#!/bin/bash # # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # Figure out if this is soup or refresh if [ -z "$VERSION" ]; then VERSION="$NEWVERSION" fi container_list() { MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') if [ $MANAGERCHECK == 'so-import' ]; then TRUSTED_CONTAINERS=( \ "so-idstools" \ "so-nginx" \ "so-filebeat" \ "so-suricata" \ "so-soc" \ "so-elasticsearch" \ "so-kibana" \ "so-kratos" \ "so-suricata" \ "so-registry" \ "so-pcaptools" \ "so-zeek" ) elif [ $MANAGERCHECK != 'so-helix' ]; then TRUSTED_CONTAINERS=( \ "so-acng" \ "so-thehive-cortex" \ "so-curator" \ "so-domainstats" \ "so-elastalert" \ "so-elasticsearch" \ "so-filebeat" \ "so-fleet" \ "so-fleet-launcher" \ "so-freqserver" \ "so-grafana" \ "so-idstools" \ "so-influxdb" \ "so-kibana" \ "so-kratos" \ "so-logstash" \ "so-minio" \ "so-mysql" \ "so-nginx" \ "so-pcaptools" \ "so-playbook" \ "so-redis" \ "so-soc" \ "so-soctopus" \ "so-steno" \ "so-strelka-frontend" \ "so-strelka-manager" \ "so-strelka-backend" \ "so-strelka-filestream" \ "so-suricata" \ "so-telegraf" \ "so-thehive" \ "so-thehive-es" \ "so-wazuh" \ "so-zeek" ) else TRUSTED_CONTAINERS=( \ "so-filebeat" \ "so-idstools" \ "so-logstash" \ "so-nginx" \ "so-redis" \ "so-steno" \ "so-suricata" \ "so-telegraf" \ "so-zeek" ) fi } update_docker_containers() { # Let's make sure we have the public key curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import - CONTAINER_REGISTRY=quay.io SIGNPATH=/root/sosigs rm -rf $SIGNPATH mkdir -p $SIGNPATH if [ -z "$BRANCH" ]; then BRANCH="master" fi # Download the containers from the interwebs for i in "${TRUSTED_CONTAINERS[@]}" do # Pull down the trusted docker image echo "Downloading $i" docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION # Get signature curl https://sigs.securityonion.net/$VERSION/$i:$VERSION.sig --output $SIGNPATH/$i:$VERSION.sig if [[ $? -ne 0 ]]; then echo "Unable to pull signature file for $i:$VERSION" exit 1 fi # Dump our hash values DOCKERINSPECT=$(docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION) echo "$DOCKERINSPECT" | jq ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" > $SIGNPATH/$i:$VERSION.txt echo "$DOCKERINSPECT" | jq ".[0].Created, .[0].RootFS.Layers" >> $SIGNPATH/$i:$VERSION.txt if [[ $? -ne 0 ]]; then echo "Unable to inspect $i:$VERSION" exit 1 fi GPGTEST=$(gpg --verify $SIGNPATH/$i:$VERSION.sig $SIGNPATH/$i:$VERSION.txt 2>&1) if [[ $? -eq 0 ]]; then # Tag it with the new registry destination docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION docker push $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION else echo "There is a problem downloading the $i:$VERSION image. Details: " echo "" echo $GPGTEST exit 1 fi done }