mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-06-07 10:55:26 +02:00
Compare commits
18 Commits
saltthangs
...
jertel/wip
| Author | SHA1 | Date | |
|---|---|---|---|
 Jason Ertel
|
ca85c5d900 | ||
|
Jason Ertel
|
1d3d98f759 | ||
|
Jason Ertel
|
a767c79641 | ||
|
Jason Ertel
|
61e72c89e4 | ||
|
Jason Ertel
|
d9fb7313f9 | ||
|
Jason Ertel
|
7ca2313255 | ||
 Jorge Reyes
|
534f0e639d | ||
|
reyesj2
|
559465b407 | ||
|
reyesj2
|
f9c2579261 | ||
|
Jorge Reyes
|
33699a914b | ||
|
Jorge Reyes
|
0c2d8f8973 | ||
|
reyesj2
|
f2996fb888 | ||
|
reyesj2
|
3c533cccbc | ||
|
reyesj2
|
79da9f9f2c | ||
 Mike Reeves
|
99a027589b | ||
|
Jason Ertel
|
68a82a425b | ||
 Jason Ertel
|
d86a3c5cc9 | ||
|
Jason Ertel
|
86edc5aaba |
@@ -25,9 +25,11 @@ if [ ! -f $BACKUPFILE ]; then
|
||||
# Create empty backup file
|
||||
tar -cf $BACKUPFILE -T /dev/null
|
||||
|
||||
# Loop through all paths defined in global.sls, and append them to backup file
|
||||
# Loop through all paths defined in global.sls, and append them to backup file if they exist
|
||||
{%- for LOCATION in BACKUPLOCATIONS %}
|
||||
tar -rf $BACKUPFILE "${EXCLUSIONS[@]}" {{ LOCATION }}
|
||||
if [[ -d {{ LOCATION }} || -f {{ LOCATION }} ]]; then
|
||||
tar -rf $BACKUPFILE "${EXCLUSIONS[@]}" {{ LOCATION }}
|
||||
fi
|
||||
{%- endfor %}
|
||||
|
||||
fi
|
||||
|
||||
@@ -188,13 +188,6 @@ airgap_update_dockers() {
|
||||
fi
|
||||
}
|
||||
|
||||
backup_old_states_pillars() {
|
||||
|
||||
tar czf /nsm/backup/$(echo $INSTALLEDVERSION)_$(date +%Y%m%d-%H%M%S)_soup_default_states_pillars.tar.gz /opt/so/saltstack/default/
|
||||
tar czf /nsm/backup/$(echo $INSTALLEDVERSION)_$(date +%Y%m%d-%H%M%S)_soup_local_states_pillars.tar.gz /opt/so/saltstack/local/
|
||||
|
||||
}
|
||||
|
||||
update_registry() {
|
||||
docker stop so-dockerregistry
|
||||
docker rm so-dockerregistry
|
||||
@@ -769,12 +762,18 @@ bootstrap_so_soc_database() {
|
||||
}
|
||||
|
||||
up_to_3.2.0() {
|
||||
fix_logstash_0013_lumberjack_pipeline_name
|
||||
|
||||
INSTALLEDVERSION=3.2.0
|
||||
}
|
||||
|
||||
post_to_3.2.0() {
|
||||
bootstrap_so_soc_database
|
||||
|
||||
# Including agent regen script here since it was missed in post_to_3.1.0
|
||||
echo "Regenerating Elastic Agent Installers"
|
||||
/sbin/so-elastic-agent-gen-installers
|
||||
|
||||
POSTVERSION=3.2.0
|
||||
}
|
||||
|
||||
@@ -1566,13 +1565,7 @@ EOF
|
||||
|
||||
# Keeping this block in case we need to do a hotfix that requires salt update
|
||||
apply_hotfix() {
|
||||
if [[ "$INSTALLEDVERSION" == "3.1.0" ]] ; then
|
||||
# Do not remove this fix_logstash_0013_lumberjack_pipeline_name in future hotfixes without first validating older
|
||||
# installs referencing "so/0013_input_lumberjack_fleet.conf" via pillar are upgradable
|
||||
fix_logstash_0013_lumberjack_pipeline_name
|
||||
else
|
||||
echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
|
||||
fi
|
||||
echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
|
||||
}
|
||||
|
||||
failed_soup_restore_items() {
|
||||
@@ -1644,13 +1637,13 @@ main() {
|
||||
echo "Verifying we have the latest soup script."
|
||||
verify_latest_update_script
|
||||
|
||||
echo "Verifying Elasticsearch version compatibility across the grid before upgrading."
|
||||
verify_es_version_compatibility
|
||||
|
||||
echo "Let's see if we need to update Security Onion."
|
||||
upgrade_check
|
||||
upgrade_space
|
||||
|
||||
echo "Verifying Elasticsearch version compatibility across the grid before upgrading."
|
||||
verify_es_version_compatibility
|
||||
|
||||
echo "Checking for Salt Master and Minion updates."
|
||||
upgrade_check_salt
|
||||
set -e
|
||||
@@ -1670,7 +1663,8 @@ main() {
|
||||
echo "Applying $HOTFIXVERSION hotfix"
|
||||
# since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
|
||||
if [[ ! "$MINION_ROLE" == "import" ]]; then
|
||||
backup_old_states_pillars
|
||||
echo "Running so-config-backup script."
|
||||
/sbin/so-config-backup
|
||||
fi
|
||||
copy_new_files
|
||||
create_local_directories "/opt/so/saltstack/default"
|
||||
@@ -1726,8 +1720,8 @@ main() {
|
||||
# since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
|
||||
if [[ ! "$MINION_ROLE" == "import" ]]; then
|
||||
echo ""
|
||||
echo "Creating snapshots of default and local Salt states and pillars and saving to /nsm/backup/"
|
||||
backup_old_states_pillars
|
||||
echo "Running so-config-backup script."
|
||||
/sbin/so-config-backup
|
||||
fi
|
||||
|
||||
echo ""
|
||||
|
||||
@@ -17,6 +17,7 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-E
|
||||
END IF;
|
||||
END
|
||||
\$\$;
|
||||
GRANT ALL ON SCHEMA public TO "$SO_POSTGRES_USER";
|
||||
GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$SO_POSTGRES_USER";
|
||||
-- Lock the SOC database down at the connect layer; PUBLIC gets CONNECT
|
||||
-- by default, which would let per-minion telegraf roles open sessions
|
||||
@@ -31,9 +32,4 @@ EOSQL
|
||||
# only ensures the shared database exists on first initialization.
|
||||
if ! psql -U "$POSTGRES_USER" -tAc "SELECT 1 FROM pg_database WHERE datname='so_telegraf'" | grep -q 1; then
|
||||
psql -v ON_ERROR_STOP=1 -U "$POSTGRES_USER" -c "CREATE DATABASE so_telegraf"
|
||||
fi
|
||||
|
||||
# Bootstrap the SOC database.
|
||||
if ! psql -U "$POSTGRES_USER" -tAc "SELECT 1 FROM pg_database WHERE datname='so_soc'" | grep -q 1; then
|
||||
psql -v ON_ERROR_STOP=1 -U "$POSTGRES_USER" -c "CREATE DATABASE so_soc"
|
||||
fi
|
||||
fi
|
||||
@@ -1523,8 +1523,12 @@ soc:
|
||||
saltstackDir: /opt/so/saltstack
|
||||
bypassEnabled: false
|
||||
postgres:
|
||||
host:
|
||||
password:
|
||||
host: ""
|
||||
port: 5432
|
||||
sslMode: "allow"
|
||||
database: securityonion
|
||||
user: ""
|
||||
password: ""
|
||||
salt:
|
||||
queueDir: /opt/sensoroni/queue
|
||||
timeoutMs: 45000
|
||||
|
||||
@@ -20,7 +20,8 @@
|
||||
{% do SOCMERGED.config.server.modules.postgres.update({'host': GLOBALS.manager}) %}
|
||||
{% endif %}
|
||||
{% if not SOCMERGED.config.server.modules.postgres.password %}
|
||||
{% do SOCMERGED.config.server.modules.postgres.update({'password': salt['pillar.get']('secrets:postgres_pass', '')}) %}
|
||||
{% do SOCMERGED.config.server.modules.postgres.update({'password': salt['pillar.get']('postgres:auth:users:so_postgres_user:pass', '')}) %}
|
||||
{% do SOCMERGED.config.server.modules.postgres.update({'user': salt['pillar.get']('postgres:auth:users:so_postgres_user:user', 'so_postgres')}) %}
|
||||
{% endif %}
|
||||
|
||||
{# if SOCMERGED.config.server.modules.cases == httpcase details come from the soc pillar #}
|
||||
|
||||
+17
-1
@@ -468,8 +468,24 @@ soc:
|
||||
description: Hostname or IP address of the PostgreSQL server used by SOC. Defaults to the manager hostname.
|
||||
global: True
|
||||
advanced: True
|
||||
port:
|
||||
description: Port of the PostgreSQL server used by SOC.
|
||||
global: True
|
||||
advanced: True
|
||||
sslMode:
|
||||
description: "Use encrypted connections to the PostgreSQL server. Must be one of the following values: disable, allow, prefer, require, verify-ca, verify-full. Defaults to allow."
|
||||
global: True
|
||||
advanced: True
|
||||
database:
|
||||
description: Database used by SOC to authenticate to the PostgreSQL server.
|
||||
global: True
|
||||
advanced: True
|
||||
user:
|
||||
description: Username used by SOC to authenticate to the PostgreSQL server.
|
||||
global: True
|
||||
advanced: True
|
||||
password:
|
||||
description: Password used by SOC to authenticate to the PostgreSQL server. Defaults to the postgres superuser password seeded in the secrets pillar.
|
||||
description: Password used by SOC to authenticate to the PostgreSQL server.
|
||||
global: True
|
||||
sensitive: True
|
||||
advanced: True
|
||||
|
||||
Reference in New Issue
Block a user