From 73be1d092737ca53bb57cdacff6a0ec0abcfc800 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 17 Mar 2020 17:06:37 -0400 Subject: [PATCH] Update Stuff Round 1 --- exclude-list.txt | 2 - salt/common/tools/sbin/soup | 36 +++++++ salt/registry/init.sls | 16 ++-- setup/so-functions | 10 +- setup/so-setup | 3 + so-setup-network | 2 +- updatemaster | 15 --- upgrade/so-update-functions | 183 ++++++++++++++++++++++++++++++++++++ upgrade/soup | 26 +++++ 9 files changed, 265 insertions(+), 28 deletions(-) create mode 100644 salt/common/tools/sbin/soup delete mode 100644 updatemaster create mode 100644 upgrade/so-update-functions create mode 100644 upgrade/soup diff --git a/exclude-list.txt b/exclude-list.txt index 98efb2c36..e69de29bb 100644 --- a/exclude-list.txt +++ b/exclude-list.txt @@ -1,2 +0,0 @@ -salt/bro/files/local.bro -salt/bro/files/local.bro.community diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup new file mode 100644 index 000000000..17d360b6c --- /dev/null +++ b/salt/common/tools/sbin/soup 
@@ -0,0 +1,36 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +clone_to_tmp() { + + # TODO Need to add a air gap option + # Make a temp location for the files + rm -rf /tmp/soup + mkdir -p /tmp/soup + cd /tmp/soup + #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git + git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git + +} + +# Prompt the user that this requires internets + +clone_to_tmp +cd /tmp/soup/securityonion-saltstack +./soup + + diff --git a/salt/registry/init.sls b/salt/registry/init.sls index c0b4bf038..ed56d25ae 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls @@ -27,15 +27,15 @@ dockerregistryconf: - source: salt://registry/etc/config.yml # Copy the registry script -dockerregistrybuild: - file.managed: - - name: /opt/so/conf/docker-registry/so-buildregistry - - source: salt://registry/bin/so-buildregistry - - mode: 755 +#dockerregistrybuild: +# file.managed: +# - name: /opt/so/conf/docker-registry/so-buildregistry +# - source: salt://registry/bin/so-buildregistry +# - mode: 755 -dockerexpandregistry: - cmd.run: - - name: /opt/so/conf/docker-registry/so-buildregistry +#dockerexpandregistry: +# cmd.run: +# - name: /opt/so/conf/docker-registry/so-buildregistry # Install the registry container so-dockerregistry: 
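Review bot: clone_to_tmp in the new salt/common/tools/sbin/soup works in a fixed path under /tmp: `rm -rf /tmp/soup`, `mkdir -p /tmp/soup` and an unchecked `cd /tmp/soup` leave a window in which another local user can pre-create or swap that directory. The script then runs `./soup` from whatever ends up there, presumably as root. Use a private directory instead, `SOUPDIR=$(mktemp -d) || exit 1` and `cd "$SOUPDIR" || exit 1`, and exit if `git clone` fails rather than falling through to `cd` and `./soup`. The clone also takes the default branch with no tag or signature check, so the updater executes whatever is at the tip; checking out a release tag and verifying it with `git verify-tag` before running it would narrow that.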
diff --git a/setup/so-functions b/setup/so-functions index 7a516f95f..0ec8b53b0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -17,6 +17,7 @@ SCRIPTDIR=$(dirname "$0") source $SCRIPTDIR/so-whiptail +SOVERSION=1.2.1 accept_salt_key_local() { echo "Accept the key locally on the master" >> $SETUPLOG 2>&1 @@ -460,7 +461,7 @@ docker_registry() { } docker_seed_registry() { - VERSION="HH1.1.4" + VERSION="HH$SOVERSION" if [ $INSTALLTYPE != 'HELIXSENSOR' ]; then TRUSTED_CONTAINERS=( \ "so-acng:$VERSION" \ @@ -743,7 +744,7 @@ master_static() { touch /opt/so/saltstack/pillar/static.sls echo "static:" > /opt/so/saltstack/pillar/static.sls - echo " soversion: HH1.1.4" >> /opt/so/saltstack/pillar/static.sls + echo " soversion: $SOVERSION" >> /opt/so/saltstack/pillar/static.sls echo " hnmaster: $HNMASTER" >> /opt/so/saltstack/pillar/static.sls echo " ntpserver: $NTPSERVER" >> /opt/so/saltstack/pillar/static.sls echo " proxy: $PROXY" >> /opt/so/saltstack/pillar/static.sls @@ -1412,6 +1413,11 @@ set_updates() { fi } +set_version() { + # Drop a file with the current version + echo "$SOVERSION" > /etc/soversion +} + update_sudoers() { if ! grep -qE '^socore\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then diff --git a/setup/so-setup b/setup/so-setup index d3956a845..d9d10cf8c 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -159,6 +159,7 @@ if (whiptail_you_sure) ; then calculate_useable_cores whiptail_make_changes set_hostname + set_version clear_master mkdir -p /nsm get_filesystem_root @@ -302,6 +303,7 @@ if (whiptail_you_sure) ; then # Last Chance to back out whiptail_make_changes set_hostname + set_version generate_passwords auth_pillar clear_master @@ -570,6 +572,7 @@ if (whiptail_you_sure) ; then fi whiptail_make_changes set_hostname + set_version generate_passwords auth_pillar clear_master diff --git a/so-setup-network b/so-setup-network index a24fc76f5..ae9af4ffa 100755 --- a/so-setup-network +++ b/so-setup-network 
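Review bot: In the master_static hunk the pillar value changes from `HH1.1.4` to `$SOVERSION`, which expands to `1.2.1` without the `HH` prefix, while docker_seed_registry in the same file still builds its tags as `HH$SOVERSION`. If any state reads `static:soversion` as a container tag (not visible in this diff), it will no longer match the seeded images; either write `echo " soversion: HH$SOVERSION"` or confirm the consumers expect the bare number. The version is also now defined twice, here as `SOVERSION=1.2.1` and again as `VERSION=1.2.1` in the new upgrade/so-update-functions, so the two can drift on the next bump. Both function bodies continue outside the hunks shown.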
@@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/updatemaster b/updatemaster deleted file mode 100644 index c66c01d86..000000000 --- a/updatemaster +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash - -# Clone github -mkdir /tmp/sogh -cd /tmp/sogh -#git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git -git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git -cd securityonion-saltstack -rsync -a --exclude-from 'exclude-list.txt' salt /opt/so/saltstack/ -chown -R socore:socore /opt/so/saltstack/salt -chmod 755 /opt/so/saltstack/pillar/firewall/addfirewall.sh -cd ~ -rm -rf /tmp/sogh -# Run so-elastic-download here and call this soup with some magic -salt-call state.highstate diff --git a/upgrade/so-update-functions b/upgrade/so-update-functions new file mode 100644 index 000000000..ccd208723 --- /dev/null +++ b/upgrade/so-update-functions 
@@ -0,0 +1,183 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Set the SO Version
+VERSION=1.2.1
+BUILD=HH
+OLDVERSION=$(cat /etc/soversion)
+
+clone_to_tmp() {
+
+ # TODO Need to add a air gap option
+ # Make a temp location for the files
+ mkdir /tmp/sogh
+ cd /tmp/sogh
+ #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+ git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+
+}
+
+detect_os() {
+
+ # Detect Base OS
+ echo "Detecting Base OS" >> $UPDATELOG 2>&1
+ if [ -f /etc/redhat-release ]; then
+ OS=centos
+ if grep -q "CentOS Linux release 7" /etc/redhat-release; then
+ OSVER=7
+ elif grep -q "CentOS Linux release 8" /etc/redhat-release; then
+ OSVER=8
+ echo "We currently do not support CentOS $OSVER but we are working on it!"
+ exit
+ else
+ echo "We do not support the version of CentOS you are trying to use"
+ exit
+ fi
+
+ elif [ -f /etc/os-release ]; then
+ OS=ubuntu
+ if grep -q "UBUNTU_CODENAME=bionic" /etc/os-release; then
+ OSVER=bionic
+ elif grep -q "UBUNTU_CODENAME=xenial" /etc/os-release; then
+ OSVER=xenial
+ else
+ echo "We do not support your current version of Ubuntu"
+ exit
+ fi
+ # Install network manager so we can do interface stuff
+ apt install -y network-manager
+ /bin/systemctl enable network-manager
+ /bin/systemctl start network-manager
+ else
+ echo "We were unable to determine if you are using a supported OS." >> $UPDATELOG 2>&1
+ exit
+ fi
+
+ echo "Found OS: $OS $OSVER" >> $UPDATELOG 2>&1
+
+}
+
+update_held_packages() {
+
+ if [ $OS == "centos" ]
+ SALTVER=2019.2.3
+ DOCKERVER=
+ yum -y --disableexcludes=all update salt-$SALTVER
+ yum -y --disableexcludes=all update docker-ce-$DOCKERVER
+ else
+ SALTVER=2019.2.3+ds-1
+ DOCKERVER=5:19.03.8~3-0~ubuntu-xenial
+ fi
+
+}
+
+update_all_packages() {
+
+ # Update all the things based on OS
+ if [ $OS == "centos" ]; then
+ yum -y update
+ else
+ apt -y update && apt -y upgrade
+ fi
+
+}
+
+update_docker_containers() {
+ if [ $INSTALLTYPE != 'HELIXSENSOR' ]; then
+ TRUSTED_CONTAINERS=( \
+ "so-acng:$BUILD$VERSION" \
+ "so-auth-api:$BUILD$VERSION" \
+ "so-auth-ui:$BUILD$VERSION" \
+ "so-core:$BUILD$VERSION" \
+ "so-thehive-cortex:$BUILD$VERSION" \
+ "so-curator:$BUILD$VERSION" \
+ "so-domainstats:$BUILD$VERSION" \
+ "so-elastalert:$BUILD$VERSION" \
+ "so-elasticsearch:$BUILD$VERSION" \
+ "so-filebeat:$BUILD$VERSION" \
+ "so-fleet:$BUILD$VERSION" \
+ "so-fleet-launcher:$BUILD$VERSION" \
+ "so-freqserver:$BUILD$VERSION" \
+ "so-grafana:$BUILD$VERSION" \
+ "so-idstools:$BUILD$VERSION" \
+ "so-influxdb:$BUILD$VERSION" \
+ "so-kibana:$BUILD$VERSION" \
+ "so-logstash:$BUILD$VERSION" \
+ "so-mysql:$BUILD$VERSION" \
+ "so-navigator:$BUILD$VERSION" \
+ "so-playbook:$BUILD$VERSION" \
+ "so-redis:$BUILD$VERSION" \
+ "so-sensoroni:$BUILD$VERSION" \
+ "so-soctopus:$BUILD$VERSION" \
+ "so-steno:$BUILD$VERSION" \
+ #"so-strelka:$BUILD$VERSION" \
+ "so-suricata:$BUILD$VERSION" \
+ "so-telegraf:$BUILD$VERSION" \
+ "so-thehive:$BUILD$VERSION" \
+ "so-thehive-es:$BUILD$VERSION" \
+ "so-wazuh:$BUILD$VERSION" \
+ "so-zeek:$BUILD$VERSION" )
+ else
+ TRUSTED_CONTAINERS=( \
+ "so-core:$BUILD$VERSION" \
+ "so-filebeat:$BUILD$VERSION" \
+ "so-idstools:$BUILD$VERSION" \
+ "so-logstash:$BUILD$VERSION" \
+ "so-redis:$BUILD$VERSION" \
+ "so-sensoroni:$BUILD$VERSION" \
+ "so-steno:$BUILD$VERSION" \
+ "so-suricata:$BUILD$VERSION" \
+ "so-telegraf:$BUILD$VERSION" \
+ "so-zeek:$BUILD$VERSION" )
+ fi
+
+ # Download the container from the interwebs
+ for i in "${TRUSTED_CONTAINERS[@]}"
+ do
+ # Pull down the trusted docker image
+ echo "Downloading $i"
+ docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+ # Tag it with the new registry destination
+ docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+ docker push $HOSTNAME:5000/soshybridhunter/$i
+ done
+
+ for i in "${TRUSTED_CONTAINERS[@]}"
+ do
+ echo "Removing $i locally"
+ docker rmi soshybridhunter/$i
+ done
+
+}
+update_hh_version() {
+ # Change the version number in the static pillar
+
+}
+
+# Clone github
+mkdir /tmp/sogh
+cd /tmp/sogh
+#git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+cd securityonion-saltstack
+rsync -a --exclude-from 'exclude-list.txt' salt /opt/so/saltstack/
+chown -R socore:socore /opt/so/saltstack/salt
+chmod 755 /opt/so/saltstack/pillar/firewall/addfirewall.sh
+cd ~
+rm -rf /tmp/sogh
+# Run so-elastic-download here and call this soup with some magic
+salt-call state.highstate
diff --git a/upgrade/soup b/upgrade/soup
new file mode 100644
index 000000000..6ae8def42
--- /dev/null
+++ b/upgrade/soup
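Review bot: upgrade/so-update-functions cannot be sourced as written. In update_held_packages `if [ $OS == "centos" ]` has no `then`, and update_hh_version has a body holding only a comment; both are bash syntax errors. The minimal fixes are `if [ "$OS" == "centos" ]; then` and a `:` placeholder in the empty function. The statements after update_hh_version (`mkdir /tmp/sogh` through `salt-call state.highstate`) run at source time, so any script that sources this file clones the tip of the repository into a predictable /tmp path, rsyncs it into /opt/so/saltstack and highstates, with no check on `mkdir`, `cd` or `git clone`. They duplicate clone_to_tmp and belong in a function that uses `mktemp -d` and stops on failure. `DOCKERVER=` is also empty in the centos branch, so yum is asked for the package `docker-ce-`.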
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+SCRIPTDIR=$(dirname "$0")
+source $SCRIPTDIR/so-update-functions
+
+# Update Packages
+update_all_packages
+update_held_packages
+
+
+
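Review bot: update_all_packages and update_held_packages both branch on `$OS`, but upgrade/soup never calls detect_os, so `[ $OS == "centos" ]` is evaluated with OS empty, fails with a test error and falls into the apt branch on every host. Call `detect_os` before the update steps and set `UPDATELOG` first, since detect_os appends to it and neither new file defines it. The source line should be quoted and checked, `source "$SCRIPTDIR/so-update-functions" || exit 1`, so a failed load does not continue into undefined functions. A check that the script is running as root before touching packages would also help.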