From d24125c9e61fa4ba5fb4c0b6f173fb12ab65ece9 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 1 Aug 2022 10:40:57 -0400 Subject: [PATCH 1/5] Update Elastic version to 8.3.3 --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 4ec8f9ca7..a8dc56f32 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson @@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.2","id": "8.3.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.3","id": "8.3.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From 3123407ef0c34ceb977c9d803909f53fde5287e6 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 1 Aug 2022 10:41:39 -0400 Subject: [PATCH 2/5] Update Elastic version to 8.3.3 --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index e19f25439..7b49f5a94 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load 
@@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From cb384ae0246f1472f805ee865bf772529f670aba Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 5 Aug 2022 11:25:33 -0400 Subject: [PATCH 3/5] Ensure check_local_mods() runs at the beginning of SOUP, in addition to the end, and also that it prompts (forces) the user to accept/review local modifications. --- salt/common/tools/sbin/soup | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index d41fcdfcf..d42cb59fa 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -203,7 +203,7 @@ check_airgap() { check_local_mods() { local salt_local=/opt/so/saltstack/local - + local_ignore_arr=("/opt/so/saltstack/local/salt/zeek/policy/intel/intel.dat") local_mod_arr=() while IFS= read -r -d '' local_file; do @@ -211,8 +211,10 @@ check_local_mods() { default_file="${DEFAULT_SALT_DIR}${stripped_path}" if [[ -f $default_file ]]; then file_diff=$(diff "$default_file" "$local_file" ) - if [[ $(echo "$file_diff" | grep -c "^<") -gt 0 ]]; then - local_mod_arr+=( "$local_file" ) + if [[ ! " ${local_ignore_arr[*]} " =~ " ${local_file} " ]]; then + if [[ $(echo "$file_diff" | grep -c "^<") -gt 0 ]]; then + local_mod_arr+=( "$local_file" ) + fi fi fi done< <(find $salt_local -type f -print0) 
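Review bot: The new ignore test in check_local_mods(), `[[ ! " ${local_ignore_arr[*]} " =~ " ${local_file} " ]]`, is a substring match against the space-joined array, so it misbehaves as soon as a path contains a space. It also runs only after `diff` has already been computed for the file. `local_ignore_arr` is assigned without `local`, so it leaks into soup's global scope, and its single entry repeats the `/opt/so/saltstack/local` prefix that `$salt_local` already holds; unless another function reads the array, `local -a local_ignore_arr=("${salt_local}/salt/zeek/policy/intel/intel.dat")` is tighter. Since anything on this list is never reported to the operator, a short comment saying why intel.dat is exempt would help the next person who extends it. The function body continues in the following hunk.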
@@ -223,11 +225,24 @@ check_local_mods() { echo " $file_str" done echo "" - echo "To reference this list later, check $SOUP_LOG" - sleep 10 + echo "To reference this list later, check $SOUP_LOG". + echo + if [[ -z $UNATTENDED ]]; then + while true; do + read -p "Please review the local modifications shown above as they may cause problems during or after the update. + +Would you like to proceed with the update anyway? + +If so, type 'YES'. Otherwise, type anything else to exit SOUP." yn + + case $yn in + [yY][eE][sS] ) echo "Local modifications accepted. Continuing..."; break;; + * ) exit 0;; + esac + done + fi fi } - # {% endraw %} check_pillar_items() { @@ -1230,6 +1245,7 @@ main() { echo "Let's see if we need to update Security Onion." upgrade_check + check_local_mods upgrade_space echo "Checking for Salt Master and Minion updates." From d7906945df2256a688607afac3f9937c9f911fb4 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 8 Aug 2022 08:24:38 -0400 Subject: [PATCH 4/5] Add extra set of brackets for comparison of integers --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index d42cb59fa..5f176a264 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -463,7 +463,7 @@ enable_highstate() { es_version_check() { CHECK_ES=$(echo $INSTALLEDVERSION | awk -F. '{print $3}') - if [ "$CHECK_ES" -lt "110" ]; then + if [[ "$CHECK_ES" -lt "110" ]]; then echo "You are currently running Security Onion $INSTALLEDVERSION. You will need to update to version 2.3.130 before updating to 2.3.140 or higher." echo "" echo "If your deployment has Internet access, you can use the following command to update to 2.3.130:" From fd7a118664a7526a15e101876b92533f9ca0754c Mon Sep 17 00:00:00 2001 
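Review bot: Declining the prompt, or reaching EOF on stdin (which leaves `yn` empty), ends SOUP through `* ) exit 0;;`, so an aborted update reports success to whatever invoked it; a non-zero status such as `* ) exit 1;;` lets wrappers and operators tell an abort from a completed run. `read -p` should be `read -r -p` so backslashes in the reply are not interpreted, and the `while true` loop can be dropped because both case arms leave it. The commit message says check_local_mods() also still runs at the end of SOUP; if so (that call site is outside this hunk), the same "proceed with the update anyway?" question is asked after the update has been applied, and any answer other than YES exits before whatever follows, so the end-of-run call probably wants a report-only mode. The `.` placed after the closing quote of `$SOUP_LOG"` prints glued to the log path.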
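Review bot: Switching to `[[ "$CHECK_ES" -lt "110" ]]` changes what happens when `CHECK_ES` is not a plain integer: inside `[[ ]]` the operands of `-lt` are evaluated as arithmetic expressions, so an empty value counts as 0 and takes the "update to 2.3.130 first" branch, where `[` printed an error and the test was simply false. Because the value is cut out of `$INSTALLEDVERSION` with awk, check it before comparing, for example `[[ "$CHECK_ES" =~ ^[0-9]+$ ]] || { echo "Unable to parse version: $INSTALLEDVERSION" >&2; exit 1; }`. The `echo $INSTALLEDVERSION | awk` pipeline should also quote the variable. es_version_check() continues past the end of the hunk.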
From: weslambert Date: Mon, 8 Aug 2022 08:58:19 -0400 Subject: [PATCH 5/5] Invoke check_local_mods() function earlier so we don't have to wait for Docker image downloads or OS updates before checking and potentially exiting SOUP --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 5f176a264..09d1dc141 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -1233,6 +1233,7 @@ main() { set_palette check_elastic_license echo "" + check_local_mods check_os_updates echo "Generating new repo archive" @@ -1245,7 +1246,6 @@ main() { echo "Let's see if we need to update Security Onion." upgrade_check - check_local_mods upgrade_space echo "Checking for Salt Master and Minion updates."