Merge pull request #13836 from Security-Onion-Solutions/issue/204

Issue/204

pillar/top.sls

@@ -16,6 +16,8 @@ base:
     - sensoroni.adv_sensoroni
     - telegraf.soc_telegraf
     - telegraf.adv_telegraf
+    - versionlock.soc_versionlock
+    - versionlock.adv_versionlock
 
   '* and not *_desktop':
     - firewall.soc_firewall

salt/logstash/map.jinja

@@ -1,5 +1,5 @@
 {# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
    https://securityonion.net/license; you may not use this file except in compliance with the
    Elastic License 2.0. #}
 
@@ -42,4 +42,4 @@
 {%       do LOGSTASH_MERGED.update({'enabled': False}) %}
 {%     endif %}
 {%   endif %}
-{% endif %}
+{% endif %}

salt/manager/tools/sbin/soup

@@ -404,6 +404,7 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.4.80 ]] && up_to_2.4.90
     [[ "$INSTALLEDVERSION" == 2.4.90 ]] && up_to_2.4.100
     [[ "$INSTALLEDVERSION" == 2.4.100 ]] && up_to_2.4.110
+    [[ "$INSTALLEDVERSION" == 2.4.110 ]] && up_to_2.4.120
     true
 }
 
@@ -425,6 +426,7 @@ postupgrade_changes() {
     [[ "$POSTVERSION"  == 2.4.80 ]] && post_to_2.4.90
     [[ "$POSTVERSION"  == 2.4.90 ]] && post_to_2.4.100
     [[ "$POSTVERSION"  == 2.4.100 ]] && post_to_2.4.110
+    [[ "$POSTVERSION"  == 2.4.110 ]] && post_to_2.4.120
     true
 }
 
@@ -517,6 +519,11 @@ post_to_2.4.110() {
   POSTVERSION=2.4.110
 }
 
+post_to_2.4.120() {
+  echo "Nothing to apply"
+  POSTVERSION=2.4.120
+}
+
 repo_sync() {
   echo "Sync the local repo."
   su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -694,17 +701,27 @@ up_to_2.4.90() {
 
   INSTALLEDVERSION=2.4.90
 }
+
 up_to_2.4.100() {
   # Elastic Update for this release, so download Elastic Agent files
   determine_elastic_agent_upgrade
   INSTALLEDVERSION=2.4.100
 }
+
 up_to_2.4.110() {
   echo "Nothing to do for 2.4.110"
 
   INSTALLEDVERSION=2.4.110
 }
 
+up_to_2.4.120() {
+  # this is needed for the new versionlock state
+  mkdir /opt/so/saltstack/local/pillar/versionlock
+  touch /opt/so/saltstack/local/pillar/versionlock/adv_versionlock.sls /opt/so/saltstack/local/pillar/versionlock/soc_versionlock.sls
+
+  INSTALLEDVERSION=2.4.120
+}
+
 add_detection_test_pillars() {
   if [[ -n "$SOUP_INTERNAL_TESTING" ]]; then
     echo "Adding detection pillar values for automated testing"

salt/top.sls

@@ -12,6 +12,7 @@ base:
   '*':
     - cron.running
     - repo.client
+    - versionlock
     - ntp
     - schedule
     - logrotate

salt/versionlock/defaults.yaml

@@ -0,0 +1,2 @@
+versionlock:
+  hold: []

salt/versionlock/init.sls

@@ -0,0 +1,18 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'versionlock/map.jinja' import VERSIONLOCKMERGED %}
+
+{% for pkg in VERSIONLOCKMERGED.hold %}
+{{pkg}}_held:
+  pkg.held:
+    - name: {{pkg}}
+{% endfor %}
+
+{% for pkg in VERSIONLOCKMERGED.UNHOLD %}
+{{pkg}}_unheld:
+  pkg.unheld:
+    - name: {{pkg}}
+{% endfor %}

salt/versionlock/map.jinja

@@ -0,0 +1,33 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
+{% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %}
+{% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %}
+{% set HELD = salt['pkg.list_holds']() %}
+
+{# these are packages held / versionlock in other states #}
+{% set PACKAGES_HELD_IN_OTHER_STATES = [
+   'salt',
+   'salt-master',
+   'salt-minion',
+   'containerd.io',
+   'docker-ce',
+   'docker-ce-cli',
+   'docker-ce-rootless-extras'
+] %}
+
+{# remove packages held in other states from hold list #}
+{% do VERSIONLOCKMERGED.update({'hold': VERSIONLOCKMERGED['hold'] | unique | reject('in', PACKAGES_HELD_IN_OTHER_STATES) | list }) %}
+
+{# initiate VERSIONLOCKMERGED.UNHOLD #}
+{% do VERSIONLOCKMERGED.update({'UNHOLD': []}) %}
+
+{# if a package is currently held but not set to be held, unhold it #}
+{% for item in HELD %}
+    {% set base_name = item.rsplit('-', 2)[0] %}
+    {% if base_name not in VERSIONLOCKMERGED['hold'] and base_name not in PACKAGES_HELD_IN_OTHER_STATES and base_name not in VERSIONLOCKMERGED['UNHOLD'] %}
+        {% do VERSIONLOCKMERGED['UNHOLD'].append(base_name) %}
+    {% endif %}
+{% endfor %}

salt/versionlock/soc_versionlock.yaml

@@ -0,0 +1,7 @@
+versionlock:
+  hold:
+    description: List of packages to prevent from upgrading. To reduce the frequency of required reboots, add 'kernel' to this list.
+    global: True
+    forcedType: "[]string"
+    multiline: True
+    helpLink: versionlock.html

setup/so-functions

@@ -1404,7 +1404,7 @@ make_some_dirs() {
 	mkdir -p $local_salt_dir/salt/firewall/portgroups
 	mkdir -p $local_salt_dir/salt/firewall/ports
 
-	for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos idstools idh elastalert stig global kafka;do
+	for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos idstools idh elastalert stig global kafka versionlock; do
 	mkdir -p $local_salt_dir/pillar/$THEDIR
 	touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
 	touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls