CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-16 22:12:48 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9988 from Security-Onion-Solutions/repofun

Browse Source 
Add Repo Sync
This commit is contained in:
Mike Reeves
2023-03-23 12:49:06 -04:00
committed by GitHub
parent c64987e756 3b671efa8e
commit 886bcda38c
6 changed files with 92 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
salt/common/tools/sbin/so-common
View File

@@ -8,10 +8,12 @@
DEFAULT_SALT_DIR=/opt/so/saltstack/default DEFAULT_SALT_DIR=/opt/so/saltstack/default
DOC_BASE_URL="https://docs.securityonion.net/en/2.4" DOC_BASE_URL="https://docs.securityonion.net/en/2.4"
# Check for prerequisites if [ -z $NOROOT ]; then
if [ "$(id -u)" -ne 0 ]; then # Check for prerequisites
echo "This script must be run using sudo!" if [ "$(id -u)" -ne 0 ]; then
exit 1 echo "This script must be run using sudo!"
exit 1
fi
fi fi
# Define a banner to separate sections # Define a banner to separate sections

5
salt/manager/defaults.yaml Normal file
View File

@@ -0,0 +1,5 @@
manager:
reposync:
enabled: True
hour: 3
minute: 0

4
salt/common/tools/sbin/so-repo-sync → salt/manager/files/so-repo-sync
View File

@@ -4,7 +4,7 @@
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
NOROOT=1
. /usr/sbin/so-common . /usr/sbin/so-common
set_version set_version
@@ -12,5 +12,5 @@ set_os
salt_minion_count salt_minion_count
curl --retry 5 --retry-delay 60 -A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT' https://sigs.securityonion.net/checkup --output /tmp/checkup curl --retry 5 --retry-delay 60 -A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT' https://sigs.securityonion.net/checkup --output /tmp/checkup
dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/ dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/
createrepo /nsm/repo createrepo /nsm/repo

48
salt/manager/init.sls
View File

@@ -7,6 +7,8 @@
{% if sls in allowed_states %} {% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'strelka/map.jinja' import STRELKAMERGED %} {% from 'strelka/map.jinja' import STRELKAMERGED %}
{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %}
{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=true) %}
include: include:
- salt.minion - salt.minion
@@ -14,6 +16,52 @@ include:
- manager.sync_es_users - manager.sync_es_users
- manager.elasticsearch - manager.elasticsearch
repo_log_dir:
file.directory:
- name: /opt/so/log/reposync
- user: socore
- group: socore
- recurse:
- user
- group
repo_conf_dir:
file.directory:
- name: /opt/so/conf/reposync
- user: socore
- group: socore
- recurse:
- user
- group
repo_dir:
file.directory:
- name: /nsm/repo
- user: socore
- group: socore
- recurse:
- user
- group
repo_sync_script:
file.managed:
- name: /usr/sbin/so-repo-sync
- source: salt://manager/files/so-repo-sync
- user: root
- group: root
- mode: 755
reposync_cron:
{% if MANAGERMERGED.reposync.enabled %}
cron.present:
{% else %}
cron.absent:
{% endif %}
- user: socore
- name: '/usr/sbin/so-repo-sync >> /opt/so/log/reposync/reposync.log 2>&1'
- hour: '{{ MANAGERMERGED.reposync.hour }}'
- minute: '{{ MANAGERMERGED.reposync.minute }}'
socore_own_saltstack: socore_own_saltstack:
file.directory: file.directory:
- name: /opt/so/saltstack - name: /opt/so/saltstack

13
salt/manager/soc_manager.yaml
View File

@@ -1,4 +1,17 @@
manager: manager:
reposync:
enabled:
description: This is the daily task of syncing the Security Onion OS packages. It is recommended that you leave this enabled.
global: True
helpLink: manager.html
hour:
description: The hour of the day in which the repo sync takes place.
global: True
helpLink: manager.html
minute:
description: The minute within the hour to run the repo sync.
global: True
helpLink: manager.html
elastalert: elastalert:
description: Enable elastalert 1=enabled 0=disabled. description: Enable elastalert 1=enabled 0=disabled.
global: True global: True

36
setup/so-functions
View File

@@ -1967,28 +1967,28 @@ repo_sync_local() {
# Check for reposync # Check for reposync
info "Backing up old repos" info "Backing up old repos"
mkdir -p /nsm/repo mkdir -p /nsm/repo
mkdir -p /root/reposync_cache mkdir -p /opt/so/conf/reposync/cache
echo "[main]" > /root/repodownload.conf echo "[main]" > /opt/so/conf/reposync/repodownload.conf
echo "gpgcheck=1" >> /root/repodownload.conf echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
echo "installonly_limit=3" >> /root/repodownload.conf echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf
echo "clean_requirements_on_remove=True" >> /root/repodownload.conf echo "clean_requirements_on_remove=True" >> /opt/so/conf/reposync/repodownload.conf
echo "best=True" >> /root/repodownload.conf echo "best=True" >> /opt/so/conf/reposync/repodownload.conf
echo "skip_if_unavailable=False" >> /root/repodownload.conf echo "skip_if_unavailable=False" >> /opt/so/conf/reposync/repodownload.conf
echo "cachedir=/root/reposync_cache" >> /root/repodownload.conf echo "cachedir=/opt/so/conf/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf
echo "keepcache=0" >> /root/repodownload.conf echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf
echo "[securityonionsync]" >> /root/repodownload.conf echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf
echo "name=Security Onion Repo repo" >> /root/repodownload.conf echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf
echo "baseurl=https://repo.securityonion.net/file/securityonion-repo/2.4/" >> /root/repodownload.conf echo "baseurl=https://repo.securityonion.net/file/securityonion-repo/2.4/" >> /opt/so/conf/reposync/repodownload.conf
echo "enabled=1" >> /root/repodownload.conf echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf
echo "gpgcheck=1" >> /root/repodownload.conf echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /opt/so/conf/reposync/repodownload.conf
logCmd "dnf repolist" logCmd "dnf repolist"
# Make sure we can get to the sig repo # Make sure we can get to the sig repo
logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup" logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/install"
logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
# Run it again and make sure we got allt he things # Run it again and make sure we got allt he things
logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
# After the download is complete run createrepo # After the download is complete run createrepo
create_repo create_repo