Merge pull request #9864 from Security-Onion-Solutions/setuperrors

Fix some errors in setup
Mike Reeves
2023-03-01 09:48:20 -05:00
committed by GitHub
11 changed files with 14 additions and 133 deletions


@@ -251,13 +251,6 @@
{% do allowed_states.append('redis') %} {% do allowed_states.append('redis') %}
{% endif %} {% endif %}
{% if grains.os == 'Rocky' %}
{% if not ISAIRGAP %}
{% do allowed_states.append('yum') %}
{% endif %}
{% do allowed_states.append('yum.packages') %}
{% endif %}
{# all nodes on the right salt version can run the following states #} {# all nodes on the right salt version can run the following states #}
{% do allowed_states.append('common') %} {% do allowed_states.append('common') %}
{% do allowed_states.append('patch.os.schedule') %} {% do allowed_states.append('patch.os.schedule') %}


@@ -117,6 +117,12 @@ influxdb-setup:
- file: influxdb_curl_config - file: influxdb_curl_config
- docker_container: so-influxdb - docker_container: so-influxdb
metrics_link_file:
cmd.run:
- name: so-influxdb-manage dashboardpath "Security Onion Performance" > /opt/so/saltstack/local/salt/influxdb/metrics_link.txt
- require:
- docker_container: so-influxdb
# Install cron job to determine size of influxdb for telegraf # Install cron job to determine size of influxdb for telegraf
get_influxdb_size: get_influxdb_size:
cron.present: cron.present:
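Review bot: The new `metrics_link_file` state redirects the command's output straight into the target file, so if `so-influxdb-manage` exits non-zero (for example when the container has started but its API is not yet answering — the `require` on `docker_container: so-influxdb` only proves the container is up) the shell has already truncated `metrics_link.txt` to empty, and with no `onlyif`/`unless` guard the failing cmd.run fails the whole run. Writing through a temporary file keeps the last good value across a transient failure: `- name: so-influxdb-manage dashboardpath "Security Onion Performance" > /opt/so/saltstack/local/salt/influxdb/metrics_link.txt.tmp && mv /opt/so/saltstack/local/salt/influxdb/metrics_link.txt.tmp /opt/so/saltstack/local/salt/influxdb/metrics_link.txt`. A one-line comment above the state saying the file is consumed by the soc map through `import_text` would make that coupling visible to the next maintainer. The `influxdb-setup` state the hunk opens on begins outside the hunk.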


@@ -1,96 +0,0 @@
# This is a configuration file for apt-cacher-ng, a smart caching proxy for
CacheDir: /var/cache/apt-cacher-ng
LogDir: /var/log/apt-cacher-ng
Port: 3142
# BindAddress: localhost 192.168.7.254 publicNameOnMainInterface
Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian # Debian Archives
Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu.us # Ubuntu Archives
Remap-cygwin: file:cygwin_mirrors /cygwin # ; file:backends_cygwin # incomplete, please create this file or specify preferred mirrors here
Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux
Remap-centosmirrorlist: mirrorlist.centos.org
Remap-centos: file:centos_mirrors ; file:backends_centos.us # Fedora Linux
Remap-fedora: file:fedora_mirrors ; file:backends_fedora.us # Fedora Linux
Remap-epel: file:epel_mirrors ; file:backends_epel.us # Fedora EPEL
Remap-slrep: file:sl_mirrors # Scientific Linux
Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo # Gentoo Archives
#Remap-alpine: file:alpine_mirrors /alpine #; dl-cdn.alpinelinux.org # Alpine Archives
Remap-alpine: dl-cdn.alpinelinux.org
Remap-yarn: registry.yarnpkg.com
Remap-npm: registry.npmjs.org
Remap-node: nodejs.org
Remap-apache: file:apache_mirrors ; file:backends_apache.us
Remap-salt: repo.saltstack.com; https://repo.saltstack.com
Remap-securityonion: http://repocache.securityonion.net ; file:securityonion
# Remap-secdeb: security.debian.org
ReportPage: acng-report.html
# SocketPath:/var/run/apt-cacher-ng/socket
UnbufferLogs: 1
VerboseLog: 1
ForeGround: 1
# PidFile: /var/run/apt-cacher-ng/pid
# Offlinemode: 0
# ForceManaged: 0
ExTreshold: 8
# ExAbortOnProblems: 1
# ExSuppressAdminNotification: 1
# StupidFs: 0
# ForwardBtsSoap: 1
# DnsCacheSeconds: 1800
# MaxStandbyConThreads: 8
MaxConThreads: 120
#
# - static data that doesn't change silently ont he server (PFilePattern)
# - volatile data that can be changed like every hour (VFilePattern)
# - special static data that shared some file names with volatile data,
# and in doubt should be identified as static (SPfilePattern)
# - a "whitelist pattern" with hints for the regular expiration job telling
# to keep the files even if they are not referenced by others, like crypto
# signatures with which clients begin their downloads (WfilePattern)
#
VfilePatternEx: (metalink\?repo=[0-9a-zA-Z-]+&arch=[0-9a-zA-Z_-]+|/\?release=[0-9]+&arch=|repodata/.*\.(xml|sqlite)\.(gz|bz2)|APKINDEX.tar.gz|filelists\.xml\.gz|filelists\.sqlite\.bz2|repomd\.xml|packages\.[a-zA-Z][a-zA-Z]\.gz)
PfilePatternEx: (/dists/.*/by-hash/.*|\.tgz|\.tar|\.xz|\.bz2|\.rpm|\.apk)$
# WfilePatternEx:
# SPfilePatternEx:
Debug:1
# ExposeOrigin: 0
# LogSubmittedOrigin: 0
# UserAgent: Yet Another HTTP Client/1.2.3p4
# RecompBz2: 0
# NetworkTimeout: 60
# DontCacheRequested: linux-.*_10\...\.Custo._i386
# DontCacheRequested: 192.168.0 ^10\..* 172.30
# DontCacheResolved: ubuntumirror.local.net
DontCache: mirrorlist.centos.org
# DirPerms: 00755
# FilePerms: 00664
LocalDirs: acng-doc /usr/share/doc/apt-cacher-ng
# PrecacheFor: debrep/dists/unstable/*/source/Sources* debrep/dists/unstable/*/binary-amd64/Packages*
# RequestAppendix: X-Tracking-Choice: do-not-track\r\n
# ConnectProto: v6 v4
# KeepExtraVersions: 0
# UseWrap: 0
FreshIndexMaxAge: 300
# AllowUserPorts: 80
RedirMax: 6
# VfileUseRangeOps is set for fedora volatile files on mirrors that dont to range
VfileUseRangeOps: -1
# PassThroughPattern: private-ppa\.launchpad\.net:443$
# PassThroughPattern: .* # this would allow CONNECT to everything
PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirrors\.fedoraproject\.org:443|packages\.wazuh\.com:443|repo\.saltstack\.com:443|repo\.saltproject\.io:443|yum\.dockerproject\.org:443|download\.docker\.com:443|registry\.npmjs\.org:443|registry\.yarnpkg\.com:443)$ # yarn/npm pkg, cant to http :/
# ResponseFreezeDetectTime: 500
# ReuseConnections: 1
# PipelineDepth: 255
# CApath: /etc/ssl/certs
# CAfile:
# OptProxyTimeout: -1
# MaxDlSpeed: 500
# MaxInresponsiveDlSize: 64000
# BadRedirDetectMime: text/html
{% set proxy = salt['pillar.get']('manager:proxy') -%}
{% if proxy -%}
Proxy: {{ proxy }}
{% endif -%}


@@ -106,22 +106,6 @@ so-mysql:
- require: - require:
- file: mysqlcnf - file: mysqlcnf
- file: mysqlpass - file: mysqlpass
cmd.run:
- name: until nc -z {{ GLOBALS.manager }} 3306; do sleep 1; done
- timeout: 600
- onchanges:
- docker_container: so-mysql
module.run:
- so.mysql_conn:
- retry: 300
- onchanges:
- cmd: so-mysql
append_so-mysql_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-mysql
{% endif %} {% endif %}
{% else %} {% else %}


@@ -1,8 +1,8 @@
{% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %} {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER -%} {% from 'docker/docker.map.jinja' import DOCKER -%}
{%- set INFLUXDB_TOKEN = salt['pillar.get']('secrets:influx_token') %} {% set INFLUXDB_TOKEN = salt['pillar.get']('secrets:influx_token') %}
{%- set METRICS_LINK = salt['cmd.run']('so-influxdb-manage dashboardpath "Security Onion Performance"') %} {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
{% for module, application_url in GLOBALS.application_urls.items() %} {% for module, application_url in GLOBALS.application_urls.items() %}
{% do SOCDEFAULTS.soc.server.modules[module].update({'hostUrl': application_url}) %} {% do SOCDEFAULTS.soc.server.modules[module].update({'hostUrl': application_url}) %}
@@ -20,7 +20,7 @@
{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %} {% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %}
{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %} {% do SOCDEFAULTS.soc.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %}
{% for tool in SOCDEFAULTS.soc.server.client.tools %} {% for tool in SOCDEFAULTS.soc.server.client.tools %}
{% if tool.name == "toolInfluxDb" %} {% if tool.name == "toolInfluxDb" and METRICS_LINK | length > 0 %}
{% do tool.update({'link': METRICS_LINK}) %} {% do tool.update({'link': METRICS_LINK}) %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
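Review bot: `{% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}` in the first hunk makes rendering of this map fail outright when the file has not yet been produced by the influxdb state, so a missing dashboard link now breaks every state that imports this map instead of just leaving the link unset; the `length > 0` check on the second hunk only covers the empty-file case, not the absent-file case. Because the file is imported verbatim, a trailing newline from the command output (I cannot tell from here whether there is one) would also end up inside the tool link and would satisfy `length > 0` for a newline-only file; `{% if tool.name == "toolInfluxDb" and METRICS_LINK | trim | length > 0 %}` together with `{% do tool.update({'link': METRICS_LINK | trim}) %}` guards both. The `for module` loop opened in the first hunk continues past the hunk.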


@@ -28,10 +28,6 @@ base:
- salt.minion-state-apply-test - salt.minion-state-apply-test
- salt.minion - salt.minion
'G@os:Rocky and G@saltversion:{{saltversion}}':
- match: compound
- yum.packages
'* and G@saltversion:{{saltversion}}': '* and G@saltversion:{{saltversion}}':
- match: compound - match: compound
- salt.minion - salt.minion


@@ -1,4 +0,0 @@
install_yum_utils:
pkg.installed:
- name: yum-utils


@@ -1832,6 +1832,7 @@ reinstall_init() {
# Backup (and erase) directories in /nsm to prevent app errors # Backup (and erase) directories in /nsm to prevent app errors
backup_dir /nsm/mysql "$date_string" backup_dir /nsm/mysql "$date_string"
backup_dir /nsm/kratos "$date_string" backup_dir /nsm/kratos "$date_string"
backup_dir /nsm/influxdb "$date_string"
# Remove the old launcher package in case the config changes # Remove the old launcher package in case the config changes
remove_package launcher-final remove_package launcher-final


@@ -598,6 +598,7 @@ if ! [[ -f $install_opt_file ]]; then
docker_seed_registry docker_seed_registry
title "Applying the manager state" title "Applying the manager state"
logCmd "salt-call state.apply -l info manager" logCmd "salt-call state.apply -l info manager"
logCmd "salt-call state.apply influxdb -l info"
logCmd "salt-call state.highstate -l info" logCmd "salt-call state.highstate -l info"
add_web_user add_web_user
info "Restarting SOC to pick up initial user" info "Restarting SOC to pick up initial user"
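Review bot: The added `logCmd "salt-call state.apply influxdb -l info"` places `-l info` after the state name while the line above writes `state.apply -l info manager`; keeping one argument order makes the sequence easier to scan. A short comment should also record why influxdb is applied on its own before the highstate — presumably so `metrics_link.txt` exists before the soc map, which this change makes `import_text` that file, is rendered, but that is inferred: `# apply influxdb before highstate so metrics_link.txt exists when the soc state renders`. Whether a failure of this step stops setup depends on logCmd, which is outside this hunk, as is the rest of the enclosing `if` block.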


@@ -36,7 +36,7 @@ log_has_errors() {
grep -vE "The Salt Master has cached the public key for this node" | \ grep -vE "The Salt Master has cached the public key for this node" | \
grep -vE "Minion failed to authenticate with the master" | \ grep -vE "Minion failed to authenticate with the master" | \
grep -vE "Failed to connect to ::1" | \ grep -vE "Failed to connect to ::1" | \
grep -vE "Failed to set locale" | \ grep -vE "Failed to set locale" | \
grep -vE "perl-Error-" | \ grep -vE "perl-Error-" | \
grep -vE "Failed:\s*?[0-9]+" | \ grep -vE "Failed:\s*?[0-9]+" | \
grep -vE "Status .* was not found" | \ grep -vE "Status .* was not found" | \