Merge pull request #11572 from Security-Onion-Solutions/minechanges

2025-12-06 09:12:45 +01:00 · 2023-10-18 19:37:34 -04:00
parent 5e10a0d9e2 f30a652e19
commit 19bebe44aa
8 changed files with 56 additions and 7 deletions
--- a/pillar/nodegroups/init.sls
+++ b/pillar/nodegroups/init.sls
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -50,6 +50,12 @@ pki_public_ca_crt:
        attempts: 5
        interval: 30
 mine_update_ca_crt:
  module.run:
    - mine.update: []
    - onchanges:
      - x509: pki_public_ca_crt
 cakeyperms:
  file.managed:
    - replace: False
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -153,8 +153,8 @@ check_salt_master_status() {
 }
 check_salt_minion_status() {
-	local timeout=$1
+	local timeout="${1:-5}"
-	echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1
+	echo "Checking if the salt minion will respond to jobs"  >> "$setup_log" 2>&1
 	salt "$MINION_ID" test.ping -t $timeout > /dev/null 2>&1
 	local status=$?
 	if [ $status -gt 0 ]; then
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -6,6 +6,9 @@
 {% from 'docker/docker.map.jinja' import DOCKER %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 # include ssl since docker service requires the intca
 include:
  - ssl
 dockergroup:
  group.present:
@@ -86,6 +89,11 @@ docker_running:
    - enable: True
    - watch:
      - file: docker_daemon
      - x509: trusttheca
    - require:
      - file: docker_daemon
      - x509: trusttheca
 # Reserve OS ports for Docker proxy in case boot settings are not already applied/present
 # 57314 = Strelka, 47760-47860 = Zeek
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -578,7 +578,7 @@ update_centos_repo() {
 }
 update_salt_mine() {
-    echo "Populating the mine with network.ip_addrs pillar.host.mainint for each host."
+    echo "Populating the mine with mine_functions for each host."
    set +e
    salt \* mine.update -b 50
    set -e
--- a/salt/salt/engines/master/checkmine.py
+++ b/salt/salt/engines/master/checkmine.py
@@ -46,6 +46,28 @@ def start(interval=60):
                mine_update(minion)
                continue
            # if a manager check that the ca in in the mine and it is correct
            if minion.split('_')[-1] in ['manager', 'managersearch', 'eval', 'standalone', 'import']:
                x509 = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='x509.get_pem_entries')
                try:
                    ca_crt = x509[minion]['/etc/pki/ca.crt']
                    log.debug('checkmine engine: found minion %s has ca_crt: %s' % (minion, ca_crt))
                    # since the cert is defined, make sure it is valid
                    import salt.modules.x509_v2 as x509_v2
                    if not x509_v2.verify_private_key('/etc/pki/ca.key', '/etc/pki/ca.crt'):
                        log.error('checkmine engine: found minion %s does\'t have a valid ca_crt in the mine' % (minion))
                        log.error('checkmine engine: %s: ca_crt: %s' % (minion, ca_crt))
                        mine_delete(minion, 'x509.get_pem_entries')
                        mine_update(minion)
                        continue
                    else:
                        log.debug('checkmine engine: found minion %s has a valid ca_crt in the mine' % (minion))
                except IndexError:
                    log.error('checkmine engine: found minion %s does\'t have a ca_crt in the mine' % (minion))
                    mine_delete(minion, 'x509.get_pem_entries')
                    mine_update(minion)
                    continue
            # Update the mine if the ip in the mine doesn't match returned from manage.alived
            network_ip_addrs = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='network.ip_addrs')
            try:
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2495,6 +2495,16 @@ wait_for_file() {
 wait_for_salt_minion() {
 	retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$setup_log" 2>&1 || fail_setup
 	local attempt=0
 	# each attempts would take about 15 seconds
 	local maxAttempts=20
 	until check_salt_minion_status; do
 		attempt=$((attempt+1))
 		if [[ $attempt -gt $maxAttempts ]]; then
 			fail_setup
 		fi
 		sleep 10
 	done
 }
 verify_setup() {
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -714,12 +714,17 @@ if ! [[ -f $install_opt_file ]]; then
 		logCmd "salt-call state.apply common.packages"
 		logCmd "salt-call state.apply common"
 		# this will apply the salt.minion state first since salt.master includes salt.minion
 		logCmd "salt-call state.apply salt.master"
 		# wait here until we get a response from the salt-master since it may have just restarted
 		# exit setup after 5-6 minutes of trying
 		check_salt_master_status || fail  "Can't access salt master or it is not ready"
-
+		# apply the ca state to create the ca and put it in the mine early in the install
 		# the minion ip will already be in the mine from configure_minion function in so-functions
 		generate_ca
 		# this will also call the ssl state since docker requires the intca
 		# the salt-minion service will need to be up on the manager to sign requests
 		generate_ssl
 		logCmd "salt-call state.apply docker"
 		firewall_generate_templates
 		set_initial_firewall_policy
@@ -727,8 +732,6 @@ if ! [[ -f $install_opt_file ]]; then
 		title "Downloading Elastic Agent Artifacts"
 		download_elastic_agent_artifacts
 		generate_ca
 		generate_ssl
 		logCmd "salt-call state.apply -l info firewall"
 		# create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf