Merge pull request #7703 from Security-Onion-Solutions/hotfix/2.3.110

Hotfix/2.3.110
Doug Burks
2022-04-04 23:37:28 -04:00
committed by GitHub
8 changed files with 91 additions and 45 deletions

1
HOTFIX

@@ -0,0 +1 @@
04012022


@@ -1,18 +1,18 @@
### 2.3.110-20220309 ISO image built on 2022/03/09 ### 2.3.110-20220401 ISO image built on 2022/04/04
### Download and Verify ### Download and Verify
2.3.110-20220309 ISO image: 2.3.110-20220401 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220309.iso https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220401.iso
MD5: 537564F8B56633E2D46E5E7C4E2BF18A MD5: 17625039D4ED23EC217589A1681C4FDA
SHA1: 1E1B42EDB711AC8B5963B3460056770B91AE6BFC SHA1: 8244A7BE12F27E71721ADC699950BB27C5C03BF2
SHA256: 4D73E5BE578DA43DCFD3C1B5F9AF07A7980D8DF90ACDDFEF6CEA177F872EECA0 SHA256: 76C135C3FDA8A28C13A142B944BE72E67192AC7C4BC85838230EFF45E8978BD1
Signature for ISO image: Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220309.iso.sig https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220401.iso.sig
Signing key: Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
Download the signature file for the ISO: Download the signature file for the ISO:
``` ```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220309.iso.sig wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220401.iso.sig
``` ```
Download the ISO image: Download the ISO image:
``` ```
wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220309.iso wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220401.iso
``` ```
Verify the downloaded ISO image using the signature file: Verify the downloaded ISO image using the signature file:
``` ```
gpg --verify securityonion-2.3.110-20220309.iso.sig securityonion-2.3.110-20220309.iso gpg --verify securityonion-2.3.110-20220401.iso.sig securityonion-2.3.110-20220401.iso
``` ```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below: The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
``` ```
gpg: Signature made Wed 09 Mar 2022 10:20:47 AM EST using RSA key ID FE507013 gpg: Signature made Mon 04 Apr 2022 02:08:59 PM EDT using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>" gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature! gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner. gpg: There is no indication that the signature belongs to the owner.


@@ -93,8 +93,7 @@ check_err() {
fi fi
set +e set +e
systemctl_func "start" "$cron_service_name" systemctl_func "start" "$cron_service_name"
echo "Ensuring highstate is enabled." enable_highstate
salt-call state.enable highstate --local
exit $exit_code exit $exit_code
fi fi
@@ -366,6 +365,12 @@ clone_to_tmp() {
fi fi
} }
enable_highstate() {
echo "Enabling highstate."
salt-call state.enable highstate -l info --local
echo ""
}
generate_and_clean_tarballs() { generate_and_clean_tarballs() {
local new_version local new_version
new_version=$(cat $UPDATE_DIR/VERSION) new_version=$(cat $UPDATE_DIR/VERSION)
@@ -492,10 +497,10 @@ stop_salt_master() {
set +e set +e
echo "" echo ""
echo "Killing all Salt jobs across the grid." echo "Killing all Salt jobs across the grid."
salt \* saltutil.kill_all_jobs salt \* saltutil.kill_all_jobs >> $SOUP_LOG 2>&1
echo "" echo ""
echo "Killing any queued Salt jobs on the manager." echo "Killing any queued Salt jobs on the manager."
pkill -9 -ef "/usr/bin/python3 /bin/salt" pkill -9 -ef "/usr/bin/python3 /bin/salt" >> $SOUP_LOG 2>&1
set -e set -e
echo "" echo ""
@@ -889,11 +894,27 @@ upgrade_salt() {
apt-mark hold "salt-master" apt-mark hold "salt-master"
apt-mark hold "salt-minion" apt-mark hold "salt-minion"
fi fi
echo "Checking if Salt was upgraded."
echo ""
# Check that Salt was upgraded
SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}')
if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then
echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG."
echo "Once the issue is resolved, run soup again."
echo "Exiting."
echo ""
exit 0
else
echo "Salt upgrade success."
echo ""
fi
} }
update_repo() { update_repo() {
echo "Performing repo changes."
if [[ "$OS" == "centos" ]]; then if [[ "$OS" == "centos" ]]; then
echo "Performing repo changes."
# Import GPG Keys # Import GPG Keys
gpg_rpm_import gpg_rpm_import
echo "Disabling fastestmirror." echo "Disabling fastestmirror."
@@ -945,6 +966,8 @@ verify_latest_update_script() {
apply_hotfix() { apply_hotfix() {
if [[ "$INSTALLEDVERSION" == "2.3.90" ]] ; then if [[ "$INSTALLEDVERSION" == "2.3.90" ]] ; then
fix_wazuh fix_wazuh
elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then
2_3_10_hotfix_1
else else
echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
fi fi
@@ -966,6 +989,28 @@ fix_wazuh() {
fi fi
} }
#upgrade salt to 3004.1
2_3_10_hotfix_1() {
systemctl_func "stop" "$cron_service_name"
# update mine items prior to stopping salt-minion and salt-master
update_salt_mine
stop_salt_minion
stop_salt_master
update_repo
# Does salt need upgraded. If so update it.
if [[ $UPGRADESALT -eq 1 ]]; then
echo "Upgrading Salt"
# Update the repo files so it can actually upgrade
upgrade_salt
fi
rm -f /opt/so/state/influxdb_continuous_query.py.patched /opt/so/state/influxdbmod.py.patched /opt/so/state/influxdb_retention_policy.py.patched
systemctl_func "start" "salt-master"
salt-call state.apply salt.python3-influxdb -l info
systemctl_func "start" "salt-minion"
systemctl_func "start" "$cron_service_name"
}
main() { main() {
trap 'check_err $?' EXIT trap 'check_err $?' EXIT
@@ -1041,6 +1086,7 @@ main() {
apply_hotfix apply_hotfix
echo "Hotfix applied" echo "Hotfix applied"
update_version update_version
enable_highstate
salt-call state.highstate -l info queue=True salt-call state.highstate -l info queue=True
else else
echo "" echo ""
@@ -1080,21 +1126,6 @@ main() {
echo "Upgrading Salt" echo "Upgrading Salt"
# Update the repo files so it can actually upgrade # Update the repo files so it can actually upgrade
upgrade_salt upgrade_salt
echo "Checking if Salt was upgraded."
echo ""
# Check that Salt was upgraded
SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}')
if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then
echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG."
echo "Once the issue is resolved, run soup again."
echo "Exiting."
echo ""
exit 0
else
echo "Salt upgrade success."
echo ""
fi
fi fi
preupgrade_changes preupgrade_changes
@@ -1150,9 +1181,7 @@ main() {
echo "" echo ""
fi fi
echo "Enabling highstate." enable_highstate
salt-call state.enable highstate -l info --local
echo ""
echo "" echo ""
echo "Running a highstate. This could take several minutes." echo "Running a highstate. This could take several minutes."
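Review bot: The Salt version check moved to the end of `upgrade_salt()` still ends a failed upgrade with `exit 0`, and this commit makes that path reachable from `2_3_10_hotfix_1()` after cron, salt-minion and salt-master have been stopped. The EXIT trap hands that status to `check_err`, whose visible branch restarts cron and re-enables highstate before `exit $exit_code`; if that branch runs only for a non-zero code (its condition is outside the hunk), a failed upgrade would leave the services stopped and report success to whatever invoked soup. I would change it to `exit 1` so the failure reaches the trap and any caller checking the exit status. Separately, the function is named `2_3_10_hotfix_1` although `apply_hotfix` dispatches it for `INSTALLEDVERSION` 2.3.110; `2_3_110_hotfix_1` would match the version it serves.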


@@ -2,4 +2,4 @@
# When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions
salt: salt:
master: master:
version: 3004 version: 3004.1


@@ -2,6 +2,6 @@
# When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions
salt: salt:
minion: minion:
version: 3004 version: 3004.1
check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
service_start_delay: 30 # in seconds. service_start_delay: 30 # in seconds.


@@ -31,6 +31,22 @@ install_salt_minion:
exec 1>&- # close stdout exec 1>&- # close stdout
exec 2>&- # close stderr exec 2>&- # close stderr
nohup /bin/sh -c '{{ UPGRADECOMMAND }}' & nohup /bin/sh -c '{{ UPGRADECOMMAND }}' &
{# if we are the salt master #}
{% if grains.id.split('_')|first == grains.master %}
remove_influxdb_continuous_query_state_file:
file.absent:
- name: /opt/so/state/influxdb_continuous_query.py.patched
remove_influxdbmod_state_file:
file.absent:
- name: /opt/so/state/influxdbmod.py.patched
remove_influxdb_retention_policy_state_file:
file.absent:
- name: /opt/so/state/influxdb_retention_policy.py.patched
{% endif %}
{% endif %} {% endif %}
{% if INSTALLEDSALTVERSION|string == SALTVERSION|string %} {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
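Review bot: The three `file.absent` states added under `{# if we are the salt master #}` do not say why the `.patched` marker files are removed, and the same three paths are also deleted with `rm -f` in soup's hotfix function, so the intent has to be guessed in two places. If the purpose is what it appears to be, a comment above the first state such as `{# remove the .patched markers so the influxdb module patches are re-applied after the Salt upgrade #}` would record it. The test `grains.id.split('_')|first == grains.master` also seems to assume the minion id has the form `<hostname>_<role>` and that `grains.master` holds the bare hostname; if the master is configured by IP or FQDN the block would be skipped silently, which is worth stating in the comment or guarding against. The enclosing `{% if %}` block opens outside the hunk.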


@@ -2277,13 +2277,13 @@ saltify() {
# Download Ubuntu Keys in case manager updates = 1 # Download Ubuntu Keys in case manager updates = 1
logCmd "mkdir -vp /opt/so/gpg" logCmd "mkdir -vp /opt/so/gpg"
if [[ ! $is_airgap ]]; then if [[ ! $is_airgap ]]; then
logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub"
logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg"
logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH"
fi fi
set_progress_str 7 'Installing salt-master' set_progress_str 7 'Installing salt-master'
if [[ ! $is_iso ]]; then if [[ ! $is_iso ]]; then
logCmd "yum -y install salt-master-3004" logCmd "yum -y install salt-master-3004.1"
fi fi
logCmd "systemctl enable salt-master" logCmd "systemctl enable salt-master"
;; ;;
@@ -2295,7 +2295,7 @@ saltify() {
fi fi
set_progress_str 8 'Installing salt-minion & python modules' set_progress_str 8 'Installing salt-minion & python modules'
if [[ ! $is_iso ]]; then if [[ ! $is_iso ]]; then
logCmd "yum -y install salt-minion-3004 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
logCmd "yum -y update --exclude=salt*" logCmd "yum -y update --exclude=salt*"
fi fi
logCmd "systemctl enable salt-minion" logCmd "systemctl enable salt-minion"
@@ -2334,8 +2334,8 @@ saltify() {
'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR') 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR')
# Add saltstack repo(s) # Add saltstack repo(s)
wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1
echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log"
# Add Docker repo # Add Docker repo
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1
@@ -2343,7 +2343,7 @@ saltify() {
# Get gpg keys # Get gpg keys
mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1
wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1
wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1
@@ -2356,7 +2356,7 @@ saltify() {
set_progress_str 6 'Installing various dependencies' set_progress_str 6 'Installing various dependencies'
retry 50 10 "apt-get -y install sqlite3 libssl-dev" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y install sqlite3 libssl-dev" >> "$setup_log" 2>&1 || exit 1
set_progress_str 7 'Installing salt-master' set_progress_str 7 'Installing salt-master'
retry 50 10 "apt-get -y install salt-master=3004+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y install salt-master=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1
retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1
;; ;;
*) *)
@@ -2367,14 +2367,14 @@ saltify() {
echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1
apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1
echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log"
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log"
;; ;;
esac esac
retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
set_progress_str 8 'Installing salt-minion & python modules' set_progress_str 8 'Installing salt-minion & python modules'
retry 50 10 "apt-get -y install salt-minion=3004+ds-1 salt-common=3004+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y install salt-minion=3004.1+ds-1 salt-common=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1
retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1
retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" >> "$setup_log" 2>&1 || exit 1
fi fi

Binary file not shown.