From 1043315e6b35cf8d07d924ab8ce6d296b5752e62 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Thu, 12 Oct 2023 09:22:26 -0400 Subject: [PATCH 01/50] Manage Elastic Defend Integration manually --- .../elastic-defend-endpoints.json | 0 .../tools/sbin/so-elastic-fleet-common | 18 +++++++++++++ ...ic-fleet-integration-policy-elastic-defend | 27 +++++++++++++++++++ .../so-elastic-fleet-integration-policy-load | 4 +++ 4 files changed, 49 insertions(+) rename salt/elasticfleet/files/integrations/{endpoints-initial => elastic-defend}/elastic-defend-endpoints.json (100%) mode change 100755 => 100644 salt/elasticfleet/tools/sbin/so-elastic-fleet-common create mode 100755 salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend mode change 100755 => 100644 salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load diff --git a/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json similarity index 100% rename from salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json rename to salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common old mode 100755 new mode 100644 index 6ada43003..c0b4db53a --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common 
@@ -42,6 +42,23 @@ elastic_fleet_integration_create() { curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" } + +elastic_fleet_integration_remove() { + + AGENT_POLICY=$1 + + NAME=$2 + + INTEGRATION_ID=$(/usr/sbin/so-elastic-fleet-agent-policy-view "$AGENT_POLICY" | jq -r '.item.package_policies[] | select(.name=="'"$NAME"'") | .id') + + JSON_STRING=$( jq -n \ + --arg INTEGRATIONID "$INTEGRATION_ID" \ + '{"packagePolicyIds":[$INTEGRATIONID]}' + ) + + curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies/delete" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" +} + elastic_fleet_integration_update() { UPDATE_ID=$1 @@ -98,3 +115,4 @@ elastic_fleet_policy_update() { curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" } + diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend new file mode 100755 index 000000000..c4a7d39fd --- /dev/null +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend 
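Review bot: In `elastic_fleet_integration_remove`, `$NAME` is spliced into the jq program text (`select(.name=="'"$NAME"'")`), so a name containing a double quote or backslash alters the filter instead of being matched literally; pass it as a jq variable instead: `INTEGRATION_ID=$(/usr/sbin/so-elastic-fleet-agent-policy-view "$AGENT_POLICY" | jq -r --arg name "$NAME" '.item.package_policies[] | select(.name==$name) | .id')`. The lookup result is not checked before the delete request, so an empty or multi-line `INTEGRATION_ID` (no match, or several package policies sharing the name) still produces a POST to `package_policies/delete`; add `[ -n "$INTEGRATION_ID" ] || return 1` before building `JSON_STRING`. `INTEGRATION_ID` and `NAME` are also globals here, and the new elastic-defend script appears to read `INTEGRATION_ID` after `elastic_fleet_integration_check`, so a caller that uses both functions in sequence will see the value overwritten — worth a comment in the function header.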
@@ -0,0 +1,27 @@ +#!/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +# Usage: Run with --force to update the Elastic Defend integration policy + +. /usr/sbin/so-elastic-fleet-common + +# Manage Elastic Defend Integration for Initial Endpoints Policy +for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/elastic-defend/*.json +do + printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n" + elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION" + if [ -n "$INTEGRATION_ID" ]; then + if [ "$1" = "--force" ]; then + printf "\n\nIntegration $NAME exists - Updating integration\n" + elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION" + else + printf "\n\nIntegration $NAME exists - Not updating - rerun with --force to force the update.\n" + fi + else + printf "\n\nIntegration does not exist - Creating integration\n" + elastic_fleet_integration_create "@$INTEGRATION" + fi +done diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load old mode 100755 new mode 100644 index ae0fbb6ba..44e7ccf2b --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load @@ -12,6 +12,9 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then # First, check for any package upgrades /usr/sbin/so-elastic-fleet-package-upgrade + # Second, configure Elastic Defend Integration seperately + /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend + # Initial Endpoints for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json do @@ -65,3 +68,4 @@ else exit $RETURN_CODE fi + 
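Review bot: The `printf` calls in the new script use expanded variables as the format string (`printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n"` and the two `$NAME` messages), so a `%` in an integration file name or policy name is interpreted as a conversion; move the data into arguments: `printf '\n\nInitial Endpoints Policy - Loading %s\n' "$INTEGRATION"`. The loop runs without `shopt -s nullglob`, so if `/opt/so/conf/elastic-fleet/integrations/elastic-defend/` is empty the literal `*.json` pattern is handed to `elastic_fleet_integration_check`; a `[ -e "$INTEGRATION" ] || continue` guard at the top of the loop body avoids that. `INTEGRATION_ID` and `NAME` are read here but never set in this file — presumably `elastic_fleet_integration_check` sets them as globals; a one-line comment saying so would help the next reader.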
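Review bot: The file header for `so-elastic-fleet-integration-policy-load` (and for `so-elastic-fleet-common`) records `old mode 100755 / new mode 100644`, which looks accidental rather than part of the change; `so-elastic-fleet-common` is only sourced, but if `so-elastic-fleet-integration-policy-load` is executed by path anywhere the lost execute bit will break it. The added comment reads `seperately`; `# Second, configure Elastic Defend Integration separately`. The new `/usr/sbin/so-elastic-fleet-integration-policy-elastic-defend` call is not checked, so a failure there presumably does not reach the `exit $RETURN_CODE` at the end of the file — the rest of the `if` block is outside the hunk.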
From a671ac387a39a49d384323239692df3857478596 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Thu, 12 Oct 2023 09:45:20 -0400 Subject: [PATCH 02/50] Add hotfix changes --- HOTFIX | 2 +- salt/manager/tools/sbin/soup | 11 +++++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/HOTFIX b/HOTFIX index d3f5a12fa..afd2e4c40 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ - +20231012 diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 960c50f31..fa714cda4 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -691,13 +691,16 @@ verify_latest_update_script() { # Keeping this block in case we need to do a hotfix that requires salt update apply_hotfix() { -# if [[ "$INSTALLEDVERSION" == "2.3.90" ]] ; then -# fix_wazuh + if [[ "$INSTALLEDVERSION" == "2.4.20" ]] ; then + salt-call state.appply elastic-fleet -l info queue=True + . /usr/sbin/so-elastic-fleet-common + elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints + /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend # elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then # 2_3_10_hotfix_1 -# else + else echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" -# fi + fi } From 967138cdff029ff5d0be3dac016be1cc2e7d9b13 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Thu, 12 Oct 2023 10:54:26 -0400 Subject: [PATCH 03/50] Apply state correctly --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index fa714cda4..d128a7c4d 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup 
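Review bot: The three hotfix steps in `apply_hotfix` run unchecked, so if `elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints` fails (Kibana unreachable, or no package policy of that name so the delete body carries an empty id) the script still runs `/usr/sbin/so-elastic-fleet-integration-policy-elastic-defend`, and the old and new Elastic Defend policies can end up side by side. Chain each step as soup does elsewhere, e.g. `elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints || fail "Could not remove the Elastic Defend integration"`. Note that the function's curl exits 0 on an HTTP error response unless `--fail` is set (possibly via `/opt/so/conf/elasticsearch/curl.config` — not visible here), so a status check needs that too.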
@@ -692,7 +692,7 @@ verify_latest_update_script() { # Keeping this block in case we need to do a hotfix that requires salt update apply_hotfix() { if [[ "$INSTALLEDVERSION" == "2.4.20" ]] ; then - salt-call state.appply elastic-fleet -l info queue=True + salt-call state.apply elastic-fleet -l info queue=True . /usr/sbin/so-elastic-fleet-common elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend From 98eab906aff0d269bc92ed02c721afa02408a3ac Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Thu, 12 Oct 2023 11:00:24 -0400 Subject: [PATCH 04/50] Apply named state --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index d128a7c4d..375d48209 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -692,7 +692,7 @@ verify_latest_update_script() { # Keeping this block in case we need to do a hotfix that requires salt update apply_hotfix() { if [[ "$INSTALLEDVERSION" == "2.4.20" ]] ; then - salt-call state.apply elastic-fleet -l info queue=True + salt-call state.apply elasticfleet -l info queue=True . /usr/sbin/so-elastic-fleet-common elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend From 17ae9b33498c6d8ebaf4b503044a5c892ca77ace Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 12 Oct 2023 13:54:07 -0400 Subject: [PATCH 05/50] avoid reboot during testing --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index e35dde579..17c62af81 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -91,7 +91,7 @@ fi # if packages are updated and the box isn't rebooted if [[ $is_debian ]]; then update_packages - if [[ -f "/var/run/reboot-required" ]]; then + if [[ -f "/var/run/reboot-required" ]] && [ -z "$TESTING" ]; then whiptail_debian_reboot_required reboot fi From 49a651fd72deb8e15affdd9a2ca6fc866641283a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 12 Oct 2023 15:43:22 -0400 Subject: [PATCH 06/50] adjust var name --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 17c62af81..60296d2f3 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -91,7 +91,7 @@ fi # if packages are updated and the box isn't rebooted if [[ $is_debian ]]; then update_packages - if [[ -f "/var/run/reboot-required" ]] && [ -z "$TESTING" ]; then + if [[ -f "/var/run/reboot-required" ]] && [ -z "$test_profile" ]; then whiptail_debian_reboot_required reboot fi From b6af59d9b09c8ea405275cdebedd9ec000ca042c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 12 Oct 2023 15:47:53 -0400 Subject: [PATCH 07/50] 2.4.20 hotfix --- DOWNLOAD_AND_VERIFY_ISO.md | 22 ++++++++++----------- sigs/securityonion-2.4.20-20231012.iso.sig | Bin 0 -> 566 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.4.20-20231012.iso.sig diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index dabfd285c..539dd9e8e 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md 
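Review bot: The new condition mixes `[[ ... ]]` and `[ ... ]` in one `if` (`if [[ -f "/var/run/reboot-required" ]] && [ -z "$test_profile" ]; then`); keep to the bash form in a single test: `if [[ -f "/var/run/reboot-required" && -z "$test_profile" ]]; then`. Both hunks in this line (the earlier `$TESTING` version and this rename) have the same shape. `$test_profile` is set outside the hunk, so a short comment naming where it comes from, e.g. `# test_profile is set from the setup arguments; skip the reboot prompt under automated testing`, would help a reader.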
@@ -1,18 +1,18 @@ -### 2.4.20-20231006 ISO image released on 2023/10/06 +### 2.4.20-20231012 ISO image released on 2023/10/12 ### Download and Verify -2.4.20-20231006 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso +2.4.20-20231012 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231012.iso -MD5: 269F00308C53976BF0EAE788D1DB29DB -SHA1: 3F7C2324AE1271112F3B752BA4724AF36688FC27 -SHA256: 542B8B3F4F75AD24DC78007F8FE0857E00DC4CC9F4870154DCB8D5D0C4144B65 +MD5: 7D6ACA843068BA9432B3FF63BFD1EF0F +SHA1: BEF2B906066A1B04921DF0B80E7FDD4BC8ECED5C +SHA256: 5D511D50F11666C69AE12435A47B9A2D30CB3CC88F8D38DC58A5BC0ECADF1BF5 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231012.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231012.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231012.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.20-20231006.iso.sig securityonion-2.4.20-20231006.iso +gpg --verify securityonion-2.4.20-20231012.iso.sig securityonion-2.4.20-20231012.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Tue 03 Oct 2023 11:40:51 AM EDT using RSA key ID FE507013 +gpg: Signature made Thu 12 Oct 2023 01:28:32 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.4.20-20231012.iso.sig b/sigs/securityonion-2.4.20-20231012.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..0704f7d1c253915a81383222f6238a3d5d62bdc7 GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%a&HzyJyf5PT3| zxBgIY6GqGr|4VA;xMiecEI{gjUYL2W<40M5tH3?g_4Y`oAyjO0cF^+WeS(7J&}s@- zOx2!={+X!hztM{3;w{PuK!3{CmAU`PQ&$_PYvXIryf9AkQx<`1Y-n?Q4}$ReYDY3- zkL(mYW^n4{y1r-VgH^6u3?|#b4##(wrBYf2cnH-$P@^;F?}mn^Shy*wY1|{RxVK>Y zkDh@Zu0{#DHO9VL@2m3obxlgVjXDj#1DCsA3)icR&Ga?8SBYq)3A$0cy(Dt zXwe(*W;p4(pZ6@(4I~+#m-LG}X3CVX>(h6_RFs@|0})09rzd0EGN)L=x8R@##@1yl zTVF>NT-rxZS))jQ$y*ZN_uG}Wzt-83>^~YInB}AP#c_kMtOq^Mq9Fz_pnaBK5n3=- ze5mCQDqMFZ9Cq2l_+r2>`LTS*y7qBP8muMVWwBg4Dkfo?^4ljQ#&zf*JT^%6ZGk$fS=MJ$EP$=Oler)b>|nKO z;BgH?2IF-C&M23kWqbMLwfY-*_FiIR`KjmETbDAfJ!Ut}G&{9jy!%A#P6!6+BY-Uc zNhi2Du?+1A*_2tG5E20s%kvm{T=H}fPuvT@XbP{zF+!aqy+vby-3$^HTHk}9KXsA{ EFqyLvWB>pF literal 0 HcmV?d00001 From 6c5f8e4e2d2a3ada0ee87f13b3304ab42fae8c7f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 12 Oct 2023 16:19:59 -0400 Subject: [PATCH 08/50] Update HOTFIX --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index afd2e4c40..d3f5a12fa 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -20231012 + From 1641aa111b2f2f4b86e75bb28aec5c5332a23051 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 13 Oct 2023 13:46:31 -0400 Subject: [PATCH 09/50] add checkmine back --- salt/salt/engines/checkmine.py | 28 ++++++++++++++++++++++++++++ salt/salt/files/engines.conf | 6 ++++++ salt/salt/master.sls | 7 +++++-- 3 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 salt/salt/engines/checkmine.py create mode 100644 salt/salt/files/engines.conf diff --git a/salt/salt/engines/checkmine.py b/salt/salt/engines/checkmine.py new file mode 100644 index 000000000..851d9a555 --- /dev/null +++ b/salt/salt/engines/checkmine.py 
@@ -0,0 +1,28 @@ +# -*- coding: utf-8 -*- + +import logging +from time import sleep +from os import remove + +log = logging.getLogger(__name__) + +def start(interval=30): + log.info("checkmine engine started") + minionid = __grains__['id'] + while True: + try: + ca_crt = __salt__['saltutil.runner']('mine.get', tgt=minionid, fun='x509.get_pem_entries')[minionid]['/etc/pki/ca.crt'] + log.info('Successfully queried Salt mine for the CA.') + except: + log.error('Could not pull CA from the Salt mine.') + log.info('Removing /var/cache/salt/master/minions/%s/mine.p to force Salt mine to be repopulated.' % minionid) + try: + remove('/var/cache/salt/master/minions/%s/mine.p' % minionid) + log.info('Removed /var/cache/salt/master/minions/%s/mine.p' % minionid) + except FileNotFoundError: + log.error('/var/cache/salt/master/minions/%s/mine.p does not exist' % minionid) + + __salt__['mine.send'](name='x509.get_pem_entries', glob_path='/etc/pki/ca.crt') + log.warning('Salt mine repopulated with /etc/pki/ca.crt') + + sleep(interval) diff --git a/salt/salt/files/engines.conf b/salt/salt/files/engines.conf new file mode 100644 index 000000000..878aa9c49 --- /dev/null +++ b/salt/salt/files/engines.conf @@ -0,0 +1,6 @@ +engines_dirs: + - /etc/salt/engines + +engines: + - checkmine: + interval: 30 diff --git a/salt/salt/master.sls b/salt/salt/master.sls index b10a4df0f..1e0e6e303 100644 --- a/salt/salt/master.sls +++ b/salt/salt/master.sls @@ -18,14 +18,17 @@ salt_master_service: - enable: True checkmine_engine: - file.absent: + file.managed: - name: /etc/salt/engines/checkmine.py + - source: salt://salt/engines/checkmine.py + - makedirs: True - watch_in: - service: salt_minion_service engines_config: - file.absent: + file.managed: - name: /etc/salt/minion.d/engines.conf + - source: salt://salt/files/engines.conf - watch_in: - service: salt_minion_service From 57684efddfe99b92b5297fd6435d8eed0e47cfa8 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Fri, 13 Oct 2023 16:23:16 -0400 Subject: [PATCH 10/50] checkmine looks for 1 byte file and verify mine ip is correct --- salt/salt/engines/checkmine.py | 58 +++++++++++++++++++++++----------- 1 file changed, 39 insertions(+), 19 deletions(-) diff --git a/salt/salt/engines/checkmine.py b/salt/salt/engines/checkmine.py index 851d9a555..54f66a5ed 100644 --- a/salt/salt/engines/checkmine.py +++ b/salt/salt/engines/checkmine.py 
@@ -2,27 +2,47 @@ import logging from time import sleep -from os import remove +import os +import salt.client log = logging.getLogger(__name__) +local = salt.client.LocalClient() -def start(interval=30): - log.info("checkmine engine started") - minionid = __grains__['id'] - while True: - try: - ca_crt = __salt__['saltutil.runner']('mine.get', tgt=minionid, fun='x509.get_pem_entries')[minionid]['/etc/pki/ca.crt'] - log.info('Successfully queried Salt mine for the CA.') - except: - log.error('Could not pull CA from the Salt mine.') - log.info('Removing /var/cache/salt/master/minions/%s/mine.p to force Salt mine to be repopulated.' % minionid) - try: - remove('/var/cache/salt/master/minions/%s/mine.p' % minionid) - log.info('Removed /var/cache/salt/master/minions/%s/mine.p' % minionid) - except FileNotFoundError: - log.error('/var/cache/salt/master/minions/%s/mine.p does not exist' % minionid) +def start(interval=10): + def mine_flush(minion): + log.warning('checkmine engine: flushing mine cache for %s' % minion) + local.cmd(minion, 'mine.flush') - __salt__['mine.send'](name='x509.get_pem_entries', glob_path='/etc/pki/ca.crt') - log.warning('Salt mine repopulated with /etc/pki/ca.crt') + def mine_update(minion): + log.warning('checkmine engine: updating mine cache for %s' % minion) + local.cmd(minion, 'mine.update') - sleep(interval) + log.info("checkmine engine: started") + cachedir = __opts__['cachedir'] + while True: + log.debug('checkmine engine: checking which minions are alive') + manage_alived = __salt__['saltutil.runner']('manage.alived', show_ip=True) + log.debug('checkmine engine: alive minions: %s' % ' , '.join(manage_alived)) + + for minion in manage_alived: + mine_path = os.path.join(cachedir, 'minions', minion, 'mine.p') + mine_size = os.path.getsize(mine_path) + log.debug('checkmine engine: minion: %s mine_size: %i' % (minion, mine_size)) + # For some reason the mine file can be corrupt and only be 1 byte in size + if mine_size == 1: + 
log.error('checkmine engine: found %s to be 1 byte' % mine_path) + mine_flush(minion) + mine_update(minion) + # Update the mine if the ip in the mine doesn't match returned from manage.alived + else: + network_ip_addrs = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='network.ip_addrs') + mine_ip = network_ip_addrs[minion][0] + log.debug('checkmine engine: minion: %s mine_ip: %s' % (minion, mine_ip)) + manage_alived_ip = manage_alived[minion] + log.debug('checkmine engine: minion: %s managed_alived_ip: %s' % (minion, manage_alived_ip)) + if mine_ip != manage_alived_ip: + log.error('checkmine engine: found minion %s has manage_alived_ip %s but a mine_ip of %s' % (minion, manage_alived_ip, mine_ip)) + mine_flush(minion) + mine_update(minion) + + sleep(interval) From e23b3a62f30f2467389ba68578a7056943387f0c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 13 Oct 2023 16:24:11 -0400 Subject: [PATCH 11/50] default interval of 60s --- salt/salt/engines/checkmine.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/salt/engines/checkmine.py b/salt/salt/engines/checkmine.py index 54f66a5ed..09e624ba3 100644 --- a/salt/salt/engines/checkmine.py +++ b/salt/salt/engines/checkmine.py @@ -8,7 +8,7 @@ import salt.client log = logging.getLogger(__name__) local = salt.client.LocalClient() -def start(interval=10): +def start(interval=60): def mine_flush(minion): log.warning('checkmine engine: flushing mine cache for %s' % minion) local.cmd(minion, 'mine.flush') From 2773da5a125623cb10a4983394d5862bf8419427 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 16 Oct 2023 10:34:45 -0400 Subject: [PATCH 12/50] run the checkmine engine under master instead of minion --- salt/salt/engines/{ => master}/checkmine.py | 0 salt/salt/files/engines.conf | 2 +- salt/salt/master.sls | 19 +++++++++++++++---- 3 files changed, 16 insertions(+), 5 deletions(-) rename salt/salt/engines/{ => master}/checkmine.py (100%) 
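Review bot: Two lookups in the per-minion loop can raise and take the whole engine down, since nothing in `start()` catches them: `os.path.getsize(mine_path)` raises `FileNotFoundError` for a minion whose mine file does not exist yet, and `network_ip_addrs[minion][0]` raises `KeyError`/`IndexError` when `mine.get` returns no `network.ip_addrs` entry for that minion. Either case is exactly the "mine needs repopulating" condition the engine exists to fix, so handle both by flushing/updating and continuing, as below. Comparing only the first address in the mine with the single address `manage.alived` reports may also flag a multi-homed minion every interval; if that matters, `manage_alived_ip not in mine_ips` is the safer test. Pre-formatting log messages with `%` instead of `log.error('... %s', minion)` is a style point only.
```python
            mine_path = os.path.join(cachedir, 'minions', minion, 'mine.p')
            try:
                mine_size = os.path.getsize(mine_path)
            except OSError as e:
                # no (readable) mine file yet: treat it like a corrupt one instead of letting the engine die
                log.error('checkmine engine: cannot stat %s: %s' % (mine_path, e))
                mine_flush(minion)
                mine_update(minion)
                continue
            if mine_size == 1:
                # … unchanged: 1-byte flush/update …
            else:
                network_ip_addrs = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='network.ip_addrs')
                mine_ips = network_ip_addrs.get(minion) or []
                if not mine_ips:
                    # mine has no network.ip_addrs for this minion: repopulate rather than IndexError
                    log.error('checkmine engine: no network.ip_addrs in mine for %s' % minion)
                    mine_flush(minion)
                    mine_update(minion)
                    continue
                mine_ip = mine_ips[0]
                # … unchanged: compare mine_ip with manage_alived[minion] and flush/update on mismatch …
```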
diff --git a/salt/salt/engines/checkmine.py b/salt/salt/engines/master/checkmine.py similarity index 100% rename from salt/salt/engines/checkmine.py rename to salt/salt/engines/master/checkmine.py diff --git a/salt/salt/files/engines.conf b/salt/salt/files/engines.conf index 878aa9c49..7c43e99e1 100644 --- a/salt/salt/files/engines.conf +++ b/salt/salt/files/engines.conf @@ -3,4 +3,4 @@ engines_dirs: engines: - checkmine: - interval: 30 + interval: 60 diff --git a/salt/salt/master.sls b/salt/salt/master.sls index 1e0e6e303..182498678 100644 --- a/salt/salt/master.sls +++ b/salt/salt/master.sls @@ -20,17 +20,28 @@ salt_master_service: checkmine_engine: file.managed: - name: /etc/salt/engines/checkmine.py - - source: salt://salt/engines/checkmine.py + - source: salt://salt/engines/master/checkmine.py - makedirs: True - watch_in: - - service: salt_minion_service + - service: salt_master_service -engines_config: - file.managed: +# prior to 2.4.30 this engine ran on the manager with salt-minion +# this has changed to running with the salt-master in 2.4.30 +remove_engines_config: + file.absent: - name: /etc/salt/minion.d/engines.conf - source: salt://salt/files/engines.conf - watch_in: - service: salt_minion_service + - order: last + +engines_config: + file.managed: + - name: /etc/salt/master.d/engines.conf + - source: salt://salt/files/engines.conf + - watch_in: + - service: salt_master_service + - order: last {% else %} From 1a7761c531968ca62edea907b6c615dd39db5d7d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 16 Oct 2023 11:00:31 -0400 Subject: [PATCH 13/50] display container dl status during soup --- salt/common/tools/sbin/so-image-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index 11d2d6366..82487d69b 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common 
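Review bot: `remove_engines_config` is now a `file.absent` state but still carries `- source: salt://salt/files/engines.conf`, a leftover from the `file.managed` it replaced; `file.absent` does not use `source`, so drop that line (the same leftover is still present after the later reorder of this file at the `@@ -32,15 +19,26 @@` hunk). The state also keeps `watch_in: - service: salt_minion_service`, an ID that lives in minion.sls; if `salt.master` is ever applied on its own (so-setup now runs `salt-call state.apply salt.master`) the requisite presumably cannot be resolved — confirm that minion.sls is always included in the same run, or move the requisite to a state this file defines.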
@@ -137,7 +137,7 @@ update_docker_containers() { for i in "${TRUSTED_CONTAINERS[@]}" do if [ -z "$PROGRESS_CALLBACK" ]; then - echo "Downloading $i" >> "$LOG_FILE" 2>&1 + echo "Downloading $i" 2>&1 | tee "$LOG_FILE" else $PROGRESS_CALLBACK $i fi From 07902d17cc4fea82cb24af20b16810a18fc6fdb8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 16 Oct 2023 11:20:19 -0400 Subject: [PATCH 14/50] display container dl status during soup --- salt/common/tools/sbin/so-image-common | 2 +- salt/manager/tools/sbin/soup | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index 82487d69b..7e510e3ad 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -137,7 +137,7 @@ update_docker_containers() { for i in "${TRUSTED_CONTAINERS[@]}" do if [ -z "$PROGRESS_CALLBACK" ]; then - echo "Downloading $i" 2>&1 | tee "$LOG_FILE" + echo "Downloading $i" >> "$LOG_FILE" 2>&1 else $PROGRESS_CALLBACK $i fi diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 998d27539..0e11276ea 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -829,7 +829,7 @@ main() { else update_registry set +e - update_docker_containers "soup" "" "" "$SOUP_LOG" + update_docker_containers 'soup' '' '' '/dev/stdout' 2>&1 | tee -a "$SOUP_LOG" set -e fi From 84c39b5de7b40b59577d7f7e41de78ff0e51e294 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 16 Oct 2023 13:01:13 -0400 Subject: [PATCH 15/50] only add heavynodes to remoteHostUrls --- salt/soc/defaults.map.jinja | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja index 2587051c5..83cb5637c 100644 --- a/salt/soc/defaults.map.jinja +++ b/salt/soc/defaults.map.jinja 
@@ -13,11 +13,13 @@ {% do SOCDEFAULTS.soc.config.server.modules[module].update({'hostUrl': application_url}) %} {% endfor %} -{# add nodes from the logstash:nodes pillar to soc.server.modules.elastic.remoteHostUrls #} +{# add all grid heavy nodes to soc.server.modules.elastic.remoteHostUrls #} {% for node_type, minions in salt['pillar.get']('logstash:nodes', {}).items() %} -{% for m in minions.keys() %} -{% do SOCDEFAULTS.soc.config.server.modules.elastic.remoteHostUrls.append('https://' ~ m ~ ':9200') %} -{% endfor %} +{% if node_type in ['heavynode'] %} +{% for m in minions.keys() %} +{% do SOCDEFAULTS.soc.config.server.modules.elastic.remoteHostUrls.append('https://' ~ m ~ ':9200') %} +{% endfor %} +{% endif %} {% endfor %} {% do SOCDEFAULTS.soc.config.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %} From a637b0e61b53976a15035f225197e01f12de50d4 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 16 Oct 2023 14:58:58 -0400 Subject: [PATCH 16/50] apply salt.master and minion state early in setup to prevent the services from restarting later in setup --- setup/so-setup | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 60296d2f3..dc209b756 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -714,6 +714,7 @@ if ! [[ -f $install_opt_file ]]; then logCmd "salt-call state.apply common.packages" logCmd "salt-call state.apply common" + logCmd "salt-call state.apply salt.master" logCmd "salt-call state.apply docker" firewall_generate_templates set_initial_firewall_policy @@ -768,8 +769,6 @@ if ! [[ -f $install_opt_file ]]; then checkin_at_boot set_initial_firewall_access logCmd "salt-call schedule.enable -linfo --local" - systemctl restart salt-master - systemctl restart salt-minion verify_setup else touch /root/accept_changes From c0030bc513001530c57ee880708ccf1a8805f8ea Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Mon, 16 Oct 2023 15:00:07 -0400 Subject: [PATCH 17/50] dont need to restart minion service when just adding sleep delay on service start --- salt/salt/minion.sls | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index 865bd367f..e0c422e7f 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls @@ -67,6 +67,9 @@ set_log_levels: - "log_level: info" - "log_level_logfile: info" +# prior to 2.4.30 this managed file would restart the salt-minion service when updated +# since this file is currently only adding a sleep timer on service start +# it is not required to restart the service salt_minion_service_unit_file: file.managed: - name: {{ SYSTEMD_UNIT_FILE }} @@ -89,6 +92,5 @@ salt_minion_service: - file: mine_functions {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %} - file: set_log_levels - - file: salt_minion_service_unit_file {% endif %} - order: last From 9f3a9dfab09b1b11b7cbbab152d952babc4e2c16 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 16 Oct 2023 15:00:53 -0400 Subject: [PATCH 18/50] reorder salt.master state --- salt/salt/master.sls | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/salt/salt/master.sls b/salt/salt/master.sls index 182498678..0a65f3e01 100644 --- a/salt/salt/master.sls +++ b/salt/salt/master.sls @@ -12,19 +12,6 @@ hold_salt_master_package: - name: salt-master {% endif %} -salt_master_service: - service.running: - - name: salt-master - - enable: True - -checkmine_engine: - file.managed: - - name: /etc/salt/engines/checkmine.py - - source: salt://salt/engines/master/checkmine.py - - makedirs: True - - watch_in: - - service: salt_master_service - # prior to 2.4.30 this engine ran on the manager with salt-minion # this has changed to running with the salt-master in 2.4.30 remove_engines_config: 
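Review bot: The comment added above `salt_minion_service_unit_file` explains why the watch was dropped but leaves a trap: the next change to `{{ SYSTEMD_UNIT_FILE }}` that does more than add a start delay will silently not restart the minion, and a changed unit file also needs a `systemctl daemon-reload`, which presumably was only triggered through the restart. Make that explicit in the comment, e.g. `# NOTE: if this unit file ever changes anything other than the start delay, restore the watch under salt_minion_service (and ensure a daemon-reload)`. The `salt_minion_service` state that lost the `- file:` entry starts outside the second hunk.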
@@ -32,15 +19,26 @@ remove_engines_config: - name: /etc/salt/minion.d/engines.conf - source: salt://salt/files/engines.conf - watch_in: - - service: salt_minion_service - - order: last + - service: salt_minion_service + +checkmine_engine: + file.managed: + - name: /etc/salt/engines/checkmine.py + - source: salt://salt/engines/master/checkmine.py + - makedirs: True engines_config: file.managed: - name: /etc/salt/master.d/engines.conf - source: salt://salt/files/engines.conf - - watch_in: - - service: salt_master_service + +salt_master_service: + service.running: + - name: salt-master + - enable: True + - watch: + - file: checkmine_engine + - file: engines_config - order: last {% else %} From e5c936e8cf088fe46597333e6aaa921a99c6ccc9 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 16 Oct 2023 15:18:26 -0400 Subject: [PATCH 19/50] Replace external zeek-community-id with builtin community-id. Disable plugin-tds + plugin-profinet. Not updated for Zeek 6.x Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/zeek/defaults.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index 4435670a2..ad34e1a93 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml @@ -49,12 +49,13 @@ zeek: - frameworks/files/hash-all-files - frameworks/files/detect-MHR - policy/frameworks/notice/extend-email/hostnames + - policy/frameworks/notice/community-id + - policy/protocols/conn/community-id-logging - ja3 - hassh - intel - cve-2020-0601 - securityonion/bpfconf - - securityonion/communityid - securityonion/file-extraction - oui-logging - icsnpp-modbus @@ -65,8 +66,8 @@ zeek: - icsnpp-opcua-binary - icsnpp-bsap - icsnpp-s7comm - - zeek-plugin-tds - - zeek-plugin-profinet + # - zeek-plugin-tds + # - zeek-plugin-profinet - zeek-spicy-wireguard - zeek-spicy-stun load-sigs: 
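Review bot: Swapping `securityonion/communityid` for the builtin `policy/frameworks/notice/community-id` and `policy/protocols/conn/community-id-logging` scripts changes which script writes the `community_id` field, so check that the field name and the hashing options (seed, base64 output) in `conn.log` are unchanged — Elasticsearch ingest pipelines and any detection that joins Zeek and Suricata events on Community ID would otherwise break silently. The commented `# - zeek-plugin-tds` / `# - zeek-plugin-profinet` entries are removed again in the next commit, so nothing more to do there.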
@@ -75,7 +76,7 @@ zeek: - LogAscii::use_json = T; - CaptureLoss::watch_interval = 5 mins; networks: - HOME_NET: + HOME_NET: - 192.168.0.0/16 - 10.0.0.0/8 - 172.16.0.0/12 @@ -120,4 +121,4 @@ zeek: - stats - stderr - stdout - + From ed693a7ae67e63e547e45a141fc570030749e7a5 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 16 Oct 2023 15:48:51 -0400 Subject: [PATCH 20/50] Remove commented lines in defaults.yaml to avoid UI issues. Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/zeek/defaults.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index ad34e1a93..ce22c1aef 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml @@ -66,8 +66,6 @@ zeek: - icsnpp-opcua-binary - icsnpp-bsap - icsnpp-s7comm - # - zeek-plugin-tds - # - zeek-plugin-profinet - zeek-spicy-wireguard - zeek-spicy-stun load-sigs: From 53fcafea50fb4f7f07928d0252d465560cd86dad Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 16 Oct 2023 16:31:43 -0400 Subject: [PATCH 21/50] redo how we check if salt-master is ready and accessible --- salt/common/tools/sbin/so-common | 22 +++++++++++++++++----- salt/manager/tools/sbin/soup | 12 +++--------- setup/so-functions | 5 ----- setup/so-setup | 5 +++++ 4 files changed, 25 insertions(+), 19 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index f754b34ef..c19d51a42 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -133,11 +133,23 @@ check_elastic_license() { } check_salt_master_status() { - local timeout=$1 - echo "Checking if we can talk to the salt master" - salt-call state.show_top concurrent=true - - return + local count=0 + local attempts="${1:- 10}" + current_time="$(date '+%b %d %H:%M:%S')" + echo "Checking if we can access the salt master and that it is ready at: ${current_time}" + while ! salt-call state.show_top -l error concurrent=true 1> /dev/null; do + current_time="$(date '+%b %d %H:%M:%S')" + echo "Can't access salt master or it is not ready at: ${current_time}" + ((count+=1)) + if [[ $count -eq $attempts ]]; then + # 10 attempts takes about 5.5 minutes + echo "Gave up trying to access salt-master" + return 1 + fi + done + current_time="$(date '+%b %d %H:%M:%S')" + echo "Successfully accessed and salt master ready at: ${current_time}" + return 0 } check_salt_minion_status() { diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 0e11276ea..84501bad5 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -736,14 +736,8 @@ main() { echo "" set_os - if ! check_salt_master_status; then - echo "Could not talk to salt master" - echo "Please run 'systemctl status salt-master' to ensure the salt-master service is running and check the log at /opt/so/log/salt/master." - echo "SOUP will now attempt to start the salt-master service and exit." - exit 1 - fi - echo "This node can communicate with the salt-master." + check_salt_master_status 1 || fail "Could not talk to salt master: Please run 'systemctl status salt-master' to ensure the salt-master service is running and check the log at /opt/so/log/salt/master." echo "Checking to see if this is a manager." echo "" 
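Review bot: In `check_salt_master_status`, the default in `local attempts="${1:- 10}"` contains a leading space (`" 10"`); bash arithmetic in `[[ $count -eq $attempts ]]` appears to tolerate it, but it is a latent surprise for any later string use — write `local attempts="${1:-10}"`. `current_time` is assigned three times without `local`, so the function leaks it into the caller's scope; add `local current_time` next to the other locals. The loop has no delay of its own: the "about 5.5 minutes" in the comment only holds while each `salt-call` spends its full internal timeout, and if salt-call fails fast (missing config, permission error) all attempts are used up in seconds — a `sleep 5` after the failure message makes the retry budget predictable, and the comment should refer to `$attempts` rather than the literal 10.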
@@ -881,7 +875,7 @@ main() { # Testing that salt-master is up by checking that is it connected to itself set +e echo "Waiting on the Salt Master service to be ready." - salt-call state.show_top -l error queue=True || fail "salt-master could not be reached. Check $SOUP_LOG for details." + check_salt_master_status || fail "Can't access salt master or it is not ready. Check $SOUP_LOG for details." set -e # update the salt-minion configs here and start the minion @@ -917,7 +911,7 @@ main() { set +e echo "Waiting on the Salt Master service to be ready." - salt-call state.show_top -l error queue=True || fail "salt-master could not be reached. Check $SOUP_LOG for details." + check_salt_master_status || fail "Can't access salt master or it is not ready. Check $SOUP_LOG for details." set -e echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes." diff --git a/setup/so-functions b/setup/so-functions index 42a4b4ac6..68fd01550 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2111,11 +2111,6 @@ saltify() { } -# Run a salt command to generate the minion key -salt_firstcheckin() { - salt-call state.show_top >> /dev/null 2>&1 # send output to /dev/null because we don't actually care about the ouput -} - salt_install_module_deps() { logCmd "salt-pip install docker --no-index --only-binary=:all: --find-links files/salt_module_deps/docker/" logCmd "salt-pip install pymysql --no-index --only-binary=:all: --find-links files/salt_module_deps/pymysql/" diff --git a/setup/so-setup b/setup/so-setup index dc209b756..4db24aa1a 100755 --- a/setup/so-setup +++ b/setup/so-setup 
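Review bot: The replaced call ran `state.show_top -l error queue=True`, which makes salt-call wait behind an in-progress state run, whereas `check_salt_master_status` probes with `concurrent=true`, which bypasses the state lock instead of waiting; for a read-only `show_top` that is probably equivalent, but it is a behavioural change worth a comment at the call site, e.g. `# probe uses concurrent=true: must not block on, or fail because of, a running state job`. The same replacement is made in the second soup hunk (`@@ -917,7 +911,7`). Both call sites are inside `main()`, which starts and ends outside the hunks.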
@@ -715,6 +715,11 @@ if ! [[ -f $install_opt_file ]]; then logCmd "salt-call state.apply common.packages" logCmd "salt-call state.apply common" logCmd "salt-call state.apply salt.master" + + # wait here until we get a response from the salt-master since it may have just restarted + # exit setup after 5-6 minutes of trying + check_salt_master_status || fail "Can't access salt master or it is not ready" + logCmd "salt-call state.apply docker" firewall_generate_templates set_initial_firewall_policy From 01cb0fccb62fb1cfebdb4be88d9b2201a7cd8559 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 17 Oct 2023 10:01:11 -0400 Subject: [PATCH 22/50] mark suricata 7 log line as fp fo so-log-check --- salt/common/tools/sbin/so-log-check | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check index c2d16fd86..395f60c7d 100755 --- a/salt/common/tools/sbin/so-log-check +++ b/salt/common/tools/sbin/so-log-check @@ -136,6 +136,7 @@ if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then EXCLUDED_ERRORS="$EXCLUDED_ERRORS|invalid query input" # false positive (Invalid user input in hunt query) EXCLUDED_ERRORS="$EXCLUDED_ERRORS|example" # false positive (example test data) EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status 200" # false positive (request successful, contained error string in content) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|app_layer.error" # false positive (suricata 7) in stats.log e.g. app_layer.error.imap.parser | Total | 0 fi if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then @@ -230,4 +231,4 @@ else echo -e "\nResult: One or more errors found" fi -exit $RESULT \ No newline at end of file +exit $RESULT From 7c2cdb78e92d58ab0ef5363a2098915394674d11 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 17 Oct 2023 10:31:53 -0400 Subject: [PATCH 23/50] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 8ea99f559..7d52aac7f 100644 
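Review bot: `app_layer.error` is appended to `EXCLUDED_ERRORS`, which the surrounding lines build as a `|`-joined alternation (presumably fed to an extended-regex grep), so the unescaped `.` matches any character rather than a literal dot; `app_layer\.error` expresses the intent stated in the trailing comment. The exclusion is also not limited to stats.log, so any other log line containing that substring is silenced as well — if that is broader than intended, anchoring on the stats.log shape (e.g. `app_layer\.error\.[a-z0-9_]+ *\|`) would keep genuine Suricata app-layer errors visible. The enclosing `if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]` block starts outside the hunk.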
--- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.30 +2.4.0-foxtrot From 1db88bdbb59357988c4e335b5a908785b93a101c Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 17 Oct 2023 10:33:39 -0400 Subject: [PATCH 24/50] Update so-common --- salt/common/tools/sbin/so-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index c19d51a42..a2f11555a 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -8,7 +8,7 @@ # Elastic agent is not managed by salt. Because of this we must store this base information in a # script that accompanies the soup system. Since so-common is one of those special soup files, # and since this same logic is required during installation, it's included in this file. -ELASTIC_AGENT_TARBALL_VERSION="8.8.2" +ELASTIC_AGENT_TARBALL_VERSION="8.10.3" ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" From 24329e3731564bacdeeb7806318c6d752602311e Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 17 Oct 2023 10:34:38 -0400 Subject: [PATCH 25/50] Update config_saved_objects.ndjson --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index a2dedd324..c3742af6d 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.8.2","id": "8.8.2","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.10.3","id": "8.10.3","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From 8db6fef92dd6e998bafcacfdaad83b2948ce63a7 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 17 Oct 2023 10:35:36 -0400 Subject: [PATCH 26/50] Elastic 8.10.3 --- salt/kibana/tools/sbin_jinja/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/tools/sbin_jinja/so-kibana-config-load b/salt/kibana/tools/sbin_jinja/so-kibana-config-load index 159a69e68..88195f32b 100644 --- a/salt/kibana/tools/sbin_jinja/so-kibana-config-load +++ b/salt/kibana/tools/sbin_jinja/so-kibana-config-load @@ -63,7 +63,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.8.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.10.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done 
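Review bot: The Kibana config saved-object version is now hard-coded in three places that have to move in lockstep — this PUT URL, the `id`/`coreMigrationVersion` in `config_saved_objects.ndjson`, and `ELASTIC_AGENT_TARBALL_VERSION` in so-common — and PATCH 24–26 and 28–30 show the same triple bump being repeated within this series. Since this file lives under `sbin_jinja`, the version could be rendered from one pillar/defaults value, or read from the ndjson line itself with `jq -r .id`, so a missed bump cannot silently leave the PUT targeting a config object that does not exist. On the following context line, `echo $RESPONSE` word-splits and globs the JSON body; `printf '%s\n' "$RESPONSE"` is the safe form, though that line is unchanged by this commit. `update()` starts outside the hunk.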
From adcb7840bd03b36553a6b8c1a28bf1912b731eeb Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 17 Oct 2023 10:38:20 -0400 Subject: [PATCH 27/50] Elastic 8.10.3 --- .../integrations/elastic-defend/elastic-defend-endpoints.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json index 8ab4f748e..de35f803b 100644 --- a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json +++ b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json @@ -5,7 +5,7 @@ "package": { "name": "endpoint", "title": "Elastic Defend", - "version": "8.8.0" + "version": "8.10.2" }, "enabled": true, "policy_id": "endpoints-initial", From 99054a2687c5b20795d48f26d5a823db92aa03ba Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 17 Oct 2023 10:47:26 -0400 Subject: [PATCH 28/50] Elastic 8.10.4 --- salt/common/tools/sbin/so-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index a2f11555a..530cdeb60 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -8,7 +8,7 @@ # Elastic agent is not managed by salt. Because of this we must store this base information in a # script that accompanies the soup system. Since so-common is one of those special soup files, # and since this same logic is required during installation, it's included in this file. -ELASTIC_AGENT_TARBALL_VERSION="8.10.3" +ELASTIC_AGENT_TARBALL_VERSION="8.10.4" ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" From 8cab242ad079237d50e7aeb9165df794dc432b4d Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 17 Oct 2023 10:48:31 -0400 Subject: [PATCH 29/50] Elastic 8.10.4 --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index c3742af6d..bc503debb 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.10.3","id": "8.10.3","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.10.4","id": "8.10.4","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From be2a8295247fea2bdb56af616303fbecf36b9651 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 17 Oct 2023 10:49:03 -0400 Subject: [PATCH 30/50] Elastic 8.10.4 --- salt/kibana/tools/sbin_jinja/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/tools/sbin_jinja/so-kibana-config-load b/salt/kibana/tools/sbin_jinja/so-kibana-config-load index 88195f32b..b9df9c6d4 100644 --- a/salt/kibana/tools/sbin_jinja/so-kibana-config-load +++ b/salt/kibana/tools/sbin_jinja/so-kibana-config-load @@ -63,7 +63,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.10.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.10.4" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done 
From 06e731c762b7ec877729cadec5c3bc7aa855b5d9 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 17 Oct 2023 13:33:12 -0400 Subject: [PATCH 31/50] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 7d52aac7f..8ea99f559 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.0-foxtrot +2.4.30 From 496b97d706365da98f38ad4965a5bcb69be2db48 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 17 Oct 2023 15:42:42 -0400 Subject: [PATCH 32/50] handle the mine file not being present before checking the size --- salt/salt/engines/master/checkmine.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/salt/salt/engines/master/checkmine.py b/salt/salt/engines/master/checkmine.py index 09e624ba3..0cfb4032d 100644 --- a/salt/salt/engines/master/checkmine.py +++ b/salt/salt/engines/master/checkmine.py @@ -26,8 +26,16 @@ def start(interval=60): for minion in manage_alived: mine_path = os.path.join(cachedir, 'minions', minion, 'mine.p') - mine_size = os.path.getsize(mine_path) - log.debug('checkmine engine: minion: %s mine_size: %i' % (minion, mine_size)) + # it is possible that a minion is alive, but there isn't a mine.p file + try: + mine_size = os.path.getsize(mine_path) + log.debug('checkmine engine: minion: %s mine_size: %i' % (minion, mine_size)) + except FileNotFoundError: + log.warning('checkmine engine: minion: %s %s does not exist' % (minion, mine_path)) + mine_flush(minion) + mine_update(minion) + continue + # For some reason the mine file can be corrupt and only be 1 byte in size if mine_size == 1: log.error('checkmine engine: found %s to be 1 byte' % mine_path) From d9862aefcfa84f10dedf2b1e95eaf685b5f6f517 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Tue, 17 Oct 2023 17:09:52 -0400 Subject: [PATCH 33/50] handle mine.p not being present. only check if mine_ip exists, dont compare to alived ip --- salt/salt/engines/master/checkmine.py | 35 +++++++++++++++------------ 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/salt/salt/engines/master/checkmine.py b/salt/salt/engines/master/checkmine.py index 0cfb4032d..c62c1f058 100644 --- a/salt/salt/engines/master/checkmine.py +++ b/salt/salt/engines/master/checkmine.py @@ -9,6 +9,10 @@ log = logging.getLogger(__name__) local = salt.client.LocalClient() def start(interval=60): + def mine_delete(minion, func): + log.warning('checkmine engine: deleting mine function %s for %s' % (func, minion)) + local.cmd(minion, 'mine.delete', [func]) + def mine_flush(minion): log.warning('checkmine engine: flushing mine cache for %s' % minion) local.cmd(minion, 'mine.flush') 
@@ -21,36 +25,35 @@ def start(interval=60): cachedir = __opts__['cachedir'] while True: log.debug('checkmine engine: checking which minions are alive') - manage_alived = __salt__['saltutil.runner']('manage.alived', show_ip=True) + manage_alived = __salt__['saltutil.runner']('manage.alived', show_ip=False) log.debug('checkmine engine: alive minions: %s' % ' , '.join(manage_alived)) for minion in manage_alived: mine_path = os.path.join(cachedir, 'minions', minion, 'mine.p') - # it is possible that a minion is alive, but there isn't a mine.p file + # it is possible that a minion is alive, but hasn't created a mine file yet try: mine_size = os.path.getsize(mine_path) log.debug('checkmine engine: minion: %s mine_size: %i' % (minion, mine_size)) + # For some reason the mine file can be corrupt and only be 1 byte in size + if mine_size == 1: + log.error('checkmine engine: found %s to be 1 byte' % mine_path) + mine_flush(minion) + mine_update(minion) + continue except FileNotFoundError: log.warning('checkmine engine: minion: %s %s does not exist' % (minion, mine_path)) mine_flush(minion) mine_update(minion) continue - # For some reason the mine file can be corrupt and only be 1 byte in size - if mine_size == 1: - log.error('checkmine engine: found %s to be 1 byte' % mine_path) - mine_flush(minion) - mine_update(minion) # Update the mine if the ip in the mine doesn't match returned from manage.alived - else: - network_ip_addrs = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='network.ip_addrs') + network_ip_addrs = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='network.ip_addrs') + try: mine_ip = network_ip_addrs[minion][0] - log.debug('checkmine engine: minion: %s mine_ip: %s' % (minion, mine_ip)) - manage_alived_ip = manage_alived[minion] - log.debug('checkmine engine: minion: %s managed_alived_ip: %s' % (minion, manage_alived_ip)) - if mine_ip != manage_alived_ip: - log.error('checkmine engine: found minion %s has manage_alived_ip %s but a mine_ip of 
%s' % (minion, manage_alived_ip, mine_ip)) - mine_flush(minion) - mine_update(minion) + log.debug('checkmine engine: found minion %s has mine_ip: %s' % (minion, mine_ip)) + except IndexError: + log.error('checkmine engine: found minion %s does\'t have a mine_ip' % (minion)) + mine_delete(minion, 'network.ip_addrs') + mine_update(minion) sleep(interval) From 928fb23e963c425098a4105ef91c965a9a6f814e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 17 Oct 2023 17:28:28 -0400 Subject: [PATCH 34/50] only add node to pillar if returned ip from mine --- pillar/logstash/nodes.sls | 22 +++++++++++++--------- pillar/node_data/ips.sls | 24 ++++++++++++++---------- pillar/nodegroups/init.sls | 0 3 files changed, 27 insertions(+), 19 deletions(-) create mode 100644 pillar/nodegroups/init.sls diff --git a/pillar/logstash/nodes.sls b/pillar/logstash/nodes.sls index 8d3bdab65..228122b03 100644 --- a/pillar/logstash/nodes.sls +++ b/pillar/logstash/nodes.sls 
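Review bot: `except IndexError:` around `network_ip_addrs[minion][0]` only covers an empty list; when the mine has no `network.ip_addrs` entry for the minion at all, `mine.get` returns a dict without that key and the resulting `KeyError` propagates out of `start()`, ending the engine loop for every minion. The handler should read `except (KeyError, IndexError):`. With `manage.alived` now called with `show_ip=False`, `mine_ip` is only logged, so the retained comment `# Update the mine if the ip in the mine doesn't match returned from manage.alived` no longer describes the code — `# make sure the minion has an ip in the mine; delete and refresh the mine function if not` would. The `does\'t` typo is in a runtime log string, so it is only noted here. The enclosing `while True` loop starts outside the hunk.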
@@ -7,19 +7,23 @@ tgt_type='compound') | dictsort() %} -{% set hostname = cached_grains[minionid]['host'] %} -{% set node_type = minionid.split('_')[1] %} -{% if node_type not in node_types.keys() %} -{% do node_types.update({node_type: {hostname: ip[0]}}) %} -{% else %} -{% if hostname not in node_types[node_type] %} -{% do node_types[node_type].update({hostname: ip[0]}) %} +# only add a node to the pillar if it returned an ip from the mine +{% if ip[0] | length > 0%} +{% set hostname = cached_grains[minionid]['host'] %} +{% set node_type = minionid.split('_')[1] %} +{% if node_type not in node_types.keys() %} +{% do node_types.update({node_type: {hostname: ip[0]}}) %} {% else %} -{% do node_types[node_type][hostname].update(ip[0]) %} +{% if hostname not in node_types[node_type] %} +{% do node_types[node_type].update({hostname: ip[0]}) %} +{% else %} +{% do node_types[node_type][hostname].update(ip[0]) %} +{% endif %} {% endif %} -{% endif %} +{% fi %} {% endfor %} + logstash: nodes: {% for node_type, values in node_types.items() %} diff --git a/pillar/node_data/ips.sls b/pillar/node_data/ips.sls index 59c598879..5801d36f1 100644 --- a/pillar/node_data/ips.sls +++ b/pillar/node_data/ips.sls 
@@ -4,18 +4,22 @@ {% set hostname = minionid.split('_')[0] %} {% set node_type = minionid.split('_')[1] %} {% set is_alive = False %} -{% if minionid in manage_alived.keys() %} -{% if ip[0] == manage_alived[minionid] %} -{% set is_alive = True %} + +# only add a node to the pillar if it returned an ip from the mine +{% if ip | length > 0%} +{% if minionid in manage_alived.keys() %} +{% if ip[0] == manage_alived[minionid] %} +{% set is_alive = True %} +{% endif %} {% endif %} -{% endif %} -{% if node_type not in node_types.keys() %} -{% do node_types.update({node_type: {hostname: {'ip':ip[0], 'alive':is_alive }}}) %} -{% else %} -{% if hostname not in node_types[node_type] %} -{% do node_types[node_type].update({hostname: {'ip':ip[0], 'alive':is_alive}}) %} +{% if node_type not in node_types.keys() %} +{% do node_types.update({node_type: {hostname: {'ip':ip[0], 'alive':is_alive }}}) %} {% else %} -{% do node_types[node_type][hostname].update({'ip':ip[0], 'alive':is_alive}) %} +{% if hostname not in node_types[node_type] %} +{% do node_types[node_type].update({hostname: {'ip':ip[0], 'alive':is_alive}}) %} +{% else %} +{% do node_types[node_type][hostname].update({'ip':ip[0], 'alive':is_alive}) %} +{% endif %} {% endif %} {% endif %} {% endfor %} diff --git a/pillar/nodegroups/init.sls b/pillar/nodegroups/init.sls new file mode 100644 index 000000000..e69de29bb From fb9a0ab8b627e51dc1c6898bd7b3f4f05ca2b3aa Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 17 Oct 2023 17:33:53 -0400 Subject: [PATCH 35/50] endif not fi in jinja --- pillar/logstash/nodes.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pillar/logstash/nodes.sls b/pillar/logstash/nodes.sls index 228122b03..a77978821 100644 --- a/pillar/logstash/nodes.sls +++ b/pillar/logstash/nodes.sls 
@@ -8,7 +8,7 @@ %} # only add a node to the pillar if it returned an ip from the mine -{% if ip[0] | length > 0%} +{% if ip | length > 0%} {% set hostname = cached_grains[minionid]['host'] %} {% set node_type = minionid.split('_')[1] %} {% if node_type not in node_types.keys() %} @@ -20,7 +20,7 @@ {% do node_types[node_type][hostname].update(ip[0]) %} {% endif %} {% endif %} -{% fi %} +{% endif %} {% endfor %} From 34717fb65e75281a17b1809df257d88a2f3e2bf5 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 18 Oct 2023 13:44:09 -0400 Subject: [PATCH 36/50] Add note regarding DNS resolver --- .../files/analyzers/malwarehashregistry/README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 salt/sensoroni/files/analyzers/malwarehashregistry/README.md diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/README.md b/salt/sensoroni/files/analyzers/malwarehashregistry/README.md new file mode 100644 index 000000000..8c50a3124 --- /dev/null +++ b/salt/sensoroni/files/analyzers/malwarehashregistry/README.md @@ -0,0 +1,10 @@ +# Malware Hash Registry + +## Description +Search Team Cymru's Malware Hash Registry for a file hash. + +## Configuration Requirements + +None. + +**NOTE:** If you try to run the Malware Hash Registry analyzer but it results in a "Name or service not known" error, then it may be a DNS issue. Folks using 8.8.4.4 or 8.8.8.8 as their DNS resolver have reported this issue. A potential workaround is to switch to another DNS resolver like 1.1.1.1. From 138aa9c5542e3fb3a5a85c1a1edc66d6d13ae8ff Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 18 Oct 2023 13:54:14 -0400 Subject: [PATCH 37/50] update the mine with the ca when it is created or changed --- salt/ca/init.sls | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/ca/init.sls b/salt/ca/init.sls index 0eaf86b3c..2f15872ea 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls 
@@ -50,6 +50,12 @@ pki_public_ca_crt: attempts: 5 interval: 30 +mine_update_ca_crt: + - module.run: + - mine.update: [] + - onchanges: + - file: pki_public_ca_crt + cakeyperms: file.managed: - replace: False From 8e68f9631618c58f9f95d507ebfcc888b143532f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 18 Oct 2023 13:59:15 -0400 Subject: [PATCH 38/50] check that the manager has a ca in the mine and that it is valid --- salt/salt/engines/master/checkmine.py | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/salt/salt/engines/master/checkmine.py b/salt/salt/engines/master/checkmine.py index c62c1f058..e72d2fbe6 100644 --- a/salt/salt/engines/master/checkmine.py +++ b/salt/salt/engines/master/checkmine.py 
@@ -46,6 +46,25 @@ def start(interval=60): mine_update(minion) continue + # if a manager check that the ca in in the mine and it is correct + if minion.split('_')[-1] in ['manager', 'managersearch', 'eval', 'standalone', 'import']: + x509 = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='x509.get_pem_entries') + try: + ca_crt = x509[minion]['/etc/pki/ca.crt'] + log.debug('checkmine engine: found minion %s has ca_crt: %s' % (minion, ca_crt)) + # since the cert is defined, make sure it is valid + if not __salt__['x509.verify_private_key'](private_key='/etc/pki/ca.key', public_key='/etc/pki/ca.crt'): + log.error('checkmine engine: found minion %s does\'t have a valid ca_crt in the mine' % (minion)) + log.error('checkmine engine: %s: ca_crt: %s' % (minion, ca_crt)) + mine_delete(minion, 'x509.get_pem_entries') + mine_update(minion) + else: + log.debug('checkmine engine: found minion %s has a valid ca_crt in the mine' % (minion)) + except IndexError: + log.error('checkmine engine: found minion %s does\'t have a ca_crt in the mine' % (minion)) + mine_delete(minion, 'x509.get_pem_entries') + mine_update(minion) + # Update the mine if the ip in the mine doesn't match returned from manage.alived network_ip_addrs = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='network.ip_addrs') try: From c3cde61202507f177f30212fa75d8b258e6da671 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 18 Oct 2023 15:01:26 -0400 Subject: [PATCH 39/50] docker service watches and requires the intca --- salt/docker/init.sls | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 45ba4a1ac..769c58af8 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -6,6 +6,9 @@ {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} +# include ssl since docker service requires the intca +include: + - ssl dockergroup: group.present: 
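Review bot: `x509[minion]['/etc/pki/ca.crt']` raises `KeyError` when the minion has no `x509.get_pem_entries` entry in the mine or the entry lacks that path, but the handler catches only `IndexError`, so exactly the missing-cert case it is written for escapes `start()` and stops the engine; it should be `except KeyError:` (or `(KeyError, IndexError)`). The validity check `x509.verify_private_key(private_key='/etc/pki/ca.key', public_key='/etc/pki/ca.crt')` compares the master's local key and cert files and never examines the `ca_crt` value fetched from the mine, so a stale or foreign certificate in the mine is reported as valid as long as the local pair matches; comparing the mined PEM with the contents of the local `/etc/pki/ca.crt` (for example `ca_crt.strip() == open('/etc/pki/ca.crt').read().strip()`) would actually test the mine. Both points carry over to the rewritten check in PATCH 45 (`@@ -53,17 +53,20`), which keeps `except IndexError` and still verifies only the local files. The enclosing `for minion in manage_alived` loop starts outside the hunk.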
@@ -86,6 +89,11 @@ docker_running: - enable: True - watch: - file: docker_daemon + - x509: trusttheca + - require: + - file: docker_daemon + - x509: trusttheca + # Reserve OS ports for Docker proxy in case boot settings are not already applied/present # 57314 = Strelka, 47760-47860 = Zeek From 1999db0bb3d593df97a1267e398813d4fabcd084 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 18 Oct 2023 15:02:22 -0400 Subject: [PATCH 40/50] apply ca state early in setup --- setup/so-setup | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 4db24aa1a..052111591 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -714,12 +714,19 @@ if ! [[ -f $install_opt_file ]]; then logCmd "salt-call state.apply common.packages" logCmd "salt-call state.apply common" + # apply the ca state to create the ca and put it in the mine early in the install + # this is done before the salt.master state puts the checkmine engine in place and starts + # checking for a valid ca in the mine for the manager + # the minion ip will already be in the mine from configure_minion function in so-functions + logCmd "salt-call state.apply ca" + # this will apply the salt.minion state first since salt.master includes salt.minion logCmd "salt-call state.apply salt.master" - # wait here until we get a response from the salt-master since it may have just restarted # exit setup after 5-6 minutes of trying check_salt_master_status || fail "Can't access salt master or it is not ready" + # this will also call the ssl state since docker requires the intca + # the salt-minion service will need to be up on the manager to sign requests logCmd "salt-call state.apply docker" firewall_generate_templates set_initial_firewall_policy From 2206cdb0fad836de3ab5a0c9197416e1ed9eb537 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Wed, 18 Oct 2023 15:04:39 -0400 Subject: [PATCH 41/50] change soup comment --- pillar/nodegroups/init.sls | 0 salt/manager/tools/sbin/soup | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 pillar/nodegroups/init.sls diff --git a/pillar/nodegroups/init.sls b/pillar/nodegroups/init.sls deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 84501bad5..fc07765b8 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -578,7 +578,7 @@ update_centos_repo() { } update_salt_mine() { - echo "Populating the mine with network.ip_addrs pillar.host.mainint for each host." + echo "Populating the mine with mine_functions for each host." set +e salt \* mine.update -b 50 set -e From 1c1b23c328af4d2788992c1cfc87451d97e6648b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 18 Oct 2023 15:07:18 -0400 Subject: [PATCH 42/50] fix mine update for ca --- salt/ca/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/ca/init.sls b/salt/ca/init.sls index 2f15872ea..477b51a5d 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls @@ -51,7 +51,7 @@ pki_public_ca_crt: interval: 30 mine_update_ca_crt: - - module.run: + module.run: - mine.update: [] - onchanges: - file: pki_public_ca_crt From e58c1e189c63bd6aab9d6b7a32b06ee6cc3a075b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 18 Oct 2023 15:10:17 -0400 Subject: [PATCH 43/50] use x509 instead of file for onchanges --- salt/ca/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/ca/init.sls b/salt/ca/init.sls index 477b51a5d..895e8235a 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls @@ -54,7 +54,7 @@ mine_update_ca_crt: module.run: - mine.update: [] - onchanges: - - file: pki_public_ca_crt + - x509: pki_public_ca_crt cakeyperms: file.managed: From dd28dc6ddd26a2ee913cf668dca4f8c9e0754007 Mon Sep 17 00:00:00 2001 
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 18 Oct 2023 15:30:32 -0400 Subject: [PATCH 44/50] Add back plugin-tds/ plugin-profinet. Using patched versions for Zeek 6 Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/zeek/defaults.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index ce22c1aef..2621c2738 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml @@ -66,6 +66,8 @@ zeek: - icsnpp-opcua-binary - icsnpp-bsap - icsnpp-s7comm + - zeek-plugin-tds + - zeek-plugin-profinet - zeek-spicy-wireguard - zeek-spicy-stun load-sigs: From ac28e1b967f35c1f3f21424b14036367b627f48c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 18 Oct 2023 15:53:12 -0400 Subject: [PATCH 45/50] verify crt and key differently in checkmine --- salt/salt/engines/master/checkmine.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/salt/engines/master/checkmine.py b/salt/salt/engines/master/checkmine.py index e72d2fbe6..1440fb72f 100644 --- a/salt/salt/engines/master/checkmine.py +++ b/salt/salt/engines/master/checkmine.py 
@@ -53,17 +53,20 @@ def start(interval=60): ca_crt = x509[minion]['/etc/pki/ca.crt'] log.debug('checkmine engine: found minion %s has ca_crt: %s' % (minion, ca_crt)) # since the cert is defined, make sure it is valid - if not __salt__['x509.verify_private_key'](private_key='/etc/pki/ca.key', public_key='/etc/pki/ca.crt'): + import salt.modules.x509_v2 as x509_v2 + if not x509_v2.verify_private_key('/etc/pki/ca.key', '/etc/pki/ca.crt'): log.error('checkmine engine: found minion %s does\'t have a valid ca_crt in the mine' % (minion)) log.error('checkmine engine: %s: ca_crt: %s' % (minion, ca_crt)) mine_delete(minion, 'x509.get_pem_entries') mine_update(minion) + continue else: log.debug('checkmine engine: found minion %s has a valid ca_crt in the mine' % (minion)) except IndexError: log.error('checkmine engine: found minion %s does\'t have a ca_crt in the mine' % (minion)) mine_delete(minion, 'x509.get_pem_entries') mine_update(minion) + continue # Update the mine if the ip in the mine doesn't match returned from manage.alived network_ip_addrs = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='network.ip_addrs') From a52ee063e597b010df8996fd02423598570fd9a6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 18 Oct 2023 16:35:33 -0400 Subject: [PATCH 46/50] use generate_ca and generate_ssl functions and move them up --- setup/so-setup | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 052111591..73ef29f4b 100755 --- a/setup/so-setup +++ b/setup/so-setup 
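Review bot: `import salt.modules.x509_v2 as x509_v2` sits inside the `try` of the per-minion loop, so it is re-executed on every iteration of every interval; it belongs with the module-level imports at the top of the file. Calling `x509_v2.verify_private_key` directly rather than through `__salt__` also bypasses the loader, so the function runs without any `__salt__`/`__opts__` dunders the loader would inject — presumably the change was made because the loader-provided call did not work in the engine context, and that reason should be recorded, e.g. `# called directly, not via __salt__: <reason> — TODO confirm verify_private_key needs no loader dunders`. The enclosing `try` and loop start outside the hunk.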
@@ -718,7 +718,7 @@ if ! [[ -f $install_opt_file ]]; then # this is done before the salt.master state puts the checkmine engine in place and starts # checking for a valid ca in the mine for the manager # the minion ip will already be in the mine from configure_minion function in so-functions - logCmd "salt-call state.apply ca" + generate_ca # this will apply the salt.minion state first since salt.master includes salt.minion logCmd "salt-call state.apply salt.master" # wait here until we get a response from the salt-master since it may have just restarted @@ -727,6 +727,7 @@ if ! [[ -f $install_opt_file ]]; then # this will also call the ssl state since docker requires the intca # the salt-minion service will need to be up on the manager to sign requests + generate_ssl logCmd "salt-call state.apply docker" firewall_generate_templates set_initial_firewall_policy @@ -734,8 +735,6 @@ if ! [[ -f $install_opt_file ]]; then title "Downloading Elastic Agent Artifacts" download_elastic_agent_artifacts - generate_ca - generate_ssl logCmd "salt-call state.apply -l info firewall" # create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf From 9eb682bc40fca2463275e43e2db37a7a52978216 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 18 Oct 2023 18:37:35 -0400 Subject: [PATCH 47/50] generate_ca after salt-master and salt-minion states run --- salt/common/tools/sbin/so-common | 2 +- setup/so-functions | 10 ++++++++++ setup/so-setup | 9 +++------ 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index c19d51a42..be001f0d7 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -153,7 +153,7 @@ check_salt_master_status() {
 }
 check_salt_minion_status() {
- local timeout=$1
+ local timeout="${1:-5}"
 echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1
 salt "$MINION_ID" test.ping -t $timeout > /dev/null 2>&1
 local status=$?
diff --git a/setup/so-functions b/setup/so-functions
index 68fd01550..7ead07ca7 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2495,6 +2495,16 @@ wait_for_file() {
 wait_for_salt_minion() {
 retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$setup_log" 2>&1 || fail_setup
+ local attempt=0
+ # each attempts would take about 15 seconds
+ local maxAttempts=20
+ until check_salt_minion_status; do
+ attempt=$((attempt+1))
+ if [[ $attempt -gt $maxAttempts ]]; then
+ fail_setup
+ fi
+ sleep 10
+ done
 }
 verify_setup() {
diff --git a/setup/so-setup b/setup/so-setup
index 73ef29f4b..543ac0156 100755
--- a/setup/so-setup
+++ b/setup/so-setup
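Review bot: With the new `local timeout="${1:-5}"` default, `$timeout` is still expanded unquoted on the `salt "$MINION_ID" test.ping -t $timeout` line just below; the default guarantees a plain number when the function is called with no argument, but a caller passing an empty or multi-word value would still drop or split the option. Quoting it as `-t "$timeout"` keeps the call consistent with the quoted `"$MINION_ID"` beside it. check_salt_minion_status continues past the end of the hunk.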
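Review bot: The polling loop added to wait_for_salt_minion names its bound `maxAttempts` in camelCase while the surrounding code (`attempt`, `setup_log`) is lower_snake_case; `max_attempts` matches the file. The comment `# each attempts would take about 15 seconds` has a grammar slip and would be more useful stating the budget it implies, e.g. `# each attempt is ~15 s (5 s default ping timeout + 10 s sleep), so 20 attempts caps the wait at about 5 minutes`. `fail_setup` is reached with no message, so a reader of setup_log cannot distinguish this failure from the `retry ... || fail_setup` on the line above; an `echo "salt minion did not respond after $max_attempts attempts" >> "$setup_log"` before it would make the cause visible.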
@@ -714,17 +714,14 @@ if ! [[ -f $install_opt_file ]]; then
 logCmd "salt-call state.apply common.packages"
 logCmd "salt-call state.apply common"
- # apply the ca state to create the ca and put it in the mine early in the install
- # this is done before the salt.master state puts the checkmine engine in place and starts
- # checking for a valid ca in the mine for the manager
- # the minion ip will already be in the mine from configure_minion function in so-functions
- generate_ca
 # this will apply the salt.minion state first since salt.master includes salt.minion
 logCmd "salt-call state.apply salt.master"
 # wait here until we get a response from the salt-master since it may have just restarted
 # exit setup after 5-6 minutes of trying
 check_salt_master_status || fail "Can't access salt master or it is not ready"
-
+ # apply the ca state to create the ca and put it in the mine early in the install
+ # the minion ip will already be in the mine from configure_minion function in so-functions
+ generate_ca
 # this will also call the ssl state since docker requires the intca
 # the salt-minion service will need to be up on the manager to sign requests
 generate_ssl
From ff18b1f074c8448b9503e04acf7b6df41240fde5 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 18 Oct 2023 18:45:14 -0400
Subject: [PATCH 48/50] remove redirect
---
 salt/common/tools/sbin/so-common | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index be001f0d7..1a5e5df6c 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
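Review bot: The re-added comment above `generate_ca` still says the CA is created "early in the install", but the call now runs only after `check_salt_master_status` succeeds, i.e. after the salt.master state has (per the deleted comment lines) put the checkmine engine in place and started checking the mine for a valid CA. The explanation of why the ordering matters was dropped rather than updated, so the next reader cannot tell whether the engine briefly finding no CA in the mine is tolerated or a race. Suggest replacing the first comment line with `# generate the ca once the salt-master is reachable; the checkmine engine tolerates a missing ca until the mine is refreshed`, if that tolerance is what the checkmine change earlier in this series provides. The enclosing `if ! [[ -f $install_opt_file ]]` block starts and ends outside the hunk.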
@@ -154,13 +154,13 @@ check_salt_master_status() {
 check_salt_minion_status() {
 local timeout="${1:-5}"
- echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1
+ echo "Checking if the salt minion will respond to jobs"
 salt "$MINION_ID" test.ping -t $timeout > /dev/null 2>&1
 local status=$?
 if [ $status -gt 0 ]; then
- echo " Minion did not respond" >> "$setup_log" 2>&1
+ echo " Minion did not respond"
 else
- echo " Received job response from salt minion" >> "$setup_log" 2>&1
+ echo " Received job response from salt minion"
 fi
 return $status
From f30a652e19ea9c363f5bf4bba682153c2f56fc5b Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 18 Oct 2023 19:31:45 -0400
Subject: [PATCH 49/50] add back redirects
---
 salt/common/tools/sbin/so-common | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 1a5e5df6c..dce86362f 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -154,13 +154,13 @@ check_salt_master_status() {
 check_salt_minion_status() {
 local timeout="${1:-5}"
- echo "Checking if the salt minion will respond to jobs"
+ echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1
 salt "$MINION_ID" test.ping -t $timeout > /dev/null 2>&1
 local status=$?
 if [ $status -gt 0 ]; then
- echo " Minion did not respond"
+ echo " Minion did not respond" >> "$setup_log" 2>&1
 else
- echo " Received job response from salt minion"
+ echo " Received job response from salt minion" >> "$setup_log" 2>&1
 fi
 return $status
From b2bb92d41368f93db9122ffcab5ae761e33f6669 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 18 Oct 2023 19:38:19 -0400
Subject: [PATCH 50/50] remove extra space
---
 salt/common/tools/sbin/so-common | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index dce86362f..be001f0d7 100755
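Review bot: The `>> "$setup_log" 2>&1` redirects restored in the second hunk on check_salt_minion_status depend on `setup_log` being defined by whoever sources so-common; this file lives under salt/common/tools/sbin rather than setup/, so if it is sourced outside so-setup the variable may be empty and each `echo` then fails with "No such file or directory" (the function's `return $status` is unaffected, but the diagnostic goes nowhere). Commits 48 and 49 flip these redirects off and on without settling which caller owns the output; a single `local log="${setup_log:-/dev/null}"` at the top with `>> "$log" 2>&1` on the three echo lines would make the function safe from either caller. check_salt_minion_status's closing brace is outside both hunks.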
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -154,7 +154,7 @@ check_salt_master_status() {
 check_salt_minion_status() {
 local timeout="${1:-5}"
- echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1
+ echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1
 salt "$MINION_ID" test.ping -t $timeout > /dev/null 2>&1
 local status=$?
 if [ $status -gt 0 ]; then