From 3977146a167bbd6769ce4b2b80306d5f554ce3ce Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 28 Jan 2022 10:36:30 -0500 Subject: [PATCH 1/7] add receiver to firewall files during soup --- salt/common/tools/sbin/soup | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index aa4ddf55f..8bdb67e8c 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -707,8 +707,20 @@ up_to_2.3.90() { up_to_2.3.100() { echo "Updating to Security Onion 2.3.100" fix_wazuh + echo "Removing /opt/so/state files for patched Salt InfluxDB module and state. This is due to Salt being upgraded and needing to patch the files again." rm -vrf /opt/so/state/influxdb_continuous_query.py.patched /opt/so/state/influxdb_retention_policy.py.patched /opt/so/state/influxdbmod.py.patched + + echo "Adding receiver hostgroup with so-firewall" + if so-firewall addhostgroup receiver 2>&1 | grep -q 'Already exists'; then + echo 'receiver hostgroup already exists' + else + echo 'receiver hostgroup added' + fi + + echo "Adding receiver to assigned_hostgroups.local.map.yaml" + grep -qxF " receiver:" /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml || echo " receiver:" >> /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml + } verify_upgradespace() { From 905ca35e93d6eb632f40c53b39a84484e9936973 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 28 Jan 2022 11:19:54 -0500 Subject: [PATCH 2/7] use sed instead of echo --- salt/common/tools/sbin/soup | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 8bdb67e8c..dc10b3f18 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
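Review bot: In PATCH 1/7, the `else` branch after `so-firewall addhostgroup receiver 2>&1 | grep -q 'Already exists'` prints 'receiver hostgroup added' for every outcome other than an "Already exists" message. The `if` only sees grep's exit status, so so-firewall's own status is discarded by the pipeline. A failed firewall change would therefore be logged as a success in the soup output. Capturing the output and exit status separately lets the upgrade report the failure; this assumes so-firewall exits non-zero on error, which is not visible in the hunk.

```shell
  echo "Adding receiver hostgroup with so-firewall"
  fw_out=$(so-firewall addhostgroup receiver 2>&1)
  fw_rc=$?
  if grep -q 'Already exists' <<< "$fw_out"; then
    echo 'receiver hostgroup already exists'
  elif [[ $fw_rc -eq 0 ]]; then
    echo 'receiver hostgroup added'
  else
    echo "so-firewall addhostgroup receiver failed (rc=$fw_rc): $fw_out"
  fi
  # … unchanged: append of receiver to assigned_hostgroups.local.map.yaml …
```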
@@ -719,8 +719,7 @@ up_to_2.3.100() { fi echo "Adding receiver to assigned_hostgroups.local.map.yaml" - grep -qxF " receiver:" /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml || echo " receiver:" >> /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml - + grep -qxF " receiver:" /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml || sed -i -e '$a receiver:' /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml } verify_upgradespace() { From e82c6a23932429cd6d096c7c2c01cc14d373c548 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 28 Jan 2022 12:50:58 -0500 Subject: [PATCH 3/7] default for managerupdate should be int not a string --- salt/repo/client/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/repo/client/init.sls b/salt/repo/client/init.sls index 27ffbe527..739b839d3 100644 --- a/salt/repo/client/init.sls +++ b/salt/repo/client/init.sls @@ -1,7 +1,7 @@ {% from 'repo/client/map.jinja' import ABSENTFILES with context %} {% from 'repo/client/map.jinja' import REPOPATH with context %} {% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %} -{% set managerupdates = salt['pillar.get']('global:managerupdate', '0') %} +{% set managerupdates = salt['pillar.get']('global:managerupdate', 0) %} {% set role = grains.id.split('_') | last %} # from airgap state From 75b8d6a0c5e0598714a1534e5bbe7b2477a1eed8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 28 Jan 2022 13:09:48 -0500 Subject: [PATCH 4/7] ensure /etc/yum.repos.d/securityonioncache.repo is absent if global:managerupdate = 0 --- salt/common/tools/sbin/soup | 1 + salt/repo/client/init.sls | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index dc10b3f18..dd8cf7b3f 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
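Review bot: The `grep -qxF ... || sed -i -e '$a ...'` line in PATCH 2/7, and its revision in PATCH 6/7, only takes effect when assigned_hostgroups.local.map.yaml already exists and is non-empty. `sed -i` errors out on a missing file and `$a` never fires on an empty one, and neither case is reported by the script. The append also goes to the end of the file, so `receiver:` lands under whichever mapping happens to be last; whether that is always the intended parent cannot be seen from the hunk. A guard before the append, such as `[[ -s "$map" ]] || echo "WARNING: $map missing or empty; receiver hostgroup not added"` with `map` set to the file path, plus a comment naming the expected parent key, would make a skipped firewall entry visible in the soup log.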
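Review bot: In PATCH 3/7, changing the default to `0` covers only the case where `global:managerupdate` is unset. `pillar.get` returns the pillar value with whatever type the YAML gave it, so a quoted `managerupdate: '0'` would still fail the `managerupdates == 0` comparison used later in this file (visible in PATCH 4/7). Coercing at the assignment makes the repo selection independent of how the pillar was written: `{% set managerupdates = salt['pillar.get']('global:managerupdate', 0) | int %}`.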
@@ -1159,6 +1159,7 @@ main() { if [[ $is_airgap -eq 0 ]]; then echo "" echo "Cleaning repos on remote Security Onion nodes." + salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' state.apply repo.client -l info salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all" echo "" fi diff --git a/salt/repo/client/init.sls b/salt/repo/client/init.sls index 739b839d3..081fef762 100644 --- a/salt/repo/client/init.sls +++ b/salt/repo/client/init.sls @@ -47,6 +47,12 @@ crsynckeys: - source: salt://repo/client/files/centos/keys/ {% if not ISAIRGAP %} + {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} +remove_securityonionrepocache: + file.absent: + - name: /etc/yum.repos.d/securityonioncache.repo + {% endif %} + crsecurityonionrepo: file.managed: {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} From 6b18551dd19092431758092adced123ca94229c7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 28 Jan 2022 14:39:10 -0500 Subject: [PATCH 5/7] skip applying repo.client if airgap and saltupgrade prior to yum clean all --- salt/common/tools/sbin/soup | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index dd8cf7b3f..dc10b3f18 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -1159,7 +1159,6 @@ main() { if [[ $is_airgap -eq 0 ]]; then echo "" echo "Cleaning repos on remote Security Onion nodes." - salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' state.apply repo.client -l info salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all" echo "" fi 
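Review bot: In the init.sls hunk of PATCH 4/7, the condition on the new `remove_securityonionrepocache` block repeats, character for character, the one inside `crsecurityonionrepo` just below it. A later edit to one role list can then leave `/etc/yum.repos.d/securityonioncache.repo` in place on a node that should no longer have it. Evaluating the condition once near the other `set` lines, e.g. `{% set NOREPOCACHE = role in [...] or managerupdates == 0 %}` with the role list from this hunk, and testing that name in both places keeps them in step. The `crsecurityonionrepo` state continues past the end of the hunk, so any further uses of the condition are not visible here.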
From 014696f62f8184666f7a9dc300ba0bc05ba78d5b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 28 Jan 2022 15:26:37 -0500 Subject: [PATCH 6/7] fix receiver append to assigned_hostgroups.local.map.yaml --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index dc10b3f18..9cd47e4dc 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -719,7 +719,7 @@ up_to_2.3.100() { fi echo "Adding receiver to assigned_hostgroups.local.map.yaml" - grep -qxF " receiver:" /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml || sed -i -e '$a receiver:' /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml + grep -qxF " receiver:" /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml || sed -i -e '$a\ receiver:' /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml } verify_upgradespace() { From c8b1e6f5015b8eac9b520392371c10b644a9d968 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 28 Jan 2022 15:49:53 -0500 Subject: [PATCH 7/7] remove -X from UPGRADECOMMAND so salt-minion starts after upgrade --- salt/salt/map.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index 3ef334752..b66ec23eb 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja 
@@ -27,9 +27,9 @@ {% if grains.saltversion|string != SALTVERSION|string %} {% if grains.os|lower in ['centos', 'redhat'] %} - {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION %} + {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -s 120 -r -F -x python3 stable ' ~ SALTVERSION %} {% elif grains.os|lower == 'ubuntu' %} - {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION %} + {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -s 120 -F -x python3 stable ' ~ SALTVERSION %} {% endif %} {% else %} {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
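Review bot: Both `UPGRADECOMMAND` lines now rely on the absence of `-X` (bootstrap-salt.sh's "do not start daemons" switch) to bring salt-minion back after the upgrade, but nothing in the template records that. The flag is easy to re-add the next time the option string is edited. A Jinja comment above the `{% if grains.os|lower in ['centos', 'redhat'] %}` branch would document it, e.g. `{# no -X: bootstrap-salt.sh must start salt-minion once the upgrade finishes #}`. The enclosing `{% if grains.saltversion|string != SALTVERSION|string %}` block ends outside the hunk.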