diff --git a/exclude-list.txt b/exclude-list.txt
index 98efb2c36..e69de29bb 100644
--- a/exclude-list.txt
+++ b/exclude-list.txt
@@ -1,2 +0,0 @@
-salt/bro/files/local.bro
-salt/bro/files/local.bro.community
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
new file mode 100644
index 000000000..17d360b6c
--- /dev/null
+++ b/salt/common/tools/sbin/soup
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+clone_to_tmp() {
+
+ # TODO Need to add a air gap option
+ # Make a temp location for the files
+ rm -rf /tmp/soup
+ mkdir -p /tmp/soup
+ cd /tmp/soup
+ #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+ git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+
+}
+
+# Prompt the user that this requires internets
+
+clone_to_tmp
+cd /tmp/soup/securityonion-saltstack
+./soup
+
+
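Review bot: `cd /tmp/soup/securityonion-saltstack` and the following `./soup` have no failure handling, so if the clone fails (for example offline — the "requires internets" prompt mentioned in the comment above is not implemented) the `cd` silently fails and `./soup` is executed from whatever the current directory is; and the only `soup` this commit adds lives at `upgrade/soup`, not at the repository root, so the path looks wrong even on a successful clone — use `cd /tmp/soup/securityonion-saltstack || exit 1` and confirm the script's location. The work directory is the predictable, world-writable `/tmp/soup`, removed and recreated by root with `rm -rf` / `mkdir -p`, which a local user can race (e.g. by placing a symlink at `/tmp/soup` between the two commands) so that the clone and the subsequent execution happen somewhere else; prefer `tmpdir=$(mktemp -d)` with a `trap 'rm -rf -- "$tmpdir"' EXIT`. The clone is also unpinned — whatever the default branch holds at that moment is run as root — so at minimum check out a release tag (`git clone --branch <tag>`) and ideally verify a signed tag before executing anything from it.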
diff --git a/salt/registry/init.sls b/salt/registry/init.sls
index c0b4bf038..ed56d25ae 100644
--- a/salt/registry/init.sls
+++ b/salt/registry/init.sls
@@ -27,15 +27,15 @@ dockerregistryconf:
- source: salt://registry/etc/config.yml
# Copy the registry script
-dockerregistrybuild:
- file.managed:
- - name: /opt/so/conf/docker-registry/so-buildregistry
- - source: salt://registry/bin/so-buildregistry
- - mode: 755
+#dockerregistrybuild:
+# file.managed:
+# - name: /opt/so/conf/docker-registry/so-buildregistry
+# - source: salt://registry/bin/so-buildregistry
+# - mode: 755
-dockerexpandregistry:
- cmd.run:
- - name: /opt/so/conf/docker-registry/so-buildregistry
+#dockerexpandregistry:
+# cmd.run:
+# - name: /opt/so/conf/docker-registry/so-buildregistry
# Install the registry container
so-dockerregistry:
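Review bot: Commenting out `dockerregistrybuild` and `dockerexpandregistry` stops managing `/opt/so/conf/docker-registry/so-buildregistry` but leaves that script, and whatever its `cmd.run` did on previous highstates, in place on hosts that already applied this state; if the build step is being retired, replace the commented block with a `file.absent` state for that path (`- name: /opt/so/conf/docker-registry/so-buildregistry`) rather than leaving commented-out YAML in the file, which is otherwise dead text that git history already preserves. The `so-dockerregistry` state at the end of the hunk continues outside it.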
diff --git a/setup/so-functions b/setup/so-functions
index 7a516f95f..0ec8b53b0 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -17,6 +17,7 @@
SCRIPTDIR=$(dirname "$0")
source $SCRIPTDIR/so-whiptail
+SOVERSION=1.2.1
accept_salt_key_local() {
echo "Accept the key locally on the master" >> $SETUPLOG 2>&1
@@ -460,7 +461,7 @@ docker_registry() {
}
docker_seed_registry() {
- VERSION="HH1.1.4"
+ VERSION="HH$SOVERSION"
if [ $INSTALLTYPE != 'HELIXSENSOR' ]; then
TRUSTED_CONTAINERS=( \
"so-acng:$VERSION" \
@@ -743,7 +744,7 @@ master_static() {
touch /opt/so/saltstack/pillar/static.sls
echo "static:" > /opt/so/saltstack/pillar/static.sls
- echo " soversion: HH1.1.4" >> /opt/so/saltstack/pillar/static.sls
+ echo " soversion: $SOVERSION" >> /opt/so/saltstack/pillar/static.sls
echo " hnmaster: $HNMASTER" >> /opt/so/saltstack/pillar/static.sls
echo " ntpserver: $NTPSERVER" >> /opt/so/saltstack/pillar/static.sls
echo " proxy: $PROXY" >> /opt/so/saltstack/pillar/static.sls
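Review bot: The static pillar now receives `soversion: 1.2.1` (bare `$SOVERSION`) while `docker_seed_registry` in the hunk above tags and pushes images as `VERSION="HH$SOVERSION"`, i.e. `HH1.2.1`; before this change both sides were the same literal `HH1.1.4`. Any state that builds an image reference from the pillar's `soversion` would now look for a `1.2.1` tag that was never pushed to the local registry — presumably unintended, so either write `echo " soversion: HH$SOVERSION"` here or keep the prefix in one variable (e.g. `BUILD=HH`, as upgrade/so-update-functions does) and use it in both places. `master_static` starts before this hunk and continues past it.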
@@ -1412,6 +1413,11 @@ set_updates() {
fi
}
+set_version() {
+ # Drop a file with the current version
+ echo "$SOVERSION" > /etc/soversion
+}
+
update_sudoers() {
if ! grep -qE '^socore\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then
diff --git a/setup/so-setup b/setup/so-setup
index d3956a845..d9d10cf8c 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -159,6 +159,7 @@ if (whiptail_you_sure) ; then
calculate_useable_cores
whiptail_make_changes
set_hostname
+ set_version
clear_master
mkdir -p /nsm
get_filesystem_root
@@ -302,6 +303,7 @@ if (whiptail_you_sure) ; then
# Last Chance to back out
whiptail_make_changes
set_hostname
+ set_version
generate_passwords
auth_pillar
clear_master
@@ -570,6 +572,7 @@ if (whiptail_you_sure) ; then
fi
whiptail_make_changes
set_hostname
+ set_version
generate_passwords
auth_pillar
clear_master
diff --git a/so-setup-network b/so-setup-network
index a24fc76f5..ae9af4ffa 100755
--- a/so-setup-network
+++ b/so-setup-network
@@ -1,6 +1,6 @@
#!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
diff --git a/updatemaster b/updatemaster
deleted file mode 100644
index c66c01d86..000000000
--- a/updatemaster
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-# Clone github
-mkdir /tmp/sogh
-cd /tmp/sogh
-#git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
-git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
-cd securityonion-saltstack
-rsync -a --exclude-from 'exclude-list.txt' salt /opt/so/saltstack/
-chown -R socore:socore /opt/so/saltstack/salt
-chmod 755 /opt/so/saltstack/pillar/firewall/addfirewall.sh
-cd ~
-rm -rf /tmp/sogh
-# Run so-elastic-download here and call this soup with some magic
-salt-call state.highstate
diff --git a/upgrade/so-update-functions b/upgrade/so-update-functions
new file mode 100644
index 000000000..ccd208723
--- /dev/null
+++ b/upgrade/so-update-functions
@@ -0,0 +1,183 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Set the SO Version
+VERSION=1.2.1
+BUILD=HH
+OLDVERSION=$(cat /etc/soversion)
+
+clone_to_tmp() {
+
+ # TODO Need to add a air gap option
+ # Make a temp location for the files
+ mkdir /tmp/sogh
+ cd /tmp/sogh
+ #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+ git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+
+}
+
+detect_os() {
+
+ # Detect Base OS
+ echo "Detecting Base OS" >> $UPDATELOG 2>&1
+ if [ -f /etc/redhat-release ]; then
+ OS=centos
+ if grep -q "CentOS Linux release 7" /etc/redhat-release; then
+ OSVER=7
+ elif grep -q "CentOS Linux release 8" /etc/redhat-release; then
+ OSVER=8
+ echo "We currently do not support CentOS $OSVER but we are working on it!"
+ exit
+ else
+ echo "We do not support the version of CentOS you are trying to use"
+ exit
+ fi
+
+ elif [ -f /etc/os-release ]; then
+ OS=ubuntu
+ if grep -q "UBUNTU_CODENAME=bionic" /etc/os-release; then
+ OSVER=bionic
+ elif grep -q "UBUNTU_CODENAME=xenial" /etc/os-release; then
+ OSVER=xenial
+ else
+ echo "We do not support your current version of Ubuntu"
+ exit
+ fi
+ # Install network manager so we can do interface stuff
+ apt install -y network-manager
+ /bin/systemctl enable network-manager
+ /bin/systemctl start network-manager
+ else
+ echo "We were unable to determine if you are using a supported OS." >> $UPDATELOG 2>&1
+ exit
+ fi
+
+ echo "Found OS: $OS $OSVER" >> $UPDATELOG 2>&1
+
+}
+
+update_held_packages() {
+
+ if [ $OS == "centos" ]
+ SALTVER=2019.2.3
+ DOCKERVER=
+ yum -y --disableexcludes=all update salt-$SALTVER
+ yum -y --disableexcludes=all update docker-ce-$DOCKERVER
+ else
+ SALTVER=2019.2.3+ds-1
+ DOCKERVER=5:19.03.8~3-0~ubuntu-xenial
+ fi
+
+}
+
+update_all_packages() {
+
+ # Update all the things based on OS
+ if [ $OS == "centos" ]; then
+ yum -y update
+ else
+ apt -y update && apt -y upgrade
+ fi
+
+}
+
+update_docker_containers() {
+ if [ $INSTALLTYPE != 'HELIXSENSOR' ]; then
+ TRUSTED_CONTAINERS=( \
+ "so-acng:$BUILD$VERSION" \
+ "so-auth-api:$BUILD$VERSION" \
+ "so-auth-ui:$BUILD$VERSION" \
+ "so-core:$BUILD$VERSION" \
+ "so-thehive-cortex:$BUILD$VERSION" \
+ "so-curator:$BUILD$VERSION" \
+ "so-domainstats:$BUILD$VERSION" \
+ "so-elastalert:$BUILD$VERSION" \
+ "so-elasticsearch:$BUILD$VERSION" \
+ "so-filebeat:$BUILD$VERSION" \
+ "so-fleet:$BUILD$VERSION" \
+ "so-fleet-launcher:$BUILD$VERSION" \
+ "so-freqserver:$BUILD$VERSION" \
+ "so-grafana:$BUILD$VERSION" \
+ "so-idstools:$BUILD$VERSION" \
+ "so-influxdb:$BUILD$VERSION" \
+ "so-kibana:$BUILD$VERSION" \
+ "so-logstash:$BUILD$VERSION" \
+ "so-mysql:$BUILD$VERSION" \
+ "so-navigator:$BUILD$VERSION" \
+ "so-playbook:$BUILD$VERSION" \
+ "so-redis:$BUILD$VERSION" \
+ "so-sensoroni:$BUILD$VERSION" \
+ "so-soctopus:$BUILD$VERSION" \
+ "so-steno:$BUILD$VERSION" \
+ #"so-strelka:$BUILD$VERSION" \
+ "so-suricata:$BUILD$VERSION" \
+ "so-telegraf:$BUILD$VERSION" \
+ "so-thehive:$BUILD$VERSION" \
+ "so-thehive-es:$BUILD$VERSION" \
+ "so-wazuh:$BUILD$VERSION" \
+ "so-zeek:$BUILD$VERSION" )
+ else
+ TRUSTED_CONTAINERS=( \
+ "so-core:$BUILD$VERSION" \
+ "so-filebeat:$BUILD$VERSION" \
+ "so-idstools:$BUILD$VERSION" \
+ "so-logstash:$BUILD$VERSION" \
+ "so-redis:$BUILD$VERSION" \
+ "so-sensoroni:$BUILD$VERSION" \
+ "so-steno:$BUILD$VERSION" \
+ "so-suricata:$BUILD$VERSION" \
+ "so-telegraf:$BUILD$VERSION" \
+ "so-zeek:$BUILD$VERSION" )
+ fi
+
+ # Download the container from the interwebs
+ for i in "${TRUSTED_CONTAINERS[@]}"
+ do
+ # Pull down the trusted docker image
+ echo "Downloading $i"
+ docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+ # Tag it with the new registry destination
+ docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+ docker push $HOSTNAME:5000/soshybridhunter/$i
+ done
+
+ for i in "${TRUSTED_CONTAINERS[@]}"
+ do
+ echo "Removing $i locally"
+ docker rmi soshybridhunter/$i
+ done
+
+}
+update_hh_version() {
+ # Change the version number in the static pillar
+
+}
+
+# Clone github
+mkdir /tmp/sogh
+cd /tmp/sogh
+#git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+cd securityonion-saltstack
+rsync -a --exclude-from 'exclude-list.txt' salt /opt/so/saltstack/
+chown -R socore:socore /opt/so/saltstack/salt
+chmod 755 /opt/so/saltstack/pillar/firewall/addfirewall.sh
+cd ~
+rm -rf /tmp/sogh
+# Run so-elastic-download here and call this soup with some magic
+salt-call state.highstate
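Review bot: `update_held_packages` is missing `; then` after `if [ $OS == "centos" ]`, and `update_hh_version` has an empty body (a comment only), both of which are bash syntax errors, so `source so-update-functions` in upgrade/soup aborts at the first one before `update_all_packages` is even defined; fix with `if [ "$OS" == "centos" ]; then` and put a `:` placeholder in the empty function. The block after the functions (`mkdir /tmp/sogh` through `salt-call state.highstate`) runs at source time, so merely loading the functions clones the repository, rsyncs it over `/opt/so/saltstack` and runs a highstate as root before soup has done anything — that should move into a function soup calls explicitly. That clone is unpinned (no tag or commit), goes into the predictable `/tmp/sogh` which `mkdir` without `-p` refuses to recreate if it exists, and the unchecked `cd` means `rsync -a ... salt /opt/so/saltstack/` then copies from whatever directory the script happens to be in; for code that is executed as root use `tmpdir=$(mktemp -d)`, `cd "$tmpdir" || exit 1`, and check out a release tag. `$INSTALLTYPE` and `$UPDATELOG` are never set in this file (they presumably come from the setup scripts), so `[ $INSTALLTYPE != 'HELIXSENSOR' ]` raises a unary-operator error and every node falls through to the Helix container list, `DOCKERVER=` is empty on CentOS so the yum line becomes `update docker-ce-`, and the Ubuntu branch sets versions it never installs.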
diff --git a/upgrade/soup b/upgrade/soup
new file mode 100644
index 000000000..6ae8def42
--- /dev/null
+++ b/upgrade/soup
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+SCRIPTDIR=$(dirname "$0")
+source $SCRIPTDIR/so-update-functions
+
+# Update Packages
+update_all_packages
+update_held_packages
+
+
+
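Review bot: `$OS` is assigned only by `detect_os`, which this script never calls, so in `update_all_packages` the test `[ $OS == "centos" ]` expands to `[ == "centos" ]`, fails with a unary-operator error and falls through to the `apt` branch on every host including CentOS; call `detect_os` before the package functions and quote the variable (`[ "$OS" == "centos" ]`). The order is also inverted for its stated purpose: `update_all_packages` runs an unrestricted `yum -y update` / `apt -y upgrade` first, so salt and docker are already moved off the pinned versions before `update_held_packages` runs, unless package holds exist outside this diff. `source "$SCRIPTDIR/so-update-functions"` should be quoted, and because that file ends with a top-level clone/rsync/highstate block, sourcing it performs the whole upgrade before either function here is invoked. There is no `set -euo pipefail` and no check that the script runs as root, although every step requires it.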