enable/disable soqemussh. allow for pw to be set

2025-12-06 17:22:49 +01:00 · 2025-04-18 14:07:32 -04:00
parent 0bcb6040c9
commit 285d73d526
8 changed files with 127 additions and 6 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -26,6 +26,11 @@ base:
    - nginx.soc_nginx
    - nginx.adv_nginx

+  'salt-cloud:driver:libvirt':
+    - match: grain
+    - vm.soc_vm
+    - vm.adv_vm
+
  '*_manager or *_managersearch or *_managerhype':
    - match: compound
    - node_data.ips
--- a/salt/_runners/setup_hypervisor.py
+++ b/salt/_runners/setup_hypervisor.py
@@ -10,8 +10,6 @@
 #    software that is protected by the license key."

 """
-TODO: Remove passwd hash prior to release. used for development
-
 This runner performs the initial setup required for hypervisor hosts in the Security Onion environment.
 It handles downloading the Oracle Linux KVM image, setting up SSH keys for secure communication,
 and creating virtual machines with cloud-init configuration.
@@ -715,6 +713,24 @@ def create_vm(vm_name: str, disk_size: str = '220G'):
            log.error("CREATEVM: Failed to read SSH public key: %s", str(e))
            return {'success': False, 'error': 'Failed to read SSH public key'}

+        # Read pillar data for soqemussh password hash
+        pillar_path = '/opt/so/saltstack/local/pillar/vm/soc_vm.sls'
+        password_hash = None
+        passwd_line = ""  # Default to empty if no hash found
+        try:
+            if os.path.exists(pillar_path):
+                with salt.utils.files.fopen(pillar_path, 'r') as f:
+                    pillar_data = yaml.safe_load(f)
+                    if pillar_data:
+                        password_hash = pillar_data.get('vm', {}).get('user', {}).get('soqemussh', {}).get('passwordHash')
+            if password_hash:
+                passwd_line = f"      passwd: {password_hash}\n"
+                log.info("CREATEVM: Found soqemussh password hash in pillar.")
+            else:
+                log.info("CREATEVM: No soqemussh password hash found in pillar, omitting passwd line.")
+        except Exception as e:
+            log.warning(f"CREATEVM: Error reading or parsing pillar file {pillar_path}: {str(e)}. Omitting passwd line.")
+
        # Read and encode GPG keys
        keys_dir = '/opt/so/saltstack/default/salt/repo/client/files/oracle/keys'
        oracle_key = _read_and_encode_key(os.path.join(keys_dir, 'RPM-GPG-KEY-oracle'))
@@ -752,8 +768,7 @@ users:
      shell: /bin/bash
      sudo: ALL=(ALL) NOPASSWD:ALL
      lock_passwd: false
-      passwd: $6$THWuTZMZhIVMGaaw$w9kozn7z7i0Y9LRVGZwN6mcZag4vMpE3hW6eCtKNHlFpL1XLcOdiIr29JyDxx3MLBXNedIqnqcj4psqCjv58d.
-      ssh_authorized_keys:
+{passwd_line}      ssh_authorized_keys:
        - {ssh_pub_key}

 # Configure where output will go
@@ -796,6 +811,10 @@ write_files:
    content: |
      {securityonion_key}

+# Run on every boot - this will only run *after* the first boot and successful cloud-init run
+bootcmd:
+  - if [ -f /var/lib/cloud/instance/boot-finished ]; then touch /etc/cloud/cloud-init.disabled; fi
+
 runcmd:
  # Import GPG keys and remove repo files except securityonion.repo
  - rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
@@ -811,7 +830,6 @@ runcmd:
  - pvresize /dev/vda2
  - lvextend -l +100%FREE /dev/vg_main/lv_root
  - xfs_growfs /dev/vg_main/lv_root
-  - touch /etc/cloud/cloud-init.disabled
  - rm -f /etc/sysconfig/network-scripts/ifcfg-eth0

 power_state:
@@ -819,6 +837,7 @@ power_state:
  mode: poweroff
  timeout: 30
  condition: True
+  message: Cloud-init completed, powering off
 """
        user_data_path = os.path.join(vm_dir, 'user-data')
        with salt.utils.files.fopen(user_data_path, 'w') as f:
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -11,7 +11,8 @@ base:
  'salt-cloud:driver:libvirt':
    - match: grain
    - storage
-    - vm_status
+    - vm.status
+    - vm.user

  '*':
    - cron.running
--- a/salt/vm/defaults.yaml
+++ b/salt/vm/defaults.yaml
@@ -0,0 +1,5 @@
+vm:
+  user:
+    soqemussh:
+      enabled: False
+      passwordHash:
--- a/salt/vm/map.jinja
+++ b/salt/vm/map.jinja
@@ -0,0 +1,25 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. 
+   
+   Note: Per the Elastic License 2.0, the second limitation states:
+
+    "You may not move, change, disable, or circumvent the license key functionality
+     in the software, and you may not remove or obscure any functionality in the
+     software that is protected by the license key." #}
+
+{% if 'vrt' in salt['pillar.get']('features', []) %}
+
+{%   import_yaml 'vm/defaults.yaml' as VMDEFAULTS %}
+{%   set VMMERGED = salt['pillar.get']('vm', VMDEFAULTS.vm, merge=True) %}
+
+{% else %}
+
+{% do salt.log.error(
+  'Hypervisor nodes are a feature supported only for customers with a valid license.'
+  'Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com'
+  'for more information about purchasing a license to enable this feature.'
+) %}
+
+{% endif %}
--- a/salt/vm/soc_vm.yaml
+++ b/salt/vm/soc_vm.yaml
@@ -0,0 +1,10 @@
+vm:
+  user:
+    soqemussh:
+      enabled:
+        description: Enable or disable the soqemussh user.
+        forcedType: bool
+      passwordHash:
+        description: 'Enter a SHA-512 password hash to set the soqemussh user password. Generate this hash by running the following command on the manager: `openssl passwd -6`'
+        forcedType: string
+        global: True
--- a/salt/vm/status/init.sls
+++ b/salt/vm/status/init.sls
--- a/salt/vm/user/init.sls
+++ b/salt/vm/user/init.sls
@@ -0,0 +1,56 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+#
+# Note: Per the Elastic License 2.0, the second limitation states:
+#
+#   "You may not move, change, disable, or circumvent the license key functionality
+#    in the software, and you may not remove or obscure any functionality in the
+#    software that is protected by the license key."
+
+{% if 'vrt' in salt['pillar.get']('features', []) %}
+
+{%   from 'vm/map.jinja' import VMMERGED %}
+
+{%   if VMMERGED.user.soqemussh.enabled %}
+
+vm_user_soqemussh:
+  user.present:
+    - name: soqemussh
+    - shell: /bin/bash
+    - home: /home/soqemussh
+{%     if VMMERGED.user.soqemussh.passwordHash %}
+    - password: '{{ VMMERGED.user.soqemussh.passwordHash }}'
+{%     endif %}
+
+vm_user_soqemussh_home_directory:
+  file.directory:
+    - name: /home/soqemussh
+    - user: soqemussh
+    - group: soqemussh
+    - mode: 700
+    - recurse:
+      - user
+      - group
+
+{%   else %}
+
+vm_user_soqemussh:
+  user.absent:
+    - name: soqemussh
+    - force: True
+
+{%   endif %}
+
+{% else %}
+
+{{sls}}_no_license_detected:
+  test.fail_without_changes:
+    - name: {{sls}}_no_license_detected
+    - comment:
+      - "Hypervisor nodes are a feature supported only for customers with a valid license.
+      Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com
+      for more information about purchasing a license to enable this feature."
+
+{% endif %}