Merge remote-tracking branch 'remotes/origin/2.4/dev' into 2.4/fleetautogen

salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers

@@ -15,7 +15,7 @@ for i in {1..30}
 do
    ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json'  | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')
    FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' | jq -r  '.item.host_urls[]' | paste -sd ',')
-if [[ $FLEETHOST ]] && [[  $ENROLLMENTOKEN ]] && [[  $ELASTICVERSION ]]; then break; else sleep 10; fi
+if [[ $FLEETHOST ]] && [[  $ENROLLMENTOKEN ]]; then break; else sleep 10; fi
 done
 
 if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then 
@@ -67,4 +67,4 @@ do
 done
 
 printf "\n### Cleaning up temp files in /nsm/elastic-agent-workspace"
-rm -rf /nsm/elastic-agent-workspace
+rm -rf /nsm/elastic-agent-workspace

salt/nginx/defaults.yaml

@@ -1,6 +1,7 @@
 nginx:
   enabled: False
-  config:
+  ssl:
     replace_cert: False
+  config:
     throttle_login_burst: 12
     throttle_login_rate: 20

salt/nginx/enabled.sls

@@ -7,11 +7,79 @@
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'nginx/map.jinja' import NGINXMERGED %}
+{%   set ca_server = GLOBALS.minion_id %}
 
 include:
   - nginx.config
   - nginx.sostatus
 
+{#   if the user has selected to replace the crt and key in the ui #}
+{%   if NGINXMERGED.ssl.replace_cert %}
+
+managerssl_key:
+  file.managed:
+    - name: /etc/pki/managerssl.key
+    - source: salt://nginx/ssl/ssl.key
+    - mode: 640
+    - group: 939
+    - watch_in:
+      - docker_container: so-nginx
+
+managerssl_crt:
+  file.managed:
+    - name: /etc/pki/managerssl.crt
+    - source: salt://nginx/ssl/ssl.crt
+    - mode: 644
+    - watch_in:
+      - docker_container: so-nginx
+
+{%   else %}
+
+managerssl_key:
+  x509.private_key_managed:
+    - name: /etc/pki/managerssl.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
+    - prereq:
+      - x509: /etc/pki/managerssl.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+    - watch_in:
+      - docker_container: so-nginx
+
+# Create a cert for the reverse proxy
+managerssl_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/managerssl.crt
+    - ca_server: {{ ca_server }}
+    - signing_policy: managerssl
+    - private_key: /etc/pki/managerssl.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+    - watch_in:
+      - docker_container: so-nginx
+
+{%   endif %}
+
+msslkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/managerssl.key
+    - mode: 640
+    - group: 939
+
 make-rule-dir-nginx:
   file.directory:
     - name: /nsm/rules
@@ -74,12 +142,17 @@ so-nginx:
       - file: nginxconfdir
     - require:
       - file: nginxconf
-      {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
+{%   if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
+{%     if NGINXMERGED.ssl.replace_cert %}
+      - file: managerssl_key
+      - file: managerssl_crt
+{%     else %}
       - x509: managerssl_key
       - x509: managerssl_crt
+{%     endif%}
       - file: navigatorconfig
       - file: navigatordefaultlayer
-      {% endif %}
+{%   endif %}
 
 delete_so-nginx_so-status.disabled:
   file.uncomment:

salt/nginx/soc_nginx.yaml

@@ -3,27 +3,29 @@ nginx:
     description: You can enable or disable Nginx.
     advanced: True
     helpLink: nginx.html
-  config:
+  ssl:
     replace_cert:
       description: Enable this if you would like to replace the Security Onion Certificate with your own.
       global: True
       advanced: True
+      forcedType: bool
       title: Replace Default Cert
       helpLink: nginx.html
     ssl__key:
-      description: If you enabled the replace_cert option, paste your .key file here.
+      description: If you enabled the replace_cert option, paste the contents of your .key file here.
       file: True
-      title: SSL Key File
+      title: SSL/TLS Key File
       advanced: True
       global: True
       helpLink: nginx.html
     ssl__crt:
-      description: If you enabled the replace_cert option, paste your .crt file here.
+      description: If you enabled the replace_cert option, paste the contents of your .crt file here.
       file: True
-      title: SSL Cert File
+      title: SSL/TLS Cert File
       advanced: True
       global: True
       helpLink: nginx.html
+  config:
     throttle_login_burst:
       description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow.
       global: True

salt/soc/config.sls

@@ -32,9 +32,10 @@ soclogdir:
 
 socsaltdir:
   file.directory:
-    - name: /opt/so/conf/soc/salt
+    - name: /opt/so/conf/soc/queue
     - user: 939
     - group: 939
+    - mode: 770
     - makedirs: True
 
 socconfig:

salt/soc/defaults.yaml

@@ -1039,7 +1039,7 @@ soc:
           bucket: telegraf/so_short_term
           verifyCert: false
         salt:
-          saltPipe: /opt/sensoroni/salt/pipe
+          queueDir: /opt/sensoroni/queue
         sostatus:
           refreshIntervalMs: 30000
           offlineThresholdMs: 900000

salt/soc/enabled.sls

@@ -31,7 +31,7 @@ so-soc:
       - /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro
       - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro
       - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
-      - /opt/so/conf/soc/salt:/opt/sensoroni/salt:rw
+      - /opt/so/conf/soc/queue:/opt/sensoroni/queue:rw
       - /opt/so/saltstack:/opt/so/saltstack:rw
       {% if DOCKER.containers['so-soc'].custom_bind_mounts %}
         {% for BIND in DOCKER.containers['so-soc'].custom_bind_mounts %}
@@ -73,7 +73,7 @@ delete_so-soc_so-status.disabled:
 
 salt-relay:
   cron.present:
-    - name: 'ps -ef | grep salt-relay.sh | grep -v grep > /dev/null 2>&1 || /opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1 &'
+    - name: '/opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh &'
     - identifier: salt-relay
 
 {% else %}

salt/soc/files/bin/salt-relay.sh

@@ -6,58 +6,78 @@
 
 . /usr/sbin/so-common
 
-PIPE_OWNER=${PIPE_OWNER:-socore}
-PIPE_GROUP=${PIPE_GROUP:-socore}
-SOC_PIPE=${SOC_PIPE:-/opt/so/conf/soc/salt/pipe}
-CMD_PREFIX=${CMD_PREFIX:-""}
+QUEUE_OWNER=${QUEUE_OWNER:-socore}
+QUEUE_GROUP=${QUEUE_GROUP:-socore}
+MIN_POLL_INTERVAL=${MIN_POLL_INTERVAL:-1}
+LOG_FILE=${LOG_FILE:-/opt/so/log/soc/salt-relay.log}
 PATH=${PATH}:/usr/sbin
 
+# USE CAUTION when changing this value as all files in this dir will be deleted
+QUEUE_DIR=/opt/so/conf/soc/queue
+
 function log() {
-  echo "$(date) | $1"
+  echo "$(date) | $1" >> $LOG_FILE
 }
 
-function make_pipe() {
-  path=$1
+function poll() {
+  # Purge any expired files older than 1 minute. SOC will have already errored out to the user
+  # if a response hasn't been detected by this time.
+  find "$QUEUE_DIR" -type f -mmin +1 -delete
 
-  log "Creating pipe: $path"
-  rm -f "${path}"
-  mkfifo "${path}"
-  chmod 0660 "${path}"
-  chown ${PIPE_OWNER}:${PIPE_GROUP} "${path}"
+  file=$(ls -1trI "*.response" "$QUEUE_DIR" | head -1)
+  if [[ "$file" != "" ]]; then
+    contents=$(cat "$QUEUE_DIR/$file")
+    # Delete immediately to prevent a crash from potentially causing the same
+    # command to be executed multiple times -> Safer to not run at all than to
+    # potentially execute multiple times (Ex: user management)
+    rm -f "$QUEUE_DIR/$file"
+    echo "$contents"
+  fi
 }
 
-make_pipe "${SOC_PIPE}"
+function respond() {
+  file="$QUEUE_DIR/$1.response"
+  response=$2
+
+  touch "$file"
+  chmod 660 "$file"
+  chown "$QUEUE_OWNER:$QUEUE_GROUP" "$file"
+  echo "$response" > "$file"
+}
 
 function list_minions() {
-  response=$($CMD_PREFIX so-minion -o=list)
+  id=$1
+  response=$(so-minion -o=list)
   exit_code=$?
   if [[ $exit_code -eq 0 ]]; then
     log "Successful command execution"
-    $(echo "$response" > "${SOC_PIPE}")
+    respond "$id" "$response"
   else
     log "Unsuccessful command execution: $exit_code"
-    $(echo "false" > "${SOC_PIPE}")
+    respond "$id" "false"
   fi
 }
 
 function manage_minion() {
-  request=$1
+  id=$1
+  request=$2
   op=$(echo "$request" | jq -r .operation)
-  id=$(echo "$request" | jq -r .id)
+  minion_id=$(echo "$request" | jq -r .id)
 
-  response=$($CMD_PREFIX so-minion "-o=$op" "-m=$id")
+  response=$(so-minion "-o=$op" "-m=$minion_id")
   exit_code=$?
   if [[ exit_code -eq 0 ]]; then
     log "Successful command execution"
-    $(echo "true" > "${SOC_PIPE}")
+    respond "$id" "true"
   else
     log "Unsuccessful command execution: $response ($exit_code)"
-    $(echo "false" > "${SOC_PIPE}")
+    respond "$id" "false"
   fi
 }
 
 function manage_user() {
-  request=$1
+  id=$1
+  request=$2
   op=$(echo "$request" | jq -r .operation)
 
   max_tries=10
@@ -72,20 +92,20 @@ function manage_user() {
         lastName=$(echo "$request" | jq -r .lastName)
         note=$(echo "$request" | jq -r .note)
         log "Performing user '$op' for user '$email' with firstname '$firstName', lastname '$lastName', note '$note' and role '$role'"
-        response=$(echo "$password" | $CMD_PREFIX so-user "$op" --email "$email" --firstName "$firstName" --lastName "$lastName" --note "$note" --role "$role" --skip-sync)
+        response=$(echo "$password" | so-user "$op" --email "$email" --firstName "$firstName" --lastName "$lastName" --note "$note" --role "$role" --skip-sync)
         exit_code=$?
         ;;
       add|enable|disable|delete)
         email=$(echo "$request" | jq -r .email)
         log "Performing user '$op' for user '$email'"
-        response=$($CMD_PREFIX so-user "$op" --email "$email" --skip-sync)
+        response=$(so-user "$op" --email "$email" --skip-sync)
         exit_code=$?
         ;;
       addrole|delrole)
         email=$(echo "$request" | jq -r .email)
         role=$(echo "$request" | jq -r .role)
         log "Performing '$op' for user '$email' with role '$role'"
-        response=$($CMD_PREFIX so-user "$op" --email "$email" --role "$role" --skip-sync)
+        response=$(so-user "$op" --email "$email" --role "$role" --skip-sync)
         exit_code=$?
         ;;
       password)
@@ -101,12 +121,12 @@ function manage_user() {
         lastName=$(echo "$request" | jq -r .lastName)
         note=$(echo "$request" | jq -r .note)
         log "Performing '$op' update for user '$email' with firstname '$firstName', lastname '$lastName', and note '$note'"
-        response=$($CMD_PREFIX so-user "$op" --email "$email" --firstName "$firstName" --lastName "$lastName" --note "$note")
+        response=$(so-user "$op" --email "$email" --firstName "$firstName" --lastName "$lastName" --note "$note")
         exit_code=$?
         ;;
       sync)
         log "Performing '$op'"
-        response=$($CMD_PREFIX so-user "$op")
+        response=$(so-user "$op")
         exit_code=$?
         ;;
       *)
@@ -126,15 +146,16 @@ function manage_user() {
 
   if [[ exit_code -eq 0 ]]; then
     log "Successful command execution: $response"
-    $(echo "true" > "${SOC_PIPE}")
+    respond "$id" "true"
   else
     log "Unsuccessful command execution: $response ($exit_code)"
-    $(echo "false" > "${SOC_PIPE}")
+    respond "$id" "false"
   fi
 }
 
 function manage_salt() {
-  request=$1
+  id=$1
+  request=$2
   op=$(echo "$request" | jq -r .operation)
   minion=$(echo "$request" | jq -r .minion)
   if [[ -s $minion || "$minion" == "null" ]]; then
@@ -145,18 +166,18 @@ function manage_salt() {
     state)
       log "Performing '$op' for '$state' on minion '$minion'"
       state=$(echo "$request" | jq -r .state)
-      response=$($CMD_PREFIX salt --async "$minion" state.apply "$state" queue=2)
+      response=$(salt --async "$minion" state.apply "$state" queue=2)
       exit_code=$?
       ;;
     highstate)
       log "Performing '$op' on minion $minion"
-      response=$($CMD_PREFIX salt --async "$minion" state.highstate queue=2)
+      response=$(salt --async "$minion" state.highstate queue=2)
       exit_code=$?
       ;;
     activejobs)
-      response=$($CMD_PREFIX salt-run jobs.active -out json -l quiet)
+      response=$(salt-run jobs.active -out json -l quiet)
       log "Querying active salt jobs"
-      $(echo "$response" > "${SOC_PIPE}")
+      respond "$id" "$response"
       return
       ;;
     *)
@@ -167,15 +188,16 @@ function manage_salt() {
 
   if [[ exit_code -eq 0 ]]; then
     log "Successful command execution: $response"
-    $(echo "true" > "${SOC_PIPE}")
+    respond "$id" "true"
   else
     log "Unsuccessful command execution: $response ($exit_code)"
-    $(echo "false" > "${SOC_PIPE}")
+    respond "$id" "false"
   fi
 }
 
 function send_file() {
-  request=$1
+  id=$1
+  request=$2
   from=$(echo "$request" | jq -r .from)
   to=$(echo "$request" | jq -r .to)
   node=$(echo "$request" | jq -r .node)
@@ -195,7 +217,7 @@ function send_file() {
   filename=$(basename "$fromgpg")
 
   log "sending..."
-  response=$($CMD_PREFIX salt-cp -C "$node" "$fromgpg" "$to")
+  response=$(salt-cp -C "$node" "$fromgpg" "$to")
   # salt-cp returns 0 even if the file transfer fails, so we need to check the response.
   # Remove the node and filename from the response on the off-chance they contain
   # the word "True" in them
@@ -213,14 +235,15 @@ function send_file() {
   fi
 
   if [[ exit_code -eq 0 ]]; then
-    $(echo "true" > "${SOC_PIPE}")
+    respond "$id" "true"
   else
-    $(echo "false" > "${SOC_PIPE}")
+    respond "$id" "false"
   fi
 }
 
 function import_file() {
-  request=$1
+  id=$1
+  request=$2
   node=$(echo "$request" | jq -r .node)
   file=$(echo "$request" | jq -r .file)
   importer=$(echo "$request" | jq -r .importer)
@@ -234,7 +257,7 @@ function import_file() {
   log "decrypting..."
   password=$(lookup_pillar_secret import_pass)
   decrypt_cmd="gpg --passphrase $password -o $file.tmp --batch --decrypt $filegpg"
-  $CMD_PREFIX salt "$node" cmd.run "\"$decrypt_cmd\""
+  salt "$node" cmd.run "\"$decrypt_cmd\""
   decrypt_code=$?
 
   if [[ $decrypt_code -eq 0 ]]; then
@@ -243,12 +266,12 @@ function import_file() {
     case $importer in
       pcap)
         import_cmd="so-import-pcap $file --json"
-        response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"")
+        response=$(salt "$node" cmd.run "\"$import_cmd\"")
         exit_code=$?
         ;;
       evtx)
         import_cmd="so-import-evtx $file --json"
-        response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"")
+        response=$(salt "$node" cmd.run "\"$import_cmd\"")
         exit_code=$?
         ;;
       *)
@@ -269,45 +292,51 @@ function import_file() {
   if [[ exit_code -eq 0 ]]; then
     # trim off the node header ("manager_standalone:\n") and parse out the URL
     url=$(echo "$response" | tail -n +2 | jq -r .url)
-    $(echo "$url" > "${SOC_PIPE}")
+    respond "$id" "$url"
   else
     log "false"
-    $(echo "false" > "${SOC_PIPE}")
+    respond "$id" "false"
   fi
 }
 
+# Ensure there are not multiple salt-relay.sh programs running.
+num_relays_running=$(pgrep salt-relay.sh -c)
+if [[ $num_relays_running -gt 1 ]]; then
+  exit;
+fi
+
+# loop indefinitely
+log "Polling for requests: ${QUEUE_DIR}"
 while true; do
-  log "Listening for request"
-  request=$(cat ${SOC_PIPE})
+  request=$(poll)
   if [[ "$request" != "" ]]; then
     command=$(echo "$request" | jq -r .command)
-    log "Received request; command=${command}"
+    id=$(echo "$request" | jq -r .command_id)
+    log "Received request; command=${command}; id=${id}"
     case "$command" in
       list-minions)
-        list_minions
+        list_minions "$id" 
         ;;
       manage-minion)
-        manage_minion "${request}"
+        manage_minion "$id" "${request}"
         ;;
       manage-user)
-        manage_user "${request}"
+        manage_user "$id" "${request}"
         ;;
       manage-salt)
-        manage_salt "${request}"
+        manage_salt "$id" "${request}"
         ;;
       send-file)
-        send_file "${request}"
+        send_file "$id" "${request}"
         ;;
       import-file)
-        import_file "${request}"
+        import_file "$id" "${request}"
         ;;
       *)
         log "Unsupported command: $command"
-        $(echo "false" > "${SOC_PIPE}")
+        respond "$id" "false"
         ;;
     esac
-
-    # allow remote reader to get a clean reader before we try to read again on next loop
-    sleep 1
   fi
+  sleep $MIN_POLL_INTERVAL
 done

salt/ssl/init.sls

@@ -507,48 +507,6 @@ elasticp12perms:
     - mode: 640
     - group: 930
 
-managerssl_key:
-  x509.private_key_managed:
-    - name: /etc/pki/managerssl.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
-    - prereq:
-      - x509: /etc/pki/managerssl.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Create a cert for the reverse proxy
-managerssl_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/managerssl.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: managerssl
-    - private_key: /etc/pki/managerssl.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - unless:
-      # https://github.com/saltstack/salt/issues/52167
-      # Will trigger 5 days (432000 sec) from cert expiration
-      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-msslkeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/managerssl.key
-    - mode: 640
-    - group: 939
-
   {% endif %}