mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-25 02:13:08 +01:00
165 lines
4.5 KiB
Bash
Executable File
165 lines
4.5 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
IMAGEREPO=securityonion
|
|
|
|
# Check for prerequisites
|
|
if [ "$(id -u)" -ne 0 ]; then
|
|
echo "This script must be run using sudo!"
|
|
exit 1
|
|
fi
|
|
|
|
# Define a banner to separate sections
|
|
banner="========================================================================="
|
|
|
|
header() {
|
|
echo
|
|
printf '%s\n' "$banner" "$*" "$banner"
|
|
}
|
|
|
|
lookup_pillar() {
|
|
key=$1
|
|
salt-call --no-color pillar.get global:${key} --out=newline_values_only
|
|
}
|
|
|
|
lookup_pillar_secret() {
|
|
key=$1
|
|
salt-call --no-color pillar.get secrets:${key} --out=newline_values_only
|
|
}
|
|
|
|
check_container() {
|
|
docker ps | grep "$1:" > /dev/null 2>&1
|
|
return $?
|
|
}
|
|
|
|
check_password() {
|
|
local password=$1
|
|
echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1
|
|
return $?
|
|
}
|
|
|
|
container_list() {
|
|
MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
|
|
if [ $MANAGERCHECK == 'so-import' ]; then
|
|
TRUSTED_CONTAINERS=( \
|
|
"so-idstools" \
|
|
"so-nginx" \
|
|
"so-filebeat" \
|
|
"so-suricata" \
|
|
"so-soc" \
|
|
"so-elasticsearch" \
|
|
"so-kibana" \
|
|
"so-kratos" \
|
|
"so-suricata" \
|
|
"so-registry" \
|
|
"so-pcaptools" \
|
|
"so-zeek" )
|
|
elif [ $MANAGERCHECK != 'so-helix' ]; then
|
|
TRUSTED_CONTAINERS=( \
|
|
"so-acng" \
|
|
"so-thehive-cortex" \
|
|
"so-curator" \
|
|
"so-domainstats" \
|
|
"so-elastalert" \
|
|
"so-elasticsearch" \
|
|
"so-filebeat" \
|
|
"so-fleet" \
|
|
"so-fleet-launcher" \
|
|
"so-freqserver" \
|
|
"so-grafana" \
|
|
"so-idstools" \
|
|
"so-influxdb" \
|
|
"so-kibana" \
|
|
"so-kratos" \
|
|
"so-logstash" \
|
|
"so-minio" \
|
|
"so-mysql" \
|
|
"so-nginx" \
|
|
"so-pcaptools" \
|
|
"so-playbook" \
|
|
"so-redis" \
|
|
"so-soc" \
|
|
"so-soctopus" \
|
|
"so-steno" \
|
|
"so-strelka-frontend" \
|
|
"so-strelka-manager" \
|
|
"so-strelka-backend" \
|
|
"so-strelka-filestream" \
|
|
"so-suricata" \
|
|
"so-telegraf" \
|
|
"so-thehive" \
|
|
"so-thehive-es" \
|
|
"so-wazuh" \
|
|
"so-zeek" )
|
|
else
|
|
TRUSTED_CONTAINERS=( \
|
|
"so-filebeat" \
|
|
"so-idstools" \
|
|
"so-logstash" \
|
|
"so-nginx" \
|
|
"so-redis" \
|
|
"so-steno" \
|
|
"so-suricata" \
|
|
"so-telegraf" \
|
|
"so-zeek" )
|
|
fi
|
|
}
|
|
|
|
update_docker_containers() {
|
|
# Let's make sure we have the public key
|
|
curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import -
|
|
|
|
CONTAINER_REGISTRY=quay.io
|
|
SIGNPATH=/root/sosigs
|
|
rm -rf $SIGNPATH
|
|
mkdir -p $SIGNPATH
|
|
if [ -z "$BRANCH" ]; then
|
|
BRANCH="master"
|
|
fi
|
|
# Download the containers from the interwebs
|
|
for i in "${TRUSTED_CONTAINERS[@]}"
|
|
do
|
|
# Pull down the trusted docker image
|
|
echo "Downloading $i"
|
|
docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i
|
|
|
|
# Get signature
|
|
curl https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/$BRANCH/sigs/images/$i.gpg --output $SIGNPATH/$i.gpg
|
|
if [[ $? -ne 0 ]]; then
|
|
echo "Unable to pull signature file for $i"
|
|
exit 1
|
|
fi
|
|
# Dump our hash values
|
|
docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i | jq '.[0].Created, .[0].Id, .[0].Size, .[0].RootFS.Layers' > $SIGNPATH/$i.txt
|
|
if [[ $? -ne 0 ]]; then
|
|
echo "Unable to inspect $i"
|
|
exit 1
|
|
fi
|
|
GPGTEST=$(gpg --verify $SIGNPATH/$i.gpg $SIGNPATH/$i.txt 2>&1)
|
|
if [[ $? -eq 0 ]]; then
|
|
# Tag it with the new registry destination
|
|
docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i
|
|
docker push $HOSTNAME:5000/$IMAGEREPO/$i
|
|
else
|
|
echo "There is a problem downloading the $i image. Details: "
|
|
echo ""
|
|
echo $GPGTEST
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
} |