From b48612dd3b23de77140f490ed9aad52b9bb4082d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 19 Mar 2020 13:46:19 -0400 Subject: [PATCH] Update Stuff Round 2 --- salt/common/tools/sbin/soup | 3 +- upgrade/so-update-functions | 164 +++++++++++++++++++++--------------- upgrade/soup | 1 + 3 files changed, 97 insertions(+), 71 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 17d360b6c..7c471aa34 100644 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -30,7 +30,8 @@ clone_to_tmp() { # Prompt the user that this requires internets clone_to_tmp -cd /tmp/soup/securityonion-saltstack +cd /tmp/soup/securityonion-saltstack/update +chmod +x soup ./soup diff --git a/upgrade/so-update-functions b/upgrade/so-update-functions index ccd208723..0961bbf7a 100644 --- a/upgrade/so-update-functions +++ b/upgrade/so-update-functions 
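Review bot: The new `cd /tmp/soup/securityonion-saltstack/update` targets a directory named `update`, but the diffstat and file headers of this same patch place the script at `upgrade/soup`, so the `cd` looks like it will fail. Because its result is not checked, `chmod +x soup` and `./soup` would then act on whatever `soup` is found from the directory the script was already in, which a root-run updater should not allow. Suggest `cd /tmp/soup/securityonion-saltstack/upgrade || exit 1`. The body of `clone_to_tmp` that populates `/tmp/soup` is outside this hunk; if it fetches an unpinned branch, checking out a verified release tag before running `./soup` would be a sensible follow-up.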
@@ -15,10 +15,71 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -# Set the SO Version -VERSION=1.2.1 +# Set the new SO Version + +UPDATEVERSION=1.2.1 BUILD=HH -OLDVERSION=$(cat /etc/soversion) + +#Determine the current install version + +if [ -f /etc/soversion ]; then + OLDVERSION=$(cat /etc/soversion) +else + OLDVERSION=1.1.4 +fi + +# Use the hostname +HOSTNAME=$(hostname) + +# List all the containers +if [ $MASTERCHECK != 'so-helix' ]; then + TRUSTED_CONTAINERS=( \ + "so-acng:$BUILD$UPDATEVERSION" \ + "so-auth-api:$BUILD$UPDATEVERSION" \ + "so-auth-ui:$BUILD$UPDATEVERSION" \ + "so-core:$BUILD$UPDATEVERSION" \ + "so-thehive-cortex:$BUILD$UPDATEVERSION" \ + "so-curator:$$BUILD$UPDATEVERSION" \ + "so-domainstats:$$BUILD$UPDATEVERSION" \ + "so-elastalert:$$BUILD$UPDATEVERSION" \ + "so-elasticsearch:$$BUILD$UPDATEVERSION" \ + "so-filebeat:$$BUILD$UPDATEVERSION" \ + "so-fleet:$$BUILD$UPDATEVERSION" \ + "so-fleet-launcher:$$BUILD$UPDATEVERSION" \ + "so-freqserver:$$BUILD$UPDATEVERSION" \ + "so-grafana:$$BUILD$UPDATEVERSION" \ + "so-idstools:$$BUILD$UPDATEVERSION" \ + "so-influxdb:$$BUILD$UPDATEVERSION" \ + "so-kibana:$$BUILD$UPDATEVERSION" \ + "so-logstash:$$BUILD$UPDATEVERSION" \ + "so-mysql:$$BUILD$UPDATEVERSION" \ + "so-navigator:$$BUILD$UPDATEVERSION" \ + "so-playbook:$$BUILD$UPDATEVERSION" \ + "so-redis:$$BUILD$UPDATEVERSION" \ + "so-sensoroni:$$BUILD$UPDATEVERSION" \ + "so-soctopus:$$BUILD$UPDATEVERSION" \ + "so-steno:$$BUILD$UPDATEVERSION" \ + "so-strelka:$$BUILD$UPDATEVERSION" \ + "so-suricata:$$BUILD$UPDATEVERSION" \ + "so-telegraf:$$BUILD$UPDATEVERSION" \ + "so-thehive:$$BUILD$UPDATEVERSION" \ + "so-thehive-es:$$BUILD$UPDATEVERSION" \ + "so-wazuh:$$BUILD$UPDATEVERSION" \ + "so-zeek:$$BUILD$UPDATEVERSION" ) + else + TRUSTED_CONTAINERS=( \ + "so-core:$$BUILD$UPDATEVERSION" \ + "so-filebeat:$$BUILD$UPDATEVERSION" \ + "so-idstools:$$BUILD$UPDATEVERSION" \ + "so-logstash:$$BUILD$UPDATEVERSION" \ + 
"so-redis:$$BUILD$UPDATEVERSION" \ + "so-sensoroni:$$BUILD$UPDATEVERSION" \ + "so-steno:$$BUILD$UPDATEVERSION" \ + "so-suricata:$$BUILD$UPDATEVERSION" \ + "so-telegraf:$$BUILD$UPDATEVERSION" \ + "so-zeek:$$BUILD$UPDATEVERSION" ) + fi + clone_to_tmp() { @@ -28,9 +89,20 @@ clone_to_tmp() { cd /tmp/sogh #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git + cd /tmp } +copy_new_files() { + + # Copy new files over to the salt dir + cd /tmp/sogh/securityonion-saltstack + rsync -a --exclude-from 'exclude-list.txt' salt /opt/so/saltstack/ + chown -R socore:socore /opt/so/saltstack/salt + chmod 755 /opt/so/saltstack/pillar/firewall/addfirewall.sh + cd /tmp +} + detect_os() { # Detect Base OS @@ -58,10 +130,6 @@ detect_os() { echo "We do not support your current version of Ubuntu" exit fi - # Install network manager so we can do interface stuff - apt install -y network-manager - /bin/systemctl enable network-manager - /bin/systemctl start network-manager else echo "We were unable to determine if you are using a supported OS." >> $UPDATELOG 2>&1 exit @@ -71,6 +139,22 @@ detect_os() { } +master_check() { + # Check to see if this is a master + MASTERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') + if [ $MASTERCHECK == 'so-eval' OR $MASTERCHECK == 'so-master' OR $MASTERCHECK == 'so-mastersearch' ]; then + echo "This is a master. We can proceed" + else + echo "Please run soup on the master. The master controls all updates." + exit +} + +salt_highstate() { + + salt-call state.highstate + +} + update_held_packages() { if [ $OS == "centos" ] 
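Review bot: From `so-curator` onward the `TRUSTED_CONTAINERS` entries are written `$$BUILD$UPDATEVERSION`; in bash `$$` expands to the shell's PID, so those tags become the PID followed by the literal text `BUILD1.2.1` instead of `HH1.2.1`, and every entry of the `else` list has the same typo. Each should match the first five, e.g. `"so-curator:$BUILD$UPDATEVERSION" \`. Separately, `if [ $MASTERCHECK != 'so-helix' ]` runs while the file is being sourced, before `master_check` has set the variable, so the unquoted empty expansion makes `[` fail and the shorter Helix list is selected. Quote it as `"$MASTERCHECK"` and build the list only after `master_check` has run. `HOSTNAME=$(hostname)` also reassigns a variable bash already sets.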
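Review bot: `copy_new_files` rsyncs whatever the repository's default branch holds at clone time into `/opt/so/saltstack/`, with no tag, commit pin or signature check between `git clone` and the copy, and that tree is what `salt-call state.highstate` later applies. Consider cloning a release tag and verifying it before the rsync, for example `git clone --branch RELEASE_TAG --depth 1 ...` followed by `git verify-tag RELEASE_TAG` (RELEASE_TAG is a placeholder). The fixed path `/tmp/sogh` sits in a world-writable directory and this patch also drops the old `rm -rf /tmp/sogh`, so a directory left by an earlier run or created by another local user is reused; `mktemp -d` would avoid that. Add `|| exit 1` to `cd /tmp/sogh/securityonion-saltstack` so that a failed clone cannot leave the rsync running from a different directory. `clone_to_tmp` starts outside this hunk.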
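Review bot: `master_check` has no closing `fi` before its `}`, which is a syntax error in a file that `upgrade/soup` sources, and `OR` is not an operator `[` understands, so the role gate cannot evaluate as intended. Write the condition as `if [ "$MASTERCHECK" == 'so-eval' ] || [ "$MASTERCHECK" == 'so-master' ] || [ "$MASTERCHECK" == 'so-mastersearch' ]; then`, add the `fi`, and use `exit 1` so the refusal is visible to callers. `grep role` also matches any grains line that merely contains the word, so `MASTERCHECK` can end up holding several values. If the file uses a `role:` key, something like `awk '/^role:/ {print $2}' /etc/salt/grains` would keep the gate on a single value.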
@@ -97,55 +181,8 @@ update_all_packages() { } update_docker_containers() { - if [ $INSTALLTYPE != 'HELIXSENSOR' ]; then - TRUSTED_CONTAINERS=( \ - "so-acng:$BUILD$VERSION" \ - "so-auth-api:$BUILD$VERSION" \ - "so-auth-ui:$BUILD$VERSION" \ - "so-core:$BUILD$VERSION" \ - "so-thehive-cortex:$BUILD$VERSION" \ - "so-curator:$BUILD$VERSION" \ - "so-domainstats:$BUILD$VERSION" \ - "so-elastalert:$BUILD$VERSION" \ - "so-elasticsearch:$BUILD$VERSION" \ - "so-filebeat:$BUILD$VERSION" \ - "so-fleet:$BUILD$VERSION" \ - "so-fleet-launcher:$BUILD$VERSION" \ - "so-freqserver:$BUILD$VERSION" \ - "so-grafana:$BUILD$VERSION" \ - "so-idstools:$BUILD$VERSION" \ - "so-influxdb:$BUILD$VERSION" \ - "so-kibana:$BUILD$VERSION" \ - "so-logstash:$BUILD$VERSION" \ - "so-mysql:$BUILD$VERSION" \ - "so-navigator:$BUILD$VERSION" \ - "so-playbook:$BUILD$VERSION" \ - "so-redis:$BUILD$VERSION" \ - "so-sensoroni:$BUILD$VERSION" \ - "so-soctopus:$BUILD$VERSION" \ - "so-steno:$BUILD$VERSION" \ - #"so-strelka:$BUILD$VERSION" \ - "so-suricata:$BUILD$VERSION" \ - "so-telegraf:$BUILD$VERSION" \ - "so-thehive:$BUILD$VERSION" \ - "so-thehive-es:$BUILD$VERSION" \ - "so-wazuh:$BUILD$VERSION" \ - "so-zeek:$BUILD$VERSION" ) - else - TRUSTED_CONTAINERS=( \ - "so-core:$BUILD$VERSION" \ - "so-filebeat:$BUILD$VERSION" \ - "so-idstools:$BUILD$VERSION" \ - "so-logstash:$BUILD$VERSION" \ - "so-redis:$BUILD$VERSION" \ - "so-sensoroni:$BUILD$VERSION" \ - "so-steno:$BUILD$VERSION" \ - "so-suricata:$BUILD$VERSION" \ - "so-telegraf:$BUILD$VERSION" \ - "so-zeek:$BUILD$VERSION" ) - fi - - # Download the container from the interwebs + + # Download the containers from the interwebs for i in "${TRUSTED_CONTAINERS[@]}" do # Pull down the trusted docker image 
@@ -163,21 +200,8 @@ update_docker_containers() { done } + update_hh_version() { # Change the version number in the static pillar } - -# Clone github -mkdir /tmp/sogh -cd /tmp/sogh -#git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git -git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git -cd securityonion-saltstack -rsync -a --exclude-from 'exclude-list.txt' salt /opt/so/saltstack/ -chown -R socore:socore /opt/so/saltstack/salt -chmod 755 /opt/so/saltstack/pillar/firewall/addfirewall.sh -cd ~ -rm -rf /tmp/sogh -# Run so-elastic-download here and call this soup with some magic -salt-call state.highstate diff --git a/upgrade/soup b/upgrade/soup index 6ae8def42..19fa0203f 100644 --- a/upgrade/soup +++ b/upgrade/soup @@ -19,6 +19,7 @@ SCRIPTDIR=$(dirname "$0") source $SCRIPTDIR/so-update-functions # Update Packages +master_check update_all_packages update_held_packages
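Review bot: Nothing visible in `upgrade/soup` calls `clone_to_tmp`, `copy_new_files` or `salt_highstate`, although this patch deletes the top-level clone, rsync and `salt-call state.highstate` statements from `so-update-functions` in favour of those functions. Unless they are invoked further down in `upgrade/soup`, outside this hunk, the update no longer refreshes the salt tree or applies it. The new `master_check` call also sits under the `# Update Packages` comment; a separate comment such as `# Refuse to run anywhere but the master` would keep the gate easy to spot.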