mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-13 04:32:48 +01:00
New SOUP
This commit is contained in:
Mike Reeves
@@ -15,23 +15,170 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
clone_to_tmp() {
|
||||
. /usr/sbin/so-common
|
||||
UPDATE_DIR=/tmp/sogh/securityonion
|
||||
INSTALLEDVERSION=$(cat /etc/soversion)
|
||||
default_salt_dir=/opt/so/saltstack/default
|
||||
|
||||
manager_check() {
|
||||
# Check to see if this is a manager
|
||||
MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
|
||||
if [ $MANAGERCHECK == 'so-eval' OR $MANAGERCHECK == 'so-manager' OR $MANAGERCHECK == 'so-managersearch' ]; then
|
||||
echo "This is a manager. We can proceed"
|
||||
else
|
||||
echo "Please run soup on the manager. The manager controls all updates."
|
||||
exit 0
|
||||
}
|
||||
|
||||
clean_dockers() {
|
||||
# Place Holder for cleaning up old docker images
|
||||
echo ""
|
||||
}
|
||||
|
||||
clone_to_tmp() {
|
||||
# TODO Need to add a air gap option
|
||||
# Clean old files
|
||||
rm -rf /tmp/sogh
|
||||
# Make a temp location for the files
|
||||
rm -rf /tmp/soup
|
||||
mkdir -p /tmp/soup
|
||||
cd /tmp/soup
|
||||
#git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
|
||||
git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
|
||||
mkdir -p /tmp/sogh
|
||||
cd /tmp/sogh
|
||||
#git clone -b dev https://github.com/Security-Onion-Solutions/securityonion.git
|
||||
git clone https://github.com/Security-Onion-Solutions/securityonion.git
|
||||
cd /tmp
|
||||
if [ ! -f $UPDATE_DIR/VERSION ]; then
|
||||
echo "Update was unable to pull from github. Please check your internet."
|
||||
exit 0
|
||||
fi
|
||||
}
|
||||
|
||||
copy_new_files() {
|
||||
# Copy new files over to the salt dir
|
||||
cd /tmp/sogh/securityonion
|
||||
rsync -a salt $default_salt_dir/
|
||||
rsync -a pillar $default_salt_dir/
|
||||
chown -R socore:socore $default_salt_dir/
|
||||
chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
|
||||
cd /tmp
|
||||
}
|
||||
|
||||
highstate() {
|
||||
# Run a highstate but first cancel a running one.
|
||||
salt-call saltutil.kill_all_jobs
|
||||
salt-call state.highstate
|
||||
}
|
||||
|
||||
pillar_changes() {
|
||||
# This function is to add any new pillar items if needed.
|
||||
echo "Checking to see if pillar changes are needed"
|
||||
|
||||
}
|
||||
|
||||
# Prompt the user that this requires internets
|
||||
update_dockers() {
|
||||
# List all the containers
|
||||
if [ $MANAGERCHECK != 'so-helix' ]; then
|
||||
TRUSTED_CONTAINERS=( \
|
||||
"so-acng" \
|
||||
"so-thehive-cortex" \
|
||||
"so-curator" \
|
||||
"so-domainstats" \
|
||||
"so-elastalert" \
|
||||
"so-elasticsearch" \
|
||||
"so-filebeat" \
|
||||
"so-fleet" \
|
||||
"so-fleet-launcher" \
|
||||
"so-freqserver" \
|
||||
"so-grafana" \
|
||||
"so-idstools" \
|
||||
"so-influxdb" \
|
||||
"so-kibana" \
|
||||
"so-kratos" \
|
||||
"so-logstash" \
|
||||
"so-mysql" \
|
||||
"so-nginx" \
|
||||
"so-pcaptools" \
|
||||
"so-playbook" \
|
||||
"so-redis" \
|
||||
"so-soc" \
|
||||
"so-soctopus" \
|
||||
"so-steno" \
|
||||
"so-strelka" \
|
||||
"so-suricata" \
|
||||
"so-telegraf" \
|
||||
"so-thehive" \
|
||||
"so-thehive-es" \
|
||||
"so-wazuh" \
|
||||
"so-zeek" )
|
||||
else
|
||||
TRUSTED_CONTAINERS=( \
|
||||
"so-filebeat" \
|
||||
"so-idstools" \
|
||||
"so-logstash" \
|
||||
"so-nginx" \
|
||||
"so-redis" \
|
||||
"so-steno" \
|
||||
"so-suricata" \
|
||||
"so-telegraf" \
|
||||
"so-zeek" )
|
||||
fi
|
||||
|
||||
# Download the containers from the interwebs
|
||||
for i in "${TRUSTED_CONTAINERS[@]}"
|
||||
do
|
||||
# Pull down the trusted docker image
|
||||
echo "Downloading $i:$NEWVERSION"
|
||||
docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i:$NEWVERSION
|
||||
# Tag it with the new registry destination
|
||||
docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION
|
||||
docker push $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION
|
||||
done
|
||||
|
||||
}
|
||||
|
||||
update_version() {
|
||||
# Update the version to the latest
|
||||
echo "Updating the version file."
|
||||
echo $NEWVERSION > /etc/soversion
|
||||
}
|
||||
|
||||
upgrade_check() {
|
||||
# Let's make sure we actually need to update.
|
||||
NEWVERSION=$(cat $UPDATE_DIR/VERSION)
|
||||
if [ $INSTALLEDVERSION == $NEWVERSION ]; then
|
||||
echo "You are already running the latest version of Security Onion."
|
||||
exit 0
|
||||
else
|
||||
echo "Performing Upgrade from $INSTALLEDVERSION to $NEWVERSION"
|
||||
fi
|
||||
}
|
||||
|
||||
verify_latest_update_script() {
|
||||
# Check to see if the update scripts match. If not run the new one.
|
||||
CURRENTSOUP=$(md5sum /usr/sbin/soup)
|
||||
GITSOUP=$(md5sum /tmp/sogh/securityonion/salt/common/tools/sbin/soup)
|
||||
if [ $CURRENTSOUP == $GITSOUP ]; then
|
||||
echo "The scripts match"
|
||||
else
|
||||
echo "They don't match"
|
||||
cp $UPDATE_DIR/salt/sommon/tools/sbin/soup /usr/sbin/soup
|
||||
cp $UPDATE_DIR/salt/common/tools/sbin/soup $default_salt_dir/salt/common/tools/sbin/
|
||||
echo "soup has been updated. Please run soup again"
|
||||
exit 0
|
||||
fi
|
||||
}
|
||||
|
||||
manager_check
|
||||
clone_to_tmp
|
||||
cd /tmp/soup/securityonion-saltstack/update
|
||||
chmod +x soup
|
||||
./soup
|
||||
verify_latest_update_script
|
||||
upgrade_check
|
||||
pillar_changes
|
||||
clean_dockers
|
||||
update_dockers
|
||||
copy_new_files
|
||||
highstate
|
||||
update_version
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user