From 02a96c409e7b957e22fdeb4d0328e39fd4bfa8a5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 09:52:57 -0400 Subject: [PATCH 01/27] Update HOTFIX --- HOTFIX | 1 + 1 file changed, 1 insertion(+) diff --git a/HOTFIX b/HOTFIX index e69de29bb..6711b0853 100644 --- a/HOTFIX +++ b/HOTFIX @@ -0,0 +1 @@ +04012022 From d95391505fb215cea276e900bc4ef53b64fcfc46 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Fri, 1 Apr 2022 09:55:03 -0400 Subject: [PATCH 02/27] Update minion.defaults.yaml --- salt/salt/minion.defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index ef7bfe37c..68e044db8 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml @@ -2,6 +2,6 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3004 + version: 3004.1 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default service_start_delay: 30 # in seconds. From f71fcdaed7fc05fa6104dc3024f724be97cc5225 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Fri, 1 Apr 2022 09:55:55 -0400 Subject: [PATCH 03/27] salt 3004.1 --- salt/salt/master.defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index 8d5e85e15..a07f22865 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml @@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: master: - version: 3004 + version: 3004.1 From 45dd7d47582fa55134dd046b6d6d2921618b1207 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Fri, 1 Apr 2022 11:17:38 -0400 Subject: [PATCH 04/27] salt 3004.1 in setup --- setup/so-functions | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index b71648fbe..0047fe4a2 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2277,13 +2277,13 @@ saltify() { # Download Ubuntu Keys in case manager updates = 1 logCmd "mkdir -vp /opt/so/gpg" if [[ ! $is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004" + logCmd "yum -y install salt-master-3004.1" fi logCmd "systemctl enable salt-master" ;; @@ -2295,7 +2295,7 @@ saltify() { fi set_progress_str 8 'Installing salt-minion & python modules' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-minion-3004 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" fi logCmd "systemctl enable salt-minion" 
@@ -2334,8 +2334,8 @@ saltify() { 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR') # Add saltstack repo(s) - wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 + echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 @@ -2343,7 +2343,7 @@ saltify() { # Get gpg keys mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 
@@ -2356,7 +2356,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' retry 50 10 "apt-get -y install sqlite3 libssl-dev" >> "$setup_log" 2>&1 || exit 1 set_progress_str 7 'Installing salt-master' - retry 50 10 "apt-get -y install salt-master=3004+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-master=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1 ;; *) @@ -2367,14 +2367,14 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" ;; esac retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 set_progress_str 8 'Installing salt-minion & python modules' - retry 50 10 "apt-get -y install salt-minion=3004+ds-1 salt-common=3004+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-minion=3004.1+ds-1 salt-common=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" >> "$setup_log" 2>&1 || exit 1 fi From 48e40513ff3b0cc5de9f734aba9fdccb625b268c Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Fri, 1 Apr 2022 15:53:48 -0400 Subject: [PATCH 05/27] remove influx patch state files --- salt/salt/minion.sls | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index cf26c1249..a35746db7 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls @@ -31,6 +31,22 @@ install_salt_minion: exec 1>&- # close stdout exec 2>&- # close stderr nohup /bin/sh -c '{{ UPGRADECOMMAND }}' & + + {# if we are the salt master #} + {% if grains.id.split('_')|first == grains.master %} +remove_influxdb_continuous_query_state_file: + file.absent: + - name: /opt/so/state/influxdb_continuous_query.py.patched + +remove_influxdbmod_state_file: + file.absent: + - name: /opt/so/state/influxdbmod.py.patched + +remove_influxdb_retention_policy_state_file: + file.absent: + - name: /opt/so/state/influxdb_retention_policy.py.patched + {% endif %} + {% endif %} {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %} From 127420b4725576702b3d7c3ee3e398d5cdf5aa68 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 4 Apr 2022 10:39:44 -0400 Subject: [PATCH 06/27] hotfix function for 2.3.10 hotfix 1 --- salt/common/tools/sbin/soup | 55 ++++++++++++++++++++++++++----------- 1 file changed, 39 insertions(+), 16 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 42c7b43bf..72777831e 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -889,11 +889,27 @@ upgrade_salt() { apt-mark hold "salt-master" apt-mark hold "salt-minion" fi + + echo "Checking if Salt was upgraded." + echo "" + # Check that Salt was upgraded + SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}') + if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then + echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." + echo "Once the issue is resolved, run soup again." + echo "Exiting." + echo "" + exit 0 + else + echo "Salt upgrade success." + echo "" + fi + } update_repo() { - echo "Performing repo changes." if [[ "$OS" == "centos" ]]; then + echo "Performing repo changes." # Import GPG Keys gpg_rpm_import echo "Disabling fastestmirror." @@ -945,6 +961,8 @@ verify_latest_update_script() { apply_hotfix() { if [[ "$INSTALLEDVERSION" == "2.3.90" ]] ; then fix_wazuh + elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then + 2_3_10_hotfix_1 else echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" fi @@ -966,6 +984,26 @@ fix_wazuh() { fi } +#upgrade salt to 3004.1 +2_3_10_hotfix_1() { + systemctl_func "stop" "$cron_service_name" + # update mine items prior to stopping salt-minion and salt-master + update_salt_mine + stop_salt_minion + stop_salt_master + update_repo + # Does salt need upgraded. If so update it. + if [[ $UPGRADESALT -eq 1 ]]; then + echo "Upgrading Salt" + # Update the repo files so it can actually upgrade + upgrade_salt + fi + systemctl_func "start" "salt-master" + systemctl_func "start" "salt-minion" + systemctl_func "start" "$cron_service_name" + +} + main() { trap 'check_err $?' EXIT 
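Review bot: The failure branch of the version check added at the end of `upgrade_salt()` finishes with `exit 0`, so a Salt upgrade that did not take effect is reported to the caller as success. Anything wrapping soup, and the `trap 'check_err $?' EXIT` handler set in `main()`, sees a zero status and cannot tell that the manager is still on the old Salt version; `exit 1` would surface it. The message "Check of indicators of failure" presumably should read `Check for indicators of failure in $SOUP_LOG.` The start of `upgrade_salt()` lies outside the hunk.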
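Review bot: `2_3_10_hotfix_1()` stops cron, salt-minion and salt-master before it calls `upgrade_salt`, and the failure branch of `upgrade_salt` ends the script with `exit 0`, which skips the three `systemctl_func "start"` calls at the bottom of the function. With a zero status the recovery branch of `check_err` appears not to run either (only part of it is visible on this page), so a failed hotfix could leave the grid with Salt and cron stopped. Restart the services on every exit path, or exit non-zero so the trap can handle it. The function name says 2.3.10 while `apply_hotfix` dispatches on `"2.3.110"`; `2_3_110_hotfix_1` would match.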
@@ -1080,21 +1118,6 @@ main() { echo "Upgrading Salt" # Update the repo files so it can actually upgrade upgrade_salt - - echo "Checking if Salt was upgraded." - echo "" - # Check that Salt was upgraded - SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}') - if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then - echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." - echo "Once the issue is resolved, run soup again." - echo "Exiting." - echo "" - exit 0 - else - echo "Salt upgrade success." - echo "" - fi fi preupgrade_changes From 1e955e0d38b9e09a4584ded2e7a2a9bfaa85e39e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 4 Apr 2022 11:28:03 -0400 Subject: [PATCH 07/27] enable highstate before highstate run for hotfix --- salt/common/tools/sbin/soup | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 72777831e..9d8329b03 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -93,8 +93,7 @@ check_err() { fi set +e systemctl_func "start" "$cron_service_name" - echo "Ensuring highstate is enabled." - salt-call state.enable highstate --local + enable_highstate exit $exit_code fi @@ -366,6 +365,12 @@ clone_to_tmp() { fi } +enable_highstate() { + echo "Enabling highstate." + salt-call state.enable highstate -l info --local + echo "" +} + generate_and_clean_tarballs() { local new_version new_version=$(cat $UPDATE_DIR/VERSION) @@ -1079,6 +1084,7 @@ main() { apply_hotfix echo "Hotfix applied" update_version + enable_highstate salt-call state.highstate -l info queue=True else echo "" @@ -1173,9 +1179,7 @@ main() { echo "" fi - echo "Enabling highstate." - salt-call state.enable highstate -l info --local - echo "" + enable_highstate echo "" echo "Running a highstate. This could take several minutes." From b7aff4f4dfe36343fa905d0cfe672b6e032c5cb6 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Mon, 4 Apr 2022 12:28:23 -0400 Subject: [PATCH 08/27] remove influxdb state files --- salt/common/tools/sbin/soup | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 9d8329b03..673d4c1f9 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -497,10 +497,10 @@ stop_salt_master() { set +e echo "" echo "Killing all Salt jobs across the grid." - salt \* saltutil.kill_all_jobs + salt \* saltutil.kill_all_jobs >> $SOUP_LOG 2>&1 echo "" echo "Killing any queued Salt jobs on the manager." - pkill -9 -ef "/usr/bin/python3 /bin/salt" + pkill -9 -ef "/usr/bin/python3 /bin/salt" >> $SOUP_LOG 2>&1 set -e echo "" @@ -1003,6 +1003,7 @@ fix_wazuh() { # Update the repo files so it can actually upgrade upgrade_salt fi + rm -f /opt/so/state/influxdb_continuous_query.py.patched /opt/so/state/influxdbmod.py.patched /opt/so/state/influxdb_retention_policy.py.patched systemctl_func "start" "salt-master" systemctl_func "start" "salt-minion" systemctl_func "start" "$cron_service_name" From f9563b2dc4589bcbcbbc12e44ebd1b10e455133d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 4 Apr 2022 12:57:36 -0400 Subject: [PATCH 09/27] patch influxdb modules --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 673d4c1f9..5e813c2c8 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -1005,6 +1005,7 @@ fix_wazuh() { fi rm -f /opt/so/state/influxdb_continuous_query.py.patched /opt/so/state/influxdbmod.py.patched /opt/so/state/influxdb_retention_policy.py.patched systemctl_func "start" "salt-master" + salt-call state.apply salt.python3-influxdb -l info systemctl_func "start" "salt-minion" systemctl_func "start" "$cron_service_name" From 04370a04ceefbe23fc2cb62d884d4cebbc524886 Mon Sep 17 00:00:00 2001 
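Review bot: The two redirections added in `stop_salt_master()` use `$SOUP_LOG` unquoted; if the variable is empty or its path contains whitespace, bash rejects the redirect as ambiguous and does not run the command, and because this section is under `set +e` the script carries on with the jobs still alive. Quote it in both places: `salt \* saltutil.kill_all_jobs >> "$SOUP_LOG" 2>&1` and `pkill -9 -ef "/usr/bin/python3 /bin/salt" >> "$SOUP_LOG" 2>&1`. The rest of `stop_salt_master()` is outside the hunk.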
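Review bot: The added `salt-call state.apply salt.python3-influxdb -l info` runs immediately after `systemctl_func "start" "salt-master"` and its result is never checked. Without `--local` the call has to reach the master, which may not be accepting connections yet, and the `.patched` marker files were already removed on the line above, so a failed apply could leave the influxdb modules unpatched with no obvious trace. Check the status and log a clear message, for example `salt-call state.apply salt.python3-influxdb -l info || echo "influxdb module patch failed; re-run once salt-master is up"`. The enclosing function starts outside the hunk.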
From: Mike Reeves Date: Mon, 4 Apr 2022 16:06:20 -0400 Subject: [PATCH 10/27] 2.3.110 hotfix 0401 --- VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.3.110-20220404.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.110-20220404.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 300428636..08e02da0f 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.3.110-20220309 ISO image built on 2022/03/09 +### 2.3.110-20220401 ISO image built on 2022/04/04 ### Download and Verify -2.3.110-20220309 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220309.iso +2.3.110-20220401 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220401.iso -MD5: 537564F8B56633E2D46E5E7C4E2BF18A -SHA1: 1E1B42EDB711AC8B5963B3460056770B91AE6BFC -SHA256: 4D73E5BE578DA43DCFD3C1B5F9AF07A7980D8DF90ACDDFEF6CEA177F872EECA0 +MD5: 17625039D4ED23EC217589A1681C4FDA +SHA1: 8244A7BE12F27E71721ADC699950BB27C5C03BF2 +SHA256: 76C135C3FDA8A28C13A142B944BE72E67192AC7C4BC85838230EFF45E8978BD1 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220309.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220401.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220309.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220401.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220309.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220401.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.110-20220309.iso.sig securityonion-2.3.110-20220309.iso +gpg --verify securityonion-2.3.110-20220401.iso.sig securityonion-2.3.110-20220401.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Wed 09 Mar 2022 10:20:47 AM EST using RSA key ID FE507013 +gpg: Signature made Mon 04 Apr 2022 02:08:59 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.3.110-20220404.iso.sig b/sigs/securityonion-2.3.110-20220404.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..bd821595356bc64607342e647f969113028eb4aa GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;DAG&=wa2@re`V7LBIa1+w)5CEJ0nU#eP2}|H9Z~~i% z?IIOFN;8&0C|C@MHDB}Zz)@*6BNN9a)FA%q36hL`=C$0uOEHAz*Llt;{%>Xgf+p9gM2%u+hGyJVY^ z?`aH_EBL2g89zvEkI*;#9$ORHpQ9Q_m3nZqGU(t}9063xmV*@!Z#8yt!6yKaJ2FU# z%GqMUdSA{w8xEmdiIRfZfVQu4*a^Gf)nSL9nWg0QrLEDf2oV#!MBhje(a@D>U;p;# z&cvxs4JjdXN+MCMbJR!twvstN9X4mc`hjXu<(6C#cS7M4!J3s`+# h-{176JTXYmstMrD&!uB^(fcr)*joI30fL^>7Hg7r0>S_Q literal 0 HcmV?d00001 
From e08b13629ae971d446005241a011e0f3d96136d2 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Apr 2022 13:41:26 -0400 Subject: [PATCH 11/27] manage repo conf for ubuntu --- salt/common/tools/sbin/soup | 3 + salt/repo/client/centos.sls | 98 +++++++++++++++++ .../client/files/ubuntu/18.04/saltstack.list | 1 + .../client/files/ubuntu/20.04/saltstack.list | 1 + salt/repo/client/init.sls | 100 +----------------- salt/repo/client/ubuntu.sls | 4 + salt/salt/map.jinja | 2 +- salt/top.sls | 3 +- setup/so-functions | 10 +- 9 files changed, 116 insertions(+), 106 deletions(-) create mode 100644 salt/repo/client/centos.sls create mode 100644 salt/repo/client/files/ubuntu/18.04/saltstack.list create mode 100644 salt/repo/client/files/ubuntu/20.04/saltstack.list create mode 100644 salt/repo/client/ubuntu.sls diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 5e813c2c8..a46938da9 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -934,6 +934,9 @@ update_repo() { yum clean all yum repolist fi + elif [[ "$OS" == "ubuntu" ]]; then + cp $UPDATE_DIR/salt/repo/client/files/ubuntu/$ubuntu_version/* /etc/apt/sources.list.d/ + apt-get update fi } diff --git a/salt/repo/client/centos.sls b/salt/repo/client/centos.sls new file mode 100644 index 000000000..160782267 --- /dev/null +++ b/salt/repo/client/centos.sls 
@@ -0,0 +1,98 @@ +{% from 'repo/client/map.jinja' import ABSENTFILES with context %} +{% from 'repo/client/map.jinja' import REPOPATH with context %} +{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %} +{% set managerupdates = salt['pillar.get']('global:managerupdate', 0) %} +{% set role = grains.id.split('_') | last %} + +# from airgap state +{% if ISAIRGAP and grains.os == 'CentOS' %} +{% set MANAGER = salt['grains.get']('master') %} +airgapyum: + file.managed: + - name: /etc/yum/yum.conf + - source: salt://repo/client/files/centos/airgap/yum.conf + +airgap_repo: + pkgrepo.managed: + - humanname: Airgap Repo + - baseurl: https://{{ MANAGER }}/repo + - gpgcheck: 0 + - sslverify: 0 + +{% endif %} + +# from airgap and common +{% if ABSENTFILES|length > 0%} + {% for file in ABSENTFILES %} +{{ file }}: + file.absent: + - name: {{ REPOPATH }}{{ file }} + - onchanges_in: + - cmd: cleanyum + {% endfor %} +{% endif %} + +# from common state +# Remove default Repos +{% if grains['os'] == 'CentOS' %} +repair_yumdb: + cmd.run: + - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all' + - onlyif: + - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"' + +crsynckeys: + file.recurse: + - name: /etc/pki/rpm_gpg + - source: salt://repo/client/files/centos/keys/ + +{% if not ISAIRGAP %} + {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} +remove_securityonionrepocache: + file.absent: + - name: /etc/yum.repos.d/securityonioncache.repo + {% endif %} + + {% if role not in ['eval', 'standalone', 'import', 'manager', 'managersearch'] and managerupdates == 1 %} +remove_securityonionrepo: + file.absent: + - name: /etc/yum.repos.d/securityonion.repo + {% endif %} + +crsecurityonionrepo: + file.managed: + {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} + - name: /etc/yum.repos.d/securityonion.repo + - source: salt://repo/client/files/centos/securityonion.repo + {% 
else %} + - name: /etc/yum.repos.d/securityonioncache.repo + - source: salt://repo/client/files/centos/securityonioncache.repo + {% endif %} + - mode: 644 + +yumconf: + file.managed: + - name: /etc/yum.conf + - source: salt://repo/client/files/centos/yum.conf.jinja + - mode: 644 + - template: jinja + - show_changes: False + +cleanairgap: + file.absent: + - name: /etc/yum.repos.d/airgap_repo.repo +{% endif %} + +cleanyum: + cmd.run: + - name: 'yum clean metadata' + - onchanges: +{% if ISAIRGAP %} + - file: airgapyum + - pkgrepo: airgap_repo +{% else %} + - file: crsecurityonionrepo + - file: yumconf +{% endif %} + +{% endif %} diff --git a/salt/repo/client/files/ubuntu/18.04/saltstack.list b/salt/repo/client/files/ubuntu/18.04/saltstack.list new file mode 100644 index 000000000..b41f03856 --- /dev/null +++ b/salt/repo/client/files/ubuntu/18.04/saltstack.list @@ -0,0 +1 @@ +deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/18.04/amd64/salt/ bionic main diff --git a/salt/repo/client/files/ubuntu/20.04/saltstack.list b/salt/repo/client/files/ubuntu/20.04/saltstack.list new file mode 100644 index 000000000..bc7236d82 --- /dev/null +++ b/salt/repo/client/files/ubuntu/20.04/saltstack.list @@ -0,0 +1 @@ +deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt/ focal main diff --git a/salt/repo/client/init.sls b/salt/repo/client/init.sls index 160782267..154867caf 100644 --- a/salt/repo/client/init.sls +++ b/salt/repo/client/init.sls 
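Review bot: The `airgap_repo` state carried into the new `centos.sls` sets both `gpgcheck: 0` and `sslverify: 0`, so in airgap mode packages from `https://{{ MANAGER }}/repo` are installed with neither signature nor TLS certificate verification. The `crsynckeys` state a few lines below already distributes keys to the minion, so `gpgcheck: 1` with a `gpgkey` entry looks feasible; if minions cannot validate the manager certificate, a comment saying why `sslverify` is off would help. `crsynckeys` writes to `/etc/pki/rpm_gpg`, whereas the usual directory is `/etc/pki/rpm-gpg`, so it is worth confirming the underscore is intended. The content is moved unchanged from `init.sls`, so this predates the commit.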
@@ -1,98 +1,2 @@ -{% from 'repo/client/map.jinja' import ABSENTFILES with context %} -{% from 'repo/client/map.jinja' import REPOPATH with context %} -{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %} -{% set managerupdates = salt['pillar.get']('global:managerupdate', 0) %} -{% set role = grains.id.split('_') | last %} - -# from airgap state -{% if ISAIRGAP and grains.os == 'CentOS' %} -{% set MANAGER = salt['grains.get']('master') %} -airgapyum: - file.managed: - - name: /etc/yum/yum.conf - - source: salt://repo/client/files/centos/airgap/yum.conf - -airgap_repo: - pkgrepo.managed: - - humanname: Airgap Repo - - baseurl: https://{{ MANAGER }}/repo - - gpgcheck: 0 - - sslverify: 0 - -{% endif %} - -# from airgap and common -{% if ABSENTFILES|length > 0%} - {% for file in ABSENTFILES %} -{{ file }}: - file.absent: - - name: {{ REPOPATH }}{{ file }} - - onchanges_in: - - cmd: cleanyum - {% endfor %} -{% endif %} - -# from common state -# Remove default Repos -{% if grains['os'] == 'CentOS' %} -repair_yumdb: - cmd.run: - - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all' - - onlyif: - - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"' - -crsynckeys: - file.recurse: - - name: /etc/pki/rpm_gpg - - source: salt://repo/client/files/centos/keys/ - -{% if not ISAIRGAP %} - {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} -remove_securityonionrepocache: - file.absent: - - name: /etc/yum.repos.d/securityonioncache.repo - {% endif %} - - {% if role not in ['eval', 'standalone', 'import', 'manager', 'managersearch'] and managerupdates == 1 %} -remove_securityonionrepo: - file.absent: - - name: /etc/yum.repos.d/securityonion.repo - {% endif %} - -crsecurityonionrepo: - file.managed: - {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} - - name: /etc/yum.repos.d/securityonion.repo - - source: salt://repo/client/files/centos/securityonion.repo - {% 
else %} - - name: /etc/yum.repos.d/securityonioncache.repo - - source: salt://repo/client/files/centos/securityonioncache.repo - {% endif %} - - mode: 644 - -yumconf: - file.managed: - - name: /etc/yum.conf - - source: salt://repo/client/files/centos/yum.conf.jinja - - mode: 644 - - template: jinja - - show_changes: False - -cleanairgap: - file.absent: - - name: /etc/yum.repos.d/airgap_repo.repo -{% endif %} - -cleanyum: - cmd.run: - - name: 'yum clean metadata' - - onchanges: -{% if ISAIRGAP %} - - file: airgapyum - - pkgrepo: airgap_repo -{% else %} - - file: crsecurityonionrepo - - file: yumconf -{% endif %} - -{% endif %} +include: + - repo.client.{{grains.os | lower}} diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls new file mode 100644 index 000000000..449b4ae14 --- /dev/null +++ b/salt/repo/client/ubuntu.sls @@ -0,0 +1,4 @@ +ubuntu_repo_files: + - file.recurse: + - name: /etc/apt/sources.list.d/ + - source: salt://repo/client/files/ubuntu/{{grains.osrelease}}/ diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index b66ec23eb..eb9f5ae89 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja @@ -29,7 +29,7 @@ {% if grains.os|lower in ['centos', 'redhat'] %} {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -s 120 -r -F -x python3 stable ' ~ SALTVERSION %} {% elif grains.os|lower == 'ubuntu' %} - {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -s 120 -F -x python3 stable ' ~ SALTVERSION %} + {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -s 120 -r -F -x python3 stable ' ~ SALTVERSION %} {% endif %} {% else %} {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %} diff --git a/salt/top.sls b/salt/top.sls index 67d717d3b..c20bf33b7 100644 --- a/salt/top.sls +++ b/salt/top.sls 
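Review bot: `- repo.client.{{grains.os | lower}}` resolves to an SLS that exists only for `centos` and `ubuntu` in this commit, and the `top.sls` hunk now assigns `repo.client` to `'*'`. A minion reporting any other `os` grain (the `map.jinja` hunk in this same patch handles `redhat`) would presumably fail to resolve the include, which fails its whole highstate. Guard the include, for example with `{% if grains.os | lower in ['centos', 'ubuntu'] %}` around it, or add the missing SLS files.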
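Review bot: In the new `ubuntu.sls` the state function is written as a list item, `- file.recurse:`, directly under the ID, whereas every state in `centos.sls` uses the mapping form (`file.managed:` with no leading dash). Salt expects the ID to map to a dictionary, so this form is likely rejected when the SLS is compiled on Ubuntu minions; PATCH 14/27 rewrites the state but keeps the dash in `- file.managed:`. Drop the dash in both: `file.recurse:` here and `file.managed:` in the later revision. Indentation is not recoverable from this page, so confirm against the file itself.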
@@ -21,16 +21,15 @@ base: '*': - cron.running + - repo.client 'not G@saltversion:{{saltversion}}': - match: compound - salt.minion-state-apply-test - - repo.client - salt.minion 'G@os:CentOS and G@saltversion:{{saltversion}}': - match: compound - - repo.client - yum.packages '* and G@saltversion:{{saltversion}}': diff --git a/setup/so-functions b/setup/so-functions index 0047fe4a2..9d09e78a0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2277,7 +2277,7 @@ saltify() { # Download Ubuntu Keys in case manager updates = 1 logCmd "mkdir -vp /opt/so/gpg" if [[ ! $is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" fi 
@@ -2334,8 +2334,8 @@ saltify() { 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR') # Add saltstack repo(s) - wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + wget -q --inet4-only -O - https://repo.securityonion.net/file/securityonion-repo/ubuntu/"$ubuntu_version"/amd64/salt/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 + echo "https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 @@ -2343,7 +2343,7 @@ saltify() { # Get gpg keys mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/"$ubuntu_version"/amd64/salt/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 
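Review bot: The Salt signing key is now downloaded from `repo.securityonion.net`, the same host that serves the packages, and piped straight into `apt-key add -` with no fingerprint check; the `@@ -2277` and `@@ -2343` hunks save the same key under `/opt/so/gpg` the same way. A compromise of that one host would therefore cover the key and the packages together, and `apt-key add` trusts the key for every configured APT source rather than only this one. Compare the downloaded key's fingerprint with a value shipped in the installer before importing it, and scope the key to this repository with a `[signed-by=...]` option on the `deb` line. `saltify()` starts and ends outside these hunks.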
@@ -2367,7 +2367,7 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" ;; esac From 020871ef61aacc94158841c5c96fe5149a0d82b0 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Apr 2022 13:49:28 -0400 Subject: [PATCH 12/27] update hotfix version --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index 6711b0853..e4a42e6ac 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -04012022 +04012022 04052022 From b467cde9ad4ae0cdb69103f6291c4ae5d453686b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Apr 2022 14:42:36 -0400 Subject: [PATCH 13/27] add deb to saltstack.list --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 9d09e78a0..2c3d2a649 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -2335,7 +2335,7 @@ saltify() { # Add saltstack repo(s) wget -q --inet4-only -O - https://repo.securityonion.net/file/securityonion-repo/ubuntu/"$ubuntu_version"/amd64/salt/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 From 1248ba892400369d5092cb1b3441b124b8cb9e79 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Apr 2022 15:40:39 -0400 Subject: [PATCH 14/27] update update_repo function --- salt/common/tools/sbin/soup | 15 +++++++++++++-- .../repo/client/files/ubuntu/18.04/saltstack.list | 1 - .../repo/client/files/ubuntu/20.04/saltstack.list | 1 - salt/repo/client/ubuntu.sls | 9 +++++---- 4 files changed, 18 insertions(+), 8 deletions(-) delete mode 100644 salt/repo/client/files/ubuntu/18.04/saltstack.list delete mode 100644 salt/repo/client/files/ubuntu/20.04/saltstack.list diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index a46938da9..b64a778ea 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -935,8 +935,19 @@ update_repo() { yum repolist fi elif [[ "$OS" == "ubuntu" ]]; then - cp $UPDATE_DIR/salt/repo/client/files/ubuntu/$ubuntu_version/* /etc/apt/sources.list.d/ - apt-get update + ubuntu_version=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}') + + if grep -q "UBUNTU_CODENAME=bionic" /etc/os-release; then + OSVER=bionic + elif grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then + OSVER=focal + else + echo "We do not support your current version of Ubuntu." + exit 1 + fi + + echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list + apt-get update fi } diff --git a/salt/repo/client/files/ubuntu/18.04/saltstack.list b/salt/repo/client/files/ubuntu/18.04/saltstack.list deleted file mode 100644 index b41f03856..000000000 --- a/salt/repo/client/files/ubuntu/18.04/saltstack.list +++ /dev/null @@ -1 +0,0 @@ -deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/18.04/amd64/salt/ bionic main diff --git a/salt/repo/client/files/ubuntu/20.04/saltstack.list b/salt/repo/client/files/ubuntu/20.04/saltstack.list deleted file mode 100644 index bc7236d82..000000000 --- a/salt/repo/client/files/ubuntu/20.04/saltstack.list +++ /dev/null @@ -1 +0,0 @@ -deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt/ focal main diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls index 449b4ae14..a7b7a90af 100644 --- a/salt/repo/client/ubuntu.sls +++ b/salt/repo/client/ubuntu.sls @@ -1,4 +1,5 @@ -ubuntu_repo_files: - - file.recurse: - - name: /etc/apt/sources.list.d/ - - source: salt://repo/client/files/ubuntu/{{grains.osrelease}}/ +saltstack.list: + - file.managed: + - name: /etc/apt/sources.list.d/saltstack.list + - contents: + - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt/ {{grains.oscodename}} main From 89518b59397e50924f5aff70d5bdf0ee7c579bff Mon Sep 17 00:00:00 2001 
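Review bot: In the Ubuntu branch of `update_repo()` the codename is validated (bionic, focal, or exit) but `ubuntu_version` is taken straight from the `grep VERSION_ID … | awk` pipeline and written into the sources line unchecked, so an empty or unexpected value yields a `saltstack.list` that points at a path that does not exist. Setting both values in the branch that already did the validation removes the parse, e.g. `OSVER=bionic; ubuntu_version=18.04` and `OSVER=focal; ubuntu_version=20.04`, which is the pairing the two deleted `saltstack.list` files in this commit used. The result of the `echo` redirect and of `apt-get update` is not checked either; whether `set -e` covers them depends on code outside the hunk.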
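Review bot: The new `saltstack.list` state in `ubuntu.sls` sets only `name` and `contents`, so the owner and mode of a file that decides where packages are installed from are left to whatever is already on disk. Pinning them in the state makes a loosened permission get corrected on the next run: `- user: root`, `- group: root`, `- mode: 644`. The old `file.recurse` also managed the whole `sources.list.d` directory from the master, whereas this state manages one file, so any other source file placed there earlier stays unmanaged; a comment saying that is intended would help.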
From: m0duspwnens Date: Tue, 5 Apr 2022 15:44:06 -0400 Subject: [PATCH 15/27] proper salt format --- salt/repo/client/ubuntu.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls index a7b7a90af..efc06b24a 100644 --- a/salt/repo/client/ubuntu.sls +++ b/salt/repo/client/ubuntu.sls @@ -1,5 +1,5 @@ saltstack.list: - - file.managed: - - name: /etc/apt/sources.list.d/saltstack.list - - contents: - - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt/ {{grains.oscodename}} main + file.managed: + - name: /etc/apt/sources.list.d/saltstack.list + - contents: + - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt/ {{grains.oscodename}} main From 89c7f5b356512bac2cb8d77eb10a4c3b1e7dbbb4 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Apr 2022 17:28:47 -0400 Subject: [PATCH 16/27] point to so repo --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index b64a778ea..99074c6d4 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -946,7 +946,7 @@ update_repo() { exit 1 fi - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list + echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt $OSVER main" > /etc/apt/sources.list.d/saltstack.list apt-get update fi } From cf68aeb36e4223cbe3f30583807892ab567be70d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Apr 2022 17:35:03 -0400 Subject: [PATCH 17/27] use -r for bootstrap-salt for ubuntu --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 99074c6d4..8a6132898 100755 
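Review bot: The line written by `update_repo()` in the `@@ -946,7` hunk ends the URL with `…/amd64/salt $OSVER main`, while the `saltstack.list` state in `ubuntu.sls` (same series) and the `saltify()` hunks write `…/amd64/salt/ $OSVER main` with a trailing slash. Because `file.managed` compares content, the first state run after soup will see a difference and rewrite the file even though the repository is the same, which makes real changes to this file harder to spot in state output. Writing the identical string here avoids that: `echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list`.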
--- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -885,7 +885,7 @@ upgrade_salt() { echo "" set +e run_check_net_err \ - "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M -x python3 stable \"$NEWSALTVERSION\"" \ + "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M -x python3 stable \"$NEWSALTVERSION\"" \ "Could not update salt, please check $SOUP_LOG for details." set -e echo "Applying apt hold for Salt." From 79175b57fa2d3add592c58235fed3594bbaf727c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 5 Apr 2022 19:15:20 -0400 Subject: [PATCH 18/27] 2.3.110 hotfix 0405 --- VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.3.110-20220405.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.110-20220405.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 08e02da0f..13999abee 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md 
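Review bot: With `-r` added, `bootstrap-salt.sh` no longer configures a repository itself, so this call in `upgrade_salt()` now depends on `saltstack.list` already pointing at a repository that carries `$NEWSALTVERSION`, and nothing in the hunk records or checks that. A comment above the call would keep the dependency visible, for example `# -r: bootstrap-salt must not write its own apt source; update_repo has to have written saltstack.list first`. Whether `update_repo()` always runs before `upgrade_salt()` cannot be seen here, since the function body and its callers are outside the hunk, so a guard such as `[[ -s /etc/apt/sources.list.d/saltstack.list ]]` on the Ubuntu path may be worth adding.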
@@ -1,18 +1,18 @@ -### 2.3.110-20220401 ISO image built on 2022/04/04 +### 2.3.110-20220405 ISO image built on 2022/04/05 ### Download and Verify -2.3.110-20220401 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220401.iso +2.3.110-20220405 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220405.iso -MD5: 17625039D4ED23EC217589A1681C4FDA -SHA1: 8244A7BE12F27E71721ADC699950BB27C5C03BF2 -SHA256: 76C135C3FDA8A28C13A142B944BE72E67192AC7C4BC85838230EFF45E8978BD1 +MD5: 9CE982FE45DC2957A3A6D376E6DCC048 +SHA1: 10E3FF28A69F9617D4CCD2F5061AA2DC062B8F94 +SHA256: 0C178A422ABF7B61C08728E32CE20A9F9C1EC65807EB67D06F1C23F7D1EA51A7 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220401.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220405.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220401.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220405.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220401.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220405.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.110-20220401.iso.sig securityonion-2.3.110-20220401.iso +gpg --verify securityonion-2.3.110-20220405.iso.sig securityonion-2.3.110-20220405.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 04 Apr 2022 02:08:59 PM EDT using RSA key ID FE507013 +gpg: Signature made Tue 05 Apr 2022 06:37:40 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.3.110-20220405.iso.sig b/sigs/securityonion-2.3.110-20220405.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..bc4648f170e208b09d018af200ca617a16cce98d GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;DB#Iyhk2@re`V7LBIa1#Rj5CD~~Z->xQCzGa%Q&QYU zG@wSy)a|Rp*fF%|6wbDlkN7BwzP}X6&p6WG32IZ(`sdfDG)%EMk=(8{1p1S7fM$oD z#csC--TYuGG^&h7X69T!*u$Sq#`%>*g%2z%Wo-&8p;nTynq*db-#2?LBH=nV4*8|5 z^w^u5WThDSLA>A@94bp9RD{L~UL;j# znTjw^wlmVW=PEE9L*~-?3u!s6b#Wvh_da`tPb7<{=~(+gqWOnB85FWG=S60P&Y9zY zP#+9VGW`ffhwcTMH`mnK2EQKP;>3~3X?oW2F0Wh=fxcAZJP_7;3pivo(jNMsOHo{i zF_B03Z*0&|OfJtrWt7bg>#l@8#S8MdqSjMCPzCfu)Y z`@vX5KHW8?3Zy;n^j;aB6bvvAQ#8d2SYUP`J2@EuA_)ID96T}I3}P;QH`$zukcxx Date: Wed, 6 Apr 2022 16:53:55 -0400 Subject: [PATCH 19/27] update the centos repo for airgap prior to applying hotfix or standard soup run --- salt/common/tools/sbin/soup | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 8a6132898..f1b23b3bd 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -1094,6 +1094,12 @@ main() { upgrade_check_salt set -e + if [[ $is_airgap -eq 0 ]]; then + update_centos_repo + yum clean all + check_os_updates + fi + if [ "$is_hotfix" == "true" ]; then echo "Applying $HOTFIXVERSION hotfix" copy_new_files @@ -1115,9 +1121,6 @@ main() { echo "Updating dockers to $NEWVERSION." if [[ $is_airgap -eq 0 ]]; then airgap_update_dockers - update_centos_repo - yum clean all - check_os_updates # if not airgap but -f was used elif [[ ! -z "$ISOLOC" ]]; then airgap_update_dockers From 08ac696f143196366bb04312a2c076e03d67a444 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 6 Apr 2022 17:38:06 -0400 Subject: [PATCH 20/27] remove saltstack repo created by bootstrap-salt for ubuntu --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) 
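Review bot: `[[ $is_airgap -eq 0 ]]` in the block added to `main()` is also true when `is_airgap` is unset or empty, because bash evaluates an empty `-eq` operand as 0, and after this move the block runs on every soup invocation, the hotfix path included. If soup leaves the variable unset on non-airgap installs (its assignment is outside the hunk), `update_centos_repo` and `yum clean all` would run there as well, right after the `set -e` context line. Testing for a value first closes that gap: `if [[ -n "$is_airgap" && "$is_airgap" -eq 0 ]]; then`. A one-line comment that 0 means airgap would also help, since `so-functions` tests the same name with `[[ ! $is_airgap ]]`.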
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index f1b23b3bd..7181b1b9e 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -946,6 +946,7 @@ update_repo() { exit 1 fi + rm -f /etc/apt/sources.list.d/salt.list echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt $OSVER main" > /etc/apt/sources.list.d/saltstack.list apt-get update fi From be3769fd7c1cc1a754c542537d08bf59830ea837 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 7 Apr 2022 08:53:44 -0400 Subject: [PATCH 21/27] run apt-get update if saltstack.list changes --- salt/repo/client/ubuntu.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls index efc06b24a..63980c90e 100644 --- a/salt/repo/client/ubuntu.sls +++ b/salt/repo/client/ubuntu.sls @@ -3,3 +3,8 @@ saltstack.list: - name: /etc/apt/sources.list.d/saltstack.list - contents: - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt/ {{grains.oscodename}} main + +apt_update: + cmd.run: + - name: apt-get update + - onchanges: saltstack.list From b2a98af18b6a32023e0d59bcc6a74e39c4fbbc99 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 7 Apr 2022 08:55:30 -0400 Subject: [PATCH 22/27] proper formatting --- salt/repo/client/ubuntu.sls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls index 63980c90e..9f8a3e4ec 100644 --- a/salt/repo/client/ubuntu.sls +++ b/salt/repo/client/ubuntu.sls @@ -7,4 +7,5 @@ saltstack.list: apt_update: cmd.run: - name: apt-get update - - onchanges: saltstack.list + - onchanges: + - file: saltstack.list From 722b200e16d172200e79962f9e10c07b0e10032f Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Thu, 7 Apr 2022 08:58:07 -0400 Subject: [PATCH 23/27] add retry to apt_update incase running in background --- salt/repo/client/ubuntu.sls | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls index 9f8a3e4ec..1d61a1007 100644 --- a/salt/repo/client/ubuntu.sls +++ b/salt/repo/client/ubuntu.sls @@ -9,3 +9,7 @@ apt_update: - name: apt-get update - onchanges: - file: saltstack.list + - timeout: 30 + - retry: + attempts: 5 + interval: 30 From 8fbd16f75d580c642da64e4d531116a408cb793a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 7 Apr 2022 09:03:51 -0400 Subject: [PATCH 24/27] ensure salt.list is absent --- salt/repo/client/ubuntu.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls index 1d61a1007..301bdabae 100644 --- a/salt/repo/client/ubuntu.sls +++ b/salt/repo/client/ubuntu.sls @@ -1,3 +1,8 @@ +# this removes the repo file left by bootstrap-salt.sh without -r +remove_salt.list: + file.absent: + - name: /etc/apt/sources.list.d/salt.list + saltstack.list: file.managed: - name: /etc/apt/sources.list.d/saltstack.list From 93e04850c445f153b5ce3950fe4bfcfa8594881e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 7 Apr 2022 14:40:54 -0400 Subject: [PATCH 25/27] Update HOTFIX --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index e4a42e6ac..644f9e9ee 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -04012022 04052022 +04012022 04052022 04072022 From 6a28e752f0b658d56b9b489c3d0df4a321080a64 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 7 Apr 2022 16:03:13 -0400 Subject: [PATCH 26/27] 2.3.110 hotfix 0407 --- VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.3.110-20220407.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.110-20220407.iso.sig 
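Review bot: `apt_update` runs only through `onchanges` on `saltstack.list`, so if all five attempts fail or hit the 30-second `timeout` added here, the next state run sees an unchanged file and does not try again, leaving the apt index built from the previous sources. Thirty seconds is also short for an `apt-get update` that contacts every configured repository, which makes that outcome more likely on slow links. A longer limit, e.g. `- timeout: 120` (constructed value), and a comment noting that a failed run needs a manual `apt-get update` would make the behaviour explicit.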
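Review bot: The new `remove_salt.list` state is not listed in the `onchanges` of `apt_update`, so when `salt.list` is deleted but `saltstack.list` is already correct, no `apt-get update` runs and apt keeps the package index it fetched from the removed source. Until the next refresh, packages from that source remain installable from the cached lists, which undercuts the point of removing the file. Adding `- file: remove_salt.list` beneath the existing `- file: saltstack.list` requisite would refresh the index in that case; the `apt_update` state itself lies below this hunk's context.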
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 13999abee..c8e0158f9 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.3.110-20220405 ISO image built on 2022/04/05 +### 2.3.110-20220407 ISO image built on 2022/04/07 ### Download and Verify -2.3.110-20220405 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220405.iso +2.3.110-20220407 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220407.iso -MD5: 9CE982FE45DC2957A3A6D376E6DCC048 -SHA1: 10E3FF28A69F9617D4CCD2F5061AA2DC062B8F94 -SHA256: 0C178A422ABF7B61C08728E32CE20A9F9C1EC65807EB67D06F1C23F7D1EA51A7 +MD5: 928D589709731EFE9942CA134A6F4C6B +SHA1: CA588A684586CC0D5BDE5E0E41C935FFB939B6C7 +SHA256: CBF8743838AF2C7323E629FB6B28D5DD00AE6658B0E29E4D0916411D2D526BD2 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220405.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220407.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220405.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220407.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220405.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220407.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.110-20220405.iso.sig securityonion-2.3.110-20220405.iso +gpg --verify securityonion-2.3.110-20220407.iso.sig securityonion-2.3.110-20220407.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Tue 05 Apr 2022 06:37:40 PM EDT using RSA key ID FE507013 +gpg: Signature made Thu 07 Apr 2022 03:30:03 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.3.110-20220407.iso.sig b/sigs/securityonion-2.3.110-20220407.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..2ea694428e65f9c571dea027b6398028cafd3da3 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;DEJG%f12@re`V7LBIa1&?<5C2>F$KwVTPphWkRG5e^ zkI4UDI?PgP49EDJeSx(r*qp(EDAKKyO}+20qN9N5NS6MNqwu#M`oigDwVj|MdRsED z?mRwt{^!1<&}n|V75vS0@{^+aR(lf?JOMPP#QI&50uw4Z8U}+G{QRBd9O-_jk*9`~ zgzJTNdPx+apX6VbdV+(ecGf!_6!8{(_rHI3yy)w>>ATpwi0F477~;uvLLjTm_R&mZ zl@HGUc8gBO<44 Date: Fri, 8 Apr 2022 10:23:44 -0400 Subject: [PATCH 27/27] Clearing hotfix --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/HOTFIX b/HOTFIX
index 644f9e9ee..d3f5a12fa 100644
--- a/HOTFIX
+++ b/HOTFIX
@@ -1 +1 @@
-04012022 04052022 04072022
+