Fix indent in main(), re-add trap, remove ERR_HANDLED variable

William Wernert
2021-05-12 13:20:59 -04:00
parent 807b525c79
commit 9ced391c11
2 changed files with 309 additions and 226 deletions


@@ -334,7 +334,6 @@ run_check_net_err() {
exit_code=$? exit_code=$?
if [[ $exit_code -ne 0 ]]; then if [[ $exit_code -ne 0 ]]; then
ERR_HANDLED=true
echo "Command failed with error $exit_code" echo "Command failed with error $exit_code"
echo "$err_msg" echo "$err_msg"
exit $exit_code exit $exit_code


@@ -26,6 +26,72 @@ SOUP_LOG=/root/soup.log
INFLUXDB_MIGRATION_LOG=/opt/so/log/influxdb/soup_migration.log INFLUXDB_MIGRATION_LOG=/opt/so/log/influxdb/soup_migration.log
WHATWOULDYOUSAYYAHDOHERE=soup WHATWOULDYOUSAYYAHDOHERE=soup
check_err() {
local exit_code=$1
local lineno=$2
local err_msg="Unhandled error occured, please check $SOUP_LOG for details."
if [[ $exit_code -ne 0 ]]; then
printf '%s' "Soup failed on line $lineno with error $exit_code: "
case $exit_code in
2)
echo 'No such file or directory'
;;
5)
echo 'Interrupted system call'
;;
12)
echo 'Out of memory'
;;
28)
echo 'No space left on device'
echo 'Likely ran out of space on disk, please review hardware requirements for Security Onion: https://docs.securityonion.net/en/2.3/hardware.html'
;;
30)
echo 'Read-only file system'
;;
35)
echo 'Resource temporarily unavailable'
;;
64)
echo 'Machine is not on the network'
;;
67)
echo 'Link has been severed'
;;
100)
echo 'Netowrk is down'
;;
101)
echo 'Network is unreachable'
;;
102)
echo 'Network reset'
;;
110)
echo 'Connection timed out'
;;
111)
echo 'Connection refused'
;;
112)
echo 'Host is down'
;;
113)
echo 'No route to host'
;;
*)
echo 'Unhandled error'
echo "$err_msg"
;;
esac
if [[ $exit_code -ge 64 && $exit_code -le 113 ]]; then
echo "$err_msg"
fi
exit $exit_code
fi
}
add_common() { add_common() {
cp $UPDATE_DIR/salt/common/tools/sbin/so-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/ cp $UPDATE_DIR/salt/common/tools/sbin/so-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
@@ -48,8 +114,8 @@ airgap_mounted() {
echo "Example: /home/user/securityonion-2.X.0.iso" echo "Example: /home/user/securityonion-2.X.0.iso"
echo "Example: /dev/sdx1" echo "Example: /dev/sdx1"
echo "" echo ""
read -p 'Enter the location of the iso: ' ISOLOC read -rp 'Enter the location of the iso: ' ISOLOC
if [ -f $ISOLOC ]; then if [[ -f $ISOLOC ]]; then
# Mounting the ISO image # Mounting the ISO image
mkdir -p /tmp/soagupdate mkdir -p /tmp/soagupdate
mount -t iso9660 -o loop $ISOLOC /tmp/soagupdate mount -t iso9660 -o loop $ISOLOC /tmp/soagupdate
@@ -61,7 +127,7 @@ airgap_mounted() {
else else
echo "ISO has been mounted!" echo "ISO has been mounted!"
fi fi
elif [ -f $ISOLOC/SecurityOnion/VERSION ]; then elif [[ -f $ISOLOC/SecurityOnion/VERSION ]]; then
ln -s $ISOLOC /tmp/soagupdate ln -s $ISOLOC /tmp/soagupdate
echo "Found the update content" echo "Found the update content"
else else
@@ -79,9 +145,9 @@ airgap_mounted() {
} }
airgap_update_dockers() { airgap_update_dockers() {
if [ $is_airgap -eq 0 ]; then if [[ $is_airgap -eq 0 ]]; then
# Let's copy the tarball # Let's copy the tarball
if [ ! -f $AGDOCKER/registry.tar ]; then if [[ ! -f $AGDOCKER/registry.tar ]]; then
echo "Unable to locate registry. Exiting" echo "Unable to locate registry. Exiting"
exit 1 exit 1
else else
@@ -179,7 +245,9 @@ check_os_updates() {
echo "Continuing without updating packages" echo "Continuing without updating packages"
elif [[ "$confirm" == [uU] ]]; then elif [[ "$confirm" == [uU] ]]; then
echo "Applying Grid Updates" echo "Applying Grid Updates"
set +e
run_check_net_err "salt '*' -b 5 state.apply patch.os queue=True" 'Could not apply OS updates, please check your network connection.' run_check_net_err "salt '*' -b 5 state.apply patch.os queue=True" 'Could not apply OS updates, please check your network connection.'
set -e
else else
echo "Exiting soup" echo "Exiting soup"
exit 0 exit 0
@@ -207,7 +275,9 @@ clone_to_tmp() {
if [ -n "$BRANCH" ]; then if [ -n "$BRANCH" ]; then
SOUP_BRANCH="-b $BRANCH" SOUP_BRANCH="-b $BRANCH"
fi fi
set +e
run_check_net_err "git clone $SOUP_BRANCH https://github.com/Security-Onion-Solutions/securityonion.git" "Could not clone repo, please ensure network access to https://github.com" run_check_net_err "git clone $SOUP_BRANCH https://github.com/Security-Onion-Solutions/securityonion.git" "Could not clone repo, please ensure network access to https://github.com"
set -e
cd /tmp cd /tmp
if [ ! -f $UPDATE_DIR/VERSION ]; then if [ ! -f $UPDATE_DIR/VERSION ]; then
echo "Update was unable to pull from github. Please check your internet." echo "Update was unable to pull from github. Please check your internet."
@@ -253,7 +323,11 @@ preupgrade_changes_2.3.50_repo() {
# We made repo changes in 2.3.50 and this prepares for that on upgrade # We made repo changes in 2.3.50 and this prepares for that on upgrade
echo "Checking to see if 2.3.50 repo changes are needed." echo "Checking to see if 2.3.50 repo changes are needed."
[[ "$INSTALLEDVERSION" == 2.3.30 || "$INSTALLEDVERSION" == 2.3.40 ]] && up_2.3.3X_to_2.3.50_repo if [[ "$INSTALLEDVERSION" == 2.3.30 || "$INSTALLEDVERSION" == 2.3.40 ]]; then
up_2.3.3X_to_2.3.50_repo
else
echo "No changes needed."
fi
} }
preupgrade_changes() { preupgrade_changes() {
@@ -433,7 +507,7 @@ up_2.3.2X_to_2.3.30() {
sed -i "/ imagerepo: securityonion/c\ imagerepo: 'security-onion-solutions'" /opt/so/saltstack/local/pillar/global.sls sed -i "/ imagerepo: securityonion/c\ imagerepo: 'security-onion-solutions'" /opt/so/saltstack/local/pillar/global.sls
# Strelka rule repo pillar addition # Strelka rule repo pillar addition
if [ $is_airgap -eq 0 ]; then if [[ $is_airgap -eq 0 ]]; then
# Add manager as default Strelka YARA rule repo # Add manager as default Strelka YARA rule repo
sed -i "/^strelka:/a \\ repos: \n - https://$HOSTNAME/repo/rules/strelka" /opt/so/saltstack/local/pillar/global.sls; sed -i "/^strelka:/a \\ repos: \n - https://$HOSTNAME/repo/rules/strelka" /opt/so/saltstack/local/pillar/global.sls;
else else
@@ -460,7 +534,7 @@ up_2.3.3X_to_2.3.50_repo() {
rm -f "/etc/yum.repos.d/$DELREPO.repo" rm -f "/etc/yum.repos.d/$DELREPO.repo"
fi fi
done done
if [ $is_airgap -eq 1 ]; then if [[ $is_airgap -eq 1 ]]; then
# Copy the new repo file if not airgap # Copy the new repo file if not airgap
cp $UPDATE_DIR/salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/ cp $UPDATE_DIR/salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/
yum clean all yum clean all
@@ -613,9 +687,11 @@ upgrade_salt() {
yum versionlock delete "salt-*" yum versionlock delete "salt-*"
echo "Updating Salt packages and restarting services." echo "Updating Salt packages and restarting services."
echo "" echo ""
set +e
run_check_net_err \ run_check_net_err \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable \"$NEWSALTVERSION\"" \ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable \"$NEWSALTVERSION\"" \
"Could not update soup, please check $SOUP_LOG for details." "Could not update soup, please check $SOUP_LOG for details."
set -e
echo "Applying yum versionlock for Salt." echo "Applying yum versionlock for Salt."
echo "" echo ""
yum versionlock add "salt-*" yum versionlock add "salt-*"
@@ -628,9 +704,11 @@ upgrade_salt() {
apt-mark unhold "salt-minion" apt-mark unhold "salt-minion"
echo "Updating Salt packages and restarting services." echo "Updating Salt packages and restarting services."
echo "" echo ""
set +e
run_check_net_err \ run_check_net_err \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable \"$NEWSALTVERSION\"" \ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable \"$NEWSALTVERSION\"" \
"Could not update soup, please check $SOUP_LOG for details." "Could not update soup, please check $SOUP_LOG for details."
set -e
echo "Applying apt hold for Salt." echo "Applying apt hold for Salt."
echo "" echo ""
apt-mark hold "salt-common" apt-mark hold "salt-common"
@@ -662,9 +740,12 @@ verify_latest_update_script() {
fi fi
} }
main () { main() {
echo "### Preparing soup at $(date) ###" set -e
while getopts ":b" opt; do trap 'check_err $? $BASH_LINENO' EXIT
echo "### Preparing soup at $(date) ###"
while getopts ":b" opt; do
case "$opt" in case "$opt" in
b ) # process option b b ) # process option b
shift shift
@@ -678,82 +759,85 @@ while getopts ":b" opt; do
echo "Usage: cmd [-b]" echo "Usage: cmd [-b]"
;; ;;
esac esac
done done
echo "Checking to see if this is a manager." echo "Checking to see if this is a manager."
echo "" echo ""
require_manager require_manager
set_minionid set_minionid
echo "Checking to see if this is an airgap install" echo "Checking to see if this is an airgap install"
echo "" echo ""
check_airgap check_airgap
echo "Found that Security Onion $INSTALLEDVERSION is currently installed." echo "Found that Security Onion $INSTALLEDVERSION is currently installed."
echo "" echo ""
set_os set_os
set_palette set_palette
check_elastic_license check_elastic_license
echo "" echo ""
if [ $is_airgap -eq 0 ]; then if [[ $is_airgap -eq 0 ]]; then
# Let's mount the ISO since this is airgap # Let's mount the ISO since this is airgap
airgap_mounted airgap_mounted
else else
echo "Cloning Security Onion github repo into $UPDATE_DIR." echo "Cloning Security Onion github repo into $UPDATE_DIR."
echo "Removing previous upgrade sources." echo "Removing previous upgrade sources."
rm -rf $UPDATE_DIR rm -rf $UPDATE_DIR
clone_to_tmp clone_to_tmp
fi fi
check_os_updates check_os_updates
echo "" echo ""
echo "Verifying we have the latest soup script." echo "Verifying we have the latest soup script."
verify_latest_update_script verify_latest_update_script
echo "" echo ""
echo "Generating new repo archive" echo "Generating new repo archive"
generate_and_clean_tarballs generate_and_clean_tarballs
if [ -f /usr/sbin/so-image-common ]; then if [ -f /usr/sbin/so-image-common ]; then
. /usr/sbin/so-image-common . /usr/sbin/so-image-common
else else
add_common add_common
fi fi
echo "Let's see if we need to update Security Onion." echo "Let's see if we need to update Security Onion."
echo "DEBUG: before upgrade_check" echo "DEBUG: before upgrade_check"
upgrade_check upgrade_check
echo "DEBUG: after upgrade_check" echo "DEBUG: after upgrade_check"
upgrade_space upgrade_space
echo "Checking for Salt Master and Minion updates." echo "Checking for Salt Master and Minion updates."
upgrade_check_salt upgrade_check_salt
if [ "$is_hotfix" == "true" ]; then if [ "$is_hotfix" == "true" ]; then
echo "Applying $HOTFIXVERSION" echo "Applying $HOTFIXVERSION"
copy_new_files copy_new_files
echo "" echo ""
update_version update_version
salt-call state.highstate -l info queue=True salt-call state.highstate -l info queue=True
else
else
echo "" echo ""
echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION." echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
echo "" echo ""
echo "Updating dockers to $NEWVERSION." echo "Updating dockers to $NEWVERSION."
if [ $is_airgap -eq 0 ]; then if [[ $is_airgap -eq 0 ]]; then
airgap_update_dockers airgap_update_dockers
update_centos_repo update_centos_repo
yum clean all yum clean all
check_os_updates check_os_updates
else else
update_registry update_registry
set +e
update_docker_containers "soup" update_docker_containers "soup"
set -e
fi fi
echo "" echo ""
echo "Stopping Salt Minion service." echo "Stopping Salt Minion service."
systemctl stop salt-minion systemctl stop salt-minion
echo "Killing any remaining Salt Minion processes." echo "Killing any remaining Salt Minion processes."
set +e
pkill -9 -ef /usr/bin/salt-minion pkill -9 -ef /usr/bin/salt-minion
set -e
echo "" echo ""
echo "Stopping Salt Master service." echo "Stopping Salt Master service."
systemctl stop salt-master systemctl stop salt-master
@@ -762,7 +846,7 @@ else
preupgrade_changes_2.3.50_repo preupgrade_changes_2.3.50_repo
# Does salt need upgraded. If so update it. # Does salt need upgraded. If so update it.
if [ "$UPGRADESALT" == "1" ]; then if [[ $UPGRADESALT -eq 1 ]]; then
echo "Upgrading Salt" echo "Upgrading Salt"
# Update the repo files so it can actually upgrade # Update the repo files so it can actually upgrade
upgrade_salt upgrade_salt
@@ -786,13 +870,13 @@ else
preupgrade_changes preupgrade_changes
echo "" echo ""
if [ $is_airgap -eq 0 ]; then if [[ $is_airgap -eq 0 ]]; then
echo "Updating Rule Files to the Latest." echo "Updating Rule Files to the Latest."
update_airgap_rules update_airgap_rules
fi fi
# Only update the repo if its airgap # Only update the repo if its airgap
if [[ $is_airgap -eq 0 ]] && [[ "$UPGRADESALT" != "1" ]]; then if [[ $is_airgap -eq 0 ]] && [[ $UPGRADESALT -ne 1 ]]; then
update_centos_repo update_centos_repo
fi fi
@@ -853,8 +937,8 @@ else
unmount_update unmount_update
thehive_maint thehive_maint
if [ "$UPGRADESALT" == "1" ]; then if [[ $UPGRADESALT -eq 1 ]]; then
if [ $is_airgap -eq 0 ]; then if [[ $is_airgap -eq 0 ]]; then
echo "" echo ""
echo "Cleaning repos on remote Security Onion nodes." echo "Cleaning repos on remote Security Onion nodes."
salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all" salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
@@ -882,7 +966,7 @@ else
NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l) NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l)
if [ $NUM_MINIONS -gt 1 ]; then if [[ $NUM_MINIONS -gt 1 ]]; then
cat << EOF cat << EOF
@@ -899,9 +983,9 @@ For more information, please see https://docs.securityonion.net/en/2.3/soup.html
EOF EOF
fi fi
fi fi
echo "### soup has been served at $(date) ###" echo "### soup has been served at $(date) ###"
} }
cat << EOF cat << EOF
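Review bot: In main(), the new `set +e` / `set -e` pair around `update_docker_containers "soup"` discards that call's exit status, so a failed container update neither stops the upgrade nor reaches the `check_err` EXIT trap, and soup goes on to stop the Salt services and continue the upgrade. The `run_check_net_err` call sites test `$?` themselves, but nothing here inspects the result; unless the function is known to exit on its own failures, the step should fail closed, e.g. `update_docker_containers "soup" || { echo "Container update failed, please check $SOUP_LOG for details."; exit 1; }`. For the pkill step, where a non-zero status can simply mean no process matched, `pkill -9 -ef /usr/bin/salt-minion || true` is narrower than switching errexit off and back on around it. main() continues between the visible hunks, so handling outside this view is possible.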