Merge pull request #1822 from Security-Onion-Solutions/feature/setup-idempotency

Feature/setup idempotency

salt/common/init.sls

@@ -158,8 +158,8 @@ Etc/UTC:
 utilsyncscripts:
   file.recurse:
     - name: /usr/sbin
-    - user: 0
-    - group: 0
+    - user: root
+    - group: root
     - file_mode: 755
     - template: jinja
     - source: salt://common/tools/sbin

salt/filebeat/init.sls

@@ -58,8 +58,8 @@ filebeatconfsync:
   file.managed:
     - name: /opt/so/conf/filebeat/etc/filebeat.yml
     - source: salt://filebeat/etc/filebeat.yml
-    - user: 0
-    - group: 0
+    - user: root
+    - group: root
     - template: jinja
     - defaults:
         INPUTS: {{ salt['pillar.get']('filebeat:config:inputs', {}) }}

salt/nodered/init.sls

@@ -52,8 +52,8 @@ noderedflowsload:
   file.managed:
     - name: /usr/sbin/so-nodered-load-flows
     - source: salt://nodered/files/nodered_load_flows
-    - user: 0
-    - group: 0
+    - user: root
+    - group: root
     - mode: 755
     - template: jinja
 

salt/telegraf/init.sls

@@ -26,7 +26,7 @@ tgrafetsdir:
 tgrafsyncscripts:
   file.recurse:
     - name: /opt/so/conf/telegraf/scripts
-    - user: 0
+    - user: root
     - group: 939
     - file_mode: 700
     - template: jinja

salt/wazuh/init.sls

@@ -65,7 +65,7 @@ wazuhagentconf:
   file.managed:
     - name: /var/ossec/etc/ossec.conf
     - source: salt://wazuh/files/agent/ossec.conf
-    - user: 0
+    - user: root
     - group: 945
     - template: jinja
 
@@ -81,8 +81,8 @@ wazuhagentregister:
   file.managed:
     - name: /usr/sbin/wazuh-register-agent
     - source: salt://wazuh/files/agent/wazuh-register-agent
-    - user: 0
-    - group: 0
+    - user: root
+    - group: root
     - mode: 755
     - template: jinja
 
@@ -91,8 +91,8 @@ wazuhmgrwhitelist:
    file.managed:
     - name: /usr/sbin/wazuh-manager-whitelist
     - source: salt://wazuh/files/wazuh-manager-whitelist
-    - user: 0
-    - group: 0
+    - user: root
+    - group: root
     - mode: 755
     - template: jinja
 

salt/yum/etc/yum.conf.jinja

@@ -11,6 +11,6 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
 bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
 distroverpkg=centos-release
 
-{% if salt['pillar.get']('global:managerupdate', '0') %}
+{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', '0') %}
 proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142
-{% endif %}
+{% endif %}

setup/so-functions

@@ -105,6 +105,10 @@ add_manager_hostfile() {
 	whiptail_check_exitstatus $exitstatus
 }
 
+add_mngr_ip_to_hosts() {
+	echo "$MSRVIP   $MSRV" >> /etc/hosts
+}
+
 addtotab_generate_templates() {
 
 	local addtotab_path=$local_salt_dir/pillar/data
@@ -264,6 +268,7 @@ check_service_status() {
 
 check_salt_master_status() {
 	echo "Checking if we can talk to the salt master" >> "$setup_log" 2>&1
+	salt-call saltutil.kill_all_jobs > /dev/null 2>&1
 	salt-call state.show_top > /dev/null 2>&1
 	local status=$?
 	#true if there is an issue talking to salt master
@@ -1408,6 +1413,64 @@ reserve_group_ids() {
 	groupadd -g 946 cyberchef
 }
 
+reinstall_init() {
+	info "Putting system in state to run setup again"
+
+	{
+		local minion_config=/etc/salt/minion
+		
+		# Remove startup_states from minion config so we don't immediately highstate when salt starts back up
+		if [[ -f $minion_config ]] && grep -q "startup_states" $minion_config; then
+			sed -i '/startup_states/d' $minion_config
+		fi
+
+		if command -v salt-call &> /dev/null; then
+			# Disable schedule so highstate doesn't start running during the install
+			salt-call -l info schedule.disable
+
+			# Kill any currently running salt jobs, also to prevent issues with highstate.
+			salt-call -l info saltutil.kill_all_jobs
+		fi
+
+		if command -v docker &> /dev/null; then
+			# Stop and remove all so-* containers so files can be changed with more safety
+			docker stop $(docker ps -a -q --filter "name=so-")
+			docker rm -f $(docker ps -a -q --filter "name=so-")
+		fi
+
+		local date_string
+		date_string=$(date +%s)
+
+		# Backup /opt/so since we'll be rebuilding this directory during setup
+		if [[ -d /opt/so ]]; then
+			mv /opt/so "/opt/so_old_${date_string}"
+		fi
+
+		# Backup /nsm for the same reason
+		while IFS= read -r -d '' dir; do
+			mv "$dir" "${dir}_old_${date_string}"
+		done < <(find /nsm -maxdepth 1 -mindepth 1 -type d -print0)
+
+		# Remove the old launcher package in case the config changes
+		remove_package launcher-final
+
+	} >> $setup_log 2>&1
+}
+
+remove_package() {
+	local package_name=$1
+	if [ $OS = 'centos' ]; then
+		if rpm -qa | grep -q "$package_name"; then
+			yum remove -y "$package_name"
+		fi
+	else
+		if dpkg -l | grep -q "$package_name"; then
+			apt purge -y "$package_name"
+		fi
+	fi
+}
+
+# When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and salt/salt/master.defaults.yaml and salt/salt/minion.defaults.yaml
 # CAUTION! SALT VERSION UDDATES - READ BELOW
 # When updating the salt version, also update the version in:
 # - securityonion-builds/iso-resources/build.sh
@@ -1568,7 +1631,6 @@ saltify() {
 }
 
 salt_checkin() {
-
 	case "$install_type" in
 		'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') # Fix Mine usage
 			{
@@ -1800,25 +1862,12 @@ set_default_log_size() {
 
 set_hostname() {
 
-	set_hostname_iso
-
-	if [[ ! $install_type =~ ^(MANAGER|EVAL|HELIXSENSOR|MANAGERSEARCH|STANDALONE|IMPORT)$ ]]; then
-		if ! getent hosts "$MSRV"; then
-			echo "$MSRVIP   $MSRV" >> /etc/hosts
-		fi
-	fi
-
-}
-
-set_hostname_iso() {
-
 	hostnamectl set-hostname --static "$HOSTNAME"
 	echo "127.0.0.1   $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts
 	echo "::1   $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
 	echo "$HOSTNAME" > /etc/hostname
 
 	hostname -F /etc/hostname
-
 }
 
 set_initial_firewall_policy() {

setup/so-setup

@@ -54,6 +54,13 @@ while [[ $# -gt 0 ]]; do
 	esac
 done
 
+if [[ -f $setup_log ]]; then
+	is_reinstall=true
+
+	# Move last setup log to backup
+	mv $setup_log $setup_log.bak
+fi
+
 # Begin Installation pre-processing
 parse_install_username
 
@@ -114,7 +121,8 @@ case "$setup_type" in
 esac
 
 # Allow execution of SO tools during setup
-export PATH=$PATH:../salt/common/tools/sbin
+local_sbin="$(pwd)/../salt/common/tools/sbin"
+export PATH=$PATH:$local_sbin
 
 detect_os && detect_cloud
 set_network_dev_status_list
@@ -420,21 +428,32 @@ whiptail_make_changes
 
 # From here on changes will be made.
 
+if [[ $is_reinstall ]]; then
+	reinstall_init
+fi
+
 if [[ -n "$TURBO" ]]; then
 	use_turbo_proxy
 fi
 
 if [[ "$setup_type" == 'iso' ]]; then
 	# Init networking so rest of install works
-	set_hostname_iso
+	set_hostname
 	set_management_interface
 fi
 
 disable_ipv6
 disable_auto_start
 
+if [[ "$setup_type" != 'iso' ]]; then
+	set_hostname
+fi
+
+if [[ $is_minion ]]; then
+	add_mngr_ip_to_hosts
+fi
+
 {
-	set_hostname;
 	set_version;
 	clear_manager;
 } >> $setup_log 2>&1

setup/so-whiptail

@@ -791,6 +791,8 @@ whiptail_management_server() {
 
 	if ! getent hosts "$MSRV"; then
 		add_manager_hostfile
+	else
+		MSRVIP=$(getent hosts "$MSRV" | awk 'NR==1{print $1}')
 	fi
 
 }