CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-08 02:02:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1219 from Security-Onion-Solutions/feature/mkrsoup

Browse Source 
Feature/mkrsoup
This commit is contained in:
Mike Reeves
2020-08-19 15:47:53 -04:00
committed by GitHub
parent d80156505c db2cc5f7a7
commit ac2cf8c6d8
2 changed files with 86 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
salt/common/tools/sbin/soup
View File

@@ -87,6 +87,36 @@ highstate() {
salt-call state.highstate -l info salt-call state.highstate -l info
} }
masterlock() {
echo "Locking Salt Master"
if [[ "$INSTALLEDVERSION" =~ rc.1 ]]; then
TOPFILE=/opt/so/saltstack/default/salt/top.sls
BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup
mv -v $TOPFILE $BACKUPTOPFILE
echo "base:" > $TOPFILE
echo " $MINIONID:" >> $TOPFILE
echo " - ca" >> $TOPFILE
echo " - ssl" >> $TOPFILE
echo " - elasticsearch" >> $TOPFILE
fi
}
masterunlock() {
echo "Unlocking Salt Master"
if [[ "$INSTALLEDVERSION" =~ rc.1 ]]; then
mv -v $BACKUPTOPFILE $TOPFILE
fi
}
playbook() {
echo "Applying playbook settings"
if [[ "$INSTALLEDVERSION" =~ rc.1 ]]; then
salt-call state.apply playbook.db_init
rm -f /opt/so/rules/elastalert/playbook/*.yaml
so-playbook-ruleupdate >> /root/soup_playbook_rule_update.log 2>&1 &
fi
}
pillar_changes() { pillar_changes() {
# This function is to add any new pillar items if needed. # This function is to add any new pillar items if needed.
echo "Checking to see if pillar changes are needed." echo "Checking to see if pillar changes are needed."
@@ -103,6 +133,31 @@ pillar_changes() {
sed -i '/^ url_base:/d' /opt/so/saltstack/local/pillar/minions/$MINIONID.sls; sed -i '/^ url_base:/d' /opt/so/saltstack/local/pillar/minions/$MINIONID.sls;
sed -i "/^global:/a \\$line" /opt/so/saltstack/local/pillar/global.sls; sed -i "/^global:/a \\$line" /opt/so/saltstack/local/pillar/global.sls;
# Adding play values to the global.sls
local HIVEPLAYSECRET=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
local CORTEXPLAYSECRET=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
sed -i "/^global:/a \\ hiveplaysecret: $HIVEPLAYSECRET" /opt/so/saltstack/local/pillar/global.sls;
sed -i "/^global:/a \\ cortexplaysecret: $CORTEXPLAYSECRET" /opt/so/saltstack/local/pillar/global.sls;
# Move storage nodes to hostname for SSL
# Get a list we can use:
grep -A1 searchnode /opt/so/saltstack/local/pillar/data/nodestab.sls | grep -v '\-\-' | sed '$!N;s/\n/ /' | awk '{print $1,$3}' | awk '/_searchnode:/{gsub(/\_searchnode:/, "_searchnode"); print}' >/tmp/nodes.txt
# Remove the nodes from cluster settings
while read p; do
local NAME=$(echo $p | awk '{print $1}')
local IP=$(echo $p | awk '{print $2}')
echo "Removing the old cross cluster config for $NAME"
curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_cluster/settings -d '{"persistent":{"cluster":{"remote":{"'$NAME'":{"skip_unavailable":null,"seeds":null}}}}}'
done </tmp/nodes.txt
# Add the nodes back using hostname
while read p; do
local NAME=$(echo $p | awk '{print $1}')
local EHOSTNAME=$(echo $p | awk -F"_" '{print $1}')
echo "Adding the new cross cluster config for $NAME"
curl -XPUT http://localhost:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"'$NAME'": {"skip_unavailable": "true", "seeds": ["'$EHOSTNAME':9300"]}}}}}'
done </tmp/nodes.txt
fi fi
} }
@@ -318,18 +373,32 @@ copy_new_files
echo "" echo ""
update_version update_version
echo ""
echo "Locking down Salt Master for upgrade"
masterlock
echo "" echo ""
echo "Starting Salt Master service." echo "Starting Salt Master service."
systemctl start salt-master systemctl start salt-master
echo "" echo ""
echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes." echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes."
highstate highstate
echo "" echo ""
echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete." echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete."
echo ""
echo "Stopping Salt Master to remove ACL"
systemctl stop salt-master
masterunlock
echo ""
echo "Starting Salt Master service."
systemctl start salt-master
highstate
playbook
SALTUPGRADED="True" SALTUPGRADED="True"
if [[ "$SALTUPGRADED" == "True" ]]; then if [[ "$SALTUPGRADED" == "True" ]]; then
echo "" echo ""

17
salt/ssl/init.sls
View File

@@ -368,7 +368,18 @@ fleetkeyperms:
- group: 939 - group: 939
{% endif %} {% endif %}
{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-import'] %} {% if grains['role'] in ['so-sensor', 'so-manager', 'so-searchnode', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-import'] %}
removefbcertdir:
file.absent:
- name: /etc/pki/filebeat.crt
- onlyif: "[ -d /etc/pki/filebeat.crt ]"
removefbp8dir:
file.absent:
- name: /etc/pki/filebeat.p8
- onlyif: "[ -d /etc/pki/filebeat.p8 ]"
fbcertdir: fbcertdir:
file.directory: file.directory:
@@ -505,7 +516,7 @@ fleetkeyperms:
{% endif %} {% endif %}
{% if grains['role'] in ['so-node', 'so-heavynode'] %} {% if grains['role'] in ['so-searchnode', 'so-heavynode'] %}
# Create a cert for elasticsearch # Create a cert for elasticsearch
/etc/pki/elasticsearch.key: /etc/pki/elasticsearch.key:
x509.private_key_managed: x509.private_key_managed:
@@ -518,6 +529,7 @@ fleetkeyperms:
{% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%} {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
- prereq: - prereq:
- x509: /etc/pki/elasticsearch.crt - x509: /etc/pki/elasticsearch.crt
{%- endif %}
/etc/pki/elasticsearch.crt: /etc/pki/elasticsearch.crt:
x509.certificate_managed: x509.certificate_managed:
@@ -552,4 +564,3 @@ elastickeyperms:
- group: 930 - group: 930
{%- endif %} {%- endif %}
{%- endif %}