mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-07-13 12:31:45 +02:00
Merge remote-tracking branch 'origin/3/dev' into saltthangs
This commit is contained in:
@@ -37,8 +37,7 @@
|
||||
'elasticfleet',
|
||||
'elasticfleet.manager',
|
||||
'elasticsearch.cluster',
|
||||
'elastic-fleet-package-registry',
|
||||
'utility'
|
||||
'elastic-fleet-package-registry'
|
||||
] %}
|
||||
|
||||
{% set sensor_states = [
|
||||
|
||||
@@ -70,7 +70,7 @@ wait_for_so-kibana:
|
||||
- ssl: True
|
||||
- verify_ssl: False
|
||||
- status: 200
|
||||
- wait_for: 300
|
||||
- wait_for: 600
|
||||
- request_interval: 15
|
||||
- require:
|
||||
- docker_container: so-kibana
|
||||
|
||||
@@ -11,8 +11,8 @@ name=Security Onion Repo repo
|
||||
mirrorlist=file:///opt/so/conf/reposync/mirror.txt
|
||||
enabled=1
|
||||
gpgcheck=1
|
||||
[securityonionkernel]
|
||||
name=Security Onion Repo repo
|
||||
[securityonionkernelsync]
|
||||
name=Security Onion Kernel Repo repo
|
||||
mirrorlist=file:///opt/so/conf/reposync/mirror-kernel.txt
|
||||
enabled=1
|
||||
gpgcheck=1
|
||||
|
||||
@@ -17,9 +17,9 @@ createrepo /nsm/repo
|
||||
# The kernel repo section is deployed to repodownload.conf by the manager highstate, which
|
||||
# runs AFTER this script during soup. On the first upgrade to a kernel-aware version the
|
||||
# on-disk config still predates the section, so guard on its presence to avoid dnf's
|
||||
# "Unknown repo: 'securityonionkernel'" aborting the sync (set -e). The next sync after the
|
||||
# "Unknown repo: 'securityonionkernelsync'" aborting the sync (set -e). The next sync after the
|
||||
# highstate deploys the section will pick it up.
|
||||
if grep -q '^\[securityonionkernel\]' /opt/so/conf/reposync/repodownload.conf; then
|
||||
dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionkernel --download-metadata -p /nsm/kernelrepo/
|
||||
if grep -q '^\[securityonionkernelsync\]' /opt/so/conf/reposync/repodownload.conf; then
|
||||
dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionkernelsync --download-metadata -p /nsm/kernelrepo/
|
||||
createrepo /nsm/kernelrepo
|
||||
fi
|
||||
|
||||
@@ -245,6 +245,7 @@ check_airgap() {
|
||||
UPDATE_DIR=/tmp/soagupdate/SecurityOnion
|
||||
AGDOCKER=/tmp/soagupdate/docker
|
||||
AGREPO=/tmp/soagupdate/minimal/Packages
|
||||
AGUEKREPO=/tmp/soagupdate/uek/Packages
|
||||
else
|
||||
is_airgap=1
|
||||
fi
|
||||
@@ -1021,13 +1022,19 @@ update_airgap_rules() {
|
||||
rsync -a $UPDATE_DIR/agrules/securityonion-resources/* /nsm/securityonion-resources/
|
||||
}
|
||||
|
||||
update_airgap_repo() {
|
||||
update_airgap_repos() {
|
||||
# Update the files in the repo
|
||||
echo "Syncing new updates to /nsm/repo"
|
||||
rsync -a $AGREPO/* /nsm/repo/
|
||||
echo "Creating repo"
|
||||
echo "Syncing new updates to /nsm/repo & /nsm/kernelrepo"
|
||||
# Airgap soup copies new files into the local repo, but doesn't remove old packages. Retaining the ability to rollback package updates
|
||||
rsync -a "$AGREPO"/ /nsm/repo/
|
||||
rsync -a "$AGUEKREPO"/ /nsm/kernelrepo/
|
||||
|
||||
dnf -y install yum-utils createrepo_c
|
||||
|
||||
echo "Running createrepo for /nsm/repo"
|
||||
createrepo /nsm/repo
|
||||
echo "Running createrepo for /nsm/kernelrepo"
|
||||
createrepo /nsm/kernelrepo
|
||||
}
|
||||
|
||||
update_salt_mine() {
|
||||
@@ -1783,7 +1790,7 @@ main() {
|
||||
set -e
|
||||
|
||||
if [[ $is_airgap -eq 0 ]]; then
|
||||
update_airgap_repo
|
||||
update_airgap_repos
|
||||
dnf clean all
|
||||
check_os_updates
|
||||
elif [[ $OS == 'oracle' ]]; then
|
||||
|
||||
@@ -66,10 +66,11 @@ so-suricata:
|
||||
- file: suriclassifications
|
||||
|
||||
surirulereload:
|
||||
cmd.run:
|
||||
cmd.run:
|
||||
- name: /usr/sbin/so-suricata-reload-rules >> /opt/so/log/suricata/reload.log 2>&1
|
||||
- onchanges:
|
||||
- onchanges:
|
||||
- file: surirulesync
|
||||
- onlyif: test -f /opt/so/rules/suricata/all-rulesets.rules
|
||||
- require:
|
||||
- docker_container: so-suricata
|
||||
|
||||
|
||||
@@ -11,13 +11,12 @@ RULES_FILE="/opt/so/rules/suricata/all-rulesets.rules"
|
||||
SOCKET="/var/run/suricata/suricata-command.socket"
|
||||
SURICATASC="docker exec so-suricata /opt/suricata/bin/suricatasc"
|
||||
|
||||
# Epoch mtime of the ruleset we need Suricata to have loaded. Captured once so a
|
||||
# file update mid-reload does not move the goalpost.
|
||||
target_mtime=$(stat -c %Y "$RULES_FILE") || fail "Could not stat the Suricata rules file: $RULES_FILE"
|
||||
|
||||
# Format an epoch as a human-readable local timestamp for log messages.
|
||||
fmt_time() { date -d "@$1" '+%Y-%m-%d %H:%M:%S %Z' 2>/dev/null; }
|
||||
|
||||
# Prefix each input line with the current timestamp.
|
||||
timestamp_lines() { while IFS= read -r line; do printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S %Z')" "$line"; done; }
|
||||
|
||||
# Epoch of Suricata's last *completed* ruleset reload; non-zero return on failure.
|
||||
suricata_reload_epoch() {
|
||||
local out ts
|
||||
@@ -53,4 +52,14 @@ reload_and_verify() {
|
||||
return 1
|
||||
}
|
||||
|
||||
retry 60 3 'reload_and_verify' || fail "Suricata did not load the current ruleset in time."
|
||||
# Run the reload/verify, timestamping every line of output (ours and the
|
||||
# retry/fail helpers') so reload.log shows when each step ran. The pipeline is
|
||||
# synchronous, so the log is fully flushed and ordered before we exit; the
|
||||
# script's real exit code is preserved via PIPESTATUS.
|
||||
{
|
||||
# Epoch mtime of the ruleset we need Suricata to have loaded. Captured once so
|
||||
# a file update mid-reload does not move the goalpost.
|
||||
target_mtime=$(stat -c %Y "$RULES_FILE") || fail "Could not stat the Suricata rules file: $RULES_FILE"
|
||||
retry 60 3 'reload_and_verify' || fail "Suricata did not load the current ruleset in time."
|
||||
} 2>&1 | timestamp_lines
|
||||
exit "${PIPESTATUS[0]}"
|
||||
|
||||
@@ -84,7 +84,6 @@ base:
|
||||
- zeek
|
||||
- strelka
|
||||
- elastalert
|
||||
- utility
|
||||
- elasticfleet
|
||||
- pcap.cleanup
|
||||
|
||||
@@ -114,7 +113,6 @@ base:
|
||||
- zeek
|
||||
- strelka
|
||||
- elastalert
|
||||
- utility
|
||||
- elasticfleet
|
||||
- stig
|
||||
- kafka
|
||||
@@ -142,7 +140,6 @@ base:
|
||||
- elastic-fleet-package-registry
|
||||
- kibana
|
||||
- elastalert
|
||||
- utility
|
||||
- elasticfleet
|
||||
- stig
|
||||
- kafka
|
||||
@@ -169,7 +166,6 @@ base:
|
||||
- elastic-fleet-package-registry
|
||||
- kibana
|
||||
- elastalert
|
||||
- utility
|
||||
- elasticfleet
|
||||
- kafka
|
||||
|
||||
@@ -199,7 +195,6 @@ base:
|
||||
- elastic-fleet-package-registry
|
||||
- kibana
|
||||
- elastalert
|
||||
- utility
|
||||
- elasticfleet
|
||||
- stig
|
||||
- kafka
|
||||
@@ -223,7 +218,6 @@ base:
|
||||
- elasticsearch
|
||||
- elastic-fleet-package-registry
|
||||
- kibana
|
||||
- utility
|
||||
- suricata
|
||||
- zeek
|
||||
- elasticfleet
|
||||
|
||||
@@ -1,29 +0,0 @@
|
||||
#!/bin/bash
|
||||
# Wait for ElasticSearch to come up, so that we can query for version infromation
|
||||
echo -n "Waiting for ElasticSearch..."
|
||||
COUNT=0
|
||||
ELASTICSEARCH_CONNECTED="no"
|
||||
while [[ "$COUNT" -le 30 ]]; do
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://{{ GLOBALS.manager_ip }}:9200
|
||||
if [ $? -eq 0 ]; then
|
||||
ELASTICSEARCH_CONNECTED="yes"
|
||||
echo "connected!"
|
||||
break
|
||||
else
|
||||
((COUNT+=1))
|
||||
sleep 1
|
||||
echo -n "."
|
||||
fi
|
||||
done
|
||||
if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
|
||||
echo
|
||||
echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'docker ps' \n -running 'sudo so-elastic-restart'"
|
||||
echo
|
||||
|
||||
exit
|
||||
fi
|
||||
|
||||
echo "Applying cross cluster search config..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ GLOBALS.manager_ip }}:9200/_cluster/settings \
|
||||
-H 'Content-Type: application/json' \
|
||||
-d "{\"persistent\": {\"search\": {\"remote\": {\"{{ grains.host }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}"
|
||||
@@ -1,22 +0,0 @@
|
||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||
|
||||
{% if sls in allowed_states %}
|
||||
{% if grains['role'] in ['so-eval', 'so-import'] %}
|
||||
fixsearch:
|
||||
cmd.script:
|
||||
- shell: /bin/bash
|
||||
- cwd: /opt/so
|
||||
- source: salt://utility/bin/eval
|
||||
- template: jinja
|
||||
- defaults:
|
||||
GLOBALS: {{ GLOBALS }}
|
||||
{% endif %}
|
||||
|
||||
{% else %}
|
||||
|
||||
{{sls}}_state_not_allowed:
|
||||
test.fail_without_changes:
|
||||
- name: {{sls}}_state_not_allowed
|
||||
|
||||
{% endif %}
|
||||
Reference in New Issue
Block a user