Merge pull request #1822 from Security-Onion-Solutions/feature/setup-idempotency

Feature/setup idempotency
2025-12-08 18:22:47 +01:00 · 2020-11-05 13:48:18 -05:00
parent ec3f35c360 a5833f1f77
commit 4fed5c2518
9 changed files with 101 additions and 31 deletions
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -158,8 +158,8 @@ Etc/UTC:
 utilsyncscripts:
  file.recurse:
    - name: /usr/sbin
-    - user: 0
+    - user: root
-    - group: 0
+    - group: root
    - file_mode: 755
    - template: jinja
    - source: salt://common/tools/sbin
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -58,8 +58,8 @@ filebeatconfsync:
  file.managed:
    - name: /opt/so/conf/filebeat/etc/filebeat.yml
    - source: salt://filebeat/etc/filebeat.yml
-    - user: 0
+    - user: root
-    - group: 0
+    - group: root
    - template: jinja
    - defaults:
        INPUTS: {{ salt['pillar.get']('filebeat:config:inputs', {}) }}
--- a/salt/nodered/init.sls
+++ b/salt/nodered/init.sls
@@ -52,8 +52,8 @@ noderedflowsload:
  file.managed:
    - name: /usr/sbin/so-nodered-load-flows
    - source: salt://nodered/files/nodered_load_flows
-    - user: 0
+    - user: root
-    - group: 0
+    - group: root
    - mode: 755
    - template: jinja
--- a/salt/telegraf/init.sls
+++ b/salt/telegraf/init.sls
@@ -26,7 +26,7 @@ tgrafetsdir:
 tgrafsyncscripts:
  file.recurse:
    - name: /opt/so/conf/telegraf/scripts
-    - user: 0
+    - user: root
    - group: 939
    - file_mode: 700
    - template: jinja
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -65,7 +65,7 @@ wazuhagentconf:
  file.managed:
    - name: /var/ossec/etc/ossec.conf
    - source: salt://wazuh/files/agent/ossec.conf
-    - user: 0
+    - user: root
    - group: 945
    - template: jinja
@@ -81,8 +81,8 @@ wazuhagentregister:
  file.managed:
    - name: /usr/sbin/wazuh-register-agent
    - source: salt://wazuh/files/agent/wazuh-register-agent
-    - user: 0
+    - user: root
-    - group: 0
+    - group: root
    - mode: 755
    - template: jinja
@@ -91,8 +91,8 @@ wazuhmgrwhitelist:
   file.managed:
    - name: /usr/sbin/wazuh-manager-whitelist
    - source: salt://wazuh/files/wazuh-manager-whitelist
-    - user: 0
+    - user: root
-    - group: 0
+    - group: root
    - mode: 755
    - template: jinja
--- a/salt/yum/etc/yum.conf.jinja
+++ b/salt/yum/etc/yum.conf.jinja
@@ -11,6 +11,6 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
 bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
 distroverpkg=centos-release
-{% if salt['pillar.get']('global:managerupdate', '0') %}
+{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', '0') %}
 proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142
-{% endif %}
+{% endif %}
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -105,6 +105,10 @@ add_manager_hostfile() {
 	whiptail_check_exitstatus $exitstatus
 }
 add_mngr_ip_to_hosts() {
 	echo "$MSRVIP   $MSRV" >> /etc/hosts
 }
 addtotab_generate_templates() {
 	local addtotab_path=$local_salt_dir/pillar/data
@@ -264,6 +268,7 @@ check_service_status() {
 check_salt_master_status() {
 	echo "Checking if we can talk to the salt master" >> "$setup_log" 2>&1
 	salt-call saltutil.kill_all_jobs > /dev/null 2>&1
 	salt-call state.show_top > /dev/null 2>&1
 	local status=$?
 	#true if there is an issue talking to salt master
@@ -1408,6 +1413,64 @@ reserve_group_ids() {
 	groupadd -g 946 cyberchef
 }
 reinstall_init() {
 	info "Putting system in state to run setup again"
 	{
 		local minion_config=/etc/salt/minion
 		# Remove startup_states from minion config so we don't immediately highstate when salt starts back up
 		if [[ -f $minion_config ]] && grep -q "startup_states" $minion_config; then
 			sed -i '/startup_states/d' $minion_config
 		fi
 		if command -v salt-call &> /dev/null; then
 			# Disable schedule so highstate doesn't start running during the install
 			salt-call -l info schedule.disable
 			# Kill any currently running salt jobs, also to prevent issues with highstate.
 			salt-call -l info saltutil.kill_all_jobs
 		fi
 		if command -v docker &> /dev/null; then
 			# Stop and remove all so-* containers so files can be changed with more safety
 			docker stop $(docker ps -a -q --filter "name=so-")
 			docker rm -f $(docker ps -a -q --filter "name=so-")
 		fi
 		local date_string
 		date_string=$(date +%s)
 		# Backup /opt/so since we'll be rebuilding this directory during setup
 		if [[ -d /opt/so ]]; then
 			mv /opt/so "/opt/so_old_${date_string}"
 		fi
 		# Backup /nsm for the same reason
 		while IFS= read -r -d '' dir; do
 			mv "$dir" "${dir}_old_${date_string}"
 		done < <(find /nsm -maxdepth 1 -mindepth 1 -type d -print0)
 		# Remove the old launcher package in case the config changes
 		remove_package launcher-final
 	} >> $setup_log 2>&1
 }
 remove_package() {
 	local package_name=$1
 	if [ $OS = 'centos' ]; then
 		if rpm -qa | grep -q "$package_name"; then
 			yum remove -y "$package_name"
 		fi
 	else
 		if dpkg -l | grep -q "$package_name"; then
 			apt purge -y "$package_name"
 		fi
 	fi
 }
 # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and salt/salt/master.defaults.yaml and salt/salt/minion.defaults.yaml
 # CAUTION! SALT VERSION UDDATES - READ BELOW
 # When updating the salt version, also update the version in:
 # - securityonion-builds/iso-resources/build.sh
@@ -1568,7 +1631,6 @@ saltify() {
 }
 salt_checkin() {
 	case "$install_type" in
 		'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') # Fix Mine usage
 			{
@@ -1800,25 +1862,12 @@ set_default_log_size() {
 set_hostname() {
 	set_hostname_iso
 	if [[ ! $install_type =~ ^(MANAGER|EVAL|HELIXSENSOR|MANAGERSEARCH|STANDALONE|IMPORT)$ ]]; then
 		if ! getent hosts "$MSRV"; then
 			echo "$MSRVIP   $MSRV" >> /etc/hosts
 		fi
 	fi
 }
 set_hostname_iso() {
 	hostnamectl set-hostname --static "$HOSTNAME"
 	echo "127.0.0.1   $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts
 	echo "::1   $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
 	echo "$HOSTNAME" > /etc/hostname
 	hostname -F /etc/hostname
 }
 set_initial_firewall_policy() {
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -54,6 +54,13 @@ while [[ $# -gt 0 ]]; do
 	esac
 done
 if [[ -f $setup_log ]]; then
 	is_reinstall=true
 	# Move last setup log to backup
 	mv $setup_log $setup_log.bak
 fi
 # Begin Installation pre-processing
 parse_install_username
@@ -114,7 +121,8 @@ case "$setup_type" in
 esac
 # Allow execution of SO tools during setup
-export PATH=$PATH:../salt/common/tools/sbin
+local_sbin="$(pwd)/../salt/common/tools/sbin"
 export PATH=$PATH:$local_sbin
 detect_os && detect_cloud
 set_network_dev_status_list
@@ -420,21 +428,32 @@ whiptail_make_changes
 # From here on changes will be made.
 if [[ $is_reinstall ]]; then
 	reinstall_init
 fi
 if [[ -n "$TURBO" ]]; then
 	use_turbo_proxy
 fi
 if [[ "$setup_type" == 'iso' ]]; then
 	# Init networking so rest of install works
-	set_hostname_iso
+	set_hostname
 	set_management_interface
 fi
 disable_ipv6
 disable_auto_start
 if [[ "$setup_type" != 'iso' ]]; then
 	set_hostname
 fi
 if [[ $is_minion ]]; then
 	add_mngr_ip_to_hosts
 fi
 {
 	set_hostname;
 	set_version;
 	clear_manager;
 } >> $setup_log 2>&1
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -791,6 +791,8 @@ whiptail_management_server() {
 	if ! getent hosts "$MSRV"; then
 		add_manager_hostfile
 	else
 		MSRVIP=$(getent hosts "$MSRV" | awk 'NR==1{print $1}')
 	fi
 }