diff --git a/salt/common/init.sls b/salt/common/init.sls index 0ada77e1a..adf34a43a 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -74,6 +74,12 @@ repair_yumdb: - onlyif: - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"' +crsynckeys: + file.recurse: + - name: /etc/pki/rpm_gpg + - source: salt://common/keys/ + + crbase: file.absent: - name: /etc/yum.repos.d/CentOS-Base.repo diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 5108e73d3..a1792fdab 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -239,6 +239,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" =~ rc.3 ]] && rc3_to_2.3.0 [[ "$INSTALLEDVERSION" == 2.3.0 || "$INSTALLEDVERSION" == 2.3.1 || "$INSTALLEDVERSION" == 2.3.2 || "$INSTALLEDVERSION" == 2.3.10 ]] && up_2.3.0_to_2.3.20 [[ "$INSTALLEDVERSION" == 2.3.20 || "$INSTALLEDVERSION" == 2.3.21 ]] && up_2.3.2X_to_2.3.30 + [[ "$INSTALLEDVERSION" == 2.3.30 ]] && up_2.3.3X_to_2.3.50 } postupgrade_changes() { @@ -409,6 +410,30 @@ up_2.3.2X_to_2.3.30() { sed -i "/^strelka:/a \\ repos: \n - https://github.com/Neo23x0/signature-base" /opt/so/saltstack/local/pillar/global.sls; fi check_log_size_limit + INSTALLEDVERSION=2.3.30 +} + +up_2.3.3X_to_2.3.50() { + if [[ $OS == 'centos' ]]; then + # Import GPG Keys + gpg_rpm_import + + if [[ ! $is_airgap ]]; then + + DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh') + + for DELREPO in "${DELREPOS[@]}"; + rm /etc/yum.repos.d/$DELREPO + done + + # Copy the new repo file if not airgap + cp $UPDATE_DIR/salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ + yum clean all + yum repolist + fi + fi + INSTALLEDVERSION=2.3.50 + } verify_upgradespace() { 
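Review bot: The new `crsynckeys` state writes the keys to `/etc/pki/rpm_gpg` (underscore), but every `gpgkey=file:///etc/pki/rpm-gpg/...` line this commit adds to salt/common/yum_repos/securityonion.repo (both hunks) reads from `/etc/pki/rpm-gpg` (hyphen). Unless something else places the keys there (perhaps `gpg_rpm_import` in soup, which is not shown), yum with `gpgcheck=1` would not find the key files this state delivers; the line should read `- name: /etc/pki/rpm-gpg`. These files are the trust anchors for package verification, so I would also set `user`, `group` and `file_mode` on the state (root-owned, not group- or world-writable) rather than rely on defaults. Nothing visible here orders this state before the repo file is installed, so a `require` on `crsynckeys` may be needed if that ordering is not set elsewhere.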
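Review bot: The added dispatch line in `preupgrade_changes` matches only the exact string `2.3.30`, although the function it calls is named `up_2.3.3X_to_2.3.50` and the line above it lists each point release explicitly (`2.3.20 || 2.3.21`). If any other 2.3.3x release was shipped, hosts on it would skip the key import and the repo cleanup. Either list those versions here or match them with a pattern, `[[ "$INSTALLEDVERSION" == 2.3.3[0-9] ]] && up_2.3.3X_to_2.3.50`. `preupgrade_changes` starts outside the hunk.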
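Review bot: The `for DELREPO in "${DELREPOS[@]}";` loop in `up_2.3.3X_to_2.3.50` has no `do`, which bash rejects as a syntax error when it reads the function definition. The loop body also removes `/etc/yum.repos.d/$DELREPO`, but the list holds bare names while the files carry a `.repo` suffix (init.sls in this commit removes `/etc/yum.repos.d/CentOS-Base.repo`), so the old repo definitions, with their own key settings, would stay active next to the new one. I would write `for DELREPO in "${DELREPOS[@]}"; do` and `rm -f -- "/etc/yum.repos.d/${DELREPO}.repo"`, and quote `"$UPDATE_DIR/..."` in the `cp`. `[[ ! $is_airgap ]]` treats any non-empty value, including `false` or `0`, as airgap, which is correct only if the variable is left empty on non-airgap installs; that is not visible here. The result of `gpg_rpm_import` is not checked before the repos that depend on those keys are switched in.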
@@ -503,7 +528,7 @@ upgrade_salt() { echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION." echo "" # If CentOS - if [ "$OS" == "centos" ]; then + if [[ $OS == 'centos' ]]; then echo "Removing yum versionlock for Salt." echo "" yum versionlock delete "salt-*" @@ -514,7 +539,7 @@ upgrade_salt() { echo "" yum versionlock add "salt-*" # Else do Ubuntu things - elif [ "$OS" == "ubuntu" ]; then + elif [[ $OS == 'ubuntu' ]]; then echo "Removing apt hold for Salt." echo "" apt-mark unhold "salt-common" diff --git a/salt/common/yum_repos/securityonion.repo b/salt/common/yum_repos/securityonion.repo index 2fb35e579..0cd96bd91 100644 --- a/salt/common/yum_repos/securityonion.repo +++ b/salt/common/yum_repos/securityonion.repo @@ -31,25 +31,25 @@ name=Extra Packages for Enterprise Linux 7 - $basearch baseurl=https://repo.securityonion.net/file/securityonion-repo/epel/ enabled=1 gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/RPM-GPG-KEY-EPEL-7 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 [docker-ce-stable] name=Docker CE Stable - $basearch baseurl=https://repo.securityonion.net/file/securityonion-repo/docker-ce-stable enabled=1 gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub +gpgkey=file:///etc/pki/rpm-gpg/docker.pub -[saltstack] +[saltstack3003] name=SaltStack repo for RHEL/CentOS $releasever PY3 baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack3003/ enabled=1 gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub +gpgkey=file:///etc/pki/rpm-gpg/SALTSTACK-GPG-KEY.pub [wazuh_repo] gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH +gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH enabled=1 name=Wazuh repository baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh_repo/ 
@@ -57,7 +57,7 @@ protect=1 [wazuh4_repo] gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH +gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH enabled=1 name=Wazuh repository baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh4_repo/ diff --git a/salt/common/yum_repos/securityonioncache.repo b/salt/common/yum_repos/securityonioncache.repo index 56ada1413..bc0454ae7 100644 --- a/salt/common/yum_repos/securityonioncache.repo +++ b/salt/common/yum_repos/securityonioncache.repo @@ -40,7 +40,7 @@ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub -[saltstack] +[saltstack3003] name=SaltStack repo for RHEL/CentOS $releasever PY3 baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack3003/ enabled=1
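Review bot: securityonioncache.repo is left on the old trust path: the context lines of its hunk still show `gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub`, while securityonion.repo in the same commit moves every key to `file:///etc/pki/rpm-gpg/`. If the cache repo is meant to follow, its `gpgkey=` lines should point at the local files too, for example `gpgkey=file:///etc/pki/rpm-gpg/docker.pub`. The `[saltstack3003]` stanza also keeps `baseurl=http://repocache.securityonion.net/...` over plain HTTP; `gpgcheck=1` covers package signatures but not repository metadata, so `repo_gpgcheck=1` or an HTTPS base URL is worth considering if the cache supports either. The rest of the file is outside the hunk, so its other stanzas could not be checked.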