- [UPDATE_SYSTEM] Ensure secadm version stays up-to-date with the kernel version
- [UPGRADE_TO_13] Use Boot Environments to have a safer upgrade
## [2.1.2] - 2023-05-24
### Fixed
- [UPGRADE_TO_13] Use a Boot Environment to avoid problems during system upgrade
### Changed
- [LOADER] Update loader.conf to reflect changes made on Vulture OS/release
- [ADMIN] Deprecate use of mkjail_* scripts
- [CLUSTER_CREATE] Improve script by returning status code
- [CLUSTER_CREATE] Correctly handle vultured start/restart at the end of the script
## [2.1.1] - 2023-03-30
### Changed
- [UPDATE] [SYSTEM] Default base upgrade merge strategy is now 'mine-full' (keep local versions)
### Fixed
- [UPDATE] [SYSTEM] Ensure options used during hbsd-update are all kept for jails' upgrades
## [2.1.0] - 2023-03-16
### Added
- [UPGRADE] [HBSD13] Add a script to register new Vulture's HBSD13 own repositories (and disable previous ones)
- [UPGRADE] [HBSD13] Add an upgrade script to go from HBSD12 to HBSD13 (and switch to Vulture's own repositories)
### Changed
- [SYSTEM] [MOTD] Updated MOTD to notify about new script to upgrade to HBSD13
### Fixed
- [UPDATE] [SYSTEM] Ensure system update is downloaded before trying to upgrade the system or a jail
## [2.0.11] - 2023-03-01
### Fixed
- [HAPROXY] [SYSTEM_LOGGING] Internal Haproxy logging through Rsyslog didn't work
## [2.0.10] - 2023-03-01
### Changed
- [LOGROTATE] decrease retention time of /var/log/pf/pf.log files to 7
- [MKJAIL_RSYSLOG] Mount /var/log/pf as RW in Rsyslog jail
- [MOTD] Adapt Vulture MOTD to HBSD13
### Added
- [LOGROTATE] Add log rotation for new /zroot/rsyslog/var/log/internal/pf.conf parsed pf logs
### Removed
- [SYSTEM] Don't package a custom netif script anymore
## [2.0.9] - 2023-02-16
### Changed
- [UPDATE_SYSTEM] Reload Haproxy after an upgrade instead of stopping/starting it
- [SYSTEM] [RC] Set system network config in /etc/rc.conf instead of /etc/rc.conf.d/network
### Added
- [RSYSLOG] [CONFIG] new static ruleset for haproxy global logs parsing and writing
### Fixed
- [LOGROTATE] [CONFIG] Wrong extension '.gz.gz' on logrotated haproxy log files
## [2.0.8] - 2023-01-18
### Fixed
- [UPDATE_SYSTEM] Don't use the jail's hbsd-update.conf file for jail system upgrades
### Changed
- [LOADER] Update zfs options to increase ARC size and increase disk performances
## [2.0.7] - 2022-12-21
### Fixed
- [SCRIPTS] [PROXY.SH] Correctly reload PF configuration when changing proxy settings
## [2.0.6] - 2022-12-15
### Fixed
- [SCRIPTS] [PROXY.SH] Wrong proxy configuration set in pkg.conf
- [SCRIPTS] Remove several references to removed apache24 package
## [2.0.5] - 2022-12-09
### Removed
- [JAIL] [APACHE] Disable and uninstall apache from jail
### Fixed
[CLUSTER_JOIN] Correctly stop and restart local services during cluster join
[CLUSTER_JOIN] Correctly add the master's hostname/ip in /etc/hosts
### Added
- [JAIL] [APACHE] Install nginx and gunicorn in the apache jail
- [JAIL] [APACHE] Ensure python is installed in the apache jail
- [SYSTEM] Create a new /var/sockets/gui folder and mount it RW in the apache jail
- [SUDO] Allow vlt-os to manage gunicorn/nginx services
- [UPDATE_SYSTEM] stop gunicorn services before upgrading vulture-gui
### Changed
- [UPDATE_SYSTEM] stop/start/reload nginx/gunicorn during system updates
- [LOGROTATE] reload nginx and gunicorn in the apache jail after rotating gui logs
## [2.0.4] - 2022-11-21
### Added
- [CLOUD_INIT] Default logging configuration
- [SYSTEM] [CSHRC] Additional bindings for terminal manipulation
## [2.0.3] - 2022-11-10
### Changed
- [CLOUD_INIT] Support for 'NoCloud' datasource in replacement of (unused) ConfigDrive
- [CLOUD_INIT] add support for more partition names for growpart module
- [CLUSTER_SCRIPTS] Allow calling cluster_* scripts with parameters
### Added
- [UPDATE_SYSTEM.SH] jail update support for new appliances (common jail base)
- [PROXY.SH] Set proxy settings in pkg.conf to use proxy transparently
### Fixed
- [PFCTL_INIT] Reload pf rules after rewriting them
## [2.0.2] - 2022-10-27
### Fixed
- [SCRIPTS] resolve formatting and typing mistakes in network-ips.sh
## [2.0.1] - 2022-10-19
### Removed
- [DENYHOSTS] Completely remove denyhosts for the time being
### Changed
- [MKJAIL] Use hbsd-update instead of manual download/check/untar of update archives when creating jails
- [DEPENDENCY] Changed installations from package name to origin which considers the default python version of the HBSD image
- [DEPENDENCY] Changed uses of python 3.8 binary to python3 to accommodate systems' default version of python
## [2.0.0] - 2022-09-07
### Removed
- [DEPRECATED] [UPDATE_SCRIPTS] Removed update_system_lite.sh (update_system.sh can be used to get the same result with the '-u' flag)
- [PF] [INIT CONFIGURATION] useless NAT rules for DNS
- [PREDATOR] reputation.sh script to get reputation databases from predator
- [DASHBOARD] vulture-dashboard does not exist anymore
- [DEPRECATED] [DOCUMENTATION] GUI/API documentation has been removed
- [DEPRECATED] [DEFENDER] mod_defender capabilities have been removed
- [DEPRECATED] [VM] VM capabilities (through bhyve) have been removed
- [NETWORK] tap0/vm_public interfaces have been removed
### Changed
- [HAPROXY] [RSYSLOG TEMPLATES] Updated templates to use correct and updated fields
- [DNSMASQ] [CONFIGURATION] Several changes to the service configuration file
- remove useless DHCP settings
- bind service on lo0 instead of tap0
- remove 'bind-interfaces' setting
- [NODE] [STATUS] replaced .node_ok and .install files with database/manage.py checks
- [JAILS] [RESOLUTION] Update jails' resolv.conf to use loopback interface instead of tap0
- [JAILS] [CONFIG FILES] Dissociate apache and portal jails' configuration in package
- [ADMIN][MANAGEMENT] Changed the use of management.ip file to using rc configuration
- [ADMIN][MANAGEMENT] Added options in the CLI to change:
- internet_ip
- backends_outgoing_ip
- logom_outgoing_ip
- [ADMIN][MANAGEMENT] Modified management.sh to change the above ips
- [ADMIN][MANAGEMENT] Renamed management.sh to network-ips.sh
- [NETWORK-IPS][APACHE] Changed from reloading configuration to reloading the service
### Added
- [UPDATE] Restart dnsmasq at the end of the update process, and after upgrading vulture-gui/vulture-base
- [CLUSTER_CREATE] Restart apache at the end of the cluster creation to reload cluster status in loaded code
- [RSYSLOG] [TEMPLATES] Missing elastic templates for haproxy log output templates
- [CHANGELOG] Created file with past known releases
### Fixed
- [SYSCTL] Renamed sysctl variable 'net.inet.ip.check_interface' into new 'net.inet.ip.rfc1122_strong_es'
- [SYSCTL] Removed sysctl variable 'net.inet.tcp.recvbuf_inc=131072'
- [NETCONFIG] Improved detection of DHCP-enabled interfaces on which to reload dhcp client during network configuration changes
- [UPDATE_SYSTEM] Ensure no cronjobs are running or can start during upgrades
## [1.3.2] - 2022-08-05
### Removed
- [DOC] Do not specify installing vulture-libtensorflow package in installation instructions
- [DEPENDENCIES] do not depend on vulture-libtensorflow anymore
## [1.3.1] - 2022-06-30
### Removed
- [ZAP] all zap files, services and integrations (`deprecated`)
### Fixed
- [MKJAIL][APACHE] create timeouts.conf file in apache jail if absent
- [UPDATE_SYSTEM] use `yes` (/usr/bin/yes) instead of echo to automatically resolve hbsd-update/etcupdate interactive requests during system upgrades
- [CLOUDINIT] Enable Ec2 datasource (was disabled by default)
## [1.3.0] - 2022-06-17
### Fixed
- [MKJAIL][PORTAL] add missing python38 package in the portal jail during jail creation
### Changed
- [SYSTEM][UPGRADE] Complete rework of update_system.sh
- ability to only download packages and system upgrades on a temporary directory
- ability to remove/keep temporary directory used during upgrade
- ability to use a custom version while upgrading system (compatible with HardenedBSD only)
- ability to clean pkg cache (system and jails) after a successful upgrade
- ability to specify if DNSSEC should be used during system upgrade (default NO)
- ability to only upgrade packages, not system (equivalent to update_system_lite)
- ability to only upgrade system and jails, not packages
- ability to specify a custom temporary directory
- ability to specify an 'automatic' resolution process during HardenedBSD system upgrades (etcupdate resolve strategy) for non-interactive upgrades
- WARNING: the script no longer tries system upgrade package validation with DNSSEC, user SHOULD use -d to activate DNSSEC validation when necessary
- OBSOLETE: update_system_lite.sh will be obsoleted in the next release
### Added
- [CLOUDINIT] basic configuration files for cloud-init integration
## [1.2.3] - 2022-06-15
### Added
- [FRONTEND][HAPROXY-LOGS] Add missing fields and microseconds in timestamp
## [1.2.2] - 2022-03-31
### Added
- [UPGRADE_SCRIPT][MONGO] ensure secadm exceptions are enforced for `mongo` executable in mongodb jail
- [BOOTSTRAP] Install vulture-haproxy binary dependencies to apache jail (pcre2)
- [BOOTSTRAP] copy haproxy binary and libraries from vulture-haproxy package to apache jail
### Removed
- [BOOTSTRAP] Don't install haproxy package to apache jail
## [1.2.1] - 2022-02-21
### Added
- [UPGRADE SCRIPT] force disable **mprotect** and **pageexec** protections on mongo executable in mongodb jail
## [1.2.0] - 2022-02-03
### Added
- [ADMIN][Restriction] Prevent (mis)use of `pkg upgrade` (use `update_system(_lite).sh` instead)
### Changed
- [PORTAL] Use **[gunicorn](https://docs.gunicorn.org/en/stable/)** instead of **[apache wsgi](https://pypi.org/project/mod-wsgi/)** to host portal engine
## [1.1.9] - 2022-01-04
### Fixed
- [LOGROTATE] : Use copytruncate for python logs (/var/log/vulture/os/**.log -> some logs where lost -> django crontabs continued to write into rotated file
## [1.1.8] - 2021-11-29
### Changed
- [UPGRADE][SCRIPTS] Completely disable Secadm rules on host and in jails before upgrading anything, reactivate the rules at the end
### Fixed
- [BOOTSTRAP] Correct name for package 'openldap-client' -> 'openldap24-client'
## [1.1.7] - 2021-08-25
### Fixed
- [UPGRADE SCRIPTS] disable secadm rules temporarily on host before updating gui to prevent errors while reinstalling python env
## [1.1.6] - 2021-08-09
### Added
- [Sudoers] : Add needed rules for filebeat service management
- [Filebeat] : Add "filebeat_enable=YES" into Rsyslog make-jail script
### Fixed
- [Netconfig] : Remove duplicated lines in generated /etc/rc.conf.d/network file
- [Cluster_join] : Fix script for IPv6 master joining
- [Admin.sh/time] : Fix ntp configuration reuse
- [Dnsmasq] : Remove useless 'local=/lan/' directive - which caused resolution bugs on *.lan domains
- [LogRotate] : Fix permissions on Darwin rotated log files
### Removed
- [Apache/Portal] : Remove obsolete "jpeg" package : replaced by jpeg-turbo
### Changed
- [Admin.sh/upgrade] : Do not use dnssec validation when archive has already been downloaded
- [PYTHON] Upgrade python version from 3.7 to 3.8
## [1.1.3] - 2021-04-16
### Fixed
- Rsyslog template : Add missing defender_score field in Rsyslog template for haproxy logs sent to Mongodb database
- Update : Upgrade darwin before vulture-gui in update_system & update_system_lite, to handle configuration changes
- Jails : Install missing needed packages into jails
## [1.1.1] - 2021-02-03
### Removed
- [HAPROXY LOG TEMPLATES] remove obsoleted/unused fields (haproxy 'http_{receive,response}_time' and 'tcp_request_time')
- [HAPROXY LOG TEMPLATES] remove obsolete darwin_* fields
### Fixed
- [HAPROXY LOG TEMPLATES] safe representation of fields for json format
- [HAPROXY LOG TEMPLATES] numbers are represented without quotes
- [HAPROXY LOG TEMPLATES] add missing quotes in some fields
- [IMPCAP LOG TEMPLATES] safe representation of fields for json format
- [IMPCAP LOG TEMPLATES] numbers are represented without quotes
- [IMPCAP LOG TEMPLATES] add missing quotes in some fields
### Added
- [HAPROXY LOG TEMPLATES] add redis templates for Darwin context caching
- [HAPROXY LOG TEMPLATES] add 'advens' enrichment field
- [IMPCAP LOG TEMPLATES] add 'advens' enrichment field
## [1.0.2] - 2020-03-09
### Added
- Add OWASP ZAP scanner
- Add Java dependencies
- Add dashboard update mechanism
- Add host's secadm rules
## [1.0.1] - 2020-02-27
### Added
- KERNEL : Add support for Kernel tools in install-kernel
- KERNEL : Add secadm service (packaged into vulture-kernel)
- KERNEL : Add pax exception for node binary
- KERNEL : Add pax exception for python binary
- APACHE : Add libucl in ApacheJail + secadm support
- RSYSLOG : add template for new rsyslog's omhiredis 'set' option
### Changed
- ADMIN.SH : Reload apache config if management ip has changed
- ADMIN.SH : Do not start vultured if upgrade is done before install
- APACHE : Install radiusclient instead of freeradius-client in Apache/Portal jails (freeradius-client is unfetchable now)
- JAILS : Install Hardened base.txz into all jails
- JAILS : Install openssl instead of openssl111 into Apache,Portal,Rsyslog jails
- KERNEL : Install-kernel now updates gptzfsboot, needed to decrypt ZFS partitions
- LOADER.CONF : Load kernel module if_tap (not built-in in Hardened kernel)
- PKG : A node support into apache jail for vulture-dashboard
- PYTHON : Upgrade python version 3.6 -> 3.7
- REDIS : Use /var/db/vulture-redis for database save path (issue with default /var/db/redis path)
- RSYSLOG : Install libgcrypt into Rsyslog jail
- SHELLINABOX : Rename shellinabox service files to vulture-shellinabox to prevent overwrite by shellinabox official package
- VULTURED : Check vultured service status with pid file and not with ps (by default), to solve 'not running' with old python3 env
### Removed
- RSYSLOG : Remove 98-pstats conf file, it's a template in vulture-gui now
### Fixed
- ADMIN.SH : Fix creation of '2' files in vlt-adm HOME, caused by dialog
- ADMIN.SH : Fix darwin upgrade for version 1.2.1-2
- LOGROTATE : Add missing pstats-sec rotation conf
- MKJAILS : Add missing option in virtualenv creation
- SYSCTL : Fix erroneous oid
- SYSCTL : Fix invalid parameter 'kern.timecounter.hardware'