From 0ddfaf8d742c303ce273d88cb034cc93baae5807 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 28 Mar 2022 15:34:15 -0400
Subject: [PATCH] changes for workstation
---
pillar/top.sls | 3 +++
salt/allowed_states.map.jinja | 2 ++
salt/common/tools/sbin/so-common | 2 +-
salt/repo/client/init.sls | 2 +-
salt/salt/minion.sls | 2 +-
salt/top.sls | 9 ++++++++-
salt/workstation/init.sls | 1 +
salt/workstation/trusted-ca.sls | 24 ++++++++++++++++++++++++
8 files changed, 41 insertions(+), 4 deletions(-)
create mode 100644 salt/workstation/trusted-ca.sls
diff --git a/pillar/top.sls b/pillar/top.sls
index 097f5b108..1cf3bdc8a 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -131,3 +131,6 @@ base: {% endif %} - global - minions.{{ grains.id }} + + '*_workstation': + - minions.{{ grains.id }}
diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja
index a1f6cdb8c..3dbc6d24a 100644
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -217,6 +217,8 @@ 'schedule', 'docker_clean' ], + 'so-workstation': [ + ], }, grain='role') %} {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import', 'so-receiver'] %}
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index a7677a754..fa4a7af80 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -367,7 +367,7 @@ run_check_net_err() { exit $exit_code fi } -set_cron_service_name() { + set_cron_service_name() { if [[ "$OS" == "centos" ]]; then cron_service_name="crond" else
diff --git a/salt/repo/client/init.sls b/salt/repo/client/init.sls
index 160782267..927a1091d 100644
--- a/salt/repo/client/init.sls
+++ b/salt/repo/client/init.sls
@@ -43,7 +43,7 @@ repair_yumdb: crsynckeys: file.recurse: - - name: /etc/pki/rpm_gpg + - name: /etc/pki/rpm-gpg - source: salt://repo/client/files/centos/keys/ {% if not ISAIRGAP %}
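Review bot: The new `'so-workstation': [ ],` entry in `salt/allowed_states.map.jinja` gives the role an empty allow-list, while `salt/top.sls` in this same patch assigns `salt.minion`, `patch.os.schedule`, `motd` and `workstation` to those minions. How states consult `allowed_states` is not visible in this patch; if they gate on membership in this list, an empty entry would make every one of them refuse to run on a workstation. Either list what the role is meant to run, for example `'so-workstation': ['workstation'],` (state name taken from `salt/top.sls`, to be confirmed against the naming used by the other entries), or add a comment above the map saying the empty list is deliberate. The map itself starts and ends outside the hunk.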
diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls
index cf26c1249..882fe7580 100644
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -66,7 +66,7 @@ set_log_levels: salt_minion_service_unit_file: file.managed: - - name: /etc/systemd/system/multi-user.target.wants/salt-minion.service + - name: /usr/lib/systemd/system/salt-minion.service - source: salt://salt/service/salt-minion.service.jinja - template: jinja - defaults:
diff --git a/salt/top.sls b/salt/top.sls
index 83c911992..6e2de8d33 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -35,11 +35,14 @@ base: '* and G@saltversion:{{saltversion}}': - match: compound - salt.minion - - common - patch.os.schedule - motd - salt.minion-check - salt.lasthighstate + + 'not *_workstation and G@saltversion:{{saltversion}}': + - match: compound + - common '*_helixsensor and G@saltversion:{{saltversion}}': - match: compound
@@ -507,3 +510,7 @@ base: - docker_clean - filebeat - idh + + '*_workstation and G@saltversion:{{saltversion}}': + - match: compound + - workstation
diff --git a/salt/workstation/init.sls b/salt/workstation/init.sls
index 66d926847..c786cdab5 100644
--- a/salt/workstation/init.sls
+++ b/salt/workstation/init.sls
@@ -1,2 +1,3 @@ include: - workstation.xwindows + - workstation.trusted-ca
diff --git a/salt/workstation/trusted-ca.sls b/salt/workstation/trusted-ca.sls
new file mode 100644
index 000000000..6d86a8157
--- /dev/null
+++ b/salt/workstation/trusted-ca.sls
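Review bot: In `salt_minion_service_unit_file`, `/usr/lib/systemd/system/salt-minion.service` is the location a distribution package normally owns, so a salt-minion package upgrade or reinstall can replace the managed unit between highstates. Writing the unit to the administrator path instead, `- name: /etc/systemd/system/salt-minion.service`, takes precedence over the packaged copy and survives upgrades. If the vendor path is intentional, a comment on the `name` line saying why would help the next reader. The state continues past the hunk, so whether a `systemctl daemon-reload` follows a change to this file cannot be seen from here.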
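Review bot: In the first `salt/top.sls` hunk, moving `- common` under `'not *_workstation and G@saltversion:{{saltversion}}'` means workstation minions no longer receive the `common` state at all, and what that state provides is not visible in this patch. If it carries baseline configuration or the `so-*` tooling (this patch edits `salt/common/tools/sbin/so-common`), workstations silently go without it. A short comment above the target, e.g. `# workstations skip 'common': <reason>`, would record why the exclusion is safe. The exclusion keys on the minion ID suffix while `allowed_states.map.jinja` keys on the `role` grain, so the two have to stay in step for this role.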
@@ -0,0 +1,24 @@
+
+ {% set global_ca_text = [] %}
+ {% set global_ca_server = [] %}
+ {% set manager = salt['grains.get']('master') %}
+ {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %}
+ {% for host in x509dict %}
+ {% if host.split('_')|last in ['manager', 'managersearch', 'standalone', 'import'] %}
+ {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
+ {% do global_ca_server.append(host) %}
+ {% endif %}
+ {% endfor %}
+ {% set trusttheca_text = global_ca_text[0] %}
+ {% set ca_server = global_ca_server[0] %}
+
+trusted_ca:
+ x509.pem_managed:
+ - name: /etc/pki/ca-trust/source/anchors/ca.crt
+ - text: {{ trusttheca_text }}
+
+update_ca_certs:
+ cmd.run:
+ - name: update-ca-trust
+ - onchanges:
+ - x509: trusted_ca
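Review bot: The certificate written to `/etc/pki/ca-trust/source/anchors/ca.crt` is taken from `global_ca_text[0]`, the first mine entry whose minion ID matches the `manager | lower~'*'` glob and ends in one of the four role suffixes. The workstation's system trust root therefore depends on minion-published mine data, a name pattern and dict iteration order. If no host matches, `global_ca_text[0]` is undefined and `text` most likely renders empty; if a matching host has no `/etc/pki/ca.crt` entry, the `replace` filter would probably stringify `None`, so a bogus value is handed to `x509.pem_managed`. I would require exactly one non-empty certificate (assuming a grid has a single manager-type node — confirm) and fail the state otherwise, and if the ID format allows it, match the manager's exact minion ID rather than a prefix glob. `global_ca_server` and `ca_server` are assigned but never used in this file, so the sketch below drops them.

```yaml
# … unchanged: global_ca_text, manager and x509dict setup …
{% for host in x509dict %}
{%   set pem = x509dict[host].get('/etc/pki/ca.crt') %}
{%   if pem and host.split('_')|last in ['manager', 'managersearch', 'standalone', 'import'] %}
{%     do global_ca_text.append(pem|replace('\n', '')) %}
{%   endif %}
{% endfor %}

{% if global_ca_text|length == 1 %}
trusted_ca:
  x509.pem_managed:
    - name: /etc/pki/ca-trust/source/anchors/ca.crt
    - text: {{ global_ca_text[0] }}
# … unchanged: update_ca_certs, kept inside this branch …
{% else %}
trusted_ca_unresolved:
  test.fail_without_changes:
    - name: expected exactly one manager CA certificate in the mine, found {{ global_ca_text|length }}
{% endif %}
```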