CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

New SOUP

Browse Source
This commit is contained in:
Mike Reeves
2020-07-15 17:46:33 -04:00
parent 9781d8d0e7
commit d71dc89b13
6 changed files with 169 additions and 242 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
exclude-list.txt
View File

1
salt/common/tools/sbin/so-docker-refresh
View File

@@ -78,6 +78,7 @@ if [ $MANAGERCHECK != 'so-helix' ]; then
"so-logstash:$VERSION" \ "so-logstash:$VERSION" \
"so-mysql:$VERSION" \ "so-mysql:$VERSION" \
"so-nginx:$VERSION" \ "so-nginx:$VERSION" \
"so-pcaptools:$VERSION" \
"so-playbook:$VERSION" \ "so-playbook:$VERSION" \
"so-redis:$VERSION" \ "so-redis:$VERSION" \
"so-soc:$VERSION" \ "so-soc:$VERSION" \

11
salt/common/tools/sbin/so-features-enable
View File

@@ -17,6 +17,17 @@
. /usr/sbin/so-common . /usr/sbin/so-common
local_salt_dir=/opt/so/saltstack/local local_salt_dir=/opt/so/saltstack/local
manager_check() {
# Check to see if this is a manager
MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
if [ $MANAGERCHECK == 'so-eval' OR $MANAGERCHECK == 'so-manager' OR $MANAGERCHECK == 'so-managersearch' ]; then
echo "This is a manager. We can proceed."
else
echo "Please run so-features-enable on the manager."
exit 0
}
manager_check
VERSION=$(grep soversion $local_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g') VERSION=$(grep soversion $local_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
# Modify static.sls to enable Features # Modify static.sls to enable Features
sed -i 's/features: False/features: True/' $local_salt_dir/pillar/static.sls sed -i 's/features: False/features: True/' $local_salt_dir/pillar/static.sls

167
salt/common/tools/sbin/soup
View File

@@ -15,23 +15,170 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
clone_to_tmp() { . /usr/sbin/so-common
UPDATE_DIR=/tmp/sogh/securityonion
INSTALLEDVERSION=$(cat /etc/soversion)
default_salt_dir=/opt/so/saltstack/default
manager_check() {
# Check to see if this is a manager
MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
if [ $MANAGERCHECK == 'so-eval' OR $MANAGERCHECK == 'so-manager' OR $MANAGERCHECK == 'so-managersearch' ]; then
echo "This is a manager. We can proceed"
else
echo "Please run soup on the manager. The manager controls all updates."
exit 0
}
clean_dockers() {
# Place Holder for cleaning up old docker images
echo ""
}
clone_to_tmp() {
# TODO Need to add a air gap option # TODO Need to add a air gap option
# Clean old files
rm -rf /tmp/sogh
# Make a temp location for the files # Make a temp location for the files
rm -rf /tmp/soup mkdir -p /tmp/sogh
mkdir -p /tmp/soup cd /tmp/sogh
cd /tmp/soup #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion.git
#git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git git clone https://github.com/Security-Onion-Solutions/securityonion.git
git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git cd /tmp
if [ ! -f $UPDATE_DIR/VERSION ]; then
echo "Update was unable to pull from github. Please check your internet."
exit 0
fi
}
copy_new_files() {
# Copy new files over to the salt dir
cd /tmp/sogh/securityonion
rsync -a salt $default_salt_dir/
rsync -a pillar $default_salt_dir/
chown -R socore:socore $default_salt_dir/
chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
cd /tmp
}
highstate() {
# Run a highstate but first cancel a running one.
salt-call saltutil.kill_all_jobs
salt-call state.highstate
}
pillar_changes() {
# This function is to add any new pillar items if needed.
echo "Checking to see if pillar changes are needed"
} }
# Prompt the user that this requires internets update_dockers() {
# List all the containers
if [ $MANAGERCHECK != 'so-helix' ]; then
TRUSTED_CONTAINERS=( \
"so-acng" \
"so-thehive-cortex" \
"so-curator" \
"so-domainstats" \
"so-elastalert" \
"so-elasticsearch" \
"so-filebeat" \
"so-fleet" \
"so-fleet-launcher" \
"so-freqserver" \
"so-grafana" \
"so-idstools" \
"so-influxdb" \
"so-kibana" \
"so-kratos" \
"so-logstash" \
"so-mysql" \
"so-nginx" \
"so-pcaptools" \
"so-playbook" \
"so-redis" \
"so-soc" \
"so-soctopus" \
"so-steno" \
"so-strelka" \
"so-suricata" \
"so-telegraf" \
"so-thehive" \
"so-thehive-es" \
"so-wazuh" \
"so-zeek" )
else
TRUSTED_CONTAINERS=( \
"so-filebeat" \
"so-idstools" \
"so-logstash" \
"so-nginx" \
"so-redis" \
"so-steno" \
"so-suricata" \
"so-telegraf" \
"so-zeek" )
fi
# Download the containers from the interwebs
for i in "${TRUSTED_CONTAINERS[@]}"
do
# Pull down the trusted docker image
echo "Downloading $i:$NEWVERSION"
docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i:$NEWVERSION
# Tag it with the new registry destination
docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION
docker push $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION
done
}
update_version() {
# Update the version to the latest
echo "Updating the version file."
echo $NEWVERSION > /etc/soversion
}
upgrade_check() {
# Let's make sure we actually need to update.
NEWVERSION=$(cat $UPDATE_DIR/VERSION)
if [ $INSTALLEDVERSION == $NEWVERSION ]; then
echo "You are already running the latest version of Security Onion."
exit 0
else
echo "Performing Upgrade from $INSTALLEDVERSION to $NEWVERSION"
fi
}
verify_latest_update_script() {
# Check to see if the update scripts match. If not run the new one.
CURRENTSOUP=$(md5sum /usr/sbin/soup)
GITSOUP=$(md5sum /tmp/sogh/securityonion/salt/common/tools/sbin/soup)
if [ $CURRENTSOUP == $GITSOUP ]; then
echo "The scripts match"
else
echo "They don't match"
cp $UPDATE_DIR/salt/sommon/tools/sbin/soup /usr/sbin/soup
cp $UPDATE_DIR/salt/common/tools/sbin/soup $default_salt_dir/salt/common/tools/sbin/
echo "soup has been updated. Please run soup again"
exit 0
fi
}
manager_check
clone_to_tmp clone_to_tmp
cd /tmp/soup/securityonion-saltstack/update verify_latest_update_script
chmod +x soup upgrade_check
./soup pillar_changes
clean_dockers
update_dockers
copy_new_files
highstate
update_version

205
upgrade/so-update-functions
View File

@@ -1,205 +0,0 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
# Set the new SO Version
UPDATEVERSION=1.2.2
BUILD=HH
#Determine the current install version
if [ -f /etc/soversion ]; then
OLDVERSION=$(cat /etc/soversion)
else
OLDVERSION=1.1.4
fi
# Use the hostname
HOSTNAME=$(hostname)
# List all the containers
if [ $MANAGERCHECK != 'so-helix' ]; then
TRUSTED_CONTAINERS=( \
"so-acng:$BUILD$UPDATEVERSION" \
"so-thehive-cortex:$BUILD$UPDATEVERSION" \
"so-curator:$BUILD$UPDATEVERSION" \
"so-domainstats:$BUILD$UPDATEVERSION" \
"so-elastalert:$BUILD$UPDATEVERSION" \
"so-elasticsearch:$BUILD$UPDATEVERSION" \
"so-filebeat:$BUILD$UPDATEVERSION" \
"so-fleet:$BUILD$UPDATEVERSION" \
"so-fleet-launcher:$BUILD$UPDATEVERSION" \
"so-freqserver:$BUILD$UPDATEVERSION" \
"so-grafana:$BUILD$UPDATEVERSION" \
"so-idstools:$BUILD$UPDATEVERSION" \
"so-influxdb:$BUILD$UPDATEVERSION" \
"so-kibana:$BUILD$UPDATEVERSION" \
"so-kratos:$BUILD$UPDATEVERSION" \
"so-logstash:$BUILD$UPDATEVERSION" \
"so-mysql:$BUILD$UPDATEVERSION" \
"so-nginx:$BUILD$UPDATEVERSION" \
"so-playbook:$BUILD$UPDATEVERSION" \
"so-redis:$BUILD$UPDATEVERSION" \
"so-soc:$BUILD$UPDATEVERSION" \
"so-soctopus:$BUILD$UPDATEVERSION" \
"so-steno:$BUILD$UPDATEVERSION" \
"so-strelka:$BUILD$UPDATEVERSION" \
"so-suricata:$BUILD$UPDATEVERSION" \
"so-telegraf:$BUILD$UPDATEVERSION" \
"so-thehive:$BUILD$UPDATEVERSION" \
"so-thehive-es:$BUILD$UPDATEVERSION" \
"so-wazuh:$BUILD$UPDATEVERSION" \
"so-zeek:$BUILD$UPDATEVERSION" )
else
TRUSTED_CONTAINERS=( \
"so-filebeat:$BUILD$UPDATEVERSION" \
"so-idstools:$BUILD$UPDATEVERSION" \
"so-logstash:$BUILD$UPDATEVERSION" \
"so-nginx:$BUILD$UPDATEVERSION" \
"so-redis:$BUILD$UPDATEVERSION" \
"so-steno:$BUILD$UPDATEVERSION" \
"so-suricata:$BUILD$UPDATEVERSION" \
"so-telegraf:$BUILD$UPDATEVERSION" \
"so-zeek:$BUILD$UPDATEVERSION" )
fi
clone_to_tmp() {
# TODO Need to add a air gap option
# Make a temp location for the files
mkdir /tmp/sogh
cd /tmp/sogh
#git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
cd /tmp
}
copy_new_files() {
# Copy new files over to the salt dir
cd /tmp/sogh/securityonion-saltstack
rsync -a --exclude-from 'exclude-list.txt' salt $default_salt_dir/
chown -R socore:socore $default_salt_dir/salt
chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
cd /tmp
}
detect_os() {
# Detect Base OS
echo "Detecting Base OS" >> $UPDATELOG 2>&1
if [ -f /etc/redhat-release ]; then
OS=centos
if grep -q "CentOS Linux release 7" /etc/redhat-release; then
OSVER=7
elif grep -q "CentOS Linux release 8" /etc/redhat-release; then
OSVER=8
echo "We currently do not support CentOS $OSVER but we are working on it!"
exit
else
echo "We do not support the version of CentOS you are trying to use"
exit
fi
elif [ -f /etc/os-release ]; then
OS=ubuntu
if grep -q "UBUNTU_CODENAME=bionic" /etc/os-release; then
OSVER=bionic
elif grep -q "UBUNTU_CODENAME=xenial" /etc/os-release; then
OSVER=xenial
else
echo "We do not support your current version of Ubuntu"
exit
fi
else
echo "We were unable to determine if you are using a supported OS." >> $UPDATELOG 2>&1
exit
fi
echo "Found OS: $OS $OSVER" >> $UPDATELOG 2>&1
}
manager_check() {
# Check to see if this is a manager
MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
if [ $MANAGERCHECK == 'so-eval' OR $MANAGERCHECK == 'so-manager' OR $MANAGERCHECK == 'so-managersearch' ]; then
echo "This is a manager. We can proceed"
else
echo "Please run soup on the manager. The manager controls all updates."
exit
}
salt_highstate() {
salt-call state.highstate
}
update_held_packages() {
if [ $OS == "centos" ]
SALTVER=2019.2.4
DOCKERVER=
yum -y --disableexcludes=all update salt-$SALTVER
yum -y --disableexcludes=all update docker-ce-$DOCKERVER
else
SALTVER=2019.2.4+ds-1
DOCKERVER=5:19.03.8~3-0~ubuntu-xenial
fi
}
update_all_packages() {
# Update all the things based on OS
if [ $OS == "centos" ]; then
yum -y update
else
apt -y update && apt -y upgrade
fi
}
update_docker_containers() {
# Download the containers from the interwebs
for i in "${TRUSTED_CONTAINERS[@]}"
do
# Pull down the trusted docker image
echo "Downloading $i"
docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i
# Tag it with the new registry destination
docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i
docker push $HOSTNAME:5000/$IMAGEREPO/$i
done
for i in "${TRUSTED_CONTAINERS[@]}"
do
echo "Removing $i locally"
docker rmi $IMAGEREPO/$i
done
}
update_hh_version() {
# Change the version number in the static pillar
}

27
upgrade/soup
View File

@@ -1,27 +0,0 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
SCRIPTDIR=$(dirname "$0")
source $SCRIPTDIR/so-update-functions
# Update Packages
manager_check
update_all_packages
update_held_packages