diff --git a/salt/common/init.sls b/salt/common/init.sls index 769484ef3..90a713c11 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -158,8 +158,8 @@ Etc/UTC: utilsyncscripts: file.recurse: - name: /usr/sbin - - user: 0 - - group: 0 + - user: root + - group: root - file_mode: 755 - template: jinja - source: salt://common/tools/sbin diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index b770f7cc8..26aca3542 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -58,8 +58,8 @@ filebeatconfsync: file.managed: - name: /opt/so/conf/filebeat/etc/filebeat.yml - source: salt://filebeat/etc/filebeat.yml - - user: 0 - - group: 0 + - user: root + - group: root - template: jinja - defaults: INPUTS: {{ salt['pillar.get']('filebeat:config:inputs', {}) }} diff --git a/salt/nodered/init.sls b/salt/nodered/init.sls index ac886a6b7..8b583bf91 100644 --- a/salt/nodered/init.sls +++ b/salt/nodered/init.sls @@ -52,8 +52,8 @@ noderedflowsload: file.managed: - name: /usr/sbin/so-nodered-load-flows - source: salt://nodered/files/nodered_load_flows - - user: 0 - - group: 0 + - user: root + - group: root - mode: 755 - template: jinja diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index 0bbf131f7..bae80c697 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -26,7 +26,7 @@ tgrafetsdir: tgrafsyncscripts: file.recurse: - name: /opt/so/conf/telegraf/scripts - - user: 0 + - user: root - group: 939 - file_mode: 700 - template: jinja diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index f2a4ae05b..03cd3f89e 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -65,7 +65,7 @@ wazuhagentconf: file.managed: - name: /var/ossec/etc/ossec.conf - source: salt://wazuh/files/agent/ossec.conf - - user: 0 + - user: root - group: 945 - template: jinja 
@@ -81,8 +81,8 @@ wazuhagentregister: file.managed: - name: /usr/sbin/wazuh-register-agent - source: salt://wazuh/files/agent/wazuh-register-agent - - user: 0 - - group: 0 + - user: root + - group: root - mode: 755 - template: jinja @@ -91,8 +91,8 @@ wazuhmgrwhitelist: file.managed: - name: /usr/sbin/wazuh-manager-whitelist - source: salt://wazuh/files/wazuh-manager-whitelist - - user: 0 - - group: 0 + - user: root + - group: root - mode: 755 - template: jinja diff --git a/salt/yum/etc/yum.conf.jinja b/salt/yum/etc/yum.conf.jinja index 22449083e..bef9c2128 100644 --- a/salt/yum/etc/yum.conf.jinja +++ b/salt/yum/etc/yum.conf.jinja @@ -11,6 +11,6 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }} bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum distroverpkg=centos-release -{% if salt['pillar.get']('global:managerupdate', '0') %} +{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', '0') %} proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142 -{% endif %} \ No newline at end of file +{% endif %} diff --git a/setup/so-functions b/setup/so-functions index c51feaf34..0ac1d0446 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -105,6 +105,10 @@ add_manager_hostfile() { whiptail_check_exitstatus $exitstatus } +add_mngr_ip_to_hosts() { + echo "$MSRVIP $MSRV" >> /etc/hosts +} + addtotab_generate_templates() { local addtotab_path=$local_salt_dir/pillar/data @@ -264,6 +268,7 @@ check_service_status() { check_salt_master_status() { echo "Checking if we can talk to the salt master" >> "$setup_log" 2>&1 + salt-call saltutil.kill_all_jobs > /dev/null 2>&1 salt-call state.show_top > /dev/null 2>&1 local status=$? #true if there is an issue talking to salt master 
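Review bot: In the rewritten `{% if %}` line of yum.conf.jinja the second operand, `salt['pillar.get']('global:managerupdate', '0')`, defaults to the string `'0'`, which Jinja treats as true, so when the pillar key is unset the proxy line is still written on every non-manager role. Whether a set value is an integer or a string is not visible in the diff, so a stored `'0'` string may behave the same way. An explicit comparison such as `salt['pillar.get']('global:managerupdate', 0) | int == 1` makes the gate independent of the value's type. The proxy URL is plain `http://`, so package integrity on these nodes rests on repository signature checking staying enabled; a short template comment above the `proxy=` line should say so.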
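Review bot: `add_mngr_ip_to_hosts` appends `$MSRVIP $MSRV` to /etc/hosts with no check that either variable is set or well-formed, and the `getent hosts` guard that the old `set_hostname` carried is gone. An empty `MSRVIP` writes a line that maps nothing, and this entry decides which address the node treats as its manager, so it deserves a guard such as `[[ -n $MSRVIP && -n $MSRV ]] || return 1` before the `echo`. A one-line comment should also state that the function relies on `set_hostname` having rewritten /etc/hosts first, which is why no duplicate check is done.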
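Review bot: The added `salt-call saltutil.kill_all_jobs` gives a function named `check_salt_master_status` a destructive side effect, and both its output and its exit status are discarded (`> /dev/null 2>&1`, with `$?` then taken from the following `state.show_top`). Writing it to the log instead, `salt-call saltutil.kill_all_jobs >> "$setup_log" 2>&1`, keeps a record of what was killed. A comment should say why jobs must be cleared before the connectivity check. The function body continues outside the hunk, so how often callers invoke it is not visible here.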
@@ -1408,6 +1413,64 @@ reserve_group_ids() { groupadd -g 946 cyberchef } +reinstall_init() { + info "Putting system in state to run setup again" + + { + local minion_config=/etc/salt/minion + + # Remove startup_states from minion config so we don't immediately highstate when salt starts back up + if [[ -f $minion_config ]] && grep -q "startup_states" $minion_config; then + sed -i '/startup_states/d' $minion_config + fi + + if command -v salt-call &> /dev/null; then + # Disable schedule so highstate doesn't start running during the install + salt-call -l info schedule.disable + + # Kill any currently running salt jobs, also to prevent issues with highstate. + salt-call -l info saltutil.kill_all_jobs + fi + + if command -v docker &> /dev/null; then + # Stop and remove all so-* containers so files can be changed with more safety + docker stop $(docker ps -a -q --filter "name=so-") + docker rm -f $(docker ps -a -q --filter "name=so-") + fi + + local date_string + date_string=$(date +%s) + + # Backup /opt/so since we'll be rebuilding this directory during setup + if [[ -d /opt/so ]]; then + mv /opt/so "/opt/so_old_${date_string}" + fi + + # Backup /nsm for the same reason + while IFS= read -r -d '' dir; do + mv "$dir" "${dir}_old_${date_string}" + done < <(find /nsm -maxdepth 1 -mindepth 1 -type d -print0) + + # Remove the old launcher package in case the config changes + remove_package launcher-final + + } >> $setup_log 2>&1 +} + +remove_package() { + local package_name=$1 + if [ $OS = 'centos' ]; then + if rpm -qa | grep -q "$package_name"; then + yum remove -y "$package_name" + fi + else + if dpkg -l | grep -q "$package_name"; then + apt purge -y "$package_name" + fi + fi +} + +# When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and salt/salt/master.defaults.yaml and salt/salt/minion.defaults.yaml # CAUTION! 
SALT VERSION UDDATES - READ BELOW # When updating the salt version, also update the version in: # - securityonion-builds/iso-resources/build.sh @@ -1568,7 +1631,6 @@ saltify() { } salt_checkin() { - case "$install_type" in 'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') # Fix Mine usage { @@ -1800,25 +1862,12 @@ set_default_log_size() { set_hostname() { - set_hostname_iso - - if [[ ! $install_type =~ ^(MANAGER|EVAL|HELIXSENSOR|MANAGERSEARCH|STANDALONE|IMPORT)$ ]]; then - if ! getent hosts "$MSRV"; then - echo "$MSRVIP $MSRV" >> /etc/hosts - fi - fi - -} - -set_hostname_iso() { - hostnamectl set-hostname --static "$HOSTNAME" echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts echo "::1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts echo "$HOSTNAME" > /etc/hostname hostname -F /etc/hostname - } set_initial_firewall_policy() { diff --git a/setup/so-setup b/setup/so-setup index d699e9f57..cf180000f 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -54,6 +54,13 @@ while [[ $# -gt 0 ]]; do esac done +if [[ -f $setup_log ]]; then + is_reinstall=true + + # Move last setup log to backup + mv $setup_log $setup_log.bak +fi + # Begin Installation pre-processing parse_install_username @@ -114,7 +121,8 @@ case "$setup_type" in esac # Allow execution of SO tools during setup -export PATH=$PATH:../salt/common/tools/sbin +local_sbin="$(pwd)/../salt/common/tools/sbin" +export PATH=$PATH:$local_sbin detect_os && detect_cloud set_network_dev_status_list 
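Review bot: The destructive steps in `reinstall_init` and `remove_package` pick their targets by substring: `--filter "name=so-"` matches any container whose name contains `so-`, and `rpm -qa | grep -q` / `dpkg -l | grep -q` match any package line containing the string. The two `docker` calls also run with an empty argument list when nothing matches, and `[ $OS = 'centos' ]` falls through to the `apt` branch with a test error if `OS` is unset. The `/nsm` loop renames every top-level directory, including `*_old_*` copies left by an earlier reinstall, and no `mv` result is checked before setup carries on. A tighter container and package selection is sketched below; the `^so-` anchor form should be confirmed against the Docker version shipped.

```shell
# … unchanged: minion config cleanup and salt-call steps …
	if command -v docker &> /dev/null; then
		# Anchor the name so only so-* containers match; skip the calls when none exist
		local so_containers
		so_containers=$(docker ps -a -q --filter "name=^so-")
		if [[ -n $so_containers ]]; then
			docker stop $so_containers
			docker rm -f $so_containers
		fi
	fi
# … unchanged: /opt/so and /nsm backups, launcher removal …

remove_package() {
	local package_name=$1
	# Query the package database by exact name instead of grepping the full listing
	if [[ $OS == 'centos' ]]; then
		if rpm -q "$package_name" &> /dev/null; then
			yum remove -y "$package_name"
		fi
	else
		if dpkg -s "$package_name" &> /dev/null; then
			apt purge -y "$package_name"
		fi
	fi
}
```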
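Review bot: Reinstall mode in so-setup is inferred only from the existence of `$setup_log`, so any earlier run that created the log, presumably including one abandoned before changes were made, later triggers `reinstall_init`. The `mv $setup_log $setup_log.bak` line is unquoted and overwrites the previous backup, so the record of the original install is lost on the second re-run; `mv "$setup_log" "${setup_log}.$(date +%s).bak"` keeps each one. A comment above the block should state that the log file doubles as the reinstall marker.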
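Review bot: `local_sbin` is built from `$(pwd)`, so the directory appended to the setup process's `PATH` depends on where so-setup was started rather than where the script lives. Launched from another directory, the entry points at an unrelated path: the SO tools are not found, while anything placed at that path is. Resolving from the script location avoids this, `local_sbin="$(cd "$(dirname "${BASH_SOURCE[0]}")/../salt/common/tools/sbin" && pwd)"`, and the export should be quoted as `export PATH="$PATH:$local_sbin"`. Whether the script changes into its own directory earlier is not visible in this hunk.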
@@ -420,21 +428,32 @@ whiptail_make_changes # From here on changes will be made. +if [[ $is_reinstall ]]; then + reinstall_init +fi + if [[ -n "$TURBO" ]]; then use_turbo_proxy fi if [[ "$setup_type" == 'iso' ]]; then # Init networking so rest of install works - set_hostname_iso + set_hostname set_management_interface fi disable_ipv6 disable_auto_start +if [[ "$setup_type" != 'iso' ]]; then + set_hostname +fi + +if [[ $is_minion ]]; then + add_mngr_ip_to_hosts +fi + { - set_hostname; set_version; clear_manager; } >> $setup_log 2>&1 diff --git a/setup/so-whiptail b/setup/so-whiptail index cc37f0545..20682a8b5 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -791,6 +791,8 @@ whiptail_management_server() { if ! getent hosts "$MSRV"; then add_manager_hostfile + else + MSRVIP=$(getent hosts "$MSRV" | awk 'NR==1{print $1}') fi }
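Review bot: `set_hostname` and `add_mngr_ip_to_hosts` now run outside the `{ ...; } >> $setup_log 2>&1` group that `set_hostname` used to be in, so errors from `hostnamectl` or the /etc/hosts writes no longer reach the setup log. Redirecting both calls, e.g. `set_hostname >> "$setup_log" 2>&1`, keeps the record in one place. `reinstall_init` is gated by `[[ $is_reinstall ]]`, which is true for any non-empty value; `[[ $is_reinstall == true ]]` states the intent.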
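Review bot: The new `else` branch in `whiptail_management_server` takes the first line of `getent hosts "$MSRV"` as `MSRVIP`, and `getent hosts` can return an IPv6 address when the name has one, while so-setup calls `disable_ipv6` later in the same run. That value is then written to /etc/hosts by `add_mngr_ip_to_hosts`, pinning whatever the resolver answered at setup time. `MSRVIP=$(getent ahostsv4 "$MSRV" | awk 'NR==1{print $1}')` restricts the lookup to IPv4, and an empty result should fall back to `add_manager_hostfile`. The function starts outside the hunk.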