diff --git a/HOTFIX b/HOTFIX index e69de29bb..6711b0853 100644 --- a/HOTFIX +++ b/HOTFIX @@ -0,0 +1 @@ +04012022 diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 300428636..08e02da0f 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.3.110-20220309 ISO image built on 2022/03/09 +### 2.3.110-20220401 ISO image built on 2022/04/04 ### Download and Verify -2.3.110-20220309 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220309.iso +2.3.110-20220401 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220401.iso -MD5: 537564F8B56633E2D46E5E7C4E2BF18A -SHA1: 1E1B42EDB711AC8B5963B3460056770B91AE6BFC -SHA256: 4D73E5BE578DA43DCFD3C1B5F9AF07A7980D8DF90ACDDFEF6CEA177F872EECA0 +MD5: 17625039D4ED23EC217589A1681C4FDA +SHA1: 8244A7BE12F27E71721ADC699950BB27C5C03BF2 +SHA256: 76C135C3FDA8A28C13A142B944BE72E67192AC7C4BC85838230EFF45E8978BD1 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220309.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220401.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS @@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220309.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220401.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220309.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220401.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.110-20220309.iso.sig securityonion-2.3.110-20220309.iso +gpg --verify securityonion-2.3.110-20220401.iso.sig securityonion-2.3.110-20220401.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Wed 09 Mar 2022 10:20:47 AM EST using RSA key ID FE507013 +gpg: Signature made Mon 04 Apr 2022 02:08:59 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 42c7b43bf..5e813c2c8 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -93,8 +93,7 @@ check_err() { fi set +e systemctl_func "start" "$cron_service_name" - echo "Ensuring highstate is enabled." - salt-call state.enable highstate --local + enable_highstate exit $exit_code fi @@ -366,6 +365,12 @@ clone_to_tmp() { fi } +enable_highstate() { + echo "Enabling highstate." + salt-call state.enable highstate -l info --local + echo "" +} + generate_and_clean_tarballs() { local new_version new_version=$(cat $UPDATE_DIR/VERSION) @@ -492,10 +497,10 @@ stop_salt_master() { set +e echo "" echo "Killing all Salt jobs across the grid." - salt \* saltutil.kill_all_jobs + salt \* saltutil.kill_all_jobs >> $SOUP_LOG 2>&1 echo "" echo "Killing any queued Salt jobs on the manager." - pkill -9 -ef "/usr/bin/python3 /bin/salt" + pkill -9 -ef "/usr/bin/python3 /bin/salt" >> $SOUP_LOG 2>&1 set -e echo "" @@ -889,11 +894,27 @@ upgrade_salt() { apt-mark hold "salt-master" apt-mark hold "salt-minion" fi + + echo "Checking if Salt was upgraded." + echo "" + # Check that Salt was upgraded + SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}') + if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then + echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." + echo "Once the issue is resolved, run soup again." + echo "Exiting." + echo "" + exit 0 + else + echo "Salt upgrade success." + echo "" + fi + } update_repo() { - echo "Performing repo changes." if [[ "$OS" == "centos" ]]; then + echo "Performing repo changes." # Import GPG Keys gpg_rpm_import echo "Disabling fastestmirror." @@ -945,6 +966,8 @@ verify_latest_update_script() { apply_hotfix() { if [[ "$INSTALLEDVERSION" == "2.3.90" ]] ; then fix_wazuh + elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then + 2_3_10_hotfix_1 else echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" fi @@ -966,6 +989,28 @@ fix_wazuh() { fi } +#upgrade salt to 3004.1 +2_3_10_hotfix_1() { + systemctl_func "stop" "$cron_service_name" + # update mine items prior to stopping salt-minion and salt-master + update_salt_mine + stop_salt_minion + stop_salt_master + update_repo + # Does salt need upgraded. If so update it. + if [[ $UPGRADESALT -eq 1 ]]; then + echo "Upgrading Salt" + # Update the repo files so it can actually upgrade + upgrade_salt + fi + rm -f /opt/so/state/influxdb_continuous_query.py.patched /opt/so/state/influxdbmod.py.patched /opt/so/state/influxdb_retention_policy.py.patched + systemctl_func "start" "salt-master" + salt-call state.apply salt.python3-influxdb -l info + systemctl_func "start" "salt-minion" + systemctl_func "start" "$cron_service_name" + +} + main() { trap 'check_err $?' EXIT @@ -1041,6 +1086,7 @@ main() { apply_hotfix echo "Hotfix applied" update_version + enable_highstate salt-call state.highstate -l info queue=True else echo "" @@ -1080,21 +1126,6 @@ main() { echo "Upgrading Salt" # Update the repo files so it can actually upgrade upgrade_salt - - echo "Checking if Salt was upgraded." - echo "" - # Check that Salt was upgraded - SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}') - if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then - echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." - echo "Once the issue is resolved, run soup again." - echo "Exiting." - echo "" - exit 0 - else - echo "Salt upgrade success." - echo "" - fi fi preupgrade_changes @@ -1150,9 +1181,7 @@ main() { echo "" fi - echo "Enabling highstate." - salt-call state.enable highstate -l info --local - echo "" + enable_highstate echo "" echo "Running a highstate. This could take several minutes." diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index 8d5e85e15..a07f22865 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml @@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: master: - version: 3004 + version: 3004.1 diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index ef7bfe37c..68e044db8 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml @@ -2,6 +2,6 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3004 + version: 3004.1 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default service_start_delay: 30 # in seconds. diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index cf26c1249..a35746db7 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls @@ -31,6 +31,22 @@ install_salt_minion: exec 1>&- # close stdout exec 2>&- # close stderr nohup /bin/sh -c '{{ UPGRADECOMMAND }}' & + + {# if we are the salt master #} + {% if grains.id.split('_')|first == grains.master %} +remove_influxdb_continuous_query_state_file: + file.absent: + - name: /opt/so/state/influxdb_continuous_query.py.patched + +remove_influxdbmod_state_file: + file.absent: + - name: /opt/so/state/influxdbmod.py.patched + +remove_influxdb_retention_policy_state_file: + file.absent: + - name: /opt/so/state/influxdb_retention_policy.py.patched + {% endif %} + {% endif %} {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %} diff --git a/setup/so-functions b/setup/so-functions index b71648fbe..0047fe4a2 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2277,13 +2277,13 @@ saltify() { # Download Ubuntu Keys in case manager updates = 1 logCmd "mkdir -vp /opt/so/gpg" if [[ ! $is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004" + logCmd "yum -y install salt-master-3004.1" fi logCmd "systemctl enable salt-master" ;; @@ -2295,7 +2295,7 @@ saltify() { fi set_progress_str 8 'Installing salt-minion & python modules' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-minion-3004 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" fi logCmd "systemctl enable salt-minion" @@ -2334,8 +2334,8 @@ saltify() { 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR') # Add saltstack repo(s) - wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 + echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 @@ -2343,7 +2343,7 @@ saltify() { # Get gpg keys mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 @@ -2356,7 +2356,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' retry 50 10 "apt-get -y install sqlite3 libssl-dev" >> "$setup_log" 2>&1 || exit 1 set_progress_str 7 'Installing salt-master' - retry 50 10 "apt-get -y install salt-master=3004+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-master=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1 ;; *) @@ -2367,14 +2367,14 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" ;; esac retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 set_progress_str 8 'Installing salt-minion & python modules' - retry 50 10 "apt-get -y install salt-minion=3004+ds-1 salt-common=3004+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-minion=3004.1+ds-1 salt-common=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" >> "$setup_log" 2>&1 || exit 1 fi diff --git a/sigs/securityonion-2.3.110-20220404.iso.sig b/sigs/securityonion-2.3.110-20220404.iso.sig new file mode 100644 index 000000000..bd8215953 Binary files /dev/null and b/sigs/securityonion-2.3.110-20220404.iso.sig differ