Compare commits

...
120 Commits
Author SHA1 Message Date
Josh Brower 48a7d66964 Update baseline agents 2026-07-17 15:20:20 -04:00
Jason ErtelandGitHub 30f3bddb8b Merge pull request #16078 from Security-Onion-Solutions/jertel/wip
ignore file already closed
2026-07-17 10:58:55 -04:00
Jason Ertel 811b799b0b ignore file already closed 2026-07-17 10:57:30 -04:00
Doug BurksandGitHub 6f61e7c901 Merge pull request #16075 from Security-Onion-Solutions/dougburks-patch-1
Fix typos in CPU affinity descriptions
2026-07-16 15:15:38 -04:00
Doug BurksandGitHub cc2bfc26e2 Fix typos in CPU affinity descriptions 2026-07-16 15:13:51 -04:00
Jorge ReyesandGitHub 073e32520b Merge pull request #16074 from Security-Onion-Solutions/reyesj2-patch-5
include so-yaml.py in get_soup_script_hashes() so we ensure its at la…
2026-07-16 13:00:16 -05:00
reyesj2 5867b50720 include so-yaml.py in get_soup_script_hashes() so we ensure its at latest version before using it later on in soup 2026-07-16 12:28:23 -05:00
Mike ReevesandGitHub 3503d0c33d Merge pull request #16054 from Security-Onion-Solutions/kernel
Install UEK8 in so-kernel-upgrade when no UEK kernel is present
2026-07-15 16:29:51 -04:00
Mike ReevesandGitHub 02318f065c Merge pull request #16069 from Security-Onion-Solutions/mreeves/soup-resumable-upgrade
soup: make failed upgrades and hotfixes resumable
2026-07-15 15:13:57 -04:00
Mike Reeves 186bf86e99 soup: require green Elasticsearch cluster before upgrading
Change the pre-flight cluster-health gate to wait_for_status=green instead of
yellow, so soup only proceeds when the cluster is fully green.
2026-07-15 12:14:18 -04:00
Mike Reeves bd70dd53fb soup: add cluster-health and Fleet Server pre-flight checks
Before making any changes, verify the grid is in a good state:
 - check_cluster_health: waits for Elasticsearch to reach at least 'yellow'
   (blocks only on red/unreachable, since yellow is normal), modeled on the
   wait in so-elasticsearch-roles-load.
 - check_fleet_server: confirms the Fleet Server status API returns HTTP 200,
   modeled on the wait_for_so-elastic-fleet state in elasticfleet/enabled.sls.

Both run alongside the existing check_pillar_items (manager pillar render) and
verify_es_version_compatibility, before soup modifies anything, so a failure
exits cleanly with an actionable message and no partial changes. Valid on all
manager roles soup runs on (eval/standalone/manager/managerhype/managersearch/
import), which all run Elasticsearch and the Fleet Server.
2026-07-15 12:00:11 -04:00
Mike Reeves be7d8a2aa7 soup: make partial-upgrade state clear and avoid re-running completed upgrades
After a partial upgrade, /etc/soversion already reads the target version, so
soup's startup line "Found that Security Onion X is currently installed" made
it look finished even as soup resumed. When a resume marker is present and
differs from the installed version, print an explicit NOTE that the grid is only
partially upgraded and this run will resume and complete it.

Also clear any stale resume marker in the already-latest path so a successfully
completed upgrade is never mistaken for a partial one and re-run on a later
invocation (the marker is normally removed at the end of postupgrade_changes;
this is a belt-and-suspenders guard).
2026-07-15 11:35:04 -04:00
Mike Reeves 618712469e soup: clearly report incomplete upgrades on trap exit
When soup fails via the EXIT trap after it has begun modifying the system, print
a prominent UPGRADE INCOMPLETE banner instructing the user to run soup again to
resume and complete the update. Gated on a new SOUP_UPGRADE_STARTED flag set at
the start of the hotfix and upgrade branches, so pre-flight gate failures (ES
compatibility, disk, network) that abort before any changes are made do not show
it.
2026-07-15 09:42:59 -04:00
Mike Reeves 8b488f9226 soup: make failed upgrades and hotfixes resumable
A failed highstate mid-upgrade left /etc/soversion already advanced to the
target version (the highstate stamps it from the pillar via the soversionfile
state), so a re-run of soup saw INSTALLEDVERSION == NEWVERSION and reported
"already running the latest version", stranding the box with post-upgrade
steps never run.

Introduce /etc/sopostversion, a soup-owned marker (no salt state manages it)
that records post-upgrade walk progress. It is seeded from the pre-upgrade
version before the highstate, advanced after each post_to_* step, and removed
on successful completion. upgrade_check treats a leftover marker as "upgrade
not finished" and resumes the remaining post steps instead of bailing.

Also fix the hotfix path: /etc/sohotfix was written before the hotfix
highstate, so a failed hotfix highstate looked already-applied on re-run.
Since no salt state manages /etc/sohotfix, defer its write (update_version)
until after the highstate succeeds so it is an honest completion marker.
2026-07-14 17:30:58 -04:00
Jason ErtelandGitHub 1657480d31 Merge pull request #16064 from Security-Onion-Solutions/jertel/wip
prevent login redirect to any API url
2026-07-14 13:55:44 -04:00
Jason Ertel 63d4061500 prevent login redirect to any API url 2026-07-14 13:52:32 -04:00
Jorge ReyesandGitHub 8167ae3282 Merge pull request #16062 from Security-Onion-Solutions/reyesj2/es937
ES 9.3.7
2026-07-13 14:35:35 -05:00
reyesj2 2cd889782d soup es check for 9.3.7 2026-07-13 13:16:12 -05:00
reyesj2 87a5639643 pipeline updates 2026-07-13 13:05:25 -05:00
reyesj2 99e9fc1c3b ES 9.3.7 2026-07-10 13:50:55 -05:00
Jorge ReyesandGitHub e5de499bcc Merge pull request #16059 from Security-Onion-Solutions/reyesj2-patch-4 2026-07-10 13:02:18 -05:00
reyesj2 7d17784e96 status messages for so-elastic-fleet-setup 2026-07-10 12:50:21 -05:00
Jason ErtelandGitHub f0bbbf37d8 Merge pull request #16058 from Security-Onion-Solutions/jertel/wip
toggle pg metrics
2026-07-10 10:48:07 -04:00
Jason Ertel 6fc0fd954c clarify output annotation 2026-07-10 10:35:37 -04:00
Jason Ertel 566f90a0c0 toggle pg metrics 2026-07-10 10:32:25 -04:00
Mike Reeves 52885e28c5 Name the reposync-side kernel repo securityonionkernelsync
The reposync section in repodownload.conf and the client repo assigned in
repo/client/oracle.sls both used the bare name securityonionkernel, colliding
across the two roles. Rename the reposync-side section (and its --repoid, the
so-repo-sync guard, and the so-kernel-upgrade presence check) to
securityonionkernelsync, mirroring the existing securityonion/securityonionsync
split for the main repo. The client repo stays securityonionkernel. Also give
the section its own name=Security Onion Kernel Repo repo.
2026-07-09 17:02:47 -04:00
Jorge ReyesandGitHub 4e856f02da Merge pull request #16055 from Security-Onion-Solutions/reyesj2-patch-3
exit so-setup early for issues with so-elastic-fleet-setup
2026-07-09 14:53:52 -05:00
reyesj2 f6a2758321 add so-elastic-agent-install script to minions 2026-07-09 14:44:42 -05:00
reyesj2 0b078c4804 give the elasticfleet state a few chances to complete successfully before exiting 1 causing so-setup to fail 2026-07-09 14:23:45 -05:00
reyesj2 2959dc9564 keep logs for all 3 attempts 2026-07-09 14:18:08 -05:00
reyesj2 8b0759866e verify installers are generated 2026-07-09 14:15:22 -05:00
reyesj2 6fa0d327cb cause so-setup to fail if there are issues setting up fleet 2026-07-09 14:14:58 -05:00
Mike Reeves 9a71f64a35 Branch so-kernel-upgrade on the running kernel flavor
Only the RHCK->UEK flavor cross needs grubby --set-default; a UEK7->UEK8
update stays in the kernel-uek lineage and auto-promotes on its own. Detect
the running kernel and act accordingly:

- UEK8: already on target, no-op.
- UEK7: populate the repo and install UEK8, then verify it auto-promoted
  (warn with the manual grubby command if it did not) -- no grubby change.
- RHCK: install UEK8 and set the boot default explicitly, as before.

Also make an already-installed UEK8 skip the repo entirely so a disabled or
empty kernel repo can't block flipping the default, and correct the header
comment that claimed every transition needs grubby.
2026-07-09 15:10:13 -04:00
Mike Reeves 40c02b3149 Make so-kernel-upgrade populate the kernel repo and fail loudly
Three stages of the UEK8 path fail silently, and the script only handled
the last one:

1. Populate. so-repo-sync runs before the highstate deploys the
   [securityonionkernel] section into repodownload.conf, so the first
   kernel-aware soup skips the kernel sync. kernelrepo_init_empty then
   seeds valid-but-empty repodata, leaving an enabled repo with zero
   packages. dnf resolves it happily and installs nothing, no error.

2. Install. `dnf install kernel-uek` on a UEK7 node sees kernel-uek 5.15
   already installed, prints "Nothing to do" and exits 0 -- so the script
   sailed past the install and died later with a misleading grubby error.

3. Boot. Already handled: grubby only auto-promotes within the running
   kernel's flavor lineage, so 5.x -> 6.x UEK never promotes on its own.

Add ensure_kernel_repo(), which verifies the repo is enabled (necessary
because skip_if_unavailable=1 hides a broken repo) and that it can serve a
6.x kernel-uek. When it cannot, a manager runs so-repo-sync to populate
/nsm/kernelrepo and re-checks; a minion cannot fix it and exits non-zero
pointing the admin at the manager. Airgap managers bail, since their repo
comes from the ISO rather than a sync.

Install the explicit UEK8 NEVRA instead of the bare package name so the
"Nothing to do" exit-0 case cannot mask a no-op, and pin the repoquery to
securityonionkernel so a UEK7 kernel-uek in the main repo is never picked.

Still idempotent and still never reboots.
2026-07-09 14:21:08 -04:00
Mike Reeves 5fd5df54b4 Install UEK8 in so-kernel-upgrade when no UEK kernel is present
The script assumed the UEK8 kernel was already installed and only switched
the boot default to it. On a node running the EL9 stock kernel (RHCK 5.14)
there is no kernel-uek* package at all, so `dnf update` has nothing to
upgrade and UEK8 never lands -- the script just logged "nothing to do" and
exited 0.

When no 6.x UEK boot entry exists, install the kernel-uek metapackage (it
pulls kernel-uek-core plus the module subpackages, including
kernel-uek-modules-extra-netfilter) and then proceed with the grubby
switch. Fail loudly if securityonionkernel is not an enabled repo, since
that assignment is gated on the NIC-pin marker and the salt version match
and a silent no-op there is hard to diagnose.

Also point DEFAULTKERNEL at kernel-uek-core so later kernel updates stay on
the UEK line rather than falling back to RHCK.

Still idempotent and still never reboots.
2026-07-09 13:47:50 -04:00
reyesj2 3394e9aab7 increase agent health timeout and add logging for elastic agent status output 2026-07-09 11:29:43 -05:00
Jorge ReyesandGitHub 3766f74102 Merge pull request #16052 from Security-Onion-Solutions/reyesj2-patch-2
elastic fleet server persistence
2026-07-08 16:40:45 -05:00
reyesj2 c04a30785f make elastic agent state persistent to prevent re-enrollment during soup / reboots 2026-07-08 16:15:02 -05:00
Jason ErtelandGitHub ca4d22a5fe Merge pull request #16050 from Security-Onion-Solutions/jertel/wip
restart soc after re-initing db
2026-07-08 16:07:13 -04:00
Jorge ReyesandGitHub ea199aee55 Merge pull request #16049 from Security-Onion-Solutions/reyesj2-patch-1
add missing so-logs-soc annotation
2026-07-08 14:09:17 -05:00
reyesj2 5a57bbe4de add missing so-logs-soc annotation 2026-07-08 14:03:31 -05:00
Jason Ertel 1f44e98681 restart soc after re-initing db 2026-07-08 14:34:27 -04:00
Jorge ReyesandGitHub 9a313d1966 Merge pull request #16045 from Security-Onion-Solutions/reyesj2/eahealth
verify elastic-agent reports healthy status before completing install…
2026-07-08 11:45:54 -05:00
reyesj2 85d7f6bebc independently download so-elastic-agent installer 2026-07-08 08:19:15 -05:00
reyesj2 2a4a7307f7 uninstall agent after downloading new one and getting gridtoken 2026-07-08 07:51:13 -05:00
reyesj2 f8de176f4b uninstall agent on final failed attempt 2026-07-08 07:47:47 -05:00
Jason ErtelandGitHub dffe0d3780 Merge pull request #16046 from Security-Onion-Solutions/jertel/wip
recollate databases
2026-07-08 07:05:37 -04:00
Jason Ertel d131d167de provide explanation text 2026-07-08 07:00:38 -04:00
Jason Ertel 8a8f2c4a33 change order to recollate first 2026-07-07 22:22:00 -04:00
Jason Ertel 7f6014096b recollate db 2026-07-07 22:01:27 -04:00
reyesj2 70af3cec53 avoid using 'failure' until all loops are done so so-verify doesn't flag it 2026-07-07 16:48:10 -05:00
reyesj2 57b7d59387 verify elastic-agent reports healthy status before completing installation 2026-07-07 16:42:47 -05:00
Jason Ertel ef83450107 recollate 2026-07-07 16:54:06 -04:00
coreyogburnandGitHub 032d792331 Merge pull request #16030 from Security-Onion-Solutions/feature/agentic
Feature/agentic
2026-07-07 14:37:52 -06:00
Josh BrowerandGitHub 0cac761edc Merge pull request #16041 from Security-Onion-Solutions/playbook-reponames
Add repo names
2026-07-07 13:53:16 +02:00
Josh Brower db91ce981d Add repo names 2026-07-07 07:49:11 -04:00
Mike ReevesandGitHub bd8e5a63db Merge pull request #16039 from Security-Onion-Solutions/TOoSmOotH-patch-1
Add cluster_health option to telegraf.conf
2026-07-06 17:29:04 -04:00
Mike ReevesandGitHub 18212cad0d Add cluster_health option to telegraf.conf
Enable cluster health monitoring in Telegraf configuration.
2026-07-06 17:27:37 -04:00
Josh BrowerandGitHub 9975d36b4f Merge pull request #16019 from Security-Onion-Solutions/feature/sigma-playbooks
support sigma playbooks
2026-07-06 13:17:54 +02:00
Jorge ReyesandGitHub 8e9e221196 Merge pull request #16035 from Security-Onion-Solutions/reyesj2/huntquery
update default hunt query
2026-07-02 14:50:59 -05:00
Josh Brower 1fe7726aff Changes from feedback 2026-07-02 14:58:48 -04:00
Corey Ogburn 83cf1f0793 New Client Params for Tool Retries 2026-07-02 10:11:52 -06:00
Jason ErtelandGitHub 07d6b2cfdd Merge pull request #16033 from Security-Onion-Solutions/jertel/wip
avoid setup failure reason ambiguity
2026-07-02 09:20:48 -04:00
Jason ErtelandGitHub 89afea876a Merge branch '3/dev' into jertel/wip 2026-07-02 09:04:57 -04:00
Jason Ertel 1243a25bd3 avoid setup failure reason ambiguity 2026-07-02 08:59:52 -04:00
Corey Ogburn 8675296393 More Agentic Fields
The big agentic switch, a specific maxDelegationDepth, and the agentMapping dict
2026-07-01 15:04:42 -06:00
Matthew WrightandCorey Ogburn 23f04e2866 maxSubSessionTokens and maxDelegationDepth config settings 2026-07-01 15:02:21 -06:00
Josh PattersonandGitHub 76f6947f36 Merge pull request #16029 from Security-Onion-Solutions/surirulereload
only reload suricata rules if all-rulesets.rules exists
2026-07-01 16:54:02 -04:00
Jorge ReyesandGitHub 92a55386c6 Merge pull request #16028 from Security-Onion-Solutions/reyesj2-patch-6
duplicate repo name in so-repo-sync
2026-07-01 15:50:54 -05:00
reyesj2 e7352eb841 duplicate repo name in so-repo-sync 2026-07-01 15:17:55 -05:00
Josh Patterson 795aa898a3 suricata: only reload rules once the ruleset file exists
On a fresh install the surirulesync file.recurse creates .gitkeep before
SOC has generated all-rulesets.rules. That change satisfied the
surirulereload onchanges requisite, so the reload ran with no ruleset
present, failed to stat the file, and reported the state (and install)
as failed.

Add an onlyif guard so the reload only runs when all-rulesets.rules
exists. A .gitkeep-only sync now leaves the state a clean success
(onlyif condition false); once SOC writes the ruleset, the reload fires
normally.
2026-07-01 15:12:54 -04:00
Josh Patterson 69d77382f1 suricata: timestamp each line of reload log output
Route the reload/verify output (ours plus so-common's retry/fail lines)
through a synchronous timestamping pipeline so every line in reload.log
is prefixed with a date/time, and preserve the real exit code via
PIPESTATUS.
2026-07-01 15:12:53 -04:00
Jorge ReyesandGitHub dc9b4f3ce5 Merge pull request #16027 from Security-Onion-Solutions/reyesj2-patch-6
increase wait_for_so-kibana timeout to 10m
2026-07-01 13:48:10 -05:00
reyesj2 87b9276c79 increase wait_for_so-kibana timeout to 10m 2026-07-01 13:19:47 -05:00
Jorge ReyesandGitHub 99118f9bed Merge pull request #16023 from Security-Onion-Solutions/reyesj2/uekairgap
update airgap soup to sync uek repo from iso and retain latest packag…
2026-07-01 13:14:55 -05:00
reyesj2 24b75b4a2b typo 2026-07-01 12:50:23 -05:00
Jorge ReyesandGitHub 395bd627f1 Merge pull request #16024 from Security-Onion-Solutions/reyesj2/fixsearch
remove outdated eval script and associated salt utility state
2026-07-01 11:59:00 -05:00
reyesj2 868b217549 update default hunt query 2026-07-01 11:37:46 -05:00
reyesj2 c33db9d00f remove outdated eval script and associated salt utility state 2026-07-01 11:12:39 -05:00
reyesj2 e88eb65a44 keep old packages for rollback ability 2026-07-01 10:29:05 -05:00
reyesj2 dc8c80633b update airgap soup to sync uek repo from iso and retain latest packages only 2026-07-01 10:23:04 -05:00
Josh PattersonandGitHub 895aa18486 Merge pull request #16021 from Security-Onion-Solutions/surirulereload
suricata: verify reloaded ruleset is newer than the rules file
2026-07-01 10:33:14 -04:00
Josh Brower 2a6cc58306 Simplify mappings 2026-07-01 09:07:02 -04:00
Josh Patterson ee36f5f84c suricata: verify reloaded ruleset is newer than the rules file
Treating an in-progress reload as instant success could report success
while Suricata was still running a stale ruleset (the in-flight reload
may have started before the new all-rulesets.rules was written).

Make success conditional on Suricata actually having loaded the current
ruleset: capture the rules-file mtime up front, trigger a blocking
reload-rules, then query ruleset-reload-time and only succeed when
last_reload >= mtime. An in-progress reload now retries (waits for it to
clear so our own fresh reload runs) instead of short-circuiting, and a
ruleset that never catches up within the retry window fails via fail().

Also drop the redundant ruleset-reload-nonblocking call (the verified
blocking reload is authoritative and the async call was what left a
reload running) and log human-readable timestamps.
2026-07-01 09:00:36 -04:00
Josh Brower 9217670bab support sigma playbooks 2026-06-30 16:21:01 -04:00
Jorge ReyesandGitHub a3f586cf88 Merge pull request #16018 from Security-Onion-Solutions/reyesj2/kf 2026-06-30 14:46:22 -05:00
reyesj2 670d2b2757 casing 2026-06-30 12:57:56 -05:00
reyesj2 3b8459c6ec soup upgrade kafka cluster metadata v4 2026-06-30 12:43:42 -05:00
Josh Patterson 52574e21c6 suricata: treat in-progress rule reload as success
so-suricata-reload-rules failed the surirulereload state when a rule
reload was already running: suricatasc returns
{"message":"Reload already in progress","return":"NOK"}, which never
matched the expected output, so retry looped all 60 attempts (~3 min)
and called fail.

Wrap the suricatasc calls so an in-progress reload is treated as
success (the in-flight reload picks up the new rules) while genuine
container-not-ready conditions still retry and ultimately fail.
2026-06-30 09:40:23 -04:00
Jorge ReyesandGitHub 576c7bfedd Merge pull request #16013 from Security-Onion-Solutions/reyesj2/so-start
update so-stop | so-start | so-restart scripts
2026-06-26 13:47:09 -05:00
reyesj2 b3b7ecdded update so-stop | so-start | so-restart scripts 2026-06-26 13:19:18 -05:00
Mike ReevesandGitHub 0af020b6c3 Merge pull request #16012 from Security-Onion-Solutions/kernel
Serve /kernelrepo through nginx so minions can reach the kernel repo
2026-06-26 12:04:33 -04:00
Mike Reeves 339a5af4a3 Serve /kernelrepo through nginx so minions can reach the kernel repo
The /nsm/kernelrepo bind mount exposed the files, but without a matching
location block external requests to /kernelrepo/ fell through to the SOC
app and returned HTML, so minions hit 'repomd.xml parser error'. Add a
/kernelrepo/ location mirroring /repo/.
2026-06-26 12:02:49 -04:00
Mike ReevesandGitHub 7952c274c4 Merge pull request #16011 from Security-Onion-Solutions/kernel
Switch boot default to UEK8 kernel and gate kernel repo on salt version
2026-06-26 09:27:01 -04:00
Mike Reeves 67a9abadf2 Gate so_kernel_repo on running salt matching the shipped version
During soup the grid is mid-salt-upgrade. Only assign the UEK8 kernel
repo once the node's grains.saltversion matches salt.minion.version from
minion.defaults.yaml, so the kernel repo and the update it enables don't
activate until the node is fully on the target salt.
2026-06-26 09:21:11 -04:00
Mike Reeves 94f31e1356 Add so-kernel-upgrade to switch the boot default to the UEK8 kernel
Installing kernel-uek-core adds a UEK8 (6.x) boot entry but doesn't make
it the default, because grubby only auto-promotes within the running
kernel's flavor lineage and we cross from a 5.x kernel to the new UEK8
flavor. so-kernel-upgrade finds the newest installed 6.x UEK kernel and
grubby --set-default's it (idempotent, verifies the change, no reboot).
2026-06-26 09:21:11 -04:00
Josh BrowerandGitHub 435e2b4182 Merge pull request #16009 from Security-Onion-Solutions/zeek-communityid
Set transport for ssl.established:false logs
2026-06-25 21:04:27 +02:00
Josh Brower d0edfd2131 set transport for ssl.established:false logs 2026-06-25 14:18:43 -04:00
Mike ReevesandGitHub 13ebde61bd Merge pull request #16000 from Security-Onion-Solutions/kernel
Add UEK8 kernel repo support across install and grid
2026-06-25 14:15:58 -04:00
Jason ErtelandGitHub 30312b93a6 Merge pull request #16008 from Security-Onion-Solutions/jertel/wip
support multiple capinfos versions
2026-06-25 10:19:56 -04:00
Jason Ertel a9c03e39bb support multiple capinfos versions 2026-06-25 09:32:08 -04:00
Dan MarrandGitHub 4d34470b84 Merge pull request #16005 from triggerman86/triggerman-fix-root_check-so-soup
Fix premature fail_setup function call in so-setup
2026-06-24 13:41:53 -04:00
Mike Reeves b0b022c3ad Seed an empty /nsm/kernelrepo so the manager repo is always valid
so-repo-sync only populates /nsm/kernelrepo after the highstate, so on a
manager the file:///nsm/kernelrepo repo could be assigned before any
repodata exists, failing every dnf op. Run createrepo on the dir when
repodata/repomd.xml is missing, leaving a synced repo untouched.
2026-06-24 13:23:25 -04:00
Mike Reeves 27c1c35e62 Mark kernel repo skip_if_unavailable so an empty repo can't brick dnf
When the kernel repo is assigned but /nsm/kernelrepo isn't populated
yet, its missing repomd.xml makes every dnf/pkg operation fail (e.g.
pkg.held for salt during highstate). The kernel repo is supplementary,
so set skip_if_unavailable=1 in both the salt-managed client repo and
the four install-time bootstrap repo files; dnf ignores it until it is
populated instead of aborting. The main repo stays strict.
2026-06-24 13:20:10 -04:00
Mike Reeves f45631af3a Guard kernel reposync on its config section existing
During soup, so-repo-sync runs before the highstate deploys the new
repodownload.conf. On the first upgrade to a kernel-aware version the
on-disk config lacks the [securityonionkernel] section, so dnf aborts
with "Unknown repo: 'securityonionkernel'" (set -e kills soup). Guard
the kernel reposync on the section being present; the next sync after
the highstate deploys it picks it up.
2026-06-24 12:15:10 -04:00
Jorge ReyesandGitHub 81c8d54589 Merge pull request #16006 from Security-Onion-Solutions/reyesj2-patch-5
remove heayvnode FleetServer_* directory creation, and skip empty dir…
2026-06-23 15:53:34 -05:00
reyesj2 4f3b57f495 remove duplicate package-upgrade attempts, upgrade only when reported latest version differs from installed version 2026-06-23 15:52:10 -05:00
reyesj2 84228a819b remove heayvnode FleetServer_* directory creation, and skip empty directories during FleetServer policy management 2026-06-23 15:30:49 -05:00
Dan Marr 81ebea0451 Fix non-root exit checks at start of so-setup 2026-06-23 16:07:30 -04:00
Mike Reeves 8e2753aeb8 Fix duplicate securityonionkernel repo definition
The install bootstrap appended the [securityonionkernel] section to the
shared /etc/yum.repos.d/securityonion.repo, but the salt state so_kernel_repo
(name securityonionkernel) manages its own canonical file
/etc/yum.repos.d/securityonionkernel.repo. At highstate both files defined the
same repo id, so dnf failed with "repository securityonionkernel is listed
more than 1 time".

Write the bootstrap kernel repo to /etc/yum.repos.d/securityonionkernel.repo
in all four securityonion_repo() branches so the id lives in exactly one file
and salt edits it in place. Mirrors how the main repo's runtime id matches its
file name.
2026-06-23 13:53:14 -04:00
Mike Reeves 698a746d6d Add UEK8 kernel repo support across install and grid
Mirror the kernel repo to full parity with the main package repo so the
grid can pull the Oracle UEK8 kernel:

- setup/so-functions: securityonion_repo() emits a [securityonionkernel]
  section in every branch (mirrorlist on non-airgap, https://$MSRV/kernelrepo
  for airgap/minion, file:///nsm/kernelrepo/ for manager); repo_sync_local()
  and create_repo() sync and build /nsm/kernelrepo.
- manager/init.sls: create /nsm/kernelrepo and deploy mirror-kernel.txt.
- nginx/enabled.sls: serve /nsm/kernelrepo at https://<repo_host>/kernelrepo.
- repo/client/oracle.sls: add so_kernel_repo, gated by
  onlyif test -e /opt/so/state/nic_names_pinned so the kernel repo is only
  assigned once NICs are pinned by MAC.
- update_packages(): run so-nic-pin before the dnf update that pulls the
  kernel, freezing interface names and dropping the pin marker so the kernel
  isn't downgraded then re-upgraded on the first highstate.
2026-06-23 13:19:56 -04:00
Josh PattersonandGitHub a9f9d8bd0d Merge pull request #15985 from Security-Onion-Solutions/soupmod2
allow manager two full highstates during soup, improve elastic script runtime
2026-06-22 17:02:02 -04:00
Jason ErtelandGitHub 953fdee3af Merge pull request #15984 from Security-Onion-Solutions/jertel/wip
Upgrade registry
2026-06-22 16:56:18 -04:00
Jason Ertel e2e3e690ca reset version 2026-06-22 16:52:29 -04:00
Jason Ertel bcc60a4ae0 kilo version 2026-06-22 13:07:49 -04:00
Jason Ertel b77103aa9f upgrade registry 2026-06-22 13:01:02 -04:00
Jorge ReyesandGitHub 63a2e20698 Merge pull request #15982 from Security-Onion-Solutions/reyesj2/wip
don't create stack trace when set -e is disabled
2026-06-18 15:25:41 -05:00
reyesj2 22d5c96bd5 don't create stack trace when set -e is disabled 2026-06-18 14:56:29 -05:00
Mike ReevesandGitHub 28fdd1eb6f Merge pull request #15970 from Security-Onion-Solutions/udev
Pin NIC names by MAC via udev (run-once) from the common state
2026-06-18 14:28:09 -04:00
Mike Reeves 80c39d612c Pin NIC names by MAC via udev (run-once) from the common state
Add so-nic-pin, which writes by-MAC persistent-net udev rules pinning each
physical NIC to its current name so a kernel upgrade can't renumber the
interfaces Security Onion binds by name (host:mainint, sensor:mainint, bond0).

Gated by the drop file /opt/so/state/nic_names_pinned: run-once on highstate,
and an admin can pre-create the marker to opt out. Wired into common/init.sls
as pin_nic_names, guarded by a matching unless.
2026-06-11 18:40:43 -04:00
60 changed files with 1355 additions and 307 deletions
-59
View File
@@ -1,59 +0,0 @@
#!/usr/bin/env bash
# This script adds sensors/nodes/etc to the nodes tab
default_salt_dir=/opt/so/saltstack/default
local_salt_dir=/opt/so/saltstack/local
TYPE=$1
NAME=$2
IPADDRESS=$3
CPUS=$4
GUID=$5
MANINT=$6
ROOTFS=$7
NSM=$8
MONINT=$9
#NODETYPE=$10
#HOTNAME=$11
echo "Seeing if this host is already in here. If so delete it"
if grep -q $NAME "$local_salt_dir/pillar/data/$TYPE.sls"; then
echo "Node Already Present - Let's re-add it"
awk -v blah=" $NAME:" 'BEGIN{ print_flag=1 }
{
if( $0 ~ blah )
{
print_flag=0;
next
}
if( $0 ~ /^ [a-zA-Z0-9]+:$/ )
{
print_flag=1;
}
if ( print_flag == 1 )
print $0
} ' $local_salt_dir/pillar/data/$TYPE.sls > $local_salt_dir/pillar/data/tmp.$TYPE.sls
mv $local_salt_dir/pillar/data/tmp.$TYPE.sls $local_salt_dir/pillar/data/$TYPE.sls
echo "Deleted $NAME from the tab. Now adding it in again with updated info"
fi
echo " $NAME:" >> $local_salt_dir/pillar/data/$TYPE.sls
echo " ip: $IPADDRESS" >> $local_salt_dir/pillar/data/$TYPE.sls
echo " manint: $MANINT" >> $local_salt_dir/pillar/data/$TYPE.sls
echo " totalcpus: $CPUS" >> $local_salt_dir/pillar/data/$TYPE.sls
echo " guid: $GUID" >> $local_salt_dir/pillar/data/$TYPE.sls
echo " rootfs: $ROOTFS" >> $local_salt_dir/pillar/data/$TYPE.sls
echo " nsmfs: $NSM" >> $local_salt_dir/pillar/data/$TYPE.sls
if [ $TYPE == 'sensorstab' ]; then
echo " monint: bond0" >> $local_salt_dir/pillar/data/$TYPE.sls
fi
if [ $TYPE == 'evaltab' ] || [ $TYPE == 'standalonetab' ]; then
echo " monint: bond0" >> $local_salt_dir/pillar/data/$TYPE.sls
if [ ! $10 ]; then
salt-call state.apply utility queue=True
fi
fi
if [ $TYPE == 'nodestab' ]; then
salt-call state.apply elasticsearch queue=True
# echo " nodetype: $NODETYPE" >> $local_salt_dir/pillar/data/$TYPE.sls
# echo " hotname: $HOTNAME" >> $local_salt_dir/pillar/data/$TYPE.sls
fi
+1 -2
View File
@@ -37,8 +37,7 @@
'elasticfleet', 'elasticfleet',
'elasticfleet.manager', 'elasticfleet.manager',
'elasticsearch.cluster', 'elasticsearch.cluster',
'elastic-fleet-package-registry', 'elastic-fleet-package-registry'
'utility'
] %} ] %}
{% set sensor_states = [ {% set sensor_states = [
+11
View File
@@ -130,6 +130,17 @@ common_sbin:
- so-pcap-import - so-pcap-import
{% endif %} {% endif %}
# Pin physical NIC names by MAC (run-once) so a kernel upgrade can't renumber the
# interfaces SO binds by name. The marker keeps it a one-time setup; an admin can
# pre-create the marker to opt out.
pin_nic_names:
cmd.run:
- name: /usr/sbin/so-nic-pin
- unless: 'test -e /opt/so/state/nic_names_pinned'
- require:
- file: common_sbin
- file: statedir
common_sbin_jinja: common_sbin_jinja:
file.recurse: file.recurse:
- name: /usr/sbin - name: /usr/sbin
+14
View File
@@ -291,6 +291,20 @@ download_and_verify() {
fi fi
} }
# check if container with name is running and optionally stop it
docker_check_running() {
# show running containers, only names
if docker ps --format '{{.Names}}' | grep -q "^so-${1}$"; then
if [[ "$2" == "--stop" ]]; then
docker stop "so-${1}"
fi
return 0
else
return 1
fi
}
elastic_license() { elastic_license() {
read -r -d '' message <<- EOM read -r -d '' message <<- EOM
+243
View File
@@ -0,0 +1,243 @@
#!/bin/bash
#
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
#
# so-kernel-upgrade — install the UEK8 (6.x) kernel and make it the boot default.
#
# Security Onion is moving off the EL9 stock kernel (RHCK, 5.14) and UEK7 (5.15) onto UEK8
# (6.x). Three things have to happen, and the tool has to drive each one:
#
# 1. Populate. The manager mirrors the UEK8 packages into /nsm/kernelrepo via so-repo-sync,
# and serves them to the grid over https://<manager>/kernelrepo. Until that sync runs the
# repo is valid but EMPTY -- dnf resolves it happily and installs nothing, with no error.
# 2. Install. A node on RHCK has no kernel-uek* package at all, so there is nothing for
# 'dnf update' to upgrade. A node on UEK7 does have kernel-uek installed, so
# 'dnf install kernel-uek' reports "Nothing to do" and exits 0 without installing 6.x.
# Both cases need an explicit install of the UEK8 NEVRA.
# 3. Boot it. Whether a newly installed UEK8 kernel becomes the boot default depends on the
# RUNNING kernel's flavor. kernel-install/grubby (with UPDATEDEFAULT=yes) only auto-promote
# within the running kernel's flavor lineage:
# - From UEK7 (5.x, kernel-uek) the install stays in the kernel-uek lineage and IS
# auto-promoted, so no grubby change is needed -- just make sure the repo is populated
# and install UEK8.
# - From the stock EL9 kernel (RHCK, 5.14, no UEK) it is a flavor CROSS that is NOT
# auto-promoted, so the box keeps booting RHCK until grubby is told otherwise.
# This tool inspects the running kernel and only runs 'grubby --set-default' for RHCK.
#
# Every one of those failure modes is silent by default. This tool handles each case and fails
# loudly when it cannot, rather than reporting success while changing nothing.
#
# Manager vs minion: only the manager owns /nsm/kernelrepo, so only the manager can populate
# it. If the repo is empty here, a manager runs so-repo-sync itself; a minion has no way to
# fix it and exits non-zero telling the admin to sync the manager first.
#
# Idempotent: an already-installed, already-default UEK8 kernel is left alone. It only sets
# the boot default; it does NOT reboot -- the admin reboots the node on their own schedule.
. /usr/sbin/so-common
# Client-side repo id (what dnf enables on this node, from repo/client/oracle.sls) vs the
# reposync-side section in repodownload.conf that the manager mirrors from (mirrors the
# securityonion/securityonionsync split for the main repo).
KERNEL_REPO="securityonionkernel"
KERNEL_REPO_SYNC="securityonionkernelsync"
KERNEL_PKG="kernel-uek"
KERNEL_REPO_DIR="/nsm/kernelrepo"
REPOSYNC_CONF="/opt/so/conf/reposync/repodownload.conf"
GLOBAL_PILLAR="/opt/so/saltstack/local/pillar/global/soc_global.sls"
log() { echo "[so-kernel-upgrade] $*"; }
die() { echo "[so-kernel-upgrade] ERROR: $*" >&2; exit 1; }
command -v grubby >/dev/null 2>&1 || die "grubby not found"
command -v dnf >/dev/null 2>&1 || die "dnf not found"
ARCH="$(rpm -E '%{_arch}')"
is_airgap() {
[ -f "$GLOBAL_PILLAR" ] && grep -q 'airgap: *[Tt]rue' "$GLOBAL_PILLAR"
}
# Newest installed UEK8 (6.x) kernel known to the bootloader. UEK8 vmlinuz paths look like
# /boot/vmlinuz-6.12.0-204.92.4.2.el9uek.x86_64; UEK7 (5.15) and RHCK (5.14) won't match.
find_uek8() {
grubby --info=ALL 2>/dev/null \
| sed -n 's/^kernel="\(.*\)"$/\1/p' \
| grep -E '/vmlinuz-6\.[0-9]+.*uek' \
| sort -V | tail -1
}
# Classify the RUNNING kernel (uname -r) -- this, not what's installed, is what decides whether
# a UEK8 install auto-promotes to the boot default:
# uek8 6.x UEK already on the target line; nothing to do
# uek7 5.x UEK a UEK8 install stays in the kernel-uek lineage and auto-promotes (no grubby)
# rhck 5.14 EL9 crossing into the UEK flavor does NOT auto-promote (needs grubby --set-default)
running_flavor() {
case "$(uname -r)" in
6.*uek*) echo uek8 ;;
*uek*) echo uek7 ;;
*) echo rhck ;;
esac
}
# Newest UEK8 kernel-uek NEVRA offered by the kernel repo, empty if the repo has none.
# Restricted to the kernel repo so a UEK7 kernel-uek in the main repo can't be picked up,
# and filtered to 6.x so we never "succeed" by reinstalling the 5.15 we already have.
uek8_available() {
dnf -q repoquery --disablerepo='*' --enablerepo="$KERNEL_REPO" \
--arch="$ARCH" --latest-limit=1 \
--qf '%{name}-%{evr}.%{arch}\n' "$KERNEL_PKG" 2>/dev/null \
| grep -E "^${KERNEL_PKG}-6\." | tail -1
}
kernelrepo_rpm_count() {
find "$KERNEL_REPO_DIR" -maxdepth 1 -name '*.rpm' 2>/dev/null | wc -l
}
# The kernel repo starts life as valid-but-empty (kernelrepo_init_empty in
# salt/manager/init.sls) and is filled by so-repo-sync. During a soup, so-repo-sync runs
# BEFORE the highstate deploys the [securityonionkernelsync] section into repodownload.conf, so
# the first kernel-aware soup leaves the repo empty until the next nightly sync.
sync_kernel_repo() {
if is_airgap; then
log "airgap install: $KERNEL_REPO_DIR is populated from the airgap ISO, not by so-repo-sync."
return 1
fi
if ! grep -q "^\[${KERNEL_REPO_SYNC}\]" "$REPOSYNC_CONF" 2>/dev/null; then
log "$REPOSYNC_CONF has no [${KERNEL_REPO_SYNC}] section -- run a highstate to deploy it."
return 1
fi
log "populating $KERNEL_REPO_DIR with so-repo-sync (mirrors upstream; can take several minutes)"
su socore -c '/usr/sbin/so-repo-sync' || { log "so-repo-sync failed"; return 1; }
dnf -q clean expire-cache >/dev/null 2>&1
return 0
}
# Make the kernel repo actually able to serve a UEK8 package, or fail trying.
ensure_kernel_repo() {
# The repo is assigned by the repo.client highstate, and only once NICs are pinned by MAC
# (/opt/so/state/nic_names_pinned) so the kernel swap can't renumber interfaces SO binds
# by name. skip_if_unavailable=1 means a broken repo is silently ignored, so check first.
if ! dnf -q repolist --enabled 2>/dev/null | awk '{print $1}' | grep -qx "$KERNEL_REPO"; then
log "repo '$KERNEL_REPO' is not enabled on this node."
log "Run a highstate first; the repo is skipped until /opt/so/state/nic_names_pinned"
log "exists (run so-nic-pin) and this node's salt matches the version this release ships."
die "kernel repo unavailable"
fi
[ -n "$(uek8_available)" ] && return 0
log "repo '$KERNEL_REPO' is enabled but offers no UEK8 $KERNEL_PKG package"
if ! is_manager_node; then
log "This is a minion; it consumes the kernel repo from the manager and cannot populate it."
log "On the manager, run: su socore -c /usr/sbin/so-repo-sync"
log "then re-run this script here."
die "manager's kernel repo is empty"
fi
log "this is a manager and $KERNEL_REPO_DIR holds $(kernelrepo_rpm_count) rpm(s)"
sync_kernel_repo || die "could not populate $KERNEL_REPO_DIR"
[ -n "$(uek8_available)" ] \
|| die "so-repo-sync completed but $KERNEL_REPO still offers no UEK8 $KERNEL_PKG"
}
reboot_notice() {
[ "$(uname -r)" = "$(basename "$1" | sed 's/^vmlinuz-//')" ] \
|| log "REBOOT REQUIRED to start using the UEK8 kernel (currently running $(uname -r))."
}
# Keep future kernel updates on the UEK line rather than falling back to RHCK. Oracle ships
# /etc/sysconfig/kernel; only rewrite it when it's actually pointing somewhere else.
set_default_kernel_conf() {
if [ -f /etc/sysconfig/kernel ] && ! grep -q '^DEFAULTKERNEL=kernel-uek-core$' /etc/sysconfig/kernel; then
log "setting DEFAULTKERNEL=kernel-uek-core in /etc/sysconfig/kernel"
sed -i 's/^DEFAULTKERNEL=.*/DEFAULTKERNEL=kernel-uek-core/' /etc/sysconfig/kernel
fi
}
# Make sure a UEK8 kernel is installed, leaving its boot entry in INSTALLED_UEK8. If one is
# already present we leave the repo alone -- it may be disabled or empty and we don't need it
# just to flip the boot default. Otherwise install the explicit NEVRA, not the bare package
# name: on a UEK7 node 'dnf install kernel-uek' sees 5.15 already present, prints "Nothing to
# do" and exits 0 without installing 6.x.
ensure_uek8_installed() {
INSTALLED_UEK8="$(find_uek8)"
if [ -n "$INSTALLED_UEK8" ]; then
log "UEK8 kernel already installed: $INSTALLED_UEK8"
return 0
fi
ensure_kernel_repo
local nevra; nevra="$(uek8_available)"
log "installing $nevra from $KERNEL_REPO"
dnf -y install "$nevra" || die "failed to install $nevra"
INSTALLED_UEK8="$(find_uek8)"
[ -n "$INSTALLED_UEK8" ] || die "$nevra installed but no 6.x UEK boot entry appeared -- check 'grubby --info=ALL'"
log "installed UEK8 kernel: $INSTALLED_UEK8"
}
case "$(running_flavor)" in
uek8)
# Already on the 6.x UEK line. A plain 'dnf update' keeps this node current within the
# lineage and auto-promotes newer builds, so there is nothing for this tool to do.
log "already running a UEK8 kernel ($(uname -r)); nothing to do."
exit 0
;;
uek7)
# On a 5.x UEK kernel. Installing UEK8 stays inside the kernel-uek lineage, so dnf/grubby
# (UPDATEDEFAULT=yes) auto-promote it and we do NOT touch grubby. A node still on UEK7
# usually means the kernel repo was empty when it last updated, so populate it and install.
log "running UEK7 kernel ($(uname -r)); the kernel repo was likely not yet populated when"
log "this node last updated. Populating it and installing UEK8 -- the update stays on the"
log "kernel-uek line, so it becomes the boot default automatically (no grubby change needed)."
set_default_kernel_conf
ensure_uek8_installed
now="$(grubby --default-kernel 2>/dev/null)"
if [ "$now" = "$INSTALLED_UEK8" ]; then
log "boot default auto-promoted to UEK8 kernel: $INSTALLED_UEK8"
else
log "WARNING: expected the UEK8 kernel to auto-promote but the default is still"
log "'${now:-unknown}'. Run 'grubby --set-default=$INSTALLED_UEK8' to force it."
fi
reboot_notice "$INSTALLED_UEK8"
;;
rhck)
# On the stock EL9 kernel (5.14, no UEK installed). Crossing from RHCK into the UEK flavor
# does NOT auto-promote -- kernel-install/grubby only auto-promote within the running
# kernel's flavor lineage -- so after installing we must set the boot default explicitly.
log "running stock EL9 (RHCK) kernel ($(uname -r)); installing UEK8 and setting it as the"
log "boot default explicitly (a RHCK->UEK flavor change does not auto-promote)."
set_default_kernel_conf
ensure_uek8_installed
target="$INSTALLED_UEK8"
current="$(grubby --default-kernel 2>/dev/null)"
if [ "$current" = "$target" ]; then
log "UEK8 kernel is already the boot default: $target"
reboot_notice "$target"
exit 0
fi
log "current default kernel: ${current:-unknown}"
log "switching boot default to UEK8 kernel: $target"
grubby --set-default="$target" || die "grubby --set-default failed for $target"
# Verify the change actually took before claiming success.
now="$(grubby --default-kernel 2>/dev/null)"
[ "$now" = "$target" ] || die "default kernel is still '${now:-unknown}' after set-default"
log "boot default is now $target"
reboot_notice "$target"
;;
esac
+1
View File
@@ -132,6 +132,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|HTTP 404: Not Found" # Salt loops until Kratos returns 200, during startup Kratos may not be ready EXCLUDED_ERRORS="$EXCLUDED_ERRORS|HTTP 404: Not Found" # Salt loops until Kratos returns 200, during startup Kratos may not be ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Cancelling deferred write event maybeFenceReplicas because the event queue is now closed" # Kafka controller log during shutdown/restart EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Cancelling deferred write event maybeFenceReplicas because the event queue is now closed" # Kafka controller log during shutdown/restart
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Redis may have been restarted" # Redis likely restarted by salt EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Redis may have been restarted" # Redis likely restarted by salt
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|file already closed" # Go logging race condition during container restart
fi fi
if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
+76
View File
@@ -0,0 +1,76 @@
#!/bin/bash
#
# so-nic-pin — pin physical NIC names by permanent MAC via classic by-MAC udev
# rules, so a kernel upgrade can't renumber them.
#
# Security Onion binds its management and monitor interfaces BY NAME in pillar
# (host:mainint, sensor:mainint, and bond0 is built on a specific physical NIC).
# A kernel upgrade can change the kernel/systemd-udevd predictable-naming output
# and renumber those NICs (e.g. enp1s0 -> enp2s0), which breaks the grid: the
# pillar references a name that no longer exists and bond/bridge bring-up fails.
#
# This writes /etc/udev/rules.d/70-persistent-net.rules pinning each PHYSICAL NIC
# to its CURRENT name by its PERMANENT MAC, freezing the names across future kernel
# changes. It only writes the rules file; it does NOT live-trigger a rename (the
# rules apply on the next boot/kernel, and a live rename would be disruptive).
#
# Run-once: gated by the drop file /opt/so/state/nic_names_pinned. If the marker is
# present the script does nothing, so an admin can pre-create it to opt out. Invoked
# from the common state on every highstate; the marker keeps it a one-time setup.
NET_RULES_FILE="/etc/udev/rules.d/70-persistent-net.rules"
MARKER="/opt/so/state/nic_names_pinned"
log() { echo -e "[so-nic-pin] $*"; }
# Echo "<name> <permanent-mac>" for every PHYSICAL NIC. A physical NIC is backed by a
# real device (has device/driver), which excludes bond0/sobridge/docker0/veth*/lo whose
# MACs are dynamic and must never be pinned. The PERMANENT MAC is used (ethtool -P, with
# fallbacks), not the current one: an enslaved bond member's current MAC is rewritten to
# the bond's, so matching on it would be wrong/ambiguous.
physical_nics() {
local path n mac
for path in /sys/class/net/*; do
n="${path##*/}"
[ "$n" = "lo" ] && continue
[ -e "${path}/device/driver" ] || continue # real device only
mac="$(ethtool -P "$n" 2>/dev/null | awk '/Permanent address/{print $NF}')"
case "$mac" in ""|00:00:00:00:00:00) mac="$(cat "${path}/bonding_slave/perm_hwaddr" 2>/dev/null)" ;; esac
case "$mac" in ""|00:00:00:00:00:00) mac="$(cat "${path}/address" 2>/dev/null)" ;; esac
case "$mac" in ""|00:00:00:00:00:00) continue ;; esac
echo "$n $mac"
done
}
# Turn "<name> <mac>" lines on stdin into classic by-MAC persistent-net udev rules.
render_net_rules() {
echo "# Generated by so-nic-pin: pin NIC names by MAC so kernel upgrades can't renumber them."
echo "# Security Onion binds its management/monitor interfaces by name; do not hand-edit."
local n mac
while read -r n mac; do
[ -n "$n" ] || continue
printf 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="%s", NAME="%s"\n' \
"$mac" "$n"
done
}
[ "$(id -u)" -eq 0 ] || exit 0 # salt runs us as root; bail quietly otherwise
[ -e "${MARKER}" ] && exit 0 # run-once guard (mirrors the state's unless)
nics="$(physical_nics)"
if [ -z "${nics}" ]; then
log "no physical NICs detected — nothing to pin (will retry on next highstate)"
exit 0 # do NOT drop the marker; let it retry later
fi
log "pinning physical NICs by permanent MAC:"
echo "${nics}" | sed 's/^/ /'
[ -f "${NET_RULES_FILE}" ] && cp -f "${NET_RULES_FILE}" "${NET_RULES_FILE}.bak"
echo "${nics}" | render_net_rules > "${NET_RULES_FILE}" || {
log "ERROR: failed to write ${NET_RULES_FILE}"
exit 1
}
mkdir -p "$(dirname "${MARKER}")" && touch "${MARKER}"
log "wrote ${NET_RULES_FILE} ($(grep -c '^SUBSYSTEM' "${NET_RULES_FILE}") NIC(s) pinned); dropped ${MARKER}"
+32 -15
View File
@@ -5,27 +5,44 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
# Usage: so-restart kibana | playbook
. /usr/sbin/so-common . /usr/sbin/so-common
if [ $# -ge 1 ]; then usage() {
echo "Usage: $0 <component> [args]"
echo ""
echo "Supported args:"
echo " --force | -f Force stop all Salt jobs before starting component."
echo ""
echo "Examples:"
echo " $0 kibana Restart Kibana"
echo " $0 kibana --force Force stop all Salt jobs before restarting Kibana"
exit 1
}
echo $banner if [[ $# -lt 1 ]]; then
printf "Restarting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n" usage
echo $banner fi
if [ "$2" = "--force" ]; then #shellcheck disable=SC2154
echo "$banner"
printf "Restarting %s...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n" "$1"
echo "$banner"
if [[ "$2" = "--force" ]] || [[ "$2" = "-f" ]]; then
printf "\nForce-stopping all Salt jobs before proceeding\n\n" printf "\nForce-stopping all Salt jobs before proceeding\n\n"
salt-call saltutil.kill_all_jobs salt-call saltutil.kill_all_jobs
fi fi
case $1 in case $1 in
"elastic-fleet") docker stop so-elastic-fleet && docker rm so-elastic-fleet && salt-call state.apply elasticfleet queue=True;; "elastic-fleet"|"elasticfleet")
*) docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;; docker_check_running "elastic-fleet" "--stop"
docker rm "so-elastic-fleet" 2> /dev/null
# Removing the elastic fleet state directory, so that the next startup re-enrolls with a fresh policy
rm -rf /opt/so/conf/elastic-fleet/state
salt-call state.apply elasticfleet queue=True
;;
*)
docker_check_running "$1" "--stop"
docker rm "so-${1}" 2> /dev/null
salt-call state.apply "$1" queue=True
;;
esac esac
else
echo -e "\nPlease provide an argument by running like so-restart $component, or by using the component-specific script.\nEx. so-restart logstash, or so-logstash-restart\n"
fi
+42 -15
View File
@@ -5,27 +5,54 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
# shellcheck disable=SC1091
# Usage: so-start all | kibana | playbook
. /usr/sbin/so-common . /usr/sbin/so-common
if [ $# -ge 1 ]; then usage() {
echo $banner echo "Usage: $0 <component> [args]"
printf "Starting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n" echo ""
echo $banner echo "Supported args:"
echo " --force | -f Force stop all Salt jobs before starting component."
echo ""
echo "Examples:"
echo " $0 kibana Start Kibana"
echo " $0 kibana --force Force stop all Salt jobs before starting Kibana"
exit 1
}
if [ "$2" = "--force" ]; then if [[ $# -lt 1 ]]; then
usage
fi
#shellcheck disable=SC2154
echo "$banner"
printf "Starting %s...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n" "$1"
echo "$banner"
if [[ "$2" = "--force" ]] || [[ "$2" == "-f" ]]; then
printf "\nForce-stopping all Salt jobs before proceeding\n\n" printf "\nForce-stopping all Salt jobs before proceeding\n\n"
salt-call saltutil.kill_all_jobs salt-call saltutil.kill_all_jobs
fi fi
case $1 in case "$1" in
"all") salt-call state.highstate queue=True;; "all")
"elastic-fleet") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply elasticfleet queue=True; fi ;; salt-call state.highstate queue=True
*) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; ;;
esac "elastic-fleet"|"elasticfleet")
if docker_check_running "elastic-fleet"; then
printf "\nso-%s is already running!\n\n" "elastic-fleet"
/usr/sbin/so-status
else else
echo -e "\nPlease provide an argument by running like so-start $component, or by using the component-specific script.\nEx. so-start logstash, or so-logstash-start\n" docker rm "so-elastic-fleet" 2> /dev/null
salt-call state.apply elasticfleet queue=True
fi fi
;;
*)
if docker_check_running "$1"; then
printf "\nso-%s is already running\n\n" "$1"
/usr/sbin/so-status
else
docker rm "so-${1}" 2> /dev/null
salt-call state.apply "$1" queue=True
fi
;;
esac
+27 -13
View File
@@ -5,21 +5,35 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
# shellcheck disable=SC1091
# Usage: so-stop kibana | playbook | thehive
. /usr/sbin/so-common . /usr/sbin/so-common
if [ $# -ge 1 ]; then usage() {
echo $banner echo "Usage: $0 <component>"
printf "Stopping $1...\n" echo ""
echo $banner echo "Examples:"
echo " $0 kibana Stop Kibana"
exit 1
}
case $1 in if [[ $# -lt 1 ]]; then
*) docker stop so-$1 ; docker rm so-$1 ;; usage
esac
else
echo -e "\nPlease provide an argument by running like so-stop $component, or by using the component-specific script.\nEx. so-stop logstash, or so-logstash-stop\n"
fi fi
#shellcheck disable=SC2154
echo "$banner"
printf "Stopping %s...\n" "$1"
echo "$banner"
case $1 in
"elasticfleet"|"elastic-fleet")
docker_check_running "elastic-fleet" "--stop"
docker rm "so-elastic-fleet" 2> /dev/null
# Removing the elastic fleet state directory, so that the next startup re-enrolls with a fresh policy
rm -rf /opt/so/conf/elastic-fleet/state
;;
*)
docker_check_running "$1" "--stop"
docker rm "so-${1}" 2> /dev/null
;;
esac
+2 -1
View File
@@ -63,7 +63,8 @@ function status {
function pcapinfo() { function pcapinfo() {
PCAP=$1 PCAP=$1
ARGS=$2 ARGS=$2
docker run --rm -v "$PCAP:/input.pcap" --entrypoint capinfos {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap -ae $ARGS docker run --rm -v "$PCAP:/input.pcap" --entrypoint capinfos {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap -ae $ARGS |\
sed 's/First packet/Earliest packet/g' | sed 's/Last packet/Latest packet/g'
} }
function pcapfix() { function pcapfix() {
+1 -1
View File
@@ -173,7 +173,7 @@ eaoptionalintegrationsdir:
{% for minion in node_data %} {% for minion in node_data %}
{% set role = node_data[minion]["role"] %} {% set role = node_data[minion]["role"] %}
{% if role in [ "eval","fleet","heavynode","import","manager", "managerhype", "managersearch","standalone" ] %} {% if role in [ "eval","fleet","import","manager", "managerhype", "managersearch","standalone" ] %}
{% set optional_integrations = ELASTICFLEETMERGED.optional_integrations %} {% set optional_integrations = ELASTICFLEETMERGED.optional_integrations %}
{% set integration_keys = optional_integrations.keys() %} {% set integration_keys = optional_integrations.keys() %}
fleet_server_integrations_{{ minion }}: fleet_server_integrations_{{ minion }}:
-1
View File
@@ -1,6 +1,5 @@
elasticfleet: elasticfleet:
enabled: False enabled: False
patch_version: 9.3.3+build202604082258 # Elastic Agent specific patch release.
enable_manager_output: True enable_manager_output: True
config: config:
server: server:
+10
View File
@@ -11,6 +11,10 @@
{# This value is generated during node install and stored in minion pillar #} {# This value is generated during node install and stored in minion pillar #}
{% set SERVICETOKEN = salt['pillar.get']('elasticfleet:config:server:es_token','') %} {% set SERVICETOKEN = salt['pillar.get']('elasticfleet:config:server:es_token','') %}
{# Prevent Elastic Agent from re-enrolling with a new agent.id everytime the container starts up.
- if a fresh enrollment is needed use 'so-stop elasticfleet'
#}
{% set ENROLLED = salt['file.file_exists']('/opt/so/conf/elastic-fleet/state/fleet.enc') %}
include: include:
- ca - ca
@@ -65,6 +69,7 @@ so-elastic-fleet:
- /etc/pki/elasticfleet-server.crt:/etc/pki/elasticfleet-server.crt:ro - /etc/pki/elasticfleet-server.crt:/etc/pki/elasticfleet-server.crt:ro
- /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state
- /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs
{% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
@@ -72,6 +77,7 @@ so-elastic-fleet:
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- environment: - environment:
{% if not ENROLLED %}
- FLEET_SERVER_ENABLE=true - FLEET_SERVER_ENABLE=true
- FLEET_URL=https://{{ GLOBALS.hostname }}:8220 - FLEET_URL=https://{{ GLOBALS.hostname }}:8220
- FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200 - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200
@@ -81,6 +87,9 @@ so-elastic-fleet:
- FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key
- FLEET_CA=/etc/pki/tls/certs/intca.crt - FLEET_CA=/etc/pki/tls/certs/intca.crt
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
{% endif %}
- STATE_PATH=/usr/share/elastic-agent/state
- CONFIG_PATH=/usr/share/elastic-agent/state
- LOGS_PATH=logs - LOGS_PATH=logs
{% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %} {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
@@ -99,6 +108,7 @@ so-elastic-fleet:
- x509: etc_elasticfleet_crt - x509: etc_elasticfleet_crt
- require: - require:
- file: trusttheca - file: trusttheca
- file: eastatedir
- x509: etc_elasticfleet_key - x509: etc_elasticfleet_key
- x509: etc_elasticfleet_crt - x509: etc_elasticfleet_crt
@@ -5,7 +5,7 @@
"package": { "package": {
"name": "endpoint", "name": "endpoint",
"title": "Elastic Defend", "title": "Elastic Defend",
"version": "9.3.0", "version": "9.3.1",
"requires_root": true "requires_root": true
}, },
"enabled": true, "enabled": true,
@@ -29,7 +29,7 @@
"\\.gz$" "\\.gz$"
], ],
"include_files": [], "include_files": [],
"processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-2.15.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-3.8.0\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-2.15.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-2.15.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-3.8.0\n- add_fields:\n target: data_stream\n fields:\n dataset: import", "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-2.20.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-3.8.3\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-2.20.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-2.20.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-3.8.3\n- add_fields:\n target: data_stream\n fields:\n dataset: import",
"tags": [ "tags": [
"import" "import"
], ],
+12 -5
View File
@@ -10,6 +10,15 @@
{% set AGENT_STATUS = salt['service.available']('elastic-agent') %} {% set AGENT_STATUS = salt['service.available']('elastic-agent') %}
{% set AGENT_EXISTS = salt['file.file_exists']('/opt/Elastic/Agent/elastic-agent') %} {% set AGENT_EXISTS = salt['file.file_exists']('/opt/Elastic/Agent/elastic-agent') %}
so-elastic-agent-install:
file.managed:
- name: /usr/sbin/so-elastic-agent-install
- source: salt://elasticfleet/tools/sbin/so-elastic-agent-install
- user: 947
- group: 939
- mode: 755
- show_changes: False
{% if not AGENT_STATUS or not AGENT_EXISTS %} {% if not AGENT_STATUS or not AGENT_EXISTS %}
pull_agent_installer: pull_agent_installer:
@@ -21,11 +30,9 @@ pull_agent_installer:
run_installer: run_installer:
cmd.run: cmd.run:
- name: ./so-elastic-agent_linux_amd64 -token={{ GRIDNODETOKEN }} -force - name: /usr/sbin/so-elastic-agent-install "{{ GRIDNODETOKEN }}"
- cwd: /opt/so - require:
- retry: - file: pull_agent_installer
attempts: 3
interval: 20
cleanup_agent_installer: cleanup_agent_installer:
file.absent: file.absent:
-2
View File
@@ -67,8 +67,6 @@ so-elastic-fleet-package-upgrade:
interval: 30 interval: 30
- require: - require:
- http: wait_for_so-kibana - http: wait_for_so-kibana
- onchanges:
- file: /opt/so/state/elastic_fleet_packages.txt
so-elastic-fleet-integrations: so-elastic-fleet-integrations:
cmd.run: cmd.run:
@@ -0,0 +1,100 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-elastic-fleet-common
# passed in as arg from elasticfleet/install_agent_grid.sls, else pulled from pillar later
GRIDNODETOKEN="$1"
LOGFILE="/opt/so/SO-Elastic-Agent_Installer_Health.log"
check_agent_health() {
timeout=300
interval=10
start=$SECONDS
while (( SECONDS - start < timeout )); do
agent_status=$(elastic-agent status 2>&1)
echo -e "\n$(date)\n$agent_status\n" >> "$LOGFILE"
if echo "$agent_status" | grep -A1 'elastic-agent$' | grep -q 'status: (HEALTHY)'; then
return 0
fi
echo "The Elastic Agent is not yet healthy. Waiting for ${interval} seconds before checking again..."
sleep "$interval"
done
echo "The Elastic Agent did not become healthy within ${timeout} seconds"
return 1
}
uninstall_agent() {
if command -v elastic-agent >/dev/null 2>&1; then
elastic-agent uninstall -f
fi
}
if [[ -z "$GRIDNODETOKEN" ]]; then
noderole=$(so-yaml.py get -r /etc/salt/grains role)
if [[ "$noderole" == "so-heavynode" ]]; then
GRIDNODETOKEN=$(salt-call pillar.get global:fleet_grid_enrollment_token_heavy --out=newline_values_only)
else
GRIDNODETOKEN=$(salt-call pillar.get global:fleet_grid_enrollment_token_general --out=newline_values_only)
fi
fi
if [[ -z "$GRIDNODETOKEN" ]]; then
echo "Unable to determine Elastic Fleet enrollment token. Exiting."
exit 1
fi
if [[ ! -x /opt/so/so-elastic-agent_linux_amd64 ]]; then
echo "Downloading so-elastic-agent installer... This could take a while if another Salt job is running."
# When running outside of elasticfleet/install_agent_grid.sls we need to download the installer independently.
# PYTHONWARNINGS="ignore" to avoid messages like the following when running salt-call:
# '/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/base.py:129: TransportWarning: Unclosed transport! <salt.transport.zeromq.RequestClient object at 0x7fc5f0ee7a30>
# File "/bin/salt-call", line 12, in <module>
# sys.exit(salt_call())'
PYTHONWARNINGS="ignore" salt-call state.single file.managed name=/opt/so/so-elastic-agent_linux_amd64 source=salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64 mode=755 makedirs=True queue=True
fi
if [[ -x /opt/so/so-elastic-agent_linux_amd64 ]]; then
attempts=0
cd /opt/so/ || exit 1
truncate -s 0 "$LOGFILE"
uninstall_agent
while [[ $attempts -lt 3 ]]; do
if ./so-elastic-agent_linux_amd64 -token="$GRIDNODETOKEN" -force && echo "Verifying Elastic Agent health..." && check_agent_health; then
rm -f /opt/so/so-elastic-agent_linux_amd64
elastic-agent status
exit 0
fi
attempts=$((attempts + 1))
if [[ $attempts -lt 3 ]]; then
echo "Unable to verify Elastic Agent health... Retrying in 20 seconds..."
sleep 20
fi
done
uninstall_agent
rm -f /opt/so/so-elastic-agent_linux_amd64
echo "The so-elastic-agent installer failed after 3 attempts. Exiting."
exit 1
else
echo "Unable to locate so-elastic-agent installer. Exiting."
exit 1
fi
@@ -9,13 +9,11 @@
RETURN_CODE=0 RETURN_CODE=0
if [ ! -f /opt/so/state/eaintegrations.txt ]; then if [ ! -f /opt/so/state/eaintegrations.txt ]; then
# First, check for any package upgrades
/usr/sbin/so-elastic-fleet-package-upgrade
# Second, update Fleet Server policies # update Fleet Server policies
/usr/sbin/so-elastic-fleet-integration-policy-elastic-fleet-server /usr/sbin/so-elastic-fleet-integration-policy-elastic-fleet-server
# Third, configure Elastic Defend Integration seperately # configure Elastic Defend Integration separately
/usr/sbin/so-elastic-fleet-integration-policy-elastic-defend /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
# Each group fetches its agent policy once and dispatches create/update writes concurrently. # Each group fetches its agent policy once and dispatches create/update writes concurrently.
@@ -32,9 +30,12 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
elastic_fleet_load_integrations_dir "so-grid-nodes_heavy" \ elastic_fleet_load_integrations_dir "so-grid-nodes_heavy" \
/opt/so/conf/elastic-fleet/integrations/grid-nodes_heavy "Grid Nodes Policy_Heavy" || RETURN_CODE=1 /opt/so/conf/elastic-fleet/integrations/grid-nodes_heavy "Grid Nodes Policy_Heavy" || RETURN_CODE=1
# Fleet Server - Optional integrations (one agent policy per FleetServer_* directory) # Fleet Server - Optional integrations (adds integration configuration to a given FleetServer_ policy)
for FLEET_DIR in /opt/so/conf/elastic-fleet/integrations-optional/FleetServer*/; do for FLEET_DIR in /opt/so/conf/elastic-fleet/integrations-optional/FleetServer*/; do
[ -d "$FLEET_DIR" ] || continue [ -d "$FLEET_DIR" ] || continue
INTEGRATIONS=("${FLEET_DIR%/}"/*.json)
[ -e "${INTEGRATIONS[0]}" ] || continue
FLEET_POLICY=$(basename "$FLEET_DIR") FLEET_POLICY=$(basename "$FLEET_DIR")
elastic_fleet_load_integrations_dir "$FLEET_POLICY" \ elastic_fleet_load_integrations_dir "$FLEET_POLICY" \
"${FLEET_DIR%/}" "Fleet Server Policy" "elasticsearch-logs" || RETURN_CODE=1 "${FLEET_DIR%/}" "Fleet Server Policy" "elasticsearch-logs" || RETURN_CODE=1
@@ -30,7 +30,7 @@ done
if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then
printf "\nFleet Host URL, Enrollment Token or Elastic Version empty - exiting..." printf "\nFleet Host URL, Enrollment Token or Elastic Version empty - exiting..."
printf "\nFleet Host: $FLEETHOST, Enrollment Token: $ENROLLMENTOKEN\n" printf "\nFleet Host: $FLEETHOST, Enrollment Token: $ENROLLMENTOKEN\n"
exit exit 1
fi fi
OSARCH=( "linux-x86_64" "windows-x86_64" "darwin-x86_64" "darwin-aarch64" ) OSARCH=( "linux-x86_64" "windows-x86_64" "darwin-x86_64" "darwin-aarch64" )
@@ -62,31 +62,54 @@ do
done done
GOTARGETOS=( "linux" "windows" "darwin" "darwin/arm64" ) GOTARGETOS=( "linux" "windows" "darwin" "darwin/arm64" )
GOARCH="amd64"
printf "\n### Generating OS packages using the cleaned up tarballs" printf "\n### Generating OS packages using the cleaned up tarballs"
for GOOS in "${GOTARGETOS[@]}" for GOOS in "${GOTARGETOS[@]}"; do
do GOARCH="amd64"
if [[ $GOOS == 'darwin/arm64' ]]; then GOOS="darwin" && GOARCH="arm64"; fi if [[ $GOOS == 'darwin/arm64' ]]; then GOOS="darwin" && GOARCH="arm64"; fi
printf "\n\n### Generating $GOOS/$GOARCH Installer...\n" printf "\n\n### Generating $GOOS/$GOARCH Installer...\n"
docker run -e CGO_ENABLED=0 -e GOOS=$GOOS -e GOARCH=$GOARCH \ docker run -e CGO_ENABLED=0 -e GOOS=$GOOS -e GOARCH=$GOARCH \
--mount type=bind,source=/etc/pki/tls/certs/,target=/workspace/files/cert/ \ --mount type=bind,source=/etc/pki/tls/certs/,target=/workspace/files/cert/ \
--mount type=bind,source=/nsm/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \ --mount type=bind,source=/nsm/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \
--mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \ --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/,target=/output/ \
{{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHostURLsList=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_${GOOS}_${GOARCH} {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHostURLsList=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_${GOOS}_${GOARCH}
printf "\n### $GOOS/$GOARCH Installer Generated...\n" printf "\n### $GOOS/$GOARCH Installer Generated...\n"
done done
printf "\n\n### Generating MSI...\n" printf "\n\n### Generating MSI...\n"
cp /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/so-elastic-agent_windows_amd64 /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/so-elastic-agent_windows_amd64.exe cp /opt/so/saltstack/local/salt/elasticfleet/files/so-elastic-agent_windows_amd64 /opt/so/saltstack/local/salt/elasticfleet/files/so-elastic-agent_windows_amd64.exe
docker run \ docker run \
--mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ -w /output \ --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/,target=/output/ -w /output \
{{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} wixl -o so-elastic-agent_windows_amd64_msi --arch x64 /workspace/so-elastic-agent.wxs {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} wixl -o so-elastic-agent_windows_amd64_msi --arch x64 /workspace/so-elastic-agent.wxs
printf "\n### MSI Generated...\n" printf "\n### MSI Generated...\n"
# Verify installers were created
for GOOS in "${GOTARGETOS[@]}"; do
GOARCH="amd64"
if [[ $GOOS == 'darwin/arm64' ]]; then GOOS="darwin"; GOARCH="arm64"; fi
if [[ ! -f /opt/so/saltstack/local/salt/elasticfleet/files/so-elastic-agent_${GOOS}_${GOARCH} ]]; then
printf "\n### ERROR: Installer for %s/%s was not generated. Exiting...\n" "$GOOS" "$GOARCH"
exit 1
fi
# After verifying new installer was generated, move it to so_agent-installers directory
mv /opt/so/saltstack/local/salt/elasticfleet/files/so-elastic-agent_${GOOS}_${GOARCH} /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/
done
# Verify MSI installer
if [[ ! -f /opt/so/saltstack/local/salt/elasticfleet/files/so-elastic-agent_windows_amd64_msi ]]; then
printf "\n### ERROR: Installer MSI was not generated. Exiting...\n"
exit 1
else
# After verifying new installer MSI was generated, move it to so_agent-installers directory
mv /opt/so/saltstack/local/salt/elasticfleet/files/so-elastic-agent_windows_amd64_msi /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/
fi
printf "\n### Cleaning up temp files \n" printf "\n### Cleaning up temp files \n"
rm -rf /nsm/elastic-agent-workspace rm -rf /nsm/elastic-agent-workspace
rm -rf /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/so-elastic-agent_windows_amd64.exe rm -rf /opt/so/saltstack/local/salt/elasticfleet/files/so-elastic-agent_windows_amd64.exe
printf "\n### Copying so_agent-installers to /nsm/elastic-fleet/ for nginx.\n" printf "\n### Copying so_agent-installers to /nsm/elastic-fleet/ for nginx.\n"
\cp -vr /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/ /nsm/elastic-fleet/ \cp -vr /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/ /nsm/elastic-fleet/
chmod 644 /nsm/elastic-fleet/so_agent-installers/* chmod 644 /nsm/elastic-fleet/so_agent-installers/*
# if we got here all installers have been generated successfully
exit 0
@@ -12,17 +12,22 @@ PKG_LOAD_FAILURES=0
PKG_LOAD_FAILURES_NAMES=() PKG_LOAD_FAILURES_NAMES=()
{%- for PACKAGE in SUPPORTED_PACKAGES %} {%- for PACKAGE in SUPPORTED_PACKAGES %}
echo "Upgrading {{ PACKAGE }} package..." if INSTALLED_VERSION=$(elastic_fleet_package_version_check "{{ PACKAGE }}") && LATEST_VERSION=$(elastic_fleet_package_latest_version_check "{{ PACKAGE }}"); then
if VERSION=$(elastic_fleet_package_latest_version_check "{{ PACKAGE }}"); then
if ! elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION"; then if [ "$INSTALLED_VERSION" == "$LATEST_VERSION" ]; then
echo "{{ PACKAGE }} integration version $INSTALLED_VERSION is already at the reported latest version $LATEST_VERSION, skipping upgrade."
else
echo "Upgrading {{ PACKAGE }} package to version $LATEST_VERSION..."
if ! elastic_fleet_package_install "{{ PACKAGE }}" "$LATEST_VERSION"; then
PKG_LOAD_FAILURES=$((PKG_LOAD_FAILURES + 1)) PKG_LOAD_FAILURES=$((PKG_LOAD_FAILURES + 1))
PKG_LOAD_FAILURES_NAMES+=("{{ PACKAGE }}") PKG_LOAD_FAILURES_NAMES+=("{{ PACKAGE }}")
fi fi
fi
else else
echo "ERROR: Failed to get version information for integration {{ PACKAGE }}"
PKG_LOAD_FAILURES=$((PKG_LOAD_FAILURES + 1)) PKG_LOAD_FAILURES=$((PKG_LOAD_FAILURES + 1))
PKG_LOAD_FAILURES_NAMES+=("{{ PACKAGE }}") PKG_LOAD_FAILURES_NAMES+=("{{ PACKAGE }}")
fi fi
echo
{%- endfor %} {%- endfor %}
if [ $PKG_LOAD_FAILURES -gt 0 ]; then if [ $PKG_LOAD_FAILURES -gt 0 ]; then
@@ -35,6 +40,3 @@ if [ $PKG_LOAD_FAILURES -gt 0 ]; then
else else
echo "Successfully upgraded all packages." echo "Successfully upgraded all packages."
fi fi
echo
/usr/sbin/so-elasticsearch-templates-load
@@ -181,6 +181,9 @@ if ! elastic_fleet_policy_create "so-grid-nodes_heavy" "SO Grid Nodes - Heavy No
exit 1 exit 1
fi fi
# Check for package upgrades
so-elastic-fleet-package-upgrade
# Load Integrations for default policies # Load Integrations for default policies
so-elastic-fleet-integration-policy-load so-elastic-fleet-integration-policy-load
@@ -241,11 +244,37 @@ printf '%s\n'\
"" >> "$global_pillar_file" "" >> "$global_pillar_file"
# Call Elastic-Fleet Salt State # Call Elastic-Fleet Salt State
printf "\nApplying elasticfleet state" printf "\nApplying elasticfleet state\n"
salt-call state.apply elasticfleet queue=True for state_attempt in {1..3}; do
if salt-call state.apply elasticfleet queue=True; then
break
elif [[ $state_attempt -lt 3 ]]; then
printf "\nElasticfleet state did not complete successfully... Attempt (%s/3). Retrying...\n" "$state_attempt"
sleep 10
else
printf "\nFailure(s) in elasticfleet state... Exiting...\n"
exit 1
fi
done
printf "\nRunning so-elastic-agent-gen-installers\n"
# Generate installers & install Elastic Agent on the node # Generate installers & install Elastic Agent on the node
so-elastic-agent-gen-installers for agent_gen_attempt in {1..3}; do
printf "\nApplying elasticfleet.install_agent_grid state" if so-elastic-agent-gen-installers; then
salt-call state.apply elasticfleet.install_agent_grid queue=True break
exit 0 elif [[ $agent_gen_attempt -lt 3 ]]; then
printf "\nUnable to generate Elastic Agent installers... Attempt (%s/3). Retrying...\n" "$agent_gen_attempt"
sleep 10
else
printf "\nFailed to generate Elastic Agent installers after 3 attempts. Exiting...\n"
exit 1
fi
done
printf "\nApplying elasticfleet.install_agent_grid state\n"
if ! salt-call state.apply elasticfleet.install_agent_grid queue=True; then
printf "\nFailure(s) in elasticfleet.install_agent_grid state... Exiting...\n"
exit 1
fi
printf "\nElastic Fleet setup completed successfully\n"
+1 -1
View File
@@ -1,6 +1,6 @@
elasticsearch: elasticsearch:
enabled: false enabled: false
version: 9.3.3 version: 9.3.7
index_clean: true index_clean: true
data_retention_method: DLM data_retention_method: DLM
vm: vm:
@@ -118,70 +118,70 @@
{ {
"pipeline": { "pipeline": {
"tag": "pipeline_e16851a7", "tag": "pipeline_e16851a7",
"name": "logs-pfsense.log-1.25.2-firewall", "name": "logs-pfsense.log-1.25.4-firewall",
"if": "ctx.event.provider == 'filterlog'" "if": "ctx.event.provider == 'filterlog'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"tag": "pipeline_828590b5", "tag": "pipeline_828590b5",
"name": "logs-pfsense.log-1.25.2-openvpn", "name": "logs-pfsense.log-1.25.4-openvpn",
"if": "ctx.event.provider == 'openvpn'" "if": "ctx.event.provider == 'openvpn'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"tag": "pipeline_9d37039c", "tag": "pipeline_9d37039c",
"name": "logs-pfsense.log-1.25.2-ipsec", "name": "logs-pfsense.log-1.25.4-ipsec",
"if": "ctx.event.provider == 'charon'" "if": "ctx.event.provider == 'charon'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"tag": "pipeline_ad56bbca", "tag": "pipeline_ad56bbca",
"name": "logs-pfsense.log-1.25.2-dhcp", "name": "logs-pfsense.log-1.25.4-dhcp",
"if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\", \"dnsmasq-dhcp\"].contains(ctx.event.provider)" "if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\", \"dnsmasq-dhcp\"].contains(ctx.event.provider)"
} }
}, },
{ {
"pipeline": { "pipeline": {
"tag": "pipeline_dd85553d", "tag": "pipeline_dd85553d",
"name": "logs-pfsense.log-1.25.2-unbound", "name": "logs-pfsense.log-1.25.4-unbound",
"if": "ctx.event.provider == 'unbound'" "if": "ctx.event.provider == 'unbound'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"tag": "pipeline_720ed255", "tag": "pipeline_720ed255",
"name": "logs-pfsense.log-1.25.2-haproxy", "name": "logs-pfsense.log-1.25.4-haproxy",
"if": "ctx.event.provider == 'haproxy'" "if": "ctx.event.provider == 'haproxy'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"tag": "pipeline_456beba5", "tag": "pipeline_456beba5",
"name": "logs-pfsense.log-1.25.2-php-fpm", "name": "logs-pfsense.log-1.25.4-php-fpm",
"if": "ctx.event.provider == 'php-fpm'" "if": "ctx.event.provider == 'php-fpm'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"tag": "pipeline_a0d89375", "tag": "pipeline_a0d89375",
"name": "logs-pfsense.log-1.25.2-squid", "name": "logs-pfsense.log-1.25.4-squid",
"if": "ctx.event.provider == 'squid'" "if": "ctx.event.provider == 'squid'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"tag": "pipeline_c2f1ed55", "tag": "pipeline_c2f1ed55",
"name": "logs-pfsense.log-1.25.2-snort", "name": "logs-pfsense.log-1.25.4-snort",
"if": "ctx.event.provider == 'snort'" "if": "ctx.event.provider == 'snort'"
} }
}, },
{ {
"pipeline": { "pipeline": {
"tag":"pipeline_33db1c9e", "tag":"pipeline_33db1c9e",
"name": "logs-pfsense.log-1.25.2-suricata", "name": "logs-pfsense.log-1.25.4-suricata",
"if": "ctx.event.provider == 'suricata'" "if": "ctx.event.provider == 'suricata'"
} }
}, },
+1
View File
@@ -5,6 +5,7 @@
{ "remove": { "field": ["host"], "ignore_failure": true } }, { "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version", "target_field": "ssl.version", "ignore_missing": true } }, { "rename": { "field": "message2.version", "target_field": "ssl.version", "ignore_missing": true } },
{ "set": { "description": "Set transport for the community_id processor", "if": "ctx.ssl?.version == null || !ctx.ssl.version.startsWith('DTLS')", "field": "network.transport", "value": "tcp", "ignore_failure": true } },
{ "rename": { "field": "message2.cipher", "target_field": "ssl.cipher", "ignore_missing": true } }, { "rename": { "field": "message2.cipher", "target_field": "ssl.cipher", "ignore_missing": true } },
{ "rename": { "field": "message2.curve", "target_field": "ssl.curve", "ignore_missing": true } }, { "rename": { "field": "message2.curve", "target_field": "ssl.curve", "ignore_missing": true } },
{ "rename": { "field": "message2.server_name", "target_field": "ssl.server_name", "ignore_missing": true } }, { "rename": { "field": "message2.server_name", "target_field": "ssl.server_name", "ignore_missing": true } },
@@ -645,6 +645,7 @@ elasticsearch:
global: True global: True
advanced: True advanced: True
helpLink: elasticsearch helpLink: elasticsearch
so-logs-soc: *dataStreamSettings
so-logs-system_x_auth: *dataStreamSettings so-logs-system_x_auth: *dataStreamSettings
so-logs-system_x_syslog: *dataStreamSettings so-logs-system_x_syslog: *dataStreamSettings
so-logs-system_x_system: *dataStreamSettings so-logs-system_x_system: *dataStreamSettings
+1 -1
View File
@@ -22,7 +22,7 @@ kibana:
- default - default
- file - file
migrations: migrations:
discardCorruptObjects: "9.3.3" discardCorruptObjects: "9.3.7"
telemetry: telemetry:
enabled: False enabled: False
xpack: xpack:
+1 -1
View File
@@ -69,7 +69,7 @@ wait_for_so-kibana:
- ssl: True - ssl: True
- verify_ssl: False - verify_ssl: False
- status: 200 - status: 200
- wait_for: 300 - wait_for: 600
- request_interval: 15 - request_interval: 15
- require: - require:
- docker_container: so-kibana - docker_container: so-kibana
+2
View File
@@ -0,0 +1,2 @@
https://repo.securityonion.net/file/so-repo/prod/3/oracle/9-uek8
https://repo-alt.securityonion.net/prod/3/oracle/9-uek8
+5
View File
@@ -11,3 +11,8 @@ name=Security Onion Repo repo
mirrorlist=file:///opt/so/conf/reposync/mirror.txt mirrorlist=file:///opt/so/conf/reposync/mirror.txt
enabled=1 enabled=1
gpgcheck=1 gpgcheck=1
[securityonionkernelsync]
name=Security Onion Kernel Repo repo
mirrorlist=file:///opt/so/conf/reposync/mirror-kernel.txt
enabled=1
gpgcheck=1
+29
View File
@@ -86,6 +86,28 @@ repo_dir:
- group - group
- show_changes: False - show_changes: False
kernelrepo_dir:
file.directory:
- name: /nsm/kernelrepo
- user: socore
- group: socore
- recurse:
- user
- group
- show_changes: False
# Ensure /nsm/kernelrepo is always a valid (if empty) repo before it is ever assigned to
# a client. Without repodata/repomd.xml an enabled file:///nsm/kernelrepo repo makes every
# dnf operation fail; so-repo-sync only populates it after the highstate, so seed an empty
# repo here. Only runs when repodata is missing, so it won't clobber a synced repo.
kernelrepo_init_empty:
cmd.run:
- name: createrepo /nsm/kernelrepo
- unless: 'test -e /nsm/kernelrepo/repodata/repomd.xml'
- require:
- file: kernelrepo_dir
- pkg: install_createrepo
manager_sbin: manager_sbin:
file.recurse: file.recurse:
- name: /usr/sbin - name: /usr/sbin
@@ -122,6 +144,13 @@ so-repo-mirrorlist:
- user: socore - user: socore
- group: socore - group: socore
so-repo-kernel-mirrorlist:
file.managed:
- name: /opt/so/conf/reposync/mirror-kernel.txt
- source: salt://manager/files/mirror-kernel.txt
- user: socore
- group: socore
so-repo-sync: so-repo-sync:
{% if MANAGERMERGED.reposync.enabled %} {% if MANAGERMERGED.reposync.enabled %}
cron.present: cron.present:
+11
View File
@@ -10,5 +10,16 @@ NOROOT=1
set -e set -e
curl --retry 5 --retry-delay 60 -A "reposync/$(sync_options)" https://sigs.securityonion.net/checkup --output /tmp/checkup curl --retry 5 --retry-delay 60 -A "reposync/$(sync_options)" https://sigs.securityonion.net/checkup --output /tmp/checkup
dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/ dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/
createrepo /nsm/repo createrepo /nsm/repo
# The kernel repo section is deployed to repodownload.conf by the manager highstate, which
# runs AFTER this script during soup. On the first upgrade to a kernel-aware version the
# on-disk config still predates the section, so guard on its presence to avoid dnf's
# "Unknown repo: 'securityonionkernelsync'" aborting the sync (set -e). The next sync after the
# highstate deploys the section will pick it up.
if grep -q '^\[securityonionkernelsync\]' /opt/so/conf/reposync/repodownload.conf; then
dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionkernelsync --download-metadata -p /nsm/kernelrepo/
createrepo /nsm/kernelrepo
fi
+179 -17
View File
@@ -12,7 +12,17 @@
UPDATE_DIR=/tmp/sogh/securityonion UPDATE_DIR=/tmp/sogh/securityonion
DEFAULT_SALT_DIR=/opt/so/saltstack/default DEFAULT_SALT_DIR=/opt/so/saltstack/default
INSTALLEDVERSION=$(cat /etc/soversion) INSTALLEDVERSION=$(cat /etc/soversion)
# /etc/sopostversion is a soup-owned marker (no salt state manages it) tracking how
# far the post-upgrade walk has progressed. Its presence means a prior upgrade did
# not finish its post-upgrade steps; its contents are the resume point. It is read
# here before preupgrade_changes mutates INSTALLEDVERSION and before any highstate
# stamps /etc/soversion from the pillar.
POSTVERSION_FILE=/etc/sopostversion
if [ -f "$POSTVERSION_FILE" ]; then
POSTVERSION=$(cat "$POSTVERSION_FILE")
else
POSTVERSION=$INSTALLEDVERSION POSTVERSION=$INSTALLEDVERSION
fi
INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk '{print $2}') INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk '{print $2}')
BATCHSIZE=5 BATCHSIZE=5
SOUP_LOG=/root/soup.log SOUP_LOG=/root/soup.log
@@ -23,6 +33,10 @@ NOTIFYCUSTOMELASTICCONFIG=false
TOPFILE=/opt/so/saltstack/default/salt/top.sls TOPFILE=/opt/so/saltstack/default/salt/top.sls
BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup
SALTUPGRADED=false SALTUPGRADED=false
# Set true once soup begins modifying the system (past the pre-flight checks), so the
# EXIT trap can tell the user the update did not finish and must be re-run. Only the
# pre-flight gates (ES compatibility, disk, network) fail before this is set.
SOUP_UPGRADE_STARTED=false
SALT_CLOUD_INSTALLED=false SALT_CLOUD_INSTALLED=false
SALT_CLOUD_CONFIGURED=false SALT_CLOUD_CONFIGURED=false
# Check if salt-cloud is installed # Check if salt-cloud is installed
@@ -123,6 +137,28 @@ check_err() {
echo "SOUP XTRACE debug log (if enabled) at $SOUP_DEBUG_LOG. Re-run soup with SOUP_DEBUG=1 to create $SOUP_DEBUG_LOG" echo "SOUP XTRACE debug log (if enabled) at $SOUP_DEBUG_LOG. Re-run soup with SOUP_DEBUG=1 to create $SOUP_DEBUG_LOG"
# If soup had already started modifying the system, make it unmistakable that the
# update is incomplete and must be re-run. soup is resumable: a version upgrade
# picks up from the /etc/sopostversion marker, and a hotfix re-applies because
# /etc/sohotfix is only advanced after a successful highstate.
if [[ "$SOUP_UPGRADE_STARTED" == "true" ]]; then
echo ""
echo "=============================================================================="
echo " UPGRADE INCOMPLETE"
echo "=============================================================================="
echo " This soup run did NOT finish. Your Security Onion installation may be in a"
echo " partially-updated state and is not yet fully upgraded."
echo ""
echo " Review the error above and $SOUP_LOG, resolve the underlying problem, then"
echo " run soup again to resume and complete the update:"
echo ""
echo " sudo soup"
echo ""
echo " soup is resumable -- re-running it continues from where this run stopped."
echo "=============================================================================="
echo ""
fi
exit $exit_code exit $exit_code
fi fi
@@ -131,6 +167,8 @@ check_err() {
# Collect bash error context before passing off to check_err() # Collect bash error context before passing off to check_err()
on_err() { on_err() {
local exit_code=$? local exit_code=$?
# Ignore failures in blocks that explicitly disabled errexit with `set +e`.
[[ $- == *e* ]] || return $exit_code
# turn off xtrace to prevent added noise in debug log # turn off xtrace to prevent added noise in debug log
set +x 2>/dev/null || true set +x 2>/dev/null || true
@@ -243,6 +281,7 @@ check_airgap() {
UPDATE_DIR=/tmp/soagupdate/SecurityOnion UPDATE_DIR=/tmp/soagupdate/SecurityOnion
AGDOCKER=/tmp/soagupdate/docker AGDOCKER=/tmp/soagupdate/docker
AGREPO=/tmp/soagupdate/minimal/Packages AGREPO=/tmp/soagupdate/minimal/Packages
AGUEKREPO=/tmp/soagupdate/uek/Packages
else else
is_airgap=1 is_airgap=1
fi fi
@@ -288,6 +327,30 @@ check_pillar_items() {
fi fi
} }
check_cluster_health() {
echo "Checking Elasticsearch cluster health."
# Require a 'green' cluster before upgrading; anything less (yellow, red, or
# unreachable) blocks. Modeled on the wait used in so-elasticsearch-roles-load.
if so-elasticsearch-query "_cluster/health?wait_for_status=green&timeout=120s" --fail > /dev/null 2>&1; then
printf "\nThe Elasticsearch cluster is healthy (green). We can proceed with SOUP.\n\n"
else
printf "\nThe Elasticsearch cluster is not green. Please resolve the cluster health issue so the cluster is green before running SOUP again.\n\n"
exit 0
fi
}
check_fleet_server() {
echo "Checking that Elastic Fleet Server is responding."
# Modeled on the wait_for_so-elastic-fleet state check in elasticfleet/enabled.sls,
# which waits for HTTP 200 from the Fleet Server status API.
if curl -sk --fail --retry 3 --retry-delay 10 --max-time 30 "https://localhost:8220/api/status" > /dev/null 2>&1; then
printf "\nElastic Fleet Server is responding. We can proceed with SOUP.\n\n"
else
printf "\nElastic Fleet Server is not responding at https://localhost:8220/api/status. Please ensure Elastic Fleet is healthy before running SOUP again.\n\n"
exit 0
fi
}
check_saltmaster_status() { check_saltmaster_status() {
set +e set +e
echo "Waiting on the Salt Master service to be ready." echo "Waiting on the Salt Master service to be ready."
@@ -374,6 +437,8 @@ get_soup_script_hashes() {
GITIMGCMN=$(md5sum $UPDATE_DIR/salt/common/tools/sbin/so-image-common | awk '{print $1}') GITIMGCMN=$(md5sum $UPDATE_DIR/salt/common/tools/sbin/so-image-common | awk '{print $1}')
CURRENTSOFIREWALL=$(md5sum /usr/sbin/so-firewall | awk '{print $1}') CURRENTSOFIREWALL=$(md5sum /usr/sbin/so-firewall | awk '{print $1}')
GITSOFIREWALL=$(md5sum $UPDATE_DIR/salt/manager/tools/sbin/so-firewall | awk '{print $1}') GITSOFIREWALL=$(md5sum $UPDATE_DIR/salt/manager/tools/sbin/so-firewall | awk '{print $1}')
CURRENTSOYAML=$(md5sum /usr/sbin/so-yaml.py | awk '{print $1}')
GITSOYAML=$(md5sum $UPDATE_DIR/salt/manager/tools/sbin/so-yaml.py | awk '{print $1}')
} }
highstate() { highstate() {
@@ -411,6 +476,13 @@ preupgrade_changes() {
true true
} }
set_postversion() {
# Persist post-upgrade walk progress so an interrupted upgrade can resume the
# remaining steps on the next soup run (see /etc/sopostversion handling).
POSTVERSION="$1"
echo "$POSTVERSION" > "$POSTVERSION_FILE"
}
postupgrade_changes() { postupgrade_changes() {
# This function is to add any new pillar items if needed. # This function is to add any new pillar items if needed.
echo "Running post upgrade processes." echo "Running post upgrade processes."
@@ -418,6 +490,8 @@ postupgrade_changes() {
[[ "$POSTVERSION" =~ ^2\.4\.21[0-9]+$ ]] && post_to_3.0.0 [[ "$POSTVERSION" =~ ^2\.4\.21[0-9]+$ ]] && post_to_3.0.0
[[ "$POSTVERSION" == "3.0.0" ]] && post_to_3.1.0 [[ "$POSTVERSION" == "3.0.0" ]] && post_to_3.1.0
[[ "$POSTVERSION" == "3.1.0" ]] && post_to_3.2.0 [[ "$POSTVERSION" == "3.1.0" ]] && post_to_3.2.0
# All applicable post-upgrade steps completed; clear the resume marker.
rm -f "$POSTVERSION_FILE"
true true
} }
@@ -510,7 +584,7 @@ post_to_3.0.0() {
# convert yes/no in suricata pillars to true/false # convert yes/no in suricata pillars to true/false
convert_suricata_yes_no convert_suricata_yes_no
POSTVERSION=3.0.0 set_postversion 3.0.0
} }
### 3.0.0 End ### ### 3.0.0 End ###
@@ -737,7 +811,6 @@ fix_logstash_0013_lumberjack_pipeline_name() {
up_to_3.1.0() { up_to_3.1.0() {
ensure_postgres_local_pillar ensure_postgres_local_pillar
ensure_postgres_secret ensure_postgres_secret
determine_elastic_agent_upgrade
elasticsearch_backup_index_templates elasticsearch_backup_index_templates
# Clear existing component template state file. # Clear existing component template state file.
rm -f /opt/so/state/esfleet_component_templates.json rm -f /opt/so/state/esfleet_component_templates.json
@@ -774,19 +847,30 @@ post_to_3.1.0() {
# Check for unhealthy / unauthorized integration transform jobs and attempt reauthorizations # Check for unhealthy / unauthorized integration transform jobs and attempt reauthorizations
check_transform_health_and_reauthorize || true check_transform_health_and_reauthorize || true
POSTVERSION=3.1.0 set_postversion 3.1.0
} }
### 3.1.0 End ### ### 3.1.0 End ###
### 3.2.0 Scripts ### ### 3.2.0 Scripts ###
recollate_postgres() {
echo ""
echo "Recollating PostgreSQL databases. The following output may contain warnings about a version mismatch, followed by a note indicating that the collation version has been changed."
for db in postgres securityonion so_telegraf; do
docker exec so-postgres psql -U postgres $db -c "reindex database $db"
docker exec so-postgres psql -U postgres $db -c "alter database $db refresh collation version"
done
echo "Recollating PostgreSQL databases complete."
echo ""
}
bootstrap_so_soc_database() { bootstrap_so_soc_database() {
# init-db.sh is mounted into so-postgres at /docker-entrypoint-initdb.d/init-db.sh # init-db.sh is mounted into so-postgres at /docker-entrypoint-initdb.d/init-db.sh
# and runs automatically only on a fresh data directory. Hosts upgrading from # and runs automatically only on a fresh data directory. Hosts upgrading from
# 3.1.0 already have /nsm/postgres populated, so the so_soc bootstrap block # 3.1.0 already have /nsm/postgres populated, so the so_soc bootstrap block
# added in 3.2 never fires. Re-run the script explicitly; it's idempotent. # added in 3.2 never fires. Re-run the script explicitly; it's idempotent.
echo "Bootstrapping so_soc database via init-db.sh." echo "Bootstrapping database via init-db.sh."
# The postgres image has no USER directive, so `docker exec` defaults to # The postgres image has no USER directive, so `docker exec` defaults to
# root, and the container env intentionally omits POSTGRES_USER (the upstream # root, and the container env intentionally omits POSTGRES_USER (the upstream
# entrypoint defaults it transiently during first-init only). Recreate both # entrypoint defaults it transiently during first-init only). Recreate both
@@ -797,10 +881,13 @@ bootstrap_so_soc_database() {
return 0 return 0
fi fi
if ! $exec_cmd; then if ! $exec_cmd; then
FINAL_MESSAGE_QUEUE+=("WARNING: init-db.sh failed inside so-postgres during the 3.2.0 upgrade; the so_soc database may not have been bootstrapped. Re-run manually: $exec_cmd") FINAL_MESSAGE_QUEUE+=("WARNING: init-db.sh failed inside so-postgres during the 3.2.0 upgrade; the database may not have been bootstrapped. Re-run manually: $exec_cmd")
return 0 return 0
fi fi
echo "so_soc bootstrap complete." echo "Database bootstrap complete."
echo "Restarting so-soc container to pick up database changes"
docker restart so-soc
} }
# Existing grids should keep ILM unless an admin explicitly opts in to DLM. # Existing grids should keep ILM unless an admin explicitly opts in to DLM.
@@ -848,7 +935,32 @@ kibana_backport_streams_index_template() {
} }
# Runs kafka-features.sh upgrade --release-version $1
# Upgrades Kafka KRaft cluster metadata
update_kafka_metadata() {
metadata_version="$1"
global_pillar="/opt/so/saltstack/local/pillar/global/soc_global.sls"
if PIPELINE=$(so-yaml.py get -r "$global_pillar" global.pipeline 2> /dev/null) && [[ "$PIPELINE" == "KAFKA" ]]; then
kafka_nodes_raw=$(salt-call pillar.get kafka:nodes --out=json)
if kafka_nodes=$(jq -er '.local | select(type == "object" and length > 0)' <<< "$kafka_nodes_raw"); then
bootstrap_servers=$(jq -r '[to_entries[] | select(.value.role | contains("broker")) | "\(.value.ip):9092"] | join(",")' <<< "$kafka_nodes")
echo "Upgrading Kafka KRaft cluster version"
so-kafka-cli kafka-features.sh --bootstrap-server "$bootstrap_servers" --command-config /opt/kafka/config/kraft/client.properties upgrade --release-version "$metadata_version" 2>/dev/null || true
return 0
else
FINAL_MESSAGE_QUEUE+=("WARNING: Unable to automatically perform Kafka KRaft cluster metadata update. This step can be performed manually using the following command (replacing \$BROKER_IP with the ip of atleast 1 available Kafka broker):")
FINAL_MESSAGE_QUEUE+=(" - so-kafka-cli kafka-features.sh --bootstrap-server \$BROKER_IP:9092 --command-config /opt/kafka/config/kraft/client.properties upgrade --release-version $metadata_version")
fi
else
echo "Nothing to do!"
fi
}
up_to_3.2.0() { up_to_3.2.0() {
# download 9.3.7 elastic agent packages
determine_elastic_agent_upgrade
fix_logstash_0013_lumberjack_pipeline_name fix_logstash_0013_lumberjack_pipeline_name
pin_elasticsearch_data_retention_method pin_elasticsearch_data_retention_method
@@ -857,15 +969,20 @@ up_to_3.2.0() {
} }
post_to_3.2.0() { post_to_3.2.0() {
# Recollate due to image OS rebase
recollate_postgres
bootstrap_so_soc_database bootstrap_so_soc_database
# Including agent regen script here since it was missed in post_to_3.1.0 # Generate 9.3.7 elastic agent installers
echo "Regenerating Elastic Agent Installers" echo "Regenerating Elastic Agent Installers"
/sbin/so-elastic-agent-gen-installers /sbin/so-elastic-agent-gen-installers
kibana_backport_streams_index_template kibana_backport_streams_index_template
POSTVERSION=3.2.0 update_kafka_metadata "4.3"
set_postversion 3.2.0
} }
### 3.2.0 End ### ### 3.2.0 End ###
@@ -978,13 +1095,19 @@ update_airgap_rules() {
rsync -a $UPDATE_DIR/agrules/securityonion-resources/* /nsm/securityonion-resources/ rsync -a $UPDATE_DIR/agrules/securityonion-resources/* /nsm/securityonion-resources/
} }
update_airgap_repo() { update_airgap_repos() {
# Update the files in the repo # Update the files in the repo
echo "Syncing new updates to /nsm/repo" echo "Syncing new updates to /nsm/repo & /nsm/kernelrepo"
rsync -a $AGREPO/* /nsm/repo/ # Airgap soup copies new files into the local repo, but doesn't remove old packages. Retaining the ability to rollback package updates
echo "Creating repo" rsync -a "$AGREPO"/ /nsm/repo/
rsync -a "$AGUEKREPO"/ /nsm/kernelrepo/
dnf -y install yum-utils createrepo_c dnf -y install yum-utils createrepo_c
echo "Running createrepo for /nsm/repo"
createrepo /nsm/repo createrepo /nsm/repo
echo "Running createrepo for /nsm/kernelrepo"
createrepo /nsm/kernelrepo
} }
update_salt_mine() { update_salt_mine() {
@@ -1011,8 +1134,20 @@ upgrade_check() {
fi fi
[[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix) [[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix)
if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
# A leftover post-version marker means a previous upgrade to this version
# advanced /etc/soversion (the highstate stamps it from the pillar) but did not
# finish its post-upgrade steps. Resume the upgrade instead of reporting "latest".
if [ -f "$POSTVERSION_FILE" ] && [ "$(cat "$POSTVERSION_FILE")" != "$NEWVERSION" ]; then
echo "A previous upgrade to $NEWVERSION did not complete its post-upgrade steps; resuming."
is_hotfix=false
return 0
fi
echo "Checking to see if there are hotfixes needed" echo "Checking to see if there are hotfixes needed"
if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then
# Reaching here means we are at the target version and NOT resuming (the resume
# check above returned otherwise). Clear any stale resume marker so a completed
# upgrade is never mistaken for a partial one and re-run on a later invocation.
rm -f "$POSTVERSION_FILE"
echo "You are already running the latest version of Security Onion." echo "You are already running the latest version of Security Onion."
exit 0 exit 0
else else
@@ -1091,7 +1226,7 @@ upgrade_salt() {
verify_latest_update_script() { verify_latest_update_script() {
get_soup_script_hashes get_soup_script_hashes
if [[ "$CURRENTSOUP" == "$GITSOUP" && "$CURRENTCMN" == "$GITCMN" && "$CURRENTIMGCMN" == "$GITIMGCMN" && "$CURRENTSOFIREWALL" == "$GITSOFIREWALL" ]]; then if [[ "$CURRENTSOUP" == "$GITSOUP" && "$CURRENTCMN" == "$GITCMN" && "$CURRENTIMGCMN" == "$GITIMGCMN" && "$CURRENTSOFIREWALL" == "$GITSOFIREWALL" && "$CURRENTSOYAML" == "$GITSOYAML" ]]; then
echo "This version of the soup script is up to date. Proceeding." echo "This version of the soup script is up to date. Proceeding."
else else
echo "You are not running the latest soup version. Updating soup and its components. This might take multiple runs to complete." echo "You are not running the latest soup version. Updating soup and its components. This might take multiple runs to complete."
@@ -1100,7 +1235,7 @@ verify_latest_update_script() {
# Verify that soup scripts updated as expected # Verify that soup scripts updated as expected
get_soup_script_hashes get_soup_script_hashes
if [[ "$CURRENTSOUP" == "$GITSOUP" && "$CURRENTCMN" == "$GITCMN" && "$CURRENTIMGCMN" == "$GITIMGCMN" && "$CURRENTSOFIREWALL" == "$GITSOFIREWALL" ]]; then if [[ "$CURRENTSOUP" == "$GITSOUP" && "$CURRENTCMN" == "$GITCMN" && "$CURRENTIMGCMN" == "$GITIMGCMN" && "$CURRENTSOFIREWALL" == "$GITSOFIREWALL" && "$CURRENTSOYAML" == "$GITSOYAML" ]]; then
echo "Succesfully updated soup scripts." echo "Succesfully updated soup scripts."
else else
echo "There was a problem updating soup scripts. Trying to rerun script update." echo "There was a problem updating soup scripts. Trying to rerun script update."
@@ -1124,7 +1259,8 @@ verify_es_version_compatibility() {
["8.18.4"]="8.18.6 8.18.8 9.0.8" ["8.18.4"]="8.18.6 8.18.8 9.0.8"
["8.18.6"]="8.18.8 9.0.8" ["8.18.6"]="8.18.8 9.0.8"
["8.18.8"]="9.0.8" ["8.18.8"]="9.0.8"
["9.0.8"]="9.3.3" ["9.0.8"]="9.3.3 9.3.7"
["9.3.3"]="9.3.7"
) )
# Elasticsearch MUST upgrade through these versions # Elasticsearch MUST upgrade through these versions
@@ -1707,6 +1843,15 @@ main() {
set_minionid set_minionid
MINION_ROLE=$(lookup_role) MINION_ROLE=$(lookup_role)
echo "Found that Security Onion $INSTALLEDVERSION is currently installed." echo "Found that Security Onion $INSTALLEDVERSION is currently installed."
# /etc/soversion is stamped to the target version before the upgrade fully
# completes, so a lingering resume marker means this grid is only partially
# upgraded even though the line above shows the target version. Make that explicit
# so it is not mistaken for a finished upgrade.
if [ -f "$POSTVERSION_FILE" ] && [ "$(cat "$POSTVERSION_FILE")" != "$INSTALLEDVERSION" ]; then
echo ""
echo "NOTE: A previous upgrade to $INSTALLEDVERSION did not finish. This grid is"
echo " partially upgraded and this soup run will resume and complete it."
fi
echo "" echo ""
check_minimum_version check_minimum_version
@@ -1735,12 +1880,18 @@ main() {
echo "Verifying Elasticsearch version compatibility across the grid before upgrading." echo "Verifying Elasticsearch version compatibility across the grid before upgrading."
verify_es_version_compatibility verify_es_version_compatibility
# Pre-flight health checks: confirm the grid is in a good state before we change
# anything. These run before any modifications, so a failure exits cleanly and the
# operator can fix the issue and re-run soup.
check_cluster_health
check_fleet_server
echo "Checking for Salt Master and Minion updates." echo "Checking for Salt Master and Minion updates."
upgrade_check_salt upgrade_check_salt
set -e set -e
if [[ $is_airgap -eq 0 ]]; then if [[ $is_airgap -eq 0 ]]; then
update_airgap_repo update_airgap_repos
dnf clean all dnf clean all
check_os_updates check_os_updates
elif [[ $OS == 'oracle' ]]; then elif [[ $OS == 'oracle' ]]; then
@@ -1751,6 +1902,7 @@ main() {
fi fi
if [ "$is_hotfix" == "true" ]; then if [ "$is_hotfix" == "true" ]; then
SOUP_UPGRADE_STARTED=true
echo "Applying $HOTFIXVERSION hotfix" echo "Applying $HOTFIXVERSION hotfix"
# since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
if [[ ! "$MINION_ROLE" == "import" ]]; then if [[ ! "$MINION_ROLE" == "import" ]]; then
@@ -1761,10 +1913,16 @@ main() {
create_local_directories "/opt/so/saltstack/default" create_local_directories "/opt/so/saltstack/default"
apply_hotfix apply_hotfix
echo "Hotfix applied" echo "Hotfix applied"
update_version
enable_highstate enable_highstate
highstate highstate
# Record the hotfix only after the highstate succeeds. /etc/sohotfix is written
# solely by soup (no salt state manages it), so deferring the write means a failed
# hotfix highstate leaves the old hotfix value and re-running soup re-applies it,
# rather than reporting "already latest". The soversion/pillar writes in
# update_version are no-ops here since the version is unchanged for a hotfix.
update_version
else else
SOUP_UPGRADE_STARTED=true
echo "" echo ""
echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION." echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
echo "" echo ""
@@ -1820,6 +1978,10 @@ main() {
copy_new_files copy_new_files
echo "" echo ""
create_local_directories "/opt/so/saltstack/default" create_local_directories "/opt/so/saltstack/default"
# Seed the resume marker before the highstate stamps /etc/soversion to the new
# version, so an interrupted upgrade is detectable as "not finished" on re-run.
# POSTVERSION still holds the pre-upgrade (or prior resume) version here.
[ -f "$POSTVERSION_FILE" ] || echo "$POSTVERSION" > "$POSTVERSION_FILE"
update_version update_version
echo "" echo ""
+1
View File
@@ -59,6 +59,7 @@ so-nginx:
- /opt/so/conf/navigator/layers/:/opt/socore/html/navigator/assets/so:ro - /opt/so/conf/navigator/layers/:/opt/socore/html/navigator/assets/so:ro
- /opt/so/conf/navigator/config.json:/opt/socore/html/navigator/assets/config.json:ro - /opt/so/conf/navigator/config.json:/opt/socore/html/navigator/assets/config.json:ro
- /nsm/repo:/opt/socore/html/repo:ro - /nsm/repo:/opt/socore/html/repo:ro
- /nsm/kernelrepo:/opt/socore/html/kernelrepo:ro
- /nsm/rules:/nsm/rules:ro - /nsm/rules:/nsm/rules:ro
{% if NGINXMERGED.external_suricata %} {% if NGINXMERGED.external_suricata %}
- /opt/so/rules/nids/suri:/surirules:ro - /opt/so/rules/nids/suri:/surirules:ro
+11 -1
View File
@@ -323,6 +323,16 @@ http {
autoindex_localtime on; autoindex_localtime on;
} }
location /kernelrepo/ {
allow all;
sendfile on;
sendfile_max_chunk 1m;
autoindex on;
autoindex_exact_size off;
autoindex_format html;
autoindex_localtime on;
}
location /influxdb/ { location /influxdb/ {
auth_request /auth/sessions/whoami; auth_request /auth/sessions/whoami;
rewrite /influxdb/api/(.*) /api/$1 break; rewrite /influxdb/api/(.*) /api/$1 break;
@@ -389,7 +399,7 @@ http {
error_page 429 = @error429; error_page 429 = @error429;
location @error401 { location @error401 {
if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*|^/.*\.map$)) { if ($request_uri ~* (^.*/api/.*|^/connect/.*|^/oauth2/.*|^/.*\.map$)) {
return 401; return 401;
} }
+1 -1
View File
@@ -16,7 +16,7 @@ include:
# Install the registry container # Install the registry container
so-dockerregistry: so-dockerregistry:
docker_container.running: docker_container.running:
- image: ghcr.io/security-onion-solutions/registry:3.0.0 - image: ghcr.io/security-onion-solutions/registry:3.1.1
- hostname: so-registry - hostname: so-registry
- networks: - networks:
- sobridge: - sobridge:
+30
View File
@@ -6,6 +6,10 @@
{% from 'repo/client/map.jinja' import REPOPATH with context %} {% from 'repo/client/map.jinja' import REPOPATH with context %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
{% set saltversion = saltversion.salt.minion.version %}
{% set INSTALLEDSALTVERSION = grains.saltversion %}
{% set role = grains.id.split('_') | last %} {% set role = grains.id.split('_') | last %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
{% if grains['os'] == 'OEL' %} {% if grains['os'] == 'OEL' %}
@@ -57,6 +61,32 @@ so_repo:
- enabled: 1 - enabled: 1
- gpgcheck: 1 - gpgcheck: 1
# Only assign the kernel repo once this node's running salt matches the version this
# SO release ships. During a soup the grid is mid-salt-upgrade; gating here keeps the
# UEK8 kernel repo (and the kernel update it enables) from activating until the node is
# fully on the target salt, the same way other states defer across the upgrade window.
{% if saltversion | string == INSTALLEDSALTVERSION | string %}
so_kernel_repo:
pkgrepo.managed:
- name: securityonionkernel
- humanname: Security Onion Kernel Repo
{% if GLOBALS.is_manager %}
- baseurl: file:///nsm/kernelrepo/
{% else %}
- baseurl: https://{{ GLOBALS.repo_host }}/kernelrepo
{% endif %}
- enabled: 1
- gpgcheck: 1
# Supplementary kernel repo: tolerate it being empty/unreachable (e.g. before the
# manager has populated /nsm/kernelrepo) so a missing repomd.xml can't make every
# dnf/pkg operation on the grid fail.
- skip_if_unavailable: 1
# Only assign the kernel repo once physical NIC names are pinned by MAC, so the
# UEK8 kernel update can't renumber interfaces SO binds by name (see pin_nic_names
# in salt/common/init.sls, which drops this marker via /usr/sbin/so-nic-pin).
- onlyif: 'test -e /opt/so/state/nic_names_pinned'
{% endif %}
{% endif %} {% endif %}
# TODO: Add a pillar entry for custom repos # TODO: Add a pillar entry for custom repos
+24
View File
@@ -134,6 +134,30 @@ socsigmasopipeline:
- group: 939 - group: 939
- mode: 600 - mode: 600
socsigmaplaybookpipeline:
file.managed:
- name: /opt/so/conf/soc/sigma_playbook_pipeline.yaml
- source: salt://soc/files/soc/sigma_playbook_pipeline.yaml
- user: 939
- group: 939
- mode: 600
socplaybookplaceholdermap:
file.managed:
- name: /opt/so/conf/soc/playbook_placeholder_map.yaml
- source: salt://soc/files/soc/playbook_placeholder_map.yaml
- user: 939
- group: 939
- mode: 600
socplaybookplaceholdermapcustom:
file.managed:
- name: /opt/so/conf/soc/playbook_placeholder_map_custom.yaml
- source: salt://soc/files/soc/playbook_placeholder_map_custom.yaml
- user: 939
- group: 939
- mode: 600
socbanner: socbanner:
file.managed: file.managed:
- name: /opt/so/conf/soc/banner.md - name: /opt/so/conf/soc/banner.md
+10
View File
@@ -8,6 +8,7 @@
{% from 'docker/docker.map.jinja' import DOCKERMERGED -%} {% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
{% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %} {% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
{% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %} {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
{% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
{% for module, application_url in GLOBALS.application_urls.items() %} {% for module, application_url in GLOBALS.application_urls.items() %}
{% do SOCDEFAULTS.soc.config.server.modules[module].update({'hostUrl': application_url}) %} {% do SOCDEFAULTS.soc.config.server.modules[module].update({'hostUrl': application_url}) %}
@@ -24,6 +25,14 @@
{% do SOCDEFAULTS.soc.config.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %} {% do SOCDEFAULTS.soc.config.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %}
{% if TELEGRAFMERGED.output == 'POSTGRES' %}
{% for tool in SOCDEFAULTS.soc.config.server.client.tools %}
{% if tool.name == "toolInfluxDb" %}
{% do SOCDEFAULTS.soc.config.server.client.tools.remove(tool) %}
{% endif %}
{% endfor %}
{% else %}
{% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %} {% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %}
{% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %} {% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %}
{% for tool in SOCDEFAULTS.soc.config.server.client.tools %} {% for tool in SOCDEFAULTS.soc.config.server.client.tools %}
@@ -31,6 +40,7 @@
{% do tool.update({'link': METRICS_LINK}) %} {% do tool.update({'link': METRICS_LINK}) %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endif %}
{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %} {% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
+19 -4
View File
@@ -1500,15 +1500,23 @@ soc:
playbookRepos: playbookRepos:
default: default:
- repo: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks - repo: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks
rulesetName: sos-playbook-resources
branch: main branch: main
folder: securityonion-normalized folder: securityonion-normalized
- repo: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks
rulesetName: sos-published
branch: published
folder: sigma
airgap: airgap:
- repo: file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks - repo: file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks
rulesetName: sos-resources-ag
branch: main branch: main
folder: securityonion-normalized folder: securityonion-normalized
assistant: assistant:
systemPromptAddendum: "" systemPromptAddendum: ""
systemPromptAddendumMaxLength: 50000 systemPromptAddendumMaxLength: 50000
maxSubSessionTokens: 0
maxDelegationDepth: 5
adapters: adapters:
- name: SOAI - name: SOAI
protocol: securityonion_ai_cloud protocol: securityonion_ai_cloud
@@ -1520,6 +1528,11 @@ soc:
serviceAccountJSON: "" serviceAccountJSON: ""
serviceAccountLocation: "" serviceAccountLocation: ""
healthTimeoutSeconds: 5 healthTimeoutSeconds: 5
agentic: false
agentMapping:
Orchestrator: sonnet
Investigator: sonnet
Detection Engineer: sonnet
onionconfig: onionconfig:
saltstackDir: /opt/so/saltstack saltstackDir: /opt/so/saltstack
bypassEnabled: false bypassEnabled: false
@@ -1771,13 +1784,13 @@ soc:
enabled: true enabled: true
queries: queries:
- name: Default Query - name: Default Query
description: Show all events grouped by the observer host
query: '* | groupby observer.name'
showSubtitle: true
- name: Log Type
description: Show all events grouped by module and dataset description: Show all events grouped by module and dataset
query: '* | groupby event.module* event.dataset' query: '* | groupby event.module* event.dataset'
showSubtitle: true showSubtitle: true
- name: Observer
description: Show all events grouped by the observer host
query: '* | groupby observer.name'
showSubtitle: true
- name: SOC - Auth - name: SOC - Auth
description: Users authenticated to SOC grouped by IP address and identity description: Users authenticated to SOC grouped by IP address and identity
query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip user.name' query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip user.name'
@@ -2689,6 +2702,8 @@ soc:
thresholdColorRatioLow: 0.5 thresholdColorRatioLow: 0.5
thresholdColorRatioMed: 0.75 thresholdColorRatioMed: 0.75
thresholdColorRatioMax: 1 thresholdColorRatioMax: 1
toolBusyMaxRetries: 30
toolBusyRetryDelayMs: 1000
availableModels: availableModels:
- id: sonnet - id: sonnet
displayName: Claude Sonnet displayName: Claude Sonnet
+6 -1
View File
@@ -45,7 +45,10 @@ so-soc:
- /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro
- /opt/so/conf/soc/banner.md:/opt/sensoroni/html/login/banner.md:ro - /opt/so/conf/soc/banner.md:/opt/sensoroni/html/login/banner.md:ro
- /opt/so/conf/soc/sigma_so_pipeline.yaml:/opt/sensoroni/sigma_so_pipeline.yaml:ro - /opt/so/conf/soc/sigma_so_pipeline.yaml:/opt/sensoroni/sigma_so_pipeline.yaml:ro
- /opt/so/conf/soc/sigma_final_pipeline.yaml:/opt/sensoroni/sigma_final_pipeline.yaml:rw - /opt/so/conf/soc/sigma_playbook_pipeline.yaml:/opt/sensoroni/sigma_playbook_pipeline.yaml:ro
- /opt/so/conf/soc/sigma_final_pipeline.yaml:/opt/sensoroni/sigma_final_pipeline.yaml:ro
- /opt/so/conf/soc/playbook_placeholder_map.yaml:/opt/sensoroni/playbook_placeholder_map.yaml:ro
- /opt/so/conf/soc/playbook_placeholder_map_custom.yaml:/opt/sensoroni/playbook_placeholder_map_custom.yaml:ro
- /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro - /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro
- /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro
- /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
@@ -99,6 +102,8 @@ so-soc:
- file: soccustomroles - file: soccustomroles
- file: socusersroles - file: socusersroles
- file: socclientsroles - file: socclientsroles
- file: socplaybookplaceholdermap
- file: socplaybookplaceholdermapcustom
delete_so-soc_so-status.disabled: delete_so-soc_so-status.disabled:
file.uncomment: file.uncomment:
@@ -0,0 +1,49 @@
# Global Playbook placeholder map: %token% -> event field path.
#
# Loaded by the SOC Playbook module and used to resolve `field|expand:%placeholder%` values
# from an alert when converting playbook questions to OQL.
# Left: the %token% used in a question
# Right: the event field its value is read from (event_data.-nested or bare; the module
# tries both).
#
# Example: with `src_ip: source.ip` (below), a question that writes
# `source.ip|expand: '%src_ip%'` resolves %src_ip% to the alert's source.ip at convert time.
#
# This is the global base layer. To add or override tokens edit playbook_placeholder_map_custom.yaml.
# those entries overlay this map and win on conflict.
CommandLine: process.command_line
CurrentDirectory: process.working_directory
Image: process.executable
ImageLoaded: dll.name
ParentImage: process.parent.executable
ParentName: process.parent.name
ParentProcessGuid: process.parent.entity_id
ProcessGuid: process.entity_id
TargetFilename: file.name
TargetObject: registry.path
TargetUserName: user.target.name
User: user.name
community_id: network.community_id
dns_resolved_ip: dns.resolved_ip
document_id: soc_id
dst_ip: destination.ip
dst_port: destination.port
event_data_source_ip: source.ip
file_path: file.path
file_dirs: process.file_dirs
file_name: process.name
file_paths: process.file_paths
hostname: host.name
private_ip: network.private_ip
public_ip: network.public_ip
related_hosts: related.hosts
related_ip: related.ip
src_ip: source.ip
dns_query_name: dns.query_name
flow_id: log.id.uid
payload: network.data.decoded
rule_category: rule.category
rule_name: rule.name
rule_uuid: rule.uuid
src_port: source.port
@@ -0,0 +1,14 @@
# Custom Playbook placeholder map: %token% -> event field path.
#
#
# Left: the %token% used in a playbook question.
# Right: the event field its value is read from (event_data.-nested or bare; the module tries
# both). Note: a token that is simply named after a flat event field resolves automatically
# without an entry here - only add a mapping when the token name differs from the field name.
#
# Example:
#
# account_id: cloudflare.account_id
#
# A question that writes
# `account_id|expand: '%account_id%'` resolves %account_id% from the alert at convert time.
@@ -0,0 +1,12 @@
name: Security Onion - Playbook Pipeline
priority: 97
transformations:
# Route string fields to their lowercase-normalized .caseless subfield so wildcard
# matches are case-insensitive.
- id: case_insensitive_string_fields
type: field_name_mapping
mapping:
process.executable: process.executable.caseless
process.parent.executable: process.parent.executable.caseless
process.command_line: process.command_line.caseless
process.parent.command_line: process.parent.command_line.caseless
+51
View File
@@ -63,6 +63,14 @@ transformations:
rule_conditions: rule_conditions:
- type: logsource - type: logsource
category: antivirus category: antivirus
# OS-agnostic process_creation scoping for product-less (NIDS/host-pivot) rules.
- id: process_creation_os_agnostic
type: add_condition
conditions:
event.category: process
rule_conditions:
- type: logsource
category: process_creation
# Transforms the `Hashes` field to ECS fields # Transforms the `Hashes` field to ECS fields
# ECS fields are used by the hash fields emitted by Elastic Defend # ECS fields are used by the hash fields emitted by Elastic Defend
# If shipped with Elastic Agent, sysmon logs will also have hashes mapped to ECS fields # If shipped with Elastic Agent, sysmon logs will also have hashes mapped to ECS fields
@@ -108,6 +116,40 @@ transformations:
- type: logsource - type: logsource
product: windows product: windows
category: driver_load category: driver_load
- id: ecs_fix_process_creation
type: field_name_mapping
mapping:
# bare `Hashes` (the combined-string case is broken out above)
winlog.event_data.Hashes: process.hash.sha256
winlog.event_data.IntegrityLevel: process.Ext.token.integrity_level_name
winlog.event_data.ParentName: process.parent.name
rule_conditions:
- type: logsource
product: windows
category: process_creation
- id: ecs_fix_registry_set
type: field_name_mapping
mapping:
winlog.event_data.Details: registry.data.strings
# field rename only; EventType values (SetValue/CreateKey) still differ from
# event.action values (modification/creation)
winlog.event_data.EventType: event.action
rule_conditions:
- type: logsource
product: windows
category: registry_set
- id: ecs_fix_image_load
type: field_name_mapping
mapping:
file.path: dll.path
file.code_signature.signed: dll.code_signature.exists
winlog.event_data.Signature: dll.code_signature.subject_name
file.code_signature.status: dll.code_signature.status
winlog.event_data.Hashes: dll.hash.sha256
rule_conditions:
- type: logsource
product: windows
category: image_load
- id: linux_security_add-fields - id: linux_security_add-fields
type: add_condition type: add_condition
conditions: conditions:
@@ -281,6 +323,15 @@ transformations:
rule_conditions: rule_conditions:
- type: logsource - type: logsource
category: file_event category: file_event
# Scope image_load rules to Elastic Endpoint library events (event.category:library, dll.*
# populated).
- id: endpoint_image_load_add-fields
type: add_condition
conditions:
event.category: 'library'
rule_conditions:
- type: logsource
category: image_load
# Maps network rules to all network logs # Maps network rules to all network logs
# This targets all network logs, all services, generated from endpoints and network # This targets all network logs, all services, generated from endpoints and network
- id: network_add-fields - id: network_add-fields
+19
View File
@@ -7,6 +7,11 @@
{% from 'soc/defaults.map.jinja' import SOCDEFAULTS with context %} {% from 'soc/defaults.map.jinja' import SOCDEFAULTS with context %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %} {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
{% from 'manager/map.jinja' import MANAGERMERGED %} {% from 'manager/map.jinja' import MANAGERMERGED %}
{% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
{%- set PG_ENTRY = salt['pillar.get']('telegraf:postgres_creds:' ~ grains.id, {}) %}
{%- set PG_USER = PG_ENTRY.get('user', '') %}
{%- set PG_PASS = PG_ENTRY.get('pass', '') %}
{% set DOCKER_EXTRA_HOSTS = ELASTICSEARCH_NODES %} {% set DOCKER_EXTRA_HOSTS = ELASTICSEARCH_NODES %}
{% do DOCKER_EXTRA_HOSTS.append({GLOBALS.influxdb_host:pillar.node_data[GLOBALS.influxdb_host].ip}) %} {% do DOCKER_EXTRA_HOSTS.append({GLOBALS.influxdb_host:pillar.node_data[GLOBALS.influxdb_host].ip}) %}
@@ -75,6 +80,20 @@
{% do SOCMERGED.config.server.update({'airgapEnabled': false}) %} {% do SOCMERGED.config.server.update({'airgapEnabled': false}) %}
{% endif %} {% endif %}
{# Define the postgresmetrics module if telegraf is setup to only use Postgres #}
{% if TELEGRAFMERGED.output != 'INFLUXDB' and PG_USER and PG_PASS %}
{% do SOCMERGED.config.server.modules.update({
'postgresmetrics': {
'database': 'so_telegraf',
'host': GLOBALS.manager_ip,
'password': PG_PASS,
'port': 5432,
'sslMode': 'allow',
'user': PG_USER,
}
}) %}
{% do SOCMERGED.config.server.modules.pop('influxdb') %}
{% endif %}
{# Define the Detections custom ruleset that should always be present #} {# Define the Detections custom ruleset that should always be present #}
{% set CUSTOM_RULESET = { {% set CUSTOM_RULESET = {
+39 -1
View File
@@ -46,7 +46,15 @@ soc:
syntax: yaml syntax: yaml
file: True file: True
global: True global: True
advanced: True advanced: False
helpLink: security-onion-console-customization
playbook_placeholder_map_custom__yaml:
title: Playbook Placeholder Map
description: Custom mappings of Playbook %placeholder% tokens to event fields.
syntax: yaml
file: True
global: True
advanced: False
helpLink: security-onion-console-customization helpLink: security-onion-console-customization
config: config:
licenseKey: licenseKey:
@@ -719,6 +727,16 @@ soc:
description: Maximum length of the system prompt addendum. Longer prompts will be truncated. description: Maximum length of the system prompt addendum. Longer prompts will be truncated.
global: True global: True
advanced: True advanced: True
maxSubSessionTokens:
description: Maximum number of output tokens a delegated sub-session may generate across all of its turns. When the budget is reached, the sub-agent is halted and its result is returned to the parent agent. Set to 0 to disable the limit.
global: True
advanced: True
forcedType: int
maxDelegationDepth:
description: Maximum delegation nesting depth for sub-agents. For example, a value of 2 lets the main agent delegate to a sub-agent that may itself delegate one level deeper. Any deeper delegation is refused and the requesting agent continues without it. Set to 0 to disable the limit.
global: True
advanced: True
forcedType: int
adapters: adapters:
description: Configuration for AI adapters used by the Onion AI assistant. Please see documentation for help on which fields are required for which protocols. description: Configuration for AI adapters used by the Onion AI assistant. Please see documentation for help on which fields are required for which protocols.
global: True global: True
@@ -757,12 +775,32 @@ soc:
label: Health Timeout Seconds label: Health Timeout Seconds
required: False required: False
forcedType: int forcedType: int
agentic:
description: Indicates if the Assistant Module should operate in agentic mode or not. If true, agents can work together to solve tasks.
global: True
forcedType: bool
agentMapping:
Orchestrator:
description: The initial agent in most agentic conversations. This agent will delegate requests to specialized agents.
global: True
Investigator:
description: This agent investigates alerts, explains events and records, and hunts through event data. It can also acknowledge alerts and escalate to cases.
global: True
Detection Engineer:
description: This agent manages detections and their overrides, including tuning noisy rules and authoring rule content.
global: True
client: client:
assistant: assistant:
enabled: enabled:
description: Set to true to enable the Onion AI assistant in SOC. description: Set to true to enable the Onion AI assistant in SOC.
global: True global: True
forcedType: bool forcedType: bool
toolBusyMaxRetries:
description: How many times to retry auto approving a tool while a tool is already running.
global: True
toolBusyRetryDelayMs:
description: How long in milliseconds to wait between each retry when auto approving a tool.
global: True
investigationPrompt: investigationPrompt:
description: Prompt given to Onion AI when beginning an investigation. description: Prompt given to Onion AI when beginning an investigation.
global: True global: True
+1
View File
@@ -69,6 +69,7 @@ surirulereload:
- name: /usr/sbin/so-suricata-reload-rules >> /opt/so/log/suricata/reload.log 2>&1 - name: /usr/sbin/so-suricata-reload-rules >> /opt/so/log/suricata/reload.log 2>&1
- onchanges: - onchanges:
- file: surirulesync - file: surirulesync
- onlyif: test -f /opt/so/rules/suricata/all-rulesets.rules
- require: - require:
- docker_container: so-suricata - docker_container: so-suricata
+2 -2
View File
@@ -153,12 +153,12 @@ suricata:
cpu-affinity: cpu-affinity:
management-cpu-set: management-cpu-set:
cpu: cpu:
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used. description: Bind management threads to a core or range of cores. This can be a single core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used.
forcedType: "[]string" forcedType: "[]string"
helpLink: suricata helpLink: suricata
worker-cpu-set: worker-cpu-set:
cpu: cpu:
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used. description: Bind worker threads to a core or range of cores. This can be a single core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used.
forcedType: "[]string" forcedType: "[]string"
helpLink: suricata helpLink: suricata
vars: vars:
@@ -7,5 +7,59 @@
. /usr/sbin/so-common . /usr/sbin/so-common
retry 60 3 'docker exec so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket' '{"message":"done","return":"OK"}' || fail "The Suricata container was not ready in time." RULES_FILE="/opt/so/rules/suricata/all-rulesets.rules"
retry 60 3 'docker exec so-suricata /opt/suricata/bin/suricatasc -c ruleset-reload-nonblocking /var/run/suricata/suricata-command.socket' '{"message":"done","return":"OK"}' || fail "The Suricata container was not ready in time." SOCKET="/var/run/suricata/suricata-command.socket"
SURICATASC="docker exec so-suricata /opt/suricata/bin/suricatasc"
# Format an epoch as a human-readable local timestamp for log messages.
fmt_time() { date -d "@$1" '+%Y-%m-%d %H:%M:%S %Z' 2>/dev/null; }
# Prefix each input line with the current timestamp.
timestamp_lines() { while IFS= read -r line; do printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S %Z')" "$line"; done; }
# Epoch of Suricata's last *completed* ruleset reload; non-zero return on failure.
suricata_reload_epoch() {
local out ts
out=$($SURICATASC -c ruleset-reload-time "$SOCKET" 2>/dev/null)
ts=$(echo "$out" | jq -r '.message[0].last_reload // empty' 2>/dev/null)
[ -n "$ts" ] || return 1
date -d "$ts" +%s 2>/dev/null
}
# Trigger a fresh reload and confirm Suricata is running a ruleset at least as new
# as the rules file. Returns 0 only when both hold, so retry keeps going until an
# in-progress reload clears and our own reload completes.
reload_and_verify() {
local out reload_epoch
out=$($SURICATASC -c reload-rules "$SOCKET")
echo "reload-rules: $out"
if [[ "$out" =~ "Reload already in progress" ]]; then
echo "A reload is already in progress; waiting for it to clear so a fresh reload can load the current ruleset."
return 1
fi
if [[ ! "$out" =~ '{"message":"done","return":"OK"}' ]]; then
echo "Suricata not ready or unexpected reload output; will retry."
return 1
fi
reload_epoch=$(suricata_reload_epoch) || { echo "Could not read ruleset-reload-time; will retry."; return 1; }
if [ "$reload_epoch" -ge "$target_mtime" ]; then
echo "Loaded ruleset is current: last reload ($(fmt_time "$reload_epoch")) is newer than rules file ($(fmt_time "$target_mtime"))."
return 0
fi
echo "Loaded ruleset is stale: last reload ($(fmt_time "$reload_epoch")) is older than rules file ($(fmt_time "$target_mtime")); retrying."
return 1
}
# Run the reload/verify, timestamping every line of output (ours and the
# retry/fail helpers') so reload.log shows when each step ran. The pipeline is
# synchronous, so the log is fully flushed and ordered before we exit; the
# script's real exit code is preserved via PIPESTATUS.
{
# Epoch mtime of the ruleset we need Suricata to have loaded. Captured once so
# a file update mid-reload does not move the goalpost.
target_mtime=$(stat -c %Y "$RULES_FILE") || fail "Could not stat the Suricata rules file: $RULES_FILE"
retry 60 3 'reload_and_verify' || fail "Suricata did not load the current ruleset in time."
} 2>&1 | timestamp_lines
exit "${PIPESTATUS[0]}"
+1
View File
@@ -244,6 +244,7 @@
username = "{{ ES_USER }}" username = "{{ ES_USER }}"
password = "{{ ES_PASS }}" password = "{{ ES_PASS }}"
insecure_skip_verify = true insecure_skip_verify = true
cluster_health = true
{%- elif grains['role'] in ['so-searchnode'] %} {%- elif grains['role'] in ['so-searchnode'] %}
[[inputs.elasticsearch]] [[inputs.elasticsearch]]
servers = ["https://{{ NODEIP }}:9200"] servers = ["https://{{ NODEIP }}:9200"]
+1 -1
View File
@@ -5,7 +5,7 @@ telegraf:
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb
output: output:
description: Selects the backend(s) Telegraf writes metrics to. INFLUXDB keeps the current behavior; POSTGRES writes to the grid's Postgres instance; BOTH dual-writes for migration validation. description: Selects the backend(s) Telegraf writes metrics to. INFLUXDB keeps the current behavior; POSTGRES writes to the grid's Postgres instance; BOTH dual-writes for migration validation. When set to BOTH, the grid screen's metrics are pulled from Postgres, and the InfluxDB tool link remains visible. When set to POSTGRES, the InfluxDB tool link is removed.
options: options:
- INFLUXDB - INFLUXDB
- POSTGRES - POSTGRES
-6
View File
@@ -83,7 +83,6 @@ base:
- zeek - zeek
- strelka - strelka
- elastalert - elastalert
- utility
- elasticfleet - elasticfleet
- pcap.cleanup - pcap.cleanup
@@ -113,7 +112,6 @@ base:
- zeek - zeek
- strelka - strelka
- elastalert - elastalert
- utility
- elasticfleet - elasticfleet
- stig - stig
- kafka - kafka
@@ -141,7 +139,6 @@ base:
- elastic-fleet-package-registry - elastic-fleet-package-registry
- kibana - kibana
- elastalert - elastalert
- utility
- elasticfleet - elasticfleet
- stig - stig
- kafka - kafka
@@ -168,7 +165,6 @@ base:
- elastic-fleet-package-registry - elastic-fleet-package-registry
- kibana - kibana
- elastalert - elastalert
- utility
- elasticfleet - elasticfleet
- kafka - kafka
@@ -198,7 +194,6 @@ base:
- elastic-fleet-package-registry - elastic-fleet-package-registry
- kibana - kibana
- elastalert - elastalert
- utility
- elasticfleet - elasticfleet
- stig - stig
- kafka - kafka
@@ -222,7 +217,6 @@ base:
- elasticsearch - elasticsearch
- elastic-fleet-package-registry - elastic-fleet-package-registry
- kibana - kibana
- utility
- suricata - suricata
- zeek - zeek
- elasticfleet - elasticfleet
-29
View File
@@ -1,29 +0,0 @@
#!/bin/bash
# Wait for ElasticSearch to come up, so that we can query for version infromation
echo -n "Waiting for ElasticSearch..."
COUNT=0
ELASTICSEARCH_CONNECTED="no"
while [[ "$COUNT" -le 30 ]]; do
curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://{{ GLOBALS.manager_ip }}:9200
if [ $? -eq 0 ]; then
ELASTICSEARCH_CONNECTED="yes"
echo "connected!"
break
else
((COUNT+=1))
sleep 1
echo -n "."
fi
done
if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
echo
echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'docker ps' \n -running 'sudo so-elastic-restart'"
echo
exit
fi
echo "Applying cross cluster search config..."
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ GLOBALS.manager_ip }}:9200/_cluster/settings \
-H 'Content-Type: application/json' \
-d "{\"persistent\": {\"search\": {\"remote\": {\"{{ grains.host }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}"
-22
View File
@@ -1,22 +0,0 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if sls in allowed_states %}
{% if grains['role'] in ['so-eval', 'so-import'] %}
fixsearch:
cmd.script:
- shell: /bin/bash
- cwd: /opt/so
- source: salt://utility/bin/eval
- template: jinja
- defaults:
GLOBALS: {{ GLOBALS }}
{% endif %}
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}
+63 -15
View File
@@ -29,8 +29,12 @@ title() {
} }
fail_setup() { fail_setup() {
local err_msg=$1
if [[ -n "$err_msg" ]]; then
error "$err_msg"
fi
error "Setup encountered an unrecoverable failure, exiting" error "Setup encountered an unrecoverable failure, exiting"
touch /root/failure echo "setup incomplete: $err_msg" > /root/failure
exit 1 exit 1
} }
@@ -697,7 +701,7 @@ compare_main_nic_ip() {
EOM EOM
[[ -n $TESTING ]] || whiptail --title "$whiptail_title" --msgbox "$message" 11 75 [[ -n $TESTING ]] || whiptail --title "$whiptail_title" --msgbox "$message" 11 75
kill -SIGINT "$(ps --pid $$ -oppid=)"; fail_setup kill -SIGINT "$(ps --pid $$ -oppid=)"; fail_setup "Main IP mismatch"
fi fi
else else
# Setup uses MAINIP, but since we ignore the equality condition when using a VPN # Setup uses MAINIP, but since we ignore the equality condition when using a VPN
@@ -755,8 +759,7 @@ configure_management_bond() {
info "Setting up $bond_name management interface with mode $bond_mode" info "Setting up $bond_name management interface with mode $bond_mode"
if [[ ${#MBNICS[@]} -eq 0 ]]; then if [[ ${#MBNICS[@]} -eq 0 ]]; then
error "[ERROR] No management bond NICs were selected." fail_setup "No management bond NICs selected"
fail_setup
fi fi
nmcli -t -f NAME con show | grep -Fxq "$bond_name" nmcli -t -f NAME con show | grep -Fxq "$bond_name"
@@ -886,6 +889,7 @@ create_repo() {
title "Create the repo directory" title "Create the repo directory"
logCmd "dnf -y install yum-utils createrepo_c" logCmd "dnf -y install yum-utils createrepo_c"
logCmd "createrepo /nsm/repo" logCmd "createrepo /nsm/repo"
logCmd "createrepo /nsm/kernelrepo"
} }
@@ -913,8 +917,7 @@ detect_os() {
is_rpm=true is_rpm=true
is_supported=true is_supported=true
else else
info "This OS is not supported. Security Onion requires Oracle Linux 9." fail_setup "This OS is not supported. Security Onion requires Oracle Linux 9."
fail_setup
fi fi
info "Found OS: $OS $OSVER" info "Found OS: $OS $OSVER"
@@ -922,7 +925,7 @@ detect_os() {
download_elastic_agent_artifacts() { download_elastic_agent_artifacts() {
if ! update_elastic_agent 2>&1 | tee -a "$setup_log"; then if ! update_elastic_agent 2>&1 | tee -a "$setup_log"; then
fail_setup fail_setup "Failed to update Elastic Agent"
fi fi
} }
@@ -1566,7 +1569,7 @@ proxy_validate() {
error "Received error: $proxy_test_err" error "Received error: $proxy_test_err"
if [[ -n $TESTING ]]; then if [[ -n $TESTING ]]; then
error "Exiting setup" error "Exiting setup"
kill -SIGINT "$(ps --pid $$ -oppid=)"; fail_setup kill -SIGINT "$(ps --pid $$ -oppid=)"; fail_setup "Proxy validation failed"
fi fi
fi fi
return $ret return $ret
@@ -1773,8 +1776,7 @@ ensure_pyyaml() {
local result=$? local result=$?
set +o pipefail set +o pipefail
if [[ $result -ne 0 ]] || ! rpm -q python3-pyyaml >/dev/null 2>&1; then if [[ $result -ne 0 ]] || ! rpm -q python3-pyyaml >/dev/null 2>&1; then
error "Failed to install python3-pyyaml (exit=$result)" fail_setup "Failed to install python3-pyyaml (exit=$result)"
fail_setup
fi fi
info "python3-pyyaml installed successfully" info "python3-pyyaml installed successfully"
} }
@@ -1812,6 +1814,16 @@ securityonion_repo() {
echo "mirrorlist=file:///etc/yum/mirror.txt" >> /etc/yum.repos.d/securityonion.repo echo "mirrorlist=file:///etc/yum/mirror.txt" >> /etc/yum.repos.d/securityonion.repo
echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9-uek8" > /etc/yum/mirror-kernel.txt
echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/prod/3/oracle/9-uek8" >> /etc/yum/mirror-kernel.txt
echo "[securityonionkernel]" > /etc/yum.repos.d/securityonionkernel.repo
echo "name=Security Onion Kernel Repo repo" >> /etc/yum.repos.d/securityonionkernel.repo
echo "mirrorlist=file:///etc/yum/mirror-kernel.txt" >> /etc/yum.repos.d/securityonionkernel.repo
echo "enabled=1" >> /etc/yum.repos.d/securityonionkernel.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/securityonionkernel.repo
# Supplementary kernel repo: tolerate it being empty/unreachable so a missing
# repomd.xml can't make every dnf operation fail before the repo is populated.
echo "skip_if_unavailable=1" >> /etc/yum.repos.d/securityonionkernel.repo
logCmd "dnf repolist" logCmd "dnf repolist"
else else
echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
@@ -1820,6 +1832,13 @@ securityonion_repo() {
echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo
echo "[securityonionkernel]" > /etc/yum.repos.d/securityonionkernel.repo
echo "name=Security Onion Kernel Repo" >> /etc/yum.repos.d/securityonionkernel.repo
echo "baseurl=https://$MSRV/kernelrepo" >> /etc/yum.repos.d/securityonionkernel.repo
echo "enabled=1" >> /etc/yum.repos.d/securityonionkernel.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/securityonionkernel.repo
echo "sslverify=0" >> /etc/yum.repos.d/securityonionkernel.repo
echo "skip_if_unavailable=1" >> /etc/yum.repos.d/securityonionkernel.repo
logCmd "dnf repolist" logCmd "dnf repolist"
fi fi
elif [[ ! $waitforstate ]]; then elif [[ ! $waitforstate ]]; then
@@ -1829,12 +1848,25 @@ securityonion_repo() {
echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo
echo "[securityonionkernel]" > /etc/yum.repos.d/securityonionkernel.repo
echo "name=Security Onion Kernel Repo" >> /etc/yum.repos.d/securityonionkernel.repo
echo "baseurl=https://$MSRV/kernelrepo" >> /etc/yum.repos.d/securityonionkernel.repo
echo "enabled=1" >> /etc/yum.repos.d/securityonionkernel.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/securityonionkernel.repo
echo "sslverify=0" >> /etc/yum.repos.d/securityonionkernel.repo
echo "skip_if_unavailable=1" >> /etc/yum.repos.d/securityonionkernel.repo
elif [[ $waitforstate ]]; then elif [[ $waitforstate ]]; then
echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
echo "baseurl=file:///nsm/repo/" >> /etc/yum.repos.d/securityonion.repo echo "baseurl=file:///nsm/repo/" >> /etc/yum.repos.d/securityonion.repo
echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
echo "[securityonionkernel]" > /etc/yum.repos.d/securityonionkernel.repo
echo "name=Security Onion Kernel Repo" >> /etc/yum.repos.d/securityonionkernel.repo
echo "baseurl=file:///nsm/kernelrepo/" >> /etc/yum.repos.d/securityonionkernel.repo
echo "enabled=1" >> /etc/yum.repos.d/securityonionkernel.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/securityonionkernel.repo
echo "skip_if_unavailable=1" >> /etc/yum.repos.d/securityonionkernel.repo
fi fi
logCmd "dnf repolist all" logCmd "dnf repolist all"
if [[ $waitforstate ]]; then if [[ $waitforstate ]]; then
@@ -1850,9 +1882,12 @@ repo_sync_local() {
# Sync the repo from the SO repo locally. # Sync the repo from the SO repo locally.
info "Adding Repo Download Configuration" info "Adding Repo Download Configuration"
mkdir -p /nsm/repo mkdir -p /nsm/repo
mkdir -p /nsm/kernelrepo
mkdir -p /opt/so/conf/reposync/cache mkdir -p /opt/so/conf/reposync/cache
echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /opt/so/conf/reposync/mirror.txt echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /opt/so/conf/reposync/mirror.txt
echo "https://repo-alt.securityonion.net/prod/3/oracle/9" >> /opt/so/conf/reposync/mirror.txt echo "https://repo-alt.securityonion.net/prod/3/oracle/9" >> /opt/so/conf/reposync/mirror.txt
echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9-uek8" > /opt/so/conf/reposync/mirror-kernel.txt
echo "https://repo-alt.securityonion.net/prod/3/oracle/9-uek8" >> /opt/so/conf/reposync/mirror-kernel.txt
echo "[main]" > /opt/so/conf/reposync/repodownload.conf echo "[main]" > /opt/so/conf/reposync/repodownload.conf
echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf
@@ -1866,12 +1901,18 @@ repo_sync_local() {
echo "mirrorlist=file:///opt/so/conf/reposync/mirror.txt" >> /opt/so/conf/reposync/repodownload.conf echo "mirrorlist=file:///opt/so/conf/reposync/mirror.txt" >> /opt/so/conf/reposync/repodownload.conf
echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf
echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
echo "[securityonionkernel]" >> /opt/so/conf/reposync/repodownload.conf
echo "name=Security Onion Kernel Repo repo" >> /opt/so/conf/reposync/repodownload.conf
echo "mirrorlist=file:///opt/so/conf/reposync/mirror-kernel.txt" >> /opt/so/conf/reposync/repodownload.conf
echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf
echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
logCmd "dnf repolist" logCmd "dnf repolist"
if [[ ! $is_airgap ]]; then if [[ ! $is_airgap ]]; then
curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" >> "$setup_log" 2>&1 || fail_setup retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" >> "$setup_log" 2>&1 || fail_setup "Failed to sync repos"
retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionkernel --download-metadata -p /nsm/kernelrepo/" >> "$setup_log" 2>&1 || fail_setup "Failed to sync kernel repos"
# After the download is complete run createrepo # After the download is complete run createrepo
create_repo create_repo
fi fi
@@ -1884,10 +1925,10 @@ saltify() {
if [[ $waitforstate ]]; then if [[ $waitforstate ]]; then
# install all for a manager # install all for a manager
retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup "Failed to install salt master"
else else
# just a minion # just a minion
retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup "Failed to install salt minion"
fi fi
salt_install_module_deps salt_install_module_deps
@@ -1959,7 +2000,7 @@ set_main_ip() {
info "MAINIP=$MAINIP" info "MAINIP=$MAINIP"
info "MNIC_IP=$MNIC_IP" info "MNIC_IP=$MNIC_IP"
whiptail_error_message "The management IP could not be determined. Please check the log at /root/sosetup.log and verify the network configuration. Select OK to exit." whiptail_error_message "The management IP could not be determined. Please check the log at /root/sosetup.log and verify the network configuration. Select OK to exit."
fail_setup fail_setup "Could not determine MAINIP or MNIC_IP"
fi fi
sleep 1 sleep 1
done done
@@ -2163,7 +2204,7 @@ set_initial_firewall_access() {
set_management_interface() { set_management_interface() {
title "Setting up the main interface" title "Setting up the main interface"
if [[ $MNIC == "bond1" ]]; then if [[ $MNIC == "bond1" ]]; then
configure_management_bond || fail_setup configure_management_bond || fail_setup "Failed to configure management bond"
fi fi
if [ "$address_type" = 'DHCP' ]; then if [ "$address_type" = 'DHCP' ]; then
@@ -2228,6 +2269,13 @@ update_sudoers_for_testing() {
} }
update_packages() { update_packages() {
# Pin physical NIC names by MAC BEFORE pulling packages, so the UEK8 kernel that
# the update below installs can't renumber the interfaces SO binds by name. Doing
# it here (instead of waiting for the common highstate) also drops the
# /opt/so/state/nic_names_pinned marker that gates the kernel repo, so the kernel
# repo is assigned on the very first highstate and the kernel isn't downgraded and
# then re-upgraded. Run-once: so-nic-pin no-ops if the marker already exists.
logCmd "bash ../salt/common/tools/sbin/so-nic-pin"
logCmd "dnf repolist" logCmd "dnf repolist"
logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*" logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo") RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo")
+12 -13
View File
@@ -9,14 +9,17 @@
# Make sure you are root before doing anything # Make sure you are root before doing anything
uid="$(id -u)" uid="$(id -u)"
if [ "$uid" -ne 0 ]; then if [ "$uid" -ne 0 ]; then
echo "This script must be run using sudo!" echo "This script must be run using sudo!" >&2
fail_setup exit 1
fi fi
# Save the original argument array since we modify it # Save the original argument array since we modify it
original_args=("$@") original_args=("$@")
cd "$(dirname "$0")" || fail_setup cd "$(dirname "$0")" || {
echo "Unable to change to setup directory" >&2
exit 1
}
echo "Getting started..." echo "Getting started..."
@@ -87,8 +90,7 @@ if [[ "$setup_type" == 'iso' ]]; then
if [[ $is_rpm ]]; then if [[ $is_rpm ]]; then
is_iso=true is_iso=true
else else
echo "Only use 'so-setup iso' for an ISO install on Security Onion ISO images. Please run 'so-setup network' instead." fail_setup "Only use 'so-setup iso' for an ISO install on Security Onion ISO images. Please run 'so-setup network' instead."
fail_setup
fi fi
fi fi
@@ -127,7 +129,7 @@ catch() {
info "Fatal error occurred at $1 in so-setup, failing setup." info "Fatal error occurred at $1 in so-setup, failing setup."
grep --color=never "ERROR" "$setup_log" > "$error_log" grep --color=never "ERROR" "$setup_log" > "$error_log"
whiptail_setup_failed whiptail_setup_failed
fail_setup fail_setup "Fatal error occurred at $1 in so-setup"
} }
# Add the progress function for manager node type installs # Add the progress function for manager node type installs
@@ -235,8 +237,7 @@ case "$setup_type" in
info "Beginning Security Onion $setup_type install" info "Beginning Security Onion $setup_type install"
;; ;;
*) *)
error "Invalid install type, must be 'iso', 'network' or 'desktop'." fail_setup "Invalid install type, must be 'iso', 'network' or 'desktop'."
fail_setup
;; ;;
esac esac
@@ -770,8 +771,7 @@ if ! [[ -f $install_opt_file ]]; then
logCmd "salt-call state.apply -l info registry" logCmd "salt-call state.apply -l info registry"
title "Seeding the docker registry" title "Seeding the docker registry"
if ! docker_seed_registry; then if ! docker_seed_registry; then
error "Failed to seed the docker registry" fail_setup "Failed to seed the docker registry"
fail_setup
fi fi
title "Applying the manager state" title "Applying the manager state"
logCmd "salt-call state.apply -l info manager" logCmd "salt-call state.apply -l info manager"
@@ -793,9 +793,8 @@ if ! [[ -f $install_opt_file ]]; then
logCmd "so-soc-restart" logCmd "so-soc-restart"
title "Setting up Elastic Fleet" title "Setting up Elastic Fleet"
logCmd "salt-call state.apply elasticfleet.config" logCmd "salt-call state.apply elasticfleet.config"
if ! logCmd so-elastic-fleet-setup; then if ! so-elastic-fleet-setup; then
error "Failed to run so-elastic-fleet-setup" fail_setup "Failed to run so-elastic-fleet-setup"
fail_setup
fi fi
mark_setup_complete mark_setup_complete
set_initial_firewall_access set_initial_firewall_access
+3 -3
View File
@@ -143,15 +143,15 @@ main() {
cat $error_log cat $error_log
echo "--------------------------" echo "--------------------------"
exit_code=1 exit_code=1
touch /root/failure echo "Found setup errors. Check $error_log for details" > /root/failure
elif using_iso && cron_error_in_mail_spool; then elif using_iso && cron_error_in_mail_spool; then
echo "WARNING: Unexpected cron job output in mail spool" echo "WARNING: Unexpected cron job output in mail spool"
exit_code=1 exit_code=1
touch /root/failure echo "Unexpected cron job output found in /var/spool/mail/" > /root/failure
elif is_manager_node && status_failed; then elif is_manager_node && status_failed; then
echo "WARNING: Containers are not in a healthy state" echo "WARNING: Containers are not in a healthy state"
exit_code=1 exit_code=1
touch /root/failure echo "Containers are not in a healthy state. Check so-status for details" > /root/failure
else else
echo "Successfully completed setup!" echo "Successfully completed setup!"
touch /root/success touch /root/success