Merge branch 'splunk:develop' into develop

.github/dependabot.yml

@@ -6,3 +6,7 @@ updates:
     interval: daily
     time: "14:00"
   open-pull-requests-limit: 10
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "weekly"

.github/workflows/build_attack_destroy_aws.yml

@@ -10,19 +10,19 @@ jobs:
     steps:
 
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Install System Packages
         run: |
           sudo apt update -qq
           sudo apt install -y openssh-client
       
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v5
         with:
           python-version: '3.9' #Available versions here - https://github.com/actions/python-versions/releases  easy to change/make a matrix/use pypy
           architecture: 'x64' # optional x64 or x86. Defaults to x64 if not specified
 
-      - uses: aws-actions/configure-aws-credentials@v1
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -36,7 +36,7 @@ jobs:
           known_hosts: unnecessary
           if_key_exists: fail 
 
-      - uses: hashicorp/setup-terraform@v1
+      - uses: hashicorp/setup-terraform@v3
 
       - name: Install Packer
         run: |

.github/workflows/build_attack_destroy_azure.yml

@@ -10,19 +10,19 @@ jobs:
     steps:
 
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Install System Packages
         run: |
           sudo apt update -qq
           sudo apt install -y openssh-client
       
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v5
         with:
           python-version: '3.9' #Available versions here - https://github.com/actions/python-versions/releases  easy to change/make a matrix/use pypy
           architecture: 'x64' # optional x64 or x86. Defaults to x64 if not specified
 
-      - uses: Azure/login@v1
+      - uses: Azure/login@v2
         with:
           creds: '{"clientId":"${{ secrets.CLIENT_ID }}","clientSecret":"${{ secrets.CLIENT_SECRET }}","subscriptionId":"${{ secrets.SUBSCRIPTION_ID }}","tenantId":"${{ secrets.TENANT_ID }}"}'
 
@@ -38,7 +38,7 @@ jobs:
         run: |
           echo ${{ secrets.AR_SSH_PUBLIC_KEY }} > ~/.ssh/ar-github-actions.pub
 
-      - uses: hashicorp/setup-terraform@v1
+      - uses: hashicorp/setup-terraform@v3
 
       - name: Install Packer
         run: |

.github/workflows/destroy_old_attack_ranges.yml

@@ -10,18 +10,18 @@ jobs:
     steps:
 
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Install System Packages
         run: |
           sudo apt update -qq
       
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v5
         with:
           python-version: '3.9' #Available versions here - https://github.com/actions/python-versions/releases  easy to change/make a matrix/use pypy
           architecture: 'x64' # optional x64 or x86. Defaults to x64 if not specified
 
-      - uses: aws-actions/configure-aws-credentials@v1
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

.github/workflows/publish-docker-image.yml

@@ -13,24 +13,24 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: 'develop'
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v6
         with:
           context: docker/
           platforms: linux/amd64,linux/arm64

.github/workflows/release.yml

@@ -43,7 +43,7 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     steps:
         - name: Checkout repo
-          uses: actions/checkout@v2
+          uses: actions/checkout@v4
           with:
             ref: 'develop'
 
@@ -60,7 +60,7 @@ jobs:
         #Upload all of the release artifacts that we have created using the third party
         #action recommended bu Github
         - name: Upload Release Artifacts
-          uses: softprops/action-gh-release@v1
+          uses: softprops/action-gh-release@v2
           with:
             files: |
               ../attack-range-${{ steps.vars.outputs.tag }}.tar.gz
@@ -75,18 +75,18 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           ref: 'develop'
 
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Setup Docker Build and Push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
         with:
           push: true 
           context: docker/ #do the build in the docker directory, not current working directory

modules/configuration.py

@@ -53,7 +53,7 @@ def create_key_pair_aws(region):
     epoch_time = str(int(time.time()))
     ssh_key_name = getpass.getuser() + "-" + epoch_time[-5:] + ".key"
     # create ssh keys
-    response = client.create_key_pair(KeyType='ed25519', KeyName=str(ssh_key_name)[:-4])
+    response = client.create_key_pair(KeyType='rsa', KeyName=str(ssh_key_name)[:-4])
     with open(ssh_key_name, "w") as ssh_key:
         ssh_key.write(response['KeyMaterial'])
     os.chmod(ssh_key_name, 0o600)

packer/ansible/roles/linux_sysmon/files/inputs.conf

@@ -6,4 +6,4 @@ journalctl-exclude-fields = __MONOTONIC_TIMESTAMP,__SOURCE_REALTIME_TIMESTAMP
 journalctl-filter = _SYSTEMD_UNIT=sysmon.service
 index = unix
 source = Syslog:Linux-Sysmon/Operational
-sourcetype = sysmon_linux
+sourcetype = sysmon:linux

packer/ansible/roles/splunk_server/tasks/main.yml

@@ -22,7 +22,7 @@
     - "splunk-machine-learning-toolkit_541.tgz"
     - "splunk-security-essentials_380.tgz"
     - "splunk-add-on-for-sysmon_400.tgz "
-    - "add-on-for-linux-sysmon_104.tgz"
+    - "splunk-add-on-for-sysmon-for-linux_100.tgz"
     - "splunk-add-on-for-amazon-web-services-aws_760.tgz"
     - "splunk-add-on-for-microsoft-office-365_451.tgz"
     - "splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz"

packer/ansible/roles/sysmon_linux/files/deb_template_inputs.conf

@@ -6,4 +6,4 @@ journalctl-exclude-fields = __MONOTONIC_TIMESTAMP,__SOURCE_REALTIME_TIMESTAMP
 journalctl-filter = _SYSTEMD_UNIT=sysmon.service
 index = unix
 source = Syslog:Linux-Sysmon/Operational
-sourcetype = sysmon_linux
+sourcetype = sysmon:linux

pyproject.toml

@@ -26,6 +26,12 @@ questionary = "^1.10.0"
 Jinja2 = "^3.1.2"
 python-vagrant = "^1.0.0"
 
+# Fix issue with docutils ".post1" release
+# https://github.com/python-poetry/poetry/issues/9293#issuecomment-2048205226
+[[tool.poetry.source]]
+name = "pypi-public"
+url = "https://pypi.org/simple/"
+
 [tool.poetry.dev-dependencies]
 
 [build-system]