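#!/bin/bash

# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# Refreshes the local Docker registry on a manager node. Every image listed in
# TRUSTED_CONTAINERS is pulled from quay.io, a metadata dump of the pulled
# image is checked against a detached GPG signature fetched from the project
# repository, and only a verified image is tagged and pushed to the registry
# at $HOSTNAME:5000.
#
# Inputs: /etc/salt/grains, /etc/soversion, $BRANCH (optional, defaults to
#         "master"), $IMAGEREPO (not assigned in this file; presumably set by
#         so-common - confirm).

. /usr/sbin/so-common

#######################################
# Abort unless the Salt grains file reports a manager-type role.
# Globals:   MANAGERCHECK (written)
# Outputs:   status message on stdout
# Returns:   exits 1 when the role is not one of the manager roles
#######################################
manager_check() {
  # Check to see if this is a manager
  MANAGERCHECK=$(awk '/role/ {print $2}' /etc/salt/grains)

  # case compares the quoted value, so an empty or multi-word role falls
  # through to the refusal branch instead of producing a test(1) syntax error.
  case "$MANAGERCHECK" in
    so-eval | so-manager | so-managersearch | so-standalone | so-helix)
      echo "This is a manager. We can proceed"
      ;;
    *)
      echo "Please run soup on the manager. The manager controls all updates."
      exit 1
      ;;
  esac
}

#######################################
# Pull, verify, re-tag and push every image in TRUSTED_CONTAINERS.
# Globals:   TRUSTED_CONTAINERS, IMAGEREPO, HOSTNAME (read)
#            BRANCH (read, defaulted to "master")
#            SIGNPATH, GPGTEST (written)
# Outputs:   progress and error messages on stdout
# Returns:   exits 1 on the first image that cannot be pulled, inspected,
#            verified, tagged or pushed
#######################################
update_docker_containers() {
  local i image inspect_json

  if [ -z "$IMAGEREPO" ]; then
    echo "IMAGEREPO is not set. Unable to determine the image repository."
    exit 1
  fi

  SIGNPATH=/root/sosigs
  # Start from an empty directory so that a signature or metadata file left
  # over from an earlier run can never be the one that gets verified.
  rm -rf -- "${SIGNPATH:?}"
  mkdir -p -- "$SIGNPATH"

  if [ -z "$BRANCH" ]; then
    BRANCH="master"
  fi

  # Download the containers from the interwebs
  for i in "${TRUSTED_CONTAINERS[@]}"; do
    image="quay.io/$IMAGEREPO/$i"

    # Pull down the trusted docker image
    echo "Downloading $i"
    if ! docker pull "$image"; then
      echo "Unable to pull $i"
      exit 1
    fi

    # Get signature.
    # The github.com/.../blob/... address serves the HTML file viewer rather
    # than the file itself, so the raw-content host is used. --fail makes an
    # HTTP error (e.g. 404) a non-zero exit instead of saving the error page
    # as the signature; --proto restricts the transfer to HTTPS.
    if ! curl --fail --proto '=https' \
      "https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/$BRANCH/sigs/images/$i.gpg" \
      --output "$SIGNPATH/$i.gpg"; then
      echo "Unable to pull signature file for $i"
      exit 1
    fi

    # Dump our hash values.
    # docker inspect is run on its own so that its failure is detected; in a
    # plain pipeline only jq's exit status would be seen.
    if ! inspect_json=$(docker inspect "$image"); then
      echo "Unable to inspect $i"
      exit 1
    fi
    if ! jq '.[0].Created, .[0].Id, .[0].Size, .[0].RootFS.Layers' \
      <<<"$inspect_json" >"$SIGNPATH/$i.txt"; then
      echo "Unable to inspect $i"
      exit 1
    fi

    # NOTE(review): gpg --verify reports success for a good signature made by
    # any key present in the invoking user's keyring; the expected signer is
    # not pinned here. Confirm the keyring holds only the release key, or check
    # the signer fingerprint (e.g. from --status-fd output) before trusting it.
    if GPGTEST=$(gpg --verify "$SIGNPATH/$i.gpg" "$SIGNPATH/$i.txt" 2>&1); then
      # Tag it with the new registry destination.
      # The source reference is the quay.io name that was pulled and verified
      # above; a bare "$IMAGEREPO/$i" would resolve to a different local image
      # name, i.e. not necessarily the image whose signature was checked.
      if ! docker tag "$image" "$HOSTNAME:5000/$IMAGEREPO/$i" ||
        ! docker push "$HOSTNAME:5000/$IMAGEREPO/$i"; then
        echo "Unable to tag or push $i to the local registry"
        exit 1
      fi
    else
      echo "There is a problem downloading the $i image. Details: "
      echo ""
      printf '%s\n' "$GPGTEST"
      exit 1
    fi
  done
}

#######################################
# Load the installed version from /etc/soversion.
# Globals:   VERSION (written)
# Outputs:   error message on stdout
# Returns:   exits 1 when the file is missing or its content is not usable
#            as a Docker image tag
#######################################
version_check() {
  # Docker tag character set; VERSION is later interpolated into image names,
  # a download URL and file paths under SIGNPATH, so anything else is refused.
  local -r tag_re='^[A-Za-z0-9_][A-Za-z0-9_.-]*$'

  if [ -f /etc/soversion ]; then
    VERSION=$(cat /etc/soversion)
  else
    echo "Unable to detect version. I will now terminate."
    exit 1
  fi

  if [[ ! $VERSION =~ $tag_re ]]; then
    echo "Unexpected version string in /etc/soversion. I will now terminate."
    exit 1
  fi
}

manager_check
version_check

# Use the hostname
HOSTNAME=$(hostname)

# List all the containers
if [ "$MANAGERCHECK" != 'so-helix' ]; then
  TRUSTED_CONTAINERS=(
    "so-acng:$VERSION"
    "so-thehive-cortex:$VERSION"
    "so-curator:$VERSION"
    "so-domainstats:$VERSION"
    "so-elastalert:$VERSION"
    "so-elasticsearch:$VERSION"
    "so-filebeat:$VERSION"
    "so-fleet:$VERSION"
    "so-fleet-launcher:$VERSION"
    "so-freqserver:$VERSION"
    "so-grafana:$VERSION"
    "so-idstools:$VERSION"
    "so-influxdb:$VERSION"
    "so-kibana:$VERSION"
    "so-kratos:$VERSION"
    "so-logstash:$VERSION"
    "so-minio:$VERSION"
    "so-mysql:$VERSION"
    "so-nginx:$VERSION"
    "so-pcaptools:$VERSION"
    "so-playbook:$VERSION"
    "so-redis:$VERSION"
    "so-soc:$VERSION"
    "so-soctopus:$VERSION"
    "so-steno:$VERSION"
    "so-strelka-frontend:$VERSION"
    "so-strelka-manager:$VERSION"
    "so-strelka-backend:$VERSION"
    "so-strelka-filestream:$VERSION"
    "so-suricata:$VERSION"
    "so-telegraf:$VERSION"
    "so-thehive:$VERSION"
    "so-thehive-es:$VERSION"
    "so-wazuh:$VERSION"
    "so-zeek:$VERSION"
  )
else
  TRUSTED_CONTAINERS=(
    "so-filebeat:$VERSION"
    "so-idstools:$VERSION"
    "so-logstash:$VERSION"
    "so-nginx:$VERSION"
    "so-redis:$VERSION"
    "so-steno:$VERSION"
    "so-suricata:$VERSION"
    "so-telegraf:$VERSION"
    "so-zeek:$VERSION"
  )
fi

update_docker_containers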