Merge remote-tracking branch 'remotes/origin/dev' into issue/1831

salt/common/tools/sbin/so-docker-refresh

@@ -40,9 +40,11 @@ version_check() {
 
 manager_check
 version_check
+operating_system
 
 # Use the hostname
 HOSTNAME=$(hostname)
 # List all the containers
 container_list
+CURLTYPE=refresh
 update_docker_containers

salt/common/tools/sbin/so-features-enable

@@ -51,22 +51,61 @@ manager_check() {
 }
 
 manager_check
+
+# Let's make sure we have the public key
+curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import -
+  
+CONTAINER_REGISTRY=quay.io
+SIGNPATH=/root/sosigs
+rm -rf $SIGNPATH
+mkdir -p $SIGNPATH
+if [ -z "$BRANCH" ]; then
+  BRANCH="master"
+fi
+
 VERSION=$(lookup_pillar soversion) 
 # Modify global.sls to enable Features
-sed -i 's/features: False/features: True/' $local_salt_dir/pillar/global.sls
 SUFFIX="-features"
 TRUSTED_CONTAINERS=( \
-  "so-elasticsearch:$VERSION$SUFFIX" \
-  "so-filebeat:$VERSION$SUFFIX" \
-  "so-kibana:$VERSION$SUFFIX" \
-  "so-logstash:$VERSION$SUFFIX" )
+  "so-elasticsearch" \
+  "so-filebeat" \
+  "so-kibana" \
+  "so-logstash" )
 
 for i in "${TRUSTED_CONTAINERS[@]}"
 do
     # Pull down the trusted docker image
     echo "Downloading $i"
-    docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i
-    # Tag it with the new registry destination
-    docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i
-    docker push $HOSTNAME:5000/$IMAGEREPO/$i
+    docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION$SUFFIX
+    
+    # Get signature
+    curl https://sigs.securityonion.net/$VERSION/$i:$VERSION$SUFFIX.sig --output $SIGNPATH/$i:$VERSION$SUFFIX.sig
+    if [[ $? -ne 0 ]]; then
+      echo "Unable to pull signature file for $i:$VERSION$SUFFIX"
+      exit 1
+    fi
+    # Dump our hash values
+    DOCKERINSPECT=$(docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION$SUFFIX)
+       
+    echo "$DOCKERINSPECT" | jq ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" > $SIGNPATH/$i:$VERSION$SUFFIX.txt
+    echo "$DOCKERINSPECT" | jq ".[0].Created, .[0].RootFS.Layers" >> $SIGNPATH/$i:$VERSION$SUFFIX.txt
+        
+    if [[ $? -ne 0 ]]; then
+      echo "Unable to inspect $i:$VERSION:$SUFFIX"
+      exit 1
+    fi
+    GPGTEST=$(gpg --verify $SIGNPATH/$i:$VERSION$SUFFIX.sig $SIGNPATH/$i:$VERSION$SUFFIX.txt 2>&1)
+    if [[ $? -eq 0 ]]; then
+      # Tag it with the new registry destination
+      docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION$SUFFIX $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION$SUFFIX
+      docker push $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION$SUFFIX
+    else
+      echo "There is a problem downloading the $i:$VERSION$SUFFIX image. Details: "
+      echo ""
+      echo $GPGTEST
+      exit 1
+    fi
+    
+
 done
+sed -i 's/features: False/features: True/' $local_salt_dir/pillar/global.sls

salt/common/tools/sbin/so-image-common

@@ -87,6 +87,14 @@ container_list() {
     fi
 }
 
+operating_system() {
+  if [ -f /etc/redhat-release ]; then
+    OS=centos
+  else
+    OS=ubuntu
+  fi
+}
+
 update_docker_containers() {
   # Let's make sure we have the public key
   curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import -
@@ -95,9 +103,7 @@ update_docker_containers() {
   SIGNPATH=/root/sosigs
   rm -rf $SIGNPATH
   mkdir -p $SIGNPATH
-  if [ -z "$BRANCH" ]; then
-    BRANCH="master"
-  fi
+
   # Download the containers from the interwebs
   for i in "${TRUSTED_CONTAINERS[@]}"
   do
@@ -106,22 +112,28 @@ update_docker_containers() {
     docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION
     
     # Get signature
-    curl https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/$BRANCH/sigs/images/$VERSION/$i.sig --output $SIGNPATH/$i.sig
+    curl -A "$CURLTYPE/$OS/$(uname -r)" https://sigs.securityonion.net/$VERSION/$i:$VERSION.sig --output $SIGNPATH/$i:$VERSION.sig
     if [[ $? -ne 0 ]]; then
       echo "Unable to pull signature file for $i:$VERSION"
       exit 1
     fi
     # Dump our hash values
-    docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION | jq '.[0].Created, .[0].RepoDigests, .[0].RootFS.Layers' > $SIGNPATH/$i.txt
+    DOCKERINSPECT=$(docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION)
+       
+    echo "$DOCKERINSPECT" | jq ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" > $SIGNPATH/$i:$VERSION.txt
+    echo "$DOCKERINSPECT" | jq ".[0].Created, .[0].RootFS.Layers" >> $SIGNPATH/$i:$VERSION.txt
+        
     if [[ $? -ne 0 ]]; then
       echo "Unable to inspect $i:$VERSION"
       exit 1
     fi
-    GPGTEST=$(gpg --verify $SIGNPATH/$i.sig $SIGNPATH/$i.txt 2>&1)
+    GPGTEST=$(gpg --verify $SIGNPATH/$i:$VERSION.sig $SIGNPATH/$i:$VERSION.txt 2>&1)
     if [[ $? -eq 0 ]]; then
-      # Tag it with the new registry destination
-      docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION
-      docker push $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION
+      if [[ -z "$SKIP_TAGPUSH" ]]; then
+        # Tag it with the new registry destination
+        docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION
+        docker push $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION
+      fi
     else
       echo "There is a problem downloading the $i:$VERSION image. Details: "
       echo ""
@@ -130,4 +142,4 @@ update_docker_containers() {
     fi
   done
   
-}
+}

salt/common/tools/sbin/so-playbook-reset

@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+salt-call state.apply playbook.db_init,playbook,playbook.automation_user_create
+
+/usr/sbin/so-soctopus-restart
+
+echo "Importing Plays - this will take some time...."
+wait 5
+/usr/sbin/so-playbook-ruleupdate

salt/common/tools/sbin/so-ssh-harden

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+. /usr/sbin/so-common
+
+if [[ $1 =~ ^(q|--quiet) ]]; then
+    quiet=true
+fi
+
+print_sshd_t() {
+    local string=$1
+    local state=$2
+    echo "${state}:"
+    sshd -T | grep "^${string}"
+}
+
+if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi
+sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config
+if ! [[ $quiet ]]; then
+    print_sshd_t "ciphers" "After"
+    echo ""
+fi
+
+if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi
+sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config
+if ! [[ $quiet ]]; then
+    print_sshd_t "kexalgorithms" "After"
+    echo ""
+fi
+
+if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi
+sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config
+if ! [[ $quiet ]]; then
+    print_sshd_t "macs" "After"
+    echo ""
+fi
+
+if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi
+sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config
+if ! [[ $quiet ]]; then
+    print_sshd_t "hostkeyalgorithms" "After"
+    echo ""
+fi
+
+{% if grains['os'] != 'CentOS' %}
+echo "----"
+echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting."
+echo "----"
+{% endif %}
+

salt/common/tools/sbin/soup

@@ -16,13 +16,17 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 . /usr/sbin/so-common
-. /usr/sbin/so-image-common
+if [ -f /usr/sbin/so-image-common ]; then
+  . /usr/sbin/so-image-common
+fi
 UPDATE_DIR=/tmp/sogh/securityonion
 INSTALLEDVERSION=$(cat /etc/soversion)
 INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk {'print $2'})
 DEFAULT_SALT_DIR=/opt/so/saltstack/default
 BATCHSIZE=5
 SOUP_LOG=/root/soup.log
+CURLTYPE=soup
+
 exec 3>&1 1>${SOUP_LOG} 2>&1
 
 manager_check() {
@@ -119,7 +123,6 @@ clean_dockers() {
 }
 
 clone_to_tmp() {
-  # TODO Need to add a air gap option
   # Clean old files
   rm -rf /tmp/sogh
   # Make a temp location for the files
@@ -379,6 +382,7 @@ verify_latest_update_script() {
     else
       echo "You are not running the latest soup version. Updating soup."
       cp $UPDATE_DIR/salt/common/tools/sbin/soup $DEFAULT_SALT_DIR/salt/common/tools/sbin/
+      cp $UPDATE_DIR/salt/common/tools/sbin/so-image-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
       salt-call state.apply common queue=True
       echo ""
       echo "soup has been updated. Please run soup again."