From 73ce5264676705802a4e1db90bd42695020c4a2e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 16 Oct 2024 17:06:03 -0400 Subject: [PATCH 1/4] allow users to lock pkgs from upgrade --- pillar/top.sls | 2 ++ salt/versionlock/defaults.yaml | 3 +++ salt/versionlock/init.sls | 13 +++++++++++ salt/versionlock/map.jinja | 32 +++++++++++++++++++++++++++ salt/versionlock/soc_versionlock.yaml | 10 +++++++++ 5 files changed, 60 insertions(+) create mode 100644 salt/versionlock/defaults.yaml create mode 100644 salt/versionlock/init.sls create mode 100644 salt/versionlock/map.jinja create mode 100644 salt/versionlock/soc_versionlock.yaml diff --git a/pillar/top.sls b/pillar/top.sls index 131b39a99..9ae7e1e44 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -16,6 +16,8 @@ base: - sensoroni.adv_sensoroni - telegraf.soc_telegraf - telegraf.adv_telegraf + - versionlock.soc_versionlock + - versionlock.adv_versionlock '* and not *_desktop': - firewall.soc_firewall diff --git a/salt/versionlock/defaults.yaml b/salt/versionlock/defaults.yaml new file mode 100644 index 000000000..b7bce6c48 --- /dev/null +++ b/salt/versionlock/defaults.yaml @@ -0,0 +1,3 @@ +versionlock: + kernel: False + hold: [] diff --git a/salt/versionlock/init.sls b/salt/versionlock/init.sls new file mode 100644 index 000000000..ac27d69d7 --- /dev/null +++ b/salt/versionlock/init.sls @@ -0,0 +1,13 @@ +{% from 'versionlock/map.jinja' import VERSIONLOCKMERGED %} + +{% for pkg in VERSIONLOCKMERGED.hold %} +{{pkg}}_held: + pkg.held: + - name: {{pkg}} +{% endfor %} + +{% for pkg in VERSIONLOCKMERGED.UNHOLD %} +{{pkg}}_unheld: + pkg.unheld: + - name: {{pkg}} +{% endfor %} diff --git a/salt/versionlock/map.jinja b/salt/versionlock/map.jinja new file mode 100644 index 000000000..79ef1c45c --- /dev/null +++ b/salt/versionlock/map.jinja 
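Review bot: `{{pkg}}_held:` and `- name: {{pkg}}` render pillar strings straight into YAML, and soc_versionlock.yaml exposes `hold` as a free-form `[]string` edited in the SOC UI, so one entry containing `:`, `#`, a leading `-` or whitespace breaks the render of this whole state instead of failing a single hold. Because this state is later targeted at `'*'` in salt/top.sls, such an entry would fail the highstate on every minion. Quote the name, e.g. `- name: {{ pkg | yaml_encode }}`, and filter `hold` down to valid package names in map.jinja before it reaches these loops (something like `select('match', '^[A-Za-z0-9][A-Za-z0-9._+-]*$')`) so the state ID stays well-formed too. The same applies to the `pkg.unheld` loop below it.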
@@ -0,0 +1,32 @@ +{% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %} +{% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %} +{% set HELD = salt['pkg.list_holds']() %} + +{% set PACKAGES_HELD_IN_OTHER_STATES = [ + 'salt', + 'salt-master', + 'salt-minion', + 'containerd.io', + 'docker-ce', + 'docker-ce-cli', + 'docker-ce-rootless-extras' +] %} + +{% if VERSIONLOCKMERGED.kernel %} + {% do VERSIONLOCKMERGED['hold'].append('kernel') %} +{% endif %} + +{# remove packages held in other states from hold list #} +{% do VERSIONLOCKMERGED.update({'hold': VERSIONLOCKMERGED['hold'] | unique | reject('in', PACKAGES_HELD_IN_OTHER_STATES) | list }) %} + +{% do VERSIONLOCKMERGED.update({'UNHOLD': []}) %} + +{# if a package is currently held but not set to be held, unhold it #} +{% for item in HELD %} + {% set base_name = item.rsplit('-', 2)[0] %} + {% if base_name not in VERSIONLOCKMERGED['hold'] + and base_name not in PACKAGES_HELD_IN_OTHER_STATES + and base_name not in VERSIONLOCKMERGED['UNHOLD'] %} + {% do VERSIONLOCKMERGED['UNHOLD'].append(base_name) %} + {% endif %} +{% endfor %} diff --git a/salt/versionlock/soc_versionlock.yaml b/salt/versionlock/soc_versionlock.yaml new file mode 100644 index 000000000..b5f25c3a7 --- /dev/null +++ b/salt/versionlock/soc_versionlock.yaml @@ -0,0 +1,10 @@ +versionlock: + kernel: + description: Lock the kernel to prevent upgrade. + global: True + forcedType: bool + hold: + description: List of packages to hold + global: True + forcedType: "[]string" + multiline: True From 5fb660bc9ad082cf478d1b6fed842a803294616b Mon Sep 17 00:00:00 2001 
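Review bot: `salt['pkg.list_holds']()` returns the full lock specification (epoch, version, release) and the unhold loop then recovers the package name with `item.rsplit('-', 2)[0]`; the yum/dnf module already performs that extraction when called as `salt['pkg.list_holds'](full=False)`, which removes the hand parsing and the dependence on the `name-epoch:version-release` layout of the lock string. Separately, as I read Salt's apt provider it does not implement `pkg.list_holds` (the `pkg.held` state falls back to `pkg.get_selections` there), so on Debian/Ubuntu minions this line would raise at render time — worth confirming before the state is applied to `'*'`. Also note that the loop removes any lock an operator added by hand (e.g. `dnf versionlock add`) that is not in `hold` or PACKAGES_HELD_IN_OTHER_STATES; if that is intended, the UI description should say so.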
From: m0duspwnens Date: Thu, 17 Oct 2024 09:29:03 -0400 Subject: [PATCH 2/4] remove kernel bool option, just use list --- salt/logstash/map.jinja | 4 ++-- salt/top.sls | 1 + salt/versionlock/defaults.yaml | 1 - salt/versionlock/init.sls | 5 +++++ salt/versionlock/map.jinja | 15 ++++++++------- salt/versionlock/soc_versionlock.yaml | 7 ++----- setup/so-functions | 2 +- 7 files changed, 19 insertions(+), 16 deletions(-) diff --git a/salt/logstash/map.jinja b/salt/logstash/map.jinja index 8fc3291e5..da2bc341a 100644 --- a/salt/logstash/map.jinja +++ b/salt/logstash/map.jinja @@ -1,5 +1,5 @@ {# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one - or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at https://securityonion.net/license; you may not use this file except in compliance with the Elastic License 2.0. #} @@ -42,4 +42,4 @@ {% do LOGSTASH_MERGED.update({'enabled': False}) %} {% endif %} {% endif %} -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/top.sls b/salt/top.sls index d876806f2..cffd1ebc8 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -12,6 +12,7 @@ base: '*': - cron.running - repo.client + - versionlock - ntp - schedule - logrotate diff --git a/salt/versionlock/defaults.yaml b/salt/versionlock/defaults.yaml index b7bce6c48..cacd1d7bb 100644 --- a/salt/versionlock/defaults.yaml +++ b/salt/versionlock/defaults.yaml @@ -1,3 +1,2 @@ versionlock: - kernel: False hold: [] diff --git a/salt/versionlock/init.sls b/salt/versionlock/init.sls index ac27d69d7..278809aee 100644 --- a/salt/versionlock/init.sls +++ b/salt/versionlock/init.sls 
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'versionlock/map.jinja' import VERSIONLOCKMERGED %} {% for pkg in VERSIONLOCKMERGED.hold %} diff --git a/salt/versionlock/map.jinja b/salt/versionlock/map.jinja index 79ef1c45c..e078ff22d 100644 --- a/salt/versionlock/map.jinja +++ b/salt/versionlock/map.jinja @@ -1,7 +1,13 @@ +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + https://securityonion.net/license; you may not use this file except in compliance with the + Elastic License 2.0. #} + {% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %} {% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %} {% set HELD = salt['pkg.list_holds']() %} +{# these are packages held / versionlock in other states #} {% set PACKAGES_HELD_IN_OTHER_STATES = [ 'salt', 'salt-master', 
@@ -12,21 +18,16 @@ 'docker-ce-rootless-extras' ] %} -{% if VERSIONLOCKMERGED.kernel %} - {% do VERSIONLOCKMERGED['hold'].append('kernel') %} -{% endif %} - {# remove packages held in other states from hold list #} {% do VERSIONLOCKMERGED.update({'hold': VERSIONLOCKMERGED['hold'] | unique | reject('in', PACKAGES_HELD_IN_OTHER_STATES) | list }) %} +{# initiate VERSIONLOCKMERGED.UNHOLD #} {% do VERSIONLOCKMERGED.update({'UNHOLD': []}) %} {# if a package is currently held but not set to be held, unhold it #} {% for item in HELD %} {% set base_name = item.rsplit('-', 2)[0] %} - {% if base_name not in VERSIONLOCKMERGED['hold'] - and base_name not in PACKAGES_HELD_IN_OTHER_STATES - and base_name not in VERSIONLOCKMERGED['UNHOLD'] %} + {% if base_name not in VERSIONLOCKMERGED['hold'] and base_name not in PACKAGES_HELD_IN_OTHER_STATES and base_name not in VERSIONLOCKMERGED['UNHOLD'] %} {% do VERSIONLOCKMERGED['UNHOLD'].append(base_name) %} {% endif %} {% endfor %} diff --git a/salt/versionlock/soc_versionlock.yaml b/salt/versionlock/soc_versionlock.yaml index b5f25c3a7..24b8676a9 100644 --- a/salt/versionlock/soc_versionlock.yaml +++ b/salt/versionlock/soc_versionlock.yaml @@ -1,10 +1,7 @@ versionlock: - kernel: - description: Lock the kernel to prevent upgrade. - global: True - forcedType: bool hold: - description: List of packages to hold + description: List of packages to hold. To reduce the frequency of required reboots, add 'kernel' to this list. global: True forcedType: "[]string" multiline: True + helpLink: versionlock.html diff --git a/setup/so-functions b/setup/so-functions index 5ebf76c17..8e83f822d 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1404,7 +1404,7 @@ make_some_dirs() { mkdir -p $local_salt_dir/salt/firewall/portgroups mkdir -p $local_salt_dir/salt/firewall/ports - for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos idstools idh elastalert stig global kafka;do + for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos idstools idh elastalert stig global kafka versionlock; do mkdir -p $local_salt_dir/pillar/$THEDIR touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls From 76ff0c56cd2570fd97194990fa7d5d02d041100b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 17 Oct 2024 10:06:40 -0400 Subject: [PATCH 3/4] create versionlock pillar dir/files during soup to 120 --- salt/manager/tools/sbin/soup | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index c592dffe4..3569029ac 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -404,6 +404,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.4.80 ]] && up_to_2.4.90 [[ "$INSTALLEDVERSION" == 2.4.90 ]] && up_to_2.4.100 [[ "$INSTALLEDVERSION" == 2.4.100 ]] && up_to_2.4.110 + [[ "$INSTALLEDVERSION" == 2.4.110 ]] && up_to_2.4.120 true } @@ -425,6 +426,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.80 ]] && post_to_2.4.90 [[ "$POSTVERSION" == 2.4.90 ]] && post_to_2.4.100 [[ "$POSTVERSION" == 2.4.100 ]] && post_to_2.4.110 + [[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.120 true } @@ -517,6 +519,11 @@ post_to_2.4.110() { POSTVERSION=2.4.110 } +post_to_2.4.120() { + echo "Nothing to apply" + POSTVERSION=2.4.120 +} + repo_sync() { echo "Sync the local repo." su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync." 
@@ -694,17 +701,27 @@ up_to_2.4.90() { INSTALLEDVERSION=2.4.90 } + up_to_2.4.100() { # Elastic Update for this release, so download Elastic Agent files determine_elastic_agent_upgrade INSTALLEDVERSION=2.4.100 } + up_to_2.4.110() { echo "Nothing to do for 2.4.110" INSTALLEDVERSION=2.4.110 } +up_to_2.4.120() { + # this is needed for the new versionlock state + mkdir /opt/so/saltstack/local/pillar/versionlock + touch /opt/so/saltstack/local/pillar/versionlock/adv_versionlock.sls /opt/so/saltstack/local/pillar/versionlock/soc_versionlock.sls + + INSTALLEDVERSION=2.4.120 +} + add_detection_test_pillars() { if [[ -n "$SOUP_INTERNAL_TESTING" ]]; then echo "Adding detection pillar values for automated testing" From 39230159aecccc4613dea7695758dcfd93e98694 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 17 Oct 2024 12:10:49 -0400 Subject: [PATCH 4/4] update description --- salt/versionlock/soc_versionlock.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/versionlock/soc_versionlock.yaml b/salt/versionlock/soc_versionlock.yaml index 24b8676a9..f1e864d7d 100644 --- a/salt/versionlock/soc_versionlock.yaml +++ b/salt/versionlock/soc_versionlock.yaml @@ -1,6 +1,6 @@ versionlock: hold: - description: List of packages to hold. To reduce the frequency of required reboots, add 'kernel' to this list. + description: List of packages to prevent from upgrading. To reduce the frequency of required reboots, add 'kernel' to this list. global: True forcedType: "[]string" multiline: True
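Review bot: `mkdir /opt/so/saltstack/local/pillar/versionlock` has no `-p`, so if the directory already exists — a soup re-run after an interrupted upgrade, or a manager where it was created by hand — the command fails, and depending on how soup treats command errors that can abort the pre-upgrade step. `make_some_dirs` in so-functions creates the same directory with `mkdir -p`; use `mkdir -p /opt/so/saltstack/local/pillar/versionlock` here as well. If the rest of the local pillar tree is owned by a non-root user (not visible in this hunk), also match that ownership so the files written here are editable by whatever process the SOC UI uses to save `soc_versionlock.sls`.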
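Review bot: The description recommends adding `kernel` to reduce reboots but does not state the security trade-off: a held kernel keeps running until the hold is removed, so kernel security fixes published by the distribution are not installed in the meantime. It also does not tell the operator that, per the unhold loop in salt/versionlock/map.jinja, any hold present on the minion that is not in this list (or managed by another Security Onion state) is removed on the next highstate. Suggested wording: `List of packages to prevent from upgrading. Holds not in this list are removed. Adding 'kernel' reduces required reboots but also defers kernel security updates until it is removed from the list.`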