Update Stuff Round 1

2025-12-06 09:12:45 +01:00 · 2020-03-17 17:06:37 -04:00
parent 2e72816d2a
commit 73be1d0927
9 changed files with 265 additions and 28 deletions
--- a/exclude-list.txt
+++ b/exclude-list.txt
@@ -1,2 +0,0 @@
-salt/bro/files/local.bro
-salt/bro/files/local.bro.community
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+clone_to_tmp() {
+
+  # TODO Need to add a air gap option
+  # Make a temp location for the files
+  rm -rf /tmp/soup
+  mkdir -p /tmp/soup
+  cd /tmp/soup
+  #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+  git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+
+}
+
+# Prompt the user that this requires internets
+
+clone_to_tmp
+cd /tmp/soup/securityonion-saltstack
+./soup
+
+
--- a/salt/registry/init.sls
+++ b/salt/registry/init.sls
@@ -27,15 +27,15 @@ dockerregistryconf:
    - source: salt://registry/etc/config.yml

 # Copy the registry script
-dockerregistrybuild:
-  file.managed:
-    - name: /opt/so/conf/docker-registry/so-buildregistry
-    - source: salt://registry/bin/so-buildregistry
-    - mode: 755
+#dockerregistrybuild:
+#  file.managed:
+#    - name: /opt/so/conf/docker-registry/so-buildregistry
+#    - source: salt://registry/bin/so-buildregistry
+#    - mode: 755

-dockerexpandregistry:
- cmd.run:
-   - name: /opt/so/conf/docker-registry/so-buildregistry
+#dockerexpandregistry:
+# cmd.run:
+#   - name: /opt/so/conf/docker-registry/so-buildregistry

 # Install the registry container
 so-dockerregistry:
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -17,6 +17,7 @@

 SCRIPTDIR=$(dirname "$0")
 source $SCRIPTDIR/so-whiptail
+SOVERSION=1.2.1

 accept_salt_key_local() {
  echo "Accept the key locally on the master" >> $SETUPLOG 2>&1
@@ -460,7 +461,7 @@ docker_registry() {

 }
 docker_seed_registry() {
-  VERSION="HH1.1.4"
+  VERSION="HH$SOVERSION"
  if [ $INSTALLTYPE != 'HELIXSENSOR' ]; then
    TRUSTED_CONTAINERS=( \
    "so-acng:$VERSION" \
@@ -743,7 +744,7 @@ master_static() {
  touch /opt/so/saltstack/pillar/static.sls

  echo "static:" > /opt/so/saltstack/pillar/static.sls
-  echo "  soversion: HH1.1.4" >> /opt/so/saltstack/pillar/static.sls
+  echo "  soversion: $SOVERSION" >> /opt/so/saltstack/pillar/static.sls
  echo "  hnmaster: $HNMASTER" >> /opt/so/saltstack/pillar/static.sls
  echo "  ntpserver: $NTPSERVER" >> /opt/so/saltstack/pillar/static.sls
  echo "  proxy: $PROXY" >> /opt/so/saltstack/pillar/static.sls
@@ -1412,6 +1413,11 @@ set_updates() {
    fi
 }

+set_version() {
+  # Drop a file with the current version
+  echo "$SOVERSION" > /etc/soversion
+}
+
 update_sudoers() {

  if ! grep -qE '^socore\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -159,6 +159,7 @@ if (whiptail_you_sure) ; then
    calculate_useable_cores
    whiptail_make_changes
    set_hostname
+    set_version
    clear_master
    mkdir -p /nsm
    get_filesystem_root
@@ -302,6 +303,7 @@ if (whiptail_you_sure) ; then
    # Last Chance to back out
    whiptail_make_changes
    set_hostname
+    set_version
    generate_passwords
    auth_pillar
    clear_master
@@ -570,6 +572,7 @@ if (whiptail_you_sure) ; then
    fi
    whiptail_make_changes
    set_hostname
+    set_version
    generate_passwords
    auth_pillar
    clear_master
--- a/2
+++ b/2
@@ -1,6 +1,6 @@
 #!/bin/bash

-# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC

 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
--- a/15
+++ b/15
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-# Clone github
-mkdir /tmp/sogh
-cd /tmp/sogh
-#git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
-git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
-cd securityonion-saltstack
-rsync -a --exclude-from 'exclude-list.txt' salt /opt/so/saltstack/
-chown -R socore:socore /opt/so/saltstack/salt
-chmod 755 /opt/so/saltstack/pillar/firewall/addfirewall.sh
-cd ~
-rm -rf /tmp/sogh
-# Run so-elastic-download here and call this soup with some magic
-salt-call state.highstate
--- a/upgrade/so-update-functions
+++ b/upgrade/so-update-functions
@@ -0,0 +1,183 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Set the SO Version
+VERSION=1.2.1
+BUILD=HH
+OLDVERSION=$(cat /etc/soversion)
+
+clone_to_tmp() {
+
+  # TODO Need to add a air gap option
+  # Make a temp location for the files
+  mkdir /tmp/sogh
+  cd /tmp/sogh
+  #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+  git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+
+}
+
+detect_os() {
+
+  # Detect Base OS
+  echo "Detecting Base OS" >> $UPDATELOG 2>&1
+  if [ -f /etc/redhat-release ]; then
+    OS=centos
+    if grep -q "CentOS Linux release 7" /etc/redhat-release; then
+      OSVER=7
+    elif grep -q "CentOS Linux release 8" /etc/redhat-release; then
+      OSVER=8
+      echo "We currently do not support CentOS $OSVER but we are working on it!"
+      exit
+    else
+      echo "We do not support the version of CentOS you are trying to use"
+      exit
+    fi
+
+  elif [ -f /etc/os-release ]; then
+    OS=ubuntu
+    if grep -q "UBUNTU_CODENAME=bionic" /etc/os-release; then
+      OSVER=bionic
+    elif grep -q "UBUNTU_CODENAME=xenial" /etc/os-release; then
+      OSVER=xenial
+    else
+      echo "We do not support your current version of Ubuntu"
+      exit
+    fi
+    # Install network manager so we can do interface stuff
+    apt install -y network-manager
+    /bin/systemctl enable network-manager
+    /bin/systemctl start network-manager
+  else
+    echo "We were unable to determine if you are using a supported OS." >> $UPDATELOG 2>&1
+    exit
+  fi
+
+  echo "Found OS: $OS $OSVER" >> $UPDATELOG 2>&1
+
+}
+
+update_held_packages() {
+
+    if [ $OS == "centos" ]
+      SALTVER=2019.2.3
+      DOCKERVER=
+      yum -y --disableexcludes=all update salt-$SALTVER
+      yum -y --disableexcludes=all update docker-ce-$DOCKERVER
+    else
+      SALTVER=2019.2.3+ds-1
+      DOCKERVER=5:19.03.8~3-0~ubuntu-xenial
+    fi 
+
+}
+
+update_all_packages() {
+  
+  # Update all the things based on OS
+  if [ $OS == "centos" ]; then
+    yum -y update
+  else
+    apt -y update && apt -y upgrade
+  fi
+
+}
+
+update_docker_containers() {
+  if [ $INSTALLTYPE != 'HELIXSENSOR' ]; then
+    TRUSTED_CONTAINERS=( \
+    "so-acng:$BUILD$VERSION" \
+    "so-auth-api:$BUILD$VERSION" \
+    "so-auth-ui:$BUILD$VERSION" \
+    "so-core:$BUILD$VERSION" \
+    "so-thehive-cortex:$BUILD$VERSION" \
+    "so-curator:$BUILD$VERSION" \
+    "so-domainstats:$BUILD$VERSION" \
+    "so-elastalert:$BUILD$VERSION" \
+    "so-elasticsearch:$BUILD$VERSION" \
+    "so-filebeat:$BUILD$VERSION" \
+    "so-fleet:$BUILD$VERSION" \
+    "so-fleet-launcher:$BUILD$VERSION" \
+    "so-freqserver:$BUILD$VERSION" \
+    "so-grafana:$BUILD$VERSION" \
+    "so-idstools:$BUILD$VERSION" \
+    "so-influxdb:$BUILD$VERSION" \
+    "so-kibana:$BUILD$VERSION" \
+    "so-logstash:$BUILD$VERSION" \
+    "so-mysql:$BUILD$VERSION" \
+    "so-navigator:$BUILD$VERSION" \
+    "so-playbook:$BUILD$VERSION" \
+    "so-redis:$BUILD$VERSION" \
+    "so-sensoroni:$BUILD$VERSION" \
+    "so-soctopus:$BUILD$VERSION" \
+    "so-steno:$BUILD$VERSION" \
+    #"so-strelka:$BUILD$VERSION" \
+    "so-suricata:$BUILD$VERSION" \
+    "so-telegraf:$BUILD$VERSION" \
+    "so-thehive:$BUILD$VERSION" \
+    "so-thehive-es:$BUILD$VERSION" \
+    "so-wazuh:$BUILD$VERSION" \
+    "so-zeek:$BUILD$VERSION" )
+  else
+    TRUSTED_CONTAINERS=( \
+    "so-core:$BUILD$VERSION" \
+    "so-filebeat:$BUILD$VERSION" \
+    "so-idstools:$BUILD$VERSION" \
+    "so-logstash:$BUILD$VERSION" \
+    "so-redis:$BUILD$VERSION" \
+    "so-sensoroni:$BUILD$VERSION" \
+    "so-steno:$BUILD$VERSION" \
+    "so-suricata:$BUILD$VERSION" \
+    "so-telegraf:$BUILD$VERSION" \
+    "so-zeek:$BUILD$VERSION" )
+  fi
+
+  # Download the container from the interwebs
+  for i in "${TRUSTED_CONTAINERS[@]}"
+  do
+    # Pull down the trusted docker image
+    echo "Downloading $i"
+    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+    # Tag it with the new registry destination
+    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+    docker push $HOSTNAME:5000/soshybridhunter/$i
+  done
+
+  for i in "${TRUSTED_CONTAINERS[@]}"
+  do
+    echo "Removing $i locally"
+    docker rmi soshybridhunter/$i
+  done
+  
+}
+update_hh_version() {
+  # Change the version number in the static pillar
+
+}
+
+# Clone github
+mkdir /tmp/sogh
+cd /tmp/sogh
+#git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+cd securityonion-saltstack
+rsync -a --exclude-from 'exclude-list.txt' salt /opt/so/saltstack/
+chown -R socore:socore /opt/so/saltstack/salt
+chmod 755 /opt/so/saltstack/pillar/firewall/addfirewall.sh
+cd ~
+rm -rf /tmp/sogh
+# Run so-elastic-download here and call this soup with some magic
+salt-call state.highstate
--- a/upgrade/soup
+++ b/upgrade/soup
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+SCRIPTDIR=$(dirname "$0")
+source $SCRIPTDIR/so-update-functions
+
+# Update Packages
+update_all_packages
+update_held_packages
+
+
+