diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 05c56008a..1aeed795d 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -161,6 +161,34 @@ check_log_size_limit() {
 fi
 }
+check_os_updates() {
+ # Check to see if there are OS updates
+ NEEDUPDATES="We have detected missing operating system (OS) updates. Do you want to install these OS updates now? This could take a while depending on the size of your grid and how many packages are missing, but it is recommended to keep your system updated."
+ if [[ $OS == 'ubuntu' ]]; then
+ OSUPDATES=$(apt list --upgradeable | grep -v "^Listing..." | grep -v "^docker-ce" | grep -v "^wazuh-" | grep -v "^salt-" | wc -l)
+ else
+ OSUPDATES=$(yum -q list updates | wc -l)
+ fi
+ if [[ "$OSUPDATES" -gt 0 ]]; then
+ echo $NEEDUPDATES
+ echo ""
+ read -p "Press U to update OS packages (recommended), C to continue without updates, or E to exit: " confirm
+
+ if [[ "$confirm" == [cC] ]]; then
+ echo "Continuing without updating packages"
+ elif [[ "$confirm" == [uU] ]]; then
+ echo "Applying Grid Updates"
+ salt \* -b 5 state.apply patch.os queue=True
+ else
+ echo "Exiting soup"
+ exit 0
+ fi
+ else
+ echo "Looks like you have an updated OS"
+ fi
+
+}
+
 clean_dockers() {
 # Place Holder for cleaning up old docker images
 echo "Trying to clean up old dockers."
@@ -632,7 +660,7 @@ else
 rm -rf $UPDATE_DIR
 clone_to_tmp
 fi
-
+check_os_updates
 echo ""
 echo "Verifying we have the latest soup script."
 verify_latest_update_script
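Review bot: A failed package query is reported as an up-to-date system, because both `OSUPDATES=$(... | wc -l)` pipelines take their exit status from `wc`, so an `apt list` or `yum` error (no network, repository unreachable, not root) produces a count of 0 and the message "Looks like you have an updated OS". The status of `salt \* -b 5 state.apply patch.os queue=True` is likewise never checked, so a partially failed grid patch run falls through to the rest of soup silently; guard it, e.g. `salt \* -b 5 state.apply patch.os queue=True || { echo "OS update failed, review the salt output before continuing" >&2; exit 1; }`. Two smaller points in the same hunk: `read -p` should be `read -rp`, and `echo $NEEDUPDATES` should be `printf '%s\n' "$NEEDUPDATES"` so the message is not word-split or glob-expanded. The ubuntu branch also excludes docker-ce, wazuh- and salt- from the count while the yum branch counts every available update, so CentOS users may be prompted for packages the ubuntu logic deliberately ignores; if that is intentional, a comment saying so would help.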
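Review bot: `check_os_updates` is called before `verify_latest_update_script`, so the prompt, and a grid-wide `salt \* state.apply patch.os` if the user answers U, runs from a soup script that has not yet confirmed it is current. Unless the OS check must precede the script update for a reason not visible here, moving the call after the verification step keeps the verify-first ordering the following lines establish. The surrounding block starts and ends outside the hunk.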
@@ -822,8 +850,6 @@ Please review the following for more information about the update process and re
 https://docs.securityonion.net/soup
 https://blog.securityonion.net
-Please note that soup only updates Security Onion components and does NOT update the underlying operating system (OS). When you installed Security Onion, there was an option to automatically update the OS packages. If you did not enable this option, then you will want to ensure that the OS is fully updated before running soup.
-
 Press Enter to continue or Ctrl-C to cancel.
 EOF
diff --git a/salt/repo/client/files/centos/securityonioncache.repo b/salt/repo/client/files/centos/securityonioncache.repo
index e4d47cb11..f4ec6ef3f 100644
--- a/salt/repo/client/files/centos/securityonioncache.repo
+++ b/salt/repo/client/files/centos/securityonioncache.repo
@@ -67,12 +67,12 @@ gpgcheck=1
 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH
 enabled=1
 name=Wazuh repository
-baseurl=https://repocache.securityonion.net/file/securityonion-repo/wazuh4_repo/
+baseurl=http://repocache.securityonion.net/file/securityonion-repo/wazuh4_repo/
 protect=1
 [securityonion]
 name=Security Onion Repo
-baseurl=https://repocache.securityonion.net/file/securityonion-repo/securityonion/
+baseurl=http://repocache.securityonion.net/file/securityonion-repo/securityonion/
 enabled=1
 gpgcheck=1
-gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub
\ No newline at end of file
+gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub
diff --git a/salt/suricata/cron/surilogcompress b/salt/suricata/cron/surilogcompress
index 4fe43bbee..94434d545 100644
--- a/salt/suricata/cron/surilogcompress
+++ b/salt/suricata/cron/surilogcompress
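Review bot: Both `baseurl` lines drop from https to http, which exposes the repository metadata fetch to an on-path attacker: `gpgcheck=1` still verifies each package signature, but nothing in this file sets `repo_gpgcheck=1`, so repomd.xml and the package lists can be altered or replayed in transit to withhold or roll back security updates without yum noticing. If the cache endpoint genuinely cannot serve TLS, add `repo_gpgcheck=1` (which presumably requires the cache to publish signed metadata) or at least leave a comment on each `baseurl` stating why plaintext is acceptable here. Keeping `gpgkey` on https is right, since a plaintext key fetch would undermine the package check too.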
@@ -1,6 +1,6 @@
 #!/bin/bash
 # Gzip the eve logs
-find /nsm/suricata/eve*.json -type f -printf '%T@\t%p\n' | sort -t $'\t' -g | head -n -1 | cut -d $'\t' -f 2 | xargs nice gzip
+find /nsm/suricata/eve*.json -type f -printf '%T@\t%p\n' | sort -t $'\t' -g | head -n -1 | cut -d $'\t' -f 2 | xargs nice gzip >/dev/null 2>&1
 # TODO Add stats log
\ No newline at end of file
diff --git a/salt/suricata/threading.map.jinja b/salt/suricata/threading.map.jinja
index fb9e16d6b..16bffb165 100644
--- a/salt/suricata/threading.map.jinja
+++ b/salt/suricata/threading.map.jinja
@@ -1,4 +1,18 @@
-{% if salt['pillar.get']('sensor:suriprocs') %}
+{% if salt['pillar.get']('sensor:suripins') %}
+ {% load_yaml as cpu_affinity%}
+cpu-affinity:
+ - management-cpu-set:
+ cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings
+ - receive-cpu-set:
+ cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings
+ - worker-cpu-set:
+ cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ]
+ mode: "exclusive"
+ threads: {{ salt['pillar.get']('sensor:suripins')|length }}
+ prio:
+ default: "high"
+ {% endload %}
+{% elif salt['pillar.get']('sensor:suriprocs') %}
 {% load_yaml as cpu_affinity%}
 cpu-affinity:
 - management-cpu-set:
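Review bot: `>/dev/null 2>&1` on the gzip stage discards gzip's errors along with its noise, so a full disk, a permission problem or an unreadable eve log no longer surfaces in cron mail or syslog and the logs silently stop being compressed. If the intent is only to quiet the cron mail, drop just stdout and keep stderr (`... | xargs nice gzip >/dev/null`), or route it to syslog (`... | xargs nice gzip 2>&1 | logger -t surilogcompress`). The script also runs without `set -o pipefail`, so a failing `find` earlier in the pipeline already goes unnoticed; that predates this change but compounds the effect.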
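Review bot: The reordering silently changes precedence: when a pillar sets both `sensor:suripins` and `sensor:suriprocs`, the pinned-CPU block now wins where `suriprocs` did before, and nothing in the template records that. A one-line comment at the top of the new branch, such as `{# suripins (explicit CPU pinning) takes precedence over suriprocs when both are set #}`, would make the intended order explicit to whoever next edits the pillar. The worker `threads:` value is derived from the length of the pin list, so the two settings cannot be combined, which is a further reason to state the precedence. The same applies to the matching deletion in the second hunk of this file.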
@@ -15,18 +29,4 @@ cpu-affinity:
 high: [ 3 ]
 default: "high"
 {% endload %}
-{% elif salt['pillar.get']('sensor:suripins') %}
- {% load_yaml as cpu_affinity%}
-cpu-affinity:
- - management-cpu-set:
- cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings
- - receive-cpu-set:
- cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings
- - worker-cpu-set:
- cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ]
- mode: "exclusive"
- threads: {{ salt['pillar.get']('sensor:suripins')|length }}
- prio:
- default: "high"
- {% endload %}
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/setup/so-functions b/setup/so-functions
index 027b81171..5485397e0 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -175,10 +175,8 @@ __check_so_status() {
 }
 __check_salt_master() {
- local salt_master_status
- salt_master_status=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" systemctl is-active --quiet salt-master)
- [[ -z $salt_master_status ]] && salt_master_status=1
- return $salt_master_status
+ $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" systemctl is-active --quiet salt-master
+ return $?
 }
 check_network_manager_conf() {
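Review bot: The rewritten `__check_salt_master` returns the ssh exit status verbatim, so a connection or key failure (ssh exits 255) is indistinguishable from an inactive salt-master (`systemctl is-active` exits non-zero, typically 3), and any caller that only tests for non-zero will report the master as down when the real problem is the remote login. Capture the status and treat 255 separately, e.g. `local rc; $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" systemctl is-active --quiet salt-master; rc=$?` followed by a branch for `rc -eq 255` that logs an ssh failure before returning. The trailing `return $?` is redundant, since a function already returns the status of its last command, and `$sshcmd` is expanded unquoted, which is fine if it is meant to carry options but deserves a comment saying so.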