Merge pull request #8485 from Security-Onion-Solutions/foxtrot

Improve local file modification check in SOUP
2025-12-06 17:22:49 +01:00 · 2022-08-08 10:06:13 -04:00
parent 4827c9e0d4 fd7a118664
commit e950d865d8
1 changed files with 23 additions and 7 deletions
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -203,7 +203,7 @@ check_airgap() {

 check_local_mods() {
  local salt_local=/opt/so/saltstack/local
-
+  local_ignore_arr=("/opt/so/saltstack/local/salt/zeek/policy/intel/intel.dat")
  local_mod_arr=()

  while IFS= read -r -d '' local_file; do
@@ -211,8 +211,10 @@ check_local_mods() {
    default_file="${DEFAULT_SALT_DIR}${stripped_path}"
    if [[ -f $default_file ]]; then
      file_diff=$(diff "$default_file" "$local_file" )
-      if [[ $(echo "$file_diff" | grep -c "^<") -gt 0 ]]; then
-        local_mod_arr+=( "$local_file" )
+      if [[ ! " ${local_ignore_arr[*]} " =~ " ${local_file} " ]]; then
+        if [[ $(echo "$file_diff" | grep -c "^<") -gt 0 ]]; then
+          local_mod_arr+=( "$local_file" )
+        fi
      fi
    fi
  done< <(find $salt_local -type f -print0)
@@ -223,11 +225,24 @@ check_local_mods() {
      echo "  $file_str"
    done
    echo ""
-    echo "To reference this list later, check $SOUP_LOG"
-    sleep 10
+    echo "To reference this list later, check $SOUP_LOG".
+    echo
+    if [[ -z $UNATTENDED ]]; then
+      while true; do
+        read -p "Please review the local modifications shown above as they may cause problems during or after the update.
+
+Would you like to proceed with the update anyway?
+
+If so, type 'YES'. Otherwise, type anything else to exit SOUP." yn
+
+        case $yn in
+          [yY][eE][sS] ) echo "Local modifications accepted.  Continuing..."; break;;
+          * ) exit 0;;
+        esac
+      done
+    fi
  fi
 }
-
 # {% endraw %}

 check_pillar_items() {
@@ -448,7 +463,7 @@ enable_highstate() {
 es_version_check() {
    CHECK_ES=$(echo $INSTALLEDVERSION | awk -F. '{print $3}')
  
-    if [ "$CHECK_ES" -lt "110" ]; then
+    if [[ "$CHECK_ES" -lt "110" ]]; then
      echo "You are currently running Security Onion $INSTALLEDVERSION. You will need to update to version 2.3.130 before updating to 2.3.140 or higher."
      echo ""
      echo "If your deployment has Internet access, you can use the following command to update to 2.3.130:"
@@ -1218,6 +1233,7 @@ main() {
  set_palette
  check_elastic_license
  echo ""
+  check_local_mods
  check_os_updates

  echo "Generating new repo archive"