highstate , merge with dev fix conflict

m0duspwnens
2020-11-18 14:47:40 -05:00
8 changed files with 138 additions and 34 deletions


@@ -17,8 +17,8 @@
# Check for prerequisites # Check for prerequisites
if [ "$(id -u)" -ne 0 ]; then if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!" echo "This script must be run using sudo!"
exit 1 exit 1
fi fi
# Define a banner to separate sections # Define a banner to separate sections
@@ -29,19 +29,43 @@ header() {
printf '%s\n' "$banner" "$*" "$banner" printf '%s\n' "$banner" "$*" "$banner"
} }
lookup_salt_value() {
key=$1
group=$2
kind=$3
if [ -z "$kind" ]; then
kind=pillar
fi
if [ -n "$group" ]; then
group=${group}:
fi
salt-call --no-color ${kind}.get ${group}${key} --out=newline_values_only
}
lookup_pillar() { lookup_pillar() {
key=$1 key=$1
salt-call --no-color pillar.get global:${key} --out=newline_values_only pillar=$2
if [ -z "$pillar" ]; then
pillar=global
fi
lookup_salt_value "$key" "$pillar" "pillar"
} }
lookup_pillar_secret() { lookup_pillar_secret() {
key=$1 lookup_pillar "$1" "secrets"
salt-call --no-color pillar.get secrets:${key} --out=newline_values_only
} }
lookup_grain() { lookup_grain() {
key=$1 lookup_salt_value "$1" "" "grains"
salt-call --no-color grains.get ${key} --out=newline_values_only }
lookup_role() {
id=$(lookup_grain id)
pieces=($(echo $id | tr '_' ' '))
echo ${pieces[1]}
} }
check_container() { check_container() {
@@ -50,9 +74,9 @@ check_container() {
} }
check_password() { check_password() {
local password=$1 local password=$1
echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1 echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1
return $? return $?
} }
set_os() { set_os() {
@@ -96,3 +120,18 @@ require_manager() {
exit 1 exit 1
fi fi
} }
is_single_node_grid() {
role=$(lookup_role)
if [ "$role" != "eval" ] && [ "$role" != "standalone" ] && [ "$role" != "import" ]; then
return 1
fi
return 0
}
fail() {
msg=$1
echo "ERROR: $msg"
echo "Exiting."
exit 1
}
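Review bot: lookup_salt_value, lookup_pillar, lookup_role, is_single_node_grid and fail assign `key`, `group`, `kind`, `pillar`, `id`, `pieces`, `role` and `msg` without `local`, and this file appears to be the so-common that other scripts source, so each call overwrites same-named variables in the caller. Declaring them, e.g. `local key=$1 group=$2 kind=${3:-pillar}`, keeps the helpers self-contained. The salt-call line and lookup_role also expand unquoted, so a value containing whitespace or glob characters is split or expanded; `salt-call --no-color "${kind}.get" "${group}${key}" --out=newline_values_only` and `IFS=_ read -r -a pieces <<< "$id"` avoid that. fail writes to stdout, so `echo "ERROR: $msg" >&2` would keep the message out of any captured output.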


@@ -0,0 +1,59 @@
#!/bin/bash
. $(dirname $0)/so-common
if [ "$FORCE_IP_UPDATE" != "1" ]; then
is_single_node_grid || fail "Cannot update the IP on a distributed grid"
fi
echo "This tool will update a manager's IP address to the new IP assigned to the management network interface."
echo
echo "WARNING: This tool is still undergoing testing, use at your own risk!"
echo
if [ -z "$OLD_IP" ]; then
OLD_IP=$(lookup_pillar "managerip")
if [ -z "$OLD_IP" ]; then
fail "Unable to find old IP; possible salt system failure"
fi
echo "Found old IP $OLD_IP."
fi
if [ -z "$NEW_IP" ]; then
iface=$(lookup_pillar "mainint" "host")
NEW_IP=$(ip -4 addr list $iface | grep inet | cut -d' ' -f6 | cut -d/ -f1)
if [ -z "$NEW_IP" ]; then
fail "Unable to detect new IP on interface $iface. "
fi
echo "Detected new IP $NEW_IP on interface $iface."
fi
if [ "$OLD_IP" == "$NEW_IP" ]; then
fail "IP address has not changed"
fi
echo "About to change old IP $OLD_IP to new IP $NEW_IP."
read -n 1 -p "Would you like to continue? (y/N) " CONTINUE
echo
if [ "$CONTINUE" == "y" ]; then
for file in $(grep -rlI $OLD_IP /opt/so/saltstack /etc); do
echo "Updating file: $file"
sed -i "s|$OLD_IP|$NEW_IP|g" $file
done
echo "The IP has been changed from $OLD_IP to $NEW_IP."
if [ -z "$SKIP_STATE_APPLY" ]; then
echo "Re-applying salt states."
salt-call state.highstate queue=True
fi
else
echo "Exiting without changes."
fi


@@ -114,6 +114,12 @@ check_airgap() {
fi fi
} }
check_sudoers() {
if grep -q "so-setup" /etc/sudoers; then
echo "There is an entry for so-setup in the sudoers file, this can be safely deleted using \"visudo\"."
fi
}
clean_dockers() { clean_dockers() {
# Place Holder for cleaning up old docker images # Place Holder for cleaning up old docker images
echo "Trying to clean up old dockers." echo "Trying to clean up old dockers."
@@ -191,7 +197,6 @@ pillar_changes() {
[[ "$INSTALLEDVERSION" =~ rc.1 ]] && rc1_to_rc2 [[ "$INSTALLEDVERSION" =~ rc.1 ]] && rc1_to_rc2
[[ "$INSTALLEDVERSION" =~ rc.2 ]] && rc2_to_rc3 [[ "$INSTALLEDVERSION" =~ rc.2 ]] && rc2_to_rc3
[[ "$INSTALLEDVERSION" =~ rc.3 ]] && rc3_to_2.3.0 [[ "$INSTALLEDVERSION" =~ rc.3 ]] && rc3_to_2.3.0
} }
rc1_to_rc2() { rc1_to_rc2() {
@@ -292,6 +297,7 @@ unmount_update() {
umount /tmp/soagupdate umount /tmp/soagupdate
} }
update_centos_repo() { update_centos_repo() {
# Update the files in the repo # Update the files in the repo
echo "Syncing new updates to /nsm/repo" echo "Syncing new updates to /nsm/repo"
@@ -525,6 +531,8 @@ if [ "$UPGRADESALT" == "1" ]; then
echo "" echo ""
fi fi
check_sudoers
} }
main "$@" | tee /dev/fd/3 main "$@" | tee /dev/fd/3
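Review bot: check_sudoers greps only /etc/sudoers for the bare substring `so-setup`, so a grant placed under /etc/sudoers.d is never reported while a commented-out line is. Something like `grep -Eqs '^[^#]*so-setup' /etc/sudoers /etc/sudoers.d/*` would narrow the match to active lines and cover both locations. The function would also benefit from a header comment, for example `# Warn about a leftover so-setup sudoers entry; informational only, nothing is changed`. The call is added near the end of a function whose body starts outside the hunk.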


@@ -115,7 +115,7 @@ filebeat.inputs:
fields: ["source", "prospector", "input", "offset", "beat"] fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true fields_under_root: true
clean_removed: false clean_removed: true
close_removed: false close_removed: false
- type: log - type: log
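Review bot: `clean_removed: true` now sits beside `close_removed: false`, and Filebeat's log-input documentation says clean_removed must be disabled whenever close_removed is disabled. Either enable `close_removed` as well or keep `clean_removed: false`; this is worth confirming against the Filebeat version shipped here. A short comment above the setting stating why registry entries should be dropped for removed files would help the next reader. The input definition starts outside the hunk.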


@@ -12,12 +12,12 @@
{% if grains.saltversion|string != SALTVERSION|string %} {% if grains.saltversion|string != SALTVERSION|string %}
{% if grains.os|lower in ['centos', 'redhat'] %} {% if grains.os|lower in ['centos', 'redhat'] %}
{% if ISAIRGAP is sameas true %} {% if ISAIRGAP is sameas true %}
{% set UPGRADECOMMAND = 'yum clean all && yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -r -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*" && salt-call state.highstate && sleep 300 && salt-call state.apply salt.minion queue=True'%} {% set UPGRADECOMMAND = 'yum clean all && yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -r -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*" && salt-call state.highstate' %}
{% else %} {% else %}
{% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*" && salt-call state.highstate && sleep 300 && salt-call state.apply salt.minion queue=True' %} {% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*" && salt-call state.highstate' %}
{% endif %} {% endif %}
{% elif grains.os|lower == 'ubuntu' %} {% elif grains.os|lower == 'ubuntu' %}
{% set UPGRADECOMMAND = 'apt-mark unhold salt-common && apt-mark unhold salt-minion && /usr/sbin/bootstrap-salt.sh -F -x python3 stable ' ~ SALTVERSION ~ ' && apt-mark hold salt-common && apt-mark hold salt-minion && salt-call state.highstate && sleep 300 && salt-call state.apply salt.minion queue=True' %} {% set UPGRADECOMMAND = 'apt-mark unhold salt-common && apt-mark unhold salt-minion && /usr/sbin/bootstrap-salt.sh -F -x python3 stable ' ~ SALTVERSION ~ ' && apt-mark hold salt-common && apt-mark hold salt-minion && salt-call state.highstate' %}
{% endif %} {% endif %}
{% else %} {% else %}
{% set UPGRADECOMMAND = 'echo Already running Salt Minon version ' ~ SALTVERSION %} {% set UPGRADECOMMAND = 'echo Already running Salt Minon version ' ~ SALTVERSION %}


@@ -1019,6 +1019,10 @@ install_cleanup() {
# If Mysql is running stop it # If Mysql is running stop it
/usr/sbin/so-mysql-stop /usr/sbin/so-mysql-stop
if [[ $setup_type == 'iso' ]]; then
info "Removing so-setup permission entry from sudoers file"
sed -i '/so-setup/d' /etc/sudoers
fi
} }
import_registry_docker() { import_registry_docker() {
@@ -1378,20 +1382,11 @@ reinstall_init() {
info "Putting system in state to run setup again" info "Putting system in state to run setup again"
{ {
local minion_config=/etc/salt/minion # Kill any salt processes
pkill -9 -ef /usr/bin/salt
# Remove startup_states from minion config so we don't immediately highstate when salt starts back up
if [[ -f $minion_config ]] && grep -q "startup_states" $minion_config; then
sed -i '/startup_states/d' $minion_config
fi
if command -v salt-call &> /dev/null; then # Remove all salt configs
# Disable schedule so highstate doesn't start running during the install rm -rf /etc/salt/global /etc/salt/minion /etc/salt/master /etc/salt/pki/*
salt-call -l info schedule.disable
# Kill any currently running salt jobs, also to prevent issues with highstate.
salt-call -l info saltutil.kill_all_jobs
fi
if command -v docker &> /dev/null; then if command -v docker &> /dev/null; then
# Stop and remove all so-* containers so files can be changed with more safety # Stop and remove all so-* containers so files can be changed with more safety
@@ -1410,7 +1405,7 @@ reinstall_init() {
# Backup /nsm for the same reason # Backup /nsm for the same reason
while IFS= read -r -d '' dir; do while IFS= read -r -d '' dir; do
mv "$dir" "${dir}_old_${date_string}" mv "$dir" "${dir}_old_${date_string}"
done < <(find /nsm -maxdepth 1 -mindepth 1 -type d -print0) done < <(find /nsm -maxdepth 1 -mindepth 1 -type d -not -path "/nsm/docker-registry" -print0)
# Remove the old launcher package in case the config changes # Remove the old launcher package in case the config changes
remove_package launcher-final remove_package launcher-final
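Review bot: The new `sed -i '/so-setup/d' /etc/sudoers` in install_cleanup edits the live sudoers file with no syntax check, and it deletes every line containing the substring, including a line that is part of a continued rule; a sudoers file that no longer parses blocks sudo entirely. Editing a copy, validating it with `visudo -cf`, and only then writing it back keeps a bad edit from landing. Separately, `pkill -9 -ef /usr/bin/salt` in reinstall_init matches any command line containing that path and sends SIGKILL first; sending TERM before KILL gives salt a chance to exit cleanly. Both function bodies start outside their hunks.

```shell
  if [[ $setup_type == 'iso' ]]; then
    info "Removing so-setup permission entry from sudoers file"
    local sudoers_tmp
    sudoers_tmp=$(mktemp) || return 1
    sed '/so-setup/d' /etc/sudoers > "$sudoers_tmp"
    # Only write the edited copy back if it still parses
    if visudo -cf "$sudoers_tmp" > /dev/null 2>&1; then
      cat "$sudoers_tmp" > /etc/sudoers
    else
      info "Edited sudoers did not validate; /etc/sudoers left unchanged"
    fi
    rm -f -- "$sudoers_tmp"
  fi
```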


@@ -54,11 +54,12 @@ while [[ $# -gt 0 ]]; do
esac esac
done done
if [[ -f $setup_log ]]; then is_reinstall=false
if [[ -f /root/accept_changes ]]; then
is_reinstall=true is_reinstall=true
# Move last setup log to backup # Move last setup log to backup
mv $setup_log $setup_log.bak mv "$setup_log" "$setup_log.bak"
fi fi
# Begin Installation pre-processing # Begin Installation pre-processing
@@ -317,7 +318,6 @@ if [[ $is_import ]]; then
PLAYBOOK=0 PLAYBOOK=0
fi fi
# Start user prompts # Start user prompts
if [[ $is_helix || $is_sensor ]]; then if [[ $is_helix || $is_sensor ]]; then
@@ -427,6 +427,7 @@ if [[ $is_manager || $is_import ]]; then whiptail_so_allow; fi
whiptail_make_changes whiptail_make_changes
# From here on changes will be made. # From here on changes will be made.
echo "1" > /root/accept_changes
if [[ $is_reinstall ]]; then if [[ $is_reinstall ]]; then
reinstall_init reinstall_init
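Review bot: The added `is_reinstall=false` makes the later `if [[ $is_reinstall ]]` test true on every run, because `[[ $var ]]` only checks for a non-empty string and `false` is non-empty. As far as the visible lines show, reinstall_init would then run on a first install too. Either drop the `is_reinstall=false` line so the variable stays empty, matching the other `[[ $is_... ]]` flags, or compare explicitly with `if [[ $is_reinstall == true ]]; then`. Nothing in these hunks removes `/root/accept_changes` after a successful install, so a comment next to `echo "1" > /root/accept_changes` saying who clears the marker would help. The surrounding top-level code continues outside the hunks.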


@@ -168,8 +168,10 @@ whiptail_cancel() {
echo "/root/installtmp removed"; echo "/root/installtmp removed";
} >> $setup_log 2>&1 } >> $setup_log 2>&1
fi fi
exit
title "User cancelled setup, no changes made."
exit
} }
whiptail_check_exitstatus() { whiptail_check_exitstatus() {
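Review bot: The `exit` after the new `title "User cancelled setup, no changes made."` line carries no status, so the script exits with whatever `title` returned, presumably 0, and a wrapper cannot tell a cancelled setup from a completed one. An explicit `exit 1`, or whichever code the project reserves for cancellation, would make that visible. The rendering does not show whether the earlier bare `exit` is still on the new side; if it is, the title line is unreachable and that `exit` should go. whiptail_cancel starts outside the hunk.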