From 9a59ceee4e32a477e9096222415dcecc342c642d Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 10 Nov 2020 12:16:54 -0500
Subject: [PATCH] move to so-image-common
---
 salt/common/tools/sbin/so-common | 112 --------------------
 salt/common/tools/sbin/so-docker-refresh | 1 +
 salt/common/tools/sbin/so-image-common | 128 +++++++++++++++++++++++
 salt/common/tools/sbin/soup | 1 +
 4 files changed, 130 insertions(+), 112 deletions(-)
 create mode 100755 salt/common/tools/sbin/so-image-common
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 93b13ec44..cbc0bd4e5 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -51,115 +51,3 @@ check_password() {
 echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1
 return $?
 }
-
-container_list() {
- MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
- if [ $MANAGERCHECK == 'so-import' ]; then
- TRUSTED_CONTAINERS=( \
- "so-idstools" \
- "so-nginx" \
- "so-filebeat" \
- "so-suricata" \
- "so-soc" \
- "so-elasticsearch" \
- "so-kibana" \
- "so-kratos" \
- "so-suricata" \
- "so-registry" \
- "so-pcaptools" \
- "so-zeek" )
- elif [ $MANAGERCHECK != 'so-helix' ]; then
- TRUSTED_CONTAINERS=( \
- "so-acng" \
- "so-thehive-cortex" \
- "so-curator" \
- "so-domainstats" \
- "so-elastalert" \
- "so-elasticsearch" \
- "so-filebeat" \
- "so-fleet" \
- "so-fleet-launcher" \
- "so-freqserver" \
- "so-grafana" \
- "so-idstools" \
- "so-influxdb" \
- "so-kibana" \
- "so-kratos" \
- "so-logstash" \
- "so-minio" \
- "so-mysql" \
- "so-nginx" \
- "so-pcaptools" \
- "so-playbook" \
- "so-redis" \
- "so-soc" \
- "so-soctopus" \
- "so-steno" \
- "so-strelka-frontend" \
- "so-strelka-manager" \
- "so-strelka-backend" \
- "so-strelka-filestream" \
- "so-suricata" \
- "so-telegraf" \
- "so-thehive" \
- "so-thehive-es" \
- "so-wazuh" \
- "so-zeek" )
- else
- TRUSTED_CONTAINERS=( \
- "so-filebeat" \
- "so-idstools" \
- "so-logstash" \
- "so-nginx" \
- "so-redis" \
- "so-steno" \
- "so-suricata" \
- "so-telegraf" \
- "so-zeek" )
- fi
-}
-
-update_docker_containers() {
- # Let's make sure we have the public key
- curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import -
-
- CONTAINER_REGISTRY=quay.io
- SIGNPATH=/root/sosigs
- rm -rf $SIGNPATH
- mkdir -p $SIGNPATH
- if [ -z "$BRANCH" ]; then
- BRANCH="master"
- fi
- # Download the containers from the interwebs
- for i in "${TRUSTED_CONTAINERS[@]}"
- do
- # Pull down the trusted docker image
- echo "Downloading $i"
- docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i
-
- # Get signature
- curl https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/$BRANCH/sigs/images/$i.gpg --output $SIGNPATH/$i.gpg
- if [[ $? -ne 0 ]]; then
- echo "Unable to pull signature file for $i"
- exit 1
- fi
- # Dump our hash values
- docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i | jq '.[0].Created, .[0].Id, .[0].Size, .[0].RootFS.Layers' > $SIGNPATH/$i.txt
- if [[ $? -ne 0 ]]; then
- echo "Unable to inspect $i"
- exit 1
- fi
- GPGTEST=$(gpg --verify $SIGNPATH/$i.gpg $SIGNPATH/$i.txt 2>&1)
- if [[ $? -eq 0 ]]; then
- # Tag it with the new registry destination
- docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i
- docker push $HOSTNAME:5000/$IMAGEREPO/$i
- else
- echo "There is a problem downloading the $i image. Details: "
- echo ""
- echo $GPGTEST
- exit 1
- fi
- done
-
-}
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-docker-refresh b/salt/common/tools/sbin/so-docker-refresh
index 37908fffc..b39513990 100755
--- a/salt/common/tools/sbin/so-docker-refresh
+++ b/salt/common/tools/sbin/so-docker-refresh
@@ -16,6 +16,7 @@
 # along with this program. If not, see .
 . /usr/sbin/so-common
+. /usr/sbin/so-image-common
 manager_check() {
 # Check to see if this is a manager
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
new file mode 100755
index 000000000..a739ec889
--- /dev/null
+++ b/salt/common/tools/sbin/so-image-common
@@ -0,0 +1,128 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+container_list() {
+ MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
+ if [ $MANAGERCHECK == 'so-import' ]; then
+ TRUSTED_CONTAINERS=( \
+ "so-idstools" \
+ "so-nginx" \
+ "so-filebeat" \
+ "so-suricata" \
+ "so-soc" \
+ "so-elasticsearch" \
+ "so-kibana" \
+ "so-kratos" \
+ "so-suricata" \
+ "so-registry" \
+ "so-pcaptools" \
+ "so-zeek" )
+ elif [ $MANAGERCHECK != 'so-helix' ]; then
+ TRUSTED_CONTAINERS=( \
+ "so-acng" \
+ "so-thehive-cortex" \
+ "so-curator" \
+ "so-domainstats" \
+ "so-elastalert" \
+ "so-elasticsearch" \
+ "so-filebeat" \
+ "so-fleet" \
+ "so-fleet-launcher" \
+ "so-freqserver" \
+ "so-grafana" \
+ "so-idstools" \
+ "so-influxdb" \
+ "so-kibana" \
+ "so-kratos" \
+ "so-logstash" \
+ "so-minio" \
+ "so-mysql" \
+ "so-nginx" \
+ "so-pcaptools" \
+ "so-playbook" \
+ "so-redis" \
+ "so-soc" \
+ "so-soctopus" \
+ "so-steno" \
+ "so-strelka-frontend" \
+ "so-strelka-manager" \
+ "so-strelka-backend" \
+ "so-strelka-filestream" \
+ "so-suricata" \
+ "so-telegraf" \
+ "so-thehive" \
+ "so-thehive-es" \
+ "so-wazuh" \
+ "so-zeek" )
+ else
+ TRUSTED_CONTAINERS=( \
+ "so-filebeat" \
+ "so-idstools" \
+ "so-logstash" \
+ "so-nginx" \
+ "so-redis" \
+ "so-steno" \
+ "so-suricata" \
+ "so-telegraf" \
+ "so-zeek" )
+ fi
+}
+
+update_docker_containers() {
+ # Let's make sure we have the public key
+ curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import -
+
+ CONTAINER_REGISTRY=quay.io
+ SIGNPATH=/root/sosigs
+ rm -rf $SIGNPATH
+ mkdir -p $SIGNPATH
+ if [ -z "$BRANCH" ]; then
+ BRANCH="master"
+ fi
+ # Download the containers from the interwebs
+ for i in "${TRUSTED_CONTAINERS[@]}"
+ do
+ # Pull down the trusted docker image
+ echo "Downloading $i"
+ docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i
+
+ # Get signature
+ curl https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/$BRANCH/sigs/images/$i.gpg --output $SIGNPATH/$i.gpg
+ if [[ $? -ne 0 ]]; then
+ echo "Unable to pull signature file for $i"
+ exit 1
+ fi
+ # Dump our hash values
+ docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i | jq '.[0].Created, .[0].Id, .[0].Size, .[0].RootFS.Layers' > $SIGNPATH/$i.txt
+ if [[ $? -ne 0 ]]; then
+ echo "Unable to inspect $i"
+ exit 1
+ fi
+ GPGTEST=$(gpg --verify $SIGNPATH/$i.gpg $SIGNPATH/$i.txt 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Tag it with the new registry destination
+ docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i
+ docker push $HOSTNAME:5000/$IMAGEREPO/$i
+ else
+ echo "There is a problem downloading the $i image. Details: "
+ echo ""
+ echo $GPGTEST
+ exit 1
+ fi
+ done
+
+}
\ No newline at end of file
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index ab90653d1..538ac1c56 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -16,6 +16,7 @@
 # along with this program. If not, see .
 . /usr/sbin/so-common
+. /usr/sbin/so-image-common
 UPDATE_DIR=/tmp/sogh/securityonion
 INSTALLEDVERSION=$(cat /etc/soversion)
 INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk {'print $2'})
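Review bot: In update_docker_containers of the new so-image-common, `gpg --verify $SIGNPATH/$i.gpg $SIGNPATH/$i.txt` returns 0 for a good signature from any key in root's default keyring, and that keyring is topped up on every run by piping `curl -sSL .../master/KEYS` into `gpg --import -` with no check that the download succeeded or which key arrived. The image check is therefore only as strong as whatever that URL serves at run time, and the key comes from the same repository as the signatures it is meant to validate. I would ship or pin the signing key's fingerprint, verify against a dedicated keyring and compare the signer, e.g. `gpg --no-default-keyring --keyring "$SO_KEYRING" --status-fd 1 --verify "$SIGNPATH/$i.gpg" "$SIGNPATH/$i.txt" | grep -q "VALIDSIG $SO_KEY_FPR"` (both variable names are placeholders). Separately, the signature `curl` has no `--fail`, so an HTTP error page is saved as `$i.gpg` and the "Unable to pull signature file" branch is skipped; `curl -fsSL ... --output "$SIGNPATH/$i.gpg"` makes that branch reachable.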