From b80dd1ef3eb0f34df9a1f5642f08ba8da36abe02 Mon Sep 17 00:00:00 2001
From: Pete
Date: Fri, 30 Apr 2021 20:21:50 +0000
Subject: [PATCH 01/13] fix 5-second sleep using wait here instead of sleep tries to wait until pid 5 exits and generates the error > /usr/sbin/so-playbook-reset: line 25: wait: pid 5 is not a child of this shell
---
 salt/common/tools/sbin/so-playbook-reset | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/common/tools/sbin/so-playbook-reset b/salt/common/tools/sbin/so-playbook-reset
index 9113fd2b8..ca1d3f57f 100755
--- a/salt/common/tools/sbin/so-playbook-reset
+++ b/salt/common/tools/sbin/so-playbook-reset
@@ -22,5 +22,5 @@ salt-call state.apply playbook.db_init,playbook,playbook.automation_user_create
 /usr/sbin/so-soctopus-restart
 echo "Importing Plays - this will take some time...."
-wait 5
-/usr/sbin/so-playbook-ruleupdate
\ No newline at end of file
+sleep 5
+/usr/sbin/so-playbook-ruleupdate
From 296c1c5a3c64e66e3fc49a032cc0e6967255e4a7 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 3 May 2021 14:30:53 -0400
Subject: [PATCH 02/13] Adding airgap hotfix
---
 salt/common/tools/sbin/so-airgap-hotfixapply | 67 +++++++++++++++++++
 .../tools/sbin/so-airgap-hotfixdownload | 33 +++++++++
 2 files changed, 100 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-airgap-hotfixapply
 create mode 100644 salt/common/tools/sbin/so-airgap-hotfixdownload
diff --git a/salt/common/tools/sbin/so-airgap-hotfixapply b/salt/common/tools/sbin/so-airgap-hotfixapply
new file mode 100644
index 000000000..cb6bf6451
--- /dev/null
+++ b/salt/common/tools/sbin/so-airgap-hotfixapply
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+HOTFIXDIR=/tmp/sohotfixapply
+
+if [ -z "$1" ]; then
+ echo "No tarball given. Please provide the filename so I can run the hotfix"
+ echo "so-airgap-hotfixapply /path/to/sohotfix.tar"
+ exit 1
+else
+ if [ ! -f "$1" ]; then
+ echo "Unable to find $1. Make sure your path is correct and retry."
+ exit 1
+ else
+ echo "Determining if we need to apply this hotfix"
+ rm -rf $HOTFIXDIR
+ mkdir -p $HOTFIXDIR
+ tar xvf $1 -C $HOTFIXDIR
+
+ # Compare some versions
+ NEWVERSION=$(cat $HOTFIXDIR/VERSION)
+ HOTFIXVERSION=$(cat $HOTFIXDIR/HOTFIX)
+ CURRENTHOTFIX=$(cat /etc/sohotfix)
+ INSTALLEDVERSION=$(cat /etc/soversion)
+
+ if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
+ echo "Checking to see if there are hotfixes needed"
+ if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then
+ echo "You are already running the latest version of Security Onion."
+ rm -rf $HOTFIXDIR
+ exit 1
+ else
+ echo "We need to apply a hotfix"
+ rsync -a $HOTFIXDIR/salt /opt/so/saltstack/default/
+ rsync -a $HOTFIXDIR/pillar /opt/so/saltstack/default/
+ chown -R socore:socore /opt/so/saltstack/default/
+ chmod 755 /opt/so/saltstack/default/pillar/firewall/addfirewall.sh
+ echo $HOTFIXVERSION > /etc/sohotfix
+ salt-call state.highstate -l info queue=True
+ echo "The Hotfix $HOTFIXVERSION has been applied"
+ # Clean up
+ rm -rf $HOTFIXDIR
+ exit 0
+ fi
+ else
+ echo "This hotfix is not compatible with your current version. Download the latest ISO and run soup"
+ rm -rf $HOTFIXDIR
+ fi
+
+ fi
+fi
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-airgap-hotfixdownload b/salt/common/tools/sbin/so-airgap-hotfixdownload
new file mode 100644
index 000000000..422fa5f1f
--- /dev/null
+++ b/salt/common/tools/sbin/so-airgap-hotfixdownload
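Review bot: The tarball named by `$1` is unpacked and its `salt` and `pillar` trees are rsynced into `/opt/so/saltstack/default/` as root with no integrity check on the archive and with `$1` and `$HOTFIXDIR` unquoted (`tar xvf $1 -C $HOTFIXDIR`); since the file is hand-carried on portable media, having `so-airgap-hotfixdownload` emit a checksum that this script verifies before `tar` runs, and quoting the expansions as `tar xvf "$1" -C "$HOTFIXDIR"`, would close both gaps. `HOTFIXDIR=/tmp/sohotfixapply` is a fixed, predictable path in a world-writable directory that root `rm -rf`s and recreates; `HOTFIXDIR=$(mktemp -d)` plus `trap 'rm -rf -- "$HOTFIXDIR"' EXIT` avoids the predictable name and replaces the three hand-written `rm -rf $HOTFIXDIR` cleanups. `CURRENTHOTFIX=$(cat /etc/sohotfix)` prints an error on a manager that has never had a hotfix applied (the file does not exist yet); PATCH 12/13 adds `2>/dev/null` to the identical line in `soup` but not here, so the two should match. Finally, the "already running the latest version" branch exits 1 although nothing failed, which is awkward when the command is scripted; `exit 0` matches what `soup` does for the same case.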
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Get the latest code
+rm -rf /tmp/sohotfix
+mkdir -p /tmp/sohotfix
+cd /tmp/sohotfix
+git clone https://github.com/Security-Onion-Solutions/securityonion
+if [ ! -d "/tmp/sohotfix/securityonion" ]; then
+ echo "I was unable to get the latest code. Check your internet and try again."
+ exit 1
+else
+ echo "Looks like we have the code lets create the tarball."
+ cd /tmp/sohotfix/securityonion
+ tar cvf /tmp/sohotfix/sohotfix.tar HOTFIX VERSION salt pillar
+ echo ""
+ echo "Copy /tmp/sohotfix/sohotfix.tar to portable media and then copy it to your airgap manager."
+ exit 0
+fi
\ No newline at end of file
From f04ed946272fe7a654f34f5444c7207eb1612af7 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 3 May 2021 14:33:45 -0400
Subject: [PATCH 03/13] Adding airgap hotfix
---
 salt/common/tools/sbin/soup | 282 ++++++++++++++++++++----------------
 1 file changed, 154 insertions(+), 128 deletions(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index d6f0c4fa7..637818a49 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
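Review bot: `cd /tmp/sohotfix` and `cd /tmp/sohotfix/securityonion` are unchecked and the script has no `set -e`, so if the first `cd` fails `git clone` runs in whatever the current directory is and only the later `-d` test on the absolute path notices; `cd /tmp/sohotfix || exit 1` (and the same for the second `cd`) closes that gap. `git clone https://github.com/Security-Onion-Solutions/securityonion` fetches the repository's default branch rather than a tag or branch matching the manager's `/etc/soversion`, so the `VERSION` comparison in `so-airgap-hotfixapply` is the only thing preventing a mismatched tree from being packaged; pinning with `--branch`, or a comment stating which branch is expected to be current, would make that explicit. The tarball is also written without an accompanying checksum; adding `sha256sum sohotfix.tar > sohotfix.tar.sha256` next to the `tar cvf` line lets the apply side verify what arrived on the portable media.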
@@ -572,16 +572,28 @@ update_version() {
 # Update the version to the latest
 echo "Updating the Security Onion version file."
 echo $NEWVERSION > /etc/soversion
+ echo $HOTFIXVERSION > /etc/sohotfix
 sed -i "/ soversion:/c\ soversion: $NEWVERSION" /opt/so/saltstack/local/pillar/global.sls
 }
 upgrade_check() {
 # Let's make sure we actually need to update.
 NEWVERSION=$(cat $UPDATE_DIR/VERSION)
+ HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX)
+ CURRENTHOTFIX=$(cat /etc/sohotfix)
 if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
- echo "You are already running the latest version of Security Onion."
- exit 0
+ echo "Checking to see if there are hotfixes needed"
+ if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then
+ echo "You are already running the latest version of Security Onion."
+ exit 0
+ else
+ echo "We need to apply a hotfix"
+ is_hotfix=true
+ fi
+ else
+ is_hotfix=false
 fi
+
 }
 upgrade_check_salt() {
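Review bot: `HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX)` in `upgrade_check` prints an error and leaves `HOTFIXVERSION` empty whenever the update tree has no `HOTFIX` file (any checkout predating PATCH 04/13, which creates it), and `update_version` then overwrites `/etc/sohotfix` with that empty value via `echo $HOTFIXVERSION > /etc/sohotfix`. Silence the read with `2>/dev/null` and only rewrite the marker when there is something to write, e.g. `[ -n "$HOTFIXVERSION" ] && echo "$HOTFIXVERSION" > /etc/sohotfix`. `is_hotfix` is assigned as an undeclared global from inside the function and read by the main body; a comment on the assignment such as `# global: consumed by the main body to pick the hotfix path` would make that contract visible. `update_version` begins before this hunk; `upgrade_check` is shown in full.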
@@ -712,142 +724,153 @@ upgrade_check_salt
 echo ""
 echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
 echo ""
-echo "Updating dockers to $NEWVERSION."
-if [ $is_airgap -eq 0 ]; then
- airgap_update_dockers
- update_centos_repo
- yum clean all
- check_os_updates
+
+if [[ $is_hotfix ]]; then
+ echo "Do Hotfix Things"
+ copy_new_files
+ echo ""
+ update_version
+ salt-call state.highstate -l info queue=True
+ else
- update_registry
- update_docker_containers "soup"
-fi
-
-echo ""
-echo "Stopping Salt Minion service."
-systemctl stop salt-minion
-echo "Killing any remaining Salt Minion processes."
-pkill -9 -ef /usr/bin/salt-minion
-echo ""
-echo "Stopping Salt Master service."
-systemctl stop salt-master
-echo ""
-
-preupgrade_changes_2.3.50_repo
-
-# Does salt need upgraded. If so update it.
-if [ "$UPGRADESALT" == "1" ]; then
- echo "Upgrading Salt"
- # Update the repo files so it can actually upgrade
- upgrade_salt
-fi
-
-echo "Checking if Salt was upgraded."
-echo ""
-# Check that Salt was upgraded
-SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk {'print $2'})
-if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then
- echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG."
- echo "Once the issue is resolved, run soup again."
- echo "Exiting."
- echo ""
- exit 1
-else
- echo "Salt upgrade success."
- echo ""
-fi
-
-preupgrade_changes
-echo ""
-
-if [ $is_airgap -eq 0 ]; then
- echo "Updating Rule Files to the Latest."
- update_airgap_rules
-fi
-
-# Only update the repo if its airgap
-if [[ $is_airgap -eq 0 ]] && [[ "$UPGRADESALT" != "1" ]]; then
-update_centos_repo
-fi
-
-echo ""
-echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR."
-copy_new_files
-echo ""
-update_version
-
-echo ""
-echo "Locking down Salt Master for upgrade"
-masterlock
-
-echo ""
-echo "Starting Salt Master service."
-systemctl start salt-master
-
-# Only regenerate osquery packages if Fleet is enabled
-FLEET_MANAGER=$(lookup_pillar fleet_manager)
-FLEET_NODE=$(lookup_pillar fleet_node)
-if [[ "$FLEET_MANAGER" == "True" || "$FLEET_NODE" == "True" ]]; then
- echo ""
- echo "Regenerating Osquery Packages.... This will take several minutes."
- salt-call state.apply fleet.event_gen-packages -l info queue=True
- echo ""
-fi
-
-echo ""
-echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes."
-salt-call state.highstate -l info queue=True
-echo ""
-echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete."
-
-echo ""
-echo "Stopping Salt Master to remove ACL"
-systemctl stop salt-master
-
-masterunlock
-
-echo ""
-echo "Starting Salt Master service."
-systemctl start salt-master
-echo "Running a highstate. This could take several minutes."
-salt-call state.highstate -l info queue=True
-postupgrade_changes
-unmount_update
-thehive_maint
-
-if [ "$UPGRADESALT" == "1" ]; then
+ echo "Updating dockers to $NEWVERSION."
 if [ $is_airgap -eq 0 ]; then
+ airgap_update_dockers
+ update_centos_repo
+ yum clean all
+ check_os_updates
+ else
+ update_registry
+ update_docker_containers "soup"
+ fi
+
+ echo ""
+ echo "Stopping Salt Minion service."
+ systemctl stop salt-minion
+ echo "Killing any remaining Salt Minion processes."
+ pkill -9 -ef /usr/bin/salt-minion
+ echo ""
+ echo "Stopping Salt Master service."
+ systemctl stop salt-master
+ echo ""
+
+ preupgrade_changes_2.3.50_repo
+
+ # Does salt need upgraded. If so update it.
+ if [ "$UPGRADESALT" == "1" ]; then
+ echo "Upgrading Salt"
+ # Update the repo files so it can actually upgrade
+ upgrade_salt
+ fi
+
+ echo "Checking if Salt was upgraded."
+ echo ""
+ # Check that Salt was upgraded
+ SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk {'print $2'})
+ if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then
+ echo "Salt upgrade failed. 
Check of indicators of failure in $SOUP_LOG."
+ echo "Once the issue is resolved, run soup again."
+ echo "Exiting."
 echo ""
- echo "Cleaning repos on remote Security Onion nodes."
- salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
+ exit 1
+ else
+ echo "Salt upgrade success."
 echo ""
 fi
-fi
-check_sudoers
+ preupgrade_changes
+ echo ""
-if [[ -n $lsl_msg ]]; then
- case $lsl_msg in
- 'distributed')
- echo "[INFO] The value of log_size_limit in any heavy node minion pillars may be incorrect."
- echo " -> We recommend checking and adjusting the values as necessary."
- echo " -> Minion pillar directory: /opt/so/saltstack/local/pillar/minions/"
- ;;
- 'single-node')
- # We can assume the lsl_details array has been set if lsl_msg has this value
- echo "[WARNING] The value of log_size_limit (${lsl_details[0]}) does not match the recommended value of ${lsl_details[1]}."
- echo " -> We recommend checking and adjusting the value as necessary."
- echo " -> File: /opt/so/saltstack/local/pillar/minions/${lsl_details[2]}.sls"
- ;;
- esac
-fi
+ if [ $is_airgap -eq 0 ]; then
+ echo "Updating Rule Files to the Latest."
+ update_airgap_rules
+ fi
-NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l)
+ # Only update the repo if its airgap
+ if [[ $is_airgap -eq 0 ]] && [[ "$UPGRADESALT" != "1" ]]; then
+ update_centos_repo
+ fi
-if [ $NUM_MINIONS -gt 1 ]; then
+ echo ""
+ echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR."
+ copy_new_files
+ echo ""
+ update_version
- cat << EOF
-
+ echo ""
+ echo "Locking down Salt Master for upgrade"
+ masterlock
+
+ echo ""
+ echo "Starting Salt Master service."
+ systemctl start salt-master
+
+ # Only regenerate osquery packages if Fleet is enabled
+ FLEET_MANAGER=$(lookup_pillar fleet_manager)
+ FLEET_NODE=$(lookup_pillar fleet_node)
+ if [[ "$FLEET_MANAGER" == "True" || "$FLEET_NODE" == "True" ]]; then
+ echo ""
+ echo "Regenerating Osquery Packages.... This will take several minutes."
+ salt-call state.apply fleet.event_gen-packages -l info queue=True
+ echo ""
+ fi
+
+ echo ""
+ echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes."
+ salt-call state.highstate -l info queue=True
+ echo ""
+ echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete."
+
+ echo ""
+ echo "Stopping Salt Master to remove ACL"
+ systemctl stop salt-master
+
+ masterunlock
+
+ echo ""
+ echo "Starting Salt Master service."
+ systemctl start salt-master
+ echo "Running a highstate. This could take several minutes."
+ salt-call state.highstate -l info queue=True
+ postupgrade_changes
+ unmount_update
+ thehive_maint
+
+ if [ "$UPGRADESALT" == "1" ]; then
+ if [ $is_airgap -eq 0 ]; then
+ echo ""
+ echo "Cleaning repos on remote Security Onion nodes."
+ salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
+ echo ""
+ fi
+ fi
+
+ check_sudoers
+
+ if [[ -n $lsl_msg ]]; then
+ case $lsl_msg in
+ 'distributed')
+ echo "[INFO] The value of log_size_limit in any heavy node minion pillars may be incorrect."
+ echo " -> We recommend checking and adjusting the values as necessary."
+ echo " -> Minion pillar directory: /opt/so/saltstack/local/pillar/minions/"
+ ;;
+ 'single-node')
+ # We can assume the lsl_details array has been set if lsl_msg has this value
+ echo "[WARNING] The value of log_size_limit (${lsl_details[0]}) does not match the recommended value of ${lsl_details[1]}."
+ echo " -> We recommend checking and adjusting the value as necessary."
+ echo " -> File: /opt/so/saltstack/local/pillar/minions/${lsl_details[2]}.sls" + ;; + esac + fi + + NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l) + + if [ $NUM_MINIONS -gt 1 ]; then + + cat << EOF + + + This appears to be a distributed deployment. Other nodes should update themselves at the next Salt highstate (typically within 15 minutes). Do not manually restart anything until you know that all the search/heavy nodes in your deployment are updated. This is especially important if you are using true clustering for Elasticsearch. Each minion is on a random 15 minute check-in period and things like network bandwidth can be a factor in how long the actual upgrade takes. If you have a heavy node on a slow link, it is going to take a while to get the containers to it. Depending on what changes happened between the versions, Elasticsearch might not be able to talk to said heavy node until the update is complete. @@ -855,9 +878,12 @@ Each minion is on a random 15 minute check-in period and things like network ban If it looks like you’re missing data after the upgrade, please avoid restarting services and instead make sure at least one search node has completed its upgrade. The best way to do this is to run 'sudo salt-call state.highstate' from a search node and make sure there are no errors. Typically if it works on one node it will work on the rest. Forward nodes are less complex and will update as they check in so you can monitor those from the Grid section of SOC. For more information, please see https://docs.securityonion.net/en/2.3/soup.html#distributed-deployments. + EOF + fi fi + echo "### soup has been served at `date` ###" } From cedcf0575184de82f474af26b506d3d960178739 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 3 May 2021 14:38:18 -0400 Subject: [PATCH 04/13] Adding airgap hotfix --- HOTFIX | 1 + 1 file changed, 1 insertion(+) create mode 100644 HOTFIX 
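Review bot: The hotfix branch (`if [[ $is_hotfix ]]; then` followed by `copy_new_files`, `update_version` and `salt-call state.highstate`) runs the highstate without the `masterlock`/`masterunlock` sequence and without `unmount_update`, `postupgrade_changes`, `thehive_maint` and `check_sudoers` that the `else` branch still performs, so whatever `unmount_update`, `postupgrade_changes` and `check_sudoers` take care of on a full upgrade is skipped after a hotfix. If leaving those steps out is intentional, a comment on the branch such as `# Hotfix path: new salt/pillar files and a highstate only; no Salt upgrade, ACL lock or post-upgrade hooks` keeps the next maintainer from re-adding them; if not, `unmount_update` at least looks like it belongs on both paths. The enclosing function starts before this hunk and its closing brace falls in the following hunk.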
diff --git a/HOTFIX b/HOTFIX
new file mode 100644
index 000000000..b0bdf03a0
--- /dev/null
+++ b/HOTFIX
@@ -0,0 +1 @@
+GRIDFIX
\ No newline at end of file
From f56244d708b9fe16437e6d6ea9e374f5186cce8c Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 3 May 2021 14:39:32 -0400
Subject: [PATCH 05/13] Adding airgap hotfix
---
 salt/sensoroni/files/sensoroni.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json
index 378d42373..1a6e6fc8c 100644
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
@@ -15,6 +15,7 @@
 "logFilename": "/opt/sensoroni/logs/sensoroni.log",
 "logLevel":"info",
 "agent": {
+ "nodeId": "{{ grains.host | lower }}",
 "role": "{{ grains.role }}",
 "description": "{{ DESCRIPTION }}",
 "address": "{{ ADDRESS }}",
From 074fe46e9016a643b982870c7eb0d3a80eca47f4 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 3 May 2021 15:02:51 -0400
Subject: [PATCH 06/13] Adding airgap hotfix
---
 salt/common/tools/sbin/soup | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 637818a49..679e7a9db 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -721,18 +721,19 @@ upgrade_space
 echo "Checking for Salt Master and Minion updates."
 upgrade_check_salt
-echo ""
-echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
-echo ""
 if [[ $is_hotfix ]]; then
- echo "Do Hotfix Things"
+ echo "Applying $HOTFIXVERSION"
 copy_new_files
 echo ""
 update_version
 salt-call state.highstate -l info queue=True
 else
+ echo ""
+ echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
+ echo ""
+
 echo "Updating dockers to $NEWVERSION."
 if [ $is_airgap -eq 0 ]; then
 airgap_update_dockers
From a489b369d7fdd9515fe31f3e0c43b3d0a84b3b05 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 3 May 2021 15:23:34 -0400
Subject: [PATCH 07/13] Jertel Compliance
---
 salt/common/tools/sbin/so-airgap-hotfixapply | 8 ++++----
 salt/common/tools/sbin/so-common | 8 ++++++++
 salt/common/tools/sbin/soup | 13 +++----------
 3 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/salt/common/tools/sbin/so-airgap-hotfixapply b/salt/common/tools/sbin/so-airgap-hotfixapply
index cb6bf6451..e57ea50fe 100644
--- a/salt/common/tools/sbin/so-airgap-hotfixapply
+++ b/salt/common/tools/sbin/so-airgap-hotfixapply
@@ -47,14 +47,14 @@ else
 exit 1
 else
 echo "We need to apply a hotfix"
- rsync -a $HOTFIXDIR/salt /opt/so/saltstack/default/
- rsync -a $HOTFIXDIR/pillar /opt/so/saltstack/default/
- chown -R socore:socore /opt/so/saltstack/default/
- chmod 755 /opt/so/saltstack/default/pillar/firewall/addfirewall.sh
+ cd $HOTFIXDIR
+ DEFAULT_SALT_DIR=/opt/so/saltstack/default
+ copy_new_files
 echo $HOTFIXVERSION > /etc/sohotfix
 salt-call state.highstate -l info queue=True
 echo "The Hotfix $HOTFIXVERSION has been applied"
 # Clean up
+ cd /tmp
 rm -rf $HOTFIXDIR
 exit 0
 fi
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index c099f33af..6aff0269a 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -122,6 +122,14 @@ check_elastic_license() {
 fi
 }
+copy_new_files() {
+ # Copy new files over to the salt dir
+ rsync -a salt $DEFAULT_SALT_DIR/
+ rsync -a pillar $DEFAULT_SALT_DIR/
+ chown -R socore:socore $DEFAULT_SALT_DIR/
+ chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
+}
+
 disable_fastestmirror() {
 sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
 }
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 679e7a9db..ebf2562b0 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -214,16 +214,6 @@ clone_to_tmp() {
 fi
 }
-copy_new_files() {
- # Copy new files over to the salt dir
- cd $UPDATE_DIR
- rsync -a salt $DEFAULT_SALT_DIR/
- rsync -a pillar $DEFAULT_SALT_DIR/
- chown -R socore:socore $DEFAULT_SALT_DIR/
- chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
- cd /tmp
-}
-
 generate_and_clean_tarballs() {
 local new_version
 new_version=$(cat $UPDATE_DIR/VERSION)
@@ -724,7 +714,9 @@ upgrade_check_salt
 if [[ $is_hotfix ]]; then
 echo "Applying $HOTFIXVERSION"
+ cd $UPDATE_DIR
 copy_new_files
+ cd /tmp
 echo ""
 update_version
 salt-call state.highstate -l info queue=True
@@ -795,6 +787,7 @@ else
 echo ""
 echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR."
 copy_new_files
+ cd /tmp
 echo ""
 update_version
From 6768e8ddf66822361c73cacf10146728ac70e482 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 3 May 2021 15:42:24 -0400
Subject: [PATCH 08/13] copy_new_files usage consistent across soup and hotfixapply scripts
---
 salt/common/tools/sbin/so-airgap-hotfixapply | 21 +++++++++-----------
 salt/common/tools/sbin/so-common | 4 ++++
 salt/common/tools/sbin/soup | 4 ----
 3 files changed, 13 insertions(+), 16 deletions(-)
diff --git a/salt/common/tools/sbin/so-airgap-hotfixapply b/salt/common/tools/sbin/so-airgap-hotfixapply
index e57ea50fe..0149cdf61 100644
--- a/salt/common/tools/sbin/so-airgap-hotfixapply
+++ b/salt/common/tools/sbin/so-airgap-hotfixapply
@@ -17,7 +17,7 @@
 . /usr/sbin/so-common
-HOTFIXDIR=/tmp/sohotfixapply
+UPDATE_DIR=/tmp/sohotfixapply
 if [ -z "$1" ]; then
 echo "No tarball given. Please provide the filename so I can run the hotfix"
@@ -29,13 +29,13 @@ else
 exit 1
 else
 echo "Determining if we need to apply this hotfix"
- rm -rf $HOTFIXDIR
- mkdir -p $HOTFIXDIR
- tar xvf $1 -C $HOTFIXDIR
+ rm -rf $UPDATE_DIR
+ mkdir -p $UPDATE_DIR
+ tar xvf $1 -C $UPDATE_DIR
 # Compare some versions
- NEWVERSION=$(cat $HOTFIXDIR/VERSION)
- HOTFIXVERSION=$(cat $HOTFIXDIR/HOTFIX)
+ NEWVERSION=$(cat $UPDATE_DIR/VERSION)
+ HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX)
 CURRENTHOTFIX=$(cat /etc/sohotfix)
 INSTALLEDVERSION=$(cat /etc/soversion)
@@ -43,24 +43,21 @@ else
 echo "Checking to see if there are hotfixes needed"
 if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then
 echo "You are already running the latest version of Security Onion."
- rm -rf $HOTFIXDIR
+ rm -rf $UPDATE_DIR
 exit 1
 else
 echo "We need to apply a hotfix"
- cd $HOTFIXDIR
- DEFAULT_SALT_DIR=/opt/so/saltstack/default
 copy_new_files
 echo $HOTFIXVERSION > /etc/sohotfix
 salt-call state.highstate -l info queue=True
 echo "The Hotfix $HOTFIXVERSION has been applied"
 # Clean up
- cd /tmp
- rm -rf $HOTFIXDIR
+ rm -rf $UPDATE_DIR
 exit 0
 fi
 else
 echo "This hotfix is not compatible with your current version. Download the latest ISO and run soup"
- rm -rf $HOTFIXDIR
+ rm -rf $UPDATE_DIR
 fi
 fi
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 6aff0269a..22c7543ea 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -15,6 +15,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
+DEFAULT_SALT_DIR=/opt/so/saltstack/default
+
 # Check for prerequisites
 if [ "$(id -u)" -ne 0 ]; then
 echo "This script must be run using sudo!"
@@ -124,10 +126,12 @@ check_elastic_license() {
 copy_new_files() {
 # Copy new files over to the salt dir
+ cd $UPDATE_DIR
 rsync -a salt $DEFAULT_SALT_DIR/
 rsync -a pillar $DEFAULT_SALT_DIR/
 chown -R socore:socore $DEFAULT_SALT_DIR/
 chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
+ cd /tmp
 }
 disable_fastestmirror() {
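Review bot: `cd $UPDATE_DIR` in `copy_new_files` is unchecked and unquoted, so when `UPDATE_DIR` is unset or the directory is missing the two `rsync -a salt …` and `rsync -a pillar …` calls copy whatever `salt`/`pillar` happen to exist in the caller's current directory into `$DEFAULT_SALT_DIR` as root; `cd "${UPDATE_DIR:?UPDATE_DIR is not set}" || exit 1` fails closed instead. The trailing `cd /tmp` also leaves every caller in `/tmp` rather than where it started; running the body in a subshell (`( cd "$UPDATE_DIR" || exit 1; rsync …; )`) or using `pushd`/`popd` restores the caller's working directory. Since the function now depends on the sourcing script having set `UPDATE_DIR`, the header comment should say so, e.g. `# Requires UPDATE_DIR (tree to copy from); copies salt/ and pillar/ into DEFAULT_SALT_DIR`. The function is shown in full in this hunk.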
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index ebf2562b0..9dcaaf1e1 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -21,7 +21,6 @@ UPDATE_DIR=/tmp/sogh/securityonion
 INSTALLEDVERSION=$(cat /etc/soversion)
 POSTVERSION=$INSTALLEDVERSION
 INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk {'print $2'})
-DEFAULT_SALT_DIR=/opt/so/saltstack/default
 BATCHSIZE=5
 SOUP_LOG=/root/soup.log
 WHATWOULDYOUSAYYAHDOHERE=soup
@@ -714,9 +713,7 @@ upgrade_check_salt
 if [[ $is_hotfix ]]; then
 echo "Applying $HOTFIXVERSION"
- cd $UPDATE_DIR
 copy_new_files
- cd /tmp
 echo ""
 update_version
 salt-call state.highstate -l info queue=True
@@ -787,7 +784,6 @@ else
 echo ""
 echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR."
 copy_new_files
- cd /tmp
 echo ""
 update_version
From 9066959945ba7012961239acc3f339de512218f4 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 3 May 2021 18:46:24 -0400
Subject: [PATCH 09/13] Update soup
---
 salt/common/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 9dcaaf1e1..41182a8ef 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -711,7 +711,7 @@ echo "Checking for Salt Master and Minion updates."
 upgrade_check_salt
-if [[ $is_hotfix ]]; then
+if [ $is_hotfix ]; then
 echo "Applying $HOTFIXVERSION"
 copy_new_files
 echo ""
From e113e75f4d4e457a670663fe74484f8074962ebe Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 3 May 2021 18:52:40 -0400
Subject: [PATCH 10/13] Update soup
---
 salt/common/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 41182a8ef..e1bda105d 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -711,7 +711,7 @@ echo "Checking for Salt Master and Minion updates."
 upgrade_check_salt
-if [ $is_hotfix ]; then
+if [ "$is_hotfix" == "true" ]; then
 echo "Applying $HOTFIXVERSION"
 copy_new_files
 echo ""
From ffa9001df407b8b058ce96680074f0b1881b7f45 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 4 May 2021 07:57:07 -0400
Subject: [PATCH 11/13] Update raid.sh
---
 salt/telegraf/scripts/raid.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/salt/telegraf/scripts/raid.sh b/salt/telegraf/scripts/raid.sh
index 03e309c38..f237e8021 100644
--- a/salt/telegraf/scripts/raid.sh
+++ b/salt/telegraf/scripts/raid.sh
@@ -16,6 +16,8 @@
 # along with this program. If not, see .
 THEGREP=$(ps -ef | grep $0 | grep -v $$ | grep -v grep)
+RAIDLOG=/var/log/raid/status.log
+RAIDSTATUS=$(cat /var/log/raid/status.log)
 if [ ! "$THEGREP" ]; then
From 10c4a7fd984cf444e2c396daac25daeab3b9cb6e Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 4 May 2021 09:18:59 -0400
Subject: [PATCH 12/13] Update soup
---
 salt/common/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index e1bda105d..8e7f70517 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -569,7 +569,7 @@ upgrade_check() {
 # Let's make sure we actually need to update.
 NEWVERSION=$(cat $UPDATE_DIR/VERSION)
 HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX)
- CURRENTHOTFIX=$(cat /etc/sohotfix)
+ CURRENTHOTFIX=$(cat /etc/sohotfix 2>/dev/null)
 if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
 echo "Checking to see if there are hotfixes needed"
 if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then
From a1a79719fc759577fe42ea0d368aa17f5b61bd39 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 5 May 2021 12:07:30 +0000
Subject: [PATCH 13/13] Add ignore above for message keyword field
---
 salt/elasticsearch/templates/so/so-common-template.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
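Review bot: `[ "$is_hotfix" == "true" ]` relies on `upgrade_check` having assigned `is_hotfix`; if that function is ever skipped or returns before the assignment, the variable is empty and the comparison silently selects the full-upgrade path, which is the safe default but worth making explicit with an `is_hotfix=false` initialisation beside the other globals at the top of `soup`. Inside single-bracket `[ ]`, `==` is a bash extension; `[[ "$is_hotfix" == "true" ]]` is the form the neighbouring tests already use (for example `[[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]`). The enclosing function starts and ends outside this hunk.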
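Review bot: `RAIDSTATUS=$(cat /var/log/raid/status.log)` repeats the literal path that the line above just stored in `RAIDLOG`, and it runs before the `THEGREP` single-instance check, so a missing log file produces a `cat` error on every invocation including the ones about to bail out. Use the variable and tolerate absence, `RAIDSTATUS=$(cat "$RAIDLOG" 2>/dev/null)`, or move the read below the check. Neither new variable is consumed within the hunk; if they are used further down `raid.sh`, a one-line comment naming the consumer would help the next reader.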
diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json
index 8adbdcf13..214e5c691 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json
+++ b/salt/elasticsearch/templates/so/so-common-template.json
@@ -320,7 +320,8 @@
 "type":"text",
 "fields":{
 "keyword":{
- "type":"keyword"
+ "type":"keyword",
+ "ignore_above": 32766
 }
 }
 },
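Review bot: `"ignore_above": 32766` is measured in characters, while the Lucene term limit it is evidently meant to stay under is 32766 bytes, so a `message` value made largely of multi-byte UTF-8 text can still exceed the byte limit and be rejected at index time rather than skipped; the Elasticsearch reference suggests dividing by the maximum UTF-8 width (8191) when non-ASCII content is expected. Whether that trade-off is acceptable depends on how `message.keyword` is queried, and since JSON has no comments the reasoning for the exact value belongs in the commit message or the template's accompanying documentation. The field this mapping belongs to is named only in the patch subject, not in the hunk.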