Merge pull request #11503 from Security-Onion-Solutions/minechanges

Minechanges
2026-02-11 09:43:35 +01:00 · 2023-10-10 16:33:17 -04:00
parent a54479d603 abeebc7bc4
commit 5252482fe3
8 changed files with 26 additions and 53 deletions
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -580,7 +580,7 @@ update_centos_repo() {
 update_salt_mine() {
    echo "Populating the mine with network.ip_addrs pillar.host.mainint for each host."
    set +e
-    salt \* cmd.run cmd='MAININT=$(salt-call pillar.get host:mainint --out=newline_values_only) && salt-call mine.send name=network.ip_addrs interface="$MAININT"'
+    salt \* mine.update -b 50
    set -e
 }

--- a/salt/salt/engines/checkmine.py
+++ b/salt/salt/engines/checkmine.py
@@ -1,28 +0,0 @@
-# -*- coding: utf-8 -*-
-
-import logging
-from time import sleep
-from os import remove
-
-log = logging.getLogger(__name__)
-
-def start(interval=30):
-  log.info("checkmine engine started")
-  minionid = __grains__['id']
-  while True:
-    try:
-      ca_crt = __salt__['saltutil.runner']('mine.get', tgt=minionid, fun='x509.get_pem_entries')[minionid]['/etc/pki/ca.crt']
-      log.info('Successfully queried Salt mine for the CA.')
-    except:
-      log.error('Could not pull CA from the Salt mine.')
-      log.info('Removing /var/cache/salt/master/minions/%s/mine.p to force Salt mine to be repopulated.' % minionid)
-      try:
-        remove('/var/cache/salt/master/minions/%s/mine.p' % minionid)
-        log.info('Removed /var/cache/salt/master/minions/%s/mine.p' % minionid)
-      except FileNotFoundError:
-        log.error('/var/cache/salt/master/minions/%s/mine.p does not exist' % minionid)
-
-      __salt__['mine.send'](name='x509.get_pem_entries', glob_path='/etc/pki/ca.crt')
-      log.warning('Salt mine repopulated with /etc/pki/ca.crt')
-
-    sleep(interval)
--- a/salt/salt/etc/minion.d/mine_functions.conf.jinja
+++ b/salt/salt/etc/minion.d/mine_functions.conf.jinja
@@ -1,4 +1,8 @@
-mine_interval: 35
+mine_interval: 25
 mine_functions:
  network.ip_addrs:
-    - interface: {{ GLOBALS.main_interface }}
+    - interface: {{ pillar.host.mainint }}
+{% if grains.role in ['so-eval','so-import','so-manager','so-managersearch','so-standalone'] -%}
+  x509.get_pem_entries:
+    - glob_path: '/etc/pki/ca.crt'
+{% endif -%}
--- a/salt/salt/files/engines.conf
+++ b/salt/salt/files/engines.conf
@@ -1,6 +0,0 @@
-engines_dirs:
-  - /etc/salt/engines
-
-engines:
-  - checkmine:
-      interval: 30
--- a/salt/salt/master.sls
+++ b/salt/salt/master.sls
@@ -18,17 +18,14 @@ salt_master_service:
    - enable: True

 checkmine_engine:
-  file.managed:
+  file.absent:
    - name: /etc/salt/engines/checkmine.py
-    - source: salt://salt/engines/checkmine.py
-    - makedirs: True
    - watch_in:
        - service: salt_minion_service

 engines_config:
-  file.managed:
+  file.absent:
    - name: /etc/salt/minion.d/engines.conf
-    - source: salt://salt/files/engines.conf
    - watch_in:
        - service: salt_minion_service

@@ -38,4 +35,4 @@ engines_config:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed

-{% endif %}
+{% endif %}
--- a/salt/salt/mine_functions.sls
+++ b/salt/salt/mine_functions.sls
@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# this state was seperated from salt.minion state since it is called during setup
+# GLOBALS are imported in the salt.minion state and that is not available at that point in setup
+# this state is included in the salt.minion state
+mine_functions:
+  file.managed:
+    - name: /etc/salt/minion.d/mine_functions.conf
+    - source: salt://salt/etc/minion.d/mine_functions.conf.jinja
+    - template: jinja
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -12,6 +12,7 @@ include:
  - salt
  - systemd.reload
  - repo.client
+  - salt.mine_functions

 {% if INSTALLEDSALTVERSION|string != SALTVERSION|string %}

@@ -78,14 +79,6 @@ salt_minion_service_unit_file:

 {% endif %}

-mine_functions:
-  file.managed:
-    - name: /etc/salt/minion.d/mine_functions.conf
-    - source: salt://salt/etc/minion.d/mine_functions.conf.jinja
-    - template: jinja
-    - defaults:
-        GLOBALS: {{ GLOBALS }}
-
 # this has to be outside the if statement above since there are <requisite>_in calls to this state
 salt_minion_service:
  service.running:
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -649,8 +649,8 @@ configure_minion() {
 		"log_level_logfile: info"\
 		"log_file: /opt/so/log/salt/minion" >> "$minion_config"

-	cp -f ../salt/salt/etc/minion.d/mine_functions.conf.jinja /etc/salt/minion.d/mine_functions.conf
-	sed -i "s/{{ GLOBALS.main_interface }}/$MNIC/" /etc/salt/minion.d/mine_functions.conf
+	info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "$MNIC"}}'"
+	salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="{'host': {'mainint': $MNIC}}"

 	{
 		logCmd "systemctl enable salt-minion";